Salesforce Identity Implementation Guide

  • View
    220

  • Download
    0

Embed Size (px)

Transcript

  • Identity Implementation GuideVersion 39.0, Spring 17

    @salesforcedocsLast updated: March 14, 2017

    https://twitter.com/salesforcedocs

  • Copyright 20002017 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com, inc.,as are other names and marks. Other marks appearing herein may be trademarks of their respective owners.

  • CONTENTS

    Chapter 1: What Is Salesforce Identity? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

    Chapter 2: How to use Salesforce Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

    Chapter 3: Quick Start: Set up your own domain, add a Connected App and use theApp Launcher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

    Use My Domain to Create Your Own Subdomain Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6Launch Your Connected App from the Salesforce App Launcher . . . . . . . . . . . . . . . . . . . . . . 7

    Chapter 4: My Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

    Set Up a My Domain Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Define Your Domain Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Customize Your Login Page with Your Brand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Add Identity Providers on a Login Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Set the My Domain Login Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

    My Domain URL Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Test and Deploy Your New My Domain Subdomain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Guidelines and Best Practices for Implementing My Domain . . . . . . . . . . . . . . . . . . . . . . . . 15Get System Performance and Maintenance Information with My Domain . . . . . . . . . . . . . . . 16

    Chapter 5: Configure and Use the App Launcher . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

    Enable the App Launcher with a Profile in Salesforce Classic . . . . . . . . . . . . . . . . . . . . . . . . 18Enable the App Launcher with a Permission Set in Salesforce Classic . . . . . . . . . . . . . . . . . . 19Set the Default Sort Order for Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

    Reorder the App Menu and App Launcher in Salesforce Classic . . . . . . . . . . . . . . . . . . 20Reorder the App Launcher Apps in Lightning Experience . . . . . . . . . . . . . . . . . . . . . . . 21

    Make the App Launcher the Default Landing Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

    Chapter 6: Set Up Single Sign-On to Google Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

    Get a Salesforce Identity Provider Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Set Google Administrator Single Sign-On Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Create a Connected App for GMail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

    Chapter 7: Set Two-Factor Authentication Login Requirements . . . . . . . . . . . . . . . . . . 26

    Verify Your Identity with a One-Time Password Generator App or Device . . . . . . . . . . . . . . . . 27

    Chapter 8: Customize Your Login Page with Your Own Branding . . . . . . . . . . . . . . . . 28

    Chapter 9: Synchronize your Salesforce and Active Directory Users with IdentityConnect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

    Identity Connect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

  • Installing Identity Connect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

    Chapter 10: Tutorial: Test Single Sign-On from an External Identity Provider . . . . . . . . . 31

    Establish a Federation ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Set up your identity provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Generate SAML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Troubleshoot SAML assertions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

    Chapter 11: Monitor Applications and Run Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

    Monitor Usage for Connected Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Create an Identity Users Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

    Chapter 12: Use External Identities to Extend Your Organization to New Users . . . . . . 39

    Chapter 13: Get More Information about Salesforce Identity, Single Sign-On andSecurity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

    Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

    Contents

  • CHAPTER 1 What Is Salesforce Identity?

    EDITIONS

    Available in: SalesforceClassic

    Available in: Enterprise,Performance, Unlimited,Developer, andDatabase.com Editions

    Salesforce Identity connects your Salesforce org users with external applications and services whileproviding administrative tools for monitoring, maintaining, and reporting user apps and authorization.

    Note: Salesforce Identity Demo (12:16 minutes)

    Take a quick tour of Salesforce Identity features.

    Salesforce Identity is an identity and access management (IAM) service with the following features.

    Cloud-based user directories, so user accounts and information are stored and maintained inone place, while available to other services or applications.

    Authentication services to verify users and keep granular control over user access. You canselect which apps specific users can use, require two-factor authentication, and set how often individual users must log in to maintaintheir session.

    Access management and authorization for third-party apps, including UI integration, so a users apps and services are readily available.

    App user provisioning that streamlines the process for providing and removing access to apps to multiple users simultaneously.

    An API for viewing and managing your deployment of Identity features.

    Identity event logs for creating reports and dashboards on single sign-on and connected app usage.

    Salesforce Identity Connect, a connector that integrates Microsoft Active Directory (AD) with Salesforce. You can manage AD usersand Salesforce users simultaneously. You can configure Identity Connect to give AD users access to their Salesforce orgs withouthaving to log in again.

    To implement Salesforce Identity, use any of the following.

    Security Assertion Markup Language (SAML)Security Assertion Markup Language (SAML) is an XML-based protocol that allows you to transfer user information between services,for example, from Salesforce to Microsoft 365. Apps use this information to authorize users and enable single sign-on. Salesforcesupports SAML for single sign-on into Salesforce from a corporate portal or identity provider.

    OAuth 2.0OAuth 2.0 is an open protocol used for single sign-on to allow secure authorization between applications. OAuth authorization flowsdescribe the options for implementing OAuth in Salesforce orgs. For more information on specific flows, see Force.com REST APIDeveloper Guide.

    OpenID ConnectOpen ID Connect is an authentication protocol based on OAuth 2.0 that sends identity information between services. With OpenIDConnect, users can log in to another service, like Gmail, and then access their Salesforce org without logging in again.

    My DomainMy Domain allows you to define your own domain name within the Salesforce domain (for example,https://companyname.my.salesforce.com). My Domain makes it easier to manage login and authentication andallows you to customize your login page. Salesforce requires My Domain if you want to use Lightning components in Lightning tabs,Lightning Pages, or as a standalone app.

    Connected AppsA connected app integrates an application with Salesforce using APIs. Connected apps use standard SAML and OAuth protocols toauthenticate, provide single sign-on, and provide tokens for use with Salesforce APIs. In addition to standard OAuth capabilities,

    1

    http://youtu.be/rc1MH2LQoaYhttps://developer.salesforce.com/docs/atlas.en-us.206.0.api_rest.meta/api_rest/https://developer.salesforce.com/docs/atlas.en-us.206.0.api_rest.meta/api_rest/http://openid.net/connect/

  • connected apps allow Salesforce admins to set various security policies and have explicit control over who can use the correspondingapps.

    App LauncherThe App Launcher allows you to give your users easy access to apps that they use most often. Users go to the App Launcher tolaunch Salesforce and third-party apps without having to log in again (referred to as single sign-on). The App Launcher presentstiles that link to your connected apps and standard apps, all from one location in Salesforce. All Lightning Experience users haveaccess to the App Launcher. Salesforce Classic users must have the Use Identi