
Salesforce Identity Workshop


A Deep Dive into Salesforce Identity - first presented at Gluecon 2013


Page 1: Salesforce Identity Workshop

How to use the Salesforce Identity Platform: A Deep Dive

@dcarroll

Dave Carroll, Developer Evangelist

@metadaddy

Pat Patterson, Developer Evangelist

Page 2: Salesforce Identity Workshop

Safe harborSafe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services. The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of intellectual property and other litigation, risks associated with possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-Q for the most recent fiscal quarter ended July 31, 2012. 
These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.

Page 15: Salesforce Identity Workshop

What if there was a single place to login to all your enterprise apps?

Page 16: Salesforce Identity Workshop

What if there was a single place to manage your cloud and mobile apps?

Page 19: Salesforce Identity Workshop

Introducing Salesforce Identity: Cloud Identity and Access Management

Simple: Login once to all your cloud and mobile apps with Single Sign-On.

Social: Deep social and data integration, fully customizable and built on open standards.

Trusted: Centralized access management and provisioning, delivered through the simplicity, transparency, and trust of the Salesforce Platform.

Page 20: Salesforce Identity Workshop

Diagram labels (the slide is a graphic): social, automate, administrate, trust

• enterprise directory integration
• single sign-on and user management
• secure single sign-on and social apps
• centralized access management, provisioning and reporting

Page 21: Salesforce Identity Workshop

transparent scalable certified

ISO 27001; SOC 1, 2, 3 (SAS 70 Type II); GSA Moderate Level Authority; EU Safe Harbor Certified; JIPDC (Japan Privacy Seal); TÜV (Germany Privacy Mark); SysTrust; TRUSTe; PCI

60 Billion Transactions / Quarter

26 Billion API calls / Quarter

7 Billion Logins / Year

100,000+ Customers

Page 22: Salesforce Identity Workshop

Simple: Single Sign-On and Social Apps

Single Sign-On to all your Apps
• Improve utilization and adoption
• Login once with a single, secure cloud Identity
• Access any standards-based application
• Integrated Application Switcher provides quick access

Mobile
• Login once, access anywhere
• Single Sign-On for Mobile Apps
• Secure access without VPN

Social Apps with Deep Integration
• Push to your users with a common feed
• Apps integrate directly into the feed
• Deep data integration provides highly differentiated apps

Page 23: Salesforce Identity Workshop

Secure: Centralized Access Management

Centralized Control over User Access
• Common Authorization for all your apps
• Force.com, Heroku, Mobile, and Third-Party
• Single place to enable/disable apps
• Rapidly trial, develop and deploy
• One-click Enablement

Mobile Ready
• Dedicated Mobile Policies
• Enterprise Federation for Mobile Apps
• Salesforce, IT or ISV developed
• Pre-integrated Mobile SDKs

Page 24: Salesforce Identity Workshop

Standard: Broad Open Standard Support

Single Sign-On
• SAML 2.0 Identity Provider
• SAML 1.1 / 2.0 Service Provider
• OpenID Connect

API Access
• OAuth 2
• OAuth 2 SAML Bearer Tokens
• OAuth 2 JWT Bearer Tokens

Cloud Directory & Provisioning
• SCIM
• SAML Provisioning

Page 25: Salesforce Identity Workshop

Extensible: A Full Identity-Enabled Platform

Enterprise Class Workflow
• Graphical Drag and Drop processes
• Declarative
• Fully pluggable

Broad Declarative Options
• Extensible Fields
• Declarative validation rules
• Drag and Drop layouts

Run Code
• Full programming language
• Batch Apex
• Apex Callouts
• User Triggers
• Apex Crypto

API Enabled
• Automate from off platform

Page 26: Salesforce Identity Workshop

Integrated: Enterprise Integration

Enterprise Class Integration
• Leverage your existing authentication systems
• Single Sign-On for Web, Mobile and API
• Best practice experience from 13,000 Tenants

Broad Provisioning Support
• Manual
• SOAP / REST
• Batch
• SAML Just-In-Time
• SCIM provisioning

Active Directory

SAML & SCIM

Page 27: Salesforce Identity Workshop

Transparent: Centralized Reporting

Centralized Reporting
• Transparency into access and utilization

Customizable
• Drag and drop reporting engine

Analytics and Dashboards
• Leverage Salesforce Analytics to develop your own reports and dashboards

Page 28: Salesforce Identity Workshop

Brandable: Run your own Identity Services

Fully brand-able for Customers & Partners
• Run your own IDP
• Build federated Support offerings
• Build your customer Social Profile
• Cloud-enable your products

Social
• Pre-integrated with Facebook and other Consumer providers

Page 29: Salesforce Identity Workshop

Salesforce Platform: Cloud-based, multi-tenant, enterprise-class PaaS

Page 30: Salesforce Identity Workshop

1,000,000 Salesforce Platform Developers

Page 31: Salesforce Identity Workshop

9 Billion API calls last month

Page 32: Salesforce Identity Workshop

The Salesforce Platform: Mobile, Social, Identity, Data, Marketplace

Page 33: Salesforce Identity Workshop

Security: Identity, data security and user services

Page 34: Salesforce Identity Workshop

Key Concepts for Data Security

• User Profiles
• Groups, Queues and Hierarchies
• Permission Sets
• SSO, SAML, OAuth 2.0
• Connected Apps

Page 35: Salesforce Identity Workshop

http://developer.force.com/join

Page 36: Salesforce Identity Workshop

Identity Provisioning

Page 37: Salesforce Identity Workshop

Browser

Page 38: Salesforce Identity Workshop

REST API

• POST/GET/PATCH/DELETE on the User endpoint:
  https://instance.salesforce.com/services/data/v27.0/sobjects/User

{
  "Username" : "[email protected]",
  "Alias" : "davec",
  "Email" : "[email protected]",
  "EmailEncodingKey" : "UTF-8",
  "FirstName" : "Dave",
  "LanguageLocaleKey" : "en_US",
  "LastName" : "Carroll",
  "LocaleSidKey" : "en_US",
  "ProfileId" : "00eE0000000Lst0IAC",
  "TimeZoneSidKey" : "America/Los_Angeles"
}

• http://bit.ly/user-json

Page 39: Salesforce Identity Workshop

Workbench

workbench.developerforce.com

Page 40: Salesforce Identity Workshop

SOAP API

• Pass users to create(), retrieve(), update(), delete()

// For example, in Java with the enterprise WSDL stubs (an EnterpriseConnection
// named 'connection' that has already logged in)...
User[] users = new User[2];

users[0] = new User();                 // array slots start out null
users[0].setUsername("[email protected]");
users[0].setAlias("davec");
// populate the other required fields (Email, LastName, ProfileId, locale/timezone keys)

users[1] = new User();
users[1].setUsername("[email protected]");
users[1].setAlias("patp");
// populate the other required fields

SaveResult[] results = connection.create(users);
// create() does not throw for per-record failures; check each result
for (SaveResult r : results) {
    if (!r.isSuccess()) {
        System.err.println(r.getErrors()[0].getMessage());
    }
}

Page 41: Salesforce Identity Workshop

SCIM

• Standardized REST API:
  https://identity.my.salesforce.com/services/data/v26.0/scim/v1/Users

{
  "userName": "[email protected]",
  "name": { "familyName": "User", "givenName": "Demo" },
  "emails": [ { "primary": true, "value": "[email protected]" } ],
  "groups": [ { "value": "00eE0000000FK6tIAG", "display": "Full Time Employees" } ],
  "schemas": [ "urn:scim:schemas:core:1.0", "urn:scim:schemas:extension:enterprise:1.0" ]
}

Page 42: Salesforce Identity Workshop

‘Just in time’ (JIT) provisioning

• SAML 2.0, Auth Providers
• Identity Provider must supply a set of mandatory attributes in the SAML Assertion
  • ProfileId
  • UserName
  • LastName
  • Email
• Many other optional attributes
  • FirstName, Phone, Manager etc.

Page 43: Salesforce Identity Workshop

Single Sign-On:SAML

Page 44: Salesforce Identity Workshop

SAML 2.0

• Single sign-on across domains/enterprises

• OASIS standard (March 2005)

• Widely supported• Google Apps since October 2006

• salesforce.com since Winter ’09 (October 2008)

• Active Directory Federation Services (AD FS) since version 2.0 (May 2010)

Page 45: Salesforce Identity Workshop

SAML 2.0 Roles

Page 46: Salesforce Identity Workshop

SAML 2.0 Protocol

Participants: Browser, Identity Provider (idp.ex.com), Service Provider (sp.ex.net)

1. Browser → Service Provider: GET /something
2. Service Provider → Browser: HTTP/1.1 302 Found, Location: http://idp.ex.com/saml?SAMLRequest=hf7893b…&RelayState=HKFDhh383
3. Browser → Identity Provider: GET http://idp.ex.com/saml?SAMLRequest=hf7893b…&RelayState=HKFDhh383
4. Identity Provider authenticates the user
5. Identity Provider → Browser: 200 OK, SAML Assertion in an HTML FORM (auto-submitted to the Service Provider)
6. Browser → Service Provider: POST /acs with the SAML Assertion
7. Service Provider → Browser: HTTP/1.1 302 Found, Location: http://sp.ex.net/something, Set-Cookie: token=value; Domain=.ex.net

Page 47: Salesforce Identity Workshop

SAML 2.0 Assertion

<Assertion>
  <Issuer/>
  <Signature/>
  <Subject/>
  <Conditions/>
  <AttributeStatement/>
  <AuthnStatement/>
</Assertion>

Page 48: Salesforce Identity Workshop

Single Sign-On Between Salesforce Orgs

bit.ly/multi-org-sso

Page 49: Salesforce Identity Workshop

Social Sign-On:Authentication Providers

Page 50: Salesforce Identity Workshop

Authentication Providers

• Three pre-built connectors
• Sign-on from social providers
  • Facebook, Janrain (Twitter, LinkedIn etc.), other Salesforce orgs
• Automatically create and update users and contacts

Page 51: Salesforce Identity Workshop

OAuth 2.0

Page 52: Salesforce Identity Workshop

OAuth 2.0

• oauth.net/2
• Authorization for RESTful APIs
• Evolution of Google AuthSub, Yahoo BBAuth, AOL OpenAuth etc.
• Standardized as RFC 6749/6750
• bit.ly/oauth2-force

Page 53: Salesforce Identity Workshop

OAuth Roles

Page 54: Salesforce Identity Workshop

OAuth 2.0 Protocol – Implicit Flow

Participants: Browser, Client App, Authorization Server (login.salesforce.com), Resource Server (na1.salesforce.com)

1. Client App opens the browser at https://login.salesforce.com/services/oauth2/authorize?response_type=token&client_id=XYZ…&redirect_uri=myapp://oauth
2. Browser → Authorization Server: GET /services/oauth2/authorize?response_type=token&client_id=XYZ…&redirect_uri=myapp://oauth
3. User authenticates (and approves the app)
4. Authorization Server → Browser: 302 Found, Location: myapp://oauth#access_token=…&refresh_token=…&instance_url=…&id=…&signature=…&issued_at=…
5. Browser → Client App: GET /oauth#access_token=…&… (the custom myapp:// scheme hands the fragment to the app)
6. Client App → Resource Server: GET /services/data/v25.0/… with Authorization: Bearer 00D5…
7. Resource Server → Client App: 200 OK, Data

Page 55: Salesforce Identity Workshop

OAuth 2.0 Protocol – Authorization Code Flow

Participants: Browser, Client App (app.cl.com), Authorization Server (login.salesforce.com), Resource Server

1. Browser → Client App: GET /something
2. Client App → Browser: 302 Found, Location: https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id=…&redirect_uri=…
3. Browser → Authorization Server: GET /services/oauth2/authorize?response_type=code&…
4. User authenticates
5. Authorization Server → Browser: 302 Found, Location: https://app.cl.com?code=…
6. Browser → Client App: GET https://app.cl.com?code=…
7. Client App → Authorization Server (server to server): POST /services/oauth2/token with code=…&grant_type=authorization_code&client_id=…&client_secret=…&redirect_uri=…
8. Authorization Server → Client App: 200 OK { "access_token": "00D5…" }
9. Client App → Resource Server: GET /data with Authorization: OAuth 00D5…
10. Resource Server → Client App: 200 OK, Data
11. Client App → Browser: 200 OK, Some Content
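The two flows above, as an added example in Go that is not part of the original deck: a client that builds the authorization redirect, validates the callback and prepares the token request for the authorization code flow, plus the fragment parsing a native app does in the implicit flow. The endpoint paths are the login.salesforce.com ones the next slide gives; the client ID, secret, redirect URI and the handling of the state parameter are this example's own assumptions (the slides omit state, which RFC 6749 section 10.12 requires so that a callback can be tied to the browser session that started the login).

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// OAuthClient is what a confidential client (a web app) has registered with the
// authorization server. Endpoint paths are the login.salesforce.com ones from the
// next slide; the client ID, secret and redirect URI are placeholders.
type OAuthClient struct {
	AuthorizeURL string // https://login.salesforce.com/services/oauth2/authorize
	TokenURL     string // https://login.salesforce.com/services/oauth2/token
	ClientID     string
	ClientSecret string
	RedirectURI  string
}

// NewState returns an unguessable value that binds the authorization request to
// the browser session; RFC 6749 section 10.12 relies on it to stop login CSRF.
func NewState() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// AuthorizeRedirect builds the Location of the 302 that sends the browser to the
// authorization server (code flow step 2). Store state in the session first.
func (c OAuthClient) AuthorizeRedirect(state string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", c.ClientID)
	q.Set("redirect_uri", c.RedirectURI)
	q.Set("state", state)
	return c.AuthorizeURL + "?" + q.Encode()
}

// ParseCodeCallback handles the redirect back to the app (step 6): it rejects a
// callback whose state is missing or differs from the session's, and surfaces an
// error response instead of treating it as success.
func ParseCodeCallback(callbackURL, expectedState string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if expectedState == "" || q.Get("state") != expectedState {
		return "", errors.New("state mismatch: possible CSRF or replayed callback")
	}
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("authorization server returned %q: %s", e, q.Get("error_description"))
	}
	if q.Get("code") == "" {
		return "", errors.New("callback carries no authorization code")
	}
	return q.Get("code"), nil
}

// TokenRequestBody is the form the app POSTs server-to-server to TokenURL (step 7).
// The client secret never passes through the browser, only the short-lived code
// does, and redirect_uri must repeat the value used in step 2.
func (c OAuthClient) TokenRequestBody(code string) string {
	f := url.Values{}
	f.Set("grant_type", "authorization_code")
	f.Set("code", code)
	f.Set("client_id", c.ClientID)
	f.Set("client_secret", c.ClientSecret)
	f.Set("redirect_uri", c.RedirectURI)
	return f.Encode()
}

// ParseImplicitFragment handles the implicit-flow redirect (myapp://oauth#...).
// The tokens travel in the URL fragment, which a browser never sends to any
// server; the native app reads them from the custom-scheme URL it is handed.
func ParseImplicitFragment(redirectURL string) (map[string]string, error) {
	i := strings.Index(redirectURL, "#")
	if i < 0 {
		return nil, errors.New("no fragment: tokens must not arrive in the query string")
	}
	vals, err := url.ParseQuery(redirectURL[i+1:])
	if err != nil || vals.Get("access_token") == "" {
		return nil, errors.New("fragment carries no usable access_token")
	}
	out := map[string]string{}
	for k := range vals {
		out[k] = vals.Get(k)
	}
	return out, nil
}

func main() {
	c := OAuthClient{AuthorizeURL: "https://login.salesforce.com/services/oauth2/authorize",
		TokenURL: "https://login.salesforce.com/services/oauth2/token",
		ClientID: "3MVG9-placeholder", ClientSecret: "placeholder", RedirectURI: "https://app.cl.com/oauth/callback"}
	state, _ := NewState()
	fmt.Println("302 Location:", c.AuthorizeRedirect(state))
	code, err := ParseCodeCallback("https://app.cl.com/oauth/callback?code=aPrx...&state="+state, state)
	fmt.Println("code:", code, "err:", err, "\nPOST body:", c.TokenRequestBody(code))
}
```

The state check is the part that is easy to skip and costly to omit: without it an attacker can complete the code flow in their own browser and then make a victim's browser load the resulting callback URL, logging the victim into the attacker's account. The implicit-flow parser deliberately refuses a token that arrives in the query string rather than the fragment, since a query string reaches server logs and Referer headers.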

Page 56: Salesforce Identity Workshop

Enabling org-level policy with OAuth 2.0

• Central Authorization Server
  • https://login.salesforce.com/services/oauth2/
• Alternative URLs bind to an org
  • My Domain: https://gluecon.my.salesforce.com/services/oauth2/
  • Force.com Site: https://gluecon.secure.force.com/services/oauth2/
  • Community: https://gluecon.force.com/attendees/services/oauth2/

Page 57: Salesforce Identity Workshop

Server to Server Authorization

• SAML 2.0 Bearer Assertion
  • Exchange a SAML Assertion for an OAuth token
  • http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer (later published as RFC 7522)
• JSON Web Token (JWT)
  • Assert identity via a signed JSON object
  • http://tools.ietf.org/html/draft-ietf-oauth-json-web-token (later RFC 7519; the JWT bearer grant it is used with became RFC 7523)
  • https://developers.google.com/accounts/docs/OAuth2ServiceAccount
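An added example of the JWT bearer grant in Go, not code from the deck: the integration server signs a compact RS256 JWT with the private key whose certificate is registered on the connected app, and the authorization server's side of the exchange (signature, alg, audience, expiry) is shown as well, since that is what makes the grant safe. The consumer key, username and expiry values are placeholders; the claim names, the grant_type URN and the token endpoint follow RFC 7523 and Salesforce's documented JWT bearer flow.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Claims of the assertion as the Salesforce JWT bearer flow expects them:
// iss = connected app consumer key, sub = Salesforce username,
// aud = the login host the token is requested from, exp = short-lived expiry.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignJWT produces the compact form base64url(header).base64url(claims).base64url(sig)
// with an RS256 (RSASSA-PKCS1-v1_5 over SHA-256) signature.
func SignJWT(c Claims, key *rsa.PrivateKey) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyJWT is what the authorization server does with the assertion: pin the
// algorithm to RS256 (never trust the header's alg), check the signature against
// the certificate uploaded for the connected app, then enforce audience and expiry.
func VerifyJWT(token string, pub *rsa.PublicKey, expectedAud string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return c, errors.New("unsupported or missing alg (only RS256 is accepted)")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, errors.New("bad signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(body, &c); err != nil {
		return c, err
	}
	if c.Aud != expectedAud {
		return c, fmt.Errorf("audience %q is not %q", c.Aud, expectedAud)
	}
	if now.Unix() >= c.Exp {
		return c, errors.New("assertion expired")
	}
	return c, nil
}

// TokenRequestBody is the form POSTed to https://login.salesforce.com/services/oauth2/token.
func TokenRequestBody(jwt string) string {
	v := url.Values{}
	v.Set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")
	v.Set("assertion", jwt)
	return v.Encode()
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // demo key; load the one whose cert is on the connected app
	if err != nil {
		panic(err)
	}
	c := Claims{Iss: "3MVG9-consumer-key-placeholder", Sub: "integration@example.com",
		Aud: "https://login.salesforce.com", Exp: time.Now().Add(3 * time.Minute).Unix()}
	jwt, err := SignJWT(c, key)
	if err != nil {
		panic(err)
	}
	got, err := VerifyJWT(jwt, &key.PublicKey, "https://login.salesforce.com", time.Now())
	fmt.Println(len(TokenRequestBody(jwt)), "byte token request;", got.Sub, err)
}
```

Because the grant has no user interaction, the private key is the only thing standing between an attacker and an access token for the named user: keep it out of source control, give the integration user the narrowest profile that works, and keep exp minutes rather than hours away so a captured assertion cannot be replayed for long.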

Page 58: Salesforce Identity Workshop

Summer ’13

Page 59: Salesforce Identity Workshop

SAML

• Multiple Identity Providers
  • Support single sign-on for internal + external users
• Single Sign-On configurable via API
  • Packaging, automation

Page 60: Salesforce Identity Workshop

Salesforce Communities

• Public or private, branded spaces for your employees, customers, and partners

• Subset of features and data from internal Salesforce org• Membership, branding, login options, etc are configurable

• Advanced customization via code

• Replaces Partner Portal & Customer Portal

Page 61: Salesforce Identity Workshop

Winter ’14

Page 62: Salesforce Identity Workshop

Winter ’14 and Beyond

• Native two-factor authentication
  • Standards-based – OATH
• Identity Bridge
  • Easy integration with Active Directory
  • SSO and Provisioning
• SCIM
  • Currently in pilot

Page 63: Salesforce Identity Workshop

User Management and Provisioning (Winter ’14 and Beyond)

Automated User Management
• Manage your Users in one place
• Automate provisioning processes across clouds

Secure De-provisioning
• Single place to de-activate users
• Quickly and automatically shut them off everywhere

Pre-Integrated
• Identity Connectors to popular platforms
• Standard SCIM Connector

Fully Extensible
• Graphical Workflow Engine
• Plug in code directly in the Cloud
• Flexible workflow rules, triggers, fields, validation, etc.


Page 65: Salesforce Identity Workshop

Backup – A Deeper Dive into a SAML Assertion

Page 66: Salesforce Identity Workshop

SAML 2.0 Assertion - Issuer

<Assertion ID="_20f7…" IssueInstant="2011-03-28T18:23:25.539Z" Version="2.0">
  <Issuer>
    http://adfs-dc.my.example.com/adfs/services/trust
  </Issuer>
  <Signature/>
  <Subject/>
  <Conditions/>
  <AttributeStatement/>
  <AuthnStatement/>
</Assertion>

Page 67: Salesforce Identity Workshop

SAML 2.0 Assertion - Signature

<Assertion>
  <Issuer/>
  <Signature>
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="#_20f7fb27-6bb1-4801-aaab-25b4ff862d2f">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>UrcVwqLcdqMvtJUkxiIw9CBN1h8=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>ITY8KT…</SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data>
        <X509Certificate>MIIC6D…</X509Certificate>
      </X509Data>
    </KeyInfo>
  </Signature>
  <Subject/>
  <Conditions/>
  <AttributeStatement/>
  <AuthnStatement/>
</Assertion>

Page 68: Salesforce Identity Workshop

SAML 2.0 Assertion - Subject

<Assertion>
  <Issuer/>
  <Signature/>
  <Subject>
    <NameID>
      [email protected]
    </NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData InResponseTo="_2Qwip…"
                               NotOnOrAfter="2011-03-28T18:28:25.539Z"
                               Recipient="https://login.sf.com/?saml=…" />
    </SubjectConfirmation>
  </Subject>
  <Conditions/>
  <AttributeStatement/>
  <AuthnStatement/>
</Assertion>

Page 69: Salesforce Identity Workshop

SAML 2.0 Assertion - Conditions

<Assertion>
  <Issuer/>
  <Signature/>
  <Subject/>
  <Conditions NotBefore="2011-03-28T18:23:25.537Z"
              NotOnOrAfter="2011-03-28T19:23:25.537Z">
    <AudienceRestriction>
      <Audience>
        https://superpat.my.salesforce.com
      </Audience>
    </AudienceRestriction>
  </Conditions>
  <AttributeStatement/>
  <AuthnStatement/>
</Assertion>

Page 70: Salesforce Identity Workshop

SAML 2.0 Assertion – AttributeStatement

<Assertion>
  <Issuer/>
  <Signature/>
  <Subject/>
  <Conditions/>
  <AttributeStatement>
    <Attribute Name="User.Email">
      <AttributeValue>
        [email protected]
      </AttributeValue>
    </Attribute>
    <!-- Also need LastName, ProfileId, UserName
         for JIT Provisioning -->
  </AttributeStatement>
  <AuthnStatement/>
</Assertion>

Page 71: Salesforce Identity Workshop

SAML 2.0 Assertion - AuthnStatement

<Assertion>
  <Issuer/>
  <Signature/>
  <Subject/>
  <Conditions/>
  <AttributeStatement/>
  <AuthnStatement AuthnInstant="2011-03-28T18:23:25.501Z">
    <AuthnContext>
      <AuthnContextClassRef>
        urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
      </AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
</Assertion>
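For the SAML 2.0 protocol slide earlier and the assertion walkthrough above, an added example in Go that is not code from the deck: the service-provider side of the POST to /acs, run over an assertion constructed here from the values on these slides. It assumes the XML signature itself has already been verified by an XML-DSig library (encoding/xml does no cryptography) and shows the checks that still have to follow: that the signed Reference is this assertion's own ID, and that Issuer, Conditions, Audience, the bearer SubjectConfirmation (Recipient, NotOnOrAfter, InResponseTo) and the attributes JIT provisioning needs are what this SP expects. The entity IDs, request ID, user values and the sample document are assumptions.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
	"time"
)

// The parts of a SAML 2.0 assertion a service provider must inspect (the elements
// the slides walk through). Unqualified field tags match any namespace, so the
// ds:Signature children bind as well.
type Assertion struct {
	XMLName   xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	ID        string   `xml:"ID,attr"`
	Issuer    string   `xml:"Issuer"`
	Reference struct {
		URI string `xml:"URI,attr"`
	} `xml:"Signature>SignedInfo>Reference"`
	Confirmation struct {
		Method string `xml:"Method,attr"`
		Data   struct {
			InResponseTo string `xml:"InResponseTo,attr"`
			NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
			Recipient    string `xml:"Recipient,attr"`
		} `xml:"SubjectConfirmationData"`
	} `xml:"Subject>SubjectConfirmation"`
	Conditions struct {
		NotBefore    string   `xml:"NotBefore,attr"`
		NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
		Audiences    []string `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
	Attributes []struct {
		Name  string `xml:"Name,attr"`
		Value string `xml:"AttributeValue"`
	} `xml:"AttributeStatement>Attribute"`
}

// SP holds what the service provider knows independently of the assertion.
type SP struct {
	IssuerID, EntityID, ACSURL string // expected Issuer, Audience and Recipient
	RequestID                  string // ID of the AuthnRequest we sent; "" for IdP-initiated SSO
	Now                        time.Time
}

const bearer = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

// Attributes the slides list as mandatory for JIT provisioning.
var jitRequired = []string{"User.Username", "User.Email", "User.LastName", "User.ProfileId"}

// before reports whether now is strictly before the SAML timestamp s.
func before(now time.Time, s string) bool {
	t, err := time.Parse(time.RFC3339, s)
	return err == nil && now.Before(t)
}

// Validate runs the checks that must follow XML-DSig verification (assumed done by
// a proper library, not here): a valid signature only proves who minted the
// assertion, not that it is for us, answers our request, or is still current.
func Validate(raw []byte, sp SP) (map[string]string, error) {
	var a Assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return nil, err
	}
	// The signed element must be this assertion, not a sibling wrapped around it.
	if a.ID == "" || a.Reference.URI != "#"+a.ID {
		return nil, errors.New("signature reference does not cover this assertion")
	}
	if strings.TrimSpace(a.Issuer) != sp.IssuerID {
		return nil, errors.New("unexpected issuer")
	}
	// Conditions window: NotBefore <= now < NotOnOrAfter (no clock-skew allowance here).
	nb, err := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	if err != nil || sp.Now.Before(nb) || !before(sp.Now, a.Conditions.NotOnOrAfter) {
		return nil, errors.New("assertion outside its validity window")
	}
	audOK := false
	for _, aud := range a.Conditions.Audiences {
		audOK = audOK || strings.TrimSpace(aud) == sp.EntityID
	}
	if !audOK {
		return nil, errors.New("assertion not addressed to this service provider")
	}
	c := a.Confirmation
	if c.Method != bearer || !before(sp.Now, c.Data.NotOnOrAfter) || c.Data.Recipient != sp.ACSURL {
		return nil, errors.New("bearer confirmation failed: method, expiry or recipient")
	}
	if sp.RequestID != "" && c.Data.InResponseTo != sp.RequestID {
		return nil, errors.New("InResponseTo does not match the outstanding AuthnRequest")
	}
	attrs := map[string]string{}
	for _, at := range a.Attributes {
		attrs[at.Name] = strings.TrimSpace(at.Value)
	}
	for _, name := range jitRequired {
		if attrs[name] == "" {
			return nil, errors.New("JIT provisioning needs attribute " + name)
		}
	}
	return attrs, nil
}

// SampleAssertion is constructed for this example from the values on the slides;
// it is not a real ADFS or Salesforce artifact (SignatureValue and KeyInfo elided).
const SampleAssertion = `<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_20f7fb27-6bb1-4801-aaab-25b4ff862d2f" IssueInstant="2011-03-28T18:23:25.539Z" Version="2.0">
  <Issuer>http://adfs-dc.my.example.com/adfs/services/trust</Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
    <Reference URI="#_20f7fb27-6bb1-4801-aaab-25b4ff862d2f"/></SignedInfo></Signature>
  <Subject><NameID>pat@example.com</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData InResponseTo="_req42" NotOnOrAfter="2011-03-28T18:28:25.539Z"
        Recipient="https://login.salesforce.com/?saml=example"/></SubjectConfirmation></Subject>
  <Conditions NotBefore="2011-03-28T18:23:25.537Z" NotOnOrAfter="2011-03-28T19:23:25.537Z">
    <AudienceRestriction><Audience>https://superpat.my.salesforce.com</Audience></AudienceRestriction>
  </Conditions>
  <AttributeStatement>
    <Attribute Name="User.Email"><AttributeValue>pat@example.com</AttributeValue></Attribute>
    <Attribute Name="User.Username"><AttributeValue>pat@example.com</AttributeValue></Attribute>
    <Attribute Name="User.LastName"><AttributeValue>Patterson</AttributeValue></Attribute>
    <Attribute Name="User.ProfileId"><AttributeValue>00eE0000000Lst0IAC</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>`

func main() {
	sp := SP{IssuerID: "http://adfs-dc.my.example.com/adfs/services/trust", EntityID: "https://superpat.my.salesforce.com",
		ACSURL: "https://login.salesforce.com/?saml=example", RequestID: "_req42",
		Now: time.Date(2011, 3, 28, 18, 25, 0, 0, time.UTC)}
	attrs, err := Validate([]byte(SampleAssertion), sp)
	fmt.Println(attrs, err)
}
```

Note that the five-minute SubjectConfirmationData window is much tighter than the one-hour Conditions window, which is why both are checked separately; and InResponseTo is only enforced when the SP actually issued an AuthnRequest, since IdP-initiated SSO (the "bit.ly/multi-org-sso" case) has no request to match.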