Identity Only License
All other licenses already include identity but if internal users dont need to access salesforce for anything other than logging into a custom app in SF. This license can be used.
Contractually, Each Identity Only licensed-user is limited to 10 custom objects.
External Identity License
this can be used for external users like customers and partners who dont already have experience cloud license. users can access at least 10 custom objects and some standard objects.
can automate creation of users/contacts on user registration.
users can update their info by using self service.
It’s included for free with all paid community user licenses in Enterprise, Performance, and Unlimited Editions.
Single Sign On and SAML
SSO: Authentication method that allows users to login to different applications with same user credentials
SAML: standard authentication protocol that allows identity and service provider securely exchange user information to enable authentication between services.
SSO Flow (High level)
- User tries to login to access an app or URL (service provider)
- SP makes a SAML request and user is redirected to the Identity provider(IdP)
- User enters their credentials on the IdP
- IdP verifies the user, parses the SAML request and sends a SAML response with a signed assertion to the SP
- SP validates the signed assertion is legit and identifies the user and user is logged in
SAML SSO on Salesforce as SP - What are the Key information needed from IdP?
- Issuer ID - unique identifier of the IdP
- Authentication certificate
- SAML Assertion parameters - like User ID Type, and attributes,
- IdP login URL
Can use an XML to import all of this info at once in SF SSO setup
SAML SSO on Salesforce as SP - High level Set up steps in salesforce
identify common unique User parameter that will be used to identify a user - like username(email) or federation identifier. this may need some user updates or data cleanup
1 . Enable mydomain
- Enable SAML in SSO Setting
- Create the actual configuration by using the XML received from IdP or manually entering the values needed
- Customize the login screen so users can see the login(SSO) option
- Enable users to login through SSO- make sure at least one or more admin users have login without SSO disabled
SAML SSO on Salesforce as SP - what are the Key Attributes Needed in Setup?
- Issuer ID - unique URL that identifies the idP(entity Id of IdP)
- Entity ID - this is to enable SP-initiated login. use mydomain sf link so the IdP knows to redirect to SF
- Authentication certificate - this is received from IdP
- Request Signing certificate - this can be generated in SF and Reuest signature method
- SAML attributes
- Identity Type: match against either the Salesforce username
or the federation ID.
- Identity location: use either the NameID in the SAML assertion
or another attribute. - SSO Start Page or IdP login URL - to receive SAML request
- Custom logout URL - configure a URL to which the user is sent after logging out
IdP Initiated Login
There is a login from company’s intarnet or portal from where users can access salesforce. In this case, the IdP only sends a SAML assertion to relying party(SP) and SF validates the assertion. User is logged in.
SP Initiated Login
When users have a direct link to Salesforce or the service provider, when they try to access a resource, they are first directed to the IdP login page, a SAML request is sent out and then SAML assertion is received. this is SP initiated.
IdP knows to redirect from prior set up of mydomain as entity ID in SAML settings
Salesforce as Service Provider
when users can login to salesforce by using their existing credentials from identity provider or authentication provider.
- Identity Provider with SAML: SAML is an open standard authentication provider that SF uses for authentication. these can be Microsoft Directory(AD), Ping, etc
- Use Authentication provider: These are third party applications that support authorization, limited third party data access and authentication protocol - usually open id. In this scenario, SF is also called the relying party (similar to Service Provider term).
Can be used in different forms in salesforce.
Use a predefined authentication provider. like facebook, google
Set up an authentication provider that supports OpenID Connect. like Amazon, paypal
Create a custom authentication provider for a third party that supports OAuth 2.0
Salesforce as Identity Provider
users can log in to an external service provider or relying party with credentials from Salesforce org.
For this use case, do one of the following:
1. enable sf org as a SAML identity provider and integrate a service provider as a SAML-connected app.
2. Use OpenID Connect to integrate a relying party with Salesforce org. - also needs a connected app. SF doesn’t need to be enabled as the identity provider
Single LogOut (SLO)
When users logout of one application, they are automatically logged out of all connected applications. This improves security and usability.
Salesforce supports the following: can be initiated from idp or sp
- SAML SLO as an identity provider or service provider
- OpenID Connect SLO as an identity provider or relying party
Delegated Authentication
this is similar to SSO but in this case one system relies on another system to validate user credentials while logging in and users must login to differnt apps spearately. they can still use same credentials.
When a user tries to log in to org, Salesforce calls web service to validate the user credentials.
General Steps:
1. Enable delegated authentication for the org.
2. Build web service.
3. Specify delegated authentication gateway URL.
4. Enable permissions - Is SIngle Sign on Enabled.
5. (Optional) Record login attempts.
this can be controlled per user or profile by enabling
Salesforce no longer manages the policies for user passwords, such as when passwords expire or the required minimum length. Instead, the delegated authentication endpoint’s service enforces password policies, if any.
