Category: security control

Single Sign-On Using SAML, SSO SAML implementation

How to set up Single Sign-On using SAML.

  1. Establish a SAML Identity Provider: here we send the Single Sign-On request to Salesforce.
  2. Provide information to the identity provider: here we have to give the login and logout URLs.
  3. Configure Salesforce.

How does Salesforce trust the Identity Provider?

To establish Single Sign-On, Salesforce must be connected to an Identity Provider. In order to establish the relationship between Salesforce and the Identity Provider, Salesforce must trust the identity provider. This trust is established as follows.

  • During configuration, the identity provider gives a digital certificate to Salesforce, and at run time Salesforce uses that certificate to validate the digital signature produced by the identity provider.

Enabling Salesforce to be a Service Provider.

To enable Salesforce as a Service Provider we must do the following important things.

  1. Download the digital signature certificate from the identity provider (IdP).
  2. Upload the digital signature certificate to Salesforce.
  3. Configure Salesforce.

Identity Provider-Initiated SAML Flow at run time.

The user signs in to the IdP using Single Sign-On. The IdP returns a page containing a form with the SAML assertion. The user then submits the SAML assertion to Salesforce to log in. The Service Provider (Salesforce) checks the digital signature and grants a session ID.


Service Provider-Initiated SAML Flow.

This is the situation where the user clicks a link to access something in Salesforce and is redirected to the IdP, which then sends the user back to Salesforce successfully.


The end user requests a page at a custom domain for Salesforce. Salesforce responds that the user is not logged in. The user then logs in with IdP credentials. The IdP redirects the user to Salesforce with a SAML assertion. Salesforce then redirects the end user to the requested page with a session ID.

Now we are going to create a new Single Sign-On configuration in Salesforce.

Go to Setup => Administer => Security Controls => Single Sign-On Settings.


Enable SAML. By enabling SAML we can create a new Single Sign-On configuration. Click Edit and check SAML Enabled.


Save it.


Now click the New button.


Before filling in the SAML Single Sign-On Settings we need some data. Go to the following URL and download the digital certificate that is to be uploaded.

Go to http://sfdc-tandc-saml-ip.herokuapp.com


Issuer: mockidp

Entity ID: https://saml.salesforce.com


Now go to the Configure section shown below.


Complete all the details as shown below.


Before logging in, log out from login.salesforce.com.

SAML, SAML 2.0, Security Assertion Markup Language

SAML, SAML 2.0, SAML Tutorials

SAML, SAML 2.0: in this training tutorial we are going to learn clearly what Security Assertion Markup Language is, how SAML works, identity providers, SAML service providers, assertions, SAML authentication and SAML authorization.

What is SAML?

SAML stands for Security Assertion Markup Language and it is based on XML (Extensible Markup Language). SAML allows an authentication decision to be communicated between one service provider and another. Salesforce supports SAML for Single Sign-On from an external or portal identity provider.

How does SAML work?

SAML is mainly based on trust. Here we are enabling SAML in Salesforce for Single Sign-On. Enabling SAML means we are creating a connection between the Service Provider and the Identity Provider. We configure the Service Provider to connect to the Identity Provider, and the identity provider is connected to the user. The Service Provider then trusts the end user on the strength of that chain.

What is a SAML Assertion?

A SAML assertion carries the request that is essential to provide access to the end user. It is a directive from the IdP attesting that the user is legitimate.

There are four key pieces of information in an assertion.

  1. Digital signature provided by the IdP.
  2. Issuer: the name of the service provider.
  3. Entity ID: the name of the service provider.
  4. The Subject: the Salesforce.com user ID.
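The following is an added example, not code from the original tutorial or from Salesforce, showing what the service provider's "check the digital signature and grant a session ID" step in the two flows above amounts to in practice: it parses a SAML response and checks the four pieces of information just listed (signature, Issuer, Entity ID as the assertion's Audience, Subject) plus the assertion's validity window. The sample response is constructed for this example and reuses the tutorial's values (Issuer mockidp, Entity ID https://saml.salesforce.com); the verify_signature hook is an assumption standing in for real XML-DSig verification against the IdP certificate uploaded at configuration time, which a deployment would delegate to a library such as xmlsec.

```python
"""Checks a service provider performs on a SAML response before issuing a session.

Added example: the sample XML below is constructed, not captured from an IdP,
and the verify_signature callback is a placeholder for real XML-DSig checking.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Values the service provider learned at configuration time (from the tutorial).
EXPECTED_ISSUER = "mockidp"
EXPECTED_AUDIENCE = "https://saml.salesforce.com"

# Constructed sample response; the SignatureValue is a placeholder, not a real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>mockidp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>mockidp</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://saml.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(response_xml, now, expected_issuer=EXPECTED_ISSUER,
                    expected_audience=EXPECTED_AUDIENCE, verify_signature=None):
    """Return a list of reasons to reject the response; an empty list means accept.

    verify_signature(assertion_element) -> bool is an assumed hook for XML-DSig
    verification against the configured IdP certificate (e.g. via xmlsec).
    """
    problems = []
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]

    # 1. Digital signature provided by the IdP: it must be present and must verify.
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion is unsigned")
    elif verify_signature is not None and not verify_signature(assertion):
        problems.append("signature does not verify against the configured IdP certificate")

    # 2. Issuer must match the IdP configured in Single Sign-On Settings.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"unexpected issuer {issuer!r}")

    # 3. Entity ID: the assertion must be addressed to this service provider.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} does not include {expected_audience}")

    # 4. Subject: identifies which user the session is granted to.
    if not assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS):
        problems.append("missing Subject NameID")

    # Validity window: a signed assertion must not be accepted indefinitely.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_time(not_before):
            problems.append("assertion not yet valid")
        if not not_on_or_after:
            problems.append("missing NotOnOrAfter")
        elif now >= parse_time(not_on_or_after):
            problems.append("assertion expired")
    return problems


if __name__ == "__main__":
    now = parse_time("2024-01-01T12:00:00Z")
    verdict = check_assertion(SAMPLE_RESPONSE, now, verify_signature=lambda a: True)
    print("grant session" if not verdict else f"reject: {verdict}")
```

Every failed check is collected rather than stopping at the first, which gives a log line that says why a login was refused; a service provider would still issue a session only when the list is empty. The same function rejects the sample when the clock is moved past NotOnOrAfter, when the Audience does not name this service provider, or when the Signature element is missing, which is how the trust established at configuration time is actually enforced at run time.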

What is a SAML Identity Provider (IdP)?

Identity Providers are services that give users access to online resources by authenticating them over the network. An Identity Provider is sometimes also called an identity service provider or identity assertion provider. Salesforce can act as a SAML Identity Provider.

What are SAML Service Providers (SP)?

Service providers (SP) are those who provide resources such as web services to a user over the internet via Single Sign-On. Salesforce can be a SAML Service Provider that is accessed from another authentication server.

Salesforce Identity.

Salesforce provides many managed, standards-based authentication and authorization services. Below are some of the services it offers.

  • Salesforce as SAML IdP.
  • Salesforce as SAML SP.
  • OAuth Connected Apps.
  • Canvas Connected Apps.
  • Single Sign-On for communities and portals.

Single Sign On, SSO Login, Single Sign On Login


Single Sign On, SSO Login, Single Sign On Login: in this tutorial we are going to study clearly what Single Sign-On is, how to implement SSO in Salesforce, how single sign-on works, its definition, the different types of single sign-on, the benefits of single sign-on, federated single sign-on, delegated single sign-on, managed service providers, what SAML is, the SAML 2.0 specifications, SAML authentication, SAML identity providers and SAML assertions.

What is single sign-on?

SSO, or Single Sign-On, is the process that allows every network user to access all authorized network resources with a single username and password, without needing different usernames and passwords for each resource in the network.

Suppose an organization has a number of systems, applications and resources that every user needs to access. To access each of them, the user must log in to that application with its own username and password. The more resources a user needs, the harder it becomes to remember all those passwords. SSO is implemented to eliminate this problem.

Benefits of single sign-on

Many benefits can be observed once Single Sign-On is implemented. The following are the benefits to your organization from single sign-on.

  1. Reduced administration costs: there is no need to remember all the usernames and passwords. Users reach Salesforce resources and external applications already logged in, without being asked to enter a username or password.
  2. Leverage existing investments: many companies use an LDAP database to manage their users' identities and to authenticate them to the systems in their organization. When a user is removed from the LDAP system, that user is immediately removed and is no longer able to log in to those systems.
  3. Time saving.
  4. Increased user adoption: users of Salesforce are more comfortable sending email messages that contain links to information in salesforce.com.
  5. Increased security.

Different types of Single Sign-On implementations.

Single Sign-On, or SSO, can be implemented in two ways.

  1. Federated authentication.
  2. Delegated authentication.

What is Federated Single Sign-On authentication?

In Salesforce, if federated single sign-on authentication is enabled, Salesforce does not validate the user's password. Instead of validating the password, Salesforce verifies an assertion in the HTTP POST request and allows single sign-on if the assertion is valid; if the assertion is not valid, Salesforce does not allow SSO.

What is Delegated Single Sign-On authentication?

Delegated Single Sign-On authentication is the second type of single sign-on in Salesforce. When it is enabled, Salesforce allows a web service belonging to your organization to establish the users' authentication credentials instead of Salesforce validating the users' passwords itself.

Authentication Providers.

Authentication providers are external services that supply authentication credentials to users. The credentials they provide are tied to profiles that carry login IP range restrictions and session IDs.


Here we are required to set up a new Authentication Provider to establish the connection. The authentication process follows the steps below.

  • The user tries to log in to Salesforce using a third-party identity.
  • The login request is redirected to the third-party provider.
  • The user is approved for access.
  • The Authentication Provider redirects the user to Salesforce.
  • The user is now logged in to Salesforce.