1. SSO Case Study Suchin Rengan Principal Technical Architect Salesforce.com

2. 2 The Scenario Outlook Browser Mobile

3. 3 Key Considerations  Must be Seamless  No Impacts to the intended Functionality  Focus on Usability  Comply with Security Standards –User credentials cannot be stored in any applications  Reusability wherever possible  Allow for Scalability

4. 4 SSO Mechanisms  DA –SF Legacy way to accomplish SSO –Customers have to build a Web Service that will authenticate requests that are delegated by SF –User Profiles need to be enabled for SSO –Delegated Authentication configuration to point to the Delegated Authentication Web Service hosted by the customer  SAML –SAML is a technology that enables SSO between two disparate systems (Web and Desktop) –SF supports SAML 1.1 and SAML 2.0 Support since Summer ’08 –Supports browser post profiles –Cannot be used to accomplish SSO for desktop/ outlook/ mobile clients (DA/ OAuth2 is a better alternative)  OAuth –Open standard for authorization (OAuth!) –Stop the password anti-pattern –Explicit grant of permission by user The Valet key concept –Credential is per-service-provider Revokable without changing password –Browser based authentication for rich clients Make it possible to participate in SSO

5. 5 The Browser Scenario Browser Identity Provider (Corporate Portal) 3. Post SAML 4. User Session 1. User Request 2. Validate and Generate SAML Token

6. 6 The Outlook Scenario Outlook Identity Provider User Session Intermediary Service SAML Token DA Service True/ False User Credentials (context based) SAML Token (Login API) DA Redirect

7. 7 The Mobile Scenario Mobile NT Authentication Services NT Login Credentials DA Service True/ False DA Redirect User Session

8. 8 Summary  Been in production for 2 years  Supports 20 K users