Suchin Rengan Principal Technical Architect Salesforce.com


SSO Best Practices

Best Practices (Delegated Authentication)
- Implement a DA mechanism only if SAML/OAuth is not deemed appropriate
- Delegated Authentication needs custom development, and thereby maintenance and support
- Delegated Authentication is not an industry standard
- Implementation consideration: the result must be returned within 10 seconds of the request, else the request fails
- Recommendation is not to enable this on the System Administrator's profile, since during an outage there needs to be a way for Sys Admins to log in

Best Practices (Delegated Authentication)
- Implement using the existing skill set within the organization (Java/.NET skills)
- Make sure appropriate testing has been performed to handle a large number of concurrent logins
- Host the Delegated Authentication web service on a highly available platform; incorporate fault tolerance, load balancing and failover strategies
- Reuse tokens/credentials that adhere to corporate standards
- Leverage the existing credential store and services that can validate/authenticate tokens
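The two Delegated Authentication slides above come down to one service contract: Salesforce posts the user's credentials to your endpoint, you validate them against the existing corporate credential store, and you must answer inside the 10 second limit or the login fails. The following is an added example (not the presenter's code) of such an endpoint written to fail closed: the backend check runs under a budget well below Salesforce's deadline, and a timeout or backend error is returned as "not authenticated" rather than left to time out. The SOAP element names and namespace are written from memory of the Salesforce delegated authentication WSDL and should be checked against it; the credential store and the sample request are constructed.

```python
"""Delegated-authentication endpoint sketch: bounded backend call, fail closed.

Added example, not the presenter's code. SOAP element names/namespace are an
assumption (recalled from the delegated authentication WSDL, not from the slides).
"""
import time
import xml.etree.ElementTree as ET
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

# Salesforce gives up on a delegated-auth request after 10 s (from the slides),
# so the service answers well inside that budget and treats a slow backend as "no".
SALESFORCE_DEADLINE_S = 10.0
DEFAULT_BUDGET_S = 5.0

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH_NS = "urn:authentication.soap.sforce.com"   # assumption: namespace as in the WSDL

# Constructed stand-in for the corporate credential store the slides say to reuse.
CRED_STORE = {"alice@corp.example": "correct horse battery staple"}


def validate_against_store(username, password):
    """Hypothetical credential check; real deployments call LDAP/AD or a token service."""
    return CRED_STORE.get(username) == password


def slow_validator(username, password):
    """Simulates a backend that exceeds the budget (used to show the fail-closed path)."""
    time.sleep(0.5)
    return True


class DelegatedAuthService:
    def __init__(self, validator=validate_against_store, budget_s=DEFAULT_BUDGET_S,
                 always_false=False):
        assert budget_s < SALESFORCE_DEADLINE_S, "budget must leave margin under the 10 s limit"
        self.validator = validator
        self.budget_s = budget_s
        self.always_false = always_false  # mode for orgs that only allow SAML logins

    def authenticate(self, username, password, source_ip):
        """True only when the backend positively confirms the credentials in time."""
        if self.always_false or not username or not password:
            return False
        pool = ThreadPoolExecutor(max_workers=1)
        future = pool.submit(self.validator, username, password)
        try:
            return future.result(timeout=self.budget_s) is True
        except FutureTimeout:
            return False   # slow backend: fail closed instead of letting Salesforce time out
        except Exception:
            return False   # backend error: fail closed
        finally:
            pool.shutdown(wait=False)

    def handle_soap(self, request_xml):
        """Parse an Authenticate request envelope and return the response envelope."""
        root = ET.fromstring(request_xml)
        req = root.find(f"{{{SOAP_NS}}}Body/{{{AUTH_NS}}}Authenticate")
        if req is None:
            return soap_response(False)
        field = lambda tag: req.findtext(f"{{{AUTH_NS}}}{tag}") or ""
        ok = self.authenticate(field("username"), field("password"), field("sourceIp"))
        return soap_response(ok)


def soap_response(ok):
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    res = ET.SubElement(body, f"{{{AUTH_NS}}}AuthenticateResult")
    ET.SubElement(res, f"{{{AUTH_NS}}}Authenticated").text = "true" if ok else "false"
    return ET.tostring(env, encoding="unicode")


def authenticated(response_xml):
    """Read the boolean back out of a response envelope."""
    root = ET.fromstring(response_xml)
    return root.findtext(f".//{{{AUTH_NS}}}Authenticated") == "true"


# Constructed request in the shape Salesforce would POST.
SAMPLE_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:a="{AUTH_NS}">
  <soapenv:Body><a:Authenticate>
    <a:username>alice@corp.example</a:username>
    <a:password>correct horse battery staple</a:password>
    <a:sourceIp>203.0.113.10</a:sourceIp>
  </a:Authenticate></soapenv:Body></soapenv:Envelope>"""

if __name__ == "__main__":
    print(DelegatedAuthService().handle_soap(SAMPLE_REQUEST))
```

The executor is shut down with wait=False so a hung backend does not hold the request thread past the budget; the always_false switch is the "service that always returns false" pattern for orgs where only SAML logins are allowed.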

Best Practices (SAML)
- Make sure the IdP is on a highly available environment; incorporate fault tolerance, load balancing and failover strategies
- Use the Federation ID instead of the Salesforce username as the subject ID, for performance:
  - Identity is based on the login and no mapping is required to find the Salesforce username
  - The login POST is org specific, hence no time is needed by Salesforce to resolve the org instance
- If using the username, pass it in an Attribute instead of the Subject; this helps accomplish posting the token to an instance URL
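To make the Subject versus Attribute advice concrete, here is an added example (not the presenter's code) that builds the identity-carrying part of a SAML 2.0 assertion the way the slide recommends: the Federation ID travels as the Subject NameID, and the Salesforce username, when it is needed at all, travels as an Attribute. It also evaluates the assertion's Conditions window with the three-minute skew tolerance the later slide mentions, which is the check a relying party applies. The assertion is unsigned and minimal (no Signature, AudienceRestriction or SubjectConfirmation), the attribute name "username" is an assumption that would have to match the org's SSO settings, and the user record is constructed.

```python
"""Where the Federation ID and the username go in a SAML assertion for Salesforce.

Added example, not the presenter's code. Unsigned, minimal assertion for
illustration only; the attribute name and the user record are assumptions.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
USERNAME_ATTR = "username"      # assumption: attribute name configured on the Salesforce side
INSTANT_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed directory record: the Federation ID is the stable login-time identity,
# the username is what Salesforce would otherwise have to look up from it.
USER = {"federation_id": "e12345", "username": "alice@corp.example"}


def parse_instant(value):
    return datetime.strptime(value, INSTANT_FMT).replace(tzinfo=timezone.utc)


def format_instant(dt):
    return dt.astimezone(timezone.utc).strftime(INSTANT_FMT)


def build_assertion(user, issued_at, validity_s=300,
                    issuer="https://idp.corp.example", username_as_attribute=True):
    """Subject NameID carries the Federation ID; the username (if needed) is an Attribute."""
    issued = parse_instant(issued_at)
    a = ET.Element(f"{{{SAML}}}Assertion",
                   {"Version": "2.0", "ID": "_constructed-id", "IssueInstant": issued_at})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(a, f"{{{SAML}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": NAMEID_UNSPECIFIED})
    name_id.text = user["federation_id"]
    ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": issued_at,
        "NotOnOrAfter": format_instant(issued + timedelta(seconds=validity_s)),
    })
    if username_as_attribute:
        stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", {"Name": USERNAME_ATTR})
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = user["username"]
    return ET.tostring(a, encoding="unicode")


def subject_name_id(assertion_xml):
    return ET.fromstring(assertion_xml).findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")


def attribute_value(assertion_xml, name):
    for attr in ET.fromstring(assertion_xml).iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == name:
            return attr.findtext(f"{{{SAML}}}AttributeValue")
    return None


def conditions_hold(assertion_xml, at, skew_s=180):
    """Evaluate NotBefore/NotOnOrAfter as a relying party with skew tolerance does.

    `at` is an instant string in the same format; skew widens the window on both sides.
    """
    cond = ET.fromstring(assertion_xml).find(f"{{{SAML}}}Conditions")
    tolerance = timedelta(seconds=skew_s)
    not_before = parse_instant(cond.get("NotBefore")) - tolerance
    not_on_or_after = parse_instant(cond.get("NotOnOrAfter")) + tolerance
    return not_before <= parse_instant(at) < not_on_or_after


SAMPLE_ASSERTION = build_assertion(USER, "2024-05-01T12:00:00Z")

if __name__ == "__main__":
    print(SAMPLE_ASSERTION)
```

With a five-minute validity and three minutes of skew, the relying party accepts the assertion from three minutes before IssueInstant up to eight minutes after it; anything outside that is the "inconsistent timeout / session creation" symptom the skew slide warns about.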

Best Practices (SAML)
- Be proactive with regard to certificate (Salesforce and client) expirations
- Schedule a maintenance window prior to expiration to refresh certificates

Best Practices (SAML)
- Disabling users from directly logging into SF if SAML is enabled:
  - Implement a Delegated Authentication service that always returns 'false'
  - Use the My Domain feature to restrict users from logging in directly
- Implement custom logout and error pages to present custom messages instead of the defaults
- Leverage corporate branded pages as appropriate, with messages indicating whom to contact in case of errors

Best Practices (SAML)
- Check for any time skews that may lead to inconsistent timeout/session creation issues
- Salesforce.com allows a maximum of three minutes of clock skew with your IdP server; make sure your server's clock is up to date
- Perform periodic testing to make sure the time skew is within a couple of minutes
- A quick process can be written to fetch times from the IdP and SF (getServerTimeStamp()) and compute the difference, to make sure it is within limits
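The "quick process" the slide describes is mostly a matter of getting the two timestamps into the same clock before subtracting them, which is where such checks usually go wrong (a naive local time compared against a UTC value reports an hours-long skew that does not exist). The following is an added example, not the presenter's script: it takes a Salesforce server timestamp in the xsd:dateTime shape the SOAP getServerTimestamp() call returns and an IdP time read from an HTTP Date header, normalises both to UTC, and classifies the difference against the three-minute limit from the slide and the tighter two-minute target for the periodic check. The sample values are constructed; fetching them (a SOAP call to Salesforce, a HEAD request to the IdP) is left to the caller.

```python
"""Clock-skew check between the IdP and Salesforce.

Added example, not the presenter's process. Sample timestamps are constructed:
the Salesforce value is in the xsd:dateTime shape getServerTimestamp() returns,
the IdP value is an HTTP Date header such as an IdP endpoint returns.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW_S = 3 * 60     # Salesforce tolerance stated on the slide
TARGET_SKEW_S = 2 * 60  # tighter threshold for the periodic check


def parse_salesforce_timestamp(value):
    """xsd:dateTime such as '2024-05-01T12:00:00.000Z', returned as aware UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:   # defensive: treat a naive value as UTC, never as local time
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def parse_http_date(value):
    """RFC 7231 Date header such as 'Wed, 01 May 2024 12:02:30 GMT', returned as aware UTC."""
    dt = parsedate_to_datetime(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def skew_seconds(idp_time, sf_time):
    """Signed IdP-minus-Salesforce difference; both inputs must be aware datetimes."""
    return (idp_time - sf_time).total_seconds()


def classify(skew):
    magnitude = abs(skew)
    if magnitude > MAX_SKEW_S:
        return "fail"   # assertions will be rejected as not-yet-valid or expired
    if magnitude > TARGET_SKEW_S:
        return "warn"   # still accepted, but no margin left for further drift
    return "ok"


def check(idp_date_header, sf_timestamp):
    """Return (signed skew in seconds, status) for one pair of samples."""
    skew = skew_seconds(parse_http_date(idp_date_header),
                        parse_salesforce_timestamp(sf_timestamp))
    return skew, classify(skew)


# Constructed sample pairs (IdP Date header, Salesforce server timestamp).
SAMPLES = [
    ("Wed, 01 May 2024 12:00:05 GMT", "2024-05-01T12:00:00.000Z"),
    ("Wed, 01 May 2024 12:02:30 GMT", "2024-05-01T12:00:00.000Z"),
    ("Wed, 01 May 2024 11:56:00 GMT", "2024-05-01T12:00:00.000Z"),
]

if __name__ == "__main__":
    for idp, sf in SAMPLES:
        print(idp, "vs", sf, "->", check(idp, sf))
```

Run it from a scheduler and alert on anything other than "ok"; a "warn" is the point at which to fix NTP before the drift reaches the limit and logins start failing.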