
Suchin Rengan Principal Technical Architect Salesforce.com



Presentation on theme: "Suchin Rengan Principal Technical Architect Salesforce.com"— Presentation transcript:

Slide 1: SSO Best Practices
Suchin Rengan, Principal Technical Architect, Salesforce.com

Slide 2: Best Practices (Delegated Authentication)
- Implement a DA mechanism only if SAML/OAuth is not deemed appropriate
  - Delegated Authentication needs custom development, and thereby maintenance and support
  - Delegated Authentication is not an industry standard
- Implementation considerations, such as: the result must be returned within 10 seconds of the request, else the request fails
- Recommendation is not to enable this on the System Administrator profile, since during an outage there needs to be a way for Sys Admins to log in

Slide 3: Best Practices (Delegated Authentication)
- Implement using the existing skill set within the organization (Java/.NET skills)
- Make sure appropriate testing has been performed to handle a large number of concurrent logins
- Host the Delegated Authentication web service on a highly available platform
  - Incorporate fault tolerance, load balancing and failover strategies
- Reuse tokens/credentials that adhere to corporate standards
  - Leverage the existing credential store and services that can validate/authenticate tokens
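The two Delegated Authentication slides above describe a service with a hard 10-second budget that reuses an existing credential store and fails in a controlled way. The following is an added example of such a responder (it is not code from the presentation or from Salesforce), written with only the Python standard library. Assumptions, labelled as such: the element names and the namespace urn:authentication.soap.sforce.com follow the Delegated Authentication WSDL as recalled by the author of this example and should be checked against the WSDL you download; CREDENTIAL_STORE is a constructed in-memory stand-in for the corporate credential or token service; the saml_only switch is a hypothetical knob for orgs that want every DA request rejected.

```python
"""
Delegated Authentication (DA) responder, added as an example; not code from
the presentation or from Salesforce.

Assumptions (not stated on the slides):
  * Element names (Authenticate, username, password, sourceIp,
    AuthenticateResult, Authenticated) and the namespace
    urn:authentication.soap.sforce.com are what the DA WSDL uses as far as
    this example's author recalls; verify against the real WSDL.
  * CREDENTIAL_STORE is a constructed stand-in for the corporate credential
    store / token validation service the slides say to reuse.
"""
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
import hashlib
import hmac
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "urn:authentication.soap.sforce.com"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
REQUEST_BUDGET_SECONDS = 10.0   # Salesforce abandons a DA call after 10 s


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed credential store: username -> (salt, derived key).
_SALT = b"constructed-demo-salt"
CREDENTIAL_STORE = {
    "alice@example.com": (_SALT, _derive("correct horse battery staple", _SALT)),
}


def verify_credentials(username: str, password: str) -> bool:
    """Check a password against the store; unknown users take the same code path."""
    salt, expected = CREDENTIAL_STORE.get(username, (_SALT, bytes(32)))
    return hmac.compare_digest(_derive(password, salt), expected)


def parse_authenticate(soap_xml: str) -> dict:
    """Pull username/password/sourceIp out of an Authenticate request."""
    root = ET.fromstring(soap_xml)
    node = root.find(f".//{{{NS}}}Authenticate")
    if node is None:
        raise ValueError("no Authenticate element in request")
    return {f: node.findtext(f"{{{NS}}}{f}", default="")
            for f in ("username", "password", "sourceIp")}


def build_response(authenticated: bool) -> str:
    flag = "true" if authenticated else "false"   # only a bool ever reaches here
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
            f'<AuthenticateResult xmlns="{NS}"><Authenticated>{flag}</Authenticated>'
            f'</AuthenticateResult></soapenv:Body></soapenv:Envelope>')


def is_authenticated(response_xml: str) -> bool:
    root = ET.fromstring(response_xml)
    return root.findtext(f".//{{{NS}}}Authenticated") == "true"


def handle_authenticate(soap_xml: str, *, saml_only: bool = False,
                        budget: float = REQUEST_BUDGET_SECONDS,
                        verifier=verify_credentials) -> str:
    """Answer one DA request. Every failure path returns Authenticated=false."""
    if saml_only:                      # hypothetical switch: reject every DA login
        return build_response(False)
    try:
        req = parse_authenticate(soap_xml)
    except (ET.ParseError, ValueError):
        return build_response(False)
    if not req["username"] or not req["password"]:
        return build_response(False)
    # Run the credential check with a deadline inside the 10 s budget, so a slow
    # directory yields an explicit "false" rather than a Salesforce-side timeout.
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(verifier, req["username"], req["password"])
    try:
        ok = bool(future.result(timeout=budget * 0.8))
    except FutureTimeout:
        ok = False                     # fail closed
    finally:
        pool.shutdown(wait=False)
    return build_response(ok)


def sample_request(username: str, password: str, source_ip: str = "203.0.113.7") -> str:
    """Constructed request body in the shape the WSDL describes (assumption)."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
            f'<Authenticate xmlns="{NS}"><username>{escape(username)}</username>'
            f'<password>{escape(password)}</password><sourceIp>{escape(source_ip)}</sourceIp>'
            f'</Authenticate></soapenv:Body></soapenv:Envelope>')
```

Load-test handle_authenticate with the concurrency you expect at peak login time; the deadline on the credential check is what keeps a slow backend from turning into the silent 10-second failure the slide warns about, and a timeout should be logged as a distinct event so it is not mistaken for a bad password.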

Slide 4: Best Practices (SAML)
- Make sure the IdP is on a highly available environment
  - Incorporate fault tolerance, load balancing and failover strategies
- Use the Federation ID instead of the Salesforce username as the Subject ID, for performance
  - Identity is based on the login, and no mapping is required to determine the Salesforce username
  - The login POST is org-specific, hence no time is needed by Salesforce to resolve the org instance
- If using the username, pass it in an Attribute instead of the Subject; this helps accomplish posting the token to an instance URL

Slide 5: Best Practices (SAML)
- Be proactive with regard to certificate (Salesforce and client) expirations
  - Schedule a maintenance window prior to expiration to refresh certificates

Slide 6: Best Practices (SAML)
- Disabling users from directly logging into SF if SAML is enabled
  - Implement a Delegated Authentication service that will always return 'false'
  - Use the My Domain feature to restrict users from logging in directly
- Implement custom logout and error pages to present custom messages instead of the defaults
  - Leverage corporate-branded pages as appropriate, with messages indicating whom to contact in case of errors

Slide 7: Best Practices (SAML)
- Check for any time skews that may lead to inconsistent timeout/session creation issues
  - Salesforce.com allows a maximum of three minutes of clock skew with your IdP server; make sure your server's clock is up to date
  - Perform periodic testing to make sure that the time skew is within a couple of minutes
  - A quick process can be written to fetch times from the IdP and SF (getServerTimeStamp()) and compute the difference to make sure it is within limits
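Two of the SAML slides above lend themselves to one worked example: slide 4 (Federation ID in the Subject, username in an Attribute) and slide 7 (the three-minute clock-skew allowance and a periodic skew check). The block below is an added example, not code from the presentation or from Salesforce, using only the Python standard library. Assumptions, labelled as such: the attribute carrying the username is called "username" (use whatever name your IdP and your Salesforce SSO settings agree on); the assertion is constructed for the example; signature verification is not shown and must already have passed before any of these values are trusted; the skew check takes two datetimes as input, one of which you would obtain from the getServerTimeStamp() call the slide mentions.

```python
"""
SAML assertion checks, added as an example; not code from the presentation
or from Salesforce.

Assumptions (not stated on the slides):
  * The username attribute is named "username".
  * SAMPLE_ASSERTION is constructed for this example and is unsigned;
    signature verification is out of scope and must happen first.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_SKEW = timedelta(minutes=3)   # the three-minute tolerance the slide states

SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">EMP-00042</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value: str) -> datetime:
    """SAML dateTime values are UTC and normally end in 'Z', which older
    fromisoformat() versions reject; normalise to an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def extract_identity(assertion_xml: str) -> dict:
    """Federation ID is the Subject NameID; the username (if the IdP sends it
    at all) travels in an Attribute, as slide 4 recommends."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext(f"./{{{SAML}}}Subject/{{{SAML}}}NameID")
    username = None
    for attr in root.iterfind(f".//{{{SAML}}}Attribute"):
        if attr.get("Name") == "username":
            username = attr.findtext(f"{{{SAML}}}AttributeValue")
    return {"federation_id": name_id, "username": username}


def conditions_valid(assertion_xml: str, now: datetime,
                     max_skew: timedelta = MAX_SKEW) -> bool:
    """Apply NotBefore / NotOnOrAfter with the skew allowance on both edges.
    A missing Conditions element is treated as invalid (fail closed)."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"./{{{SAML}}}Conditions")
    if cond is None:
        return False
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + max_skew < parse_saml_time(not_before):
        return False
    if not_on_or_after and now - max_skew >= parse_saml_time(not_on_or_after):
        return False
    return True


def clock_skew(idp_time: datetime, sp_time: datetime) -> timedelta:
    """Absolute difference between the two clocks, for the periodic check:
    pass the IdP's reported time and the Salesforce server timestamp."""
    return abs(idp_time - sp_time)


def skew_within_limit(idp_time: datetime, sp_time: datetime,
                      limit: timedelta = MAX_SKEW) -> bool:
    return clock_skew(idp_time, sp_time) <= limit
```

Run the skew check from a scheduled job and alert well before the difference reaches the three-minute limit; by the time assertions start failing conditions_valid, users are already locked out.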

