SSO(Single SIGN ON) is a very vital concept and as a fresher to IT industry many of us struggle to understand the definition and importance. The aim of the blog post is to help you to understand what SSO is and how easy it is to configure in salesforce.
SSO (Single Sign On) allows the end users to provide their credentials once and obtain access to multiple resources. The key point of the concept is that the users are not prompted for their credentials anew on access to participating resources until the
active session is terminated.
The participating resources are typically related, but still remain independent.
Specifically, each system may have own authorization system, providing system-specific roles to the end users.
We will be using an IDP simulator axiom on heruko to simulate federated SSO concept with salesforce as the service provider .
There are four ways we can have single sign on with salesforce and get authenticated .
- Delegated SSO
- Federated SSO
- JIT SSO (Just in Time SSO)
I am not going to explain each one of these as this is not the aim of this blog ,having said that i have few good reference link which you can refer to understand the difference between each of them
The above link is an awesome webinar which explains all the four ways and there advantages and disadvantages
2)There are some blog posts on developer.force.com and these blog posts are very interesting read
One of them,(first link a) uses salesforce as IDP and also as a service provider ,so two orgs are connected and explains the concept of SSO.These are valuable resources to spend time reading and configuring .
Now let me take some time to describe Federated SSO at high level .The above diagram will help me explaining the concept of Federated SSO.
In federated SSO uses SAML and we have an IDP(Identity Provider) and a Service Provider(SP).
The user makes a request to Force.com for a specific resource: This request may happen in a variety of ways for a variety of reasons. For example, the user may be following a bookmark, clicking on a link from an email, of allowing their browser to auto-complete.
- Force.com detects the user needs to authenticate and redirects the user to their SAML Identity Provider: Since the user doesn't present a session cookie, they need to authenticate. An organization-specific hostname allows the user's Org to be discovered, and they are sent over the SAML protocol. Along with a SAML Request, a form parameter called RelayState is passed along to the IDP. This captures the location of the resource the user originally requested
- The user accesses their IDP and authenticates. This authentication is performed by the IdP giving the customer complete control over the authentication process. A variety of popular techniques may be used, such as LDAP, a web access management system, Integrated Windows Authentication, or a 2-factor system such as SecurID.
- Once authenticated, the IDP sends a SAML Response back to Force.com. This response happens via the user's browser, and includes the RelayState originally sent by the Service Provider. The echoing of RelayState is critical to the success of the protocol, as this is what allows the user to be returned to the originally requested resource.
- Force.com processes the SAML assertion and logs the user in. The digital signature applied to the SAML Response allows verification that the message is from the Identity Provider, at which point the user is authenticated. They are granted a session and redirected to their original request.
Now come the actual part of practically simulating
Here i will be using axiom a heruko app built just for learning, testing, and troubleshooting single sign-on solutions for Salesforce.com
1)Configuration in Salesforce Environment
This is very simple and let me go through this step by step with screenshots
a)So first step is to register a domain in my domain and set the redirection policy (Navigate to Domain management>my Domain in your salesforce instance
b)Next step is to enable SAML 2.0 and configure the parameters for SAML SINGLE SIGN ON Settings
Once you enable SAML 2.0 as in below screenshot,the next step will be to download the certificate from axiom tool and upload in the SAML single sign on settings .Here are the screen shots to help you
So i hope screen shots are clear to understand .So its basicallyits feeding the entity Id and SSO start page got from the axiom screen back to the salesforce and then in the below video i am going to demonstrate how easy it is now to simulate the whole behavior.Its no point more speaking in words i felt instead decided to put a video