SSO Best Practices
Suchin Rengan
Principal Technical Architect
Salesforce.com
2
Best Practices (Delegated Authentication)
• Implement the DA mechanism only if SAML/OAuth is not deemed appropriate
  – Delegated Authentication needs custom development and thereby maintenance and support
  – Delegated Authentication is not an industry standard
• Implementation consideration: the result must be returned within 10 seconds of the request, else the request fails
• Recommendation is not to enable this on the System Administrator’s profile, since during an outage there needs to be a way for Sys Admins to log in
3
Best Practices (Delegated Authentication)
• Implement using the existing skill set within the organization
  – Java/.NET skills
• Make sure appropriate testing has been performed to handle a large number of concurrent logins
• Host the Delegated Authentication web service on a highly available platform
  – Incorporate fault tolerance, load balancing and failover strategies
• Reuse tokens/credentials that adhere to corporate standards
  – Leverage the existing credential store and services that can validate/authenticate tokens
4
Best Practices (SAML)
• Make sure the IdP is in a highly available environment
  – Incorporate fault tolerance, load balancing and failover strategies
• Use the Federation ID instead of the Salesforce username as the subject ID, for performance
  – Identity is based on the login and no mapping is required to know the Salesforce username
  – The login post is org specific, hence Salesforce needs no time to resolve the org instance
  – If using the username, pass it in an Attribute instead of the Subject; this helps accomplish posting the token to an instance URL
5
Best Practices (SAML)
• Be proactive with regard to certificate (Salesforce and client) expirations
  – Schedule a maintenance window prior to expiration to refresh certificates
6
Best Practices (SAML)
• Disable users from directly logging into SF if SAML is enabled
  – Implement a Delegated Authentication service that always returns ‘false’
  – Use the My Domain feature to restrict users from logging in directly
• Implement custom logout and error pages to present custom messages instead of the defaults
  – Leverage the corporate branded pages as appropriate, with messages indicating whom to contact in case of errors
7
Best Practices (SAML)
• Check for any time skew that may lead to inconsistent timeout/session creation issues
  – Salesforce.com allows a maximum of three minutes of clock skew with your IdP server; make sure your server's clock is up to date
  – Perform periodic testing to make sure that the time skew is within a couple of minutes
  – A quick process can be written to fetch times from the IdP and SF (getServerTimeStamp()) and compute the difference, to make sure it is within limits
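The skew check described in the last bullet, as an added example that is not part of the original deck: it assumes the IdP's time is read from the Date header of an HTTP response and the Salesforce time is the ISO 8601 string returned by getServerTimeStamp(), and it applies the three-minute limit with a stricter two-minute warning target so drift is caught before logins start failing.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Salesforce allows at most three minutes of clock skew between the IdP and
# its own servers (the limit stated on the slide).
MAX_SKEW_SECONDS = 3 * 60
# Stricter internal target (assumed here) so drift is caught early.
WARN_SKEW_SECONDS = 2 * 60


def parse_sf_timestamp(ts):
    """Parse the ISO 8601 value returned by getServerTimeStamp(), e.g.
    '2024-05-01T12:00:00.000Z'. fromisoformat() on older Python versions
    rejects a trailing 'Z', so it is rewritten as an explicit UTC offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_idp_timestamp(ts):
    """Parse an RFC 1123 Date header from the IdP's HTTP response,
    e.g. 'Wed, 01 May 2024 12:01:30 GMT'."""
    return parsedate_to_datetime(ts).astimezone(timezone.utc)


def clock_skew_seconds(idp_time, sf_time):
    """Absolute difference between the two clocks, in seconds."""
    return abs((idp_time - sf_time).total_seconds())


def classify_skew(skew):
    """'ok' within the warning target, 'warn' below the Salesforce limit,
    'fail' at or beyond the limit, where SAML logins will be rejected."""
    if skew <= WARN_SKEW_SECONDS:
        return "ok"
    if skew < MAX_SKEW_SECONDS:
        return "warn"
    return "fail"


def check_skew(idp_date_header, sf_server_timestamp):
    """Run the whole check on the two raw strings; returns (skew, status)."""
    skew = clock_skew_seconds(parse_idp_timestamp(idp_date_header),
                              parse_sf_timestamp(sf_server_timestamp))
    return skew, classify_skew(skew)


if __name__ == "__main__":
    # Constructed sample values; a real run would fetch the first from the
    # IdP's HTTP Date header and the second from getServerTimeStamp().
    skew, status = check_skew("Wed, 01 May 2024 12:01:30 GMT",
                              "2024-05-01T12:00:00.000Z")
    print(f"skew={skew:.0f}s status={status}")
```

Scheduling this as a periodic job and alerting on "warn" gives the early notice the slide asks for, before the three-minute limit is reached.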