Page 1

SSO Best Practices
Suchin Rengan, Principal Technical Architect, Salesforce.com

Page 2

Best Practices (Delegated Authentication)

• Implement a DA mechanism only if SAML/OAuth is not deemed appropriate
  – Delegated Authentication needs custom development and thereby maintenance and support
  – Delegated Authentication is not an industry standard
• Implementation consideration: the result must be returned within 10 seconds of the request, else the login request fails
• Recommendation is not to enable this on the System Administrator's profile, since during an outage there needs to be a way for Sys Admins to log in

Page 3

Best Practices (Delegated Authentication)

• Implement using the existing skill set within the organization
  – Java/.NET skills
• Make sure appropriate testing has been performed to handle a large number of concurrent logins
• Host the Delegated Authentication web service on a highly available platform
  – Incorporate fault tolerance, load balancing and failover strategies
• Reuse tokens/credentials that adhere to corporate standards
  – Leverage the existing credential store and services that can validate/authenticate tokens
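The Delegated Authentication web service that slides 2 and 3 describe, written out as an added example (this is not the presenter's or Salesforce's code). Salesforce POSTs a SOAP Authenticate request carrying the username, password and source IP, and the service must answer with a boolean within the 10 seconds stated on slide 2. The element names follow the Salesforce AuthenticationService WSDL as recalled here and are an assumption to confirm against the WSDL downloaded from your org; the credential store, the PBKDF2 records, the source-IP allow-list and the 5-second response budget are constructed for the example. The service fails closed when the request is malformed, the source IP is off the allow-list, the credentials are wrong, or the lookup overran the budget, and it logs each decision so a slow or unavailable credential store is visible before users start seeing login failures.

```python
"""Minimal Delegated Authentication (DA) listener for Salesforce.
Added example, not the presenter's code. Salesforce POSTs a SOAP Authenticate
request (username, password, sourceIp) and expects a boolean Authenticated reply
within 10 seconds. Element names follow the Salesforce AuthenticationService WSDL
as recalled here (assumption): confirm them against the WSDL from your org's Setup.
"""
import hashlib
import hmac
import ipaddress
import logging
import os
import time
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer
from xml.sax.saxutils import escape

NS = "urn:authentication.soap.sforce.com"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SALESFORCE_TIMEOUT_S = 10.0  # limit stated on slide 2
RESPONSE_BUDGET_S = 5.0      # assumption: answer well inside that limit
PBKDF2_ROUNDS = 200_000
log = logging.getLogger("da")


def make_record(password: str) -> dict:
    """Salted PBKDF2 record standing in for the corporate credential store."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)}


# Constructed store and source-IP allow-list (slide 3: reuse the existing store).
CREDENTIAL_STORE = {"alice@example.com": make_record("correct horse battery")}
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def check_credentials(username: str, password: str, store: dict) -> bool:
    rec = store.get(username) or {"salt": b"\0" * 16, "hash": b"\0" * 32}  # dummy keeps timing uniform
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return username in store and hmac.compare_digest(digest, rec["hash"])


def ip_allowed(source_ip: str) -> bool:
    try:
        return any(ipaddress.ip_address(source_ip) in net for net in ALLOWED_NETWORKS)
    except ValueError:
        return False


def parse_request(body: bytes) -> tuple:
    """Pull username, password and sourceIp out of the Authenticate element
    (use defusedxml instead of the stdlib parser in production)."""
    auth = ET.fromstring(body).find(f".//{{{NS}}}Authenticate")
    if auth is None:
        raise ValueError("no Authenticate element in request")
    field = lambda n: auth.findtext(f"{{{NS}}}{n}") or auth.findtext(n) or ""
    return field("username"), field("password"), field("sourceIp")


def soap_response(authenticated: bool) -> bytes:
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body><AuthenticateResult xmlns="{NS}">'
            f'<Authenticated>{"true" if authenticated else "false"}</Authenticated>'
            f'</AuthenticateResult></soapenv:Body></soapenv:Envelope>').encode()


def handle_authenticate(body: bytes, store: dict = CREDENTIAL_STORE, now=time.monotonic) -> bytes:
    """One DA round trip. Fails closed on malformed input, a source IP outside the
    allow-list, wrong credentials, or a lookup that overran the response budget."""
    start = now()
    try:
        username, password, source_ip = parse_request(body)
    except (ET.ParseError, ValueError) as exc:
        log.warning("malformed DA request: %s", exc)
        return soap_response(False)
    ok = ip_allowed(source_ip) and check_credentials(username, password, store)
    elapsed = now() - start
    if elapsed > RESPONSE_BUDGET_S:  # Salesforce abandons the login at SALESFORCE_TIMEOUT_S
        log.error("DA lookup for %s took %.1fs (limit %.0fs)", username, elapsed, SALESFORCE_TIMEOUT_S)
        return soap_response(False)
    log.info("DA user=%s ip=%s result=%s elapsed=%.3fs", username, source_ip, ok, elapsed)
    return soap_response(ok)


def build_request(username: str, password: str, source_ip: str) -> bytes:
    """Constructed request in the shape Salesforce sends, for local testing."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:urn="{NS}"><soapenv:Body><urn:Authenticate>'
            f'<urn:username>{escape(username)}</urn:username><urn:password>{escape(password)}</urn:password>'
            f'<urn:sourceIp>{escape(source_ip)}</urn:sourceIp></urn:Authenticate></soapenv:Body></soapenv:Envelope>').encode()


def authenticated(reply: bytes) -> bool:
    """Read the boolean back out of a response (what Salesforce does on its side)."""
    return ET.fromstring(reply).findtext(f".//{{{NS}}}Authenticated") == "true"


class DAHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        reply = handle_authenticate(self.rfile.read(int(self.headers.get("Content-Length", "0"))))
        self.send_response(200)
        self.send_header("Content-Type", "text/xml; charset=utf-8")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)


if __name__ == "__main__":  # development listener; put TLS and a load balancer in front (slide 3)
    HTTPServer(("127.0.0.1", 8080), DAHandler).serve_forever()
```

The injectable clock (`now=`) is what lets a load test assert the over-budget path without a slow directory; the same hook is where a production version would emit a latency metric, so the concurrent-login testing slide 3 asks for has something to measure.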

Page 4

Best Practices (SAML)

• Make sure the IdP is in a highly available environment
  – Incorporate fault tolerance, load balancing and failover strategies
• Use the Federation ID instead of the Salesforce username as the Subject ID, for performance
  – Identity is based on the login, and no mapping is required to find the Salesforce username
  – The login POST is org specific, hence Salesforce needs no time to resolve the org instance
  – If using the username, pass it in an Attribute instead of the Subject; this helps accomplish posting the token to an instance URL

Page 5

Best Practices (SAML)

• Be proactive with regard to certificate (Salesforce and client) expirations
  – Schedule a maintenance window prior to expiration to refresh certificates

Page 6

Best Practices (SAML)

• Disable users from logging into SF directly if SAML is enabled
  – Implement a Delegated Authentication service that will always return 'false'
  – Use the My Domain feature to restrict users from logging in directly
• Implement custom logout and error pages to present custom messages instead of the defaults
  – Leverage the corporate branded pages as appropriate, with messages indicating whom to contact in case of errors

Page 7

Best Practices (SAML)

• Check for any time skew that may lead to inconsistent timeout/session creation issues
  – Salesforce.com allows a maximum of three minutes of clock skew with your IdP server; make sure your server's clock is up to date
  – Perform periodic testing to make sure that the time skew is within a couple of minutes
  – A quick process can be written to fetch times from the IdP and SF (getServerTimeStamp()) and get the difference, to make sure it is within limits
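The skew check this slide proposes, plus the Subject/Attribute layout from slide 4, as an added example (not the presenter's code). It takes the two clock readings as strings, so the IdP host and the Salesforce getServerTimestamp() call are not contacted here; the timestamps, the constructed unsigned assertion, the "username" attribute name and the two-minute alert threshold are assumptions for the example, while the three-minute tolerance is the limit stated on the slide. Alongside the raw skew, it applies that tolerance to an assertion's Conditions window the way a relying party does, which shows why a drift of more than three minutes turns into rejected logins rather than a merely inconsistent session timeout.

```python
"""Clock-skew and SAML Conditions check between an IdP and Salesforce.
Added example, not the presenter's code. Slide 7 suggests fetching the time from
the IdP and from Salesforce (getServerTimestamp() in the SOAP API) and comparing
them; this script does the comparison and applies the three-minute tolerance to
a SAML assertion's Conditions. Timestamps and the assertion are constructed.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

MAX_SKEW_S = 180.0    # three minutes, the limit stated on the slide
ALERT_SKEW_S = 120.0  # assumption: alert at two minutes, before logins start failing
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def parse_utc(ts: str) -> datetime:
    """Parse ISO-8601 UTC timestamps with or without fractional seconds, e.g.
    Salesforce's 2024-05-01T12:00:00.000Z or an IdP's 2024-05-01T12:00:00Z."""
    if not ts.endswith("Z"):
        raise ValueError(f"expected a UTC timestamp ending in Z: {ts!r}")
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in ts else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)


def skew_seconds(idp_time: str, sf_time: str) -> float:
    """Absolute difference between the two clocks, in seconds."""
    return abs((parse_utc(idp_time) - parse_utc(sf_time)).total_seconds())


def skew_status(idp_time: str, sf_time: str) -> str:
    """'ok', 'warn' (drifting toward the limit) or 'fail' (logins will break)."""
    skew = skew_seconds(idp_time, sf_time)
    if skew > MAX_SKEW_S:
        return "fail"
    return "warn" if skew > ALERT_SKEW_S else "ok"


def conditions_valid(not_before: str, not_on_or_after: str, now: str,
                     tolerance_s: float = MAX_SKEW_S) -> bool:
    """Apply the SAML validity window with clock-skew tolerance, as a relying
    party does: NotBefore is inclusive, NotOnOrAfter is exclusive."""
    nb = parse_utc(not_before).timestamp() - tolerance_s
    noa = parse_utc(not_on_or_after).timestamp() + tolerance_s
    return nb <= parse_utc(now).timestamp() < noa


def inspect_assertion(xml_text: str, sf_now: str) -> dict:
    """Pull the NameID (the Federation ID per slide 4), the username attribute and
    the Conditions window out of an assertion and evaluate it at Salesforce time."""
    root = ET.fromstring(xml_text.strip())
    cond = root.find(f".//{{{SAML}}}Conditions")
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    username = None
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == "username":  # assumption: attribute name agreed with the IdP
            username = attr.findtext(f"{{{SAML}}}AttributeValue")
    return {
        "federation_id": root.findtext(f".//{{{SAML}}}Subject/{{{SAML}}}NameID"),
        "username": username,
        "not_before": cond.get("NotBefore"),
        "not_on_or_after": cond.get("NotOnOrAfter"),
        "valid_now": conditions_valid(cond.get("NotBefore"), cond.get("NotOnOrAfter"), sf_now),
    }


# Constructed, unsigned assertion fragment: the NameID carries the Federation ID
# and the Salesforce username travels in an Attribute, as slide 4 recommends.
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML}" ID="_constructed" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>emp-00042</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

if __name__ == "__main__":
    # Constructed readings standing in for the IdP clock and getServerTimestamp().
    print("skew:", skew_status("2024-05-01T12:00:00Z", "2024-05-01T12:01:30.000Z"))
    print(inspect_assertion(SAMPLE_ASSERTION, "2024-05-01T12:07:30.000Z"))
```

Run it from the periodic job the slide describes, feeding the two live readings into `skew_status`; a "warn" is the point at which to fix NTP on the IdP host, since "fail" means users are already being turned away.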