SSO Best Practices - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
SSO Best Practices
  • Suchin Rengan
  • Principal Technical Architect
  • Salesforce.com

2
Best Practices (Delegated Authentication)
  • Implement a DA mechanism only if SAML/OAuth is not
    deemed appropriate
  • Delegated Authentication needs custom development,
    and therefore ongoing maintenance and support
  • Delegated Authentication is not an industry
    standard
  • Implementation consideration: the result must be
    returned within 10 seconds of the request, else
    the request fails
  • Recommendation: do not enable this on the System
    Administrator profile, since during an outage
    there needs to be a way for Sys Admins to log in

3
Best Practices (Delegated Authentication)
  • Implement using the existing skill set within the
    organization
  • Java/.NET skills
  • Make sure appropriate testing has been performed
    to handle a large number of concurrent logins
  • Host the Delegated Authentication web service on
    a highly available platform
  • Incorporate fault tolerance, load balancing and
    failover strategies
  • Reuse tokens/credentials that adhere to corporate
    standards
  • Leverage the existing credential store and services
    that can validate/authenticate tokens
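The two Delegated Authentication slides above boil down to one engineering constraint: the DA web service must answer Salesforce within 10 seconds, and it must never hang or answer "yes" by accident when the backing credential store misbehaves. The following is an added example written for this page (it is not Salesforce code and not from the presentation), in Python rather than the Java/.NET the slide suggests. It assumes the DA request carries a username, a password and a source IP and is answered with a boolean; the credential store, its salt and the "alice" account are constructed sample data.

```python
# Added example: a Delegated Authentication (DA) handler that honours the
# slide's 10-second response constraint and fails closed if it cannot.
# Assumed request shape: username, password and sourceIp, answered with a bool.
import hashlib
import hmac
import logging
import time
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout

log = logging.getLogger("da")

RESPONSE_BUDGET_SECONDS = 10.0  # from the slide: Salesforce fails the request after this
SAFETY_MARGIN_SECONDS = 2.0     # assumed: reply well before the caller gives up

# Constructed credential store standing in for the corporate directory.
# Passwords are kept as salted PBKDF2 hashes, never in clear.
_SALT = b"constructed-salt-not-for-production"


def _hash_password(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


CREDENTIAL_STORE = {
    "alice@example.com": _hash_password("correct horse battery staple"),
}


def verify_against_store(username: str, password: str) -> bool:
    """Check a username/password pair against the (constructed) store.

    The candidate hash is computed before the lookup so that an unknown
    user costs the same time as a known one.
    """
    candidate = _hash_password(password)
    stored = CREDENTIAL_STORE.get(username)
    return stored is not None and hmac.compare_digest(stored, candidate)


_executor = ThreadPoolExecutor(max_workers=8)


def authenticate(username: str, password: str, source_ip: str,
                 verifier=verify_against_store,
                 budget_seconds: float = RESPONSE_BUDGET_SECONDS) -> bool:
    """Answer a DA request within the budget; anything else is a denial.

    The backing check runs in a worker thread so a slow or hung credential
    store cannot push the response past the 10-second limit. A timeout or
    an exception is logged and reported as 'not authenticated' (fail closed).
    """
    deadline = max(budget_seconds - SAFETY_MARGIN_SECONDS, 0.1)
    started = time.monotonic()
    future = _executor.submit(verifier, username, password)
    try:
        ok = bool(future.result(timeout=deadline))
    except FutureTimeout:
        log.warning("DA timeout after %.1fs user=%s ip=%s",
                    time.monotonic() - started, username, source_ip)
        return False
    except Exception:
        log.exception("DA backend error user=%s ip=%s", username, source_ip)
        return False
    log.info("DA result=%s user=%s ip=%s elapsed=%.3fs",
             ok, username, source_ip, time.monotonic() - started)
    return ok
```

The worker pool is also where the slide's concurrency and load-balancing points land: size it (and the store behind it) from the concurrent-login tests the slide asks for, because a pool that is saturated turns into the same timeout as a dead backend.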

4
Best Practices (SAML)
  • Make sure the IdP is in a highly available
    environment
  • Incorporate fault tolerance, load balancing and
    failover strategies
  • Use the Federation ID instead of the Salesforce
    username as the subject ID for performance
  • Identity is based on the login, and no mapping is
    required to find the Salesforce username
  • The login POST is org specific, and hence no time is
    needed by Salesforce to resolve the org instance
  • If using the username, pass it in an Attribute
    instead of the Subject; this helps accomplish
    posting the token to an instance URL

5
Best Practices (SAML)
  • Be proactive with regard to certificate
    (Salesforce and client) expirations
  • Schedule a maintenance window prior to expiration
    to refresh certificates

6
Best Practices (SAML)
  • Disable users from logging into SF directly if
    SAML is enabled
  • Implement a Delegated Authentication service that
    always returns false
  • Use the My Domain feature to restrict users from
    logging in directly
  • Implement custom logout and error pages to present
    custom messages instead of the defaults
  • Leverage corporate branded pages as
    appropriate, with messages indicating whom to
    contact in case of errors

7
Best Practices (SAML)
  • Check for any time skew that may lead to
    inconsistent timeout/session creation issues
  • Salesforce.com allows a maximum of three minutes
    of clock skew with your IdP server; make sure
    your server's clock is up to date
  • Perform periodic testing to make sure that the
    time skew is within a couple of minutes
  • A quick process can be written to fetch the times
    from the IdP and SF (getServerTimeStamp()) and
    take the difference to make sure it is within
    limits
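The "quick process" on the last slide, as an added example written for this page (it is not from the presentation). Fetching the two readings is assumed to happen elsewhere (the IdP's own clock and Salesforce's getServerTimestamp() call, for instance) and they arrive here as ISO 8601 strings; the thresholds are the slide's three-minute limit and two-minute target. The last function goes one step past the slide: it evaluates a SAML assertion's NotBefore/NotOnOrAfter window with a skew tolerance, to show how an IdP clock that is ahead makes assertions look "not yet valid" and one that is behind makes them look expired. The sample timestamps are constructed.

```python
# Added example: skew check between IdP and Salesforce clock readings, plus an
# illustration of how a service provider's skew tolerance is applied to a SAML
# Conditions window. Timestamps are assumed to be obtained elsewhere.
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=3)   # Salesforce's stated tolerance (slide 7)
WARN_SKEW = timedelta(minutes=2)  # the slide's "within a couple of minutes" target


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp that carries a zone ('Z' or an offset) to UTC."""
    if value.endswith("Z"):                 # fromisoformat() before 3.11 rejects 'Z'
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("timestamp must carry a timezone: %r" % value)
    return parsed.astimezone(timezone.utc)


def clock_skew(idp_ts: str, sf_ts: str) -> timedelta:
    """Signed skew; positive means the IdP clock is ahead of Salesforce."""
    return parse_ts(idp_ts) - parse_ts(sf_ts)


def skew_status(idp_ts: str, sf_ts: str) -> str:
    """'ok' within the 2-minute target, 'warn' up to the 3-minute limit, 'fail' beyond."""
    skew = abs(clock_skew(idp_ts, sf_ts))
    if skew > MAX_SKEW:
        return "fail"
    if skew > WARN_SKEW:
        return "warn"
    return "ok"


def assertion_in_window(not_before: str, not_on_or_after: str, sp_now: str,
                        tolerance: timedelta = MAX_SKEW) -> bool:
    """Whether a service provider applying `tolerance` accepts an assertion's
    Conditions window (NotBefore inclusive, NotOnOrAfter exclusive) at its
    own time `sp_now`. Illustrative; not Salesforce's exact rule."""
    now = parse_ts(sp_now)
    start = parse_ts(not_before) - tolerance
    end = parse_ts(not_on_or_after) + tolerance
    return start <= now < end


if __name__ == "__main__":
    # Constructed sample readings: IdP clock 2.5 minutes ahead of Salesforce.
    idp_reading = "2024-03-01T09:02:30Z"
    sf_reading = "2024-03-01T09:00:00+00:00"
    print(clock_skew(idp_reading, sf_reading), skew_status(idp_reading, sf_reading))
```

Run it from the periodic test the slide asks for and alert on "warn" rather than waiting for "fail": a skew that has drifted past two minutes is already inside the region where the next NTP hiccup produces login failures.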