Lydia Mann
Curriculum Developer
Safe Harbor Statement
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such risks or uncertainties materialize or if any of the assumptions prove incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking statements, including: any projections of product or service availability, customer growth, earnings, revenues, or other financial items; any statements regarding strategies or plans of management for future operations; any statements concerning new, planned, or upgraded services or developments; statements about current or future economic conditions; and any statements of belief. The risks and uncertainties referred to above include - but are not limited to - risks associated with possible fluctuations in our financial and operating results; our rate of growth; interruptions or delays in our service or our Web hosting; breaches of our security measures; the financial impact of any previous and future acquisitions; the nature of our business model; our ability to continue to release, and gain customer acceptance of, new and improved versions of our service; successful customer deployment and utilization of our existing and future services; competition; the emerging markets in which we operate; our ability to hire, retain and motivate employees and manage our growth; changes in our customer base; technological developments; regulatory developments; litigation related to intellectual property and other matters; and general developments in the economy, financial markets, and credit markets.

Further information on these and other factors that could affect our financial results is included in the reports on Forms 10-K, 10-Q and 8-K and in other filings we make with the Securities and Exchange Commission from time to time. These documents and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements, except as required by law.

Any unreleased services or features referenced in press releases, presentations or public statements are not currently available and may not be delivered on time or at all. Customers who purchase salesforce.com applications should make their purchase decisions based upon features that are currently available.
Training Org Login
Org will be active for 30 days post Dreamforce.
Username: df13samlA+###@gmail.com
Password: Dreamforce2013
Broad SAML Support
Application Launcher
Restricted/granted application access
Branded Login Pages
Multi-org Environment Hub
Integration with native platform capabilities:
– Visual Workflow
– Workflow Rules
– Apex Triggers
– Reports
Standalone Salesforce Identity licenses
Pre-built integration to use Active Directory as credential store
And much more…
Salesforce Identity as a SAML Service Provider
SAML is Based on Trust
"I trust you."
During configuration, the IdP shares its public key certificate with Salesforce. During runtime, Salesforce uses the certificate to validate that the digital signature originated from the IdP.
Exercise 1: Enabling Salesforce to be a Service Provider (hands-on exercise)
Diagram: Identity Provider (IdP) and Service Provider, labelled with the Issuer, the User Id, and the Entity Id.
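The trust relationship described above (certificate shared at configuration, signature checked at runtime) and the three values Exercise 1 labels (Issuer, User Id, Entity Id), as an added Go example that is not part of the original presentation or of the Salesforce product: an IdP generates a key pair and a self-signed certificate, signs a stripped-down assertion, and the SP accepts it only when the issuer is the configured IdP, the audience is the SP's own Entity Id, and the signature verifies under the configured certificate. Real SAML assertions are XML signed with XML-DSig; this example signs the serialized fields directly so the trust checks stay visible. The types `Assertion`, `IdP`, `SP`, the functions `Validate` and `Demo`, and all Entity Ids and user ids are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assertion is a stripped-down stand-in for a SAML assertion: the values Exercise 1 labels
// (Issuer, User Id as subject, the SP's Entity Id as audience) plus the IdP's signature.
type Assertion struct {
	Issuer, UserID, Audience string
	Signature                []byte
}

// digest is the byte string the signature covers (real SAML uses canonicalized XML here).
func (a Assertion) digest() []byte {
	sum := sha256.Sum256([]byte(a.Issuer + "\x00" + a.UserID + "\x00" + a.Audience))
	return sum[:]
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// IdP holds the private signing key; only the certificate (public half) is ever shared.
type IdP struct{ EntityID string; key *rsa.PrivateKey }

// NewIdP generates the key pair and the self-signed certificate handed to the SP at configuration.
func NewIdP(entityID string) (*IdP, *x509.Certificate) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: entityID},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &IdP{EntityID: entityID, key: key}, cert
}

// Issue signs an assertion for userID addressed to the SP whose Entity Id is audience.
func (p *IdP) Issue(userID, audience string) (Assertion, error) {
	a := Assertion{Issuer: p.EntityID, UserID: userID, Audience: audience}
	sig, err := rsa.SignPKCS1v15(rand.Reader, p.key, crypto.SHA256, a.digest())
	a.Signature = sig
	return a, err
}

// SP is the service-provider side, configured once with the IdP's Entity Id and certificate.
type SP struct{ EntityID, IdPEntityID string; IdPCert *x509.Certificate }

// Validate is the runtime check: issuer, audience, then the signature under the configured certificate.
func (s SP) Validate(a Assertion) (string, error) {
	if a.Issuer != s.IdPEntityID {
		return "", fmt.Errorf("issuer %q is not the configured IdP %q", a.Issuer, s.IdPEntityID)
	}
	if a.Audience != s.EntityID {
		return "", fmt.Errorf("assertion addressed to %q, not to this SP %q", a.Audience, s.EntityID)
	}
	pub, ok := s.IdPCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("configured IdP certificate does not carry an RSA key")
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, a.digest(), a.Signature); err != nil {
		return "", fmt.Errorf("signature did not originate from the configured IdP: %w", err)
	}
	return a.UserID, nil
}

// Demo (constructed Entity Ids and user ids) reports whether a genuine assertion is accepted and
// whether one forged by a second IdP that spoofs the Entity Id with an unconfigured key is accepted.
func Demo() (genuineOK, rogueOK bool) {
	idp, cert := NewIdP("https://idp.example.com")
	sp := SP{EntityID: "https://saml.salesforce.com", IdPEntityID: idp.EntityID, IdPCert: cert}
	genuine, err := idp.Issue("lydia@example.com", sp.EntityID)
	must(err)
	_, err = sp.Validate(genuine)
	genuineOK = err == nil
	rogue, _ := NewIdP(idp.EntityID) // same Entity Id, different key
	forged, err := rogue.Issue("admin@example.com", sp.EntityID)
	must(err)
	_, err = sp.Validate(forged)
	return genuineOK, err == nil
}

func main() {
	g, r := Demo()
	fmt.Printf("genuine accepted=%v, rogue accepted=%v\n", g, r)
}
```

The point the slide makes is that the certificate exchanged at configuration time is the trust anchor: an assertion that names the right Issuer but is signed by any other key fails `Validate`, as does an assertion addressed to a different SP or one altered after signing.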
Identity Provider-Initiated SAML Flow
Participants: Identity Provider (IdP), Service Provider (Salesforce).
1. User signs in to IdP.
2. Page returned contains form with SAML assertion.
3. User submits SAML assertion to login URL.
4. Salesforce redirects to start URL with Session ID.
My Domain
Participants: Identity Provider (IdP), Service Provider (Salesforce).
1. User requests page at a custom domain for Salesforce.
2. User redirected to IdP.
3. If necessary, user signs in to IdP.
4. IdP redirects user to Salesforce with SAML assertion.
5. Salesforce redirects to requested page with Session ID.
Exercise 2: Single Sign-On to Salesforce (hands-on exercise)
Flow from the App Launcher to a Service Provider:
1. The App Launcher contains a form with SAML assertion.
2. User submits SAML assertion to Assertion Consumer Service URL.
3. SP redirects to start URL with new session.
Exercise 3: Sign-on to EchoSign from Salesforce Identity (hands-on exercise)
Values exchanged during configuration:
From Salesforce (the Identity Provider) to EchoSign:
• Certificate
• Entity Id (Issuer)
• Login URL
From EchoSign (the Service Provider) to Salesforce:
• Assertion Consumer Service URL
• Entity Id
Runtime flow:
1. User requests custom EchoSign URL.
2. User redirected to custom Salesforce sign-on URL.
3. If necessary, user signs in to Salesforce.
4. Salesforce redirects to Assertion Consumer Service URL with SAML Assertion.
Service Provider-initiated Single Sign-Off
1. User signs off of EchoSign.
2. EchoSign POSTs sign-off directive to custom Salesforce sign-off URL.
3. User redirected to custom Salesforce sign-on URL.
Exercise 4: SP-initiated Single Sign-On/Off with EchoSign
SAML / OAuth
SAML: Identity Provider – (Trust) – Service Provider
OAuth: Service Provider – (Trust) – Service Consumer
– Revocable
OAuth flows by application type:
– Web Server Flow: Web Applications
– User-Agent Flow: Desktop Applications, Mobile Applications
Key OAuth Terms
Android Device components: Main Activity, Client Manager, Offline Data Store.
1. Check local data store for existing OAuth tokens.
2. If tokens don't exist, begin the OAuth flow to obtain tokens.
3. After successful token grant, begin business logic.
OAuth 2.0 for Mobile Applications: User-Agent Flow
1. Developer configures a Connected App for the mobile application.
2. A Consumer Key is generated.
User-Agent Flow Example: Salesforce Mobile SDK for Android
1. User launches the app ("Apply to a Job") from the mobile device.
2. A browser is launched to the Salesforce Login page with the Consumer Key passed as an HTTP query string parameter:
   https://login.salesforce.com?client_id=3MV…
3. The user signs in to Salesforce, then grants access for this app.
4. Salesforce redirects the browser to the Callback URL with the Access and Refresh Tokens:
   df://jobapp#access_token=…&refresh_token=…
5. The mobile app is listening for the redirect to the callback URL; it captures and stores the tokens.
6. The user has now granted revocable access to the mobile app.
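Steps 2, 4 and 5 of the user-agent flow, as an added Go example that is not code from the Mobile SDK or from the original slides: it builds the browser URL with the Consumer Key as `client_id`, then parses the callback redirect the way the listening app must, taking the tokens from the URL fragment and rejecting any redirect that is not the registered `df://jobapp` callback. The `/services/oauth2/authorize` path and the `response_type` and `redirect_uri` parameters are Salesforce's actual user-agent flow endpoint and parameters, which the slide abbreviates; the Consumer Key, the token values, and the functions `AuthorizeURL` and `ParseCallback` are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Constructed values for the hypothetical "Apply to a Job" app: the Consumer Key is a placeholder;
// df://jobapp is the custom-scheme Callback URL registered on the Connected App (from the slide).
const (
	loginHost   = "https://login.salesforce.com"
	consumerKey = "3MV_EXAMPLE_CONSUMER_KEY"
	callbackURL = "df://jobapp"
)

// Tokens is what the app keeps in its offline data store after step 5.
type Tokens struct {
	AccessToken  string
	RefreshToken string
}

// AuthorizeURL builds the step-2 browser URL. The Consumer Key travels as the client_id query
// parameter; response_type=token selects the user-agent flow; redirect_uri must be the registered callback.
func AuthorizeURL() string {
	q := url.Values{}
	q.Set("response_type", "token")
	q.Set("client_id", consumerKey)
	q.Set("redirect_uri", callbackURL)
	return loginHost + "/services/oauth2/authorize?" + q.Encode()
}

// ParseCallback is step 5: the listening app receives the redirect and pulls the tokens out of the
// URL fragment. It refuses a redirect whose scheme or host is not the registered callback, and refuses
// tokens that arrive in the query string (which a server would see and log) rather than in the
// fragment (which a browser never sends over the network).
func ParseCallback(redirect string) (Tokens, error) {
	u, err := url.Parse(redirect)
	if err != nil {
		return Tokens{}, err
	}
	reg, _ := url.Parse(callbackURL)
	if u.Scheme != reg.Scheme || u.Host != reg.Host {
		return Tokens{}, fmt.Errorf("redirect %q is not the registered callback %q", redirect, callbackURL)
	}
	if u.Query().Get("access_token") != "" {
		return Tokens{}, errors.New("access_token arrived in the query string, not the fragment")
	}
	frag, err := url.ParseQuery(u.Fragment)
	if err != nil {
		return Tokens{}, err
	}
	t := Tokens{AccessToken: frag.Get("access_token"), RefreshToken: frag.Get("refresh_token")}
	if t.AccessToken == "" {
		return Tokens{}, errors.New("fragment carries no access_token")
	}
	return t, nil
}

func main() {
	fmt.Println("step 2 browser URL:", AuthorizeURL())
	// Constructed step-4 redirect, using the abbreviated token values shown on the slide.
	tok, err := ParseCallback(callbackURL + "#access_token=00Dx0000000BV7z!AR8...&refresh_token=5Aep8614iLM.Dq661ePD...")
	fmt.Printf("tokens=%+v err=%v\n", tok, err)
	_, err = ParseCallback("https://attacker.example/#access_token=stolen")
	fmt.Println("foreign redirect rejected:", err != nil)
}
```

The fragment is the reason the user-agent flow can hand tokens to a client that has no secret: the browser keeps everything after `#` local, so only the app registered for the `df://` scheme ever sees the values, and the registered callback is what the app must check before trusting them.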
Exercise 5: Enable OAuth for Authentication
Refresh Token Flow Example: Salesforce Mobile SDK for Android
Android Device components: Main Activity, Client Manager, Offline Data Store.
1. Eventually the access token expires; Salesforce returns an error (HTTP 401) for the old access token.
2. The Mobile SDK uses the refresh token to request a new access token.
3. The Mobile SDK stores the new access token for later use.
Salesforce Identity and OAuth Web Server Flow
Web Server Flow Example: Order Management Application
Participants: Service Consumer (SC, the Order Management web application), Service Provider (SP, Salesforce).
1. User requests integration; SC redirects to SP with Consumer Key:
   https://login.salesforce.com?client_id=3MV…
2. User logs into Salesforce, approves app.
3. Salesforce redirects to web app with Authorization Code:
   https://fake.om.com/?code=aPrxsmIEeqM9
4. SC makes web service callout to Salesforce with Authorization Code and Client Secret, receives back Access and Refresh Tokens:
   {..."access_token":"00Dx0000000BV7z!AR8...", "refresh_token":"5Aep8614iLM.Dq661ePD...",...}
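Step 4 of the web server flow together with the refresh token flow from the mobile example earlier, as one added Go example that is not part of the original deck or of any Salesforce SDK. It uses an in-process stand-in for the Salesforce side instead of real HTTP: `FakeSalesforce.TokenEndpoint` plays the token endpoint (in production `https://login.salesforce.com/services/oauth2/token`) and `FakeSalesforce.Resource` plays an API call that answers 401 once a token has expired. The Service Consumer `Client` exchanges the slide's sample Authorization Code plus the Client Secret for tokens (`Exchange`), and `Call` refreshes once and retries when a call comes back 401 (`Refresh`). The Consumer Key and Client Secret are placeholders; the code `aPrxsmIEeqM9` and the refresh token prefix are the slide's own sample values; all type and function names are constructed.

```go
package main

import (
	"fmt"
	"net/url"
)

// Constructed credentials for the hypothetical Order Management (OM) Connected App; the Client
// Secret lives only on the OM server. The code and refresh token strings are the slide's samples.
const (
	consumerKey    = "3MV_EXAMPLE_CONSUMER_KEY"
	consumerSecret = "EXAMPLE_CLIENT_SECRET"
	authCode       = "aPrxsmIEeqM9"
	refreshToken   = "5Aep8614iLM.Dq661ePD"
)

// FakeSalesforce is a constructed in-process stand-in for the Salesforce side. Each access token
// it issues works once, so a second use of the same token behaves like an expired token.
type FakeSalesforce struct {
	live   map[string]bool // access tokens issued and not yet spent
	issued int
}

func NewFakeSalesforce() *FakeSalesforce { return &FakeSalesforce{live: map[string]bool{}} }

// TokenEndpoint checks the client credentials and the grant; it returns an HTTP status and a
// reply shaped like the JSON on the slide ({"access_token":..., "refresh_token":...}).
func (f *FakeSalesforce) TokenEndpoint(form url.Values) (int, map[string]string) {
	okClient := form.Get("client_id") == consumerKey && form.Get("client_secret") == consumerSecret
	okGrant := (form.Get("grant_type") == "authorization_code" && form.Get("code") == authCode) ||
		(form.Get("grant_type") == "refresh_token" && form.Get("refresh_token") == refreshToken)
	if !okClient || !okGrant {
		return 400, map[string]string{"error": "invalid_grant"}
	}
	f.issued++
	tok := fmt.Sprintf("00Dx0000000BV7z!AR8.%d", f.issued)
	f.live[tok] = true
	return 200, map[string]string{"access_token": tok, "refresh_token": refreshToken}
}

// Resource answers 200 for a live bearer token and 401 otherwise, spending the token on use.
func (f *FakeSalesforce) Resource(accessToken string) int {
	if !f.live[accessToken] {
		return 401
	}
	delete(f.live, accessToken)
	return 200
}

// Client is the Service Consumer (SC): it keeps the tokens and makes the server-to-server calls.
type Client struct {
	SF     *FakeSalesforce
	Tokens map[string]string
}

// grant sends one token request with the client credentials attached; the browser never sees these.
func (c *Client) grant(form url.Values) (map[string]string, error) {
	form.Set("client_id", consumerKey)
	form.Set("client_secret", consumerSecret)
	status, body := c.SF.TokenEndpoint(form)
	if status != 200 || body["access_token"] == "" {
		return nil, fmt.Errorf("token endpoint: HTTP %d %s", status, body["error"])
	}
	return body, nil
}

// Exchange is step 4 of the web server flow: Authorization Code plus Client Secret in, Access and Refresh Tokens out.
func (c *Client) Exchange(code string) (err error) {
	c.Tokens, err = c.grant(url.Values{"grant_type": {"authorization_code"}, "code": {code}})
	return err
}

// Refresh is the refresh token flow: the stored refresh token buys a new access token.
func (c *Client) Refresh() error {
	body, err := c.grant(url.Values{"grant_type": {"refresh_token"}, "refresh_token": {c.Tokens["refresh_token"]}})
	if err == nil {
		c.Tokens["access_token"] = body["access_token"] // the refresh token itself is kept
	}
	return err
}

// Call makes a bearer-token API call; on HTTP 401 it refreshes once and retries, as the SDK does.
func (c *Client) Call() (int, error) {
	for attempt := 0; attempt < 2; attempt++ {
		if status := c.SF.Resource(c.Tokens["access_token"]); status != 401 {
			return status, nil
		}
		if err := c.Refresh(); err != nil {
			return 401, err
		}
	}
	return 401, fmt.Errorf("still unauthorized after refresh")
}

func main() {
	c := &Client{SF: NewFakeSalesforce()}
	fmt.Println("exchange:", c.Exchange(authCode), "tokens:", c.Tokens)
	s1, _ := c.Call()
	s2, _ := c.Call() // the 401 inside triggers the refresh and retry
	fmt.Println("statuses:", s1, s2, "access token now:", c.Tokens["access_token"])
}
```

Two properties of the flow show up in the checks: the code alone is worthless to whoever sees the step-3 redirect, because `TokenEndpoint` refuses it without the Client Secret, and the refresh token never leaves the server-to-server channel, which is what makes the long-lived, revocable access on the slide safe to keep.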
Key Takeaways