1 / 7

SSO Best Practices

SSO Best Practices. Suchin Rengan Principal Technical Architect Salesforce.com. Best Practices (Delegated Authentication). Implement DA mechanism only if SAML/OAuth is not deemed appropriate Delegated Authentication needs custom development and thereby maintenance and support

azra
Download Presentation

SSO Best Practices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SSO Best Practices Suchin Rengan Principal Technical Architect Salesforce.com

  2. Best Practices (Delegated Authentication) • Implement DA mechanism only if SAML/OAuth is not deemed appropriate • Delegated Authentication needs custom development and thereby maintenance and support • Delegated Authentication is not an industry standard • Implementation considerations such as result must be returned within 10 seconds of request, else the request fails • Recommendation is not to enable this on System Administrator’s profile, since during an outage, there needs to be way for Sys Admins to log in

  3. Best Practices (Delegated Authentication) • Implement using existing skill set within organization • Java/.NET skills • Make sure appropriate testing has been performed to handle large number of concurrent logins • Host the Delegated Authentication web service on a high available platform • Incorporate fault tolerance, load balancing and failover strategies • Reuse token/ credentials that adhere to corporate standards • Leverage existing credential store and services that can validate/ authenticate tokens

  4. Best Practices (SAML) • Make sure the IDP is on a high available environment • Incorporate fault tolerance, load balancing and failover strategies • Use Federation Id instead of Salesforce username as subject Id for performance • Identity based on login and no mapping required to know Salesforce username • Login post is org specific and hence no time needed by Salesforce to resolve org instance • If using username then pass it in Attribute instead of Subject, this helps accomplish posting token to an instance URL

  5. Best Practices (SAML) • Be proactive with regards to certificate (Salesforce and client) expirations • Schedule maintenance window prior to expiration to refresh certificates

  6. Best Practices (SAML) • Disabling users from directly logging into SF if SAML is enabled • Implement Delegated Authentication service that will always return a ‘false’ • Use MyDomains feature to restrict users from logging in directly • Implement custom logout, error pages to present custom messages instead of defaults • Leverage the corporate branded pages as appropriate with messages indicating whom to contact in case of errors

  7. Best Practices (SAML) • Check for any time skews that may lead to inconsistent timeout/ session creation issues • Salesforce.com allows a maximum of three minutes for clock skew with your IDP server, make sure your server's clock is up-to-date • Perform periodic testing to make sure that the time skew is within couple of minutes • A quick process can be written to fetch times from the IdP and SF (getServerTimeStamp() ) and get the difference to make sure it is within limits

More Related