single sign on (SSO)

single sign on (SSO)
===================
User just remember one username and password that will allow us to logon to all other different applications.

It's like having a magic key that automatically opens up all the other doors once you enter through one door.

Salesforce provides different options to configure single sign on.

1.Federated Authentication using SAML
2.Delegated Authentication
3.OpenID Connect

Main concepts in SSO

1.The concept of IDP/SP
2.The Concept of IDP Initiated login and SP initiated login.

IDP stands for Indentity provider and SP stands for service provider.

In IDP Init SSO the Federation process is initiated by the IDP sending an SAML Response to the SP.

In SP-Init, the SP generates an AuthRequest that is sent to the IDP as the first step in the Federation process and the IDP then responds with the SAML Response.

IDP initiated Login :
=====================
User can logon to IDP and then from there, clicks on links to access other systems(i.e SP).This is called IDP initiated login.

   user    ---->      Identity provider
                           |
   |
   |  SAMl Assertion
                          V
                        salesforce (SP)

SP Initiated Login :
=====================
User can go directly to an SP application to access the application.
In this case, SP will redirect the user toIDP login page where user will provider
his/her username and password, IDP will authenticate the user and pass control
back to SP asserting whether user is authenticated or not.SP will then allow
user to access the application.

Note : Identity provider is the instance where users have an active session.
And service provider is the one which identifies the certificate from
the identity provider saying the user is coming from the authenticated source.


                                              saml Auth Request
   user ---->  salesforce (sp)  ------>
                                              <-------   Identity provider
 saml assertion


Federated Authentication using SAML :
=====================================
1.Federated authentication uses SAML, an industry standard for secure integrations.Investing in SAML with Salesforce.com

2.org-wise level

3.Salesforce admins can enable.

Authentication and authorization between two entities : service provider and identity provider

The service provider agrees to trust the identity provider to authenticate users.

Note :

SAML stands for security Assertion Markup Language.

SAML is an XML-based protocol for exchanging identity and authorization information.

The SAML,which is basically XML documents that are going  to be exchanged. Some are going to be exchanged at setup time, and some are going to be exchnaged when you try to
login.

That XML has a packet of information that contains authentication information, but it's built into that XML data model essentially.

Just-in-time user Provisioning :
============================
The just-in-time provisioning is basically the idp has the authority to create or update user information inside of the service provider.


relay :
========
SP init does it carries your original destination that you were trying to get to as part of the relay state.

The RelayState is meant to direct the user after a successful login to a specific location in the application they're logging into. If you need to include query parameters,make sure they're URL encoded.

RelayState=var1%3Dvalue1%26var2%3Dvalue2

SAML Assertion Validator :
===========================
1. Available in single sign-on settings.
2. used to check for failed logins of sso.


Delegated Authentication Flow :
===============================
Delegated Authentication is specific to salesforce only(not industry standard)
where external webservice only retruns "TRUE" and "FALSE" saying Authentication is complete
or not.

1.Require salesforce support to enable.
2.Permission level.

Note:
when the user submits the login page with their credentials, Salesforce look up the user from the username.If Delegated Authentication(DA) is configured for this org and user,
we send the supplied password to the configured Delegated Authentication (DA)
endpoint for verification,otherwise we verify the password against the hash
we have on record for that user.Either way, if the password is successfully
verified,we create a session, issue the cookie, and redirect the user to
the requested page.


1. We can integrate with the LDAP server - Lightweight Directory Access Portocol or authenticate with the access token rather with the password.

2.We can also manage authentication at the permission level which gives us more flexibility.

3. with the above feature, we can set delegated authentication for particular users rest will use their salesforce credentials for login.

4.If user tries to login through online or API, salesforce checks permission settings and access settings after validating the UserName.

5.if user has enabled the single sign on permission setting then salesforce doesn't validates the login credentials.Rather it makes an web service call to org for validating the login credentials.

6. When above permission setting is enabled then salesforce no longer manages the password policies

ex : Password must be required minimum length.

7.Then delegated authentication comes into action, the endpoint service enforces the policies for password.

Note :
The webService validates username,password and Source IP

Source IP : The IP address that originated the login request.


security Modes :
================
1.Simple Passwords (User salesforce login page)
2.Tokens ( Private login page on your company webserver that may be behind your corporate firewall)
3.Mixed (use mobile and client apps)


OpenID Connect :
====================

OpenID Connect is a modern Identity Protocol that leverages OAUTH.

It provides an ID token and UserInfo endpoint.

you can use it for single sign-on (SSO).

Salesforce can act as an OpenID Connect client.

 ex: Sign in with Google.

Salesforce can act as an OpenID connect Provider.

Example Login with Salesforce.


OpenID Connect - for social Sign-on into the org.
 Login to salesforce org with Google+.

 Steps for social sign-on with Google+ into Enterprise Org.

 1. Setup MyDomain in the org.
 2.Configure an OpenID Connect type Authentication provider  pointing to Google.
 3.Set a google plus user ID field on user record - for account linking.
 4.Update a user record with a valid google plus userID.
 5.Configure enterprise branding page to enable Login with Google.
 6.Test Login with Google into the enterprise org.


OpenID Connect - For salesforce login into the community.

 Login to community with any Salesforce org.

 Steps for Single Sign On into Community with any Salesforce Org.

 1. Setup OpenID Connect Auth Provider pointing to a Connected  App in IDP.
 2.Registration Handler code can do user checks based on Email  or FederationID.
 3.Set the Community Login Page to use this Auth Provider.


 Authorization Request

 https://ogin.salesforce.com/services/oauth2/authorize

Authorization Response

https://www.example.com/oauth/callback/?

Token Request

Token Response

access_token
id_token

Note :
Client uses ID token to authenticate the end user.

The ID token is represented as a JSON Web Token (JWT).The JWT is singed using a JSON web signature and consist of three parts separated by "."

An ID token has the following syntax :

Base64(JOSE header).Base64(Payload).Base64(Signature)

Every Client must validate the ID-token it receives.It must validate the iss, aud and exp claims. The rest are optional if presented.

what OpenID connect adds?

1.ID token
2.UserInfo endpoint for getting  more user information
3.Standard set of scopes
4.Standardized implementation.

OAuth and OpenID Connect :
======================

Use OpenID Connect for (Authentication):

1.Logging the user in
2.Making your accounts avaialble in other systems

Use OAuth 2.0 for (Authorization) :

1.Granting access to your API
2.Getting access to user data in other systems.


Connected App :
=============

Consumer key is essentially the API key associated with
the application (Twitter, Facebook, etc.). This key
(or 'client ID', as Facebook calls it) is what
identifies the client. By the way, a client is a
website/service that is trying to access an end-user's
resources.

Consumer secret is the client password that is used to
authenticate with the authentication server, which is a
Twitter/Facebook/etc. server that authenticates the
client.

Access token is what is issued to the client once the client successfully authenticates itself (using the consumer key & secret). This access token defines the privileges of the client (what data the client can and cannot access). Now every time the client wants to access the end-user's data, the access token secret is sent with the access token as a password (similar to the consumer secret)

20 ways to share records in salesforce

1.profile/permission Set level object Settings (CRED)
2.Profile/Permission Set Level object Settings (View All,Modify All)
3.Profile Level System Permissions (View All Data,Modify All Data)
4.Organization Wide Defaults (OWD)
5.Record Ownership
6.Role Hierarchy
7.Teams
8.Queues
9.Sharing Rules
10.Groups
11.Manager Group
12.Territory Management
13.Sharing sets
14.Sharing groups
15.Super User Access
16.Manual Sharing
17.Programmatic/apex sharing
18.Visualforce with Apex
19.Implicit sharing
20. Master-detail Relationship

1.Profile/Permission Set Level Object Settings (CRED)

-> The first minimum thing that the user needs to have
'Read','Create','Edit' or 'Delete'(CRED) permission on
the object either through profile or permission Set.

-> In Fact the user's profile/permission set must have
these Object level Permissions(CRED) for other sharings
to work.

-> For profile tied to specific license types (e.g Community User Licenses),
you can't set CRED on some of the objects.
E.g. for "Customer Community" License, the 'Lead' object is
not available.

Note :
Different License Types
1.Customer Community License
2.Customer Plus Community License
3.Partner Community License

Customer Community Plus users have greater access to sharing
features.They can have up to 3 roles, and therefore are able to
utilize sharing rules.

Partner Community licenses features the same benefits as
Customer community plus, and also have access to sales- related
objects (Lead,campaigns and Opportunities).

Note :
There are no workaround for Customer Community Profile
user to access leads.
You need to upgrade to Partner Community License
(Opportunities,Leads,Quotes,Campaigns objects available).

2.Profile/Permission Set Level Object Settings (View All/Modify All)

-> The next option that you have is to grant 'View All' and/or
'Modify All' at the object level.

-> Once these permissions are granted to the user's
profile/permission set, they can view/edit all records in that
object, irrespective of the sharing model.

-> For profiles tied to specific license types,
view all/modify all options will not be available on some of the objects.

3.Profile Level System Settings (View All Data, Modify All Data)

-> Probably one of the most powerful permission that you grant
is to specify 'view All Data' / 'Modify All Data' at the system level
on user's profile.with this option the user will be able to view/modify
all records across all objects.

-> For profiles tied to specific license types,
view all data/modify all data system privilege is not available.

-> use this option sparingly and with caution.

4.Organization Wide Defaults (OWDs)

-> Another way to grant users access to records is by setting
the OWD to "Public Read only" or "Public Read/Write" for individual
objects.

-> When set to "Public Read Only" or "Public Read/Write ",
All users in your Org will have view/edit privileges
provided the user has CRED permissions on the object(s)
through profile/permission set.

5. Record Ownership

-> if the user is the owner of the record, they automatically
have read/edit/transfer privileges on that record.

-> However, if you have removed the object level CRED permission
from user's profile/permission set, then they won't be able to
view/edit the records EVEN IF they are owner of the record.

-> This can happen if the user's profile/permission set had CRED
privileges, they created some records and later CRED permissions
were removed.

6.Role Hierarchy

-> All the users who have above in the role hierarchy
chain of the user who has access to the records, will
automatically inherit the same permissions as their subordinates
on that record.

-> User must have CRED permissions on the object(s) through
profile/permission set.

Note :
Community users having 'Customer Community' license type
cannot be assigned a role and hence this rule does not apply
to them.

7. Teams (Account,case,Opportunity)

-> To share records in Account,Case & Opportunities,
you can enable teams and add user to the team.

-> For each user being added to the team, you can define
whether they canjust 'View' the record or 'Edit' the record.
In Case of 'Account Team' , you can define whether the users
in the 'Account Team' has access to the 'Cases' & 'Opportunities'
for that Account.

-> User must have CRED permissions on the object(s) through
profile/permission set.

Note : Community users having 'Customer Community'
license cannot be added to the team and hence this rule
does not apply to them.

8.Queues

-> you can create Queues in salesforce, assign the user to
the queue and set the queue as the owner of the record.

-> Users assigned to the queue will then automatically
have "Owner" like access to those records.

-> User must have CRED permissions on the object(s)
through profile/permission set.

Note :
1. you can't set the queue as the owner on the 'Account'
and 'Task' objects.
2.Community users having 'Customer Community' license
cannot be added to the queue and hence this rule does not apply
to them.

9. Sharing Rules

-> Create sharing Rules on the object. You can define the following
type of sharing rules.

1.Ownership Based Sharing Rule - Where you can share records
owned by a specific set of users with another specific
set of users.

2.Criteria Based sharing Rule - Where you can share records
meeting a specific criteria with specific set of users.

-> User must have CRED permissions on the object(s) through
profile/permission set.

Note : cannot be used for sharing records with Community
users having 'Customer Community' license type.

10. Groups

-> you can create Groups in salesforce and assign users
to the groups (you can also assign roles, territories or
other groups to a group).

-> Then use Sharing Rules to grant access to the records
to this group of users.

-> User must have CRED permissions on the object(s) through
profile/permission set.

Note :
Community users having 'Customer Community' license type cannot
be added to groups and hence this rule does not apply to them.

11.Manager Group

-> you can enable 'Manager Group' sharing option to share records
with the 'Manager' of user defined on the 'User' object.

-> Use Manager groups to share records with your management chain
instead of ll managers in the same role based on the role hierarchy.

-> Then use Sharing Rules to grant access to the records to this
group of users.

-> User must have CRED permissions on the object(s) through
profile/permission set.

Note : Manager groups can contain standard and chatter only users only
and doesn't include portal users.

12. Territory Management

-> Another powerful way to share records with users -
Create Territories and assign users to territories.

-> For sharing Account records, define the Account Assignment rule
on the Territories.

-> For sharing records in other objects, define sharing rules and
use Territories in the sharing rules.

-> User must have CRED permissions on the object(s) through
profile/ permission set.

Note :
Community users having 'Customer Community' license type
cannot be assigned to territories and hence this rule does not
apply to them.

13. Sharing Set

-> Use Sharing Set to share records with users having 'Customer Community' license type.

-> This is the only way to share records with these types of users.

-> User must have CRED permissions on the object(s) through
profile/permission set.

Note :
 -> Applicable only for community users having 'Customer Community' license type. 
 -> NOT applicable for any other user type.

 14. Sharing Group

 -> Use this option to share records created by 'Customer Community'
 license users with other internal/community users.

 -> Works together with Sharing Set.

 -> While Sharing Set is used to share records created by other
 usres with 'Customer Community' license users,sharing Group
 is used to share records created by 'Customer Community' license users
 with other users .

 -> User must have CRED permissions on the object(s) through
 profile/permission set.

 15. Super User Access

 -> Applicable only for users with license type 'Partner community'
 & 'Customer community Plus'.

 -> Used to share records created by the community user
 belonging to the same Account.

 -> User must have CRED permission on the Object(s) through
 profile/permission set.

 16. Manual Sharing

 -> Owner of a record/person higher in the role hierarchy
 of the owner/ System Administrator, can grant manual access to other
 users, groups, roles. This is done manually on record by record basis.

 Note : if you change the owner of the record or transfer the record
 to someone else, Salesforce will remove all the manual sharing.

 -> User must have CRED permission on the Object(s) through
 profile/permission set.

 17. Programmatic/apex Sharing

 -> You can also share records with other users, groups, roles programmatically.

-> This is usually done by defining a sharing reason and inserting a record in <object_name>__share object.

-> A use case is you want to share the ‘Job’ record with the Hiring Manager of that job.
So as soon as the hiring manager is assigned to the job record, the record should then automatically be shared with that hiring manager.
This is achieved by writing a trigger on the ‘Job’ object and using programmatic sharing

-> User must have CRED permissions on the object(s) through profile/permission set.

Note :
Cannot be used to share records with Community users having 'Customer Community' license type.

18. Visualforce with Apex


->If nothing else works, then you can create a Visualforce Page with Custom Apex Controller in "without sharing" mode
and grant users view/edit access to the record.

-> This option requires heavy custom development and maintenance.

-> Before going down this route, do ensure that you will not be flouting Salesforce licensing rules
when exposing records through this method.

E.g.

Salesforce Licensing model does not grant access to 'Lead' object to Customer Community Plus users.
If you are creating a Visualforce page with Custom Apex Controller
to expose lead object records to Customer Community Plus user, this may not be allowed.

19.Implict Sharing


->Salesforce grants implicit access to the records when you have access to other related records.

-> For example if you have access to a 'Contact', 'Case' or 'Opportunity' record,
Salesforce will grant you implicit read only access to the corresponding Account.
This is known as 'Implicit Parent'

-> Or if you have access to the Account through Role Hierarchy / Account Team
and have selected the option to grant access to 'Contact', 'Case' or 'Opportunity'
when defining Account Team or Role Hierarchy, then Salesforce will grant you implicit Access to
'Contract', 'Case', or 'Opportunity' records. This is known as 'Implicit Child'.

->User must have CRED permissions on the object(s) through profile/permission set.

20.Master-detail Relationship

->If you have objects in Master-Detail relationship, then the sharing rules defined on the master
automatically cascades to the object on the ‘Detail’ side of the relationship.

-> You cannot define separate sharing rule on the child object as the sharing rules are inherited from the Master.

-> This means that if a user has ‘View’ access on a record in the Master object,
he will also be able to view the corresponding child records in the detail object.

->User must have CRED permissions on the object(s) through profile/permission set.