Social Single Sign-On – Authentication Providers in Spring ’12
Given my background in single sign-on, the Spring ’12 feature I’m most excited about is the ability to use external ‘authentication providers’ to give access to Salesforce portals and orgs. Where the existing SAML-based SSO allows you to authenticate users within the enterprise for single sign-on into Salesforce, you will now be able to leverage third-party services such as Facebook and Janrain to log users in. One use case for this technology is allowing customers to access a portal via Facebook; another would be for small businesses, for which a SAML identity provider is out of reach, to use their Google login via the Janrain service to access their Salesforce org. You can even use another Salesforce org as the authentication provider, enabling some very interesting scenarios such as single sign-on to ISV customer support portals.
So how do you get this all working? Taking Facebook as an example, you will need to create a new Facebook App, then, in Salesforce, configure an Authentication Provider (Your Name > Setup > Security Controls > Auth. Providers) with your new Facebook app’s ID and secret. You can optionally provide an Apex class that implements the Auth.RegistrationHandler interface (documented in Spring ’12 Preview Release Notes [PDF]) to automatically map external identities into User objects, or have users link their Facebook ID to their existing Salesforce account (Josh demonstrates manual account linking from Facebook to Salesforce in the release preview webinar.) You can also configure SSO into the org itself or a portal.
When you save the Authentication Provider configuration, you’ll be given a set of four URLs:
Copy the callback URL over to the Facebook app’s Website URL and you’re all set.
As well as the callback URL, the Authentication Provider also provides URLs to link accounts, initiate single sign-on, and, usefully, test the configuration. The latter will run through the process of logging in at Facebook and prompt you to allow your Salesforce org to access a subset of your profile data:
The test URL just renders XML with the Salesforce org ID and the user info passed from Facebook:
The link URL will run through the same login/authorization at Facebook, but then prompt the user to login to their existing Salesforce account:
After logging in, the user is prompted to link their accounts:
Once the accounts are linked, the user can just hit the initiate SSO link to login to Salesforce via Facebook.
If, for some reason, the user, or an admin, later wishes to unlink accounts, there is a new ‘Third Party Account Links’ section in Personal Information that gives full control:
As an alternative to this manual link process, you can automatically provision user account by providing an Apex class that implements the Auth.RegistrationHandler interface, with methods to setup a new User record the first time a user signs in and to update the User record subsequently – ideal for implementing that customer portal!
I’m sure this new functionality will provoke many ideas and questions – I’m looking forward to your comments…