Webinar FAQ: Salesforce Identity: Identity Management Made Easy

The following is the FAQ for Salesforce Identity: Identity Management Made Easy presented by Chuck Mortimore, Senior Product Management Director @cmort and Pat Patterson, Developer Evangelist @metadaddy.

The recording is available here.


Q: What is the major difference between Salesforce Identity and the “Identity Provider,” which already exists today?
A: Salesforce Identity is a larger effort to become a fully featured cloud Identity Provider, which includes making use of the existing Identity Provider (and service provider) features.

Q: Does salesforce.com dictate the list of websites that I can sign onto, or can users add sites themselves?
A: Your organization’s administrators can add sites themselves, while Salesforce will test and promote specific applications and partners. As long as the application is standards-based it can be managed.

Q: Can the sign-in dashboard support multiple Salesforce instances?
A: Yes it can support multiple Salesforce instances.

Q: Would a user log into our domain and get access to Salesforce without having to log into it in a traditional sense?
A: Yes.

Q: Can you use app selector to switch between multiple Salesforce org IDs?
A: Yes you can use the app selector to move between multiple Salesforce orgs.

Q: Will there be enhancement of the apps limit for standard sales cloud, Enterprise Edition for example?
A: It’s not applicable here.

Q: Within Salesforce, can a tab be used to log into a Web app within an iframe within the tab?
A: Not always, but often this is possible.

Q: Would this be an example benefit of the attributes: For auto user provisioning, I use the additional attributes to determine the level of security for a newly provisioned user in another application.
A: Yes.

Q: What happens if the user has already authenticated to an app, and then you remove access?
A: The next time they try and access the app, they are removed. Future versions might update the app.

Q: Is Janrain a third-party solution?
A: Yes.

Q: Is passing address information as part of the XML encrypted, when passing information such as a Social Security Number as part of the XML?
A: It is signed, but not encrypted. We might add encryption in the future.
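
The answer above means attribute values in the assertion are integrity-protected but readable by anything that handles the response. The following added example (not part of the original FAQ and not Salesforce code) inspects a constructed SAML 2.0 response and reports which attributes travel in cleartext; the sample XML, the `SENSITIVE_HINTS` list and the function names are assumptions, and the check looks only for the presence of a signature element, not its validity.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Hypothetical name fragments that mark an attribute as sensitive.
SENSITIVE_HINTS = ("ssn", "social", "address", "birth", "salary")

# Constructed sample (not captured from a real IdP); signature content is a stub.
SAMPLE_XML = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion>
    <ds:Signature><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>user1@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>user1@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="SSN">
        <saml:AttributeValue>000-00-0000</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="MailingAddress">
        <saml:AttributeValue>1 Example St</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def sample_response_b64():
    """Base64 form of the sample, as it would appear in a SAMLResponse form field."""
    return base64.b64encode(SAMPLE_XML.encode("utf-8"))


def audit_saml_response(b64_response):
    """Report what a reader of the response can see without any key.

    Use a hardened parser (e.g. defusedxml) for untrusted input; this sketch
    parses only the constructed sample above.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    report = {
        "encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        # A signature may sit on the Response, the Assertion, or both.
        "signed": root.find("ds:Signature", NS) is not None
        or (assertion is not None and assertion.find("ds:Signature", NS) is not None),
        "name_id": None,
        "cleartext": {},
        "flagged": [],
    }
    if assertion is None:
        return report  # nothing readable without the decryption key

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        report["name_id"] = (name_id.text or "").strip()

    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        report["cleartext"][name] = values
        if any(hint in name.lower() for hint in SENSITIVE_HINTS):
            report["flagged"].append(name)
    return report


if __name__ == "__main__":
    print(audit_saml_response(sample_response_b64()))
```

A non-empty `flagged` list with `encrypted` set to false is the case the question describes: the value is signed, yet visible to the browser and any intermediary that sees the response.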

Q: Is the Identity Management feature available by default in Winter ’13 or do we need to get it enabled from Salesforce Support? Also, is it available in the Developer Edition?
A: It will be made available in 2013.

Q: If the URL is “identity.my.salesforce,” does that mean it’s a specific org like site.com, or is it already integrated in Enterprise Edition orgs?
A: This is a ‘My Domain’ URL – it is integrated into existing Salesforce orgs.

Q: How does logout work for various applications?
A: When you log out of the app, that app can choose to redirect you to log out of Salesforce. Global logout is not yet supported.

Q: Is single logout implemented?
A: Not yet.

Q: Do you support any custom login mechanisms, like forms-based authentication for integrating legacy apps?
A: No - only standards-based apps.

Q: Do you support custom authentication, for example simple form-based authentication?
A: Only standards-based authentication is supported now.

Q: You mention that behind the scenes of your portal you’re running either SAML or OpenID Connect. Do you see much adoption of OpenID Connect coming from enterprises outside of the social web?
A: Not yet, but that standard is still in an early stage – it’s not even completed yet.

Q: How do you do name-Id mapping?
A: We support a username, user ID or federation ID being sent as the ID.

Q: How does Force.com’s Canvas play into this Identity and Access Management?
A: Canvas allows you to pull UI in.

Q: Is there a beta version of Salesforce ID Management we can play with?
A: You can use the basic Single Sign-On engines today.

Q: Is Atlassian Crowd supported in the way you say Active Directory Federation goes?
A: Atlassian support is to be decided based upon Atlassian’s roadmap.

Q: Is Salesforce Identity available under the developer sandbox?
A: It will be.

Q: Is this in pilot today or Winter ’13?
A: It will be available in 2013.

Q: Can you make the app icons smaller to fit more into one page?
A: That will be possible, yes.

Q: Can you enable policy, like enforcing users logging in while only in the office, or coming from a specific IP address?
A: Yes – you can set a login IP range.

Q: Does Salesforce maintain the session for the user? If so, how do you handle idle timeout?
A: Salesforce does not maintain the session. Session settings remain specific to the app you are concerned with.

Q: Where can we sign up for Salesforce Identity? Is it available for sign-up now?
A: Salesforce as an IdP is generally available now. Other features in this webinar are forward-looking and might not be available immediately.

Q: Does Salesforce Identity implement Single Logout?
A: No.

Q: Is a Salesforce user needed for this, or can Salesforce act as a middleman to facilitate access to different apps for your accounts/contacts, too? The use case would be to allow accounts/contacts (partners, customers, etc.) to log in via their (e.g.) Facebook account, and Salesforce would show them their own account in Salesforce, as well as provide SSO to Twitter, LinkedIn, etc.
A: A Salesforce user is needed.

Q: Can the app switcher be used for the applications behind the same SSO that Salesforce is using for authentication?
A: Yes.

Q: What happens when an employee is terminated? How does inactivating the user kill access to all the Apps?
A: By deactivating the Salesforce user, that employee no longer gets access to Salesforce and cannot use the IdP-initiated flows. If the user has a username and password, this might need to be deactivated at the application separately. Perhaps you could use a callout from Apex code to perform the deactivation?

Q: Can it also be used to manage authorizations in connected applications?
A: Not currently.

Q: To clarify, Salesforce has been available as an IdP for some time now, right? Is the SSO aspect of this presentation, with Salesforce as the IdP linking the applications, available today?
A: The flexible attributes for Salesforce as an IdP went GA with Winter ’13, so the basics of the SSO are available today. Some of the UI features and other features discussed later in the webinar are forward-looking.

Q: Where do we enter the user credentials for external apps when the ID is different between Salesforce and the app?
A: You can store the external user ID in a custom field on the user object.

Q: In the beginning of the session, it was mentioned that users need not remember so many passwords. Commonly, users at orgs remember the LDAP password. Can we use that to sync it with Salesforce and then use Salesforce to log into other enterprise apps?
A: Yes. Salesforce can be an SP and an IdP at the same time, so in your scenario, users will perform SSO from LDAP to Salesforce, then Salesforce can act as an IdP for a plethora of other SPs that can accept OAuth or SAML.

Q: Does this work with mobile apps that don’t use salesforce.com APIs?
A: You can use it to authenticate users, even if you don’t use the Force.com APIs.

Q: So, Salesforce can act as IdP for users only, not for accounts/contacts, right?
A: Correct. Please note though that portal users have both a contact and a user record, and can perform SSO.

Q: Can you support an iOS app like Box?
A: Box would need to add OAuth against Salesforce Identity to their iOS app.

Q: Does the new Salesforce Identity support delegated authentication?
A: Yes.

Q: What about going from a Salesforce to Salesforce instance? If we go to one instance, can we go back to other from the second instance?
A: You should still have the session active in the first instance, so there should be no problem going back and forth.

Q: I have one custom application that generates portal users. I have a second application that I need to enable users for the customer portal. Can I use Identity to validate? Keep in mind, a user might be a user in both applications.
A: Yes.

Q: What kind of data can be stored for the user when authenticating into Salesforce? Are the fields configurable?
A: You can add arbitrary custom fields to the user object.

Q: Can you please point to the documentation for enforcing users to come from specific IP addresses only? Can users be grouped and different IP addresses assigned to them?
A: Look at this.

Q: Does the session timeout like in Salesforce?
A: That’s up to the individual service provider.

Q: Will delegated authentication continue to be supported with these capabilities?
A: Yes.

Single Sign-On (SSO)

Q: Does Salesforce Identity provide login authentication for desk.com multipass/SSO?
A: Not currently – we’ve been focused on standards-based applications.

Q: Can you please show or demonstrate how Single Sign-On works with SAP?
A: We can integrate with SAP via standard SAML-based Single Sign-On. Some SAP products provide additional integration, such as support for OAuth and API support for pulling data from Salesforce in BI On-Demand.

Q: Does this platform support integration with Luminis (Ellucian/SunGard product)?
A: You can use Single Sign-On with any service provider that is compliant with SAML or OAuth.

Q: Can we integrate with other collaborative services, like ClearSlide, and be able to launch from here? This is similar to Box except sales pitches to external customers.
A: You can use Single Sign-On with any service provider that is compliant with SAML or OAuth.

Q: Is there a list of Single Sign-On partners or can we use Single Sign-On with anyone? Let’s say I want to do a single log with my YouTube account. That was not in the list shown.
A: You can use Single Sign-On with any service provider that is compliant with SAML or OAuth.

Q: In what release is this Single Sign-On going to be available?
A: SSO is available today for existing licenses.

Q: For SAP, do I need the Netweaver SSO components? Or will this work through the SAP GUI or its Web GUI?
A: You’d need Netweaver for the ability to accept SAML-based SSO.

Q: Is SSO compatible with Blackberry?
A: SSO is supported for Chatter for Blackberry.

Q: It sounds like each “icon” on the Single Sign-On page only corresponds to one user ID, so if I have several Gmail accounts, the ID will be linked to only one of my Gmail accounts, correct? Then what about some sites (such as banks) that have a second level user authentication process, such as sites that ask another security question after inputting passwords?
A: Salesforce Identity does not store and forward your user ID / password. It is only for standards-based Single Sign-On applications. If applications have second-level authentication processes, they can impose those if desired.

Q: “In order to enable your Identity Provider, you must first Configure a Domain Name.” What is the technical reason that this is required?
A: Having a unique domain name helps a lot with Single Sign-On protocols. It allows Salesforce to uniquely address a specific Identity Provider, control its session independently, and recognize how to treat unauthenticated users.

Q: What type of license do users who do not use Salesforce apps need to be able to use Salesforce SSO?
A: There will be a special license for this.

Q: Can you use the same feature to do Single Sign-On between different Salesforce orgs?
A: Yes, you will be able to perform SSO between Salesforce orgs.

Q: Can you have different SSO settings for your Customer Portal and your org for employees?
A: We plan to introduce this in 2013.

Q: Do you support SSO to customer Web apps that are specific to our enterprise and expose these via the same portal?
A: Yes.

Q: Can I use Salesforce Identity as a cloud-computing provider to manage SSO for our clients?
A: Yes.

Q: Is there a plan to allow signing into various Salesforce orgs with the same email ID?
A: Through SSO – no direct login.

Q: I am setting up the Single Sign-On Settings for my company. Can I test the feature in Developer Edition?
A: Yes.

Q: What are your feelings about SSO across native apps? For example, what if I have a Salesforce native client, Box native client, and WebEx native client running on my iPad? I don’t see this being addressed much, anywhere in the industry or standards. I mean SSO in the strictest sense ... you showed logon with native app using an IdP, but can I switch to other native apps and not be asked for a password again?
A: Not today – each one logs in independently.

Q: Can you use SSO for just customers and not your internal Salesforce users?
A: Yes.

Q: Is it a must to use the new identity.salesforce.com in order to use Salesforce Identity?
A: No, you don’t need to use that specific URL, but you must choose a My Domain for the org that runs as your identity provider, and all of the SSO comes from that domain.

Q: Your demo showed SSO as being driven via a portal of sorts. Is the portal a feature, or is it required? For example, what if a user goes directly to Gmail or directly to WebEx using a Web browser URL? If it’s required, why?
A: It’s a feature. Some apps don’t support going directly to the app – it really depends on their level of support for SSO.

Q: Can admins add local SPs to the WebSSO portal?
A: Yes.

Q: Will Single Sign-On work if an external application is embedded in a Visualforce page in an app?
A: It depends on the details.

Q: Some sites require users to change passwords every three months, for example. How does Salesforce Identity handle that when the current password expires?
A: It is not impacted, since passwords are not used in the Single Sign-On process.

Q: Can the SSO be setup to automatically create user IDs if they do not exist or is the user ID expected to exist in the app being logged into with SSO?
A: The attributes sent from Salesforce via SAML are configurable and flexible. See Security Controls -> Identity Provider from within Salesforce. It is up to the third-party application to support the “Just In Time” provisioning you are referring to, but if they do it should be possible.

Q: If, based on Salesforce security settings for your org, you have a required password change every 90 days, does that also change the passwords for the Single Sign-On apps, or vice versa? If there’s a password change required in one of the included apps, how does that affect the Single Sign-On via Salesforce?
A: The Salesforce password change will have no effect on any applications outside of Salesforce. Since IDM uses OAuth or SAML, Salesforce will not be storing any exterior passwords, so expiration of those passwords should not be a concern either.

Q: How does the My Domain feature help with SSO?
A: For a good article that shows the benefits of MyDomain in SSO, see here.

Q: Can SSO be used to log into multiple Salesforce accounts?
A: Yes! Using MyDomain, you can uniquely identify each org and set up SSO to each from one central org. Check out here.

Q: How does this apply to Salesforce to Salesforce SSO? For example, Salesforce (internal org) to a Partnerforce identity.
A: In general, yes, you can do SSO between Salesforce orgs – see here.

Q: Must I add an identity provider if I want to use the SSO?
A: You can use your own identity provider, or use Salesforce as your identity provider.

Q: Can we use Salesforce SSO to enable authentication of customers and partners into my portals using their preferred identity provider, assuming it is supported by Salesforce? (such as Google, FB, LinkedIn, Yahoo, etc.)
A: Yes.

Active Directory Federation Services

Q: What is the role of Active Directory Federation Services or PingFederate in SSO?
A: They can help connect your existing enterprise systems. For example, providing a SAML 2.0 interface for Active Directory and other enterprise directories.

Q: How do we SSO into Salesforce using our Windows login?
A: Using standard SAML SSO via Active Directory Federation Services or a third party product such as PingFederate.

Q: Most of the organizations have Microsoft Active Directory. Can you elaborate how to do SSO?
A: Use the SAML support in Active Directory Federation Services.

Q: We are planning on using Oracle IdM for SSO and password reset integrating with Active Directory. Can Salesforce do that?
A: We don’t handle password reset for Active Directory, but we do support the other general use cases.

Q: Does Salesforce Identity integrate with Microsoft Outlook in particular?
A: We integrate with Active Directory through open standards, such as SAML. See this article.

Q: Does Salesforce Identity work across multiple Active Directories?
A: It can.

Q: Does that mean if the Salesforce user does not exist and an Active Directory user logs in, do you mean the Salesforce user will get created on the fly?
A: Yes, it is possible to configure that via SAML Just-in-Time provisioning.

SAML and OAuth

Q: Does Salesforce Identity use SAML 2.0?
A: Yes.

Q: Does Salesforce Identity support SAML 2.0 or WS-*?
A: SAML 2.0. No WS-* support.

Q: What different specifications are supported? For example, SAML 2.0 etc.?
A: SAML 1.1 and 2.0, OAuth 1.0a and 2.0.

Q: Is OAuth a replacement for SAML or complementary?
A: Complementary. OAuth is for API / Mobile / Desktop clients. SAML is mostly used for web SSO.

Q: Is there any documentation for Google Salesforce SSO SAML Test?
A: Yes – check our docs.

Q: Is high XML knowledge required for learning to implement SAML?
A: SAML is reasonably technical, but generally, you can stay out of the SAML details.

Q: Does XML Structure for each SSO SAML configuration differ with each different company implementation?
A: Generally not.

Q: Approximately how long does it take to configure new IdPs based on SAML, OAuth, or OpenID? Is it entirely self help?
A: Salesforce can be configured as an IdP extremely quickly. Try provisioning two dev orgs and setting one up for SSO to the other! It ordinarily takes about an hour. The only caveat is that the My Domain can take some time to provision.

Q: OAuth supports that also?
A: Depends on the flow... Salesforce does support a “SAML over OAuth” flow, that might work for this purpose.

Q: Competing products in this space have extensions or other ways to use passwords from sites that don’t support these standards. How would we use this to connect something like FedEx.com, where we have many users using that one login?
A: Salesforce Identity supports standards such as SAML and OAuth – you would use a third-party product to bridge to other sites.

Q: How many apps are supported today?
A: Any app that supports SAML or OAuth.

Q: Is there a documentation or reference to set up OAuth 2.0 on Salesforce?
A: Yes: here.

Q: What’s the timeline on Oasis/SAML using REST/JSON etc., as was alluded to earlier?
A: There aren’t currently any plans for that, but OpenID Connect is similar in concept – look at this.

Salesforce SCIM

Q: Will the Salesforce SCIM interface allow me to provision users to Google Apps?
A: You will be able to provision users to Salesforce to SCIM, at which point, Salesforce can provision Google Apps.

Q: Will this work for Portal User SSO Management?
A: Yes.

Q: You’re providing SSO and user provisioning/de-provisioning for several cloud-computing applications. Will users be able to use all of this functionality through the SCIM API?
A: You’ll be able to manage users.

Enterprise Applications

Q: Are you supporting enterprise applications?
A: Salesforce Identity will support enterprise applications that support SAML, or you can use a third party federation product to bridge from SAML to the enterprise app.

Q: For the enterprise applications, this means these applications should be exposed to the cloud through firewall access?
A: Salesforce will need to communicate with these applications over the Web, so they will need to be visible to Salesforce.

Q: Does the site define the filters that are available, and the labels for the different apps?
A: You (the admin) define filters, labels, etc.

Q: How does enterprise password work here? Can Salesforce take the LDAP password set at org level?
A: We can do SSO against an identity provider in your enterprise that uses the LDAP password, or you can set up delegated authentication to have your users type their LDAP password at login.salesforce.com and have us validate it with a Web service at your enterprise – see here.

Q: How do I identify a user if I want to log into an enterprise app, for example SAP, from salesforce.com with enterprise app credentials?
A: If SAP allows for SSO via SAML or OAuth, it will work fine!


Q: Can you set it up for two or more different Gmail accounts?
A: Yes, you could set up two Gmail service providers and get the Google username from different fields on the user record.

Q: Does Salesforce ID management work well with Google’s “application specific password” feature on mobile apps and thick clients?
A: Yes.

Q: Can I use Salesforce Identity for giving my users SSO with Google apps so they won’t need to provide Salesforce credentials when they are logged into their Gmail?
A: Yes.


Q: We use Chatter internally. Our customers have their own Salesforce instances where they use Chatter. We have a private Chatter Group where we invited our customers. Few of them use it as they need to logout their Salesforce instance and log in with new credentials to access our Private Chatter. Will it solve this issue?
A: You should look at org-org SSO with authentication providers. This would probably solve the issue – see the case study from FinancialForce 32 minutes into this video.

Q: Are Chatter Free and Chatter External users available to be assigned to SAML apps?
A: As far as I am aware, yes. I believe the only user type that does not support SAML is self-service portal users.

Q: Can users that do not require Salesforce be authenticated via Salesforce Identity? That is, they’re not active or have no Salesforce license on the User record?
A: No, they will need to have a login to Salesforce in order to perform the IdP-based SSO. You might be able to accomplish this easily using Chatter Free licenses!


Q: How do you identify user1 in Salesforce to user1 in Concur?
A: The Concur user ID can be stored in a custom field on the Salesforce user object.

Q: Let’s say we need to add Concur in Single Sign-On in Salesforce. Do we need to install Concur apps in Salesforce?
A: You only need to configure SAML.

Q: OK, so that’s where the “formula” editor comes in, to send that to the third party? Thus Concur would see my email address and know that I’m user1 in Concur?
A: In the Salesforce IdP settings you can define which attributes are sent in the SAML assertion via a formula-like interface.

Permission Sets

Q: Can these apps be enabled via the permission sets?
A: Yes.

Q: Can we use Permission Sets for service provider access?
A: Yes.

Q: Can we give this to users via permission sets instead of profiles?
A: Yes.

Q: Instead of using permission sets, can I grant access on an individual user basis? I can’t see a user-related list on the connected app page.
A: No – use a permission set.

Pricing and Licensing

Q: What about pricing? Is it part of Force.com user pricing?
A: To be announced.

Q: If we have a multi-org implementation, there is one Identity Provider and one Service Provider, and we have to create the same user in IdP and SP in both orgs. In this case, do the license fees apply for two users or just one user?
A: Both need a license – the fees can vary.

Q: Do we need a separate license for Salesforce Identity Provider?
A: Pricing and packaging is to be announced, but each user does need a license.

Q: Will Salesforce Identity Provider be available for customer portal user licenses as well?
A: Yes.

Q: Can Salesforce Identity Provider be a part of the same simple license that we have for CRM?
A: Yes.

Q: What about cost and pricing?
A: Salesforce as an IdP is available now with no additional licensing cost. For forward-looking features pricing, information is not yet available.

Q: At $15/user/month for one app or $50/user/month for Enterprise, why would I choose this over Okta ($0 for one app or $10 for Enterprise)?
A: We will announce cheaper pricing for SSO-only users.

Q: What type of user license would I need? My sales, support, and marketing teams all have Salesforce licenses, but the balance of my org does not.
A: There will be a new “SSO-only” user.