Social Single Sign-On with OpenID Connect

Tags:

Preview:

Click to see full reader

DESCRIPTION

Presentation from Dreamforce14 on using OpenID Connect with Google as the provider.

Citation preview

Social Single Sign-On with OpenID ConnectJames Melville

Technical Architect

@jamesmelv

James MelvilleTechnical Architect

What is Social Single Sign On?

• Ability to authenticate using social profiles

What is OpenID Connect?

• Identity Protocol built on OAuth 2.0

• Verify a user’s identity using authentication by another server

• Standard for sharing profile information

• Finalised February 2014

• Large backers:

What can I do with Salesforce & OpenID Connect?

• Provide users with a form of Single Sign On

• Allow users to login to Salesforce using other credentials– Internal Users– Community Users

• Use a variety of providers to authenticate users:– Google– Microsoft– Paypal– Ping Identity

User Benefits Business Benefits

Fewer usernames and passwords to remember Automate or Simplify User Creation

Quicker Login Reliable Source of User Details

Reduced registration effort Reduce helpdesk interactions

Why Use OpenID Connect?

How do I set this up with Salesforce?Using Google as the Identity Provider

• Register as an OAuth client with Google– https://code.google.com/apis/console

• Configure “Auth. Provider” in Salesforce– Setup -> Security Controls -> Auth Provider

• Define the logic for user management

• Use Auth Provider in My Domain / Community

https://code.google.com/apis/console
https://code.google.com/apis/console

How do I manage identities between systems?Implement a Registration Handler

• Define the logic to be executed when a user logs in– Create a registration hander in Apex– Use the profile information from the provider

• Unrecognised OpenID Connect profile– Match to an existing Salesforce user– Create a new user

• Previously logged in profile– Update profile information

Login Demo

What Else?• OpenID Connect is built on OAuth 2.0

• OpenID Connect Identity + OAuth 2.0 Authorisation = API Access

• Now use the Authorisation to access Resources

• Define access using Scope, as per OAuth 2.0

• Use APIs from the Identity Provider

API Integration Demo

Useful URLs• Google API Console:

https://code.google.com/apis/console

• Google API Documentation:

https://developers.google.com/drive/

• Apex Auth Docs:

http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_namespace_Auth.htm

• Demo Repository:

https://github.com/jamesmelville/OpenIdConnectDemo

https://code.google.com/apis/console
https://code.google.com/apis/console
https://developers.google.com/drive/
https://developers.google.com/drive/
http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_namespace_Auth.htm
http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_namespace_Auth.htm
http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_namespace_Auth.htm
https://github.com/jamesmelville/OpenIdConnectDemo
https://github.com/jamesmelville/OpenIdConnectDemo

Features I’d like to see

• Ability to dynamically extend Scopes

• Inspect scopes already claimed

• Ability to create / update user credentials store

Recommended

OpenID Connect in the R&E World - meetings.internet2.edu · [ 2] OpenID Connect in the R&E World: What is the State of Play? •A strong and rising interest for using OpenID Connect
Documents
SoK: Single Sign-On Security – An Evaluation of OpenID Connect · SoK: Single Sign-On Security – An Evaluation of OpenID Connect Christian Mainka, Vladislav Mladenov and Jörg
Documents
Single Sign-On Security - Hackmanit...3 History of Single Sign-On OAuth 1.0 Oct 2007 OAuth 2.0 Oct 2012 OAuth 1.0 Rev A Jun 2009 OpenID Connect 1.0 Feb 2014 OpenID 1.1 May 2006 OpenID
Documents
OpenID Connect - TERENAOpenID Connect OpenID Connect is an identity framework that provides authentication, authorization, and attribute transmission capability. tisdag 8 november
Documents
OpenID vs Facebook Connect vs FriendConnect
Technology
Introduction to OpenID Connect
Technology
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAuth 2.0
Software
Introduction to OpenID Connect - self-issued
Documents
OpenID Connect and Single Sign-On for Beginners
Technology
OpenID Connect Update
Documents
OpenID Connect Mobile Connect Profile Version 1.0 17 ... · GSM Association Confidential - Full, Rapporteur, and Associate Members Official Document PDATA.01 - OpenID Connect Mobile
Documents
SoK: Single Sign-On Security – An Evaluation of …...2017/01/30  · OpenID Connect is the OAuth 2.0-based replacement for OpenID 2.0 (OpenID) and one of the most important Single
Documents
06 - Kubernetes continued€¦ · OpenID Connect • Enables third-party authentication • Google, Facebook, Twitter, … • Kubernetes can use OpenID Connect together with RBAC
Documents
[MS-OIDCE-Diff]: OpenID Connect 1.0 Protocol Extensions... · 2017-06-12 · The OpenID Connect 1.0 Protocol Extensions specify extensions to [OIDCCore] (OpenID Connect Core 1.0)
Documents
OpenID Connect - Nat Sakimura at OpenID TechNight #7
Technology
O-Auth 2.0, OpenId Connect 1.0, Single Sign-On Subhojeet ...cs556dl/lecture-notes/AdvancedAuth...O-Auth 2.0, OpenId Connect 1.0 and Single Sign On are some web-based authentication
Documents
OpenID Connect Conformance Profiles v3 · 1 OpenID Connect Conformance Profiles v3.0 OpenID Connect Working Group, OpenID Foundation June 28, 2018 1. Introduction This document defines
Documents
OAuth 2.0 e OpenID Connect
Internet
[OSSParis 2015] The OpenID Connect Protocol
Technology
Introduction to OpenID Connect - self-issuedIntroduction to OpenID Connect October 20, 2020 Michael B. Jones Identity Standards Architect –Microsoft
Documents