Social Single Sign-On with OpenID Connect


Presentation from Dreamforce14 on using OpenID Connect with Google as the provider.

Social Single Sign-On with OpenID Connect

James Melville, Technical Architect

@jamesmelv

What is Social Single Sign On?

• Ability to authenticate using social profiles

What is OpenID Connect?

• Identity Protocol built on OAuth 2.0

• Verify a user’s identity using authentication by another server

• Standard for sharing profile information

• Finalised February 2014

• Large backers:

What can I do with Salesforce & OpenID Connect?

• Provide users with a form of Single Sign On

• Allow users to log in to Salesforce using other credentials
– Internal Users
– Community Users

• Use a variety of providers to authenticate users:
– Google
– Microsoft
– Paypal
– Ping Identity

Why Use OpenID Connect?

User Benefits
• Fewer usernames and passwords to remember
• Quicker login
• Reduced registration effort

Business Benefits
• Automate or simplify user creation
• Reliable source of user details
• Reduce helpdesk interactions

How do I set this up with Salesforce?
Using Google as the Identity Provider

• Register as an OAuth client with Google
– https://code.google.com/apis/console

• Configure “Auth. Provider” in Salesforce
– Setup -> Security Controls -> Auth Provider

• Define the logic for user management

• Use Auth Provider in My Domain / Community

How do I manage identities between systems?
Implement a Registration Handler

• Define the logic to be executed when a user logs in
– Create a registration handler in Apex
– Use the profile information from the provider

• Unrecognised OpenID Connect profile
– Match to an existing Salesforce user
– Create a new user

• Previously logged in profile
– Update profile information
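As an added illustration of the registration handler logic above (not code from the presentation or its demo repository), a minimal Apex handler for a Google Auth. Provider; the class name, the 'Standard User' profile and the use of the Google email as the Salesforce username are assumptions an org would adjust:

```apex
// Added example, not code from the presentation or its demo repository.
// Unrecognised profiles are matched to an existing user or provisioned;
// known profiles only have their details refreshed.
global class GoogleRegistrationHandler implements Auth.RegistrationHandler {

    // Called when the provider's subject identifier has not been seen before
    global User createUser(Id portalId, Auth.UserData data) {
        // Match on the provider's stable subject id (data.identifier) held in
        // FederationIdentifier, not on the email address, which can change or be reused
        List<User> existing = [SELECT Id FROM User
                               WHERE FederationIdentifier = :data.identifier
                               AND IsActive = true LIMIT 1];
        if (!existing.isEmpty()) {
            return existing[0];
        }

        // Otherwise provision a new internal user; the profile name is an assumption
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
        User u = new User();
        u.Username = data.email;                  // assumes the email is a valid, unused username
        u.Email = data.email;
        u.FirstName = data.firstName;
        u.LastName = String.isBlank(data.lastName) ? 'Unknown' : data.lastName;
        u.Alias = data.email.substringBefore('@').left(8);
        u.FederationIdentifier = data.identifier; // used for matching on later logins
        u.ProfileId = p.Id;
        u.LanguageLocaleKey = 'en_US';
        u.LocaleSidKey = 'en_US';
        u.EmailEncodingKey = 'UTF-8';
        u.TimeZoneSidKey = 'UTC';
        return u;                                 // the platform inserts the record
    }

    // Called on subsequent logins for a known identifier: refresh profile fields only.
    // Identity-bearing fields (Username, FederationIdentifier, ProfileId) are left alone.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = new User(Id = userId);
        u.FirstName = data.firstName;
        u.LastName = data.lastName;
        u.Email = data.email;
        update u;
    }
}
```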

Login Demo

What Else?

• OpenID Connect is built on OAuth 2.0

• OpenID Connect Identity + OAuth 2.0 Authorisation = API Access

• Now use the Authorisation to access Resources

• Define access using Scope, as per OAuth 2.0

• Use APIs from the Identity Provider

API Integration Demo

Useful URLs

• Google API Console: https://code.google.com/apis/console

• Google API Documentation: https://developers.google.com/drive/

• Apex Auth Docs: http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_namespace_Auth.htm

• Demo Repository: https://github.com/jamesmelville/OpenIdConnectDemo

Features I’d like to see

• Ability to dynamically extend Scopes

• Inspect scopes already claimed

• Ability to create / update user credentials store
