This document provides recommendations for choosing an authentication system for Salesforce, based on user experience, security and practical considerations.
salesforce_sso.pdf | 296 KB |
salesforce_sso.pdf | 296 KB |
Authors |
|
---|---|
Version | 1.0 |
Last Revised | 14-Apr-2021 |
Status | Draft |
Document Type | Single Topic Guidance |
Audience Level |
|
There are currently more than 60 implementations of Salesforce across the University. These platforms use a mix of native and centrally managed authentication services. The lack of a consistent approach to user authentication and authorization leads to increase risk.
In addition to the native system of user authentication and authorization, Salesforce supports Single sign-on (SSO), an authentication method that enables users to access multiple applications with one login and one set of credentials. The largest SSO system at Harvard is Harvard Key, although some Schools support alternative systems. Salesforce administrators should understand and choose an authentication system based on user experience, security and practical considerations.
Salesforce includes a variety of security related tools and configuration alternatives. These include:
These may be implemented with the Salesforce native authentication system or in combination with a separate identity provider. Each of these should be evaluated and implemented when appropriate in the context of business, technical and policy requirements.
Salesforce has an internal system of user authentication that utilizes usernames, passwords, and session management. Although functional, the user needs to create, remember, and manage another set of credentials. In add, the org administrator needs to manually provision and deprovision users.
Salesforce also supports single sign-on capability to simplify and standardize user authentication. There are two options to implement single sign-on—federated authentication using Security Assertion Markup Language (SAML) and delegated authentication.
Harvard Key is Harvard University's unified credential for accessing University applications and services with a single, convenient login name and password. The use of Harvard Key with Salesforce is an example of Federated authentication using Security Assertion Markup Language (SAML). Configuring Salesforce to use Harvard Key is beyond the scope of this advisory but documentation is available through the Identity and Access Management Program site and Salesforce.
Harvard Key currently supports Harvard employees, faculty, staff, students, and persons-of-interest (POI). Consequently, the use of the Harvard Key SSO system in Salesforce is limited to those user populations. A new Harvard Key service that will support a wider variety of roles, including executive and extended education students, is in development. This will support the use of the enterprise authentication system with Salesforce Communities and other broader user populations.
Although Harvard Key is the primary enterprise SAML identity provider, some schools support their own identity providers. Configuring Salesforce to use an alternative identity provide is similar to using Harvard Key.
The use of centrally managed authentication services and SSO provides several important benefits:
While the use of SSO does create a dependency on the authentication service, Harvard Key is highly available and rivals Salesforce itself in operational performance and uptime.
Harvard Key authentication services are available for web applications with two standard protocols: CAS and SAML 2.0.
SAML is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). This is done through an exchange of digitally signed XML documents. This process allows a Harvard Key user to login to Salesforce using their University username/password and relieves them of the need to re-enter their Harvard Key credential each time they access a different web application.
A simplified description of how the SAML protocol and process works includes the following steps:
A graphical representation of Salesforce authentication when using SSO is below:
SAML authentication relies on public key infrastructure (PKI) and uses digital certificates. These have an expiration dates and must be renewed prior to expiration. The Salesforce default for key expiration is 2 years. Updating certificates must be coordinated with the identity provider.
Often SaaS applications and platforms like Salesforce a user must exist (be provisioned) in the application before they are able to login using an SSO system. With Just-in-Time (JIT) provisioning, the identity provider passes user information to a Salesforce org in the SAML assertion to automatically create user accounts. If this option has value in your particular case, work with HUIT’s IAM services to determine which user information you want to pass to your org.
The use of a Harvard supported central authentication system is required by policy for Salesforce orgs that contain level three or higher data as defined by the Harvard Information Security Office.
The use of an external identity provider and a single sign on system results in improved security and a better user experience. Absent specific business or technical requirements, all Salesforces orgs should use a Harvard supported central authentication system such as Harvard Key.
User provisioning can be done manually but automated provisioning and de-provisioning provide additional value and can reduce costs. Salesforce administrators should work with IAM to understand the available provisioning alternatives.
Harvard Key presently supports Harvard affiliates only but the new capabilities of Harvard Key Light should be considered once the system is available (planned for 6/2021).
When central authentication is not used, the security controls available within Salesforce should be evaluated and used when appropriate.
https://developer.salesforce.com/docs/atlas.en-us.sso.meta/sso/sso_about.htm
https://en.wikipedia.org/wiki/Single_sign-on
https://developers.onelogin.com/saml
https://resources.docs.salesforce.com/230/latest/en-us/sfdc/pdf/salesforce_single_sign_on.pdf