Categories
Uncategorized

Salesforce Admin papers (four) Two-Factor Security of Authentication & Single Sign On

Benpian Reference:

https://c1.sfdcstatic.com/content/dam/web/en_us/www/documents/white-papers/2fa-admin-rollout-guide.pdf

https://blog.bessereau.eu/assets/pdfs/salesforce_single_sign_on.pdf

https://blog.bessereau.eu/assets/pdfs/salesforce_security_impl_guide.pdf

As a salesforce administrator, often have to pay more in consideration and draw a line for the user to ensure safe and fast user login. This part describes two things:

1. guarantee the safety of users more than account and password, you can also go through other ways to enhance security, such as two-factor authentication, abbreviated as 2FA.

2. Single sign-on to ensure that users can quickly and reduce user login account password to remember multiple systems.

A. Two-Factor Authentication (2FA)

After our previous Alipay not universal, if online shopping, online banking payment need to use, providing a bank card account password, but also a string of digits to complete a one-time delivery. Ensuring people know your account password situation still can not directly steal your money or fraudulent. 2FA has a similar function, that is, when after you enter the account password, you also need a certification logo to decide whether you ultimately can eventually landed. The logo is in your phone, when there are landing operation, you can always clear whether it is your login, if not, refuse to fall, increasing the security.

Follow these steps to use 2FA go to:

1. Set sesion security level

Setup search Session Settings, the Session Security Levels below, the two-factor authentication area on the right side.

2. Create the permission set configuration 2FA

After entering the label created permission set stored in the system settings, select the ‘Two-Factor Authentication for User Interface Logins’ option

3. Select the configuration 2FA assign user operation.

4. Download salesforce authenticator app. IPhone to app store, android phone to google play, because my phone is not google play environment, so some features may not be available.

Click Add account, there will be two words, in the permission set configured account login salesforce will jump to the middle page, enter the content later and salesforce authenticator binding, after login will be authorized in the mobile phone.

After binding operation, how to conduct unbundling operations? Our first thought was to remove this user from the permission set in. But this account has already salesforce authenticator binding, simply remove the permission set no avail. Correct operation is required to enter the user, there is a details page in App Registration: Salesforce Authenticator, you can click disconnect.

Two. Single Sign On

Single Sign On is not new for us, we are in the company may have more than one system, you need to remember different accounts between different systems increases the amount of trouble the staff, forget the password will also increase the administrator’s work. For the next several systems, the use of single sign-on has too many advantages.

Use Single Sign On will usually go through the following steps:

    The user tries to access salesforce;

    Salesforce identified the SSO request and generated a SAML request;

    Salesforce redirects the SAML request to the browser;

    Redirects the browser to request the external SAML identity provider;

    Identity provider verifies the user’s identity and packages the SAML assertion about the user’s authentication;

    Identity provider will send the results to the SAML assertion salesforce;

    Salesforce verify that assertion is correct;

    normal user can login and access Salesforce.

Here comes a few nouns.

SSO is an abbreviation for Single Sign On, meaning single sign-on.

Salesforce is the single point of SAML protocol used to log, called the Security Assertion Markup Language. Here again extended two concepts. Service Provider and Identity Provider. Identity Provider is used to authenticate users, and Service Provider to request user authentication if passed. After working for SAML principle when a user wants to access salesforce, Service Provider will send a request to the Identity Provider to verify whether the current user through, Identity Provider then query the database and other operations to return an assertion of the response to determine whether there is access. Here is a general description of SAML easy to understand, interested can view the document itself.

We continue to look at the picture below, after authorization by single sign-on we can access via an external Connected App Service, including Google, salesforce and so on. Here in detail the two concepts, Identity Provider and Servide Provider. For Google / Salesforce services, we can be understood as Service Provider, it can be understood as the middle of the Salesforce Identity Provider. When we got the authorization Identity Provider later, we will be able to directly access the corresponding External Service Service Provider configuration, no longer need to carry out landing operations of External Service.

The following examples below Salesforce 2 Salesforce Single Sign-On tells through a demo.

1. Enable My Domain: domain must enable the custom for the two org Salesforce enabled ways to see https://help.salesforce.com/articleView?id=domain_name_overview.htm&type=5.

Cipian in my two org addresses are:

https://zero-zhang-dev-ed.lightning.force.com

https://zhangyueqi-3-dev-ed.lightning.force.com

We use the above as an Identity Provider, the following as the Service Provider.

2. Obtain information about the Identity Provider. Here we can see the contents of the Identity Provider environment search identity provider, including the Issuer, Salesforce Identity and other information. If no enabled us to click Enable. Here we download down Certificate and metadata.

3. Configure Information Service Provide Single Sign-On: In the search for a single sign on SetUp Click Click New From Metadata, we download the file selection down in the Identity Provider environment metadata.

4. Other configuration items are reserved for the Identity Provider Certificate selected above Identity Providerdownload down the certificate, SAML Identity Type Select the items to save the Federation.

5. Servide Provider in, Setup will search for my domain to configure the Authentication Service put out.

6. Identity Provider environment configuration SetUp after searching App Manager Click New Connected App button under the Connected App. Lightning environment. Connected App Name naming us as Single Sign On Connected App, the name can be whatever you like, check Enable SAML later, configuration items, and Entity Id ACS URL. Entity Id corresponds Entity Id Single Sign-On Service Provider in configuration; ACS URL is acquired Login URL EndPoint Service Provider in the region. Subject Type save after selecting Federation Id.

7. After the Connected App click Manage Identity Provider after save or select Manage Profiles Manage Permission Sets to set who can perform single sign-on settings.

So far we have completed Salesforce 2 Salesforce Single Sign-On feature configuration. The following test.

1. We will configure user Identity Provider environments Federation Id 00000001 This account Profile for the System Administrator, the configuration on our Profile in.

2. We configured the same account in the Service Provider in Federation ID is 00000001. It should be noted that the Federation ID in the same system must be unique, if necessary SSO, you need to configure the same value in different systems.

3. After two accounts have quit, landing Identity Provider environment after landing. Open the browser and enter the domain Service Provider and choose landing approach below, after clicking will complete the single sign-on.

Summary: Part of the basics for Admin explain a bit Two-Factor and Salesforce-Salesforce Sign-On configuration Single, no knowledge of many of the details involved, interested to view the document in-depth study on their own. Articles in the wrong place welcome that, I do not understand welcome to ask questions, interested can play with Salesforce 2 Community of SSO configuration.

Leave a Reply