The Cloud Blog

Salesforce Single Sign-On - Lava Protocols

Written by Admin | Dec 9, 2014 3:36:46 AM

by Kana Sabaratnam, Former General Manager, Lava Labs

The dilemma in understanding technology has always been considering  the various options that we have. In considering single sign-on (SSO) for our organization,  we  had  to  understand the two permissible methods in Salesforce which are Delegated Authentication and Federation ID.

Having considered both options, we found that there are pros and cons to both systems  of implementing  single  sign  on  which is  worth  discussing. I hope this will be helpful  for  those  who  wish  to implement SSO for their organizations.

Delegated Authentication

We created a Google App that runs on the Google App Engine. Google App has a link to host SSO login and authentication. Like all other google Apps, it  requires users  to log in  to  google  using  their  email and  password.

Once  the  user  is authenticated, Google App’s home page will display the landing page to start the authentication process. This page will have a link to Salesforce. This link is an auto form submission that links to your Salesforce login page.

Clicking on the link will submit the form that contains your Gmail username as your username for Salesforce, and a dynamic token will be generated as your Salesforce password.

After  submitting  the  form to  Salesforce,  Salesforce  Delegated Authentication takes over. If the user is “single sign on” enabled, delegated authentication will send a soap type request from Salesforce to your Google App  link  specified  in the  delegated authentication gateway.

Once the request has been received, Google App will check the username and  password to see if  it  is  the  correct username  and  password  that  was submitted in the automated link. The password is a dynamically generated token from the login link page. This whole process should be completed in less than 2 minutes. Once the token is checked against the the secret format, the response is sent to Salesforce.

In considering SSO (single sign on) for  our organization, we had to understand the two allowed methods in Salesforce which are Delegated Authentication and Federation ID.

The  response  to  Salesforce  is  soap type response with the Authenticated value set as true or false. If the response is false the user will get a message indicating  that  the  Authentication Provider  is  down  or  not  responding. If the response is true, a new session is  created  and  the  user  logs  into Salesforce.

Conclusion

Our primary focus is cloud solutions. Therefore it is clear that Delegated Authentication was most suited. However, we are very much in-favour of the features available in sAmL such as; JIT and direct login on the service provider. we are hoping to have some solution soon so that the user adoption rates would be much more encouraging.

Lava is an authorised Salesforce Partner in Malaysia and has more than a decade of experience in cloud solutions which includes marketing automation, CRM implementation, change management, and consultation. We pride ourselves in not just being a CRM partner but in also understanding the needs of our customers and taking their business to the next level.