social single sign-on with openid connect
DESCRIPTION
Presentation from Dreamforce14 on using OpenID Connect with Google as the provider.
TRANSCRIPT
Social Single Sign-On with OpenID Connect
James Melville
Technical Architect
@jamesmelv
What is Social Single Sign On?
• Ability to authenticate using social profiles
What is OpenID Connect?
• Identity Protocol built on OAuth 2.0
• Verify a user’s identity using authentication by another server
• Standard for sharing profile information
• Finalised February 2014
• Large backers:
What can I do with Salesforce & OpenID Connect?
• Provide users with a form of Single Sign On
• Allow users to log in to Salesforce using other credentials
– Internal Users
– Community Users
• Use a variety of providers to authenticate users:
– Google
– Microsoft
– Paypal
– Ping Identity
Why Use OpenID Connect?
User Benefits:
• Fewer usernames and passwords to remember
• Quicker login
• Reduced registration effort
Business Benefits:
• Automate or simplify user creation
• Reliable source of user details
• Reduce helpdesk interactions
How do I set this up with Salesforce?
Using Google as the Identity Provider
• Register as an OAuth client with Google
– https://code.google.com/apis/console
• Configure “Auth. Provider” in Salesforce
– Setup -> Security Controls -> Auth Provider
• Define the logic for user management
• Use Auth Provider in My Domain / Community
How do I manage identities between systems?
Implement a Registration Handler
• Define the logic to be executed when a user logs in
– Create a registration handler in Apex
– Use the profile information from the provider
• Unrecognised OpenID Connect profile
– Match to an existing Salesforce user
– Create a new user
• Previously logged in profile– Update profile information
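A registration handler covering the three cases on this slide, as an added example rather than code from the demo repository; the 'Standard User' profile name, the username scheme and the time zone are assumptions for the org, and the e-mail match relies on Google asserting verified addresses:

```apex
// Added example, not the deck's demo repository code: an Auth.RegistrationHandler
// for the three cases on the slide. Profile name, username scheme and time zone
// are assumptions.
global class GoogleRegistrationHandler implements Auth.RegistrationHandler {

    // First login for an identity Salesforce has not linked to a user yet.
    global User createUser(Id portalId, Auth.UserData data) {
        // Case 1a: match an existing Salesforce user by e-mail address. Acceptable
        // here only because Google asserts verified addresses; with a provider
        // that does not verify e-mail this becomes an account-takeover path, so
        // match on a pre-provisioned link to the provider identifier instead.
        if (String.isNotBlank(data.email)) {
            List<User> existing = [SELECT Id FROM User
                                   WHERE Email = :data.email AND IsActive = true
                                   LIMIT 1];
            if (!existing.isEmpty()) {
                return existing[0]; // Salesforce links the identity to this user
            }
        }

        // Case 1b: no match, so create a new internal user from the provider's
        // profile. Returning a User with no Id makes Salesforce insert it.
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
        User u = new User();
        u.Username = data.email;                 // assumption: unique across orgs
        u.Email = data.email;
        u.FirstName = data.firstName;
        u.LastName = String.isBlank(data.lastName) ? data.email : data.lastName;
        u.Alias = data.identifier.length() > 8   // Google 'sub', alias is max 8 chars
                  ? data.identifier.substring(0, 8) : data.identifier;
        u.ProfileId = p.Id;
        u.LanguageLocaleKey = 'en_US';
        u.LocaleSidKey = 'en_US';
        u.EmailEncodingKey = 'UTF-8';
        u.TimeZoneSidKey = 'Europe/London';      // assumption
        return u;
    }

    // Case 2: previously seen identity; refresh profile fields only. Username and
    // ProfileId are left alone, so a changed provider profile cannot widen access.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = new User(Id = userId);
        u.FirstName = data.firstName;
        u.LastName = String.isBlank(data.lastName) ? data.email : data.lastName;
        u.Email = data.email;
        update u;
    }
}
```

The class is selected in the Auth. Provider definition under Setup; portalId is null for internal logins and carries the community id for Community users.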
Login Demo
What Else?
• OpenID Connect is built on OAuth 2.0
• OpenID Connect Identity + OAuth 2.0 Authorisation = API Access
• Now use the Authorisation to access Resources
• Define access using Scope, as per OAuth 2.0
• Use APIs from the Identity Provider
API Integration Demo
Useful URLs
• Google API Console:
https://code.google.com/apis/console
• Google API Documentation:
https://developers.google.com/drive/
• Apex Auth Docs:
http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_namespace_Auth.htm
• Demo Repository:
https://github.com/jamesmelville/OpenIdConnectDemo
Features I’d like to see
• Ability to dynamically extend Scopes
• Inspect scopes already claimed
• Ability to create / update user credentials store