SALESFORCE ARCHITECTURE REFERENCE - IDENTITY AND ACCESS ARCHITECTURE SP21 - FOR INFORMATION PURPOSES ONLY - V1.0 - MARK CANE - 2021-04-18

Identity Management

Identity Management - Single Sign-on (SSO)

Service Provider-Initiated SSO (SP-I) via SAML 2.0 and an External Identity Provider (IdP)
Scenario - User accesses a protected Salesforce resource via Deep Link.
Components: Salesforce (SP) with My Domain (e.g. https://acme.my.salesforce.com) and Identity Store (Salesforce Users); External IdP, e.g. Salesforce Identity Connect, with Identity Store (Active Directory).
Identity Provider Settings (configured in Salesforce): Login URL (required), Entity Id, Identity Provider Certificate.
Service Provider Settings (configured at the IdP): ACS URL + Entity Id.
1 - Unauthenticated User accesses a protected Service Provider (SP) resource via the unique My Domain URL.
2 - Salesforce loads the SP configuration for the mapped Org, generates a SAML Request and redirects the browser to the Identity Provider (IdP) for authentication.
3 - User signs in securely.
4 - IdP generates a signed SAML Response with an embedded SAML Assertion.
5 - The IdP redirects the User back to the SP. The SP validates the assertion (via JavaScript POST to the ACS URL), maps a User via Federation ID or Username and creates a session. The RelayState querystring parameter holds the original resource requested.
Note. Salesforce Identity Connect supports one-way User data synchronisation from AD to SF. AD Groups map to Profile, Role, Permission Set and Public Group.

Identity Provider-Initiated SSO (IdP-I) via SAML 2.0 and an External Identity Provider (IdP)
Scenario - Automated User login when protected resources are accessed directly from the IdP.
Components: Salesforce (SP) with My Domain and Identity Store (Salesforce Users); External IdP, e.g. Salesforce Identity Connect, with Identity Store (Active Directory).
Identity Provider Settings (configured in Salesforce): Login URL (not required), Entity Id, Identity Provider Certificate.
Service Provider Settings (configured at the IdP): ACS URL + Entity Id.
1 - Authenticated User accesses a protected Service Provider (SP) resource via the IdP.
2 - IdP generates a signed SAML Response with an embedded SAML Assertion.
3 - The IdP redirects the User to the SP. The SP validates the assertion (via JavaScript POST to the ACS URL), maps a User via Federation ID or Username and creates a session. The RelayState querystring parameter holds the target resource requested by the IdP.

Identity Provider-Initiated SSO (IdP-I) via SAML 2.0 with Salesforce as the Identity Provider (IdP)
Scenario - Salesforce User accesses an external Web App via the App Launcher.
Components: Salesforce (IdP) - Salesforce Identity (Customer 360 Identity) - with App Launcher, Connected App and Identity Store (Salesforce Users); External Service Provider (SP).
Identity Provider Settings (in Salesforce): Issuer, Identity Provider Certificate.
Service Provider Settings (on the Connected App): ACS URL + Entity Id.
Identity Provider Settings (configured at the external SP): Entity Id, Identity Provider Certificate.
1 - Authenticated User accesses an external Service Provider (SP) registered as a Connected App listed in the Salesforce App Launcher.
2 - IdP generates a signed SAML Response with an embedded SAML Assertion.
3 - The IdP redirects the User to the SP. The SP validates the assertion (via JavaScript POST to the ACS URL), maps a User and creates a session.
Note. Connected App User Provisioning supports Create, Update and Delete of SP Users via Flow & Named Credentials.

Identity Provider-Initiated Single Logout (SLO) via SAML 2.0 with Salesforce as the Identity Provider (IdP)
Scenario - Salesforce User logs out, resulting in federated logout to Service Providers.
Components: Salesforce (IdP) with Connected App and Identity Store (Salesforce Users); External Service Provider (SP).
Identity Provider Settings (in Salesforce): Issuer, Identity Provider Certificate.
Service Provider Settings (on the Connected App): ACS URL + Entity Id, Single Logout URL / Binding.
1 - SSO flows send the Session Index from the IdP to the SP.
2 - Authenticated User logs out from the IdP (i.e. Salesforce).
3 - IdP sends the Session Index to the SP via SAML Request (GET) or SAML Response (POST), depending on the Binding type.
4 - SP logs out the user indicated by the Session Index.

3rd Party Identity

Delegated Authentication
Salesforce delegates password management and validation to an external authentication method.
Components: Salesforce (Login Page - Employee / Internal, API, Identity Store: Salesforce Users, Delegated Authentication WSDL); DMZ (Secure Reverse Proxy); Corporate Network (Delegated Authentication SOAP Web Service, Identity Store e.g. LDAP / Active Directory).
1 - User logs in to Salesforce via Login Page or API.
2 - Salesforce validates the User record by username and checks the [Is Single Sign-on Enabled?] Permission.
3 - If TRUE, then Salesforce calls the registered Delegated Authentication Web Service via the Delegated Gateway URL, passing as parameters the Username, Password and Source IP address. Salesforce does not store the password.
4 - Delegated Authentication Web Service validates the user credentials against the required authentication service and returns a TRUE or FALSE response.
5 - For a TRUE response Salesforce creates an authenticated session for the user.
Note. The Delegated Authentication Web Service is a SOAP protocol based web service that implements the Delegated Authentication WSDL exportable from the Salesforce org. The WSDL defines the contract for the delegated authentication flow.
Note. Delegated authentication requires Users to log in to each service provider they access, whereas Federated authentication does not.

Authentication Providers (Social Sign-on)
Salesforce delegates user authentication to an external authentication provider such as Google or Facebook.
Standard Authentication Providers: Apple, Facebook, Github, Google, Janrain, Linkedin. Authentication Providers via OpenID Connect (OID) - examples: Paypal, Amazon.
Components: Authentication Provider configuration (Authorize endpoint URL, Consumer Key, Client Secret, Registration Handler); Login Page - Employee / Internal (Login with Google); Login Page - Community / External (Login with Facebook); Identity Store (Facebook Users).
1 - Customer accesses a public Salesforce Community.
2 - Customer clicks the Log In with Facebook link on the Community login page.
3 - Salesforce redirects the browser to the Authorize endpoint URL registered for the Facebook Authentication Provider.
4 - Customer logs in to Facebook (if no current session), provides consent and is redirected back to Salesforce.
5 - Salesforce executes the Registration Handler Apex Class registered for the Facebook Authentication Provider. The script may create a new Salesforce user for the Customer or update the existing user.
6 - Salesforce creates an authenticated session for the user.

OAuth 2.0

Common components for all four flows: Salesforce Connected App (Consumer Key, Client Secret); Identity Store (Salesforce Users); Authorization Server with Authorisation Endpoint /oauth2/authorize and Access Token Endpoint /oauth2/token; Resource Server with Protected Resource /services/data/v51.0. Tokens issued: Access Token and, for the user-facing flows, Refresh Token.

Web Server Flow
Scenario - Web application integration. With this flow, the server hosting the web app must be able to protect the connected app's identity, defined by the client ID and client secret.
Grant Type = authorization code
1 - User initiates access to a Protected Resource via the Web Application.
2 - Web Application redirects the browser to the Authorisation Endpoint with the Consumer Key (Client Id).
3 - User authenticates and authorises access via the Authorisation Server; the browser is redirected back to the specified redirect URI with an Authorisation Token.
4 - Web Application requests to exchange the Authorisation Token for an Access Token by POST (Consumer Key + Client Secret) to the Access Token Endpoint.
5 - Salesforce grants an Access Token which enables access to the Protected Resource.

User Agent Flow
Scenario - Mobile application integration. With this flow the access token is encoded into the redirection URL, so it can be exposed to the user and to other apps on the device.
Grant Type = implicit
1 - User initiates access to a Protected Resource via the Mobile Application (e.g. access to the Salesforce REST API).
2 - Mobile Application redirects the browser (embedded or external) to the Authorisation Endpoint with the Consumer Key (Client Id) as a querystring parameter.
3 - User authenticates and authorises access.
4 - Salesforce grants an Access Token which enables access to the Protected Resource.
5 - The browser is redirected back to the specified redirect URI with Access Token + Refresh Token.
6 - On token expiry the Mobile App exchanges the Refresh Token for an Access Token by POST (Consumer Key) to the Access Token Endpoint.

JWT Bearer Flow
Scenario - Server to Server integration (e.g. Middleware to Salesforce). With this flow a certificate signs the JWT request and no user interaction is involved; prior approval of the client app is required however.
Grant Type = urn:ietf:params:oauth:grant-type:jwt-bearer
1 - A JSON Web Token or JWT (pronounced "jot") is created and signed via RSA SHA256 by an uploaded certificate.
2 - Server requests an Access Token by POST (JWT) to the Access Token Endpoint.
3 - Salesforce grants an Access Token which enables access to the Protected Resource.

SAML Assertion Flow
Scenario - Web Application integration where Web Single Sign-on (SSO) has been implemented via SAML 2.0.
Grant Type = assertion
1 - A SAML Assertion is returned by the Service Provider-Initiated SSO authentication flow.
2 - Web Application requests an Access Token by POST (SAML Assertion) to the Access Token Endpoint.
3 - Salesforce grants an Access Token which enables access to the Protected Resource.
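The JWT Bearer Flow above (steps 1 and 2), as an added Go example that is not part of the original reference: it builds and RS256-signs the assertion with a freshly generated key standing in for the private key of the uploaded certificate, and forms the request body posted to the Access Token Endpoint. The Consumer Key, username and login host are constructed placeholders, not real identifiers.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"time"
)

// NewSigningKey stands in for the private key of the certificate uploaded to the
// Connected App; in production the key lives in a KMS or HSM, never in source.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// BuildJWTAssertion is step 1: a JWT whose iss is the Consumer Key, sub the
// Salesforce username and aud the login host, with a short exp, signed RS256
// (RSA PKCS#1 v1.5 over SHA-256) and encoded as base64url without padding.
func BuildJWTAssertion(key *rsa.PrivateKey, iss, sub, aud string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256"})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": iss, "sub": sub, "aud": aud, "exp": now.Add(3 * time.Minute).Unix()})
	input := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// TokenRequestBody is the form body POSTed to /oauth2/token in step 2.
func TokenRequestBody(assertion string) string {
	return url.Values{
		"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"},
		"assertion":  {assertion},
	}.Encode()
}

func main() {
	key, _ := NewSigningKey()
	// Constructed placeholder values, not real Salesforce identifiers.
	jwt, _ := BuildJWTAssertion(key, "CONSUMER_KEY_PLACEHOLDER", "integration.user@acme.example", "https://login.salesforce.com", time.Now())
	fmt.Println(TokenRequestBody(jwt)[:48] + "...")
}
```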

Access Management

Multi-Factor Authentication (MFA)
Salesforce authentication requires identity verification via multiple factors.
Risks addressed by MFA:
• Account takeovers
• Phishing
• Spear phishing
• Keyloggers
• Credential stuffing
• Brute force and reverse brute force attacks
• Man-in-the-middle (MITM) attacks
Settings: MFA Settings; Session Settings; User Settings: Registered Verification Methods; Session Security Levels: Standard (Username Password, Lightning Login, Delegated Auth.), High Assurance (MFA); Profile Settings: Session Security Required at Login set to High Assurance, Multi-Factor Authentication for User Interface Logins, Multi-Factor Authentication for API Logins, Manage Multi-Factor Authentication in User Interface, Manage Multi-Factor Authentication in API, Allow Lightning Login, Lightning Login User; Access Policies: Features (e.g. Reports) set to require High Assurance Session Security Level.
Verification methods: Salesforce Authenticator app (TOTP - Time-based, one-time Password), Universal Second Factor (U2F) Physical Key.

MFA with the Salesforce Authenticator App
1 - Salesforce Administrator enforces MFA by User Profile permission (Multi-Factor Authentication for User Interface Logins).
2 - User completes App Registration for the Salesforce Authenticator app.
3 - User accesses the Salesforce login page and enters the First Factor (username and password).
4 - Salesforce prompts the user to complete authentication via the Authenticator app.
5 - User accesses the Salesforce Authenticator app on their mobile device and takes note of the TOTP for the registered user account.
6 - User enters the TOTP into the Salesforce login page to complete authentication.

Login Flows
Post-authentication Login Flows direct the User through a process which enforces strong authentication or collects user information. Flow elements: Screen, Decision, Action; callouts to an External Identity Service.
1 - User accesses the Salesforce login page and completes authentication.
2 - Salesforce launches the configured Login Flow for the User Profile.
3 - User enters additional information required to gain access to Salesforce, for example a secure token generated by a hardware key.
4 - The Login Flow validates the token via callout to an external identity service API and completes successfully.
5 - Salesforce creates an authenticated session for the user.
Login Flow Use Cases:
• Brand the login experience or control messaging
• Collect and update user information
• Interact with users; ask them to perform an action (surveys, accept terms and conditions etc.)
• Connect to a Customer 360 Identity service or geo-fencing service
• Enforce strong authentication (MFA; hardware, biometric etc.)
• Run a confirmation process (secret question)
• Granular access policies; notifications when a user logs in outside of hours
• Granular access policies; MFA when outside of the corporate IP range
• Limit the number of concurrent sessions

Password-Free Authentication via Lightning Login
1 - Salesforce Administrator enables Lightning Login by User Profile permission (Lightning Login User).
2 - User completes enrolment for Lightning Login.
3 - User accesses the Salesforce login page and selects the Login Hint for the required user account.
4 - Salesforce prompts the user to complete authentication via the Authenticator app.
5 - User accesses the Salesforce Authenticator app on their mobile device and confirms the authentication attempt.
6 - The Salesforce login page automatically completes authentication.
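Steps 5 and 6 of the Authenticator flow above, as an added Go example that is not part of the original reference: the TOTP an authenticator app displays (standard RFC 6238: HMAC-SHA1, 30-second steps, 6 digits) and the server-side check that accepts it only within a small clock-skew window, comparing in constant time. The secret is the RFC 6238 test seed, a constructed value; the Salesforce Authenticator app's own implementation is assumed to follow the same standard and is not shown.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP is the RFC 4226 code for one counter value: HMAC-SHA1 over the
// big-endian counter, dynamic truncation, then the low six decimal digits.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTP is the RFC 6238 code an authenticator app shows: HOTP over the
// 30-second time step containing t (assumed to match the app's settings).
func TOTP(secret []byte, t time.Time) string {
	return HOTP(secret, uint64(t.Unix()/30))
}

// VerifyTOTP is the server-side check of step 6: accept the code for the current
// step or up to skew steps either side (clock drift); constant-time compare, no early exit.
func VerifyTOTP(secret []byte, code string, now time.Time, skew int64) bool {
	step := now.Unix() / 30
	ok := false
	for c := step - skew; c <= step+skew; c++ {
		if c < 0 {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(HOTP(secret, uint64(c))), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test seed, a constructed value
	fmt.Println(TOTP(secret, time.Unix(59, 0)), VerifyTOTP(secret, "287082", time.Unix(89, 0), 1))
}
```

A larger skew window widens the acceptance set linearly, so keep it at one step and pair it with the lockout and logging the login page already applies.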