OpenID Connect The new standard for connecting to your Customers, Partners, Apps, and Devices April 9, 2014
Jan 26, 2015
#forcewebinar
Safe Harbor
Safe harbor statement under the Private Securities Litigation Reform Act of 1995:
This presentation may contain forward-looking statements that involve risks, uncertainties, and assumptions. If any such uncertainties materialize or if any of the assumptions proves incorrect, the results of salesforce.com, inc. could differ materially from the results expressed or implied by the forward-looking statements we make. All statements other than statements of historical fact could be deemed forward-looking, including any projections of product or service availability, subscriber growth, earnings, revenues, or other financial items and any statements regarding strategies or plans of management for future operations, statements of belief, any statements concerning new, planned, or upgraded services or technology developments and customer contracts or use of our services.
The risks and uncertainties referred to above include – but are not limited to – risks associated with developing and delivering new functionality for our service, new products and services, our new business model, our past operating losses, possible fluctuations in our operating results and rate of growth, interruptions or delays in our Web hosting, breach of our security measures, the outcome of intellectual property and other litigation, risks associated with possible mergers and acquisitions, the immature market in which we operate, our relatively limited operating history, our ability to expand, retain, and motivate our employees and manage our growth, new releases of our service and successful customer deployment, our limited history reselling non-salesforce.com products, and utilization and selling to larger enterprise customers. Further information on potential factors that could affect the financial results of salesforce.com, inc. is included in our annual report on Form 10-Q for the most recent fiscal quarter ended July 31, 2012. This document and others containing important disclosures are available on the SEC Filings section of the Investor Information section of our Web site.
Any unreleased services or features referenced in this or other presentations, press releases or public statements are not currently available and may not be delivered on time or at all. Customers who purchase our services should make the purchase decisions based upon features that are currently available. Salesforce.com, inc. assumes no obligation and does not intend to update these forward-looking statements.
Speakers
Pat Patterson Developer Evangelist Architect @metadaddy
Chuck Mortimore Vice President, Identity @cmort
Ian Glazer Senior Director, Identity @iglazer
Follow Developer Force for the Latest News
@forcedotcom / #forcewebinar
Developer Force – Force.com Community
+Developer Force – Force.com Community
Developer Force
Developer Force Group
Agenda
§ Introduction
§ Overview
§ Demo
§ Protocol
§ Roadmap
Have Questions?
§ We have an expert support team at the ready to answer your questions during the webinar.
§ Ask your questions via the GoToWebinar Questions Pane.
§ The speaker(s) will choose top questions to answer live at the end of the webinar.
§ Please post your questions as we go along!
§ Only post your question once; we’ll get to it as we go down the list.
Introduction: Ian Glazer
OpenID Connect: What is it?
Chapter 1:
OpenID Connect
§ Authenticate users without having to get your hands dirty with passwords
§ Learn about the person using your service using modern identity tools
§ Informed by a long history of identity standards
§ Based on OAuth2
Why should I care about OpenID Connect?
Identity Professionals
§ Focus on business enablement
§ OIDC is SAML for our RESTful web-oriented architecture world
§ Support use cases the business cares about including mobile and social
Developers
§ Focus on the awesome – the user journey
§ Don’t have to deal with username, passwords, PKI, and LDAP
§ Strong credentials without all the mess
Business
§ Engage with internal and external customers
§ Make it easier for customers to interact with you
§ Avoids having to issue your customers yet another set of credentials
Where identity and access management got started
[Figure: Identity]
And then cloud and mobile happened
[Figure: Identity]
Where we must go
[Figure: Identity – Customers, Partners, Products]
Use-Cases
§ Mobile Apps & Connected Products
§ Social Sign-On
OpenID Connect Stack
Too much? Start with the Basic Client
Just read this: http://openid.net/specs/openid-connect-basic-1_0.html
Or better yet… just use the Salesforce1 platform
OpenID Connect Relying Party – Authentication Provider (the Client Side)
OpenID Connect Provider – Connected Apps (the Server Side)
OpenID Connect: How Does it Work?
OpenID Connect – Basic Client Profile
Participants: End-User, Client, Auth Server

Authorization Request (the Client redirects the End-User to the Auth Server with the Authz Request)
https://login.salesforce.com/services/oauth2/authorize?
  response_type=code&
  client_id=3MVG9lKcPoNINVBLWJnB_Y...Lsn&
  redirect_uri=https%3A%2F%2Fwww.example.com%2Foauth%2Fcallback&
  state=BLAH_BLAH_BLAH

Authenticate End-User (Credentials/Consent exchanged between the End-User and the Auth Server)

Authorization Response (the Auth Server redirects the End-User back to the Client)
https://www.example.com/oauth/callback/?
  state=BLAH_BLAH_BLAH&
  code=aPrxsmIEeqM9PiSOCErbySxQvb...5sdWyjE.DG_TNeow==

Token Request (Client to Auth Server)
POST /services/oauth2/token HTTP/1.1
Host: login.salesforce.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=aPrxsmIEeqM9PiSOCErbySxQvb...5sdWyjE.DG_TNeow==&
client_id=3MVG9lKcPoNINVBLWJnB_Y...Lsn&
client_secret={client_secret}&
redirect_uri=https%3A%2F%2Fwww.example.com%2Foauth%2Fcallback

Token Response (Auth Server to Client)
{
  "id": "https://login.salesforce.com/id/00Dx0000000A9y0EAC/005x0000000UnYmAAK",
  "issued_at": "1396919485288",
  "scope": "id full api openid refresh_token chatter_api",
  "instance_url": "https://na1.salesforce.com",
  "token_type": "Bearer",
  "access_token": "00D...u7Bpj72Q.SVBtEBjMK9kLPJWQibME_5M",
  "refresh_token": "5Aep8614iLM.D...1UAD1OoIkStoE7T",
  "id_token": "eyJ...fDXFOfHr0h02sn32pkyN6UPkQr.n_3YkyGEarGSlP5ptcTaroqMxZJvodKc1Y693SJPL2u...CeS8x.1F_zeFx8cEA6HEK",
  "signature": "z9F5OBkazrIOy/i7mQ7kZwBkEVHBxjb8+5XPvnlk="
}

The id_token payload decodes to:
{
  "exp": 1396919605,
  "sub": "https://login.salesforce.com/id/00Dx0000000A9y0EAC/005x0000000UnYmAAK",
  "aud": "3MVG9lKcPoNINVBLWJnB_Y...Lsn",
  "iss": "https://login.salesforce.com",
  "iat": 1396919485
}

UserInfo Request (Client to Auth Server, presenting the access token)
GET /services/oauth2/userinfo HTTP/1.1
Host: login.salesforce.com
Authorization: Bearer 00D...u7Bpj72Q.SBtEBjMK9kLPJWQibME_5M

UserInfo Response (Auth Server to Client)
{
  "sub": "https://login.salesforce.com/id/00Dx0000000A9y0EAC/005x0000000UnYmAAK",
  "user_id": "005x0000000UnYmAAK",
  "organization_id": "00Dx0000000A9y0EAC",
  "preferred_username": "[email protected]",
  "nickname": "user",
  "name": "Pat Patterson",
  "email": "[email protected]",
  "email_verified": true,
  "given_name": "Pat",
  "family_name": "Patterson",
  ...
}
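The Basic Client flow above, worked through on the relying-party side as an added example (this is not code from the webinar or from Salesforce): it builds the Authorization Request with a fresh state value, accepts the Authorization Response only when state matches, assembles the Token Request body, and checks the id_token's signature, iss, aud, exp and iat before any claim is trusted. The endpoint, issuer, client_id, redirect_uri and the claim values are the truncated ones shown on the slides; the clock-skew window, the HS256 demo key and the sample token are constructed so the block runs offline. Salesforce signs its ID tokens with RS256 and publishes the public key at its key endpoint, so a real relying party replaces the HMAC check with that verification.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint, issuer, client_id and redirect_uri are the (truncated) values shown
# on the slides; the skew window and the demo key used below are constructed.
AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
ISSUER = "https://login.salesforce.com"
CLIENT_ID = "3MVG9lKcPoNINVBLWJnB_Y...Lsn"
REDIRECT_URI = "https://www.example.com/oauth/callback"
CLOCK_SKEW = 60  # seconds of tolerance on exp / iat (assumption)


def new_state():
    """Unguessable per-login state; the RP keeps it in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(state):
    """Authorization Request: the URL the RP redirects the browser to."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid", "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(callback_url, expected_state):
    """Authorization Response: accept the code only if state matches our session."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: this response was not started by us")
    if "error" in qs:
        raise ValueError("provider returned error: " + qs["error"][0])
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("authorization response carries no code")
    return code


def build_token_request(code, client_secret):
    """Token Request: form body the RP POSTs to the token endpoint over TLS."""
    return {"grant_type": "authorization_code", "code": code,
            "client_id": CLIENT_ID, "client_secret": client_secret,
            "redirect_uri": REDIRECT_URI}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def validate_id_token(id_token, key, now):
    """Check the id_token from the Token Response before trusting any claim.

    Demo-only: pins HS256 with a shared key so it runs offline. Salesforce issues
    RS256-signed tokens verified with the public key from its key endpoint; swap
    that in for production. Never let the token's own header pick the algorithm.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signed = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    for name in ("iss", "sub", "aud", "exp", "iat"):
        if name not in claims:
            raise ValueError("missing claim: " + name)
    if claims["iss"] != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if CLIENT_ID not in aud:
        raise ValueError("token was not issued for this client")
    if now >= claims["exp"] + CLOCK_SKEW:
        raise ValueError("token expired")
    if claims["iat"] > now + CLOCK_SKEW:
        raise ValueError("token issued in the future")
    return claims


def make_sample_id_token(key, claims):
    """Constructed HS256 token so the checks above can run offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, (header + "." + payload).encode(), hashlib.sha256).digest()
    return header + "." + payload + "." + _b64url_encode(sig)


# The ID token claims shown on the slides.
SAMPLE_CLAIMS = {
    "exp": 1396919605,
    "sub": "https://login.salesforce.com/id/00Dx0000000A9y0EAC/005x0000000UnYmAAK",
    "aud": CLIENT_ID, "iss": ISSUER, "iat": 1396919485,
}
```

To walk the flow by hand: call `build_authorization_url(new_state())`, feed the returned callback URL and the same state to `handle_callback`, pass the code to `build_token_request`, and run `validate_id_token` on the id_token with the time at which the response arrived; `make_sample_id_token(b"constructed-demo-key", SAMPLE_CLAIMS)` produces a token that passes at `now=1396919500` and fails once the slide's exp has passed.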
OpenID Connect: How do I get started?
OpenID Connect Stack within Salesforce
Auth. Providers
§ Client side implementation – OAuth & OpenID Connect
§ Configure our client, to become your app, with any provider
§ Fine-grained control over
  – just-in-time provisioning
  – account linking
Connected Apps
§ Server side implementation – OAuth & OpenID Connect (and SAML and Canvas)
§ Configure your client, to talk to our services, using your brand or ours
§ Fine-grained control over
  – Authorization
  – Authentication Levels
  – Refresh Token Decay
  – Application Policy
  – Attributes
OpenID Connect: What can I build?
Acquire Customers With Social Sign-On
Run your own Social Sign-On
Rapidly Build & Deploy Mobile Apps
OpenID Connect: What’s New?
What’s New?
§ OpenID Connect Services
  – Standard schema via User Profile service
  – Signature based client authentication
  – Custom Attributes
§ ID Tokens
  – Signed JWT
  – Key Endpoint
OpenID Connect: What’s Next?
What’s Next?
§ Custom Permissions
  – Define your own Permissions
  – Manage your Authorization Model using Profile and Permission Sets
§ Customizable ID Tokens – Identity for the Internet of Things
  – Combine Device Identity with Customer Identity
  – Design Center
    • Scalable
    • Offline
    • Spectrum of Authentication
    • Fine Scoping and Delegation
OpenID Connect: How do I learn more?
Resources
§ Digging Deeper into OAuth 2.0 on Force.com – http://wiki.developerforce.com/page/Digging_Deeper_into_OAuth_2.0_on_Force.com
§ Inside OpenID Connect – http://wiki.developerforce.com/page/Inside_OpenID_Connect_on_Force.com
§ OpenID Connect Playground – https://openidconnect.herokuapp.com
§ Videos
  – Social Sign-On: http://www.youtube.com/watch?v=D0YUTb-w1Yc
  – Mobile Access Management: http://www.youtube.com/watch?v=UYDdmWhiwYw
Survey
Your feedback is crucial to the success of our webinar programs. Thank you!
http://bit.ly/openidsurvey
Q & A