phiberoptik

SSO Implementation involving LDAP Server

For those who have experience with implementing SSO between Salesforce and LDAP, on a scale of 1-10, what would you rate the following:

Level of complexity

Level of technical knowledge required (beyond point-click Admin experience)

And how long do you estimate it takes to complete?

Thank you,

cal r.

8-9

Lots of intermediary servers needed to be set up and lots of fine-grained issues like encryption/security/message integrity/etc.

When it works, it's beautiful. Getting there is walking on coals.

phiberoptik

Wow, that complicated? With the Salesforce documentation out there specifically related to SSO, I would have thought it was a bit more straightforward. Not simple, but certainly not one of the more complex projects to take on.

cal r.

Well, our implementation might be more complicated than the simplest way possible. With delegated sign-on, or one of the new SaaS SSO services, it might be easier (though the former isn't really "Single Sign On").

This is what our implementation looks like, and we used mostly open source tools, so it took quite a bit of work.

Active Directory -> Generic LDAP server -> Local Single Sign On server (CAS) -> SAML federation server -> Salesforce and other SPs.

So the end effect is that our 40k users can use their existing desktop AD credentials to sign in to any single web application just once, and are logged in for all other services. Beautiful.

We've had different pieces implemented earlier, so it wasn't a one-shot massive project. But each step along the way has its own set of complications, caveats and security concerns. For example, just looking at it from a 40k-foot view, each step needs to be ensured to be absolutely secure, or the whole security premise breaks down.

phiberoptik

Your implementation sounds fairly similar, but I know the one I am referring to will involve delegated authorization.

cal r.

OK, then you just need to program an authentication service that complies with the Salesforce delegated auth. spec. It will need to accept a username and password and authenticate against your LDAP.

Though this is not really single sign on, because the user still needs to log in every visit and there is no sign-in federation going on.
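An added example, not code from this thread or from Salesforce, of the service cal r. describes: a minimal handler for the delegated authentication SOAP message in Python. The element names and the urn:authentication.soap.sforce.com namespace follow the delegated authentication WSDL as I recall it (confirm them against the WSDL downloaded from your org), and the LDAP bind is replaced by a constructed in-memory stub so the code runs offline; the empty-password check is the one defect that most often turns such a service into an open door.

```python
import xml.etree.ElementTree as ET
from typing import Callable

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH_NS = "urn:authentication.soap.sforce.com"  # delegated auth WSDL namespace; verify against your WSDL
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("auth", AUTH_NS)

def parse_authenticate_request(body: bytes) -> dict:
    """Pull username, password and sourceIp out of the Authenticate envelope
    (for untrusted input in production, parse with defusedxml instead)."""
    root = ET.fromstring(body)
    auth = root.find(f"{{{SOAP_NS}}}Body/{{{AUTH_NS}}}Authenticate")
    if auth is None:
        raise ValueError("not an Authenticate request")
    fields = {}
    for name in ("username", "password", "sourceIp"):
        el = auth.find(f"{{{AUTH_NS}}}{name}")
        fields[name] = el.text if el is not None and el.text else ""
    return fields

def authenticate(body: bytes, ldap_bind: Callable[[str, str], bool]) -> bool:
    """Compute the Authenticated flag that Salesforce will act on."""
    req = parse_authenticate_request(body)
    # Never forward an empty password: RFC 4513 lets a directory treat a bind with a
    # name and empty password as an unauthenticated bind, which some servers report as success.
    if not req["username"] or not req["password"]:
        return False
    return ldap_bind(req["username"], req["password"])

def build_response(authenticated: bool) -> bytes:
    """Serialise the AuthenticateResult envelope returned to Salesforce."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    result = ET.SubElement(body, f"{{{AUTH_NS}}}AuthenticateResult")
    ET.SubElement(result, f"{{{AUTH_NS}}}Authenticated").text = str(authenticated).lower()
    return ET.tostring(env)

# Constructed stand-in for an LDAP simple bind (ldap3 Connection.bind() in production);
# the account below is sample data, not a real credential.
_DIRECTORY = {"alice@example.com": "correct horse battery staple"}

def fake_ldap_bind(username: str, password: str) -> bool:
    return _DIRECTORY.get(username) == password

# Constructed sample of the request Salesforce posts to the endpoint.
SAMPLE_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>
<Authenticate xmlns="{AUTH_NS}"><username>alice@example.com</username>
<password>correct horse battery staple</password><sourceIp>203.0.113.10</sourceIp>
</Authenticate></soapenv:Body></soapenv:Envelope>""".encode()
```

The sourceIp field is parsed but not enforced here; a real service would also serve this only over TLS and restrict callers to the Salesforce IP ranges.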

mk2013

Hi,

I am a newbie to security and tasked with implementing the SSO for Salesforce. My use case is similar to yours, except that we have DB server authentication instead of LDAP. We are using CAS server for SSO. After going through the documentation, it seems federated authentication is the one I should be going for. Can you please give me any pointers, like where to start?

Thanks,

Mike miller 442

Can someone tell me the advantages and disadvantages of SSOgen vs Oracle SSO?

https://www.ssogen.com/

Any suggestions and questions, please?

Thank you,
-Ruby.