Automating User Management and Single Sign-on for Salesforce.com

For both IT and end-users, managing access to salesforce.com presents challenges. Users don’t want or need another password on top of the ones for their desktops, laptops, mobile devices, or other SaaS applications. Salesforce.com adds yet another password, one that typically expires on a regular cycle, making it more difficult for users to access the application when they need to.


The Growth of Salesforce.com in your Organization

Salesforce.com is one of the most successful, business-critical on-demand applications. The company was started with a simple premise: “Why can’t a sales system be as simple and easy to use as Amazon.com?” Over the years salesforce.com has expanded to provide services for other CRM categories, extended into collaboration (Chatter), and developed a platform (force.com) that spawned the creation of hundreds of partner applications.

In fact, in many organizations today, the entire sales and customer support team, external customers and partners (via salesforce.com Portals) and, with services such as Chatter, every employee in your company is a user. With this growth comes the need to ensure these users have seamless access via single sign-on and that their accounts within salesforce.com are created, updated and deactivated on an integrated cycle with the rest of the systems in IT.


Salesforce.com User Management Challenges

For both IT and end-users, managing access to salesforce.com presents challenges. Users don’t want or need another password, in addition to the ones for their desktops, laptops, mobile devices, or other SaaS applications. Salesforce.com adds yet another password, one that typically expires on a regular cycle, making it more difficult for users to access the application when they need to. Users are forced to come up with elaborate schemes to create passwords they can actually remember, or worse, they resort to writing passwords down on sticky notes or storing them in insecure spreadsheets. And if those schemes fail, IT spends countless cycles managing password resets just to keep the users productive.

Within IT you are likely already managing users and their access to core network resources with an internal directory such as Active Directory. Why spend time and effort duplicating a directory just for salesforce.com? And once you create users in salesforce.com, why spend time manually creating them in the other systems integrated with salesforce.com, like your quoting tool and product configurator?

Manually adding, changing, and removing users from salesforce.com and other systems consumes time and is prone to errors. Organizational productivity is impacted if a salesforce.com user isn’t created in a timely manner, and security and budget issues arise when an account that is no longer needed is not cleaned up. An additional concern for IT associated with managing these user accounts and passwords is that of compliance. Your auditors and compliance experts are asking your team to document and report on user account creation, user access and user de-provisioning. Automating user management and centralizing passwords using single sign-on makes it far simpler and less time consuming to ensure you meet your audit and compliance needs.

This paper provides insight into both the salesforce.com technology and the third-party tools and solutions you can use to address these single sign-on (SSO) and user management challenges. Managing multiple stand-alone user directories that are not integrated with Active Directory can easily lead to a set of untenable security and access management challenges. Seamless integration with AD is a must for any solution used to manage access and authorization to your SaaS applications.


Collaborate with IT to Manage Users and Access

As you think through the best options for automating user management and single sign-on for salesforce.com, it’s important to consider what IT is best at, and what the salesforce.com administrators know best. The right way to handle core IT functions like user and account management for salesforce.com is to let the experts in your IT organization manage this centrally and efficiently. This leaves salesforce.com administrators free to focus on application setup, administration, and optimization, ultimately driving better business results.


Using Salesforce.com User Management APIs

Salesforce.com provides industry-leading capabilities not only to secure your data but also to integrate with other systems to achieve SSO and automate user management.

First, let’s cover user management, that is, how user accounts are created, updated and removed from salesforce.com. Many companies do this manually through the salesforce.com web interface, but salesforce.com also provides an API for these functions.

The User API is fairly comprehensive and includes almost all fields on the User object. A developer can write a program or script to automate all common user management operations and could even drive the creation and deactivation of users off of changes in your company network directory (like Microsoft Active Directory). The User API can also access users across salesforce.com’s Customer Portal and force.com, allowing you to develop software that could “register” a customer portal user before your customer logs in.

There are a few limitations to what you can do with this API. You can set the password, but you can’t read the password value. There is also a specific command to reset the password to a value salesforce.com automatically generates and then emails to the user. You can’t tell from the API if a user has been locked out of salesforce.com, and you are also unable to unlock a locked user; this must be done from the salesforce.com web interface. You also can’t delete users using the API or the web interface. Instead you control whether a user is “Active” and able to log in using the “IsActive” field. When a user is deactivated, they are no longer able to log in, but the administrator can still change data record ownership and assignment rules to ensure a smooth transition to other users. Deactivated users also don’t consume a user license, so you can reuse those licenses immediately.
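The directory-driven provisioning described above, as an added example that is not code from the paper or from salesforce.com: it reconciles a constructed snapshot of directory accounts against constructed salesforce.com User records and emits the User API operations needed. Because Users cannot be deleted, departed accounts are only ever deactivated through IsActive; the DirectoryUser shape, the sample Ids and the profile Id are assumptions.

```python
"""Plan salesforce.com User API operations from a directory snapshot.

Added example. Username, IsActive, Email and ProfileId are real User-object
field names; everything else (record shape, Ids, profile Id) is constructed.
A real create also requires LastName, Alias and locale fields, omitted here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryUser:          # constructed shape, e.g. rows from an AD export
    upn: str                  # userPrincipalName, used as the salesforce Username
    email: str
    enabled: bool             # False when the AD account is disabled


# Constructed sample input: three directory accounts, one of them disabled.
AD_USERS = [
    DirectoryUser("alice@example.com", "alice@example.com", True),
    DirectoryUser("bob@example.com", "bob@example.com", True),
    DirectoryUser("carol@example.com", "carol@example.com", False),
]
# Constructed salesforce.com User records keyed by Username (Ids are made up).
SF_USERS = {
    "alice@example.com": {"Id": "005000000000001", "IsActive": True, "Email": "alice@example.com"},
    "carol@example.com": {"Id": "005000000000003", "IsActive": True, "Email": "carol@example.com"},
    "dave@example.com":  {"Id": "005000000000004", "IsActive": True, "Email": "dave@example.com"},
}
DEFAULT_PROFILE_ID = "00e000000000000"  # placeholder; use your org's Profile Id


def plan_sync(ad_users, sf_users, profile_id=DEFAULT_PROFILE_ID):
    """Return (op, payload) tuples for the User API: only 'create' and 'update'."""
    ops, seen = [], set()
    for u in ad_users:
        seen.add(u.upn)
        rec = sf_users.get(u.upn)
        if rec is None:
            if u.enabled:  # new enabled directory account -> create an active User
                ops.append(("create", {"Username": u.upn, "Email": u.email,
                                       "ProfileId": profile_id, "IsActive": True}))
            continue
        # Existing User: mirror the directory's enabled flag and email address.
        if rec["IsActive"] != u.enabled or rec["Email"] != u.email:
            ops.append(("update", {"Id": rec["Id"], "IsActive": u.enabled, "Email": u.email}))
    # Users still active in salesforce.com but gone from the directory: deactivate.
    # Deleting is not possible; clearing IsActive blocks login and frees the license.
    for name, rec in sf_users.items():
        if name not in seen and rec["IsActive"]:
            ops.append(("update", {"Id": rec["Id"], "IsActive": False}))
    return ops
```

Each planned operation maps directly onto a create or update call on the User object, so the plan can be reviewed (or logged for auditors) before it is applied.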


Using Salesforce.com APIs for SSO

Salesforce.com supports an API called Delegated Authentication and the federated single sign-on standard, SAML (Security Assertion Markup Language). While both are associated with Single Sign-on and have some similarities, they also have significant differences.

Let’s start with what they have in common. Both work independently of other salesforce.com security features like the Security Token and Computer Activation / Activation link.

Your users will have to activate computers and use their Security Token as before. Both are just enabling technologies. You’ll need to write or obtain additional systems or libraries to implement a complete solution, and of course maintain that solution over time.

Now let’s look at the differences. For starters, SAML is an industry standard. Delegated Authentication is proprietary to salesforce.com. SAML is enabled by default on all salesforce.com orgs and just needs to be configured via the administrative inter