Salesforce Identity Q and A

From IIW

Session Topic: Salesforce Identity Q&A

Tuesday 2G

Convener: Pat Patterson, Chuck Mortimore

Notes-taker(s): Vikas Jain

Q. What's Salesforce plan around user provisioning, SCIM support?

  • A. We currently support Just-in-time provisioning through SAML and Facebook. We plan to add SCIM support in the next couple of releases. Right now watching the market adoption for it.


Q. Will responsibilities be provisioned too?

  • A. Yes


Q. Does Salesforce handle multiple Identity providers?

  • A. Yes, it will be out in Summer '13 release


Q. How does Salesforce whitelist the IdP

  • A. Through explicit metadata exchange with the IdP


Q. For Google, can we trust specific google app domain names

  • A. Yes, you can do it through the custom code in the Auth registration handler.


Q. Can Salesforce allow login through trusted identities that are identity proofed?

  • A. Not today, but we are looking into it.


Q. What are you doing for sessions?

  • A. We are adding session levels (aka assurance levels). We are going to allow authentication that yields a particular session level, step-up authentication, etc.


Q. Are you finding any existing assurance profiles that you plan to use or is it just Salesforce assurance levels?

  • A. Salesforce assurance levels.


Q. Can Salesforce Identity be reused to login to other web properties?

  • A. Yes, Salesforce can act as Identity Provider today such as to Docusign.


Q. Can Salesforce convert OAUTH to SAML?

  • A. Yes, Salesforce can broker incoming identities from one protocol such as OAUTH, and convert it to other protocols such as SAML as outgoing protocol.


Q. Will the NSTIC trust framework help Salesforce?

  • A. Customers today are using bilateral agreements. In some cases, they have established their own little trust framework by using RNS attribute in SAML assertions. That said, we are watching NSTIC trust framework.


Q. What's Salesforce direction on SAML metadata exchange?

  • A. There's currently metadata export. We have stories in the backlog to have metadata export through addressable URL. Then, we plan to look into metadata import.


Q. Can Salesforce can go out and acquire attributes from other attribute providers?

  • A. We can accept attributes from authentication flows such as SAML and OpenID.


Q. Is Salesforce designed as one IdP or N IdPs?

  • A. N IdPs for SAML, one IdP for OAUTH. But, for OAUTH we allow policies that each IdP can establish control.


Q. Access to federal govt resources with Salesforce as an IdP?

  • A. Defintely as an SP. As an IdP if federal govt customers are using it, we aren't aware of it.


Q. Is OpenID connect on the roadmap of Salesforce?

  • A. We've it in pilot, and will be releasing GA version in couple of releases.


Q. Does Salesforce provide APIs to revoke the tokens when a user leaves the company.

  • A. Salesforce doesn't expose API to revoke OAUTH tokens remotely, but it exposes API to deprovision (disable) the user after which access to all Salesforce resources are disabled.