
Chapter 6: Integrating with Other Applications

• "Configuring SAML Settings for Single Sign-On" in the Salesforce.com online help
• The Single Sign-On Implementation Guide in the Salesforce.com online help

Implementing Single Sign-On for Clients

Problem
You want to use single sign-on with a desktop client, such as Outlook Edition, Lotus Notes Edition, or Office Edition, so that your users only have to log into an environment once—instead of having to log in more than once to access different services and resources in an environment.

Note: This recipe assumes that you are familiar with enabling single sign-on.

Solution
There are three main approaches for using single sign-on to authenticate Force.com clients:

• Use the network password, such as an LDAP password, for authentication from the clients. End users enter their Salesforce.com username and LDAP password into the login dialog box, and delegated authentication is performed. Note: Force.com never logs the LDAP password, and clears it from memory as soon as it has been passed on in the SOAP message to the single sign-on service.

• Use a client application registry setting that designates where Force.com directs the login request. By making this URL an internal URL, a customer can provide a proxy for the username and password, verify it locally, then pass a one-time use token (such as a SAML token) to Force.com for verification. This token is then passed back to the customer for validation.

• Use a customer-built proxy that requires NT LAN Manager (NTLM) authentication. Once NTLM has passed, the proxy can send the Salesforce.com username and a one-time use token to Force.com, which gets passed back to the customer for validation. This approach has the benefit of not having to configure a username and password for all clients that are deployed; only the registry setting needs to be changed.

Note: You do not need to implement a proxy service to make client applications work if your single sign-on listener supports tokens and passwords. Users can configure their passwords in the client application. In this case, the network password temporarily passes through the Force.com servers. This password is not logged anywhere, and is cleared from memory as soon as the outbound SOAP message has been sent.

222

