Understanding Salesforce Security & Identity: When to Use Single Sign-On & OAuth
Introduction
In this blog, we aim to provide clarity on Salesforce security and identity, focusing on when to use Single Sign-On (SSO) and OAuth. This knowledge is crucial for navigating the different ways of accessing Salesforce: direct login, SSO, or OAuth, each of which fits a different kind of client.
When to Use Standard Login, Single Sign-On, or OAuth
Direct Login or Single Sign-On:
Scenario: A user, through a browser, intends to access Salesforce to view its pages.
Access Method: Direct login with Salesforce credentials, or Single Sign-On through a third-party identity provider (IdP). With SSO the user authenticates once at the IdP, which then asserts the user's identity to Salesforce, so the user reaches Salesforce without authenticating again.
OAuth with Mobile Apps:
Scenario: A user employs a mobile app that accesses Salesforce data through the API rather than rendering native Salesforce pages.
Access Method: OAuth. The device, whether a phone or a tablet, uses browser technology (the system browser or an embedded web view) for the login step, and the app then calls the Salesforce APIs with the access token it obtains on the user's behalf. One caveat that applies to any OAuth deployment: a mobile app is a public client that cannot keep a client secret, so the design must not rely on one.
OAuth with Third-Party Servers:
Scenario: A user utilizes a browser to communicate with a third-party server that requires access to Salesforce data on the user's behalf. Examples include email plugins or other systems integrated with Salesforce.
Access Method: OAuth, specifically the Web Server flow with PKCE (Proof Key for Code Exchange). The browser carries an authorization code from Salesforce back to the third-party server, which exchanges it for tokens; PKCE binds that exchange to the party that started the flow, so an authorization code intercepted on its own cannot be redeemed.
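As an added example (not code from this post or from Salesforce), here is the client side of the Web Server flow with PKCE in Go using only the standard library: generating the code_verifier, deriving the S256 code_challenge, building the authorize redirect and the token request, plus the check the authorization server performs when the verifier comes back. The consumer key, callback URL and state value are placeholders; the /services/oauth2/authorize and /services/oauth2/token paths are the standard Salesforce endpoints.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
)

// Placeholder values for the example; a real integration uses its own
// connected-app consumer key and registered callback URL.
const (
	loginHost   = "https://login.salesforce.com"
	clientID    = "EXAMPLE_CONSUMER_KEY"                   // assumption: consumer key of a connected app
	redirectURI = "https://app.example.com/oauth/callback" // assumption: the registered callback
)

// NewCodeVerifier returns a fresh PKCE code_verifier: 32 random bytes,
// base64url-encoded without padding (43 characters, inside RFC 7636's 43..128 range).
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallenge derives the S256 code_challenge: BASE64URL(SHA256(verifier)).
func CodeChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyChallenge is the check the authorization server performs at token
// exchange: the verifier presented now must hash to the challenge that was
// bound to the authorization code earlier. Constant-time compare avoids timing leaks.
func VerifyChallenge(verifier, challenge string) bool {
	return subtle.ConstantTimeCompare([]byte(CodeChallenge(verifier)), []byte(challenge)) == 1
}

// AuthorizeURL builds the browser redirect that starts the flow. state is an
// unguessable per-request value the callback handler must compare against the
// session that started the flow, so a response cannot be injected into another session.
func AuthorizeURL(verifier, state string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("code_challenge", CodeChallenge(verifier))
	q.Set("code_challenge_method", "S256")
	q.Set("state", state)
	return loginHost + "/services/oauth2/authorize?" + q.Encode()
}

// TokenRequestBody is the form body the server posts to /services/oauth2/token
// after the callback delivers the authorization code. The verifier, never the
// challenge, goes here; someone who only stole the code cannot produce it.
func TokenRequestBody(code, verifier string) string {
	form := url.Values{}
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("client_id", clientID)
	form.Set("redirect_uri", redirectURI)
	form.Set("code_verifier", verifier)
	return form.Encode()
}

func main() {
	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	// Step 1: send the browser to Salesforce. The verifier stays server-side in the session.
	fmt.Println("redirect the browser to:", AuthorizeURL(verifier, "constructed-state-123"))
	// Step 2: after the callback returns ?code=...&state=..., exchange the code plus the verifier.
	fmt.Println("POST", loginHost+"/services/oauth2/token")
	fmt.Println(TokenRequestBody("constructed-auth-code", verifier)) // constructed code for illustration
}
```

The verifier must be generated per authorization request and kept with the user's server-side session; reusing one across requests defeats the binding that PKCE provides.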
OAuth Flows for Different Scenarios
Client Credentials Flow: Designed for a client process (external servers doing batch loads or exports, for example) that accesses Salesforce as a designated integration user account rather than on behalf of any human user; no user is prompted during the flow.
JWT, SAML Bearer Assertion, and SAML Assertion Flows: These flows are for a client process that needs to operate as a specific user without that user being present. The process presents a signed assertion (a JWT or a SAML assertion) naming the user, and the resulting session carries that user's security context: the user's profile, permission sets and data visibility apply. Because nobody is prompted, the connected app must already be authorized for that user, and the signing key is effectively a credential for every user it can name, so it needs the same protection as one.
Device Flow: This flow is initiated by a device with limited input that needs a human to approve access from another device. For instance, a smart TV application displays a code that the user enters on a phone or laptop to approve access.
Asset Token Flow: Useful for Internet of Things (IoT) devices that need to connect to Salesforce to read or write data.
Recap & Conclusion
In essence, your access method depends largely on the scenario:
For direct access to Salesforce via a browser, use direct login or Single Sign-On if you have an identity service.
For indirect access through mobile devices, third-party servers, or automated processes, OAuth is the preferred method. Here, you must decide whether OAuth will operate on behalf of a human user or an integration user account.
In subsequent articles, we'll delve deeper into each scenario and use case to provide a comprehensive understanding.
Stay Tuned
Embark on your Salesforce Identity journey with confidence! For more insights and tips, stay tuned here on www.SteveTechArc.com and to the @SteveTechArc YouTube channel. Subscribe and enhance your understanding of Salesforce Identity.
Helping change the world by sharing integration info with fellow Architects and those on their Architect Journey!
STA 3.9