okay good morning everybody for those of you that were in the previous session I thank you for sticking with us for another 40 minutes today we are going to be talking about seamless authentication with force comm canvas how you can leverage canvas to not only give you context into Salesforce and give you the Salesforce ooofff but also get into your canvas application automatically do you have to show you our safe harbor for those of you who have not seen it over the past four days this is saying Salesforce is a publicly traded company and as such if you are making purchasing decisions please make those decisions based on what is generally available in the product today and not what is forward-looking functionality if you have any questions about what is forward functionality versus what is GA in the product that we’re showing today feel free to ask me at the end and I can definitely tell you I’m almost positive everything we’re showing you today will be GA today so we shouldn’t have any forward-looking statements although we may who knows my name is J Hurst I’m a senior product manager with Salesforce comm on our platform side specifically for force comm canvas with me I have Chris jolly our principal developer on force.com canvas this is the brains behind everything we’re going to see today and everything that we’ve delivered with canvas sorry rest of the canvas team ok so providing the seamless login into multiple applications through canvas or through any other system out there can be difficult ultimately you want to provide a very streamlined interface for your end-users you want them to be able to access multiple applications without having to get a bunch of popups and login here log in there remember this password you want to be very simple and easy for them so by show of hands how many of you have multiple applications working with Salesforce today great you’re in the right place how many have attempted to manage to login into your application through force comm canvas a couple people ok how many of you would like to make that more seamless and easier for your end users ok great so let’s jump right in with canvas authentication one of the things to note is that there are two sides that often occasion with canvas we’re allowing you to bring your external application into Salesforce and we allow you we give you the login into Salesforce itself so your app can call back into Salesforce as the running user we manage that through canvas seamlessly however a lot of people don’t understand that there’s another side getting into your application in the first place so the we provide signed request Oro web flow this is what we do to give you access into Salesforce now logging into yours can be handled in a number of ways for every developer here there’s probably ten different authentication schemes out there and how you determine who the end-user is from no authentication or basic authentication user user password sam’l some homegrown SSO there’s a ton out there and there’s a lot of ways to manage it but really like I said the end users just want the access they just want to be able to get the data where they need it they don’t want to have to worry about remembering passwords left and right so when we think about canvas with OAuth web flow this uses our standard OAuth 2.0 this is very baked in with our connected apps framework so if you’ve ever done a connected apps or you’ve used even the Salesforce one application you’ll see that very first time you get the allow or deny do you want to give this access this application access to your app your Salesforce instance and to act on your behalf think of it as a valet key you can give them access to some of the functionality that’s determined based on that flow but not all of the functionality they don’t get unrestricted access now the canvas app and this in the OAuth flow o auth web flow the canvas app manages that authentication so rather than signed requests where we give you the authentication the first thing you’re going to get from us is a get and you’re going to have to kick the user into the web flow so by setting the OAuth web flow as your access method you’re saying I want to manage the authentication into Salesforce myself really don’t recommend this a lot for new applications because sign requests frankly is just a bit easier but if you have an existing application that already connects into the Salesforce you’re already using connected app and a framework to get into Salesforce this is an easy way in we allow it as well essentially what happens is after the OAuth flow happens after your application has kicked the user into the flow the users accepted it then your app can make a kava script call through the SDK to say give me the context of who the user is so essentially the first thing you do is establish authentication establish a trust then you ask for details on the other hand canvas with signed request think of this as o on the server side so we do the OAuth for you you don’t have

to manage it back and forth we generate it all on the server side when the user accesses a canvas app and then we post it all to you instantly so with that post what you do is you break it down we have methods to allow you to do that and instead of having to afterwards do it get context we give you the context on upfront including the OAuth token again this is lot less chatty you don’t have to do the OAuth flow you don’t have to have the user approve it they just get the access right away preferred and default method okay so what we’re gonna do is we’re gonna jump right into the demo I’ve Cristalli here to help us out he looks excited about it but we’re gonna do is we’re gonna show you the standard signed request example you probably seen it but we’ll just set the stage ah thanks thanks for all what’s that thanks for all coming on a last day early morning talking about security so guys are dedicated took me a bit to get up alright so yeah we’re gonna talk about so the sign request is what ultimately we give to that third party we give you a big post a big JSON post so you’re in there you have user context information organizational context information context about the page you’re on maybe the account they’re viewing stuff like that and but most importantly in there where you guys are concerned about is we give you an OAuth token and a new as of I can’t remember what release but it’s in there now we also give you a refresh touken we didn’t used to do that kind of got security to approve us to do that but we give you a know a refresh token your admins can still revoke that at any point in time but the nice thing about that is if your OAuth if your OAuth token expires you can use your refresh token to get a new new OAuth token if you’re not seeing your refresh token in the sign request it’s because you didn’t set your OAuth scopes correctly there’s an OAuth scope that says please give me an OAuth token I forget the name of it but it’s it’s essentially has the word refresh token in there and that’s the one you have to assign to your app so if you’re not seeing that make sure that that you do that that’s going on here escape escape thank you what do you want the browser okay little funky here so I’m going to show you a demonstration let me first talk about some of the other things we’ve added I want to set the stage for the demo so we talked about that sign request how that gives that third-party app and OAuth token for talking back to Salesforce well that’s cool but ultimately you want to authenticate into your website and there’s a lot of different ways to do that sam’l happens to be one of them and Salesforce completely supports sam’l so we’ve got that set up where you can click that and I’m going to show you a pretty cool example of that working there’s also other third-party types of single sign-on too but what we found was that the number one reason why we kind of didn’t support that was because typically when you do a single sign-on you go to a URL it doesn’t have the cookie it bounces you over here it maybe makes you authenticate there then bounces you here and bounces you there and then finally bounces you to the page with the cookie but the problem is with all that bouncing around in those redirects those are gets so now you’ve lost your post you’ve lost that sign and ultimately I’ve lost my client ID and I’ve lost my OAuth token so we’re giving you two new methods in the SDK refresh sign request and repost and they take no arguments so if you say refresh sign request it’s a little JavaScript call it’s real quick it gets you back the sign request on demand now is it is secure if you go over it’ll only give it for that domain that is the same domain as the canvas URL if on your thing you have a link and you go to evil comm it will not allow you to get that that will not allow that domain to get the sign request so if you’re doing any hops around that’s the reason why you can’t get it you have to stay on your same domain the URL the path can be different but ultimately the domain has to be the same that’s the only one we will give the sign the Refresh sign request to so the Refresh sign request call is more of a JavaScript thing it’s okay I want to do this from JavaScript and get the sign request and then I can decode it and get access to everything my mouth token most importantly we also give you another

method called repost repost that will ultimately then repost back to the the canvas URL in that case if you’re doing more of a server-side approach it’s more ideal there so we’re posting back to the canvas app if you’ve got server-side code that processes that sign request that’s useful for that so again two new methods to help you out we’re not guaranteeing this will work with every single sign-on solution but with those two methods it’s really going to help your ability to make sure you can you can get your sign request again and you didn’t lose it so but now the other thing I want to show you is I’ve there’s a great blog and I think we have the URL at the end of this where we walk you through essentially the exam and enhance the example that we’re gonna do but there’s a good blog post that’ll walk you through setting up sam’l both identity provider and service provider so there’s two ends to the sam’l there’s the the identity provider that says hey this is Chris and the service provider trusts the identity provider so he says hey this is Chris you believe them and you ultimately sign it in if you go out there there there’s lots of implementations of sam’l there’s some there is some open source code there but ultimately you download the certificate from the identity provider on to the service provider and with that certificate and when they send you that you know that this hey this did come from that person and I trust them so when they tell me it’s Chris I’m gonna believe it’s Chris and then I’m gonna authenticate in on my side now there’s nothing unique with sam’l that will automatically log you in you if you’re writing this yourself out on Heroku or something you ultimately have to do the login yourself but it’s really that that the identity providers saying hey this is Chris trust me go ahead and login so again there’s a great blog out there that’ll let you it’ll walk you through how to set all that up this isn’t a sam’l presentation this is more how we can use sam’l or some of the different single sign sign-on so the first step with doing sam’l is you’ve got I’m going to do say I’m gonna do an example where we’re using Salesforce the Salesforce because since Salesforce allows you to set an org up as an identity provider and it also allows you to set up an orgasm as provider it just gives a nice example where I can talk to one to the other so what I’m gonna do is I’m gonna have my main parent org be the identity provider and that is going to have a canvas app in it that is going to reference a visualforce page in the service provider org so that visualforce page and the service provider org is going to show up in my identity provider org and so now I’m kind of combining the results of two orgs so this is a little bit of an example of how I can kind of combine the data of two orgs and surface that so and to Chris’s point it’s key to remember so the service provider org they’re using today is a Salesforce org this could also be a Heroku instance out there it could be your own internal application it could be anything that knows how to speak sam’l and that trust Salesforce as an we’re using Salesforce both as a IDP and the SP and separate orgs just because it does some cool demos at which we’ll see but also it’s a little easier to set up from end to end because you don’t have to program a sam’l as writer we kind of do that for you but every time we say a service provider just know that this could be a non Salesforce application okay so to do this the first thing you need to do is sam’l and canvas are both part of the connected app stuff so were you going to create apps I’ll go in there I’ll scroll down to my apps I’ll edit my app I just called my my service provider app whatever you want this is their this is the this is what’s new so you set up sam’l within here and ultimately I’m that whole blog we’ll walk you through how to do this it’s it’s it’s straight it’s not you’ll do it but it’s not you might not know what you’re doing but it unless you’re a security expert but it does squawk you through step by step on how to setup the sandwich the other tricky thing here that is not in that blog is at least I ran into it is it tells you to put the domain of the visualforce page in there actually the domain of the app now if you look at you have to set up my domain 3 chat and what I set up was jolly at IDP and I also have a jolly SP and normally my domain for that is jolly SP dev my domain not salesforce.com but if

I put the URL in there for the the start URL and the canvas URL it looks a little different and the reason being is visualforce pages are served up from a separate domain so the easiest way to do that is hit the URL to write the visualforce page directly from the service provider look at the new URL see that and copy that in there that’s one thing that’s not in the blog that I ran into that was just threw me for a snafu but if you do that it works it works fine and the blog will be updated by the that’s in the process now okay so what we’re doing here is we’re setting up sam’l I’m gonna I’m selecting this Federation ID and what that means is there’s a lot of different ways to link up users so if I have Chris at my toe at IDP comm over here and Chris at SP comm over here how do i how do I know that these are the same users and there’s different ways you can use username you can use user ID I’m using what’s called a federation ID so when I go over to the users if I look at my users manage users I actually just have a user here called Pat and if I go in there I have a federation ID of Pat one two three four and then over on the service provider side if I have that same Federation ID it that’s how it goes ah these are the same two users now there’s other ways to do this like I said email address whatever I just chose Federation idea but but this is a key step with sam’l specifically in authentication you have to tell the identity provider and the service provider how they’re connecting the users together and you do need a user in each side this case we have a user from Salesforce which canvas is using but ostensibly there’s going to be a user in your canvas app as well so how do you let them the system know that they’re the same person and in this case we’re using Federation ID so these are my normal if you is anybody is everybody already set up a canvas app before and like the kind of old canvas apps are okay um so here’s where I normally set up my canvas app and what’s new here is this sam’l initiation method and it can take none identity provider or service provider initiated the false none but if you choose identity provider the first thing we’re gonna do is we’re gonna send the first request off to the identity provider which happens to be the parent org in this case and then that will ultimately end up doing the redirect and with the trust and all that stuff to your service provider if you say service provider it’s the service provider initiated so I first do a request to them if you don’t have the appropriate cookie it starts bouncing you around identity for for Salesforce the Salesforce orgs I any provider words better because they both work but service provider you have to at least you have to just able the login page because there’s if when you set up a service provider you can set the different ways on how I want to don’t want to use Twitter when he’s linked in do I want to use the login page do I want to use the identity provider so if the only option is identity provider it doesn’t provide anybody with that option the reason being if you don’t disable the login page on the service provider it will then try to iframe in that login page on the main parent org and the login page just cannot be iframe then there’s restrictions there it won’t let you iframe in a login page for security reasons so if you if you set this up as a service provider and you’re like what the heck’s nothing showing up here you don’t even get an error in the console log you do on Chrome I think but not the other debuggers you have to disable the login page so identity provider if you’re going Salesforce the Salesforce works better now if your service provider is your own organization or your own it might not have those limitations and service provider might be the way to go but you have two options there on which way to go and we we are fairly smart here so as you saw Chris and set up the sam’l pieces up top if you don’t have sam’l set up on the top section of this you won’t actually be able to set the sam’l initiated method so we’ll only enable it if there’s Sam old definition up top yep and the other thing to note here my visualforce page is served from the domain of visualforce so and how do you find that out well you you can go over the service provider hit the visualforce page and watch the URL change above cut and paste that and throw that in there again that’s the part that’s not in the blog just to reiterate that and because it can be frustrated okay so I’ve got my canvas app set up blah blah blah an identity provider initiated what do I okay what I want to do on the service provider side so I’m using a different browser here because a different login let me make that a little bigger the service provider side so one thing on

the service provider side you go under security controls and you go into single sign-on settings and this is where you set up the my sam’l this is all part of the sam’l configuration again that blog walks you through in detail about this I have to choose I choose chose Federation ID you will upload the certificate of the IDP through here okay so that’s what you kind of got to do to get the service provider set up again the blog goes through that the only other thing I really have over on the service provider side is I don’t have an app I don’t have a canvas app because I’m just referencing a visualforce page there so if I go to develop I go to pages I can see I’ve got actually got two visualforce pages here and we’ll start off with the kind of a simple one and if we want to just drop into some of the code here what we can see is I just got I’m just going to provide this is a very simple to get the point across you don’t have a laser deep yeah okay thank you I’m just displaying this is a visualforce page so doing this notation you can get the first name last name of the or the user the org and the API session ID this is all the information in my service provider orcs in oh yeah okay I got an API session key I can call API on that side and then this is the identity provider stuff well I haven’t filled that in yet what I’m gonna do after the bouncing goes around I’ve lost that so I’m gonna have this little button here that calls refresh time request and what is refresh time request oh well it’s up here and all I’m calling is refresh time requests I give it a callback so this is an asynchronous call I get a callback with my sign request if the status is 200 I can split up my sign request parse it and then I update my display with this with the siren request object and all I’m doing here is doing a document you know get element ID replacing the inner HTML with the OAuth token and stuff like that so let’s just quickly run this and and see what it looks like and so what we’re trying to do again with this just to set the stage what Kris goes is from the identity or provider org you’re going to open the canvas app we’re going to automatically log in to the service provider org generate a visualforce page in that org and display the visualforce page inside of the identity provider work so it’s a simple example on the what it looks like but essentially what we’re doing is we’re connecting to orgs displaying visualforce from the second org into the first org and allowing the user to interact with it so you can start to do you can start to picture some really interesting things here where you have multiple org and you’re sharing visualforce pages and information between them okay so I’m logging I’m vlogging on his admin logging in as my special user that I’ve set up with the Federation ID I’m just gonna go to the chatter tab where this is I’m gonna log this in I’m gonna hit this URL this is now invoked the SERP the visualforce page or the other Oh org and brought it in now I showed you how I had all that information and I’ve got to click this now to update my refresh time request and boom I get it that’s a little JavaScript call comes back and I’ve got now I’ve got an OAuth token for my identity provider and I’ve got a lost token or an API session whatever for my service provider I’ll show you another more a better example here but so what’s a real use case for this I might want to how about if I want to like combine I’ve got two organizations anybody here have multiple organizations within Salesforce okay common request is I want to kind of combine some of that data how about a chatter feed that that pulls my chatter from this org my chatter from that or it kind of does a quick little bubble sort and displays that chatter in order from the different or kind of a combined feet all right I also don’t want to have to hit the refresh time request I want that to happen kind of automatically so I’ve got a different example for that on a log out log back in as my admin I’m gonna go down to my canvas app and I’m just gonna change the visual force page to

he’s got a new visualforce page I also need to change the start URL up here in the sample settings the same thing alright so let me log out as yeah I’m in log back in his mind and now I go to my chatter tab now I hit this new campus kind of app that’s a different vision same canvas app a different visual forest page I’ve coated this up for mobile we’ll show you an in mobile in a second but now I’ve got different posts from different orgs so if I go over to my man let me log out here let me go in as my service provider and I’m just gonna I was there just to show that this does it really work but I share a post now I go back to my identity provider and I linked that up I should see that this does really work in there so I was able to kind of combine chatter feeds from both into one other now this isn’t limited to chat or you can use any of the API whether you could bring in accounts leads would ever combine them to whatever so this is kind of the first step towards you know getting a little bit of cross org pollination going and that where their power will really come out in this is if you think about if you start to tie in our inventing mechanism where you can send a message from a canvas app into the parent org now you can start to actually pass information from your visualforce page in org to to make a record change in org one so you can start to really combine data together combined functionality and start to blur the barriers a little bit between your organization’s in this example you can also do the exact same thing with your own application so one thing I want to just walk you through this to just show it on mobile what I’m gonna do is add this to it well I’ve already got the mobile nav here so that’ll show up on mobile on the left-hand side the only other thing you got to do is with this is you go to mobile navigation I’ve got it right there so that’ll show up underneath the Hamburg of the stage left it’ll show up it should show up is the fourth one down there so that’s how you make think that’s one of the ways to make something show up in mobile it’s gonna cancel out of there and then I’m actually going to go to mobile and if I go to this hamburger here I’ve got that there and I click on it and it should show up so now I’ve got a nice little mobile app for card of combining my chatter feeds from two different orgs again you could put whatever you want in here okay let’s look at the little bit of the code I’ve got a and I make this big anyway blow that up so if you want to go to this link here can’t blow that up you just put it word or something you can add it to the you guys see that make it bigger 500 there we go so if you go there I’ve got the example of this little little bit of people are rocking out next to it that’s the that’s the code for this so if you want an example of how I did that and ultimately what I did was let’s just go down to the bottom I’m just calling the refresh sign request right soon as the document is ready so I’m using I can use cam there’s a doc there’s a canvas arm ready but there’s also a jQuery on ready just tells me when the document is ready so inside I declared a couple different functions I say get my service provider posts I have get my ID the identity

provider posts I have a quick little bubble sort there sort by date and I have something that updates my results just puts dibs in my little thing there but then this is the Refresh time request that I’m calling soon as the page is loaded because I’ve lost that once I’ve done the identity provider kind of redirects and the only thing I’m setting up here these are some jQuery deferred type kind of things so I can say when my service provider posts are asynchronous and so are my identity provider posts so I send off to requests wait for those wait for the last one of those two requests to finish they both get sent off at the same time and when they’re done ultimately I do a bubble sort on them and then I update my results so some code there as is feel free to for you to do it the cut the codes a little bit the similar for the identity provider I use the client the canvas cross domain bridge to get there so this is similar to the jQuery AJAX call but this one if you’ve tried to make an AJAX call or an xhr from within that domain it would the cross domain would fail and that’s why we forgive you this this part of the sdk it will allow you to talk back to the parent domain so I make my API calls that way and then just through this is the way jQuery does it I set that up and I get my results that way so quick little demo there okay thanks Chris so hopefully that that kind of made a little sense and it we covered it it’s a big topic sam’l and authentication and how it really works and we couldn’t dive into the Nitty Gritty on how to set up sam’l but again the idea is that you have an identity provider who am I getting my identity from and you have a service provider Who am I getting the service from service providing provider is giving us a visual force page in this case and the identity provider is providing the single source of identity truth there so we kind of talked over this rather than showing the slide but essentially you can link visualforce pages between orgs like like Chris said we have a link to the the sam’l blog post which which goes through this in a very great deal of detail it’s a thing 12 pages long and one big long thing so and then we did the cross org visualforce set up okay so what did we learn today hopefully we learned how to manage authentication with force.com canvas both using the signed request coming into your canvas app so you can get back into salesforce and also how to start leveraging the sam’l functionality within Salesforce to automatically log into your org again there’s a ton of different authentication methods out there there’s no way we could support all of them so what we choose to support is for the Salesforce ID o auth sam’l and then anything that you want to use again we’re using browser technology so any way to authenticate into your application through the browser will continue to work so if you do have a login username password and that’s what you want to continue to use on your application you can do that the result will be that you have a user name password login screen when they first opened the canvas app if you want to use a more seamless method you can use sam’l like we showed we also have customers and partners who are using their own home rolled where they take something from the context like the user ID verify that that user ID exists in their system and then do an auto login on their system a lot of ways to do it there’s a session today at 11:30 in the dev zone where we’ll have a partner actually showing this they dive a little bit more into detail about how to actually do kind of a home roll authentication scheme that’s it so before we get to the QA we do have a couple more resources like I said we have the 11:30 session connected apps canvas on that one platform there’s another session right now so I don’t think you’re gonna make that one but we have our integration workbook in the dev zone it has a great example of a canvas app kind of gets you up and running with the standard warehouse application using Heroku and Salesforce we have our developer page there you can always email or tweet me and we do our recording every Dreamforce session this year so they all will be on YouTube later feel free to check this one out again if you missed something or feel free to check out all the ones that you couldn’t attend because we do have over 1400 sessions this year so with that I’ll open it up to Q&A if you have any questions please step to the mics in the center and we can get those turned on if

they’re not and fire away yeah at our organization we’re using Active Directory Federation services and when we go to our domain we get our credentials page from Active Directory instead of the login salesforce.com so our users don’t even have Salesforce passwords that are using our Active Directory and we’ve recently where we’re about to put in production our quote system which is web-based into our domain that is using Active Directory ntlm authentication so in our use case it took us three days going through the blog to get the sam’l where Active Directory Federation services so the the hardest part is there’s just so many options just finding the right blog to go to and setting it all up is it’s difficult so the the last piece that we need is we need the the canvas app to authenticate internally in Salesforce using the same token what would be the easiest choice for for path of making you know we’re going from Active Directory to Salesforce and Salesforce that’s authentic ated now we’re calling back into our domain and we’re getting credential pop-ups for our canvas app which means obviously it’s not working on mobile cuz Android doesn’t support that and you know so we need to figure out a way to pass that token all the way down to our site well can you give me a hint to what what we should use so if you’re passing a token if you need to actually get information if that Salesforce currently has if does Salesforce know how to get into your system or know we might need to talk a little bit after to get a little more context but essentially when we post to you if you’re using the standard signed request the options the two options that you have are either to take information from that post and leverage that information to to log them into your side which is custom to you so if you need it if their Salesforce had a token that your site understood you could inject that as a parameter and then then through the JavaScript SDK you break that parameter out and log in your system other things that I’ve seen is if there’s a browser cookie that kind of carries over the session when you’re going website to website there can be some issues because you’re you know going over secure connections you’re popping into iframes things like that so we could we can definitely connect after and then hopefully get a little a little more better answer I guess yeah well is it’s very relative right well I wish I had a button that could just say work with everything unfortunately they have invented it yet hi I joined the session little late but what got me excited was about you know this was talking about collaboration across we dissolves in forms chat right are you planning to create that as a product ready to support all the walks and my next question is like let’s say you have you know cross org collaboration how do you take that and expose that to an external application right because most of the time you know the users are not within Salesforce but there’s the outside within our own applications how do you envision that also getting you know in future take the collaboration across various orgs expose that into an external application sure so the first question how do we are we looking to productize cross our chatter I’m not on the chatter team I know that they’ve been really working to break this challenge out because we’re having more and more customers run into this there they are working on a very supported cross org solution which will not include canvas it’ll be completely native to the Salesforce code I don’t have information on any kind of release date or anything like that I definitely encourage you to reach out to the chatter team for that information I know it’s on the roadmap as far as kind of Calabrian all the collaboration from Salesforce and getting it out to your application is did I understand that correctly as I want to bring it into mine that’s correct that’s right so that’s kind of the reverse of canvas in a lot of ways canvas is designed to bring your you bring your applications into the Salesforce and allow Salesforce users kind of a full view if you’re not a Salesforce user it kind of predicates the removes the access for canvas so not sure that there’s a canvas solution there I think just plain old connected apps what you’d have to go through the OAuth flow yeah each one you want to bring in and then ultimately you get a refresh token once they’ve done that you’ll have the Refresh token you can store that on your side and you can do it from there on but but that that said it does require that that your end users have access in the Salesforce yeah but in case of the tokens right you have

your own session management as well and then you have the token so how do you combine both the sessions together in terms of that’s I think another front of my challenge as well it can be it can be difficult I mean this is this is kind of the modern problem that we’re seeing a lot especially with website mashups we got four seconds I’ll have to end I’m definitely interested in continuing the conversation if you want to hang out after but thank you everybody I would definitely appreciate your time and hopefully you had a great dream for us have a great day