Good morning and welcome to this webinar on OpenID Connect, the new standard for connecting to your customers, partners, apps and devices. As is traditional with every Salesforce webinar, we show you the safe harbor slide: please do not make any stock or product purchases or decisions based on the content of this webinar. We can and will make forward-looking statements; refer to the information on our website, particularly the investor section.

So, with that, I'm Pat Patterson, developer evangelist architect at Salesforce. I'm joined this morning by Chuck Mortimore, vice-president for product management of identity. Morning, everybody. And a new guy in town, Ian Glazer, a senior director on Chuck's team. Hi, everyone. We'll give him a chance to introduce himself in just a couple of minutes.

As always, we are very social here at Force.com. We're on Twitter; the Twitter handle is there, please follow us, and in fact you can tweet questions at us with the #forcewebinar hashtag. We have a Facebook community, and if any of you are on Google+ you can find us there as well. This webinar, in common with all of our webinars, is being recorded and we will post the recording to the Developer Force YouTube channel. In fact, that's a really good resource: go to Developer Force and find all past webinar recordings, sessions from Dreamforce, little hints and tips that the evangelists record, and so on. And finally, there's the LinkedIn group for those of you that like to network with your fellow professionals.

So, a pretty straightforward agenda today. We'll give Ian a chance to introduce himself, and then we'll basically work through the high points of OpenID Connect. We'll have a bit of an overview, we'll look at the protocol, we'll have a demonstration, and then Chuck will explain some of our thinking about where we're going to take these features in the future. So Ian, why don't you tell us a little bit about yourself, where you come from and what you'll be doing on Chuck's team.

Sure. So I'm Ian Glazer. I'm about three weeks old here at salesforce.com, but I've been in the identity industry for a long time. You may remember me from such lovely standards as Service Provisioning Markup Language. Most recently I was running the Gartner for Technical Professionals research teams, setting the agenda. I've got a long background in user provisioning, role management, authorization and privacy. I joined Chuck's team at this organization to have some fun and get back to building product, and I'm looking forward to that very much.

All right, SPML, that was the forerunner of SCIM, right? It was a forerunner to SCIM. Everyone loves to see it. I pronounce it "spam-all", but, you know, hey, I guess. So we hear you're a big fan? Uh, you know, I am. And so you also may have known me from my antics on Twitter, and I look forward to more of that in the future. Right, lovely. Welcome, and thank you. OK, so in fact you're going to kick us off this morning with a description of what OpenID Connect actually is. Right.

So I think those of you who have an identity background will recognize a lot of the things in OpenID Connect, as it really is built on a lot of lessons of the past and in fact built on other identity standards. It gives us, as developers, as identity professionals, as businesses, a way of understanding who our users are without, frankly, getting our hands very dirty in the identity muck. So, because OpenID Connect is built off of an established standard, OAuth 2, it gives people a way of authenticating users without having to deal with passwords and usernames. It's a token-based protocol. But just authenticating a user isn't enough, right? So we've had OAuth for a while; it's widely used, especially in mobile settings, but just authenticating a user really isn't sufficient. We'd also like to know, well, who is that person using that mobile app, who's actually working, what do you know about them, and how can we enrich their experience based on that? So what OpenID Connect adds to OAuth is this sense of an identity token: essentially a way of getting attributes about an individual, and doing so using sort of modern identity tools. You don't have to roll up your sleeves and learn LDAP; you can, in a much more developer-friendly way, understand who is that person using my mobile app and what can we do to enrich their experience.

So why should you care about OpenID Connect? Well, if you're like me, an identity professional, this gives you an opportunity to really focus on business enablement, and by that we'll talk about some of the use cases that it enables, but these are the kinds that generate revenue for the enterprise and really achieve the mission. We'll talk a little bit more about that in a second, but you can think of OpenID Connect as SAML for our modern era. So gone are the angle brackets, and in is JSON, in is a RESTful representation of identity. And so it's a crude way of thinking about it, but OpenID Connect really does give you a lot of the capabilities that SAML does in terms of providing a single sign-on experience, the ability to move attributes about an individual, about a user, around, but does so in a RESTful, web-oriented way. If you're a developer, the reason why you care about OpenID Connect is you get to focus on the awesome. You get to focus on that user journey, and you don't have to deal with all the identity stuff: usernames and passwords, and figuring out what certificates you need for PKI dealings, and LDAP. You get an ability to have higher, stronger assurance about whom it is that's on the other end of the line, who's using this mobile app, one of these connected products, without having to dig deeply into all the identity infrastructure. It frees you up to focus on the really great aspects of what you want to bring to bear for the business. And regardless of whether you're an identity professional or a developer, the reason why you care about OpenID Connect is this is what the business wants to do. It gives you a way of engaging with both internal customers and external customers and reducing the friction of those interactions. So whether the business is interested in saying, look, I want to reduce cart abandonment rate, I want to be able to have people use their own credentials coming from different social networks and different credential providers and easily use them to interact with our services, whether that translates into a reduction in shopping cart abandonment or simply just an ease-of-use experience, this is what OpenID Connect can enable.

So we should just take a moment to think about how we got here. When we started out, identity was something that was owned by the enterprise, that was managed on servers the enterprise owned in enterprise data centers, and it was users sitting at fixed computers, fixed endpoints, working with those credentials, working with those business services. But then we had cloud and mobile, so now we have a large population of our enterprise that's using devices that don't have a fixed position, that are likely not corporate owned, and they're consuming a mixture of services owned by the enterprise and hosted by the enterprise as well as those hosted elsewhere, using SaaS. But this isn't the final point of where we are. Being able to enable a mobile workforce and a mobile customer base is good, but we've got to reach further, and many enterprises are in the midst of this transition of thinking, I want to bring everyone into a connected world based on identity, whether it's our customers or it's our partners or even it's things. So we have products and services that are connected, that have identity components, and we want to seamlessly manage all of the experience so all these different constituents can actually interact.

So I mentioned a little bit about the use cases that OpenID Connect enables. The first thing, as I've talked about, is social sign-on: being able to take credentials from things like Google+ or Amazon and easily interact with whatever the services are, whether that's, you know, in a retail setting or it's for business or enterprise services, doesn't matter, bring a credential that you're comfortable with and we can make it work. But the other use cases that are really of keen interest to the enterprise are enabling mobile apps. So as we're building out more and more mobile apps, having a seamless single sign-on experience, having a very simple way to get higher assurance about the end user, but not just stopping there, and thinking about how do we connect all of the things that the enterprise interacts with, whether it's smart light bulbs or all of the other bits, like a jet engine, that we may have out there.

So OpenID Connect is built on other identity standards, and it starts with OAuth 2 and the JWT and JOSE suite. So what this gives us is actually a fairly well fleshed out and deployed underpinning for the stack. On top of that, then, we have the OpenID Connect protocol suite itself, and it can start very lean and mean, a very simple way to accept OpenID Connect messages, all the way up to more complex scenarios like dynamic client registration. So if you're really into specs, if you really enjoy canonical versions of things and your SHOULDs and your MUSTs and your MAYs all make sense to you, go and read all of this stuff. For the vast majority of you, you're not going to do that. What you're going to do is you'll probably start with a basic client. If you just read one thing in the spec, start with the basic client, which gives you all of the pieces you need to really get going if you want to roll your own. But for the vast majority, you don't want to do that. We have something even easier for you, which is you can just use what we built in the Salesforce1 Platform. We've given you the capability of doing both OpenID Connect relying party and being an OpenID Connect provider. So we'll talk more about how this actually gets implemented, but just know that through the product and the services we provide, you can deal with the client side of OpenID Connect and we give you the server side. I think with that, Pat, let's talk a little bit about how this actually gets done.

All right. So I'm going to run you through the protocol, and as Ian mentioned, this is nitty-gritty detail. It's useful to know it's there and kind of have an idea of what's going on, but most people listening to this are never going to need to interact with these messages directly. How I'm going to run you through it is: we've got a client application, OK, maybe it's some web app that you're writing that wants to authenticate users in Salesforce, so maybe you've got a "Login with Salesforce" button on your website. The end user is, well, the end user with his browser, and the server is Salesforce in this example. Maybe that's the other way round, you'd be logging into Salesforce from a third party such as Google, but this is the way we're going to drive it this morning. So essentially, the end user clicks on some button at the client website and is redirected to the authorization server, and this is the kind of request that gets sent to kick off this process. OK, the URL is the authorization server, the OAuth 2 / OpenID Connect service there, and we are going through the authorization code flow. OK, this is the variant of OAuth 2 that we use in this scenario. And we've got an identifier there for the client app, that client ID, and a redirect URI where we want the response to come back to. We can also optionally set state, so as the client you might have some context that you want to keep when you get that reply back later. And what's going to happen is the authorization server is going to authenticate the end user; the user is going to type in some credentials, give some consent to release information to the client app, and then also be redirected to the client. Now, these couple of steps here are outside the protocol, and that's a great thing: we don't specify how the authorization server authenticates the end user. If you've already got a login session established, we can just use that. If you are using username and password, that's the most common case, or a stronger credential, this can all take place. But as long as that authorization server has a good idea of who the end user is, it's good and it can redirect to the client with the authorization response.

Now, there's that URL we passed, there's the redirect URL, OK, that's where we wanted the reply to come back to. There's the state that gives us some context on what's going on, and this is an authorization code. Now, this is traveling via the browser; it's a short-lived code, but the client app is going to use it one time to retrieve session information. So what happens is the client passes that directly to the authorization server, and because this is passed directly over what we might call the back channel, it doesn't go via the browser or the end user, we can post that code that we just got, the client ID and the client secret. OK, in this mode the client app and the authorization server have a client secret, so the authorization server is confident that it's not handing out details to anybody that just happens to call it. And then the authorization server can respond with a token response, and this is basically, well, it's not basically, it is an OAuth 2 response. If you're familiar with the OAuth protocol then you will know that everything that's gone on so far is vanilla OAuth 2. There are two differences here. One is in this scope element: we have openid as one of the scopes. And we have this ID token. Now, to put this on the screen I've elided quite a lot of it, but if you were to look at one of these responses for real, you'd see that you've got three alphanumeric strings separated by periods, and what this ID token comprises, it's actually not an opaque string in the same way the access token is, it's got some structure, OK: a header, a payload and a signature. And if we base64-decode that payload in the middle, we actually see the core of this ID token. So this is what we're passing around that actually represents an identity. It's got an expiry time; it's got a unique URL referring to the subject, that is the end user. If you're familiar with Salesforce you might recognize an organization ID and a user ID in that URL, so that uniquely pins down this user. And here's the thing, this is why OpenID Connect exists, this is why you can't just use OAuth 2: it has a reference to the audience for this identity token, OK, that client ID in that aud field. So this pins down this assertion of identity between the authorization server and the client app. That means you can't take one of these and impersonate the user at another app. And so we've got issuer and the issued-at time, but the important thing here is that this token is tied between these three parties, the client, the end user and the authorization server, and it's been digitally signed.

So with that, usually the next thing the client app wants to do is to take the access token and just make a regular web services request. So this is the OpenID Connect user profile service. This is a well-known URL that the client can use with, again, an OAuth request with a bearer token, that's the access token it got a minute ago, and in return the authorization server can send all the usual profile information concerning the user. So in the case of Salesforce you get that same subject ID, where you might get their user ID, organization ID, name, email, all that good stuff, everything you need to interact with that user. So that's the basic client profile in a nutshell. There are some variations for mobile devices, and we'll actually give you a URL at the end of the webinar; there is an article that basically walks through this flow in, if I may say so, excruciating detail. Well, I did write it. I appreciate it is excruciating. OK, so with that we've taken a whistle-stop tour of the messages that flow back and forth. Chuck, you're going to tell us how we get started?

Absolutely. So one of the things to remember from what we were talking about earlier is there are two different implementations of OpenID Connect in Salesforce. One is the client implementation. This is really how you can teach the Salesforce platform to be an OpenID client of other platforms, OK. This is, if you want to do something like social sign-on, as we were talking about, this is how you teach our platform to become an OpenID client and become a Google application or an Amazon application or a PayPal application, or, if you're running your own OpenID Connect provider, your own OpenID Connect application. You can even use this to connect to other Salesforce orgs if you want to, because Salesforce also has a server-side implementation. So auth providers really is this way that you can provide information to our platform and transform our generic OpenID client into a specific client that will talk to a specific provider. There are a couple of key capabilities we'll take a look at. One is you can create and update users on the fly using this mechanism. So as we pull attributes off of an OpenID Connect provider, talking to that identity service that Pat had just shared with you, we can ultimately use those attributes to create a user, create a contact, keep that data in sync, and help you acquire a customer or just-in-time provision a user into your organization or into your community. This will also allow you to link to existing users. So there's this framework available such that if you already have users in the system and you just want to associate them with an OpenID Connect provider, account linking is provided such that you can look up a user, look up a contact and try and join between those two.

On the server-side implementation, this is really where we're acting as an OpenID Connect provider. This is built into a framework we call connected apps; we'll also be showing you this in a second. This really allows you to run your own client and talk to our services. You can either talk to them as a "Login with Salesforce" flow, those using the Salesforce login page and the Salesforce brand, or, what's certainly unique about us, is that you can also run our OpenID Connect services as your own brand. So if you want to run your own OpenID Connect service and provide "Login with your company name", or just simply single sign-on across all your web properties, this is something that OpenID Connect is great for and is built right into Salesforce. In addition, we've provided a number of key capabilities in the connected apps framework that we'll take a look at: authorization of users. You can use the standard profiles and permission sets within Salesforce in order to authorize users, or you can authorize users in a consumer-style model where that user approves the application on their own. We can control things like the authentication level required to access an app; we may put you through step-up authentication. We can control how often a user has to log into the app, controlling how often something called a refresh token in OAuth expires. And then we can put additional policy, or put additional attributes, into those identity responses. I think the easiest way to learn about this is actually to start taking a look at some demos of what we can actually build.

The first thing we wanted to do is run you through a quick view of what you can do with social sign-on and a little more detail on auth providers. Now, we have in the past run a good webinar on social sign-on, so if you really want to do a deep dive on this topic, get out there and check out the archives, but we're going to run you through a quick example of this. So the first thing we wanted to show you is auth providers. So if you're in Force.com Setup, Quick Find is always the easiest way to quickly find things. If you just type in "auth" we can get to auth providers, and what you'll discover here is a generic framework for plugging in social providers, and of course one of the things that we've plugged in is a provider type of OpenID Connect. So I'm actually not going to bother going through and configuring all of this; let's just dive into a particular configuration. Now, what we've done here is we've basically provided a generic OAuth and generic OpenID client. What you're doing is teaching it to become a Google application, teaching it to become an Amazon application, teaching it to become a PayPal application by plugging in your metadata. Now, in order to do this you have to go out to Google and register an application, and what Google gives you back is information such as a consumer key, or in the protocol this is really called a client ID. Your consumer secret is something called a client secret. You also then have to provide the URLs, three different URLs, of your OpenID Connect service. There's the authorization endpoint; this is the server that is in charge of authorizing the particular request. There's the token endpoint; this is where you can exchange things like an authorization code, in the protocol Pat showed you, for a token response. And then finally there's the user info endpoint; this is that standardized identity schema. You can also provide scopes: what scope of access do you want? These are some pretty basic ones that are standard within the OpenID Connect profile. Here I'm looking for profile information about the user, their email address and their basic openid, but since it is configurable it can be expanded into other things that are specific to a particular provider. For instance, here you might ask for access to the user's Google+ feed or their calendar or the variety of different Google APIs that exist out there. All you're doing is really configuring and punching in new scopes here of access that you'd like to ask for when you use this particular client.

So finally, there's one other important thing to understand. There is something called the registration handler, and the registration handler is a piece of code we generate for you but then allow you to customize, and this really gives you two key things: the ability to on the fly create users or link to existing users. We will give you all of the data that we've acquired from the OpenID Connect provider and allow you to look up an account or look up the user, or create a contact and create a user on the fly, and we will also allow you to update that user on the fly. And this really creates a scenario where simply pointing the user at Google or Amazon, for instance, over OpenID Connect can automatically create that user, create a user and a contact in your CRM system, pull attributes about them and keep them up to date. So just by virtue of users logging into your system or into your community, it's keeping your CRM data fresh and up to date. So there are a few different URLs that you'll want to pay attention to. One's a test URL; this is a good way to get started with auth providers. And your callback URL; this is ultimately where Google's going to send messages back to you, and you'll have to put this into your registration flow. Once again, you should go back and watch our videos or our previous webinars on this. But the big one we're going to take a look at now is the single sign-on URL.

So now that you understand that you use auth providers to create an OpenID Connect client to talk to a specific provider, let's take a look at what that feels like in action. So one of the things that Salesforce Identity and the Salesforce platform are quite good at is allowing you to deploy your own branded login experiences. So here we have a Salesforce community that's been completely branded for our fictitious company, Pacifica, where we like to surf sometimes. And what we're doing here is we're providing not only the ability to log in to this, to drive things like forgot password where you're just using the community and having a local identity within our communities, and even register here, but sometimes you don't want to actually create a new identity; you really want to use these social sign-on capabilities. Well, some OpenID Connect providers, like these three across the bottom, make this super easy. So if we were to simply click on Google's, we redirect to Google, Google detects I'm already logged in, and here what we're doing is basically approving this app. Remember when I asked for those three scopes in our auth providers? I asked for openid, I asked for the email address, and I asked for the profile. Well, you see what Google's saying here is, hey, they want to know your identifier, your email address and your basic profile information. So I'm going to approve this and we will pick up that OpenID profile response and ultimately get this user signed into this community, and it was just that easy. So now we have a new user, a new contact, within the system; we can do things like deliver applications to them. But ultimately what that was, was the user didn't have to go through a registration process, didn't have to create a new user ID and a new password that they're going to forget with your system. They can just leverage a credential they already know and trust and simply start engaging with you or connecting with your organization on their terms. So, just built into the platform, OpenID Connect, you can just get out there, check out auth providers and social sign-on. And it's worth mentioning that the social sign-on webinar is really, really worth watching because we go into a lot of detail there. Yes, we've also got a video that goes into a deep dive on how to configure that, and we'll show you that at the end of the slides here.

The next is, what if we wanted to invert that? We talked about auth providers as being an OpenID Connect client. What if we wanted to be an OpenID Connect provider? Lots of great use cases for this. You may want to provide single sign-on across your own applications, for your own web properties, or use this to deliver to your customers, so customers can actually log in using the system, the platform, you already use to sell to customers, service customers, market to customers. You can now use that to actually control identity and deliver use cases like single sign-on or your own branded login service. You can really run a "Login with Google" or "Login with Facebook" style program under your own brand. So in this case what we use is the connected apps framework. This is, once again, where we're acting as the server. So connected apps is a way to create one of these applications within Salesforce. So we're taking a look at an application I've created. We've gone into Apps under Create > Apps and we've created a new connected app, and what you'll see here is that the connected app is really giving us some basic metadata about this application: what is its name, its logo, what scope of access does it want. We're really just getting a few key pieces of metadata registered for the system so that Salesforce has context of what is this application that you're building, what is this application that's trying to connect.

So now let's go take a look at what would happen if you had an OpenID Connect client trying to connect to Salesforce instead of Salesforce being the client. So to do this we're going to show you something we've been working on called the OpenID Connect playground, and what this is really going to do is allow us to walk through some of these scenarios. So what we really have here is a way to kind of walk through what Pat showed you before in slides and allow you to play with it. Now, a couple things to keep in mind here. One, this is still kind of pilot-y, so we're still working out some bugs, but this is out there; you can check out the URL and go out and play with it. The other thing to keep in mind is that OpenID Connect, this complete capability, is something that is in our Spring release, and if you follow how our releases work at Salesforce, you'll probably understand that we're about halfway through rolling out the Spring release. So this will not totally work until a little later this month when the Spring release is out for everybody on all of your orgs. Now, if you happen to have an org on the Spring release and you're using something called My Domain, you can already point to this and get going. So I'm going to do a few key things here. One, I'm going to point this at an org that I know is on the Spring release and specify my login domain, and then if you've created your own OpenID Connect client you can go in and basically copy this client ID and paste it into the client ID field. If folks are on prerelease, could they put that prerelease login URL in there instead? It's a possibility; we haven't tested that, but it's probably going to work. OK, looks good. Somebody give it a try and let us know in the webinar. And you get the client secret from that page, and now basically what you've done is you've trained your client to be an application that connects to Salesforce, in this case the OpenID Connect playground, but this might be your Java application or your .NET application or your mobile application. If you want to create one of these yourself, we've put a little screenshot of what you should put in here. Basically you need to make sure you have a callback URL for the playground and just grab a couple of simple scopes like openid and the email and profile scope within our platform.

So now if we start stepping through the sequence here, we'll see the first thing it does is ask us to log in. So we'll log in with our user here, and you'll see that now we're being asked to approve this application. Once again, we're kind of in a standard OAuth flow: our OpenID Connect playground is requesting permission to access those scopes. So this should feel a lot like when we were the client talking to the Google service, right? We asked for access to email and profile and Google said, hold on a minute, you're trying to connect with a service, user, do you really want to do this, do you want to allow access to your information like this? In this case we'll say yes and click Allow, and now we get a callback. OK, remember in Pat's slides what we get to our callback URL is a code. So we redirected the user to our authorization URL, and you can look in this code and see how to construct an authorization URL properly, and you'll notice what we get back is a callback with this code. The next thing we have to do is, on the back channel, we're going to use our client ID and our client secret in order to prove that we are this particular application and exchange that code for a token response. If I click Next, the server will go ahead and send that information; we basically post that information up to the token endpoint and we get back that token response that Pat showed you earlier. Included in that is not only an access token we can use with our little demo org here, but also an ID token, and if we peel apart the ID token we'll notice that it has an audience of our client ID. And remember when Pat was telling you that you need to make sure you're using OpenID Connect on top of OAuth for something like single sign-on: you really want to do things like validate that the audience matches your client, so that you can be sure that the token you're being presented was actually targeted to you. So here we've done this check and we can make sure that's true. And now we're going to turn around and use the access token to fetch the user's identity. Here you can see we have used the access token, we're hitting our general user info endpoint, and you get standard OpenID Connect schema back as well as some enrichment that the Salesforce platform does. These attributes cover all, you know, standard things that you'll find in OpenID Connect. We also provide back URLs that you can use your token with; there's discovery for the various Salesforce APIs. We also can provide personalization information that's standardized in OpenID Connect that you might need, such as the language or the time zone that the user prefers.

Ultimately, though, what we want to do is take a look at how we can then go beyond this and start using connected apps to manage this. So if we head back into Setup and we look at connected apps, here's where we can edit the policies around this connected app. There are lots of different things we can do; let's take a look at some of them. One of them might be to make sure that admin users are pre-authorized, so let's go ahead and select pre-authorize. Now, what does this mean? This basically means that instead of going through that consumer OAuth flow where the user's hitting Accept or Allow, now administrators in this org are going to be able to determine who's allowed access based on the authorization constructs you already understand within Salesforce: profiles and permission sets. So we save this and now go back and try our flow again. What we should see is that we are forbidden or denied access, and we basically have a bad OAuth token because we've been kicked out. If we go all the way back to the beginning and click Next, you'll see that we get an error back here that our OAuth app is denied. This is the part where we said we're still working on weeding out a few of the, you know, we're still kind of in pilot form because we don't have all the error handling properly done, but you'll see in the URL we've got an error here. So in order to rectify this error, what I'd go in and do is, well, why don't we actually authorize maybe some profiles for access to this app. So I might go in and say full-time employees and identity users and identity admins and standard users and system admins, I decide those are the people that are allowed to use this application. I save this, and actually we're going to add a couple more because I forgot I'm going to demo something a little later that's probably going to want access as well. And now we've authorized a number of profiles within the platform. So let's try and go through this flow again. Notice we immediately went through that flow, and something materially different happened here: we didn't stop at Salesforce and you didn't see that screen that said, hey, you need access to this application. That's because, according to that policy, we inverted the way that the OpenID Connect service was working and basically said we're going to check on the server to see whether your profile or your permission sets, whether an administrator, granted you access to this application or not.

There are also a number of other policies we can put in place. One of the things that you could do as you're developing your application would be to go in here and pull up the developer view of this. I might have said I support PIN protection in my mobile application, so I'm going to check this as the developer data, and now if we head back to the manage side we can start looking at some of the policies you can apply to this application. So, for instance, we can control how this application behaves with IP restrictions; we can raise the authentication level with step-up authentication, this might force the user to use a two-factor client in order to log in; or we could put special session timeouts on this. So if it's a mobile app we can pass back attributes about what session timeout or PIN length we might want. So I'm going to put a five-minute session timeout and a PIN length of four on this application, and let's go back, step through our flow, get a little further, and we're going to fetch that identity service. And you'll notice down here in the identity service we should have something new, which is there's now a mobile policy claim that's been included, and this is instructing the client: hey, you need to put a screen lock and PIN protection on this. And what we'll see is, if you use our mobile SDK, our mobile SDK is already hardwired up to our identity services and knows how to interpret and enforce these policies. One other nice thing about OpenID Connect is this ability to have custom claims, not only around these policies that you can configure on the server, but also you may want custom attributes. So, for instance, let's say we want my custom attribute. What we're going to do here is basically construct a custom claim that we can pass back to the application. So I can use the standard capabilities in Salesforce; let's say I wanted to pass this user's profile name, and of course you can use the formula language, so I might say user profile type. And now we've come up with a custom attribute, and as we save this what will happen is, on the fly, we're going to calculate what the value of this custom attribute should be and pass that back through the identity services. So if we reload our identity response, what we see is that we now have another new claim, custom attributes, and you'll see my custom
attribute and my user profile type is identity user so it’s really simple for you to not only do things like do single sign-on with open if I did open ID Connect but also pass critical attributes pass information like policy to your applications such that centrally in your identity provider you can control this gather information and share it out with your other web properties it’s a great great capability there but what you’re going to want to

do is go to developer.com slash mobile sdk and there’s a few key things you’re going to want to pay attention to so the development guide is a good place to get started also getting started guides there’s guidance on how to build native apps and hybrid laughs and if you’re really really interested all of this is open source if you wanted to go dig behind the scenes and see what we’ve done you can go out to github and Quercus and you know start hacking and I actually direct people to this this very github project that are building their own apps not like Sony team itself also those do they use that are wanting to implement all because this is great implementation of a lot in in iOS and really really useful result to have out there yeah so one of these you could do quickly as we wrap up is do you have one mega soda and should have the one I tested earlier and we can see the experience here when you fire up this notice is that you can also just point this at the same way I change that login URL you can point this at customer demoed 4.com or your own brand and once again those login services can run into mobile context so we could go ahead and once again login use an opening ID connect to Google and there we have a fully functioning mobile client yeah that spoke open ID connect to our service switch spoken open on you connect to Google and then came back with a a full response and I’ll be going to change my password and not always immediately my usual they used to drag it off the screen then yeah I was a little flustered by the demo not working lol oh okay so let’s come back to the slide show what’s new there’s a couple key things here obviously we’re talking a bit about social sign-on a bit about OAuth but one of the key things that we’ve done is finished up and gotten our Open ID Connect service up to the full standardized version of Open ID Connect and that manager introduced a few key things one is user profile service that runs the services to user info and this 
provides that standard schema we were looking at when we when we went through the playground and looking very slide we’ve also added in something we didn’t show today but it’s quite interesting which is signature based client authentication so you notice we were using something called client secrets in order to identify our application and this really uses a shared secret between you know our platform issues it you copied in your clients and you have to use the shared secret sometimes shared secrets aren’t the best though so what we’ve also enabled is the ability for you to go into your application and register a public certificate so if you come in to where you create your application and you say uses digital signatures you can go ahead and upload a PEM encoded certificate and then what you can do is two key things one you can use the OAuth assertion draft which we did not cover today but allow you to do server server to server to server communication by simply signing signing JSON messages or signing sam’l assertions or you can construct a sign to JSON defent Ockman something known as a job in order to use that instead of a client secret now this may sound kind of nice uses private and public keys and asymmetric cryptography you don’t have shared secrets but what’s really powerful here is that because you don’t have to have a shared secret you can actually use our API to dynamically create a client and on-the-fly begin connecting to our platform without having to have an administrator manually carry that shared secret back to your client the other thing the big thing that we’ve introduced here is these ID tokens these are once again a sign jot they’re basically a JSON document and you can use these to not only validate that the token was coming to your application by validated in that audience but you can also you do things like hand that back to your cloud infrastructure to have your mobile app identify the user to your back-end services for example and one of 
the things that we didn’t show you because it’s not quite live until spring is completely rolled out in our environment there’s also keen endpoint because there’s a signature on that you want to turn around and fetch our public keys well now you can publicly stretch our keys in order to validate the signature on one of these ID tokens that allows you to in a very scalable fashion validate these ID tokens in your back-end infrastructure without talking

to Salesforce all the time so finally we wanted to close with what’s next well we’re doing a few key things one is custom permissions one of things that our customers have been asking us for is as we’re building mobile applications or plugging other web-based applications in your platform we really like how your permissioning model works with profiles and permission steps and we’d like it to be consistent so not only do you want the ability to grant access to the application but this will allow you to have fine green permissioning within the application you want to build your mobile app and you know have control over whether user sees a particular tab or a particular function you’ll be able to define those permissions within Salesforce manage them with profiles and permission sets and we will handle those authorization decisions down to the client applications so that’s just in exactly the same way that does all totally became true right and you can use the profile exactly they’ll be a new open ID Connect claim which is called custom permissions and will render all of the authorizations decisions specifically for your connected app that’s something that we’ll go with in Pilot in our summer lease and BGA later this year and finally what we’re working on is customization of these ID token so the ID tokens are pretty simple at the moment but we see great potential to use these tokens for things like our it for concepts like the identity of things so what you’re really trying to do is take and connect a user to a device connect your customer to your car radio or your washing machine or the various things that are starting to get plugged into the internet well you need to make sure not only that you can identify that device but also associated with a customer associated with patients associated with a doctor or a driver and there’s a great use for the Salesforce platforms is where a platform that you use to manage your interactions with your customers so there’s a few 
key things we’re doing here when we’re going to use ID tokens because it provides a scalable and offline way that you can deal with these once again take those IDs open hand them to your quality infrastructure Leste’s are collecting telemetry data and you can validate the signature all day long on that by simply stretching our public key once we also want to provide a spectrum of authentication so being able to identify only at the device or potentially this is the exact device that i issue that token to this is that exact device that i issue that token to and I trust its manufacturer we’re not looking at you know a a clone of a particular device or some copyright problem and finally we want to provide the ability to provide fine scoping so that ID token can turn around and get a scoped delegated capacity to act against sales force and what that means is let’s say you’re watching machine had one of these tokens you you’re not going back to the internet it is it’s you know every day it’s sending up data I’m doing fine I’m doing fine I’m spinning and then your three-year-old dumps a bunch of sand in it that washing machine may want to stay file a case against a little technician inform the cloud that something’s going wrong and in that paid case you wanted to have the ability to talk to Salesforce to get that case blocked but you don’t want to have the full capabilities of your identity so fine scoping and delegation is another thing that we’re working pretty hard on so identity for the Internet of Things I feel like you’ve acronym coming on isn’t that ideal IOT I do you yeah there we go you heard it here first okay okay going to talk about where we learn more absolutely so we’ve got a couple of articles out on our wiki so the venerable digging deeper into OAuth 2 one for comm actually wrote about three years ago has had an update now it’s up to days of connected apps and all the features in spring 14 that definitely worth revisiting that if you want to know about 
the underlying protocol here I’ve also written inside open ID connect on 4.com and that basically walks you through the protocol and the configuration in just a little bit more detail than we did today it gives you sample responses if you’re actually writing against this protocol it’s really useful to have an ID what to expect coming back on the wire Chuck’s open ad Connect playground is available out there on the open ID connector over comm and I can confirm that it does work on green 14 pre-release orbs so if you have a pre rel login credentials you can move that straightaway and a couple of videos there link these awesome social sign-on video and we have one on mobile access management so touching on those issues how you work with mobile devices so with that we have some questions coming in and Charlie you so you showed my teeth net standards-based approach and dewlap can I look like Facebook credentials because they look quite the same model is the protocol point of view yeah so the author providers framework of one of

the providers we’ve added in the system is open ID connect so we also have some providers that allow you to plug into other services such as Facebook which is open ID Connect esque shall we say but not actually standardized so and you know we’re going to continue to go out and expand the capabilities of that framework and hit a couple of different ways of course working in the identity community to try and make sure that all platforms are adopting open ID Connect so sweet definitely seems to be a great amount of nurture around that but also you know tactically where we need to we fill in the white space and adapt to people’s proprietary systems and again it’s got to think the things here too is the ability to actually mediate called it right so that we’re not exposing some of the pain and suffering of open IDs protocols to you but we’ll take care of that back end and just let it roll right that is a nice thing about off providers is that you don’t really care what like huge pointed Facebook you pointed Google we’re sorting out all the protocol mishmash to you what you get back is just standardized set of attributes that pill sports has canonicalized for you into a into a standard schema so we deal with basics and even have to guess and I guess it does additional providers that people are really interested in they could squeeze in my view with people tako they got to follow me first well okay that’s fun to deal in okay so another question I think you actually answered this one the way through can we support multiple services without branding the login page yes you can support multiple authentication services well what’s the best way to describe it you do not have to brand the login page you do have to configure the login page and use my domain so my domain allows you to go in and check a few boxes and we will service different authentication options there that doesn’t mean you have to change its logo or changing them what we do need that might have main so that we 
have context of this is your particular order within the system and therefore we can look up your metadata and provide your particular options but it doesn’t require that you actually physically branded alright so just check boxes on the vitamin-a no codes apply checker box all declaratives really quick okay so a more techie one here so in most loads we’re getting back the access token and the Refresh token but we can actually have a scope in the in the protocol what was going on there how did we make sure that our Oaks access token got that so the scope that is acquired so you start in connected app that you register particular scopes you know we started out registering open ID connect and email and profile and then when we ran our mobile app we decided we better add in API and refresh token so when you create your connected app we really ask you to tell the service let’s go back that’s your clients going to need Wilson okay so she was going to finish on this one and we’re really low on fun if I have my own open ID connect IDP maybe other implemented one in my enterprise can I use that to connect my employees successful absolutely so the over 90 connect services work for those employee use cases and customer partner that isn’t what everyone whoever you’re trying to connect to is built for it now the difference here is we the way you shows them is slightly different pre employees you’re going to use my domain we’re going to set up your own you saw to use customer not – discourse calm you’ll have you know my large corporation or my little tiny SMB down at Salesforce calm and you can go into the my domain page check which off provider you want to use that might be a opening you connect off provider pointing at your own open ie connect service that’s run for your employees and instead of showing the login page we will automatically redirect over standard open ID connect over to that service awesome so with that I’d like you to I’d like to thank you both for joining 
you today thank you very much Chuck is always playing this suit and say I presented you and thank you and again welcome again thanks so much that all right thanks thanks for listening