Monday, 13 May 2019

Single Sign-On Between Two Salesforce Orgs (Federated Authentication (SAML) based SSO) | SSO | SAML

Single sign-on is a process that allows network users to access all authorized network resources without having to log in separately to each resource. Single sign-on allows you to validate usernames and passwords against your corporate user database or other client application rather than having separate user passwords managed by Salesforce.

Options for Implementing SSO


1) Delegated authentication

With delegated authentication, Salesforce does not validate passwords itself but instead calls an external Web service to validate the user's credentials. When a user attempts to log in, the platform checks the user's profile to see whether they are enabled for SSO. If so, it makes a Web service call to the endpoint configured for the organization (environment), asking it to validate the username and password. The Web service checks the credentials against an identity store (for example LDAP or OpenID) and returns either "true" or "false". If true, the user is granted access to the application and proceeds normally. If false, the user is informed that their credentials are invalid.
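The following added example (not Salesforce code and not the original post's) shows the part of a delegated-authentication Web service that the paragraph describes: the identity-store lookup that answers only true or false for a username and password. The store here is a constructed in-memory dictionary of salted PBKDF2-SHA256 hashes standing in for LDAP or another directory; the SOAP request/response format Salesforce uses to call the endpoint is out of scope and not shown.

```python
"""Identity-store check behind a delegated-authentication endpoint.

Added example, not Salesforce code.  Salesforce sends the username and
password to the org's configured endpoint; the endpoint replies true or
false and never returns anything about the stored credential.
"""
import hashlib
import hmac
import os

# Work factor for PBKDF2 (constructed value; tune for your hardware).
_ITERATIONS = 200_000
_SALT_LEN = 16


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash from the password and per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def make_store(credentials: dict) -> dict:
    """Build a constructed identity store: username -> (salt, hash).

    Plaintext goes in only here, at provisioning time; the store itself
    never holds passwords.  A real service would query LDAP instead.
    """
    store = {}
    for username, password in credentials.items():
        salt = os.urandom(_SALT_LEN)
        store[username] = (salt, _hash_password(password, salt))
    return store


def authenticate(store: dict, username: str, password: str) -> bool:
    """The boolean the delegated-auth endpoint returns to Salesforce."""
    entry = store.get(username)
    if entry is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        _hash_password(password, b"\x00" * _SALT_LEN)
        return False
    salt, expected = entry
    # Constant-time comparison of the derived hash with the stored one.
    return hmac.compare_digest(_hash_password(password, salt), expected)


if __name__ == "__main__":
    demo_store = make_store({"alice@example.test": "correct horse battery staple"})
    print(authenticate(demo_store, "alice@example.test", "correct horse battery staple"))
    print(authenticate(demo_store, "alice@example.test", "wrong"))
```

The endpoint should do nothing beyond answering true or false: it must not echo the stored hash, explain why a login failed, or accept credentials for users whose profile is not SSO-enabled.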


2) Federated Authentication

As with delegated authentication, federated authentication does not validate the user's actual password on the platform either. Instead, the platform receives a SAML assertion in an HTTP POST request. The SAML assertion has a limited validity period, contains a unique identifier, and is digitally signed. If the assertion is still within its validity period, has an identifier that has not been used before, and has a valid signature from a trusted identity provider, the user is granted access to the application. If the assertion fails validation for any reason, the user is informed that their credentials are invalid. The rest of this article shows how to set this up.
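The three checks the paragraph lists (validity period, unseen identifier, signature from a trusted identity provider) are worked through in the added example below, which is not Salesforce code and not part of the original post. Real SAML assertions carry an XML-DSig signature over a canonicalised document; to keep the example runnable with the standard library alone, an HMAC-SHA256 over the assertion bytes stands in for that signature, and the issuer entity IDs and key are constructed placeholders. Everything else (the assertion element names, the NotBefore/NotOnOrAfter conditions, the replay cache keyed on the assertion ID) mirrors what a service provider has to do.

```python
"""Service-provider side validation of a SAML assertion.

Added example, not Salesforce code.  HMAC-SHA256 stands in for XML-DSig
so the block runs offline; the structure of the checks is what matters.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def _tag(name: str) -> str:
    return "{%s}%s" % (SAML_NS, name)


def _parse_time(value: str) -> datetime:
    # SAML timestamps are UTC ISO 8601 with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_assertion(issuer, assertion_id, not_before, not_on_or_after, subject):
    """Construct a minimal assertion (test fixture, not a full SAML document)."""
    root = ET.Element(_tag("Assertion"), {"ID": assertion_id, "Version": "2.0"})
    ET.SubElement(root, _tag("Issuer")).text = issuer
    subj = ET.SubElement(root, _tag("Subject"))
    ET.SubElement(subj, _tag("NameID")).text = subject
    ET.SubElement(root, _tag("Conditions"), {
        "NotBefore": not_before.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "NotOnOrAfter": not_on_or_after.strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    return ET.tostring(root, encoding="unicode")


def sign(key: bytes, assertion_xml: str) -> str:
    """HMAC stand-in for the identity provider's XML signature."""
    return hmac.new(key, assertion_xml.encode("utf-8"), hashlib.sha256).hexdigest()


class AssertionValidator:
    def __init__(self, trusted_issuers: dict, clock=None):
        # Issuer entity ID -> signing key.  Anything not listed is untrusted.
        self.trusted_issuers = trusted_issuers
        # Replay cache of assertion IDs already accepted.  In production this
        # lives in shared storage and is pruned once NotOnOrAfter has passed.
        self.seen_ids = set()
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def validate(self, assertion_xml: str, signature: str):
        """Return (accepted, reason, subject).  Subject is None on rejection."""
        try:
            root = ET.fromstring(assertion_xml)
        except ET.ParseError:
            return False, "malformed assertion", None
        if root.tag != _tag("Assertion"):
            return False, "not an assertion", None
        issuer = root.findtext(_tag("Issuer"))
        key = self.trusted_issuers.get(issuer)
        if key is None:
            return False, "untrusted issuer", None
        # Verify the signature before trusting any other field.
        if not hmac.compare_digest(sign(key, assertion_xml), signature):
            return False, "invalid signature", None
        conditions = root.find(_tag("Conditions"))
        if conditions is None:
            return False, "missing conditions", None
        now = self.clock()
        not_before = _parse_time(conditions.get("NotBefore"))
        not_on_or_after = _parse_time(conditions.get("NotOnOrAfter"))
        if now < not_before or now >= not_on_or_after:
            return False, "outside validity period", None
        assertion_id = root.get("ID")
        if not assertion_id or assertion_id in self.seen_ids:
            return False, "replayed or missing ID", None
        self.seen_ids.add(assertion_id)
        subject = root.findtext("%s/%s" % (_tag("Subject"), _tag("NameID")))
        return True, "ok", subject


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    key = b"constructed-idp-signing-key"
    validator = AssertionValidator({"https://idp.example.test": key})
    xml = build_assertion("https://idp.example.test", "_id1",
                          now - timedelta(minutes=1), now + timedelta(minutes=5),
                          "user@example.test")
    print(validator.validate(xml, sign(key, xml)))        # accepted
    print(validator.validate(xml, sign(key, xml)))        # rejected: replay
```

The order of the checks is deliberate: the signature is verified before any other attribute is read, so an attacker who can edit the assertion cannot influence the validity or replay decision, and the ID is recorded only after every other check has passed, so a rejected assertion does not poison the replay cache.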


About SAML

Security Assertion Markup Language (SAML) is an XML-based standard that allows you to communicate authentication decisions between one service and another. It underlies many Web single sign-on solutions.


How to Implement SSO between two Salesforce orgs


To set up single sign-on between two Salesforce orgs we need to configure one org as the service provider and the other as the identity provider.
Identity provider (IDP): a trusted provider that lets you use single sign-on (SSO) to access other websites.
Service provider (SP): a website that hosts apps.

Configuring Single Sign-On

Step 1 : Enable My Domain in IDP and SP Org

The first step is to enable "My Domain" in both Salesforce orgs. This gives each org a unique domain name.
  1. Click on “My Domain”

  2. Deploy each 'My Domain' to your users

Step 2: Enable the Identity Provider in your IDP Org

Log in to your IDP org and navigate to Identity Provider: Setup -> Security Controls -> Identity Provider.

In all new developer orgs you will find that "Identity Provider" is already enabled, as in the screen below.

NOTE: Make a note of the Salesforce Identity endpoint URL; we will need it shortly.

If you are using an old developer org, you need to enable "Identity Provider" and create a certificate, as in the screen below.

Step 3: Add Remote Site setting in SP Org

Now log in to your SP org and add your identity provider's domain URL as a remote site, as shown below:
Setup -> Security -> Remote Site Settings


Step 4: Enable Single Sign On in SP Org

  1. Enable single sign-on. Navigate to "Setup > Identity > Single Sign-On Settings" and check the "SAML Enabled" option.
  2. Now provide the SAML Single Sign-On Settings details. You can download the certificate from step 2 with the Download Certificate button and upload it here with the "New from Metadata File" button, but we will use "New from Metadata URL" here, with the same URL we copied in step 2.
    Do not change anything else on the screen below; the only change is to set SAML Identity Type to Federation ID.
    Make a note of the Entity ID and Login URL from here. We will use the same values in the IDP org's connected app.

Step 5: Create Connected App in IDP Org

Now go back to your IDP org and create a connected app with the steps below.
  1. Create the connected app: Setup -> App Manager -> New Connected App
  2. Provide all required details. Make sure you complete the following on your connected app:
    1. Enable SAML
    2. Entity Id (use the Entity ID from Step 4)
    3. ACS URL (the Login URL from Step 4)
    4. Subject Type should be Federation ID.
    5. IdP Certificate: select the identity provider certificate by its label name
    6. Once the connected app is ready, click the Manage button, then add the profile from the related list.

Step 6: Update Authentication Configuration for my Domain in SP Org

Now go to the SP org and navigate to My Domain (Setup -> My Domain). Edit the Authentication Configuration setting and select the IDP org as the authentication service.

Step 7: Test your configuration

Now it's time to test our single sign-on.
  1. Create one user in each org with the same "Federation ID".
  2. First log in to the identity provider org, then go to your connected app -> click Manage. Click the "IdP-Initiated Login URL" link to check your single sign-on.
  3. Now all set. I hope single sign-on is working fine :). If you want to add the app to the App Launcher, edit your connected app and put your IdP-Initiated Login URL in the "Start URL" field on the screen above.
  4. Now you can check SSO with the App Launcher.

We did the same session in ApexHours as well with Atul. Please check the recording below for SSO.

Agenda :-
  • Core Concepts
    • Single Sign On
    • Social Sign-On
    • Identity Provider
    • Service Provider
    • Authentication
    • Authorization
  • Advantages of Identity management
    • Centralized Control
    • Security
    • Policy Updates
    • Easy to use
  • Demo 1: Salesforce as Identity Provider
    • Steps to set Salesforce as IdP
  • Demo 2: Salesforce as Service Provider
    • Steps to set Salesforce as SP
  • Other IDPs in market

If you want to learn about Azure Active Directory Seamless Single Sign-On with Salesforce, please check this post.

Amit Chaudhary

Sunday, 28 April 2019

Salesforce Org Health Check | Security Health Check | Apex PMD Tools | Checkmarx

"It is health that's real wealth and not items of gold and silver" is something that applies very aptly to orgs as well. You do not need an org plagued with problems like CPU timeouts, query timeouts and row lock errors. And the good part is that you yourself can be the doctor of your org.

Things can be as simple as checking the storage stats of the objects in your org or analysing the way your batches are scheduled and the time they take to execute. The next step, after the analysis is complete, is to remediate the issues found. And that is not too hard either. The main aim is to make small but necessary changes to the configuration of your system while keeping its behaviour intact and without compromising performance.

We did one session in ApexHours with Saket Joshi on the same topic.

In that session we covered how often to perform these health checks on your org to ensure the scalability of the system. Once the issues are fixed, you can expect improved system performance and fewer issues caused by either concurrency or data fragmentation.

Some Key Points :-

Your Salesforce org is unwell?

Identifying the wellness of your org

  1.     Performance Issues
  2.     Data Storage Limitations
  3.     Scalability and Planning
  4.     Record Locking & Contention

Symptoms of an Unhealthy Salesforce Org

  1.     Storage Limits Exceeded
  2.     Frequent Issues
  3.     Record Locking & Contention
  4.     Unnecessarily Installed Packages
  5.     Concurrent and Ever-Running Batch Classes



  1.     Generate a report of issues found
  2.     Prioritizing the issues
  3.     Organizing the issues by complexity
  4.     Solutioning a quick-fix to the issues

Tools for Diagnosis

Some Common Tools for Diagnosis

  1.     Salesforce Health Checker (URL)
  2.     ApexPMD Tool (URL)
  3.     Checkmarx Apex Code Scanner (URL)
  4.     Salesforce Accelerators (URL)
  5.     Manual Org Assessment



1) Analyse and fix the record skew

  • Decentralization of records

2) Data Archival & Cleanup

  • Deletion of unnecessary data
  • Using third-party APIs (Amazon Cloud)

3) Fix the row lock issues

  • Avoid parallel processing
  • Using SOQL locks

4) Avoid the CPU Timeouts and/or Query Timeouts

  • Field Indexing
  • Using Async Apex for long running operations
  • Optimizing the query/report filters
  • Database refactorization

5) Uninstalling unwanted packages

6) Rescheduling the batches & schedulers

  • Analyse batch duration & change batch chunk size
  • Simultaneous running of non-related batches
  • Deciding the frequency

Here is the recording of the session.

Amit Chaudhary 