Nov 12

Ticket SSO: what a splendid idea!

SSL VPN, Tech dives

This is exactly the comment I heard from a prospect when I explained to him a possible use case for Ticket Single Sign-On, IMHO one of the most interesting features of StoneGate SSL VPN technology… included at no additional charge ;)

To give him a realistic example, I asked him:
“Do you happen to use SalesForce in your company?”
I already knew the answer was yes :) but such small sales “open secrets” (segreti di Pulcinella) are useful for getting immediate attention, so I use them quite often…

Of course he replied yes, so I began my story…

I told him: “we could offer you a solution to get rid of SalesForce username and password authentication, strengthening the whole system, no matter how the web form to authenticate is structured or defined… since we will disable it completely!”

The meeting is likely to turn into a sales success soon, but let me share the details with you so that you can replicate it at home (chez vous) ;)

Single Sign-On (SSO) is a session/authentication process that lets users enter their login credentials once; from that moment on, the SSL VPN system takes care of the subsequent automagic logins whenever the user accesses a back-end resource registered in that SSO domain, as shown in the schema below:

[Figure: TicketSSO-with-SalesForce]

The working logic is:

  1. The connecting client authenticates to the StoneGate SSL VPN Access Point and finds the resource for SalesForce within the dynamically populated portal. Direct access to the application can also be configured.
  2. The user's SSO login credentials are extracted and sent to the StoneGate SSL VPN Policy Service.
  3. A one-time-use token is generated.
  4. The token and the SalesForce username associated with the StoneGate SSL VPN account are sent in a login request to SalesForce.
  5. SalesForce sends a request to the StoneGate SSL VPN Policy Service to validate the one-time-use token.
  6. The token is validated and a response is sent back to SalesForce.
  7. SalesForce replies to StoneGate SSL VPN.
  8. StoneGate SSL VPN redirects the user to the SalesForce resource.
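To make steps 3 to 7 concrete, here is an added example of the exchange in Python. It is not StoneGate's or SalesForce's own code: the Policy Service is a stand-in that keeps opaque random tickets server side with a short lifetime (30 seconds is an assumption; a ticket only has to survive one redirect), the SOAP messages follow the shape of SalesForce's published delegated-authentication WSDL (namespace urn:authentication.soap.sforce.com, Authenticate request, AuthenticateResult/Authenticated response), and the way the real XPI Web Services encode the ticket is not described in this post, so treat the wire format here as illustrative. The user names and IP address are constructed sample data.

```python
"""Ticket SSO round trip with SalesForce delegated authentication.

Added example, not StoneGate's or SalesForce's code. Assumptions:
- the one-time ticket is a random opaque string stored by the Policy Service;
- SOAP message shapes follow SalesForce's delegated-authentication WSDL;
- TICKET_TTL is our choice, not a product setting.
"""
import hmac
import secrets
import time
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SF_NS = "urn:authentication.soap.sforce.com"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TICKET_TTL = 30  # seconds (assumed); the ticket only has to survive one redirect


class PolicyService:
    """Stand-in for the SSL VPN Policy Service: issues and validates tickets."""

    def __init__(self, ttl=TICKET_TTL, clock=time.time):
        self._tickets = {}      # ticket -> (salesforce_username, expiry)
        self._ttl = ttl
        self._clock = clock     # injectable so expiry can be exercised offline

    def issue_ticket(self, sf_username):
        """Step 3: mint an unguessable ticket bound to one SalesForce user."""
        ticket = secrets.token_urlsafe(32)
        self._tickets[ticket] = (sf_username, self._clock() + self._ttl)
        return ticket

    def validate(self, sf_username, ticket):
        """Step 6: accept only an unexpired, unused ticket bound to this user."""
        entry = self._tickets.pop(ticket, None)   # pop: a second use always fails
        if entry is None:
            return False
        bound_user, expiry = entry
        if self._clock() > expiry:
            return False
        # constant-time compare so the user binding cannot be probed byte by byte
        return hmac.compare_digest(bound_user.encode(), sf_username.encode())


def salesforce_authenticate_request(username, password, source_ip):
    """Step 5: the SOAP call SalesForce makes to the Delegated Gateway URL.
    In Ticket SSO the 'password' field carries the one-time ticket."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:urn="{SF_NS}">'
            '<soapenv:Body><urn:Authenticate>'
            f'<urn:username>{escape(username)}</urn:username>'
            f'<urn:password>{escape(password)}</urn:password>'
            f'<urn:sourceIp>{escape(source_ip)}</urn:sourceIp>'
            '</urn:Authenticate></soapenv:Body></soapenv:Envelope>')


def handle_delegated_auth(service, soap_request):
    """Gateway side of step 6: parse the request, validate, answer true/false.
    ElementTree does not resolve external entities by default; in production
    prefer defusedxml anyway, since this endpoint is reachable from outside."""
    root = ET.fromstring(soap_request)
    auth = root.find(f".//{{{SF_NS}}}Authenticate")
    if auth is None:
        authenticated = False
    else:
        username = auth.findtext(f"{{{SF_NS}}}username", "")
        ticket = auth.findtext(f"{{{SF_NS}}}password", "")
        authenticated = service.validate(username, ticket)
    verdict = "true" if authenticated else "false"
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
            f'<AuthenticateResult xmlns="{SF_NS}">'
            f'<Authenticated>{verdict}</Authenticated>'
            '</AuthenticateResult></soapenv:Body></soapenv:Envelope>')


def salesforce_reads_result(soap_response):
    """Step 7: SalesForce decides whether to open the session."""
    root = ET.fromstring(soap_response)
    return root.findtext(f".//{{{SF_NS}}}Authenticated") == "true"


def ticket_sso_round_trip(service, sf_username, source_ip):
    """Steps 3-7 end to end, then the very same request replayed once.
    Returns (first_attempt_ok, replay_ok); the replay must be False."""
    ticket = service.issue_ticket(sf_username)
    request = salesforce_authenticate_request(sf_username, ticket, source_ip)
    first = salesforce_reads_result(handle_delegated_auth(service, request))
    replay = salesforce_reads_result(handle_delegated_auth(service, request))
    return first, replay


if __name__ == "__main__":
    svc = PolicyService()
    # constructed sample data
    print(ticket_sso_round_trip(svc, "alice@example.com", "203.0.113.10"))
```

Three properties carry the security of the scheme and are the ones to check on a real deployment: the ticket is consumed on first validation (a captured login request is useless afterwards), it expires within seconds, and it is bound to the SalesForce username so that a ticket issued for one user cannot be presented with another user's name. On top of that, the Delegated Gateway URL is an unauthenticated endpoint exposed to the Internet, so it belongs behind the trusted server certificate the post mentions and, where possible, a source restriction to SalesForce's address ranges; the sourceIp field can additionally be compared with the address the VPN Access Point presents to SalesForce.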

The high-level steps to implement this cool configuration are reported below.

On StoneGate SSL VPN:

  • define an SSO Domain with User name and Ticket as attributes
  • add a trusted Server Certificate
  • enable XPI Web Services on Policy Service
  • configure the Web Resource for SalesForce SSO

On SalesForce:

  • create a new profile enabling the API
  • assign the profile to a user
  • define the Delegated Gateway URL to point to the Web Resource defined on the StoneGate SSL VPN Access Point
  • optionally, it is also possible to enable Outlook Plug-In Setup

And then… well, it just works ;)

Now, do you agree with me that Ticket SSO is really a splendid idea?

Network Security. Simplified!

written by RoarinPenguin - 918 views
