Jan 04

First post of this new 2011, together with my best wishes for a happy new year.

In a recent post I illustrated how to configure StoneGate SSL VPN to perform ticket-based Single-Sign-On to SalesForce.com.

The interesting benefit of the solution is to keep secure authentication at home while granting secure authenticated access to SalesForce application in the cloud.

The solution described in that post, although powerful and secure, is a little lacking in usability, because the user must first log in to the StoneGate SSL VPN application portal and click the SalesForce application icon before, voilà, he’s in.

This post details how to use Device Definition in StoneGate SSL VPN to greatly improve overall usability and reach a quicker, smoother result while keeping security at the maximum level.

Device Definition makes it possible to detect a specific type of connecting device based on patterns identified in the HTTP request, such as Agent, OS, URL requested, path, etc.
We can therefore define a device type in Manage System > Device Definition based on the URL requested, as shown below:

This ensures that URL requests for https://salesforce.mydomain.tld are treated differently from others, according to the configuration in Manage Resource Access > Global Resource Settings > Client Access.

We will configure the Device Definition to point to specific pages for authentication and, once authentication is successful, straight to SalesForce with ticket-based Single-Sign-On.

We can retrieve the needed links (Authentication Page and Welcome/Application Page) by looking at the default login menu on the StoneGate SSL VPN Access Point and “building” the application link as described below.

Open the StoneGate SSL VPN Access Point page, move the mouse over the authentication methods, and copy the link of the authentication page you are interested in (StoneGate Password in this example).

As for the application link, supposing that your Web Resource for accessing SalesForce with Ticket-SSO is called MySalesForce, the direct link to the application will be:

https://sslvpn.mydomain.tld/https/MySalesForce

To define the Client Access parameters for the Device Definition, we just need to strip the host part from the URLs above. We therefore have:

Authentication link (Default Page): /wa/auth?authmech=StoneGate%20Password

Application link (Welcome Page): /https/MySalesForce

We can finally configure the Device Definition Client Access in Manage Resource Access > Global Resource Settings > Client Access - Add Device Settings… as shown below:

Click Add to finalize the configuration.

The last thing to do is to add a DNS A or C record that points to the StoneGate SSL VPN system when this URL is requested, so that requests are routed correctly.

The result of this configuration is that StoneGate SSL VPN intercepts the URL and, because of the Device Definition configuration, first directs the user to the configured authentication page. Once authentication is performed, it allows straight access to SalesForce using ticket-based Single-Sign-On.
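The derivation of the two Client Access values and the resulting flow, as an added example that is not part of the original post and not StoneGate's own code. The helper names `host_relative`, `client_access` and `landing_page` are hypothetical, and `landing_page` is only a simplified model of the behaviour described above:

```python
from urllib.parse import urlsplit

# Constructed sample values, taken from the hostnames used in the post.
ACCESS_POINT = "https://sslvpn.mydomain.tld"
SSO_HOST = "salesforce.mydomain.tld"
AUTH_LINK = ACCESS_POINT + "/wa/auth?authmech=StoneGate%20Password"
APP_LINK = ACCESS_POINT + "/https/MySalesForce"


def host_relative(link, access_point=ACCESS_POINT):
    """Strip scheme and host from a link copied off the Access Point.

    Path and query are returned as copied, so %20 stays percent-encoded.
    """
    ap, url = urlsplit(access_point), urlsplit(link)
    if url.scheme != "https" or url.hostname != ap.hostname:
        raise ValueError("not an https link on the access point: " + link)
    if not url.path.startswith("/"):
        raise ValueError("link has no path: " + link)
    return url.path + ("?" + url.query if url.query else "")


def client_access(auth_link=AUTH_LINK, app_link=APP_LINK):
    """The two values entered under Add Device Settings."""
    return {"Default Page": host_relative(auth_link),
            "Welcome Page": host_relative(app_link)}


def landing_page(requested_url, authenticated, settings):
    """Simplified model (an assumption, not vendor logic) of the result:
    requests for SSO_HOST match the Device Definition and get its pages;
    anything else returns None, i.e. the normal portal behaviour."""
    if urlsplit(requested_url).hostname != SSO_HOST:
        return None
    return settings["Welcome Page" if authenticated else "Default Page"]


if __name__ == "__main__":
    settings = client_access()
    for field, value in settings.items():
        print(f"{field}: {value}")
    url = "https://" + SSO_HOST + "/"
    print("before login ->", landing_page(url, False, settings))
    print("after login  ->", landing_page(url, True, settings))
```

The host check rejects a link copied from the wrong site (for example the salesforce.mydomain.tld alias itself), which would otherwise end up as a page value that does not exist on the Access Point.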

Secured Access to the Cloud, keeping Authentication at Home ;)

written by RoarinPenguin - 1,557 views

Feb 05

Time has come for a new tech dive for StoneGate SSL VPN, and today I’d like to share with you a nice tip concerning advanced techniques to manage the Single Sign On process with our splendid ;) solution.

The idea is to allow authentication based on a certificate; then, if a certificate attribute matches a user attribute in the user profile, we pass that parameter on for a Single Sign On operation.

Consider the following schema:

certificate-auth-sslvpn


written by RoarinPenguin - 2,619 views

Nov 12

Ticket SSO: what a splendid idea!


This is exactly the comment I heard from a prospect when I explained to him a possible use case for Ticket Single Sign On, IMHO one of the most interesting features of StoneGate SSL VPN technology… included at no additional charge ;)

To give him a realistic example, I asked him:
“Do you happen to use SalesForce in your company?”
I already knew the answer was yes :) but such small sales “segreti di Pulcinella” are useful to get immediate attention, therefore I use them quite often…

Of course he replied yes, so I began my story…


written by RoarinPenguin - 1,757 views