Salesforce Identity Flows

Salesforce supports Single Sign On (SSO), user authorisation and user, server or device authentication through a number of standard protocols including OAuth 2.0, OpenID Connect, SAML and delegated authentication:
[Diagram: Salesforce identity flows shown in context of the technologies involved. © Jesse Lingo. For more detail, see Diagrams of Identity Flows in Context.]

The following articles outline considerations relating to the supported technologies and implementation approaches:

Salesforce Single Sign On Flows - SAML, OpenID Connect and delegated authentication options to provide user SSO into Salesforce, or into another application using a Salesforce identity.

OAuth 2.0 Flows - OAuth 2.0 authorisation flows supported by Salesforce. These are split into those typically used for:

  • Browser Access - those which are typically used to allow a user to authenticate and authorise in real time.
  • Server Access - those usually used to enable a server application to get an OAuth access token without a user's direct involvement.
  • Device Access - used for scenarios where integration is required with an IoT device, which may not provide a full browser capable of supporting another OAuth flow.

OAuth 2.0 Login and Consent - Detail of authentication and authorisation steps involved in interactive OAuth 2.0 flows.

Salesforce Layered Flows - Illustrating how flows can be combined for a seamless user authentication experience.

TLS and Salesforce - Overview of how Transport Layer Security (TLS) assists with authentication security, and how further protections can be introduced with mutual TLS.


The level of detail and presentation style in official documentation varies quite a bit, so the diagrams are intended to give a consistent representation and make it easy to see key differences.

For some of the flows, for example OpenID Connect, official Salesforce documentation is very light, so the flows are based on protocol specifications, third party documentation and observations of browser traffic.

I put these together originally while preparing for Salesforce Technical Architect certification. The scope and detail are intentionally high level and cover the significant aspects to know for the CTA board. For detail around implementing these flows with Salesforce, the official documentation is usually best.

Authors, contributions and thanks

Many others have helped shape and improve the content in these sections.

TLS and Salesforce was co-authored with Martin Vyskocil, who suggested this to be covered and wrote the original draft. Charlie Guo and Gianluca Calcagni reviewed and contributed improvements.

Crystal Zhu recommended including information around the Client Credentials Grant flow and wrote this section.

Nicolas Vanden Bossche created the amazing Identity Flows Heroku App which describes and illustrates many of these flows in action.

Jesse Lingo created the fantastic diagrams showing how flows relate to one another in the context of the technologies involved. Read more about Jesse's work at Diagrams of Identity Flows in Context.

Early versions of most of this content were shared with the Salesforce Architect Trailblazer community in 2019, and were improved with input from many people, including Matt Morris, Charlie Guo, Nicolas Vanden Bossche, Shrey Tyagi, Melissa Shepard, Petr Svestka, Michael Eckert and others.

And I wouldn't have started down this road at all without the generous guidance and help from John Davies, who mentored and coached me through the CTA exam. I didn't realise how vaguely I understood identity concepts until talking these through in depth with John - these discussions helped me recognise that I needed to understand enough to be able to draw and explain flows myself, which led to the beginnings of the diagrams and notes here.

Thanks to everyone who's helped out. If you have any feedback or suggestions for changes, please get in touch!