Friday, September 27, 2013

SAML Explained

So what is SAML? Well, SAML stands for Security Assertion Markup Language and has become the predominant way that enterprises perform internet-based Single Sign On (SSO) these days. It's been around for a while and there is plenty of documentation online that explains how it works. Still, somehow every time I talk to someone about SAML and SSO there is always some confusion. So here is an attempt at explaining the basic SAML flow in terms that you can hopefully remember.

Let's say that your rising kindergartner wants to join the soccer practice at school, what does he do? He goes to the teacher and asks if he could join the soccer practice. The teacher hands him a piece of paper and says please have your parents fill out this form and have them sign it. The kid brings that piece of paper to the parents, they look at it, consider his request, fill out the form, sign it and give it back to him, asking him to take it back to the teacher without messing with it. The kid takes the completed and signed form back to the teacher, who verifies it and lets the kid join the soccer practice. At the basic level this is exactly how SAML works -- just substitute the User for the kid, a Service Provider (SP) for the school teacher and an Identity Provider (IdP) for the parents.

Now, don't overthink the analogy or expand too much upon it; I'm sure you can poke some holes in it. Just use it to remember the basic flow of information.

When the User tries to access a protected resource at the Service Provider, the SP will check the user's domain and will generate a SAML Request, redirecting the user to the organization's Identity Provider. The IdP will verify the identity of the user (by way of login, if not already logged in), will generate a SAML Assertion (containing a Federated ID) and will send a SAML Response back to the SP. The SP will verify the SAML Assertion (the Federated ID), log the user in and provide access to the protected resource. Throughout these redirects the original URL of the protected resource that the User was trying to access is preserved and passed along as the Relay State (not directly as a URL, but as some binding to it). Once logged in (after verifying the SAML Assertion), the SP will forward the User to the original request URL as maintained in the Relay State. Here is a picture of the flow (borrowed from the article referenced below):

[Figure: SAML 2.0 - Service Provider Initiated SSO]

The above flow is known as Service Provider initiated SSO, in which the user first tries to access a resource at the SP and thereby initiates the flow. A variation of this is IdP initiated SSO, where the user logs in at the IdP and clicks on a link to access the Service Provider. In that case, the IdP generates the SAML Assertion when the user clicks on the Service Provider link and takes the user to the start page configured for the Service Provider. This start page at the SP should know how to validate the Assertion, automatically log the user in and redirect to the home page. There is no Relay State involved here.

The key to all this is that the Service Provider and Identity Provider have already established a trust relationship by setting up the required information, importing certificates, etc. at the time of setup -- similar to how the kid's school knows that you are the parent by requesting the child's birth certificate, completed and signed forms, etc. at the time of registration :)
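As an added example (not code from the original post), here is the SP side of the SP-initiated flow described above in Python: building the AuthnRequest and the redirect to the IdP with an opaque Relay State that maps to the original URL on the server, and the checks an SP runs on the returned Assertion before logging the user in and forwarding them. The entity IDs, endpoints and the IdP's Response are constructed for illustration, and the XML signature check, which relies on the certificate imported at setup time, is left to a SAML library.

```python
import base64, secrets, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
FMT = "%Y-%m-%dT%H:%M:%SZ"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"  # constructed SP identifier
IDP_SSO_URL = "https://idp.example.com/sso"            # constructed IdP endpoint
relay_store = {}  # RelayState token -> original URL, kept on the SP side

def build_redirect(original_url, now):
    """SP side: issue an AuthnRequest and the HTTP-Redirect URL that sends the user to the IdP."""
    req_id = "_" + secrets.token_hex(16)
    token = secrets.token_urlsafe(16)  # opaque RelayState; the URL itself stays server-side
    relay_store[token] = original_url
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{req_id}" Version="2.0" IssueInstant="{now.strftime(FMT)}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, as the HTTP-Redirect binding requires
    deflated = comp.compress(xml.encode()) + comp.flush()
    qs = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": token})
    return req_id, token, f"{IDP_SSO_URL}?{qs}"

def constructed_idp_response(req_id, now, federated_id="user@example.com"):
    """Constructed stand-in for the IdP's Response (unsigned; for illustration only)."""
    nb, noa = now.strftime(FMT), (now + timedelta(minutes=5)).strftime(FMT)
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'InResponseTo="{req_id}"><saml:Assertion><saml:Subject>'
           f'<saml:NameID>{federated_id}</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}"><saml:AudienceRestriction>'
           f'<saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>'
           f'</saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

def validate_response(b64_response, expected_req_id, relay_token, now):
    """SP side: content checks on the Response; returns (federated_id, original_url). XML-DSig
    verification against the IdP's certificate is mandatory in a real SP and is NOT done here."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.get("InResponseTo") != expected_req_id:
        raise ValueError("Response does not answer our AuthnRequest")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != SP_ENTITY_ID:
        raise ValueError("Assertion not addressed to this SP")
    ts = lambda k: datetime.strptime(cond.get(k), FMT).replace(tzinfo=timezone.utc)
    if not ts("NotBefore") <= now < ts("NotOnOrAfter"):
        raise ValueError("Assertion outside its validity window")
    fed_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS).text
    return fed_id, relay_store.pop(relay_token)  # Federated ID plus where to send the user next
```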

To understand in depth how SSO with SAML works in Salesforce.com, check out: 

For setting up SSO in Salesforce.com, along with examples of SAML Request and Response, Just In Time Provisioning, etc., check out the SSO Implementation Guide:
http://login.salesforce.com/help/doc/en/salesforce_single_sign_on.pdf

Finally, for setting up SSO for Desktop and Mobile apps with Salesforce, check out:
http://wiki.developerforce.com/page/Single_Sign-On_for_Desktop_and_Mobile_Applications_using_SAML_and_OAuth

Enjoy!

Sunday, September 22, 2013

Salesforce Certified Technical Architect - Part 2 Exam

This weekend I cleared the Salesforce Technical Architect certification part 2 exam and wanted to share my experience along with some tips and tricks. First of all, it's a great exam to take because of the breadth and depth of topics covered. As a technical architect you work on a number of areas over the years, such as requirements gap analysis, technical architecture, design and development, deployments, data migrations, performance tuning and troubleshooting, SSO, Web Services, SSL, firewalls, etc., and in preparing for the exam you will need to recollect a lot of that experience; something like remembering the difference between 2nd and 3rd normal forms can come in quite handy (if you are wondering what "normal forms" are, then you have some studying to do :)

Now, if you are just starting to prepare then the first place to look, of course, is the official Study Guide and especially Section 5: Recommended Training and References. One of the first things recommended there is the Dev 401 training; if you are pursuing the Architect certification you must have cleared the Dev 401 exam and should be well aware of the basics anyway. If you happen to be Dev 501 certified (or trained) it's certainly beneficial, but you don't have to be, and having hands-on experience working with Apex and Visualforce will do just fine. Integration is another key area and the Dev 502 training I'm sure is quite useful, but you can also refer to the online documentation and get enough information. Again, hands-on experience is a must because there were several questions around integration that required a lot of thought to answer. The rest of the resources refer to either online courses, webinars or technical articles - all of which are very good to know and highly recommended.

The next section in the guide - Section 6: Exam Outline - is IMO the most important section that you need to focus on. If you can read through the objectives and feel like "yeah, ok, I get this", then you are in good shape. If you are not aware of some of the concepts, then focus on those depending on how much weight is assigned. For example, a fourth of the exam is about Platform Architecture concepts, which means you should know about a broad range of concepts and details around Salesforce and the force.com Platform, such as how the force.com multi-tenant architecture works, what the different types of licenses and their nuances are, the differences between going with a single-org or multi-org strategy, large data volume considerations, i18n capabilities, etc. If you have read through this section of the guide, my recommendation is: please re-read it and make sure you understand _every_ one of the objectives.

The exam is 60 questions, multiple choice, and you have two hours to complete it. Most of the questions are quite long (6-8 sentences) and for a majority of them you have to choose 2 or 3 correct options out of 5. I would say the questions where you have to choose 3 correct answers are relatively easy compared to the ones where you have 2 correct choices, because it is easier to eliminate the two wrong ones than to pick two right ones. A good number of them required re-reading the question and choices several (>3) times; the rest I was able to get through mostly in one speed reading (or two). I was stumped on very few (say 3 or 4) because they were quite specific and I just didn't know the answer and ended up guessing (I checked them after I got home and sure enough I had them all wrong :)

Also, you have to keep an eye on the clock because time just flies. I got through only about 7 or 8 questions in the first 25 minutes (ramp-up time I guess!) but still managed to finish the exam with around 15 mins to spare and review some answers. So the key is: if you have to re-read a question and still can't figure out the choices, it's best to just mark it for review and come back to it at the end. Otherwise you might miss out on some easy ones. The other thing is, when you are stuck between two choices the answer is usually based on one or two key words in the question, so you might have to just review it quickly again. Also be sure to read ALL the choices (especially for the one or two correct choices) as there can be subtle differences between them. I say this because I didn't find any question to be ambiguous and felt pretty comfortable with my answer choices after I reviewed them. Overall it was a good experience and wasn't as bad as I had expected.

Good luck with the preparation!

UPDATE: Refer to the follow-up post for references to the study materials.