Overview & Concepts

Building a Unified IAM Infrastructure
In large organizations, consolidating Identity and Access Management (IAM) systems from different vendors across various locations is a daunting and often impractical task. This is especially challenging for corporate groups and companies that frequently acquire new subsidiaries, resulting in fragmented information systems. Consolidation projects are typically long, costly, and rarely yield the expected results, leaving behind a mix of well-integrated systems and legacy systems that still need to function.

RCDevs addresses these challenges by offering a federated approach to IAM and Identity Provider (IdP) management. The RCDevs solution federates multiple IAM systems, integrating them into a cohesive meta-IAM platform. This top-level meta-IAM provides a unified view of all the underlying IAM systems, allowing seamless integration with cloud or on-premises services like email, VPNs, and OpenID Connect (OIDC). With this approach, there's no need for complex IdP cascading or password management, simplifying the IAM consolidation process.

For example, consider a corporate group, MyCorp, which has acquired two companies—one using Okta and the other using local Active Directory (AD) systems—while MyCorp itself uses Salesforce. RCDevs creates a meta-IAM that aggregates these disparate systems into a unified platform. This enables cross-IAM application access policies, unified UPN naming conventions, and centralized IdP services across the entire organization.

WebADM and External IAM Integration
With the introduction of WebADM version 2.3.20, RCDevs enhanced its platform with native integration capabilities for external IAM providers. Support for Salesforce was introduced in version 2.3.22 of WebADM. This feature allows organizations to synchronize accounts and groups from their cloud IAM providers into WebADM’s LDAP tree. The synchronization is one-way—from the external IAM provider to WebADM—preserving group memberships and allowing external identities to be added to locally defined groups within WebADM.

This functionality is especially beneficial in scenarios like mergers and acquisitions, where multiple IAM systems need to be unified. By synchronizing identities from various sources, WebADM creates a centralized user directory, enabling consistent security policies, seamless IT management, and group-based access control across the entire organization.

The benefits of this approach include simplified identity management, enhanced security and compliance, flexible group management, cost efficiency, scalability, and an improved user experience through a unified access platform.

In summary, RCDevs and WebADM provide powerful tools for overcoming the complexities of managing multiple IAM systems, enabling a cohesive, secure, and scalable identity management infrastructure.

Actions/permissions required on Salesforce

To perform operations such as locking a user account, checking or changing a Salesforce user's password, and retrieving user and group information using Salesforce APIs from WebADM, you'll need specific API permissions. These permissions must be granted through a Connected App in Salesforce, and the application must have the appropriate permissions described later in this documentation.

Connected App Registration

From the Salesforce setup console, go to Platform Tools-->Apps-->App Manager.

[Screenshot: App Manager]

Click on the New Connected App button at the top right of the page.
In the Basic Information section, provide the required information:

  • Connected App Name;
  • API Name;
  • Contact Email.

[Screenshot: New Connected App]

In the API (Enable OAuth Settings) section, enable the following settings:

  • Enable OAuth Settings;
  • Enable for Device Flow;
  • Callback URL: fill with https://login.salesforce.com/services/oauth2/success;
  • Enable Client Credentials Flow.

[Screenshot: OAuth Settings]

Click on the Save button.

Then, click on Manage Consumer Details.

[Screenshot: Manage Consumer Details]

This will require authenticating. You will receive an OTP by email that you need to provide to the authentication form.

[Screenshot: Identity verification form]

Click on Verify.

This will display your Consumer details. Take note of the Consumer Key and Consumer Secret. They will be needed when configuring WebADM.

[Screenshot: Consumer Key and Consumer Secret]

Permissions & Roles

The following section provides information on the permissions that need to be granted to your application for the different features available in the WebADM framework.

Synchronize Users and Groups Information

Use case: Synchronize users and groups from Salesforce within the WebADM Framework.

From the Salesforce setup console, go to Platform Tools-->Apps-->App Manager. Find the Connected App you created in the list, then click the corresponding ▾ button on the right and select 'Edit'.

[Screenshot: Edit the Connected App]

In Selected OAuth Scopes section, add Manage user data via APIs (api) to the Selected OAuth Scopes.

[Screenshot: Selected OAuth Scopes]

Click on the Save button.

Password verification with Salesforce

Use Case: Validate a user's password against Salesforce during an authentication that started in OpenOTP with a synced Salesforce account.

The first permission to grant is the ability for WebADM to authenticate as a specific user. This is done with the OAuth Username-Password flow. From the Salesforce setup console, go to Settings-->Identity-->OAuth and OpenID Connect Settings.
Enable the Allow OAuth Username-Password Flows setting.

[Screenshot: OAuth and OpenID Connect Settings]

Then, you need to edit Policies of the created Connected App. From the Salesforce setup console, go to Platform Tools-->Apps-->App Manager. Find the Connected App you created in the list, then click the corresponding ▾ button on the right and select 'Edit'.

[Screenshot: Edit the Connected App]

Click on the Edit Policies button.

[Screenshot: Connected App policies]

Then configure:

  • Permitted Users setting to All users may self-authorize;
  • IP Relaxation setting to Relax IP Restrictions;
  • Run As of Client Credentials Flow.

[Screenshot: OAuth policies]

Click on the Save button.
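The token requests behind the two flows enabled above (Client Credentials for synchronization, Username-Password for password verification), as an added example that is not RCDevs or WebADM code. It uses the standard Salesforce token endpoint path /services/oauth2/token; the login.salesforce.com host appears on this page only as the callback URL, and the My Domain host used for the Client Credentials Flow, the consumer key and secret, the sample account and the error codes handled are assumptions or constructed values, not taken from the page. The classification function treats only a 200 answer carrying an access_token as a successful verification and maps the common failure codes to outcomes a verifier can log without ever writing the secret or the password.

```python
"""Added example (not RCDevs/WebADM code): shapes the two Salesforce OAuth token
requests the Connected App above is enabled for and classifies the token
endpoint's reply. Endpoint path is the standard Salesforce one; the My Domain
host, consumer key/secret and account values are constructed placeholders."""
import json
from urllib.parse import urlencode

TOKEN_PATH = "/services/oauth2/token"   # standard Salesforce token endpoint path
FORM = {"Content-Type": "application/x-www-form-urlencoded"}


def client_credentials_request(my_domain, consumer_key, consumer_secret):
    """Token request for the Client Credentials Flow, used by a service account
    (here: the WebADM sync) that needs no user password. Assumption: Salesforce
    serves this flow from the org's My Domain host, e.g. 'mycorp.my.salesforce.com'."""
    body = {
        "grant_type": "client_credentials",
        "client_id": consumer_key,
        "client_secret": consumer_secret,
    }
    return {"url": f"https://{my_domain}{TOKEN_PATH}", "headers": FORM,
            "body": urlencode(body)}


def password_grant_request(consumer_key, consumer_secret, username, password):
    """Token request for the OAuth Username-Password Flow, the flow that the
    'Allow OAuth Username-Password Flows' setting turns on. A 200 reply with an
    access_token proves the credentials; when the goal is only password
    verification the token is a side effect and should be discarded, not stored."""
    body = {
        "grant_type": "password",
        "client_id": consumer_key,
        "client_secret": consumer_secret,
        "username": username,
        "password": password,
    }
    return {"url": f"https://login.salesforce.com{TOKEN_PATH}", "headers": FORM,
            "body": urlencode(body)}


def classify_token_response(status, body_text):
    """Map the token endpoint's reply to an outcome a verifier can act on.
    Salesforce answers HTTP 400 with an 'error' field on failure; only a 200
    carrying an access_token counts as a successful verification."""
    try:
        body = json.loads(body_text)
    except ValueError:
        return "unexpected_response"
    if status == 200 and "access_token" in body:
        return "valid"
    error = body.get("error")
    if error == "invalid_grant":            # wrong password, locked user, flow not allowed
        return "invalid_credentials"
    if error in ("invalid_client", "invalid_client_id"):
        return "app_misconfigured"          # consumer key/secret or policy problem
    return "unexpected_response"


def redact(request):
    """What may reach a log: URL and form field names, never the field values."""
    fields = [kv.split("=")[0] for kv in request["body"].split("&")]
    return {"url": request["url"], "fields": fields}
```

The split between request construction and reply classification keeps the part that handles the password small and testable: the caller sends the request with whatever HTTP client it uses, then hands only the status code and body to the classifier, and logs `redact(request)` rather than the request itself.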

User Account Lockout

Use Case: This permission is essential when using the Account Lockout feature in OpenOTP Badging. It is required if you have implemented an account lockout policy that blocks access while the user is not badged in. The account remains locked at the Salesforce level until the user badges in with the OpenOTP Token application or from the User Self-Service Desk web application.

From the Salesforce setup console, go to Platform Tools-->Apps-->App Manager. Find the Connected App you created in the list, then click the corresponding ▾ button on the right and select 'Edit'.

[Screenshot: Edit the Connected App]

In Selected OAuth Scopes section, add Manage user data via APIs (api) to the Selected OAuth Scopes.

[Screenshot: Selected OAuth Scopes]

Click on the Save button.

Password Reset/Update

Use Case: Passwords for Salesforce accounts synced in WebADM can be changed through the WebADM Framework. The system supports applying password policies, leak protections, and weak password detection to Salesforce accounts. Resetting a user's password from a third-party application requires admin rights due to the sensitivity and potential impact of this operation. In Salesforce, the permissions required to perform these actions generally involve administrative privileges.

From the Salesforce setup console, go to Platform Tools-->Apps-->App Manager. Find the Connected App you created in the list, then click the corresponding ▾ button on the right and select 'Edit'.

[Screenshot: Edit the Connected App]

In Selected OAuth Scopes section, add Manage user data via APIs (api) to the Selected OAuth Scopes.

[Screenshot: Selected OAuth Scopes]

Click on the Save button.

Salesforce configuration on WebADM

The Salesforce configuration on WebADM consists of:

  • Creating a Container, Organizational Unit, or Organization object in your LDAP tree where the Salesforce tenant will be synced.
  • Creating a WebADM User Domain and configuring the tenant information of your Salesforce tenant.

Container Creation

Let's first create the container where objects will be synced in.

Login on the WebADM Administrator Portal with a super_admin account, and click on the Create tab.
In this example, we create an OrganizationalUnit named Salesforce inside an existing Organization object named External Providers.

[Screenshot: Container creation]

Click Proceed and select the location of the OU. I created it within an organization object named External Providers, but you can place it wherever you prefer. Name your object, optionally provide a description, and click Proceed, followed by Create Object.
Your Organizational Unit should then be created and visible at the location you specified.

[Screenshot: Created Organizational Unit]

Domain Creation and Configurations

Username/UPN Concepts

The WebADM User Domain creation involves configuring the following key settings:

  • The User Search Base
  • The UPN Mode and optionally the UPN Suffix when the UPN Mode is set to Explicit.
  • The Directory Synchronization settings

The UPN Mode determines which part of the login name is synced into the login attribute.

Example for Clarification

Consider the UPN (User Principal Name) of a Salesforce account: testaccount@subdomain.salesforce.com.

  • testaccount is the UPN prefix.
  • subdomain.salesforce.com is the UPN suffix.

UPN Mode: Implicit vs Explicit

The UPN Mode can be set to either Implicit or Explicit. Here's how each mode works:

  1. Implicit Mode:
    In this mode, the testaccount value (the UPN prefix) will be stored in the login attribute. With this mode, users can authenticate using two different methods:

    • By providing username=testaccount and domain=suffix to the OpenOTP APIs.
    • By constructing a UPN with the UPN Suffix configured in the WebADM Domain object they belong to and logging in as username@upn_suffix.

This mode is the most flexible.
The UPN suffix can also be configured to work with the full UPN, even if it's not synced into the uid attribute.
With an Active Directory backend configured in WebADM, you must set UPN Mode to Implicit. Explicit mode cannot work, because the UPN prefix is synced into sAMAccountName and the full Salesforce UPN into userPrincipalName.

  2. Explicit Mode:
    In this mode, the full UPN (testaccount@subdomain.salesforce.com) will be stored as the login attribute. In this case, users must use the full UPN as their username to log in. The testaccount value (UPN prefix) alone cannot be used for authentication.

If the directory backend configured with WebADM is Active Directory, and you attempt to sync Salesforce accounts into Active Directory, the prefix of the UPN will be synced into the sAMAccountName attribute, while the entire Salesforce UPN will be synced into the UserPrincipalName attribute.
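The UPN Mode rules above, worked through in code as an added example that is not RCDevs or WebADM code: which value the sync writes into the login attribute for each mode and backend, and which of the two login forms then resolves to the account. The attribute names for the Active Directory backend (sAMAccountName, userPrincipalName) and the uid attribute for the generic LDAP backend are the ones named in the text; the WebADM Domain name Salesforce, the sample UPN and the simplified lookup are constructed for the example and do not reproduce WebADM's actual resolver.

```python
"""Added example, not RCDevs/WebADM code: models how the UPN Mode decides which
value is synced into the login attribute and which login forms then resolve,
following the rules stated in this section. Domain name, sample UPN and the
lookup logic are constructed for illustration."""


def split_upn(upn):
    """Split 'prefix@suffix' into its parts; a well-formed UPN has exactly one '@'."""
    if upn.count("@") != 1:
        raise ValueError(f"not a UPN: {upn!r}")
    prefix, suffix = upn.split("@")
    if not prefix or not suffix:
        raise ValueError(f"empty UPN component: {upn!r}")
    return prefix, suffix


def synced_login_attributes(upn, mode, backend="ldap"):
    """Attribute/value pairs the sync writes for the login name.
    mode: 'implicit' or 'explicit'; backend: 'ldap' or 'ad'."""
    prefix, _ = split_upn(upn)
    if backend == "ad":
        # AD always receives the prefix in sAMAccountName and the full UPN in
        # userPrincipalName, so there is nothing for Explicit mode to store.
        if mode != "implicit":
            raise ValueError("Explicit UPN Mode is not supported with an AD backend")
        return {"sAMAccountName": prefix, "userPrincipalName": upn}
    if mode == "implicit":
        return {"uid": prefix}
    if mode == "explicit":
        return {"uid": upn}
    raise ValueError(f"unknown UPN Mode: {mode!r}")


def build_directory(upns, mode, backend="ldap"):
    """Index synced accounts by their login attribute value, as a lookup would."""
    login_attr = "sAMAccountName" if backend == "ad" else "uid"
    return {synced_login_attributes(u, mode, backend)[login_attr]: u for u in upns}


def resolve_login(username, domain, directory, domain_config):
    """Simulate the two login forms the text describes and return the matched
    Salesforce UPN, or None. domain_config: {'name', 'upn_suffix', 'mode'}."""
    if "@" in username:
        # Form 2: username@upn_suffix. A suffix equal to the Domain's UPN Suffix
        # selects that WebADM Domain; in Implicit mode only the prefix is then
        # compared with the login attribute, in Explicit mode the full UPN is.
        prefix, suffix = split_upn(username)
        if suffix == domain_config["upn_suffix"]:
            domain = domain or domain_config["name"]
            if domain_config["mode"] == "implicit":
                username = prefix
    # Form 1: username and domain supplied separately to the OpenOTP APIs.
    if domain != domain_config["name"]:
        return None
    return directory.get(username)
```

Running the explicit-mode case shows the restriction the text states: the bare prefix `testaccount` with domain `Salesforce` finds nothing because the login attribute holds the full UPN, while the same request succeeds in implicit mode.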

With these concepts in place, we can continue by creating the WebADM User Domain object and configuring the Salesforce information.

Go to the Admin tab, select User Domains, and click Add Domain. Provide a common name to identify the cloud provider, such as Salesforce, and optionally add a description. Then, click Proceed followed by Create Object.

[Screenshot: Domain creation]

The domain object will be created, and you will enter the User Domain configurator. In the first section, configure the User and Group Search Bases to point to the Organizational Unit (OU) you previously created. In the UPN Suffix field, enter your Salesforce UPN ending with salesforce.com. This information can be retrieved from your tenant.

[Screenshot: Salesforce domain configuration]

Scroll down to the Directory Synchronization section.

[Screenshot: Salesforce tenant configuration]

  • In the Provider setting, select Salesforce;
  • In the Tenant ID setting, enter your Salesforce subdomain;
  • In the Client ID setting, enter the Consumer Key of the Connected App;
  • In the Secret Key setting, enter the Consumer Secret of the Connected App;
  • Choose the Sync Options that best suit your preferences for password synchronization, ensuring they align with the permissions granted to the application;
  • Finish by setting the Sync Period. By default, synchronization occurs every hour.

When the configuration is complete, click Apply to save your settings. You will be redirected to the Registered LDAP Domains menu, where your Salesforce domain should appear with a Sync Now button.
Click this button to start the synchronization process.

[Screenshot: Registered LDAP Domains with Sync Now button]

If any objects cannot be synced for any reason, an error message will appear in the synchronization output. For more details, consult the WebADM Server logs.

[Screenshot: Synchronization output]

Objects that have been successfully synced will appear in the left LDAP tree, as shown in the screenshot below:

[Screenshot: Synced objects in the LDAP tree]

That's it. The synced identities and groups can now be used with WebADM, along with its dependencies and integrations.