Changing Identity Provider without impacting the user experience


Your company wants to migrate from an on-premise Identity Provider to a cloud based identity Provider. In this scenario, I want to migrate users from OpenAM IDP to Salesforce IDP. Now, how can you switch to the new IDP (Salesforce) without impacting the user experience e.g the user should not reset his password.

Password Principle

Modern system are not storing directly the plain text password in their database or ldap store. Instead, a one-way cryptographic hash function is apply to the plain text password. This hash password is stored by the modern system.

Pre-required Steps

  • Export the user from OpenAM and import it into Salesforce using DataLoader and any ETL/EAI tools
  • Update the user object in Salesforce to add new custom fields:
    • SaltedHashPassword: store Salted Hash password from OpenAM (impossible to invert it back to it plain text password)
    • isPasswordCaptured: flag to indicate that the user has been migrated to the new Salesforce IDP
  • OpenAM is using SSHA e.g Salted SHA password as one-way cryptographic hash function. You need to implement this algorithm in Salesforce.
    Salted SHA (aka SSHA) is computed as follows:
    result = {SSHA}BASE64(SHA(password,salt),salt)
  • The password policy defined in OpenAM should be a subset or equivalent to the password policy defined in Salesforce

Proposed Solution

To have a smooth transition, we need to find way to capture the password entered by the user and call password API update from Salesforce to set the password for the migrated user (hash password in Salesforce as not accessible). The following diagram show the steps that are involved.

Salesforce Identity - Progressive User Migration scenario


Thanks for reading.

About Chenda Mok

19 years of hands on experience in software design and development with emphasis on Enterprise Application Integration (EAI), Services Oriented Architecture (SOA) and Identity Management (IDM) solutions. I’m a software engineer, member of the professional service delivery team working for Salesforce. Prior to this, I worked for Oracle as Solution Architect, through SeeBeyond(06/2005), then SUN’s acquisition (04/2009). After my master’s degree in computer science in 1997; I always delivered consulting on architecture, design, implementation on integration’s field. I’m interested in architecture using EAI/SOA/IDM/BPM/Cloud technologies, software development and Java’s related technologies. I may blog about my work/activities at Salesforce, but I do not speak for my employer, past, present or future.
This entry was posted in Salesforce and tagged , , , . Bookmark the permalink.