Salesforce Identity service connects users to Web and mobile apps through the vendor's cloud platform. But does it fit with Active Directory?
Plenty of businesses rely on Active Directory and other LDAP-based directory services to manage employee access to applications and servers behind the corporate firewall. But how are they managing the chaos brought on by the cloud and BYOD movements, with Web-based and mobile-enabled apps ranging from Gmail and Box to Concur, Workday and Office 365?
Salesforce.com on Tuesday announced the general availability of Salesforce Identity, the identity management service it announced more than a year ago at Dreamforce 2012. The extended beta period was used to consult with customers and test the services at scale, with at least 70% of Salesforce.com customers already using aspects of the service such as Mobile Identity, according to Chuck Mortimer, a Salesforce VP of product management.
"It's not as straightforward as a beta because we've opened up a series of platform services that we already use for all of our customers," Mortimer explained in a phone interview with InformationWeek. "With Mobile Identity, for example, we've used that to deliver our own mobile applications, and we're extending that now to any application that wants to plug into our app ecosystem."
Salesforce Identity extends to third-party Web and mobile apps the consistent, platform-based identity services Salesforce customers are used to as the gateway to more than 1,900 AppExchange apps. Customers wanted the ease and convenience of Salesforce's single-sign-on access controls extended to a wider universe of unsupported apps and resources brought on by the cloud, shadow IT and mobility trends, Mortimer said.
Salesforce Identity is not designed for client-server apps and is not intended to be a replacement for Microsoft Active Directory and similar products. Rather, Salesforce says a connector lets you take advantage of the identities, roles and access privileges set up in LDAP directories and extend them to cloud and mobile apps through Salesforce Identity.
Salesforce did not release a formal list of supported apps, but it said Identity relies on open standards including SAML (Security Assertion Markup Language), OAuth, OpenID Connect and SCIM (System for Cross-domain Identity Management) that will enable the service to be extended and customized via open APIs.
The Identity service presents a single management console (familiar to Salesforce administrators) through which admins can provision cloud-based services, custom or packaged mobile apps and even Web-based apps deployed on-premises. Employees then log in once and gain access to otherwise disparate collections of apps such as ADP, Dropbox, SugarCRM and Zendesk as well as everything on the Salesforce platform.
The Identity console can be used to set higher-level access controls for certain apps, such as two-factor authentication. And when employees leave a company, a Freeze button lets administrators lock users out of all apps immediately.
Basic Salesforce Identity services are free for Enterprise and Unlimited Edition licensed users of Salesforce Sales, Service and Marketing cloud services. The catch is that this does not include the connector to existing identity directories, which adds a charge of $1 per user, per month. Lower-level subscribers and employees who do not use Salesforce applications can use the service at $5 per user, per month.
The service includes a brandable log-in page and App Launcher portal from which companies can present managed, single-sign-on apps.