Youssef Kefal
3 min read · Apr 7, 2021


When most people think of Salesforce, they think of the following:

  1. Most powerful & #1 CRM
  2. Sales (Opportunities, Leads, …) & Services processes (Case Management, Knowledge, Field Services, …)
  3. Customer & Partner communities

There are probably other things you’d think of as well, but very few people think of Salesforce as being a security product.

Let me explain. Salesforce has a product, Salesforce Identity, which is used to secure access to Salesforce. It provides multiple capabilities:

  1. Multifactor authentication
  2. Standards-based protocols: OAuth 2.0, OpenID Connect & SAML
  3. Third-party authentication providers

You can even use a Salesforce Community to create a fully custom and branded sign-in and sign-up experience for customers and partners. This is probably the hidden gem of Salesforce Identity.

You can read more on the Salesforce Identity website.

If you dig a bit deeper into the documentation, you will find that you can also use Salesforce Identity to secure applications running outside of Salesforce. The magical link is the Connected App framework.

All of this is very promising and it already allows Salesforce customers to secure all kinds of applications (mobile apps, web apps and even IoT products).

Unfortunately, there are a few aspects of Salesforce Identity which are inherently incompatible with use outside of the Salesforce ecosystem:

  1. The Connected App framework is meant to connect outside applications to Salesforce. It’s not made for those applications to communicate with each other. The central point is always Salesforce.
  2. The multifactor experience in Salesforce is geared towards Salesforce’s own needs, meaning it’s made for your employees to use in order to access your Salesforce instance. You can use it with customers to varying degrees of customization, but you are fighting the fundamentals of why and how it was created.
  3. While you can use Salesforce as an Authorization Server (in OAuth terms), you cannot have JWT access_tokens, and until recently you could not use the authorization_code flow from a browser due to CORS limitations on the platform.

There are probably other limitations which may inhibit you from using Salesforce Identity as a central security system.

I have worked with Salesforce Identity for over 2 years, in maybe the biggest deployment to date.

Fundamentally, Salesforce Identity has a lot of the capabilities that other well-known players of the IAM/CIAM landscape (Auth0, Okta, ForgeRock, Ping Identity, …) claim to have. But they all come with very clear limitations.

This was the realization that drove me to create CYM Identity, a managed package which aims to remove some of the limitations and to add the missing capabilities.

The current focus of CYM Identity is to extend Salesforce Identity with:

  1. An OAuth2 & OpenID Connect provider with extra flows: CIBA, Resource Indicators, Dynamic Client Registration and Management, Session Management, …
  2. A focus on API security : JWT access_tokens, introspection, resource specific policies, …
  3. A simpler way to extend MFA to customers and partners using Twilio Verify or Push, …
  4. Step up authentication and contextual MFA (only apply MFA when needed)
  5. A simplified experience for developers using a curated list of pre-configured open source SDKs
  6. A unified interface which allows your administrators to control the different policies

There are probably many more things to do as the Salesforce Identity product evolves.

If you see a use case that is relevant to you, reach out to have a more in-depth conversation.

In the meantime, you can start your free trial today.


Youssef Kefal
Digital Identity specialist, Founder of CYM-Identity