Given a scenario, recommend the Salesforce technologies that should be used to provide identity to the third-party system (Canvas, Connected Apps, App Launcher, etc.).
...
Canvas
Canvas enables you to integrate a third-party application into Salesforce. Canvas is a set of tools and JavaScript APIs that can be used to expose an application as a canvas app. New or existing applications can be made available as part of the Salesforce experience.
The following authentication methods can be used:
Signed Request
OAuth 2.0
The Canvas framework includes an SDK that can be used to authenticate apps and retrieve data from Salesforce.
Signed Request Authentication
This is the default authorization method for canvas apps. The signed request authorization flow varies depending on the value of the canvas app's Permitted Users field:
Admin Approved users are pre-authorized
Users don't need to approve or deny access; the app is accessible as soon as an administrator installs and configures it.
Salesforce performs a POST to the canvas app with all authorization information contained in the body of the signed request, including the request token.
All users may self-authorize
The app is accessible to all users, but each user is prompted to approve or deny access.
If the user has approved the app previously and access has not expired or been revoked, Salesforce performs a POST to the canvas app with the signed request payload.
If the user has not approved the app, or if access has been revoked or expired, Salesforce performs a GET to the canvas app URL. The canvas app must handle the GET by accepting the call and looking for the URL parameter _sfdc_canvas_authvalue. If the canvas app receives this parameter value, it should initiate the approve or deny OAuth flow. After the user approves, the canvas app should call the repost() method with a parameter of true to retrieve the signed request.
Considerations
Salesforce performs a GET or a POST depending on the Permitted Users value.
Server-side code is needed to verify and decode the signed request.
Using the SDK, a signed request can be requested on demand after the app is invoked.
A signed request is a string with the following elements concatenated:
Canvas app consumer secret encrypted with HMAC SHA 256 algorithm
A period (“.”)
The context and authorization token JSON, encoded in base64
Flow
OAuth Authentication
Two options are available: the Web Server authentication flow and the User-Agent authentication flow.
Considerations
Salesforce performs an HTTP GET when invoking the canvas app URL.
With User-Agent OAuth, all authorization can be performed in the browser (no server-side code is needed).
Flow
SAML SSO
Whether signed request or OAuth authentication is chosen, SAML-based SSO can be used to provide users with a seamless authentication flow.
SAML SSO enables automatic authentication into the canvas app via SAML and authentication into Salesforce via the signed request.
We can create a canvas app that begins a standard SAML authentication flow when opened by a user. After this process completes, the user is authenticated into the web application.
Exposing Connected App as a Canvas App
A connected app can be exposed as a canvas app.
Steps
Create connected app
In the Canvas App Settings section, select Canvas to expose the connected app as a canvas app.
Enter the canvas app URL of the third-party app; the user is redirected to this URL when clicking the link to the canvas app.
Select the access method:
Signed Request
OAuth authentication is used.
Users are not prompted to allow apps to access their information.
Authentication is posted directly to the canvas app URL.
Do not select "Perform requests on your behalf at any time" for OAuth scopes.
OAuth Webflow
OAuth authentication is used.
Users are prompted to allow apps to access their information.
The canvas app must initiate the OAuth authentication flow.
If SAML SSO is used for authentication, select the SAML Initiation Method (this requires Enable SAML in Web App Settings). Options are:
IdP initiated
SP Initiated
Select where the canvas app appears to users. Available options are Chatter Feed, Chatter Tab, Console, Layouts and Mobile Cards, Mobile Nav, Open CTI, Publisher, and Visualforce Page.