Architect Journey: Identity and Access Management
SAML Assertion Flow for Accessing the Web Services API
- Clients can federate with the API using a SAML assertion (same way as SSO) - Experience Cloud sites don't support this flow - Authentication through this flow doesn't invoke login flows
Interview-based login pattern
- multiple identity providers - IdP choices are easily forgotten - uses other info (name, email, member id) other than username to determine what IdP is associated with the user
What are the 3 redirect policies when you have setup a My Domain policy?
1. Redirect to the same page within the domain - allows users to still access the instanced URL 2. Redirect with a warning to the same page within the domain 3. Don't redirect
What Role Do I Play with Connected Apps?
1. connected app developer - Salesforce developer or ISV who builds API integrations or external apps 2. connected app admin - install, uninstall, and—when necessary—block connected apps from the Salesforce org
What other data can a connected app query for?
1. user information (i.e. photo, accessible API endpoints) 2. OpenID Connect configuration 3. SAML Authentication Settings
What is the maximum number of days you can retrieve data in Event Monitoring Analytics app?
30 days
How does Salesforce store information about businesses and individuals?
Salesforce stores business information in business accounts, and individual information in person accounts
Can We Have Production and Sandbox Orgs in the Same Environment?
No. You can set up Identity Connect to manage multiple production orgs. And you can set up Identity Connect to manage multiple nonproduction orgs.
What is the key difference in the flow between OpenID and OAuth?
OAuth's end game is sending the access token, while OpenID sends the access token PLUS id token then sends the user profile back to the client application
How can identity connect work with SSO if users are using salesforce outside your company network?
Put Identity Connect in DMZ, so users doesn't have to connect to VPN
What are examples of OAuth Scopes?
api chatter_api full id refresh_token web
Where can you see OAuth 2.0 Authorization Errors?
error code to the callback URL with an error code
What are supported Auth. Providers for Social Sign-On?
facebook, janrain, salesforec, open ID connect
True or False. All OAuth authorization flows, except for the SAML Assertion flow, require you to define a connected app
True
True or False. Identity Connect connects with Salesforce over REST APIs
True
True or False: You can give the profile name as the profileId attribute for JIT user provisioning
True - if profile name is unique in the org. salesforce will lookup to the corresponding profileid
Where can you set the login service that you want each user to have?
User record > Authentication Service field
What does Salesforce as Authentication Provider mean?
users can log in to their custom external web app using their Salesforce credentials
How does Single Logout work?
users can log out from single application and be automatically logged out from all connected apps
What can an Event Monitoring Analytics User do?
view Event Monitoring Analytics app
***SECURITY BASICS***
not started
What is the difference between ADFS and Identity Connect
- ADFS doesn't do auto user sync unless you implement a JIT along with it at log-in time - ADFS doesn't disable/deprovision users - Salesforce1 session does not terminate on ADFS which can be a security threat
What are examples of events monitored by Transaction Security?
- API events to prevent unauthorized exports - List View events - Login events to block logins from unauthorized browsers, unsupported locations and specific device types - Report events like views and exports
What are the actions or policies you can take?
- Block the operation - Require high-level assurance using multi-factor authentication - Do nothing (useful for testing) - Policy notifications: email, in-app notification, both
What do you need to setup in Salesforce if it is the IDP?
- Connected App so that the 3rd party app (SDP) can connect to salesforce to send request to authenticate the user. - Connected App must have a Start URL
What is the difference between data masking and data encryption?
- Data masking prevents developers or other users from viewing sensitive data in the user interface or exporting it as plain text. - Data encryption prevents malicious attackers from accessing or interacting with sensitive data at rest in the data center.
What security controls control storing of user logins?
- Enable caching and autocomplete on login page - Enable user switching - Remember me until logout
How do you add a connected app to App Launcher?
- Go to Connected App - Assign a Start URL (same as IDP login url). - Add either the profile or permission set that can have access. This will make the App appear on the App Launcher for the logged-in user session
What is not secured in a user-agent flow compared to the web server flow?
- In user-agent flow, the access token is in the callback URL which is exposed to the user and other apps. - To mitigate: Use javascript window.location.replace() to remove the history from the user's browser. - To mitigate: salesforce doesn't use client secret, rather authorization is based on the user-agent's same-origin policy
How frequently does updates on AD sync with Salesforce?
- LiveUpdate: every 15 seconds - scheduled update
What do you need to purchase to be able to use Transaction Security?
- Salesforce Shield or - Salesforce Shield Event Monitoring add-on
What are other security tools?
- Security Center - does not come OOTB - Salesforce Optimzer
What are example use cases for event monitoring?
- monitor data loss - increase adoption - optimize performance
OAuth 2.0 Device Flow for IoT Integration
- To integrate apps that run on devices with limited input or display capabilities (instead is redirected to a browser) - Command-line apps can also use this flow - Steps: 1. Device (via connected app) sends an authorization request to the Salesforce token endpoint (response_type = device_code) 2. Salesforce returns a human readable code, verification URL, and device code 3. User then authenticates and authorizes by navigating to the URL and entering the code 4. Then user is asked to log-in and Allow access to data 5. While that is happening, the device polls the salesforce endpoint to check whether the user has authorized access and whether the authorization server has sent the access token 6. Salesforce responds with the access token 7. Then the device accesses the user's data
What permission sets are needed to access Real-Time Event Monitoring?
- View Real-Time Event Monitoring Data (view events) - Customize Application (manage transaction security)
What can an Event Monitoring Analytics Admin do in Event Monitoring Analytics app?
- access event monitoring apps and templates - use analytics templated apps - edit dataflows
How can you apply dynamic branding (i.e. on log-on screen) for a single community site?
- add a query parameter {expid} into the login url. Get this using a method Site.getExperienceId. You can also dynamically drive the behavior of registration, business logic and user experience - embedded login (Sprint 18). Javascript framework (if not using SAML) - SAML flow
What do you need to do to enable self-registration for person accounts?
- add business and person account record types to your public access settings - make sure to remove the default Account in Sites > Administration > Login & Registration
What is OpenID Connect protocol?
- adds an authentication layer on top of OAuth 2.0 - OpenID Connect sends identity information from one service to another - social sign-on
What is OAuth 2.0 protocol?
- allow secure data sharing between applications - user works in one app but sees the data from another - Salesforce org gets contacts from another service also uses OAuth
What is Transaction Security?
- allows for setting policies on certain events that are monitored in real-time. - when a policy is triggered notification is sent through email or in-app notification - consist of events, notifications, and actions
What is required to implement mobile-first identity with text messages (SMS)?
- any user license - add-on license for Identity Verification Credits
What are uses cases for real-time event monitoring?
- audit user activity - enforce security policies - track application performance
What are benefits of OpenID Connect for business?
- automate/simplify user creation - reliable source of user details - reduce helpdesk interactions
How can external users manage external users?
- by giving them delegated external user administrator permission - must have licenses: partner community and partner portal, customer portal manage and customer community plus
What are some SSO debugging tips?
- check login history (if there's no entry then it means that federation id might be missing as it didn't come through at all) - ensure that your user has federation id - use SAML Assertion Validator - use Firefox "SAML Tracer" plugin
What else can you customize with the Login Discovery Handler?
- check the user's browser state and/or location of where they login using LoginDiscovery.login method
What are additional JIT attributes for communities?
- community url
What are two ways to create transaction policy?
- condition builder - apex
OAuth 2.0 Authorization and Session Management for Hybrid Apps
- connects the access and refresh tokens with the web session to give hybrid apps direct web session web management - Mobile SDK 9.1 supports OAuth 2.0 hybrid app flows - Steps: key difference with other flows are 1. response_type = hybrid 2. When Salesforce responds with the access token, it also includes the session ids 3. the hybrid app sets the session ids in the session cookies
Identity Connect capabilities
- constantly monitors AD and updates Salesforce when changes in AD occur - near real-time or regular schedule - one direction, AD is the source of truth - automated creation of users and assigning of permission sets - can work with SSO using the same AD credentials - automatic de-provisioning of users - map additional user attributes - mapped profiles, permission sets, roles, and public groups in Salesforce
What are the Custom Attributes under the connected app?
- contains list of user attributes that the IdP passes to the service provider/subscriber app/org - the subscriber uses this list of attributes in the "Just-In-Time Provisioning" handler class (Auth.SamlJitHandler) to create the user record in the subscriber org - most importantly that user record is created with the same federation id as in Hub org
What are two readily avaialable apex class methods for creating community users?
- createPortalUser(user, accountId, password) lets you create an external user associated to a Customer or Partner account - createPersonAccountPortalUser(user, ownerId, password) lets you create an external user associated to a Person Account
What is "Just-In-Time" provisioning dynamic user management?
- creates new user automatically - these attributes are required: username, email, lastname, profileid - for external users, following additional attributes are required: contact account, contact last name, contact email, portal role (for CCP license) - consider creating a de-provisioning process as well
What is Custom Baselines
- custom security baselines xml files that you can import
What is the capability of External Identity license?
- customers and partners can self-register, log in, update their profile, and securely access web and mobile apps with a single identity - comes with Community license
How should the webservice use for delegated authentication be deployed to it's accessible by Salesforce?
- deploy the web service on a server in your DMZ - use your server's external DNS name when entering the delegated gateway URL in Single Sign-On Settings - make your web service available by TLS - A certificate from a trusted provider, such as Verisign or Thawte, is required
How does Session-based permission sets work?
- enables a permission only when a session is activated - a permission set with "Session Activation Required" ticked - a session is enabled when a record is inserted on SessionPermSetActivation object - can activate a session using an API or flow (flow can be embedded on an App page)
OpenID Connect Dynamic Client Registration for External API Gateways
- enables resource servers to directly register client apps as connected apps with Salesforce - external apps are able to send request through an external API Gateway - Steps: 1. Pre-required setups before the flow can work: - create a connected app for the API Gateway with an initial access token - create the API Gateway on MuleSoft's Anypoint Platform (with the initial access token) 2. To initiate the flow, API Gateway registers a connected app with the Salesforce dynamic client registration endpoint 3. After successful registration, Salesforce responds with the registered connected app metadata 4. API Gateway then sends a request to Salesforce authorization server to approve the registered app 5. Salesforce then responds with an access token 6. API Gateway sends a request to the Salesforce token introspection endpoint to validate the access token 7. After successful validation, API Gateway then grants access to protected data
What are benefits of OpenID Connect for users?
- fewer usernames and passwords to remember - quicker login - reduced registration effort
How does Field Audit Trail works?
- field history is archived into the FieldHistoryArchive big object - you set the retention of that data on HistoryRetentionPolicy (up to 10 years) - it extends the number of fields that can be tracked from 20 to 60
How is a secret created?
- generated by a processor called HSM (hardware security module) - stored in a USB stick which is stored in a bank safety deposit box
How does salesforce determine what is the IdP to prompt for a particular user who logged-in using other info (other than username)?
- in the user record, there is a field called "Authentication Service" where you can set what is the IdP for that user - the Login Discovery Handler queries the user record to determine the Authentication Service
In Shield Platform Encryption space, what are keys and secrets?
- keys is a string of bits that is used to scramble and unscramble data - secret is another layer of protection to verify/double-check the key
What are Connected Apps?
- metadata framework for describing applications to the salesforce platform - captures the app's basic information, capabilities, protocol, urls - these info provide context of the app and allows the app to be displayed, managed and audited
What is Real-Time Event Monitoring?
- monitor and detect standard events in near-real-time - requires an add-on license - events are streamed thru platform events and and stored in big objects - examples of events: reports, list views, logins, API calls, when records are modified
Which features require My Domain?
- multiple salesforce orgs in one browser - SSO with external identity providers - Social Sign-on - use lightning components in Lightning component tabs, Lightning page, the Lightning App Builder, or standalone apps - Use Financial Services Cloud, Health Cloud, or Work.com
Where is identity connect deployed?
- on-premises software that sits behind your firewall and pushes data to Salesforce - server runs within the corporate network and communicates with the AD server over LDAP(S) - AD is in your protected network, while Salesforce Identity Connect is in DMZ - it communicates to Salesforce via HTTPS
OAuth 2.0 Username-Password Flow for Special Scenarios
- passes credentials back and forth - The connected app requests an access token by sending the user's login credentials to the Salesforce token endpoint
What is Lightning Login?
- password-less login - uses authenticator app - use either fingerprint or password pin
What are additional JIT attributes for portals?
- portal_id - organization_id
What are additional JIT attributes for sites?
- portal_id - organization_id - siteurl
What is Event Monitoring Analytics App?
- pulls its data from Salesforce event logs - provides dashboards - identify suspicious behavior, slow page performance, and poor user adoption - draw the reports/dashboards you need based on your answers on configuration wizard - allow setting of email notifications on KPIs right on the dashboard
How can you customize further the Login Discovery Handler to determine social sign-on login?
- query the ThirdPartyAccountLink (TPAL) standard object which contains records of third-party account links generated when users authenticate using Auth. Providers - redirect the user to login either via facebook or linkedIn if it finds the associated user's email
OAuth 2.0 Refresh Token Flow for Renewed Sessions
- renews access tokens issued by the OAuth 2.0 web server flow or the OAuth 2.0 user-agent flow
OAuth 2.0 SAML Bearer Assertion Flow for Previously Authorized Apps
- similar to a refresh token flow within OAuth, but doesn't use refresh token - Salesforce validates the signature using the certificate registered for the connected app
OAuth 2.0 Web Server Flow for Web App Integration
- the server hosting the app must be able to protect the connected app's identity by the client ID and secret - Steps: 1. the external web service sends an authorization code request to Salesforce. The request is an HTTP redirect with parameters (i.e. client_id, response_type, reques header, request_uri, ect.) 2. Once salesforce receives and validates the request, it asks the user to log into Salesforce and grant access to the app (Allow Access page with Deny/Allow button) 3. After the user clicks the "Allow" access, salesforce grants authorization code to the external web service app (with callback URL and code) 4. The connected external app then sends a POST request back to Salesforce with the authorization code (and client id and secret) 5. Salesforce then responds with JSON format response including the access token (as well as scope, refresh token, ect.)
What is Delegated Authentication?
- use case: for employees - Salesforce uses an LDAP (Lightweight Directory Access Protocol) server that manages the password and policies - you integrate your org with your LDAP server by wrapping the LDAP server in a SOAP-based web service - Salesforce immediately disposes of the password without storing, logging, or viewing it. - With delegated authentication, a user can experience a slight delay when logging in while the user account becomes available in the org.
Hub-Spoke pattern
- user is authenticated on a salesforce hub - hub permits access to spoke salesforce orgs - hub serves as the identity proterm-106vider
OAuth 2.0 User-Agent Flow for Desktop or Mobile App Integration
- users authorize a desktop or mobile app to access data using an external or embedded browser - Steps: 1. The connected app (in this case triggered when user accesses the mobile app) redirects the user to the authorization endpoint 2. Once salesforce receives and validates the request, it asks the user to log into Salesforce and grant access to the app (Allow Access page with Deny/Allow button) 3. After the user clicks the "Allow" access, salesforce redirects users to the callback URL which includes the granted access token (the parameters of the URL comes after the hash tag #)
OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration
- uses a certificate to sign the JWT request and doesn't require explicit user interaction - require prior approval of the client app - flow never issues a refresh token - Steps: 1. Create a X509 Certificate that will be used later on to sign the JWT (JSON Web Token). Use the certificate as signing certificate of the connected app in Salesforce 2. Build an app that generates JWT and signed with the X509 Certificate 3. Once that is all setup, the connected app posts a request to Salesforce with JWT in the post 4. Salesforce validates the JWT with the signature in the certificate 5. Assuming JWT is valid, Salesforce determines if there is prior approval and then sends a response with the access token
OAuth 2.0 Asset Token Flow for Securing Connected Devices
- uses asset token for verifying and securing requests from connected devices - registers the device and maps it to Salesforce CRM data (i.e. customer info) - the access token and actor token is received by Salesforce, in exchange for an asset token
What is Cross-Origin Resource Sharing (CORS) used for?
- when web applications requests resources from origins other than their own - example: a web page can use CORS to request information about a user from your My Domain or Experience Cloud site
What are archived tenant secrets?
- when you generate a new secret, the existing one gets archived - it cannot be used to encrypt new data - but it can decrypt the data that was previously encrypted by it
What is the advantage of using Just-In-Time provisioning over SAML for community users?
- you don't have to manually create the account record during the first-time log-in of the user - when user logs in using SSO credentials, the identity provider will send the user details to salesforce - salesforce either finds a matching existing federation id (with account, contact and user) or creates a new account (with contact and user)
What are the 3 types of token?
1. Access - short-lived, relevant on to a user's current session 2. Refresh - long-lived which is used to get access token; can be revoked 3. ID token - used for OpenID Connect
In community site, where do you configure the log-in settings?
1. All Sites > Workspace > Administration 2. Login & Registration 3. You can setup: Login Page Type, Login Prompt, Login Discovery Handler 4. Tick options of Identity Provider - this is the buttons of IdP that appears on the login page (but if you are using interview-based, user doesnt need to remember what to select here, this can be hidden)
What are some MFA methods?
1. Built-in Authenticator (touch id, face id, windows hello) 2. UTF Security Keys - a key that is inserted into a port on the computer or mobile device 3. Generate temporary verification code - for users who can't access their verification method; has an expiration date
How do you setup embedded login to drive registration, login, business logic and user experience for community users?
1. CORS - add the sites which we are going to allow 2. setup a connected app (imp. callback URL and scope) 3. Update the html of your website that will connect to community. Add the ff meta name (in html format) - salesforce-community - salesforce-client-id - salesforce -redirect-uri - salesforce-mode (i.e. modal) - salesforce-target - salesforce-login-handler (calls a javascript event) - salesforce-logout-handler (calls a javascript event)
What are two ways to encrypt data?
1. Classic encryption - encrypting data in an encrypted field. Uses 128-bit Advanced Encryption Standard (AES) keys 2. Shield Platform encryption - encrypt data at rest; 256-bit AES key
What are the 3 general steps of all Oauth flows?
1. Client app requests access to a protected resource 2. Authorizing server grants access tokens to the client app 3. Resource server validates the access token and grants access to the protected resource
How to create basic login flow?
1. Create a flow 2. Create a Login Flow from Setup > Security Controls - assign the flow, license and profile
What are 2 system permissions you need to enable Shield Platform Encryption?
1. Customize Application 2. Manage Encryption Keys
How does Login Discovery work?
1. Determine the identity of the user, which can be by username, email address, phone number, or a custom identifier that you define. 2. Challenge the user to verify their identity through password-less methods: - verification code sent to email/sms - social network credentials - Salesforce Authenticator - TOTP - physical device like yubikey OR using password
What are the different ways to download event log files?
1. ELF browser - download button 2. curl script - allows you to schedule when you want to run the script of downloading, perform transformations 3. python script - easier for Windows user
What verification types can be done in mobile-first identity?
1. Email verification - comes free 2. Text message - extra cost (add-on license Identity Verification Credits)
How to setup Salesforce as Identity Provider?
1. Enable Salesforce as Identity Provider (Setup > Identity Provoder > Enable Identity Provider button) 2. Get information about the service provider (Entity ID, ACS URL, Subject Type, Start URL(optional)) 3. Create a connected app with the details of the service provider (note: Subject Type is federation id, ect.) 4. Download the metadata to share with the service provider 5. Map Salesforce users to connected app users (i.e. federation id)
How to setup delegated authentication?
1. Enable delegated authentication for your org. 2. Build your web service - download the Delegated Authentication Web Services Description Language (WSDL) file to test server stubs 3. Specify your delegated authentication gateway URL (in SSO Settings). 4. Enable permissions. 5. (Optional) Record login attempts.
Two ways to use Mobile Apps as Connected App
1. End-user Authentication - end-user is asked to authorize the app. This setup is org-wide 2. Admin Authorization - admins package and distribute the app on per org basis (i.e. when you get the app form appexchange). This will log-out all users currently authorized.
What are ways to view event log files?
1. Event Log File (ELF) browser - which can also be visualized in Tableau CRM (Event Monitoring Analytics app) 2. Developer Console - query EventLogFile object
What tools does Salesforce Shield includes?
1. Event Monitoring 2. Platform Encryption 3. Field Audit Trail
What are ways to visualize event logs in a graphical view?
1. Event Monitoring Analytics app 2. Splunk App for Salesforce - user REST API to pull data from salesforce 3. FairWarning - user-centric insights and real-time alerts; supports multiple orgs in single view; stores data beyond 30 days 4. New Relic Insights - allows importing Event Monitoring data
Mobile-first Identity comes with which licenses?
1. External Identity 2. Customer Community 3. Customer Community Plus 4. Partner Community 5. Lightning External Apps 6. Lightning External Apps Plus
What are the steps for setting up Salesforce as service provider?
1. Gather information from your identity provider (or import the SAML 2.0 settings from identity provider) 2. Specify SAML start, login, logout and error pages 3. Download the metadata and send to identity provider
How does the logic of the Login Discovery Handler works?
1. Get the identifier (email or phone number) entered by the user in the login page 2. Check if the identifier is valid 3. Query the database for a user associated with the identifier a. if the user exists, check if the user has already verified with that identifier (User Verified Email and User Verified Mobile Number fields) - if user has verified already, send a verification code - redirect the user to the "Verify" page to enter the verification code b. if user hasn't verified yet, redirect the user to the page where the user enters a password
What are two example of access management pattern?
1. Hub Spoke 2. Interview-based login
How to setup Google as IDP for Social Sign-On?
1. In google, register Salesforce as an app 2. Copy the client id and secret generated in google app registration 3. In Salesforce, create an "Auth. Provider". Select Open ID Connect 4. Set the attributes including the copied client id an secret (NOTE: Upon saving it creates a registration handler class automatically) 5. Copy in Callback URL in Salesforce Auth. Provider (after it's been saved) 6. Go back to Google, and set it as Redirect URL in the app that was registered
What are the different MFA methods?
1. Salesforce Authenticator 2. 3rd party TOTP (time-based one-time password) authenticator apps like Google Authenticator, Microsoft Authenticator, Authy 3. Security keys - small physical tokens that look like a thumb drive
What are the different SSO use cases?
1. Salesforce as the service provider or relying party 2. Salesforce as identity provider or OpenID connect provider 3. Salesforce as Both (chain identity providers) 4. Salesforce and Delegated Authentication - use same user credentials on multiple apps using credential management system (i.e. Lightweight Directory Access Protocol)
What Happens When a Customer Self-Registers to Join Your Site?
1. Salesforce creates a User record and Contact with the information that the registrant provides on the self-registration page. 2. Salesforce associates the Contact with an Account, in our case, Customers. You created the account earlier as part of setting up your org. 3. The User record is assigned the Customers profile, that you cloned from the External Identity User profile earlier in this module.
What are two session security levels?
1. Standard 2. High Assurance - usually Two-Factor Authentication
Several client configuration URLs are generated after defining the authentication provider.
1. Test-Only Initialization URL - use to ensure third-party is setup correctly 2. Single Sign-On Initialization URL - use to perform SSO into salesforce using 3rd party credentials 3. Existing User Linking URL - use to link existing users to 3rd party account 4. OAuth-Only Initialization URL - obtain OAuth access tokens for a third party. 5. Callback URL - used by the auth provider to get configuration
What are the OAuth access token request parameters that need to be sent with the access request url (https://login.salesforce.com/services/oauth2/token?)
1. code 2. grant_type 3. client_id 4. client_secret 5. redirect_url
What features can be enabled to work with Identity Connect?
1. Use My Domain to Redirect Users to Identity Connect 2. Disable Salesforce passwords to ensure users log in to Salesforce with their AD credentials 3. Password Sync is an optional plug-in that clones your AD password into Salesforce - alternative to SSO 4. Integrate Identity Connect with Integration Windows Authentication (IWA) - once user is logged in to their computer using AD credentials user doesn't get prompted to log-in again to Salesforce
How is the OAuth flow?
1. User tries to access a client application 2. Application requests permission from the user to allow checking his credentials 3. A request to check the user is sent to the Authorization Server 4. Authorization sends an access token to the application 5. Application sends the access token to the Resource Server which verifies if the user is allowed to access 6. Resource Server sends the authentication and authorization to the Authorization Server
What are the different types of OAuth2.0 Protocol
1. Web Server Authentication Flow - when user is present to authenticate and approve the use of the application; client secret is protected 2. SAML Bearer Assertion Flow - authenticate without interactively logging in 3. JWT Bearer Token Flow - authenticate without interactively logging in 4. Username-password Flow - explicitly using username/password in the request (not recommended for production, can be used for quick proof of concepts)
How Can My Salesforce Org Use Connected Apps?
1. access data with API integration 2. integrate service providers with salesforce as identity provider 3. provide authorization for external API gateways (i.e. when apps are authorized and results in creating connected app automatically) 4. manage access to third-party apps 5.
How can you track progress of identity verification of users?
1. create a list view of Users with the "User Verified*" fields 2. Create a custom report type with "Identity Verification History" as the main object. Then create a report based on this report type 3. Create a dashboard
What are the use cases of login flow?
1. custom login experience 2. post registration forms 3. custom two-factor authentication 4. conditional login flows 5. accept terms of services 6. identity confirmation 7. geo-fencing 8. verify identities
How can you secure user sessions?
1. modify session security settings 2. enable browser security settings 3. set trusted IP ranges for your org - where user doesn't have to enter verification codes 4. require high-assurance session security for sensitive operations like accessing reports and managing IP addresses - this is controlled in Setup > Identity Verification 5. review active user sessions on the User Session Information Page 6. Using Frontdoor.jsp to Bridge an Existing Session (i.e. other salesforce sites) Into Salesforce
What are the benefits of OAuth2.0?
1. security - trust a 3rd party app, secure transfer of data via SSL, no need to store passwords 2. easy use - user just clicks a button to allow access 3. easy management - access can be revoked easily
How does SAML Assertion works?
1. service provider sends a request to identity provider (with XML-based protocol) 2. identity provider checks the user and sends a response back to the service provider
How can you setup identity connect with multiple AD Domains
1. setup a global catalog where multiple AD connect to 2. OR setup separate AD & Identity Connect for each domain
How many times does Salesforce generates a new master secret key?
3 times a year with each release
How long does big objects store events from real-time event monitoring?
6 months to 10 years
presents tiles for all the standard apps, custom apps, and connected apps in your Salesforce org
App Launcher
Where can you organize the sequence of the apps appearing on App Launcher?
App Menu Item
Authentication vs Authorization
Authentication is identifying the user, while authorization is identifying the service that the user is allowed to access
admins can manage all their user account tasks in one place
Centralized User Account Management
What identity features are for customers and partners only?
Communities, Self-registration
"authorized resources" that your signed-on users have access to. bring Salesforce orgs, third-party apps, and services together
Connected Apps
What identity features are for all types of users?
Connected Apps App Launcher Single Sign-on Profiles and permission sets Two-factor authentication Auth. Providers (social sign-on)
What do you need to do if you need to encrypt all data with the same tenant secret?
Contact Salesforce Support for help in applying active tenant secret to all encrypted data
What are Salesforce person accounts for?
Creating B2C accounts
What tool can you use for data obfuscation?
Data Mask managed package - make the data random - replace with familiar values from a library - make data fields empty
Where can I view delegated authentication errors?
Delegated Authentication Error History - 21 most recent login errors
How does an Authentication and Authorization Flow works?
Dual purpose - the identity provider authenticates the user to access the service provider's app, as well as authorizes the service provider to access data from identity provider (3rd party data)
What are editions?
Editions bundle together a suite of platform, user and permission set licenses
What does identity provider must support for SP-initiated SSO?
SAML "RelayState"
What is the license for Salesforce Customer Identity?
External Identity
Mission statement of Identity and Access Management
Getting the right users have access to the right resources at the right time
What dashboard gives you visibility into all of your org's security settings and allows you to identify and fix vulnerabilities in your security settings
Health Check
What are key identity concepts?
IdP - federation id, connected apps SP - SSO, self-signed cert from IdP, JIT Handler
What product helps Salesforce admins apply all the data collected in AD to automate Salesforce user management. It syncs changes in AD within seconds.
Identity Connect
When a user is created in AD, that same user account can also be created automatically in Salesforce. When a user is deleted from AD, the user account in Salesforce is deactivated at the same time.
Identity Connect
What object can you use to create a report of identity logins?
Identity Event Logs
What can cause a problem when using JIT provisioning over SAML for community users?
If an account with the same name is created manually (MULTIPLE_ACCOUNTS_FOUND)
Why should you use Health Check when developing apps?
It provides you with information to secure your org while you are developing apps
What does prior approval mean in OAuth 2.0 JWT Bearer Flow?
It means that a user session may have been pre-approved with either of the following ways: 1. All users may self-authorize - so if user have self authorized before (the first time) 2. Admin approved users are pre-authorized - this is controlled by profile/permission set
When you see IdP Certificate populated on a connected app, what does it mean?
It means the salesforce org is serving as identity provider. The IdP certificate must be shared to the service provider org.
What are settings licenses?
Licenses that contains settings like platform licenses, user licenses, permission set licenses; can be bought separately or individually (permissions and preferences)
What are examples of identity providers?
Microsoft's Active Directory Federation Services (ADFS) Ping Identity's PingFederate open-source Shibboleth ForgeRock's OpenAM
users have to provide two or more pieces of evidence—or factors—when they log in
Multi-Factor Authentication
customize your Salesforce URL to include your company or brand name
My Domain
What Identity features are for employees only?
My Domain, Identity Connect, User Provisioning
How can you enable reports to be accessible using high assurance security levels?
On Report Settings | Access Policies, tick High Assurance session required. Then select "Raise the session level with step-up authentication"
How to setup your SSO to enable JIT?
On SSO, tick the "User Provisioning Enabled" attribute
What should you use together with OAuth if you want to authenticate user's identity?
OpenID Connect
How are passwords reset when delegated authentication has been implemented?
Password reset is disabled for delegated authentication because Salesforce no longer manages user passwords
Differentiate the following: Platform-level perms Platform-level prefs User-level perms User-level prefs
Platform-level perms - for the whole org, cannot be turned on/off (i.e. creating custom object capability) Platform-level prefs - for the whole org, can be updated by admins (i.e. language, timezone) User-level perms - controlled by admin thru profile and permission sets User-level prefs - uer personalization settings
What are the 3 identity standards and protocols that salesforce implements?
SAML (Security Assertion Markup Language) OAuth 2.0 OpenID Connect (hybrid of OAuth for authorization and SAML for authentication like SSO)
What is required for Salesforce to generate the SSO initiation URL?
Registration Handler Class
Where in Setup do you define Salesforce Authentication Provider?
Setup > Auth. Providers
Where do you choose fields to encrypt?
Setup > Encryption Policy
lets users access all authorized resources without logging in separately to each one—and without having to create (and remember) different user credentials for each app.
Single Sign-On
What are the main features of Salesforce Identity
Single sign-on Connected apps Social sign-on Multi-factor authentication My Domain Centralized user account management User provisioning Identity Connect App Launcher
log in to a Salesforce org with their username and password from an external authentication provider, like Facebook, Twitter, LinkedIn, or Google
Social Sign-On
How are events stored?
Stored as EventLogFiles which are available to view and download after 24 hours (1 day data retention by default)
How can a non-salesforce app use Identity Connect (on-premise)?
They can use Salesforce as a pass-through (AD<->Identity Connect->Salesforce->(SSO)->App. - Salesforce can enforce 2-factor authentication - Salesforce can enforce IP restrictions
What apex interface is required when creating apex class for building transaction policy?
TxnSecurity.EventCondition
How many maximum authorized devices can access a connected app?
Up to 5 per connected app per user
What's an alternative for not sending client secret in the POST request?
Use client_assertion instead (signed with the private key associated with the OAuth consumer's uploaded certificate)
What system permission is needed to enable app launcher?
Use Identity Features
How can you implement zero sign-in where users only need to log-in to their desktop and then they can access Salesforce in a browser without having to login?
Use Kereberos SSO
Can non salesforce admin generate temporary verification codes?
Yes, by assigning them "Manage Multi-factor Authentication in User Interface" user permission
Does Identity Connect only work for AD?
Yes, for now
What is Salesforce Shield?
a set of security tools that admins and developers can use to protect business-critical apps: Platform Encryption, Event Monitoring, and Field Audit Trail
What is DMZ?
a subnetwork that separates your internal network from other untrusted networks, like the Internet. But it's still on-premises, within the corporate network.
What is data obfuscation?
a way to modify and ensure privacy protection for PI and PII data. You can mask a field's contents by replacing the characters with unreadable results or different from original value
What can you customize in Identity Connect login page?
background color and logo
What does Salesforce Identity mean?
deliver the right user experience to the right people, at the right place, and at the right time
What does rotating your tenant secret at specific intervals mean?
generating a new tenant secret and archiving the old one
What is an Authentication Provider in an OpenID Connect framework?
implements OAuth2.0 to authorize Salesforce to access 3rd party data (used in social sign-on)
master secret vs tenant secret
master key is what Salesforce generates and holds in a deposit box WHILE tenant secret is the secret that we (customer) generate on demand
What are perms and prefs?
metadata settings that control access to product functionality
What is SAML Assertion in the SSO process?
part of the SAML responses that asserts facts about the user like username or email. The identity providers signs the SAML assertion and the service provider validates the signature
When setting up Auth. Providers, what step is commonly overlooked?
setting "Execute Registration As" which should be a service user records (instead of yourself as you may leave the company)
In the SSO, when you want to implement MFA, who is enforcing MFA?
the identity provider
If the 5 limit is reached, what happens when a new device requests access to the resource?
the access token that hasn't been used for the longest period of time is revoked
create, manage, and secure user accounts across all your orgs and connected apps
user provisioning for connected apps