Salesforce Certified Identity and Access Management Designer ALL SOLUTION LATEST 2023/24 EDITION GUARANTEED GRADE A+
Salesforce uses this protocol to allow users of applications to securely access data on the platform without having to reveal their username and password credentials.
OAuth 2.0

How do you register your application on the Salesforce platform for use with OAuth 2.0, SSO, etc.?
Create a Connected App

What is an OAuth authentication flow?
An OAuth authentication flow defines a series of steps used to coordinate the authentication process between your application and Salesforce.

Name the supported OAuth authentication flows.
1.) Web-server flow
2.) User-agent flow
3.) Username-password flow
4.) JWT bearer token flow
5.) SAML bearer assertion flow
6.) SAML assertion flow
7.) Device authentication flow
8.) Asset token flow

What purpose does a Callback URL serve within the Connected App settings?
Depending on the OAuth authentication flow used, the Callback URL typically defines the URL to which the user is redirected after successful authentication. Additionally, the Callback URL is used to establish trust between the two systems. The Callback URL must match between the system requesting authorization/access and the Connected App defined in Salesforce.
NOTE: As this URL is used in some OAuth flows to pass back an access token, the URL must use HTTPS or a custom URI scheme.

OAuth is typically compared to this when describing its purpose.
A valet key. Just as a valet key allows a user to drive a car but NOT to access the glove compartment or the trunk, OAuth authorizes an application to access Salesforce on behalf of the user, while also defining the OAuth Scopes (i.e. what the application can do, and what the application cannot do).

What are OAuth Endpoints?
OAuth Endpoints are the URLs you use to make authentication requests to Salesforce.

What are the three types of OAuth Endpoints?
1.) authorize
2.) token
3.) revoke

Use this OAuth endpoint for authorization.

Use this OAuth endpoint for token requests.

Use this OAuth endpoint to revoke OAuth tokens.

What is the Web-Server OAuth flow?
The Web-Server OAuth flow is used by applications that are hosted on a secure server (web applications), where the Client Secret, or Consumer Secret in Salesforce terminology, can be protected. Here, server-side code is interacting with Salesforce on your behalf.

List the steps of the Web-Server OAuth flow.
1.) The client application sends the user to the appropriate Salesforce authorization endpoint, such as the following:
Note that the following parameters are required:
response_type - must be "code" for this flow
client_id - the consumer key
redirect_uri - the callback url
2.) The user logs into Salesforce with his/her credentials. The user is interacting with the authorization endpoint directly, so the application never sees the user's credentials. Once the user logs in successfully, the user is asked to authorize the client application (allow or deny). Note that this step is skipped if the user has already authorized the application.
3.) The user is sent to the URL specified in the redirect_uri parameter of the authorization request (i.e. the callback url of the connected app), and Salesforce appends two parameters to the URL:
code - the authorization code the client application must use to obtain access tokens.
state - the state value that was passed in, if applicable.
4.) The client application receives the authorization code and uses it to place a POST request to Salesforce for the access tokens. The request is placed using the applicable token endpoint, such as the following:
Note that the following parameters are required:
grant_type - must be "authorization_code"
client_id - the consumer key
client_secret - the consumer secret
redirect_uri - the callback url
code - the authorization code
5.) If the request is successful, the server returns a response body that contains the access token, refresh token, and other identifying information such as the user Id, instance url, and more.
6.) The client application can now use the access token to retrieve resources from the server.

What is the User-Agent OAuth flow?
The user-agent OAuth flow is used by client applications (or consumers) that reside on the user's device. This could be implemented in the browser using a scripting language such as JavaScript, or from a mobile device or desktop application. These applications cannot keep the Client Secret protected or confidential.

List the steps of the User-Agent OAuth flow.
1.) The client application sends the user to the appropriate Salesforce authorization endpoint, such as the following:
Note that the following parameters are required:
response_type - must be "token" for this flow
client_id - the consumer key
redirect_uri - the callback url
2.) The user logs into Salesforce with his/her credentials. The user is interacting with the authorization endpoint directly, so the application never sees his/her credentials.
3.) Once authorization is granted, the authorization endpoint redirects the user to the URL in the redirect_uri parameter (the callback url). Salesforce appends the following parameters to the redirect url:
access_token - the access token/session Id. Should be protected like user credentials in the client application.
refresh_token - the token that can be used to obtain new access tokens in the future. Note: this value is a SECRET and should be protected as if it were the user's password.
... and other parameters.
4.) The application uses the provided access token and refresh token to access protected user data and resources from the server.

What is the Username-Password OAuth flow?
The username-password OAuth flow is used to authenticate when the client application already has the user's credentials.
In this flow, the user's credentials are used to obtain the access token.

List the steps of the Username-Password OAuth flow.
1.) The application uses the user's credentials to request an access token. This is done via a POST request to the token endpoint:
Note that the following parameters are required:
grant_type - must be "password" for this flow.
client_id - the consumer key.
client_secret - the consumer secret.
username - the user's username.
password - the user's password (note that the security token must be appended for applicable orgs).
2.) Salesforce verifies the credentials and, if successful, sends a response to the application with the access token. The response contains the access_token, the id of the user, and other information.
3.) The application uses the access token to retrieve data and other resources from the server.

What should you keep in mind regarding the use of the Username-Password OAuth flow compared to the other flows (aside from the obvious)?
Since the user is never redirected to log in at Salesforce in this flow, the user can't directly authorize the application, so no refresh tokens can be used. If your application requires refresh tokens, you should consider using the web-server or user-agent OAuth flow.

Access tokens have a limited lifetime specified by this...
The session timeout settings in Salesforce.

Describe the OAuth Refresh Token process.
Only applies to the Web-Server and User-Agent flows, which provide a Refresh Token.
1.) The client application sends a POST request to the token endpoint (below) with the following required parameters:
grant_type = refresh_token
refresh_token = [the refresh token itself]
client_id = [Consumer Key]
client_secret = [Consumer Secret]
format = [Optional. The expected return format, such as json, urlencoded, or xml. Default is json. Can also be specified in the header of the POST request.]
2.) Once Salesforce verifies the request, it sends a response to the application with the following response body parameters:
access_token = [the access token]
instance_url = [Identifies the Salesforce instance to which API calls should be made]
id = [Identity URL. Used to identify the user and query for more information about the user.]
... and others.

What is Single Sign On (SSO)?
Single Sign On (SSO) lets users access authorized network resources with one login. You validate usernames and passwords against your corporate user database or other client application rather than Salesforce managing separate passwords for each resource.

What are the three ways that Salesforce lets you use SSO?
1.) Federated authentication using SAML
2.) Delegated authentication SSO
3.) Authentication providers

What is federated authentication using SAML?
Federated authentication using SAML (Security Assertion Markup Language) lets you send authentication and authorization data between affiliated but unrelated web services. You can log in to Salesforce from a client app. Salesforce enables federated authentication for your org automatically.

What is delegated authentication SSO?
Delegated authentication SSO integrates Salesforce with an authentication method that you choose. You can integrate authentication with your LDAP (Lightweight Directory Access Protocol) server or use a token instead of a password for authentication. You manage delegated authentication at the permission level, not at the org level, giving you more flexibility. With permissions, you can require that some users use delegated authentication while others use their Salesforce password. Note that you must contact Salesforce to enable delegated authentication before you can configure it in your org.

What are some benefits of using delegated authentication SSO?
1.) Uses a stronger form of user authentication, such as integration with a secure identity provider.
2.) Makes your login page private and accessible only behind a corporate firewall.
3.) Differentiates your org from all other companies that use Salesforce to reduce phishing attacks.

What are authentication providers (hint: one of the SSO options offered by Salesforce)?
Authentication providers let your users log in to Salesforce using their login credentials from an external service provider. Salesforce supports the OpenID Connect protocol, which lets users log in from any OpenID Connect provider, such as Google, PayPal, and LinkedIn. When an authentication provider is enabled, Salesforce doesn't validate a user's password. Instead, Salesforce uses the user's login credentials from the external service provider to establish authentication credentials.

Salesforce acts as a Service Provider when...
When you have an external identity provider and configure SSO for your Salesforce org.

True or false: only the service provider needs to configure SSO.
True

What are some benefits to using Single Sign On (SSO)?
1.) Reduced administrative costs (fewer passwords to manage, and to be forgotten by end users).
2.) Time saved (usually takes 5-20 seconds to log in per application)
3.) Leverage existing investment
4.) Increased user adoption
5.) Increased security

Describe the process that Salesforce uses to authenticate users with delegated authentication SSO.
1.) When a user tries to log in, Salesforce validates the username and checks the user's permissions and access settings.
2.) If the user has the "Is Single Sign-On Enabled" permission, Salesforce does not validate the username and password, and instead makes a web service callout to the user's org asking it to validate the username and password. NOTE: Salesforce does not store, log, or view the password. It is discarded immediately following the transaction.
3.) The web service call passes the username, password, and IP address (sourceIp) to the web service.
Note: You must create and deploy an implementation of your web service that Salesforce servers can access.
4.) Your web service implementation validates the passed-in details and returns TRUE or FALSE based on whether or not the authentication was successful.
5.) If the response is TRUE, the login process continues, and the user is logged in with a new session. If FALSE, an error is returned (i.e. the username and password combination is invalid).

Describe the process to configure Delegated Authentication SSO.
1.) Contact Salesforce to have the feature enabled.
2.) Navigate to Setup > API and download the Delegated Authentication WSDL.
3.) Use the Delegated Authentication WSDL to build your SSO web service.
4.) In Salesforce, specify your org's SSO gateway URL under Setup > Single Sign-On Settings > Edit > Delegated Gateway URL.
5.) Optionally, select Force Delegated Authentication Callout (use this if you need to record every login attempt internally).
6.) Enable the Is Single Sign-On Enabled permission for applicable users.

What are some benefits to using My Domain?
1.) Enhanced security
2.) Highlight your brand with a unique URL
3.) Brand your login screen
4.) Block or redirect page requests that do not use your custom subdomain
5.) Work in multiple Salesforce orgs at the same time (otherwise only an issue when two or more orgs exist on the same instance)
6.) Set custom login policies to determine how users are authenticated
7.) Allow users to log in using a social account, like Google or Facebook (i.e. Social Sign-On)
8.) Allow users to log in once to access external services

Using as an example, the trailhead piece (similar to what you create with My Domain) is called this.
Subdomain. Essentially, with My Domain, you are creating a subdomain within the domain.

My Domain is required before you can use these platform features.
1.) Single Sign-On (SSO) with external identity providers (SP-Init flow)
2.) Social Sign-On
3.) Lightning Components (custom-built)

What are some of the policy settings you can configure with My Domain (under My Domain Settings)?
1.) Determine the Login Policy (i.e. whether to block or allow logins from ).
2.) Determine Redirect Policies (for page requests that do not use your custom domain). For example, you can choose to redirect to the same URL within your domain, redirect with a warning message to the same URL within your domain, or choose not to redirect, which Salesforce recommends.

True or False: When using My Domain and configuring Authentication Services (like Social Sign-On or SSO IdPs), the standard Salesforce Login form cannot be hidden and is always an option for users to log in.
False

With My Domain and Authentication Configuration settings, suppose you configure Google as a single Authentication Service and disable all others, including the standard Salesforce Login form. What behavior can users expect when they navigate to your domain to log in?
In this example, the users will be automatically redirected to Google's login page to authenticate.

True or False: My Domain is available for Sandbox environments.
True

What is the format of your URL when using My Domain?
https://[your_subdomain].

Describe the format and limitations when choosing a custom subdomain when using My Domain.
1.) Max length 40 characters
2.) Use letters, numbers, and hyphens
3.) CANNOT start with root, status, or a hyphen

True or False: After setting up and deploying My Domain, you can change your subdomain up to a maximum of 3 times.
False. Once deployed, only Salesforce Support can change your subdomain.

What is the App Launcher?
The App Launcher presents tiles for all the standard apps, custom apps, and connected apps in your Salesforce org. Your users can go to one location in Salesforce to access all apps without having to log in again. You choose which third-party and other connected apps to add to the App Launcher, and you control which apps are available to which users.
Describe the features and functionality of the App Launcher.
1.) Provides access to Salesforce apps and Connected apps
2.) SSO portal for users
3.) Driven off of Profiles and Permission Sets for authorization (i.e. which users can see which apps, etc.)
4.) Backed by the AppMenuItem API

From where can the App Launcher be accessed (Classic and Lightning options)?
1.) In Salesforce Classic, consistently available to users via the App Menu (top-right corner)
2.) In Lightning Experience, the App Launcher has its own icon (top-left corner)

Tab Sets (i.e. Salesforce apps) automatically show up in the App Launcher when these conditions are met.
When the user has access to those apps via either their Profile or assigned Permission Sets

Connected apps appear in the App Launcher when these conditions are met.
1.) When the user has access to the Connected App either via their Profile or assigned Permission Sets, AND...
2.) When the Connected app has a Start URL listed

How is the order in which apps are displayed in the App Launcher controlled?
Under "App Menu" in Setup (path varies between Classic and Lightning)

The App Launcher appears for users when these permissions are enabled.
1.) Use Identity Features
2.) The App Launcher app is visible

What features does Salesforce Identity provide? (Hint: 9 unique/tentpole features)
1.) Single Sign-On
2.) Connected Apps
3.) Social Sign-On
4.) Two-factor authentication (2FA)
5.) My Domain
CONTINUED...
Written for
- Institution
- Salesforce Certified Identity and Access Managemen
- Module
- Salesforce Certified Identity and Access Managemen
Document information
- Uploaded on
- July 4, 2023
- Number of pages
- 20
- Written in
- 2022/2023
- Type
- Exam (elaborations)
- Contains
- Questions & answers