Identity and Access Designer

What is an OAuth authentication flow?
Defines a series of steps to coordinate the authentication process between SFDC and your application.
Which OAuth authentication flows are supported by SFDC?
1) Web server flow
2) User-agent flow
3) Username-password flow
What is the first step when setting up authentication using OAuth?
Create a Connected App
What is the Callback URL used for when setting up a Connected app?
Typically the user's browser is redirected to this URL after successful authentication. NOTE: Must be a secure HTTP (HTTPS) because a token may be passed through it.
Which applications can use a web server authentication flow?
The application must be hosted on a secure server. The server must be able to protect the consumer secret.
What is the client_id parameter?
The consumer key
What is the redirect_url?
The callback url
What information is appended to the callback url after Salesforce confirms the client app is authorized?
1) Code, the authorization code the app must use to obtain access and refresh tokens
2) State, if applicable
What is federated authentication?
Configuration choice for user sign-on. Uses industry standard protocols to communicate between orgs and SFDC for authentication. Org sets up SFDC to trust "assertions" about users made using SAML. SFDC can natively validate these assertions and create sessions for users.
What is delegated authentication?
Configuration choice for user sign-on. Org sets up a web services client (delegated authority) that replaces SFDC mechanisms for sign ins.
What are the benefits of delegated authentication?
1) Uses a stronger form of user authentication
2) Makes your login page private and accessible only behind a corporate wall
3) Differentiates your org from other companies using Salesforce, which protects against phishing
What are authentication providers?
Lets your users log in to Salesforce using login credentials for an external service provider. Salesforce uses the user's login credentials from the external service provider to establish authentication credentials instead of validating a user's password. E.g., using LinkedIn credentials
What are the benefits of implementing SSO?
1) Reduced admin cost - users only need to memorize a single password
2) Leverage existing investment - Most companies have a central LDAP database to manage user identities. You can delegate Salesforce authentication to use this system.
3) Time savings
4) Increased user adoption - due to convenience
5) Increased security - all of your password policies you've established apply to Salesforce
What is Salesforce identity?
An identity and access management (IAM) service.
Which features does Salesforce Identity have?
1) Cloud-based user directories
2) Authentication services - to verify users and keep control over user access
3) Access management and authorization for third parties
4) App user provisioning - makes it easy to add/remove access to apps to multiple users
5) API - for viewing and managing Identity features
6) Identity event logs
7) Salesforce Identity Connect for integrating Microsoft Active Directory
Which methods can you leverage to implement Salesforce identity?
2) OAuth 2.0
3) OpenID Connect
4) My Domain
5) Connected Apps
6) App Launcher
7) Identity License
8) External Identity License
9) Identity Provider and Service Provider Integration
10) Salesforce Identity Connect
11) Two-Factor Authentication
What does OAuth allow you to do?
Enables a third party app to obtain limited access to an HTTP service
What is a service provider?
The web server you are trying to access info from
What is an identity provider?
The server that owns the user identities and credentials
What is a connected app?
Third party apps and services
What does Identity Connect do?
Synchronizes users and their attributes from Active Directory (AD) to Salesforce. In some cases, users can open Salesforce and be automatically signed in.
What are benefits of Salesforce identity for customers and partners?
1) Brand Control
2) User Registration
3) Social Sign-On
4) Seamless Web Experience
5) Comprehensive view of user
What is SAML?
The protocol that enables single sign-on. It authenticates connections.
What is a SAML assertion?
When a user attempts to access a service, the service provider sends a request to the identity provider asking whether the user should have access. The identity provider returns an ASSERTION saying that the user is authorized.
In what language are SAML packages written?
What is OAuth?
An open protocol that allows secure data sharing between applications. The user works in one app, but sees data from another. Works as a sort of handshake and asks the user for permission to access the info. Allows users to connect apps to their accounts.
What is OpenID Connect?
A protocol based on OAuth 2.0 that sends info from one service to another. Used to enable social single sign-on.
What is the SAML flow for SSO?
1) User attempts to access SFDC
2) SFDC recognizes the SSO request and generates a SAML request
3) Salesforce redirects SAML request to browser
4) Browser redirects the SAML request to the external identity provider
5) The identity provider verifies the user's identity and packages the SAML assertion containing the authentication
6) Identity provider sends SAML assertion to browser
7) Browser redirects assertion to Salesforce
8) Salesforce verifies the assertion
9) User is logged in to Salesforce
What is a protocol?
A set of rules that enable systems to exchange info.
What is a standard?
Set of industry practices that vendors agree to support.
What is an OAuth token?
Like a valet key. Authorizes access to resources for specific purposes.
What is an authorization code?
A short-lived token generated by the authorization server that is passed to the client app via the browser. Auth code is sent to the auth server to obtain an access token and optionally a refresh token.
What is an access token?
Client uses an access token to make authenticated requests on behalf of the end user. In Salesforce, this is a session ID. Typically lasts minutes or hours.
What is a refresh token?
Can be used to request fresh access tokens. Can have an indefinite lifetime.
What is an ID Token?
A signed data structure as part of OpenID Connect, the authentication layer on top of OAuth 2.0. Contains user attributes, the time the token was issued, and an identifier for the requesting client.
What authentication flows are supported for OAuth 2.0?
1) Web server
2) User-Agent
3) JWT Bearer Token Flow
4) Device Authentication Flow
5) Asset Token Flow
6) SAML Bearer Assertion Flow
7) Username and Password
What is the Web Server OAuth flow?
- Used for apps hosted on a secure server.
- Server must be able to protect the client secret.
- Uses OAuth 2.0 authorization code grant
What is the User-Agent OAuth flow?
- Can authorize desktop or mobile app to access data using an external or embedded browser
- Often requires a scripting language running within the browser
- Uses OAuth 2.0 implicit grant type
What is the JWT Bearer Token Flow?
- Mainly used for server-to-server API integration
- Uses a certificate to sign the JWT request and doesn't require explicit user interaction
T/F You should enable SSO for your SFDC admin.
False. If SSO is down, you want your admin to be able to disable SSO.
T/F Sandboxes are made with SAML disabled.
What is user provisioning?
How user profiles are created and changed over time
What is authentication?
How users are identified and their identities validated
What is authorization?
How users are granted permission to specific resources
What happens when a user signs into an external app?
1) Salesforce prompts user for login credentials and stores for repeated use (creates a session)
2) External app sends a security token on behalf of the user
(Think dataloader)
What is a security token?
A long string of characters that is generated uniquely for each user
What can you use to programmatically add and modify users?
What two options are available when removing the authentication step from a user's experience in SFDC?
1) Delegated Authentication
2) Federated Authentication
What three combinations can be used to set up delegated authentication?
1) Password validation: SFDC login page is used, but credentials are validated against the delegated authority instead of Salesforce
2) Token validation: SFDC login not used. a) User authenticates to their Enterprise. b) Enterprise creates Salesforce session by sending (via HTTP POST) the username and token to Salesforce which is authenticated by the delegated authority
3) Hybrid model: Users are required to use token validation when accessing SFDC through the website, BUT are allowed to authenticate using password validation when using a client application.
What happens when token validation is used alone and a user attempts to use a standard desktop client (like Salesforce for Outlook)?
User can't log in because the client can't generate and post the token to Salesforce for validation.
What is a benefit of federated authentication over delegated authentication?
Federated authentication does not require proprietary coding between Internet sites.
How do you enable Delegated Authentication?
Contact Salesforce support
How do you enable Federated Authentication?
Setup > Identity > Single Sign-On Settings > SAML Enabled
T/F Username/Password authentication is not required when connecting to a desktop client or remote application through federated authentication.
False. Not possible to pass a SAML token from a desktop client.
What does My Domain allow you to do?
You create a subdomain within the Salesforce domain. Example: trailhead = subdomain, trailhead.salesforce.com
What are the benefits of a My Domain subdomain?
1) Highlight business identity with unique domain URL
2) Brand your login screen and customize right frame content
3) Block or redirect page requests that don't use the domain
4) Work in multiple SFDC orgs at the same time
5) Set custom login policy for user authentication
6) Let users log in using social accounts
7) Allow users to log in once to access external services
For which features is My Domain required?
1) SSO with external identity providers
2) Social sign-on with authentication providers
3) Lightning components
T/F My Domain is unavailable for sandbox environments.
What is the scope parameter?
It allows you to fine-tune the permissions associated with tokens. A subset of values that you specify when defining the connected app
What are the steps taken to set up SSO through Federated Authentication?
1) Establish a SAML identity provider and gather info about how it connects to SFDC
2) Provide info to your identity provider (like URLs for start and logout pages)
3) Set up SFDC (only step that takes place in SFDC)
What are the steps taken to set up SSO through Federated Authentication specifically in SFDC?
1) Enable SAML
2) Create a configuration (New, New from Metadata File, New from Metadata URL)
3) Enter the Issuer (entity ID of the identity provider)
4) Specify which domain to use
5) Identity Provider Certificate: upload the authentication certificate from the identity provider
6) Request Signing Certificate: select the desired certificate from those saved under Certificate and Key Management settings
7) Request Signature Method: select the hashing algorithm for encrypted requests
8) SAML Identity, SAML Identity Location, Service Provider Initiated Request Binding, etc.: enter fields as provided by identity provider
9) For SAML 2.0 specify specific login or logout pages
10) Custom Error URL: specify URL that users are directed to
11) Save and download metadata to send to identity provider
If your users have trouble logging into SFDC after setting up SSO, which tools should you use to troubleshoot?
1) SAML Assertion Validator
2) Login history
What is the process Salesforce uses for delegated authentication?
1) When user logs in, Salesforce checks if user has the "Is Single Sign-On Enabled" permission
2) If user does, SFDC doesn't validate credentials. It makes a web services call to the user's org to validate the credentials
3) Web services call passes the username, password, and sourceIP to the web service
4) Web service validates and returns true or false
5) If true, login continues and a new session is created
How do you set up Delegated Authentication?
1) Build SSO web service
a) Download the Delegated Authentication WSDL
b) Add a link to your internal site that takes the user's credentials and passes them through an HTTP POST to the SFDC login page
2) In SFDC, enter the URL in the Delegated Gateway URL
3) Enable "Is Single Sign-On Enabled" permission
What is single logout?
When your user logs out from one app, they are automatically logged out from other apps.
Which protocols does SFDC support for SLO?
2) OpenID Connect SLO
What does OpenID Connect allow you to do?
Allows one or more relying parties (app) to delegate user authentication to an OpenID Provider. The OpenID Provider authenticates users and provides data/claims (user attributes). Relying parties then don't have to manage login processes.
What are the steps involved when a user signs in using the OpenID Connect Protocol?
1) User makes a client request (click Login with Salesforce)
2) User is redirected to a URL at the authentication server
3) User is prompted to authenticate and authorize app
4) Upon successful authorization, user is redirected back to a redirect URL at the client app
5) Client app extracts the auth code from its URL parameter and sends a direct POST request to auth server
6) Auth server responds with an ID token
What is the OpenID Connect ID token?
A signed data structure that contains authenticated user attributes, encoded as a JSON web token (JWT). It identifies the end-user (subject) AND the issuer AND the audience. (This is the reason why you need OpenID Connect instead of OAuth.)
How do you set up SSO from SFDC to SFDC?
1) Enable My Domain
2) Set up one SFDC as the identity provider
a) Download certificate and key pair
b) Copy Salesforce Identity URL under SAML Metadata Discovery Endpoints on the Identity Provider page OR download metadata in XML file
3) Set up service provider org
a) Enable SAML
b) Create new configuration: use the Metadata file or URL from before
c) Complete the settings and save the Entity ID and Identity Provider Login URL
d) Add the identity provider as an authentication service under My Domain
4) On the identity provider, create a Connected App
a) Configure settings including adding the Entity ID and Identity Provider from before
b) Add permissions for users to access the service provider
What security issues can arise with SSO?
1) The API Partner URL is not validated - an attacker can imitate the SFDC endpoint and steal the user's data
2) SSL is not used when a non-native app calls back to an external server with a user session's ID - makes the SID vulnerable which is equivalent to a user's credentials
Which two parameters are involved when authenticating an external application?
1) API Session ID (~user login and password)
2) API Partner Server URL
What is the API Partner Server URL?
The URL of the SOAP endpoint that is associated with the user's SFDC instance.
What do session security levels allow you to do?
You can restrict access to connected apps, reports, and dashboards based on the level of security associated with the authentication method. (Ex: Require users to log in with two-factor authentication when accessing reports)
How do you set up OpenID Connect (social sign on) in Salesforce?
1) Register in third party as an OAuth client
2) Configure Auth Provider in SFDC
3) Define logic for user management
4) Use Auth Provider in My Domain/Community
What does a registration handler do?
Defines the logic to be executed when a user logs in
Which two methods does a registration handler need to include?
1) For unrecognised OpenID Connect profile (hasn't logged in yet) - needs to match to an existing SFDC user or create a new user
2) For previously logged in users - provides profile details
How does mobile SSO work at a high level?
1) User authenticates and authorizes the app
2) A token is issued to the device. The token is used instead of a password next time an app is used. The token is unique to the user and app combo
What steps take place when logging in through SSO on mobile?
1) The OAuth client makes an auth request to the hostname. Client asks the service provider for authorization using your My Domain
2) The auth server detects that the client needs to authenticate and redirects the user to the SAML identity provider (IdP)
3) User accesses the IdP and the IdP performs authentication
4) After user is authenticated, the IdP sends back a SAML response
5) SFDC processes the SAML assertion and logs in the user. Salesforce then authenticates the user and redirects them to the auth server
6) After auth, client prompts the user to allow the client to connect to their account
7) If the user approves, a token is issued that the app uses to establish a session
Which options
Which two methods are available in the Canvas SDK for signed request authentication?
1) refreshSignedRequest - returns a new signed request via a callback
2) repost - requests parent window to initiate a POST to your canvas app and reloads the app page with the refreshed signed request
What are some examples of service provider initiated SSO?
1) SalesforceA for Android
2) SalesforceA for iOS
3) Salesforce for Android or iOS
4) Desktop clients (Salesforce for Outlook etc.)
What code must the canvas app include for initiating the standards-based OAuth flow?
1) HTTP GET when invoking the canvas app URL
Note: With user agent OAuth, all auth can be performed in browser.
When are users challenged to verify their identity?
When a user logs in outside of the trusted IP AND they are using a browser or device that is unrecognized.
What is the order of priority of methods used to verify users?
1) Via push notification or location-based automated verification through Salesforce Authenticator
2) Via a U2F security key registered with the user's account
3) Verification code generated by a mobile authenticator app
4) Verification code sent via SMS
5) Verification code sent via email
When is a user prompted to verify account after a successful identity verification?
1) User manually clears browser cookies or browses in incognito
2) User deselects Don't ask again
Which org policies can you define for requiring a second level of authentication?
1) On every login
2) Every API login
3) Access to specific features
How does Canvas with OAuth work?
1) Salesforce loads the canvas URL with a standard HTTP GET (No auth)
2) Canvas app triggers the OAuth flow
You have to kick the user into the webflow
3) Canvas app sets the token in the Canvas JS Library and calls getContext() (of who the user is)
Requires more management. You handle the authentication
How does Canvas with signed request work?
Authentication on the server side. SFDC handles it.
1) Token generation done completely on SFDC side
2) SFDC does an HTTP POST to the Canvas URL
3) Response to the POST is loaded into the Canvas iFrame
What is the preferred and default authentication for Canvas?
Canvas with Signed Request
Which methods are available for authentication into Canvas Apps?
1) No authentication (open site)
2) Username/password screen
3) Established session in the browser
4) Create your own SSO solution
5) Using SAML flow
T/F Login Flows can replace the standard authentication mechanism.
False. Login Flows work with but do not replace authentication.
What methods are available for provisioning Community Users?
1) Manual
2) Self-Registration
3) API Provisioning
4) Social Sign-On
5) Just-In-Time Provisioning over SAML
6) Mass User Provisioning (Dataloader)
What is the sequence of actions that occur during JIT provisioning?
1) Searches User records for a matching Federation ID
2) If no User found, searches Contact for a matching email
3) If no Contact found, searches Accounts for matching name or account number
4) If Account found, creates new Contact related to the Account
5) If no Account found, then creates new Account and Contact.
What is Just-In-Time provisioning?
Uses a SAML assertion to create users the first time they login. Eliminates need to create Accounts in advance. Works with your SAML provider to pass the correct info to SFDC in a SAML assertion.
What are the benefits of JIT?
1) Reduced Admin Cost
2) Increased User Adoption
3) Increased Security
What are the steps involved in setting up Identity Connect?
1) Download Identity Connect
2) Install Identity Connect (you need Java)
3) Configure Identity Connect
- Navigate to localhost:8443
- Enter Active Directory connection info
- Enter base context DN
4) Select groups to authorize
5) Establish Connection with Salesforce
- Create Connected App
- Copy the Callback URL from the Identity Connect Setup page
- Copy the Secret and Key from the Connected App to the Identity Connect Console
6) Map the user attributes between SFDC and Active Directory
7) Map Profile to Groups
8) Sync: you can analyze what Identity Connect is going to sync
- will show you how many users were mapped, not mapped, etc.
9) Set up when users are synchronized
- can be live updates or scheduled updates
Note: SAML configuration is automatically done for you
T/F SAML can be used in desktop applications.
False. SAML is a browser based protocol. It requires a browser to facilitate the exchange of tokens for authentication.
How can you ensure access to an app is only given for a limited amount of time?
Configure the Refresh Token Policy under the OAuth policy for the Connected App.
How can you revoke access from a user using a Connected App?
On the Connected App Usage page revoke access on the user row.