Access Management Best Practices (15%) Flashcards
What is a best practice for deploying your web service when you are using delegated authentication?
The web service must be accessible by Salesforce servers, so you must deploy the web service on a server in your DMZ. Remember to use your server’s external DNS name when entering the delegated gateway URL in the Delegated authentication section in Salesforce.
For Delegated Authentication what should you keep in mind when generating your server stub?
Namespaces, element names, and capitalization must be exact in SOAP requests, so wherever possible, generate your server stub from the WSDL to ensure accuracy.
Should you enable SSO for Salesforce admins?
It’s recommended not to enable SSO for Salesforce admins, because if the SSO server has an outage they would have no way to log in to Salesforce.
For delegated authentication, how can you restrict access based on the user’s location?
Use the IP address that originated the login request. It is in sourceIp. Salesforce can also validate login IP ranges for SSO users.
For federated authentication, what is the clock skew that Salesforce allows with your IDP server?
3 minutes. Make sure that your server’s clock is up to date.
What should you do if you can’t log in with a SAML assertion?
Check the login history and note the error message. Use the SAML Assertion Validator on the Single Sign-On Settings configuration page to troubleshoot.
When using federated authentication, which feature can you use to prevent users from logging in to Salesforce directly, and give admins more control over login policies?
Use the My Domain feature. You can use the URL parameters provided in the Salesforce Login URL value from the Single Sign-On Settings configuration page with your custom domain.
What two types of two-factor authentication does Salesforce provide?
1 - Service-based: Also known as device activation and automatically enabled for all orgs
2 - Policy-based: Admins can enable policy-based two-factor authentication
Name the two security levels for session login security.
Standard Assurance
High Assurance
Which authentication method is the only one that has a default session security level of High Assurance?
Two-Factor Authentication
Explain what Referrer URL protection is
When loading assets outside of Salesforce or navigating outside of Salesforce, the referrer header shows only Salesforce.com or Force.com rather than the entire URL. This feature eliminates the potential for a referrer header to reveal sensitive information that could be present in a full URL, such as an org ID. This feature is supported only for Chrome and Firefox.
Explain what Public Key Pinning is.
To detect man-in-the-middle attacks, Salesforce now monitors which SSL certificates users can see. Custom certificates aren’t affected. Public key pinning is supported only for Chrome and Firefox.
What is HSTS protection?
HTTP Strict Transport Security
It redirects browsers to use HTTPS. It is enabled on all Salesforce and Visualforce pages and can’t be disabled.
What would you use the Identity Provider Event Log for?
It records both problems and successes with inbound SAML or OpenID Connect authentication requests from another app provider, and outbound SAML responses when Salesforce is acting as an identity provider.
Which three attacks will two-factor authentication help with?
A) Network perimeter attacks
B) Key logging attacks
C) Phishing attacks
D) Man-in-the-middle attacks
E) Dictionary attacks
A) Network perimeter attacks
B) Key logging attacks
E) Dictionary attacks