Access Management Best Practices (15%) Flashcards

1
Q

What is a best practice for deploying your web service when you are using delegated authentication?

A

The web service must be accessible by Salesforce servers, so you must deploy the web service on a server in your DMZ. Remember to use your server’s external DNS name when entering the delegated gateway URL in the Delegated authentication section in Salesforce.

2
Q

For Delegated Authentication what should you keep in mind when generating your server stub?

A

Namespaces, element names, and capitalization must be exact in SOAP requests, so wherever possible, generate your server stub from the WSDL to ensure accuracy.

3
Q

Should you enable SSO for Salesforce admins?

A

It’s recommended not to enable SSO for Salesforce admins, because if the SSO server has an outage they would have no way to log in to Salesforce.

4
Q

For delegated authentication, how can you restrict access based on the user’s location?

A

Use the IP address that originated the login request; it is passed to your web service in the sourceIp element. Salesforce can also validate login IP ranges for SSO users.

5
Q

For federated authentication, what is the clock skew that Salesforce allows with your IDP server?

A

3 minutes. Make sure that your server’s clock is up to date.

6
Q

What should you do if you can’t log in with a SAML assertion?

A

Check the login history and note the error message. Use the SAML Assertion Validator on the Single Sign-On Settings configuration page to troubleshoot.

7
Q

When using federated authentication, which feature can you use to prevent users from logging in to Salesforce directly, and give admins more control over login policies?

A

Use the My Domain feature. You can use the URL parameters provided in the Salesforce Login URL value from the Single Sign-On Settings configuration page with your custom domain.

8
Q

What two types of two-factor authentication does Salesforce provide?

A

1 - Service-based: also known as device activation; automatically enabled for all orgs.

2 - Policy-based: admins can enable policy-based two-factor authentication.

9
Q

Name the two security levels for session login security.

A

Standard Assurance

High Assurance

10
Q

Which authentication method is the only one that has a default session security level of High Assurance?

A

Two-Factor Authentication

11
Q

Explain what Referrer URL protection is.

A

When loading assets outside of Salesforce or navigating outside of Salesforce, the referrer header shows only Salesforce.com or Force.com rather than the entire URL. This feature eliminates the potential for a referrer header to reveal sensitive information that could be present in a full URL, such as an org ID. This feature is supported only for Chrome and Firefox.

12
Q

Explain what Public Key Pinning is.

A

To detect man-in-the-middle attacks, Salesforce now monitors which SSL certificates users can see. Custom certificates aren’t affected. Public key pinning is supported only for Chrome and Firefox.

13
Q

What is HSTS protection?

A

HTTP Strict Transport Security.

It redirects browsers to use HTTPS. It is enabled on all Salesforce and Visualforce pages and can’t be disabled.

14
Q

What would you use the Identity Provider Event Log for?

A

It records both problems and successes with inbound SAML or OpenID Connect authentication requests from another app provider, and with outbound SAML responses when Salesforce is acting as an identity provider.

15
Q

Which three attacks will two-factor authentication help with?

A) Network perimeter attacks

B) Key logging attacks

C) Phishing attacks

D) Man-in-the-middle attacks

E) Dictionary attacks

A

A) Network perimeter attacks

B) Key logging attacks

E) Dictionary attacks

16
Q

If you have the Enforce IP Restrictions set, what is the effect for the user if:

A) you also have continuous IP Enforcement disabled (default)

B) you have continuous IP Enforcement enabled?

A

For both A) and B): a user running this app is subject to the org’s IP restrictions, such as IP ranges set in the user’s profile.

17
Q

If you have the Enforce IP Restrictions, but relax for refresh tokens set, what is the effect for the user if:

A) you also have continuous IP Enforcement disabled (default)

B) you have continuous IP Enforcement enabled?

A

A) A user running this app is subject to the org’s IP restrictions, such as IP ranges set in the user’s profile, during initial login. These restrictions are relaxed when the app later uses a refresh token to obtain a new access token.

B) The same as A), except that for security reasons users can’t:

  • change their password
  • register a verification method
  • access pages in a login flow

18
Q

If you have the relax IP restrictions for activated devices set, what is the effect for the user if:

A) you also have continuous IP Enforcement disabled (default)

B) you have continuous IP Enforcement enabled?

A

A) A user running this app bypasses the org’s IP restrictions when either of these conditions is true:

  • The app has IP ranges whitelisted and is using the web server OAuth authentication flow. Only requests coming from the whitelisted IPs are allowed.
  • The app has no IP range whitelist and is using the web server or user-agent OAuth authentication flow.

B) A user running this app bypasses the org’s IP restrictions when either of the OAuth conditions for A) is true. However, for security reasons they can’t:

  • change their password
  • register a verification method
  • access pages in a login flow

19
Q

If you have the relax IP restrictions set, what is the effect for the user if:

A) you also have continuous IP Enforcement disabled (default)

B) you have continuous IP Enforcement enabled?

A

A) A user running this connected app is not subject to any IP restrictions.

B) A user running this app is not subject to any IP restrictions. However, for security reasons they can’t:

  • change their password
  • register a verification method
  • access pages in a login flow