Identity Management Concepts (28%) Flashcards

1
Q

An architect has configured a SAML-based SSO integration between Salesforce and an external identity provider. During testing, the architect attempts to log in to Salesforce using SSO, but receives a SAML error. Which two actions should the Architect take to troubleshoot the issue?

A. Ensure the Callback URL is correctly set in the Connected Apps settings.

B. Use a browser that has an add-on/extension that can inspect SAML.

C. Paste the SAML Assertion Validator in Salesforce.

D. Use the browser’s Development tools to view the Salesforce page’s markup.

A

B. Use a browser that has an add-on/extension that can inspect SAML.

C. Paste the SAML Assertion Validator in Salesforce.

2
Q

Universal Containers wants users to access Salesforce, and other SSO-enabled applications, from a custom web page that UC maintains. UC wants its users to use the same set of credentials to access each of the applications. What SAML SSO flow should an Architect recommend for UC?

A. Service Provider Initiated with Deep Linking.

B. Service Provider Initiated.

C. Identity Provider Initiated.

D. User-Agent.

A

C. Identity Provider Initiated.

Why? In this scenario, the authentication is handled within the custom web portal of Universal Containers. The connected systems (including Salesforce) are the service providers, and the custom portal is the identity provider.

3
Q

A group of users try to access one of Universal Containers’ Connected Apps and receive the following error message:

“Failed: Not approved for access.”

What is the most likely cause of this issue?

Choose one answer.

A. The Connected App settings “All users may self-authorize” is enabled.

B. High Assurance sessions are required for the Connected App.

C. The Users do not have the correct permission set assigned to them.

D. The Salesforce Administrators have revoked the OAuth authorization

A

C. The Users do not have the correct permission set assigned to them.

4
Q

Universal Containers (UC) has decided to use Salesforce as an Identity Provider (IdP) for multiple external applications. UC wants to use the Salesforce App Launcher to control the applications that are available to individual users.

Which three steps are required to make this happen?

Choose three answers.

A. Add each Connected App to the App Launcher with a Start URL.

B. Set up an Auth Provider for each External Application.

C. Set up Salesforce as a SAML IdP with My Domain.

D. Set up Identity Connect to synchronize user data.

E. Create a Connected App for each external application.

A

A. Add each Connected App to the App Launcher with a Start URL.

C. Set up Salesforce as a SAML IdP with My Domain.

E. Create a Connected App for each external application.

5
Q

Universal Containers (UC) has a classified information system that its call center team uses only when they are working on a Case with a record type “Classified”. They are only allowed to access the system when they own an open “Classified” Case, and their access to the system is removed at all other times. They would like to implement SAML SSO with Salesforce as the IdP, and automatically allow or deny the staff’s access to the classified information system based on whether they currently own an open “Classified” Case record.

What is the recommended solution for automatically allowing or denying the access to the classified information system based on the open “Classified” Case record criteria?

Choose one answer.

A. Use Salesforce reports to identify users that currently own open “Classified” Cases and should be granted access to the classified information system.

B. Use an Apex trigger on Case to dynamically assign Permission Sets that grant access when a user is assigned an open “Classified” Case, and remove it when the Case is closed.

C. Use Custom Connected App Handler to dynamically allow access to the system based on whether the staff owns any open “Classified” Cases.

D. Use Custom SAML JIT Provisioning to dynamically query the user’s open “Classified” Cases when attempting to access the classified information system.

A

C. Use Custom Connected App Handler to dynamically allow access to the system based on whether the staff owns any open “Classified” Cases.

6
Q

How can a Consultant simplify the login process when half the users enter a username/password and the other half use an SSO solution?

A. Disable access to login.salesforce.com in the My Domain setup.

B. Require the use of Salesforce Authenticator with My Domain.

C. Create a custom page to display login instructions in the My Domain right-hand panel.

D. Create an Identity-First login page for My Domain Login Discovery.

A

D. Create an Identity-First login page for My Domain Login Discovery.

7
Q

A user of a custom Heroku web application should be authenticated by Salesforce, but only created as a contact once becoming a qualified lead. With Spring ’19, which user license should an architect recommend to meet this requirement efficiently?

A. Identity Plus

B. Identity

C. External Identity

D. Company Community

A

C. External Identity

8
Q

An administrator is tasked with configuring an org with a user-authentication method that complies with the FedRAMP Digital Identity requirements. With Spring ’19, which new feature should the administrator use to meet this requirement?

A. Salesforce Identity Connect for certificate support

B. Certificate-based authentication

C. SMS method of identity verification

D. Allow log-ins only from IP addresses approved by the government

A

B. Certificate-based authentication

9
Q

Which features are only available for Employees?

A. Connected Apps

B. Communities

C. Two-Factor Authentication

D. Single Sign-On

E. Identity Connect

F. Self-Registration

G. User Provisioning

H. Auth. Providers (Social Sign-On)

I. My Domain

A

E. Identity Connect

I. My Domain

G. User Provisioning

10
Q

Which features are only available for Customers and Partners?

A. Connected Apps

B. Communities

C. Two-Factor Authentication

D. Single Sign-On

E. Identity Connect

F. Self-Registration

G. User Provisioning

H. Auth. Providers (Social Sign-On)

I. My Domain

A

B. Communities

F. Self-Registration

11
Q

What are the three protocols that Salesforce and other identity vendors follow to implement Identity Solutions?

A
  • SAML
  • OAuth 2.0
  • OpenID Connect
12
Q

What does SAML stand for?

A

Security Assertion Markup Language (SAML)

13
Q

What does IdP stand for?

A

Identity Provider

14
Q

Describe what Identity Connect is.

A

It integrates Microsoft Active Directory (AD) with Salesforce.

It is on-premises software that sits behind your firewall and pushes data to Salesforce. It communicates with the AD server over LDAP(S), and it communicates with Salesforce over HTTPS.

You can also use Identity Connect for single sign-on to Salesforce.

15
Q

What are the 4 use cases for which your org can use connected apps?

A

1 - Integrate external applications with the Salesforce API (such as a web-based app that pulls in order status data from your Salesforce org)

2 - To enable Single Sign-on (SSO) with Salesforce as the Identity provider

3 - To set security policies to control what data a third-party app can access from your org

4 - To provide authorization for external API gateways, such as API gateways hosted on MuleSoft’s Anypoint Platform

16
Q

What is the definition of an Access Token?

A

Instead of using the user’s Salesforce credentials, a consumer (connected app) can use an access token to gain access to protected resources on behalf of the user.

For OAuth 2.0, the access token is a session ID and can be used directly.

17
Q

What is the definition of an Authorization Code?

A

Used only in OAuth 2.0 with the web server flow, the authorization code is a token that represents the access granted by the end user. The authorization code is used to obtain an access token and a refresh token. It expires after 15 minutes.

18
Q

What is the definition of the Callback URL?

A

A callback URL is the URL that is invoked after OAuth authentication for the consumer (connected app). In some contexts, the URL must be a real URL that the client’s web browser is redirected to. In others, the URL isn’t actually used, but the value between your client app and the server (the connected app definition) must be the same. For example, you might want to use a value that identifies the app, such as https://MyCompany.Myapp

19
Q

What is the definition of a Consumer?

A

A consumer is the website or app that uses OAuth to authenticate both the Salesforce user and itself on the user’s behalf

20
Q

What is the definition of a Consumer Key?

A

A consumer uses a key to identify itself to Salesforce. It’s referred to as client_id in OAuth 2.0

21
Q

What is the definition of a Consumer Secret?

A

A consumer uses a secret to establish ownership of the consumer key. Referred to as client_secret in OAuth 2.0

22
Q

What is the definition of a Nonce?

A

A Nonce is a number, often a random number, used during authentication to ensure that requests cannot be reused

23
Q

What is the definition of OAuth?

A

Open Authentication (OAuth) is a standard, token-based protocol for authentication and authorization

24
Q

What is the definition of a Refresh Token?

A

Only used in OAuth 2.0, a consumer can use a refresh token to obtain a new access token, without having the end user approve the access again

25
Q

What is the definition of a Request Token?

A

Only used in OAuth 1.0.A and has been replaced with the Authorization Code in OAuth 2.0

It is a token used to obtain authorization from the end user; the consumer then exchanges it for an access token.

26
Q

What is the definition of a Token Secret?

A

A consumer uses this secret to establish ownership of a given token, both for request tokens and access tokens

27
Q

What are the 3 ways to use SSO in Salesforce?

A
  • Federated Authentication using SAML
  • Delegated authentication SSO
  • Using other authentication providers (through the OpenID Connect protocol)
28
Q

What is the Federated authentication using Security Assertion Markup Language (SAML)?

A

Federated authentication using SAML lets you send authentication and authorization data between affiliated but unrelated web services. You can log in to Salesforce from a client app. Salesforce enables federated authentication for your org automatically

29
Q

What is Delegated authentication SSO?

A

Delegated authentication SSO integrates Salesforce with an authentication method that you choose. You can integrate authentication with your LDAP server or use a token instead of a password for authentication. You manage delegated authentication at the permission level, not at the org level, giving you more flexibility. With permissions, you can require some to use delegated authentication while others use their Salesforce-managed password

30
Q

Which of the following scenarios describes how you can use a connected app?

A) Users can create their own connected apps to access their personal email accounts

B) Users can log in to an external application with their Salesforce or Communities credentials

C) Users can authorize a mobile app to securely access defined Salesforce data on their behalf

D) B and C

A

D) B and C

31
Q

What are the 4 generic steps for a Salesforce IdP initiated flow (When Salesforce logs in to a service provider at the initiation of the end user)?

A
  1. Salesforce: User initiates login
  2. Salesforce: Sends response to service provider
  3. Service Provider: Identifies user, authenticates certificate if necessary
  4. Service Provider: Enables login
32
Q

What are the 5 generic steps for a Service-provider initiated login (when the service provider requests Salesforce to authenticate a user, at the initiation of the user)

A
  1. Service Provider: Requests secure session
  2. Salesforce: Identifies the user, authenticates certificate if available
  3. Salesforce: Sends response
  4. Service Provider: Authenticates certificate or metadata
  5. Service Provider: Enables login
33
Q

What is the difference between Identity provider and Service provider?

A

Identity provider is a trusted service that enables users to access other websites and services without logging in again

Service provider is a website or service that hosts apps and accepts identity from an identity provider

34
Q

What is the difference between authentication and authorization?

A

Authentication means who a person is. These days, authentication is often used as shorthand for authorization and authentication.

Authorization means what a person can do.

35
Q

What benefits does delegated authentication offer?

A
  • Uses a stronger form of user authentication, such as integration with a secure identity provider
  • Makes your login page private and accessible only behind a corporate firewall
  • Differentiates your org from all other companies that use Salesforce to reduce phishing attacks
36
Q

What is Federated Authentication?

A

The platform receives a SAML assertion in an HTTP POST request. The SAML assertion has a limited validity period, contains a unique identifier, and is digitally signed. If the assertion is still within its validity period, has an identifier that has not been used before, and has a valid signature from a trusted identity provider, the user is granted access to the application. If the assertion fails validation for any reason, the user is informed that their credentials are invalid

37
Q

What is Delegated Authentication?

A

An internal web service (WS) authenticates users. It receives a username, password and source IP and returns true or false.

38
Q

What is Social Sign On?

A

Sign-on via social site credentials. Works with community users only.

39
Q

What is SSO with AD?

A

Salesforce is integrated with AD using Identity Connect or ADFS

40
Q

How do SAML and OAuth work together in terms of Authentication and Authorization?

A

SAML is used for authentication (SP sends a SAML request for an access token, the IdP sends a SAML assertion that contains the access token)

OAuth is used for authorization (Grants permission to access certain elements of data, Scopes control what data is shared via an OAuth request)

41
Q

What are the 4 grant types in OAuth 2.0?

A
  • Authorization Code Grant
  • Implicit Grant
  • Resource Owner Password Credentials Grant
  • Client Credentials Grant
42
Q

When should the Authorization Code Grant be used?

A

When the client is a web server. It allows you to obtain a long-lived access token since it can be renewed with a refresh token (if the authorization server enables it)

43
Q

When should the Implicit Grant be used?

A

It is typically used when the client is running in a browser using a scripting language such as JavaScript. This grant type does not allow the issuance of a refresh token.

This type of authorization should ONLY be used if no other type of authorization is available. It is the least secure because the access token is exposed on the client side.

44
Q

When should the Resource Owner Password Credentials Grant be used?

A

It is mainly used when the client has been developed by the same authority as the authorization server.

For example, a website named example.com seeking access to protected resources of its own subdomain api.example.com. The user would not be surprised to type his login/password on the site example.com since his account was created on it

45
Q

When should the Client Credentials Grant be used?

A

This type of authorization is used when the client is itself the resource owner. There is no authorization to obtain from the end user.

The end user does not have to give authorization for accessing the resource server.

46
Q

What is the maximum number of custom objects that an External Identity license has access to?

A

10

47
Q

If you need to use reports and dashboards, which license should you use?

A) External Identity License
B) Community Plus License

A

B) Community Plus License