Identity Management Concepts (28%) Flashcards
An architect has configured a SAML-based SSO integration between Salesforce and an external identity provider. During testing, the architect attempts to log in to Salesforce using SSO, but receives a SAML error. Which two actions should the Architect take to troubleshoot the issue?
A. Ensure the Callback URL is correctly set in the Connected Apps settings.
B. Use a browser that has an add-on/extension that can inspect SAML.
C. Paste the SAML Assertion Validator in Salesforce.
D. Use the browser’s Development tools to view the Salesforce page’s markup.
B. Use a browser that has an add-on/extension that can inspect SAML.
C. Paste the SAML Assertion Validator in Salesforce.
Universal Containers wants users to access Salesforce, and other SSO-enabled applications, from a custom web page that UC maintains. UC wants its users to use the same set of credentials to access each of the applications. What SAML SSO flow should an Architect recommend for UC?
A. Service Provider Initiated with Deep Linking.
B. Service Provider Initiated.
C. Identity Provider Initiated.
D. User-Agent.
C. Identity Provider Initiated.
Why? In this scenario, the authentication is handled within the custom web portal of Universal Containers. The connected systems (including Salesforce) are the service providers, and the custom portal is the identity provider.
A group of users try to access one of Universal Containers’ Connected Apps and receive the following error message:
“Failed: Not approved for access.”
What is the most likely cause of this issue?
Choose one answer.
A. The Connected App settings “All users may self-authorize” is enabled.
B. High Assurance sessions are required for the Connected App.
C. The Users do not have the correct permission set assigned to them.
D. The Salesforce Administrators have revoked the OAuth authorization.
C. The Users do not have the correct permission set assigned to them.
Universal Containers (UC) has decided to use Salesforce as an Identity Provider (IdP) for multiple external applications. UC wants to use the Salesforce App Launcher to control the applications that are available to individual users.
Which three steps are required to make this happen?
Choose three answers.
A. Add each Connected App to the App Launcher with a Start URL.
B. Set up an Auth Provider for each External Application.
C. Set up Salesforce as a SAML IdP with My Domain.
D. Set up Identity Connect to synchronize user data.
E. Create a Connected App for each external application.
A. Add each Connected App to the App Launcher with a Start URL.
C. Set up Salesforce as a SAML IdP with My Domain.
E. Create a Connected App for each external application.
Universal Containers (UC) has a classified information system that its call center team uses only when they are working on a Case with a record type “Classified”. They are only allowed to access the system when they own an open “Classified” Case, and their access to the system is removed at all other times. They would like to implement SAML SSO with Salesforce as the IdP, and automatically allow or deny the staff’s access to the classified information system based on whether they currently own an open “Classified” Case record.
What is the recommended solution for automatically allowing or denying the access to the classified information system based on the open “Classified” Case record criteria?
Choose one answer.
A. Use Salesforce reports to identify users that currently own open “Classified” Cases and should be granted access to the classified information system.
B. Use an Apex trigger on Case to dynamically assign Permission Sets that grant access when a user is assigned an open “Classified” Case, and remove them when the Case is closed.
C. Use Custom Connected App Handler to dynamically allow access to the system based on whether the staff owns any open “Classified” Cases.
D. Use Custom SAML JIT Provisioning to dynamically query the user’s open “Classified” Cases when attempting to access the classified information system.
C. Use Custom Connected App Handler to dynamically allow access to the system based on whether the staff owns any open “Classified” Cases.
How can a Consultant simplify the login process when half the users enter a username/password and the other half use an SSO solution?
A. Disable access to login.salesforce.com in the My Domain setup.
B. Require the use of Salesforce Authenticator with My Domain.
C. Create a custom page to display login instructions in the My Domain right-hand panel.
D. Create an Identity-First login page for My Domain Login Discovery.
D. Create an Identity-First login page for My Domain Login Discovery.
A user of a custom Heroku web application should be authenticated by Salesforce, but only created as a contact once becoming a qualified lead. With Spring ’19, which user license should an architect recommend to meet this requirement efficiently?
A. Identity Plus
B. Identity
C. External Identity
D. Company Community
C. External Identity
An administrator is tasked with configuring an org with a user-authentication method that complies with the FedRAMP Digital Identity requirements. With Spring ’19, which new feature should the administrator use to meet this requirement?
A. Salesforce Identity Connect for certificate support
B. Certificate-based authentication
C. SMS method of identity verification
D. Allow log-ins only from IP addresses approved by the government
B. Certificate-based authentication
Which features are only available for Employees?
A. Connected Apps
B. Communities
C. Two-Factor Authentication
D. Single Sign-On
E. Identity Connect
F. Self-Registration
G. User Provisioning
H. Auth. Providers (Social Sign-On)
I. My Domain
E. Identity Connect
I. My Domain
G. User Provisioning
Which features are only available for Customers and Partners?
A. Connected Apps
B. Communities
C. Two-Factor Authentication
D. Single Sign-On
E. Identity Connect
F. Self-Registration
G. User Provisioning
H. Auth. Providers (Social Sign-On)
I. My Domain
B. Communities
F. Self-Registration
What are the three protocols that Salesforce and other identity vendors follow to implement Identity Solutions?
- SAML
- OAuth 2.0
- OpenID Connect
What does SAML stand for?
Security Assertion Markup Language (SAML)
What does IdP stand for?
Identity Provider
Describe what Identity Connect is.
It integrates Microsoft Active Directory (AD) with Salesforce.
It is on-premises software that sits behind your firewall and pushes data to Salesforce. It communicates with the AD server over LDAP(S), and it communicates with Salesforce over HTTPS.
You can also use Identity Connect for single sign-on to Salesforce.
What are the 4 use cases for which your org can use connected apps?
1 - Integrate external applications with the Salesforce API (such as a web-based app that pulls in order status data from your Salesforce org)
2 - To enable Single Sign-on (SSO) with Salesforce as the Identity provider
3 - To set security policies to control what data a third-party app can access from your org
4 - To provide authorization for external API gateways, such as API gateways hosted on MuleSoft’s Anypoint Platform
What is the definition of an Access Token?
Instead of using the user’s Salesforce credentials, a consumer (connected app) can use an access token to gain access to protected resources on behalf of the user.
For OAuth 2.0, the access token is a session ID and can be used directly.
What is the definition of an Authorization Code?
It’s only used in OAuth 2.0 with the web server flow. The authorization code is a token that represents the access granted by the end user. The authorization code is used to obtain an access token and a refresh token. It expires after 15 minutes.
What is the definition of the Callback URL?
A callback URL is the URL that is invoked after OAuth authentication for the consumer (connected app). In some contexts, the URL must be a real URL that the client’s web browser is redirected to. In others, the URL isn’t actually used, but the value between your client app and the server (the connected app definition) must be the same. For example, you might want to use a value that identifies the app, such as https://MyCompany.Myapp