Single Sign On

Question 1

What are the 3 methods to get SSO on SF?

Answer 1

1. Federated Authentication using SAML
2. Delegated Authentication
3. Login using credentials from another service - OpenID Connect

Question 2

Describe the login flow when SF is the SP?

Answer 2

1. SF sends SAML request to IDP
2. IDP sends SAML assertions to SF using SAML web single sign on Browser POST
3. SF receives the assertion, verifies against the org and if true allows SSO

Question 3

What are the configuration steps to configure SF as SP?

Answer 3

1. Create Federation ID for each user
2. Setup SSO settings in SF (SAML Single Sign On settings - SAML Sign In URL and certificate from IDP needed)
3. Get Information required from IDP
4. Configure Pages on SF
5. Setup SF settings in IDP (SAML ACS URL and entity ID needed on IDP)
6. Test

Question 4

What are the key fields required in SAML Single Sign On settings / required from IDP?

Answer 4

1. Issuer
2. Entity ID
3. Request Signing Certificate
4. SAML Identity Type
5. SAML Identity Location
6. SP Initiated Request Binding

Question 5

What are the different SAML identity types that can be configured in SAML Single Sign On Settings?

Answer 5

1. Salesforce Username
2. Federation ID
3. User ID

Question 6

What are the SAML Identity Locations that are supported in SAML Single Sign On Settings?

Answer 6

1. NameIdentifier of Subject statement

2. Attribute element

Question 7

What further information do you need if the SAML Identity Location is Attribute?

Answer 7

1. Attribute Name
2. Attribute URI
3. Name ID format

Question 8

What are the 2 types of request binding supported for SP initiated requests?

Answer 8

1. HTTP POST

2. HTTP Redirect

Question 9

What are the SSO pages that can be configured?

Answer 9

1. Start
2. Login
3. Logout
4. Error

Question 10

What is the sequence for SSO determining what pages to use?

Answer 10

1. Session cookie
2. Values passed from IDP
3. Values specified on Single Sign On page

Question 11

What are the page values passed from IDP?

Answer 11

1. ssoStartPage - where does SSO flow start / login URL
2. Use RelayState - control where users are redirected after login
3. startURL - where users go after sso

Question 12

What are 2 ways of performing JIT?

Answer 12

1. Standard (provision automatically based on values in the assertion)
2. Custom (based on logic in the handler class)

Question 13

In what SAML tag are JIT fields passed?

Answer 13

SAML Attribute e.g.

  testuser@123.org

Question 14

What do fields need to be prefixed with for JIT?

Answer 14

User.

Question 15

How can you define Profile for JIT?

Answer 15

Pass ProfileName in ProfileID field

Question 16

What are required fields for JIT?

Answer 16

Email
Lastname
ProfileID
Username (insert only)

Question 17

When can you pass Federation ID for JIT?

Answer 17

On Insert Only mode

Question 18

What are the steps required when you set up SF as an IDP?

Answer 18

1. Enable SF as IDP
2. Determine which certificate you will use
3. Exchange SSO information with SP
4. Create SAML Connected App
5. Map SF Users to SAML SP

Question 19

What information needs to be obtained from the SP if SF is the IDP?

Answer 19

1. Certificate
2. Assertion Consumer Service (ACS)
3. Entity ID
4. Subject Type
5. Security Certificate

Question 20

What are the Identity Provider Chains that are supported with the SF platform?

Answer 20

1. SAML Only
2. OpenID Connect Only
3. SAML & OpenID

Question 21

Where are SSO permissions controlled for Delegated Authentication?

Answer 21

User Level

Question 22

Describe the login flow for Delegated Authentication

Answer 22

1. User has SSO enabled on user record
2. SF does not validate username or password
3. Calls webservice
4. When response is True
5. New session is generated
6. User gets access

Question 23

Describe the setup process for Delegated Authentication

Answer 23

1. Enable Delegated Authentication in Setup - Single Sign On Settings - Disable Login with Salesforce Credentials
2. Build web service
3. Specify Delegated Authentication Gateway URL (Single Sign On settings)
4. Enable User permissions - ‘Is Single Sign-On Enabled’

Question 24

What are security measures you should consider with the authentication service used in Delegated Authentication?

Answer 24

1. DMZ

2. 3rd Party CA used for TLS

Question 25

What happens if a user resets their SF password while using Delegated Authentication?

Answer 25

They get redirected to their SF admin

Question 26

How do you troubleshoot errors with Delegated Authentication?

Answer 26

Setup - Delegated Authentication Error History

Question 27

What are the requirements to set up SP initiated SSO?

Answer 27

1. SAML sign in URL (Issuer) and certificate from IDP to be configured in SP
2. SAML ACS URL and entity ID from SP to be configured in IDP (both in Connected App)

Question 28

What is RelayState used for in a SAML SSO flow?

Answer 28

Persisting the state of the original requested URL to support use cases such as deep linking

Question 29

What are some extra security features that can be used for SP initiated SSO?

Answer 29

1. Request signing and verification
2. Assertion encryption
3. Session level controls - e.g. MFA

Question 30

What are the certificates that can be used in SSO?

Answer 30

1. IDP certificate to be loaded in SP
2. Request signing certificate from SP (and signature method)
3. Assertion decryption certificate loaded on SP