Identity & Access Management Designer Exam Salesforce
I have to admit that the Identity and Access Management Designer exam was the toughest one among all the certifications that I have appeared for. If you do not have any particular experience in the Identity/Access management area, then I recommend spending some time on a deep study of the core concepts like SSO and OAuth.
The Salesforce Identity and Access Management Designer exam covers the following topics:
Identity Management Concepts: 28%
- Describe the role(s) an identity provider and service provider play in an access control solution.
- Describe common methods for how to trust connections that are established between two systems and the methodologies used to describe trust between an identity provider and service provider.
- Given a scenario, articulate whether it describes an authentication, authorization, or accounting scenario and what Salesforce feature should be used to accomplish the task.
- Given a scenario, recommend the appropriate method for provisioning users in Salesforce, and other third-party services (SOAP/REST API, SAML JIT, Identity Connect, User Provisioning for Connected Apps, etc.).
- Describe the risks to enterprise security that federated Single Sign-on solutions aim to address.
- Given a scenario, troubleshoot common points of failure that may be encountered in a Single Sign-on solution (SAML, OAuth, etc.).
Accepting Third-Party Identity in Salesforce: 22%
- Describe the components of an identity management solution where Salesforce is accepting identity from a third party.
- Given a scenario, recommend the appropriate authentication mechanism when Salesforce needs to accept Third-Party Identity (Enterprise Directory, Social, Community, etc.).
- Given a scenario, recommend the appropriate method of SAML initiation to fulfill the requirements (SP-initiated, IdP-initiated).
- Describe the components of a Delegated Authentication solution.
- Describe the risks of implementing delegated authentication.
Salesforce as an Identity Provider: 23%
- Given a scenario, determine the most appropriate flow type to recommend when implementing an OAuth solution where Salesforce is providing identity to a third party (for example, User-Agent, Web Server, JWT, etc.).
- Describe the various implementation concepts of OAuth (for example, scopes, secrets, tokens, refresh tokens, token expiration, token revocation, etc.).
- Describe the role(s) Connected Apps play when Salesforce needs to provide identity to a third-party system.
- Given a scenario, recommend the Salesforce technologies that should be used to provide identity to the third-party system (Canvas, Connected Apps, App Launcher, etc.).
Access Management Best Practices: 15%
- Describe the risks that Two-Factor Authentication mechanisms aim to mitigate.
- Given a scenario, determine the most appropriate Two-Factor Authentication mechanism for an identity solution.
- Given a scenario, identify the risks and mitigation strategies that session security and Two-Factor Authentication enable (for example, High Assurance Sessions, 2FA, etc.).
Salesforce Identity: 7%
- Given a scenario, recommend the most appropriate Salesforce license type(s) to support the identity requirements.
- Describe the role(s) Identity Connect plays in an Identity Management solution.
Community (Partner and Customer): 5%
- Describe the capabilities for customizing the registration experience for external communities (for example, branding options, self-registration, communications, etc.).
Authentication & Authorization
OAuth Authorization Flows
OAuth authorization flows grant a client application restricted access to protected resources on a resource server. Each OAuth flow offers a different process for approving access to a client app, but in general the flows consist of three main steps.
Types of OAuth Flows in Salesforce
- OAuth 2.0 Web Server Flow for Web App Integration
- OAuth 2.0 User-Agent Flow for Desktop or Mobile App Integration
- OAuth 2.0 Refresh Token Flow for Renewed Sessions
- OAuth 2.0 Authorization and Session Management for Hybrid Apps
- OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration
- OpenID Connect Dynamic Client Registration for External API Gateways
- Generate an Initial Access Token
- OpenID Connect Token Introspection
- OAuth 2.0 Device Flow for IoT Integration
- OAuth 2.0 Asset Token Flow for Securing Connected Devices
- Demo the Asset Token Flow
- OAuth 2.0 Username-Password Flow for Special Scenarios
- OAuth 2.0 SAML Bearer Assertion Flow for Previously Authorized Apps
- SAML Assertion Flow for Accessing the Web Services API
- OAuth 2.0 Authorization Errors
When to Use Which Auth Flow
Resource To Learn OAuth
Salesforce Standard Licence
Connected Application Salesforce
Connected apps are designed to run independently of the Salesforce user interface. Either the app is hosted on an external website that interfaces with salesforce.com, or it is a desktop or mobile app that runs on a client. Authentication for a connected app is client-initiated and must be done per client. Connected apps are usually accessed from outside salesforce.com, although this is not a strict requirement. The session lifespan may be indefinite until revoked by the user or an administrator. The app has limited access to the user's data (referred to as the scope), which can range from identity confirmation only up to full access. The app may run on a server or on a client. Access must be explicitly granted by the user.
Connected App Policies
Configure OAuth access policies for OAuth-enabled connected apps. These policies include defining which users can access a connected app, what IP restrictions apply to the connected app, and how long a refresh token is valid for.
Single Sign-On in Salesforce (SSO)
Single sign-on (SSO) is an authentication method that enables users to access multiple applications with one login and one set of credentials. For example, after users log in to your org, they can automatically access all apps from the App Launcher. You can set up your Salesforce org to trust a third-party identity provider to authenticate users. Or you can configure a third-party app to rely on your org for authentication.
Single Sign-On Terminology
Delegated Authentication SSO
- The web service must accept the source IP address as a method parameter, alongside the username and password.
- UC (Universal Containers, the scenario company) should allow-list all Salesforce IP ranges on its corporate firewall so that Salesforce can reach the web service.
- The return type of the web service method must be a Boolean value (authenticated or not).
- You have to develop a SOAP web service; delegated authentication does not work with REST.
- You have to contact Salesforce to enable Delegated Authentication for your org.
- Delegated authentication SSO can be controlled at the profile level.
- It can be assigned using a profile or a permission set.
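The bullets above describe the contract of the delegated authentication web service: it receives username, password and source IP and returns a Boolean. The following is an added example, not code from the original post or from Salesforce: a minimal handler for that SOAP message in Python. The namespace and element names (Authenticate, username, password, sourceIp, AuthenticateResult, Authenticated) are assumed from Salesforce's delegated authentication WSDL; the user store and the IP policy are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import xml.etree.ElementTree as ET

# Assumed: namespace and element names from Salesforce's delegated authentication WSDL.
NS = "urn:authentication.soap.sforce.com"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store: username -> (salt, PBKDF2-SHA256 digest). Never store plaintext passwords.
USERS = {"alice@uc.example": (b"salt-alice", _pbkdf2("correct horse", b"salt-alice"))}

# Constructed policy: the sourceIp Salesforce forwards is the end user's address, so it can drive
# a network-based login policy. The firewall allow-list of Salesforce IP ranges is a separate control.
ALLOWED_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_authenticate(xml_body: str) -> dict:
    """Extract username, password and sourceIp from an Authenticate SOAP request."""
    req = ET.fromstring(xml_body).find(f".//{{{NS}}}Authenticate")
    if req is None:
        raise ValueError("not an Authenticate request")
    return {f: (req.findtext(f"{{{NS}}}{f}") or "") for f in ("username", "password", "sourceIp")}


def authenticate(username: str, password: str, source_ip: str) -> bool:
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    if not any(ip in net for net in ALLOWED_SOURCE_NETS):
        return False
    rec = USERS.get(username)
    # Always run the hash so response timing does not reveal whether the username exists.
    salt, digest = rec if rec else (b"dummy-salt", b"\x00" * 32)
    ok = hmac.compare_digest(_pbkdf2(password, salt), digest)
    return ok and rec is not None


def handle_request(xml_body: str) -> str:
    """Return the SOAP response body; the only information leaked is the Boolean result."""
    try:
        f = parse_authenticate(xml_body)
        result = authenticate(f["username"], f["password"], f["sourceIp"])
    except (ET.ParseError, ValueError):
        result = False  # malformed input is a failed login, never a detailed error
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Body>'
            f'<AuthenticateResult xmlns="{NS}"><Authenticated>{"true" if result else "false"}'
            f'</Authenticated></AuthenticateResult></soapenv:Body></soapenv:Envelope>')
```

A constructed request for the test looks like `<urn:Authenticate><urn:username>alice@uc.example</urn:username><urn:password>correct horse</urn:password><urn:sourceIp>203.0.113.7</urn:sourceIp></urn:Authenticate>` inside a SOAP envelope; Salesforce itself would POST it over TLS to the endpoint configured in the org.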
Resources for Single Sign On
Login Flow in Salesforce
A login flow directs users through a login process before they access your Salesforce org or Experience Cloud site. You can use a login flow to control the business processes that your users follow when they log in to Salesforce. After Salesforce authenticates a user, the login flow directs the user through a process, such as enforcing strong authentication or collecting user information. When users complete the login flow successfully, they are redirected to their Salesforce org or site. If unsuccessful, the flow can log out users immediately.
Multi-Factor Authentication (MFA / 2FA)
Set multi-factor authentication (MFA) login requirements using profile policies and session settings. You can apply MFA requirements to all Salesforce user interface authentication methods. These methods include username and password, delegated authentication, SAML single sign-on (SSO), and social sign-on (SSO using an external authentication provider). You can also enable MFA requirements for your Salesforce org and for Experience Cloud sites.
Other Resources That I followed
- Salesforce Trailmix
- ApexHours PlayList
- SSO Guide
- 2FA Using Apex
- Login Flow
Wish you all the best. If you need anything from my side, please do let me know.