Tuesday, September 24, 2019

Custom Label : Fetch all Custom Label Information through Execute Anonymous Script

CustomLabel is available in the Tooling API and can be used to retrieve information about every custom label in the org. A single callout to the REST endpoint returns up to 2000 records together with a "nextRecordsUrl" attribute, which contains the URI for the next set of custom labels.

If you want to create a class in your org and execute its methods to get custom label information, refer to the URL below:

Custom Label : Fetch all Custom Label Information using Tooling API

But if you don't want to deploy a new class to production (or to any other org) just to read custom label information, you can run the Apex script below in the Execute Anonymous window of the Developer Console.

Hope this will help!!!

Monday, September 23, 2019

Box API : How to Regenerate Access Token from Refresh Token

Box and Salesforce can be integrated to store files in Box and link them with Salesforce records. You can also write an Apex script to extract files or attachments from Salesforce and upload them into a Box folder.

For a basic understanding of how to generate an access token from Box, refer to the URL below:
Box and Salesforce Integration

Whenever we perform the OAuth handshake with Box, Box returns an access token along with a refresh token. Below is a sample JSON response for the access token:

{
"access_token": "h91xxxxxxxxxxxxxxxxxxxx8",
"expires_in": 4012,
"restricted_to": [],
"refresh_token": "bxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxM",
"token_type": "bearer"
}

Here expires_in specifies the duration for which this access token is valid. After this duration the user will receive a 401 error, so we need to regenerate the access token using the refresh token.

Below is Apex code which can be used to regenerate a new access token and refresh token. To regenerate, you need the client id, the client secret and the refresh token.
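Added example (not the post's own code): an Apex class that performs the refresh-token grant against Box's token endpoint and rotates the stored token pair. It assumes a Remote Site Setting for https://api.box.com and a hypothetical protected custom setting Box_Settings__c (fields Client_Id__c, Client_Secret__c, Access_Token__c, Refresh_Token__c) so that no secret is hard-coded in the script.

```apex
// Added example, not the blog's own code. Assumes a Remote Site Setting for https://api.box.com
// and a hypothetical protected custom setting Box_Settings__c holding the client id, client
// secret and the current token pair.
public class BoxTokenRefresher {

    public class BoxTokens {
        public String accessToken;
        public String refreshToken;
        public Integer expiresIn;  // validity of the new access token, as returned by Box
    }

    // Exchanges a refresh token for a fresh access token + refresh token pair.
    // Box refresh tokens are single-use: the one returned here must replace the stored one.
    public static BoxTokens refresh(String clientId, String clientSecret, String refreshToken) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('https://api.box.com/oauth2/token');
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setTimeout(30000);
        req.setBody('grant_type=refresh_token'
            + '&refresh_token=' + EncodingUtil.urlEncode(refreshToken, 'UTF-8')
            + '&client_id=' + EncodingUtil.urlEncode(clientId, 'UTF-8')
            + '&client_secret=' + EncodingUtil.urlEncode(clientSecret, 'UTF-8'));

        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // Box answers 400 with an "error" field when the refresh token is expired or was already used.
            // Deliberately not logging the request body: it carries the client secret and the refresh token.
            throw new CalloutException('Box token refresh failed with HTTP ' + res.getStatusCode());
        }

        Map<String, Object> body = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        BoxTokens tokens = new BoxTokens();
        tokens.accessToken = (String) body.get('access_token');
        tokens.refreshToken = (String) body.get('refresh_token');
        tokens.expiresIn = Integer.valueOf(String.valueOf(body.get('expires_in')));
        return tokens;
    }

    // Reads the stored pair, refreshes it and persists the rotated pair so the next
    // refresh uses the new refresh token (Box_Settings__c is the hypothetical custom setting).
    public static BoxTokens rotateStoredTokens() {
        Box_Settings__c cfg = Box_Settings__c.getOrgDefaults();
        BoxTokens fresh = refresh(cfg.Client_Id__c, cfg.Client_Secret__c, cfg.Refresh_Token__c);
        cfg.Access_Token__c = fresh.accessToken;
        cfg.Refresh_Token__c = fresh.refreshToken;
        upsert cfg;
        return fresh;
    }
}
```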

The code above is self-explanatory.


Hope this help!!!


Tuesday, September 3, 2019

Custom Label : Fetch all Custom Label Information using Tooling API

In organizations which have huge metadata, it is very difficult to fetch custom label information using the Metadata API. When I tried using the Metadata API in an org which has more than 15000 custom labels, I was getting the "IO Exception: Exceeded max size limit of 6000000" error.

CustomLabel is available in the Tooling API and can be used to retrieve information about every custom label in the org. A single callout to the REST endpoint returns up to 2000 records together with a "nextRecordsUrl" attribute, which contains the URI for the next set of custom labels.

I have created the code snippet below, which can be used to fetch all custom labels into a csv file. The user will receive an email with an attachment containing each custom label's Id, Name and Value.

After saving this Apex class, run the script below in the Developer Console and you will receive an email with a csv file containing all custom label information.

SK_CustomlabelUtility.fetchAllCustomLabels();

Below is snapshot of csv file:



This utility can be helpful for taking a backup of custom labels in sandbox or production, or for finding dependencies on or references to any metadata component (such as fields) inside custom labels.

Hope this will help!!

Looking forward to everyone's comments and feedback.

Friday, August 23, 2019

Development Lifecycle and Deployment Designer : Exam Preparation Guide and Tips

First of all, a big thanks to everyone who follows my blogs and provides their valuable feedback. This motivates me to write something every month and share my knowledge by taking time out from the so-called busy professional life.

This is my 150th blog, and the blog has reached 500K pageviews (with 500+ daily page views). Once again, thanks to everyone!!

Along with this, I am really excited to have received the "System Architect" credential after completing the "Development Lifecycle and Deployment Designer" exam.



If you want to prepare for the other exams required for "System Architect", refer to the URLs below:
Through this blog, I will be sharing some information which will help you prepare for this exam.

As always, I started with the trailmix Architect Journey: Development Lifecycle and Deployment, designed for this exam. It has a lot of information about the different aspects of this exam.

Now I will go through the different topics which will help you:

Migration Tools
  • You should know the use cases for when to use Change Sets, the Force.com Migration Tool (ANT) and the Force.com IDE.
  • When you have a separate release team for deployments, then as the architect you need to make sure that all components necessary for the deployment are specified in package.xml and that the associated metadata is handed to the release management team in a .zip file.
  • There are a few exceptions which cannot be migrated using the Metadata API, so these components have to be deployed manually. Refer to the Unsupported Metadata List for deployments.
  • Custom settings can be migrated, but custom setting data needs to be migrated manually after the custom setting is deployed.
  • Prefer custom metadata types over custom settings if you want the data to be migrated as part of deployments.
  • If you want to remove/delete certain metadata for clean-up purposes, create a destructiveChanges.xml file, specify all the components to delete in it and deploy it using the Force.com Migration Tool.

Sandbox Strategy

Salesforce offers sandboxes and a set of deployment tools, so you can:
  • Isolate customization and development work from your production environment until you’re ready to deploy changes.
  • Test changes against copies of your production data and users.
  • Provide a training environment.
  • Coordinate individual changes into one deployment to production.

Sandbox Types
  • Developer Sandbox
A Developer sandbox is intended for development and testing in an isolated environment. Developer Sandbox includes a copy of your production org’s configuration (metadata).
  • Developer Pro Sandbox
A Developer Pro sandbox is intended for development and testing in an isolated environment and can host larger data sets than a Developer sandbox. A Developer Pro sandbox includes a copy of your production org’s configuration (metadata). Use a Developer Pro sandbox to handle more development and quality assurance tasks and for integration testing or user training.
  • Partial Copy Sandbox
A Partial Copy sandbox is intended to be used as a testing environment. This environment includes a copy of your production org’s configuration (metadata) and a sample of your production org’s data as defined by a sandbox template. Use a Partial Copy sandbox for quality assurance tasks such as user acceptance testing, integration testing, and training.
  • Full Sandbox
A Full sandbox is intended to be used as a testing environment. Only Full sandboxes support performance testing, load testing, and staging. Full sandboxes are a replica of your production org, including all data, such as object records and attachments, and metadata. The length of the refresh interval makes it difficult to use Full sandboxes for development.

When you create a Full sandbox, you also have to decide how much field tracking history and Chatter activity to include.
  • The default is to omit field tracking, but you can include up to 180 days of field tracking. If you track field history for many objects in your production org, specify fewer days to avoid generating an excessive amount of data.
  • Chatter activity data can be extensive, which can add a significant amount of time to your Full sandbox copy.
Limit the amount of field history that you copy, and copy your Chatter data only if you need it for your testing use cases.

Sandbox Refresh Interval




  • As a best practice, development and testing should not happen in the same sandbox.
  • If testing and development happen in the same org, testers may face issues because development is going on in that same org.
  • Salesforce releases are applied first to sandboxes and then to production. To identify whether a Salesforce release will impact your current development or features, test the functionality in a preview sandbox (a sandbox which has already been upgraded to the new release before production).
  • Before every release, Salesforce sends a notification listing all instances or domains which are part of the sandbox preview. If your sandbox is not part of it, raise a request with Salesforce to include your sandbox.

Continuous Integration

Continuous integration (CI) is a software development practice in which developers regularly integrate their code changes into a source code repository. To ensure that the new code does not introduce bugs, automated builds and tests run before or after developers check in their changes.

Using continuous integration, a product is built to include and integrate every code change on every commit (continuously), by any and all developers. An automated build then verifies each check-in, letting teams detect problems early.

Continuous integration (CI) is a component of the continuous delivery process that enables developers to integrate their updates into the master branch on a regular basis. With CI, automated tests run before and after each change is merged, validating that no bugs have been introduced.
  • When you have multiple concurrent projects running alongside new features, always use source control, a build tool for deployment and automated test scripts.
  • Continuous integration tooling includes a source control tool, the Force.com Migration Tool and a sandbox environment where the build can be validated and automated tests run.
  • Use unit tests and automated functional test scripts as part of the continuous integration strategy.
  • When multiple developers are working on different functionality alongside bug fixes, create separate branches for the developers and merge their changes into a common branch for testing.

Continuous Delivery

Continuous delivery ensures that code can be rapidly and safely deployed to production by manually pushing every change to a production-like environment. Since every change is automatically delivered to a staging environment, you can deploy the application to production with a push of a button when the time is right.

The additional step of pushing the code to a staging environment is what makes continuous integration different than continuous delivery. Having a green (successful) build with CI doesn't mean your code is production ready until you push it to a staging environment that matches the final production environment.


Continuous Deployment

Continuous deployment is the next step after continuous delivery. With continuous deployment, every change that passes the automated tests is deployed to production automatically, whereas in continuous delivery the final push to production is a manual step. Most companies that aren't bound by regulatory or other constraints should have a goal of continuous deployment.

While not every company can implement continuous deployment, most companies can implement continuous delivery. Continuous delivery gives you the confidence that your changes are serving value to your customers when you release your product, and that you can actually push that button anytime the business is ready for it.



Understanding Packages

A package is a container for something as small as an individual component or as large as a set of related apps. After creating a package, you can distribute it to other Salesforce users and organizations, including those outside your company.
  • Understand the difference between managed and unmanaged packages.
  • Managed packages can be created in a Developer Edition or Partner Developer Edition org.
  • Aloha app is a status given to a managed package so that it won't count against the limits imposed by SFDC. This is mainly utilized for Group and Professional editions.
  • Unlocked Packages
    • Unlocked packages help you add, edit, and remove metadata in your org in a trackable way so you can reuse components and upgrade your Salesforce apps easier and faster. They encapsulate all the metadata changes and updates you plan to make.
    • These are especially suited for internal business apps.
    • With an unlocked package, you have a lot of flexibility. Your admins can make changes directly in production in response to emergency change requests because metadata in unlocked packages can be modified in a production org.

Governance


If you have multiple teams working together and delivering different features at the same time, you need to establish governance to avoid technical debt on the platform.
Suppose each team is building different VF pages or installing different managed packages from the AppExchange; there is then a chance that developers are doing customization instead of using Salesforce standard capabilities. They may also spend additional effort on functionality which has already been implemented by another team. Without governance, you may end up with multiple page layouts, duplicate fields or duplicate VF pages.

  • Center of excellence
This team can monitor whether Salesforce development standards and practices have been followed and can help reduce technical debt on the platform. It can emphasize the use of Salesforce standard functionality over customization, and it can be involved in solution design reviews and provide feedback before actual development starts.
  • Change control board
A change control board can help avoid duplicates in the system. This committee makes decisions on whether or not proposed changes should be implemented, and it can raise a hand or point out when functionality already exists in the system. The committee can also help in monitoring the system limits and take decisions based on them.


Agile vs Waterfall Methodology

  • Use an agile approach if requirements keep changing based on end-user feedback. This involves having DevOps for rapid testing and development. It is an iterative approach in which we deliver features one by one; we estimate the project timeline and budget but do not have strict deadlines, as requirements may vary based on end-user feedback.
  • Use the waterfall methodology if the project has a fixed scope, timeline and budget. Also, if requirements are pre-defined and end users are looking for a complete product, opt for waterfall.

Testing

  • Load testing: this is considered a positive test, as we monitor application performance under a predefined load (concurrent operations).
  • Performance testing: this test monitors request response time and throughput and measures the mean application performance under normal conditions. It is also considered a positive test; for this we perform concurrent transactions to measure application performance.
  • Stress testing: this is considered negative testing. It is similar to load testing, but we keep increasing the load on the application until the application/server crashes.
  • Salesforce production is a shared environment, so stress testing is prohibited by Salesforce. Salesforce imposes many governor limits to prevent it.

Apex Hammer Test

Salesforce runs your org's Apex tests in both the current and the new release and compares the results to identify issues for you. The Hammer means taking every single Apex test that you or anyone else has created and running it twice.
Salesforce uses these results to identify any issues to resolve before the release.
The Apex Hammer test considers only those test classes which do not have access to org data. The advantages of creating data-silo tests are:
  • Tests run more reliably because they aren’t dependent on data that can sometimes change.
  • Failures from those tests are easier to diagnose.
  • Finding bugs in the Hammer process is easier.
  • Deploying from one org to another is more reliable.
Apex is not alone in running hammer tests. Visualforce, packaging, Trialforce, and dashboards all go through a similar process. The Apex process is the most involved, but the general principle of finding potential issues before you do applies to all of these.


Hope this will help!!!
Best of luck for your exam!!!






Sunday, August 11, 2019

Accessing Child Records from sObjects using getSobjects method

Dynamic queries play a very important role when we need to run different SOQL based on different inputs. By using dynamic Apex, we can store the output of queries in an sObject list and then check whether a parent record contains any child records. If you want to fetch the child record information, you can use the getSobjects('relationshipName') method to get the child records.

Below is a code snippet to get all the opportunities and contacts related to an Account:
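Added example, not the post's own snippet: it queries one Account with Contacts and Opportunities subqueries and reads both child lists back from the generic sObject with getSObjects, guarding against the null that comes back when a subquery matched nothing.

```apex
// Added example, not the blog's own snippet. Queries one Account with its Contacts and
// Opportunities subqueries and reads the child lists back from the generic sObject.
public class AccountChildReader {

    // Returns how many child rows came back per relationship name,
    // e.g. {'Contacts' => 2, 'Opportunities' => 0}
    public static Map<String, Integer> readChildren(Id accountId) {
        // The bind variable :accountId is resolved from this method's scope by Database.query
        String soql = 'SELECT Id, Name, '
            + '(SELECT Id, LastName, Email FROM Contacts), '
            + '(SELECT Id, Name, StageName, Amount FROM Opportunities) '
            + 'FROM Account WHERE Id = :accountId';

        List<sObject> rows = Database.query(soql);
        Map<String, Integer> counts = new Map<String, Integer>();
        if (rows.isEmpty()) {
            return counts;  // no such account, or not visible to the running user
        }
        sObject acc = rows[0];

        for (String relationshipName : new List<String>{ 'Contacts', 'Opportunities' }) {
            // getSObjects may return null rather than an empty list when the subquery
            // matched nothing, so guard before iterating
            List<sObject> children = acc.getSObjects(relationshipName);
            Integer n = (children == null) ? 0 : children.size();
            counts.put(relationshipName, n);

            for (Integer i = 0; i < n; i++) {
                sObject child = children[i];
                // Child fields are read generically as well; the display field differs per object
                String label = (relationshipName == 'Contacts')
                    ? (String) child.get('LastName')
                    : (String) child.get('Name');
                System.debug(relationshipName + ' #' + (i + 1) + ': ' + child.Id + ' ' + label);
            }
        }
        return counts;
    }
}
```

Run it from the Developer Console with AccountChildReader.readChildren('<an Account Id from your org>');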

Hope this will help!!!

Thursday, June 13, 2019

Accessing Parent Field Values from sObjects in Dynamic Queries Using Dynamic Apex

In the case of dynamic queries, we often store the query output in an sObject and then refer to field values. To refer to field values, we first type cast the generic sObject into a specific object like Account, Contact or a custom object, as shown below:

string qString = 'Select id, name from Account Limit 1';
sObject sb = database.query(qString);
Account acc = (Account)sb;
string accountName = acc.Name;

If we know the field API names, we can use the sObject get method to read field values directly without type casting, as shown below (get returns an Object, so the result is cast to the expected type):

string qString = 'Select id, name from Account Limit 1';
sObject sb = database.query(qString);
string accountName = (String) sb.get('Name');

With the help of the sObject methods, we can also access parent field values from child records.

Now consider a scenario in which I have a list which stores all the field API names used to query opportunity line items. I will generate the dynamic query and use the sObject methods to access Opportunity fields from the sObject returned by the dynamic query.

List<string> fieldAPINamesList = new List<string>{'Id','Opportunity.Name','Opportunity.Partner__r.Name'};
string qString ='Select '+string.join(fieldAPINamesList,',')+ ' from OpportunityLineItem where id=\'00k90000002z4ml\'';
system.debug('****qString:'+qString);
sobject sb = database.query(qString);
//syntax to get OpportunityLineItem Id  value from sObject
string OpportunityLineItemId = string.valueof(sb.get('Id'));
system.debug('******OpportunityLineItemId:'+OpportunityLineItemId);
//syntax to get Opportunity.Name field value from sObject
string OpportunityName = string.valueof(sb.getSobject('Opportunity').get('Name'));
system.debug('******OpportunityName:'+OpportunityName);
//syntax to get Opportunity.Partner__r.Name field value from sObject
//If partner field in opportunity is blank then you will get null pointer exception
string partnerName = string.valueof(sb.getSobject('Opportunity').getSObject('Partner__r').get('Name'));
system.debug('******partnerName:'+partnerName);

Note: While accessing parent record details in a child-to-parent query, you will get a null pointer exception if the parent lookup is blank on the child record.

I have written a utility method which takes an sObject and a field API name as parameters and returns the field value. Please refer to the code below:
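Added example, not the post's own utility: getFieldValue walks a dotted path such as 'Opportunity.Partner__r.Name' through the parent sObjects and returns null instead of throwing when any lookup on the path is blank or the relationship was not queried. Partner__r is assumed to be the author's custom lookup on Opportunity, as in the query above.

```apex
// Added example, not the blog's own utility. Walks a dotted field path through parent
// sObjects and returns null, instead of a null pointer exception, when a lookup is blank.
public class SObjectFieldUtil {

    public static Object getFieldValue(sObject record, String fieldPath) {
        if (record == null || String.isBlank(fieldPath)) {
            return null;
        }
        List<String> parts = fieldPath.split('\\.');
        sObject current = record;
        try {
            // Every segment except the last is a parent relationship name
            for (Integer i = 0; i < parts.size() - 1; i++) {
                current = current.getSObject(parts[i]);
                if (current == null) {
                    return null;  // blank lookup, e.g. Opportunity.Partner__c not set
                }
            }
            return current.get(parts[parts.size() - 1]);
        } catch (SObjectException e) {
            // Field or relationship was not part of the SELECT list, so this record cannot supply it
            System.debug(LoggingLevel.WARN, 'Not queried: ' + fieldPath + ' (' + e.getMessage() + ')');
            return null;
        }
    }

    // Convenience wrapper for the common case of wanting the value as text
    public static String getFieldValueAsString(sObject record, String fieldPath) {
        Object value = getFieldValue(record, fieldPath);
        return (value == null) ? null : String.valueOf(value);
    }

    // Usage with the dynamic query from the post; pass a real OpportunityLineItem Id from your org.
    // Partner__r is assumed to be a custom lookup on Opportunity.
    public static void demo(Id opportunityLineItemId) {
        List<String> fieldAPINamesList = new List<String>{
            'Id', 'Opportunity.Name', 'Opportunity.Partner__r.Name'
        };
        String qString = 'SELECT ' + String.join(fieldAPINamesList, ',')
            + ' FROM OpportunityLineItem WHERE Id = :opportunityLineItemId';
        for (sObject sb : Database.query(qString)) {
            for (String path : fieldAPINamesList) {
                // Prints null for Opportunity.Partner__r.Name when the partner lookup is blank
                System.debug(path + ' = ' + getFieldValueAsString(sb, path));
            }
        }
    }
}
```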

If you run the above script in the Developer Console with a correct OpportunityLineItem Id, you will see the logs below:


Hope this will help!!!

Thursday, June 6, 2019

Fire Platform Events from Batch Apex using Database.RaisesPlatformEvents Interface

With the Summer '19 release (API version 44 or later), it is now possible to fire platform events from batch Apex. So whenever an error or exception occurs, you can fire a platform event which can be handled by different subscribers.

The batch class needs to implement the "Database.RaisesPlatformEvents" interface in order to fire the platform event.

global class SK_AccountProcessBatch implements Database.Batchable<sObject>,Database.RaisesPlatformEvents{
   //batch logic
}

To understand more about platform events, please refer to the links below:

Platform Events : Way to Deliver Custom Notifications within Salesforce or to external Application

Here I will be writing a simple batch class which processes account records; if any error occurs during the update, the Ids of all the failed account records will be published using a platform event.

I have created a platform event with the fields shown below:


Below is the batch Apex code which fires the platform event, and a trigger I wrote which subscribes to the platform event.

I have used the Database.Stateful interface to store the record Ids which fail in each batch execution. In the finish method, I fire the platform event with all the failed record Ids.
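Added example, not the post's own class: a batch that collects failed Account Ids across executions with Database.Stateful and publishes one event from finish(). It assumes the Demo_Event__e event with the fields Event_Info__c, Is_Event_Valid__c and Event_Publisher__c from the platform-events post, and Event_Info__c being a 255-character text field. Implementing Database.RaisesPlatformEvents also makes the platform publish a BatchApexErrorEvent for any unhandled exception in the class.

```apex
// Added example, not the blog's own class. Assumes Demo_Event__e with the fields used below.
global class SK_AccountProcessBatch implements
        Database.Batchable<sObject>, Database.Stateful, Database.RaisesPlatformEvents {

    // Survives across execute() invocations only because of Database.Stateful
    global Set<Id> failedIds = new Set<Id>();

    global Database.QueryLocator start(Database.BatchableContext bc) {
        return Database.getQueryLocator('SELECT Id, Description FROM Account');
    }

    global void execute(Database.BatchableContext bc, List<Account> scope) {
        for (Account acc : scope) {
            acc.Description = 'Processed by batch on ' + System.now().format();
        }
        // allOrNone = false: one failing record (validation rule, locked row, ...) does not roll
        // back the whole chunk, and we get a per-record result to inspect
        List<Database.SaveResult> results = Database.update(scope, false);
        for (Integer i = 0; i < results.size(); i++) {
            if (!results[i].isSuccess()) {
                failedIds.add(scope[i].Id);
                for (Database.Error err : results[i].getErrors()) {
                    System.debug(LoggingLevel.ERROR, scope[i].Id + ': ' + err.getMessage());
                }
            }
        }
    }

    global void finish(Database.BatchableContext bc) {
        if (failedIds.isEmpty()) {
            return;  // nothing to report, so no event is published
        }
        List<String> idStrings = new List<String>();
        for (Id failedId : failedIds) {
            idStrings.add(failedId);
        }
        // Assumes Event_Info__c is Text(255); use a Long Text Area field if the Id list can be long,
        // otherwise the list is cut off here
        String info = 'Account update failed for: ' + String.join(idStrings, ',');
        Demo_Event__e evt = new Demo_Event__e(
            Event_Info__c = info.abbreviate(255),
            Is_Event_Valid__c = true,
            Event_Publisher__c = 'SK_AccountProcessBatch');

        Database.SaveResult sr = EventBus.publish(evt);
        if (!sr.isSuccess()) {
            for (Database.Error err : sr.getErrors()) {
                System.debug(LoggingLevel.ERROR, 'Event publish failed: ' + err.getMessage());
            }
        }
    }
}
```

Start it with Database.executeBatch(new SK_AccountProcessBatch(), 200); the after insert trigger on Demo_Event__e from the platform-events post then receives the event.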

Below are the logs generated by the trigger, which executes whenever the platform event is fired.


In order to see debug logs for platform events subscription, add a trace flag entry for the Automated Process entity in Setup. The debug logs aren’t available in the Developer Console’s Log tab.

Navigate to SetUp --> Debug Logs --> New
  • For Traced Entity Type, select Automated Process.
  • Select the time period to collect logs and the debug level.
  • Click Save.
I have also created a Lightning component which subscribes to the platform event and displays the event message, as shown in the snapshot below:

Please refer to the link below to understand how to use platform events in Lightning components:

Handling Platform Events in Lightning Components


Hope this will help!!!


Saturday, June 1, 2019

How to Get List of All Child Records for Given Parent Records in .csv File using Apex

If we have a lot of child objects for a parent object, it becomes very difficult to find the list of all records related to a given parent. For example, Account and Contact are referenced by many standard and custom objects.

Consider a scenario in which Account is the parent of more than 50 objects. If we have to check whether an account record is referenced in any of these child objects, how are we going to do that? It is very difficult to add all the related lists to the account page layout or to write SOQL queries to get this information.

If we use nested queries as shown below, we are limited to 20 nested (sub)queries per SOQL statement.

select id, (Select id from Cases),(Select id from Contacts) from Account where Id='0010000xxxxxxx'

To overcome these issues, I have written a script which you can run in the Developer Console; you will receive an email with a .csv file containing all the child records for a given parent record.

In the script below, specify the object API name and the 15- or 18-digit record Id.

After running this script, you will receive the .csv file by email, as shown below:


If you get the error shown below while running the script, make a note of the following points:


  • This exception cannot be handled by try and catch.
  • The SOQL is not performing well, possibly because of the large volume of data or due to indexing issues on the table.
  • Instead of running this script in the Developer Console, use batch Apex to run this logic. You can create a custom object and first run a script to store all the child object details (relationship name, child object name). Then execute the logic in a batch class: first fetch all these records from the custom object, then fire the nested queries using the relationship names and store the output in a variable. Make sure your batch size is not greater than 20, as we have a limit of 20 nested queries per SOQL statement. In the finish method, write the send-email code to get the .csv file. If you are still getting this error, keep reducing the batch size.
Hope this will help!!

Looking forward to your comments and suggestions.



Thursday, May 30, 2019

How to get all Child Objects List along with Relationship Names related to Parent Object using Apex

Sometimes it is required to get the list of all child relationship names in order to identify all the child objects related to a parent object.

Dynamic Apex helps to find all related child objects. Suppose you want to find all objects related to Account; then use the code snippet below:



You can specify any object API name and run this code snippet in the Developer Console.
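Added example, not the blog's own script, serving both this post and the earlier "all child records for a given parent in .csv" post: getChildRelationships() lists every child relationship of an object via describe, and childRecordsCsv() then pulls the child Ids for one parent record in nested queries of at most 20 subqueries each, the SOQL limit mentioned in that post. Class and method names are my own.

```apex
// Added example, not the blog's own script. Lists child relationships via describe and
// collects the child record Ids of one parent in chunks of at most 20 subqueries.
public class SK_ChildRecordFinder {

    public class ChildRel {
        public String childObject;
        public String relationshipName;
        public String lookupField;
    }

    public static List<ChildRel> getChildRelationships(String parentApiName) {
        List<ChildRel> rels = new List<ChildRel>();
        Schema.SObjectType parentType = Schema.getGlobalDescribe().get(parentApiName);
        if (parentType == null) {
            throw new IllegalArgumentException('Unknown object: ' + parentApiName);
        }
        for (Schema.ChildRelationship cr : parentType.getDescribe().getChildRelationships()) {
            Schema.DescribeSObjectResult childDesc = cr.getChildSObject().getDescribe();
            // Relationships without a name, or on objects that cannot be queried, cannot be
            // used in a subquery and would make the whole nested query fail
            if (cr.getRelationshipName() == null || !childDesc.isQueryable()) {
                continue;
            }
            ChildRel r = new ChildRel();
            r.childObject = childDesc.getName();
            r.relationshipName = cr.getRelationshipName();
            r.lookupField = cr.getField().getDescribe().getName();
            rels.add(r);
        }
        return rels;
    }

    // Builds CSV text, one line per child record: ChildObject,RelationshipName,LookupField,ChildRecordId
    public static String childRecordsCsv(String parentApiName, Id parentId) {
        List<ChildRel> rels = getChildRelationships(parentApiName);
        List<String> lines = new List<String>{ 'ChildObject,RelationshipName,LookupField,ChildRecordId' };
        Integer chunkSize = 20;  // SOQL allows at most 20 subqueries per query

        for (Integer first = 0; first < rels.size(); first += chunkSize) {
            List<ChildRel> chunk = new List<ChildRel>();
            for (Integer j = first; j < Math.min(first + chunkSize, rels.size()); j++) {
                chunk.add(rels[j]);
            }
            List<String> subqueries = new List<String>();
            for (ChildRel r : chunk) {
                subqueries.add('(SELECT Id FROM ' + r.relationshipName + ')');
            }
            String soql = 'SELECT Id, ' + String.join(subqueries, ', ')
                + ' FROM ' + parentApiName + ' WHERE Id = :parentId';
            List<sObject> parents;
            try {
                parents = Database.query(soql);
            } catch (QueryException e) {
                // One unsupported relationship fails the whole chunk; report it and move on
                System.debug(LoggingLevel.ERROR, 'Chunk starting at ' + first + ' failed: ' + e.getMessage());
                continue;
            }
            if (parents.isEmpty()) {
                break;  // parent record does not exist or is not visible to the running user
            }
            for (ChildRel r : chunk) {
                List<sObject> children = parents[0].getSObjects(r.relationshipName);
                if (children == null) {
                    continue;  // subquery matched nothing
                }
                for (sObject child : children) {
                    lines.add(r.childObject + ',' + r.relationshipName + ',' + r.lookupField + ',' + child.Id);
                }
            }
        }
        return String.join(lines, '\n');
    }

    // Emails the CSV to the running user, as the earlier post describes
    public static void emailChildRecords(String parentApiName, Id parentId) {
        Messaging.EmailFileAttachment csv = new Messaging.EmailFileAttachment();
        csv.setFileName(parentApiName + '_' + parentId + '_children.csv');
        csv.setBody(Blob.valueOf(childRecordsCsv(parentApiName, parentId)));
        Messaging.SingleEmailMessage mail = new Messaging.SingleEmailMessage();
        mail.setToAddresses(new List<String>{ UserInfo.getUserEmail() });
        mail.setSubject('Child records of ' + parentId);
        mail.setPlainTextBody('See the attached CSV.');
        mail.setFileAttachments(new List<Messaging.EmailFileAttachment>{ csv });
        Messaging.sendEmail(new List<Messaging.SingleEmailMessage>{ mail });
    }
}
```

Run SK_ChildRecordFinder.emailChildRecords('Account', '<an Account Id from your org>'); from the Developer Console.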

You can also use Workbench to find the list of child objects. Navigate to the Info tab and select Standard & Custom Objects.


Hope this will help!!

Sunday, May 19, 2019

Lightning:NotificationsLibrary : Easy Way to Display Toast or Notices in Lightning

To display toast messages, we used to fire the standard event "force:showToast". Now Salesforce recommends using lightning:notificationsLibrary for displaying messages in Lightning via notices and toasts.

Toasts help in providing information about the status of a user action.
Notices help in displaying system-related issues or updates about any maintenance.

The notificationsLibrary makes it very easy for developers to display notices and toasts.

How to display Notices using lightning:notificationsLibrary

Below is sample code:


How to display Toast using lightning:notificationsLibrary

Below is sample code:

Hope this will help!!!

Thursday, May 16, 2019

Handling Platform Events in Lightning Components

The lightning:empApi component provides methods for subscribing to a streaming channel and listening to event messages. It supports all streaming channels, including channels for platform events, PushTopic events and Change Data Capture events. The lightning:empApi component uses a shared CometD connection.

Note:
  • This component is available in API version 44.0 or later.
  • It is available in Lightning Experience and is only supported in desktop browsers.
To call the component's methods, add the lightning:empApi component inside your custom component and assign an aura:id attribute to it.

If you want to learn more about platform events, refer to the blog below:

Platform Events : Way to Deliver Custom Notifications within Salesforce or to external Applications

I have created a Lightning component which subscribes to the platform event "Demo_Event__e" which we created in the previous blog.

I have created an app page named "Platform Events App Page" using Lightning App Builder and added this Lightning component to it.

Code Snippet:

Below is a snapshot of the Lightning App page before the platform event is fired.

Now fire the platform event using Workbench through a REST API call:

The platform event notification is received in the Lightning component.

Hope this helps in understanding platform event handling in Lightning components.

Looking forward to everyone's suggestions and comments!!!


Monday, April 22, 2019

Platform Events : Way to Deliver Custom Notifications within Salesforce or to external Applications

Salesforce provides platform events, which can be used to create custom notifications that are consumed within the Salesforce app or sent to external applications. These notifications are secure and scalable.

Platform events are part of Salesforce's enterprise messaging platform. They use a publish and subscribe flow: one or many subscribers subscribe to the same event and carry out different actions.

In Lightning events, we define an event and then create attributes through which information can be shared between Lightning components. Similarly, you create a platform event through point and click and then create custom fields which are used to publish information via the platform event, and subscribers can utilize this information.

Platform Events v/s Streaming API

  • In the Streaming API (using PushTopics), subscribers receive notifications based on changes or updates to records.
  • You cannot edit or delete platform event records. You can only create or insert platform events.
  • Visualforce and Lightning component apps can subscribe to platform events using CometD, similar to PushTopics.
  • You cannot view platform events in the Salesforce user interface and cannot query them through SOQL.
  • You can handle or subscribe to platform events through triggers using after insert.
  • Only the "after insert" event is available for platform event objects.
  • Platform events can be published by Process Builder, flows, Apex or the REST API by inserting an sObject.
  • Platform events persist for 24 hours only.
Permission for platform events is controlled through profiles or permission sets.

Platform events can be used to publish information and have no dependency on existing Salesforce records.

In order to create platform events, navigate to Setup --> Platform Events --> New Platform Event.

I have created a platform event "Demo Event" and am going to use Apex to publish the event and subscribe to it through a trigger.

When you create a platform event, the system appends the __e suffix to create the API name of the event.

How to fire/publish a platform event
  • You have to create a record in order to fire a platform event.
To publish event messages, create an instance of the event and pass it to the EventBus.publish method. Use the code snippet below to publish the event:

// Create an instance of the Demo event 
Demo_Event__e demoEvent = new Demo_Event__e(
           Event_Info__c='Demo event is fired using Apex', 
           Is_Event_Valid__c=true, 
           Event_Publisher__c='Apex Code');
// Call method to publish events
Database.SaveResult sr = EventBus.publish(demoEvent);
// Inspect publishing result 
if (sr.isSuccess()) {
    System.debug('Successfully published event.');
} else {
    for(Database.Error err : sr.getErrors()) {
        System.debug('Error returned: ' +
                     err.getStatusCode() +
                     ' - ' +
                     err.getMessage());
    }
}
  • You can create the record using Process Builder or a flow.
  • You can create the event using the REST API. Below are the details of the HTTP request:
Endpoint- /services/data/v45.0/sobjects/Demo_Event__e/
body
{
   "Event_Info__c" : "Demo event is fired using REST API CALL",
   "Is_Event_Valid__c" : true,
   "Event_Publisher__c" : "REST API CALL"
}
Method - POST
HTTP Response:

{   
   "id" : "e00xx0000000ccf",
   "success" : true,
   "errors" : [ ],
   "warnings" : [ ] 
}

How to Subscribe Platform Events using Apex Triggers

Whenever a record is created for a platform event, the after insert trigger fires. You can use the code below to subscribe to the platform event and perform logic as per your needs:

trigger DemoEventTrigger on Demo_Event__e (after insert) {
    List<Task> taskList = new List<Task>();
    for (Demo_Event__e event : Trigger.New) {
        if (event.Is_Event_Valid__c == true) {
            // perform logic based on event information, for example create a follow-up task
            taskList.add(new Task(
                Subject = event.Event_Info__c,
                Description = 'Published by ' + event.Event_Publisher__c));
        }
    }
    if (!taskList.isEmpty()) {
        insert taskList;
    }
}

Below is a snapshot explaining platform events.
Hope this will help!!!




Friday, April 19, 2019

Way to export Code Coverage of Individual ApexClass or Trigger in .csv format

Salesforce provides the Tooling API (a REST API) through which we can find org metadata information. The Tooling API provides an object called "ApexCodeCoverage" which can be used to find code coverage information about an individual class or trigger, or the complete code coverage information for the org.

I have created an Apex script which can be run in the Developer Console's "Execute Anonymous Window". After running this script, you will receive an email with a .csv file containing the code coverage information for each Apex class or trigger.

Below is a snapshot of the .csv file which you will receive:


By using the Tooling API you can also find the overall code coverage of your organization. Below is the script which you can use in the "Execute Anonymous Window".

Important things to do in order to get reliable coverage details:

  • Go to Setup --> Apex Test Execution ---> click Options ---> deselect the "Store only aggregate code coverage" option.
  • Go to Setup --> Apex Test Execution ----> Clear all test history.
  • Go to Setup --> Apex Classes ---> Compile all classes.
  • Go to Setup ---> Apex Test Execution ---> Run All Tests.
Once Run All Tests is completed, run the scripts above to get the actual code coverage details of all classes or triggers, or the overall org code coverage percentage.
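Added example, not the blog's own SK_CustomlabelUtility or coverage script, serving both the custom-label posts above and this one: queryAll() follows nextRecordsUrl until every page of a Tooling API query has been read, and the two public methods email a CSV of all CustomLabel rows or of per-class coverage from ApexCodeCoverageAggregate with a computed percentage. It assumes a Remote Site Setting for the org's own My Domain URL and a Developer Console (or saved class) context in which UserInfo.getSessionId() is accepted as the bearer token; a Named Credential is the safer choice for production code.

```apex
// Added example, not the blog's own code. Pages through any Tooling API query and emails a CSV.
public class ToolingCsvExport {

    private static final String API_VERSION = 'v45.0';

    // Follows nextRecordsUrl until the last page (each page holds up to 2000 rows)
    public static List<Object> queryAll(String soql) {
        List<Object> records = new List<Object>();
        String base = URL.getSalesforceBaseUrl().toExternalForm();
        String path = '/services/data/' + API_VERSION + '/tooling/query/?q='
            + EncodingUtil.urlEncode(soql, 'UTF-8');
        while (path != null) {
            HttpRequest req = new HttpRequest();
            req.setEndpoint(base + path);
            req.setMethod('GET');
            // Session id as bearer token; prefer a Named Credential in production code
            req.setHeader('Authorization', 'Bearer ' + UserInfo.getSessionId());
            req.setHeader('Accept', 'application/json');
            HttpResponse res = new Http().send(req);
            if (res.getStatusCode() != 200) {
                throw new CalloutException('Tooling query failed: HTTP ' + res.getStatusCode() + ' ' + res.getBody());
            }
            Map<String, Object> body = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
            records.addAll((List<Object>) body.get('records'));
            path = (String) body.get('nextRecordsUrl');  // absent on the final page
        }
        return records;
    }

    // Reads a possibly nested value such as 'ApexClassOrTrigger.Name' from one deserialized record
    private static Object getPath(Map<String, Object> record, String path) {
        Object current = record;
        for (String part : path.split('\\.')) {
            if (!(current instanceof Map<String, Object>)) {
                return null;
            }
            current = ((Map<String, Object>) current).get(part);
        }
        return current;
    }

    // Quotes every cell so label values containing commas, quotes or newlines stay in one column
    public static String toCsv(List<Object> records, List<String> columns) {
        List<String> lines = new List<String>{ String.join(columns, ',') };
        for (Object rec : records) {
            List<String> cells = new List<String>();
            for (String col : columns) {
                Object v = getPath((Map<String, Object>) rec, col);
                String s = (v == null) ? '' : String.valueOf(v);
                cells.add('"' + s.replace('"', '""') + '"');
            }
            lines.add(String.join(cells, ','));
        }
        return String.join(lines, '\n');
    }

    private static void email(String fileName, String csv) {
        Messaging.EmailFileAttachment att = new Messaging.EmailFileAttachment();
        att.setFileName(fileName);
        att.setBody(Blob.valueOf(csv));
        Messaging.SingleEmailMessage mail = new Messaging.SingleEmailMessage();
        mail.setToAddresses(new List<String>{ UserInfo.getUserEmail() });
        mail.setSubject(fileName);
        mail.setPlainTextBody('Attached: ' + fileName);
        mail.setFileAttachments(new List<Messaging.EmailFileAttachment>{ att });
        Messaging.sendEmail(new List<Messaging.SingleEmailMessage>{ mail });
    }

    // Every custom label, however many the org has
    public static void emailAllCustomLabels() {
        List<String> cols = new List<String>{ 'Id', 'Name', 'MasterLabel', 'Value' };
        List<Object> labels = queryAll('SELECT ' + String.join(cols, ', ') + ' FROM CustomLabel');
        email('CustomLabels.csv', toCsv(labels, cols));
    }

    // Per-class/trigger coverage (run after Run All Tests) with a computed percentage column
    public static void emailCodeCoverage() {
        List<Object> rows = queryAll('SELECT ApexClassOrTrigger.Name, NumLinesCovered, NumLinesUncovered '
            + 'FROM ApexCodeCoverageAggregate');
        for (Object r : rows) {
            Map<String, Object> rec = (Map<String, Object>) r;
            Integer covered = Integer.valueOf(String.valueOf(rec.get('NumLinesCovered')));
            Integer uncovered = Integer.valueOf(String.valueOf(rec.get('NumLinesUncovered')));
            Integer total = covered + uncovered;
            rec.put('PercentCovered', total == 0 ? 0 : (covered * 100) / total);
        }
        List<Object> orgWide = queryAll('SELECT PercentCovered FROM ApexOrgWideCoverage');
        Object orgPct = orgWide.isEmpty() ? null : ((Map<String, Object>) orgWide[0]).get('PercentCovered');
        email('CodeCoverage_org_' + orgPct + '_pct.csv', toCsv(rows, new List<String>{
            'ApexClassOrTrigger.Name', 'NumLinesCovered', 'NumLinesUncovered', 'PercentCovered' }));
    }
}
```

Run ToolingCsvExport.emailAllCustomLabels(); or ToolingCsvExport.emailCodeCoverage(); from the Execute Anonymous window.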

You can also run queries on the "ApexCodeCoverage" and "ApexOrgWideCoverage" objects in the Developer Console query editor by selecting the Tooling API checkbox.

To get Org Overall Code coverage use below Query:

"SELECT PercentCovered FROM ApexOrgWideCoverage "



To get code coverage of specific apex class or trigger use below query:

SELECT Coverage FROM ApexCodeCoverage WHERE ApexClassOrTriggerId = 'xxxxxxxxx'
where xxxxxxxxx is the 15- or 18-digit Id of the Apex class or trigger.
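As an added example (not the script from this post, which is not reproduced here), the following Go program processes the kind of JSON the Tooling API query endpoint returns for ApexCodeCoverage. The Coverage field holds the covered and uncovered line numbers for one (test class, covered class) pair, so the same class appears once per test class; the program merges those rows so that a line counts as covered if any test class reached it, then writes the per-class percentages as .csv, the same information the e-mailed file carries. The sample response, the Ids in it and the ApexClassOrTrigger.Name relationship field are constructed or assumed for this example.

```go
package main

import (
	"encoding/csv"
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// coverageRow mirrors one ApexCodeCoverage record: one row per (test class,
// covered class) pair. The ApexClassOrTrigger.Name relationship is assumed.
type coverageRow struct {
	ApexClassOrTriggerId string `json:"ApexClassOrTriggerId"`
	ApexClassOrTrigger   struct {
		Name string `json:"Name"`
	} `json:"ApexClassOrTrigger"`
	Coverage struct {
		CoveredLines   []int `json:"coveredLines"`
		UncoveredLines []int `json:"uncoveredLines"`
	} `json:"Coverage"`
}

type classCoverage struct {
	ID, Name       string
	Covered, Total int
	Percent        float64
}

// decodeRows unwraps the Tooling API query envelope ({"done":..,"records":[..]}).
func decodeRows(body []byte) ([]coverageRow, error) {
	var page struct {
		Records []coverageRow `json:"records"`
	}
	err := json.Unmarshal(body, &page)
	return page.Records, err
}

// mergeCoverage unions the lines covered by every test class for the same
// class or trigger: a line counts as covered if any test class hit it.
func mergeCoverage(rows []coverageRow) []classCoverage {
	type lineSets struct {
		name         string
		covered, all map[int]bool
	}
	byID := map[string]*lineSets{}
	for _, r := range rows {
		s, ok := byID[r.ApexClassOrTriggerId]
		if !ok {
			s = &lineSets{name: r.ApexClassOrTrigger.Name, covered: map[int]bool{}, all: map[int]bool{}}
			byID[r.ApexClassOrTriggerId] = s
		}
		for _, l := range r.Coverage.CoveredLines {
			s.covered[l], s.all[l] = true, true
		}
		for _, l := range r.Coverage.UncoveredLines {
			s.all[l] = true
		}
	}
	var out []classCoverage
	for id, s := range byID {
		c := classCoverage{ID: id, Name: s.name, Covered: len(s.covered), Total: len(s.all)}
		if c.Total > 0 {
			c.Percent = 100 * float64(c.Covered) / float64(c.Total)
		}
		out = append(out, c)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// writeCSV emits one line per class or trigger, like the e-mailed .csv.
func writeCSV(w *csv.Writer, cov []classCoverage) error {
	w.Write([]string{"ApexClassOrTriggerId", "Name", "CoveredLines", "TotalLines", "PercentCovered"})
	for _, c := range cov {
		w.Write([]string{c.ID, c.Name, fmt.Sprint(c.Covered), fmt.Sprint(c.Total), fmt.Sprintf("%.1f", c.Percent)})
	}
	w.Flush()
	return w.Error()
}

// Constructed query result: two test classes together cover lines 1-4 of
// AccountService's 5 lines; nothing covers the trigger.
const sampleResponse = `{"done":true,"records":[
 {"ApexClassOrTriggerId":"01pXX0000000001","ApexClassOrTrigger":{"Name":"AccountService"},
  "Coverage":{"coveredLines":[1,2,3],"uncoveredLines":[4,5]}},
 {"ApexClassOrTriggerId":"01pXX0000000001","ApexClassOrTrigger":{"Name":"AccountService"},
  "Coverage":{"coveredLines":[4],"uncoveredLines":[1,2,3,5]}},
 {"ApexClassOrTriggerId":"01qXX0000000002","ApexClassOrTrigger":{"Name":"DemoEventTrigger"},
  "Coverage":{"coveredLines":[],"uncoveredLines":[1,2,3,4]}}]}`

func main() {
	rows, err := decodeRows([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	writeCSV(csv.NewWriter(os.Stdout), mergeCoverage(rows))
}
```

In a real run the body handed to decodeRows comes from an authenticated GET against the Tooling API query endpoint; the rest of the program is unchanged.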



Hope this will help!!

Looking forward to everyone's comments and suggestions...


Sunday, March 17, 2019

IDENTITY AND ACCESS MANAGEMENT DESIGNER : Exam Preparation Guide and Tips

I am really excited to share that I cleared the "IDENTITY AND ACCESS MANAGEMENT DESIGNER" exam yesterday, and I am going to share my inputs for people who are preparing for it.

I have successfully completed the "Application Architect" credential; if you would like to prepare for that, refer to the links below:

Data Architecture and Management Designer : Exam preparation guide and tips
Sharing and Visibility Designer : Exam preparation guide and tips

As usual I started with the Resource Guide for the Identity and Access Management Designer exam. This time, while preparing, I gave more preference to the Trailmix "Architect Journey: Identity and Access Management", especially the hands-on training section.

This was a really tough exam for me, as everything was theoretical since SSO is already configured in all companies. Also, we don't get the chance to work on the identity provider and service provider configurations, as my job role mainly involves providing solutions to streamline business processes. But anyhow, it is a mandatory exam in order to get the "System Architect" credential, so I started preparing for it just after clearing my "Salesforce Certified Integration Architecture Designer".

If you are preparing for the Salesforce Certified Integration Architecture Designer exam, refer to the link below:
SALESFORCE INTEGRATION ARCHITECTURE DESIGNER : Things to consider before appearing for this exam



Below are the points you should cover before appearing for the exam:

My Domain
  • My Domain is required to configure SSO.
  • Add a subdomain to your Salesforce org with the My Domain feature of Salesforce Identity. If you specify login.salesforce.com as the entity Id in the SSO settings, the identity provider redirects the user to the generic Salesforce domain, and Salesforce shows the login page again because it cannot tell which subdomain the user should be sent to. If you enable My Domain and use it in the entity Id, the redirect from the identity provider lands on the right org.
  • My Domain is required for single sign-on (SSO) with external identity providers, for social sign-on with authentication providers such as Google and Facebook, and for Lightning components in Lightning component tabs, Lightning pages, the Lightning App Builder, or standalone apps.
  • You can rename your My Domain subdomain in production orgs, but you can't rename a sandbox, developer, or trial org subdomain.
  • Authentication Configuration under My Domain controls which authentication services are presented to users.
  • If you want users to be authenticated only by the external identity provider, deselect Login Form from the authentication services.
  • If Login Form is left enabled as an authentication service, users may complain that they land on the Salesforce login page instead of being redirected to the identity provider's login screen.
Salesforce Two-Factor Authentication
  • You can use the out-of-the-box two-factor authentication provided by Salesforce. Create a permission set, add the "enable 2 factor authentication" permission to it, and assign the permission set to the users for whom you want to enable two-factor authentication. Those users need to install the Salesforce Authenticator app and link their Salesforce account. From then on, whenever the user logs in they get an approve or reject prompt in Salesforce Authenticator. The app displays the device and location of the login, and the user can choose to remember that location so that the next login from there does not trigger a notification.
Custom Login Flow
Salesforce OAuth Flows
Oauth Scope Parameter Values
  • The scope parameter fine-tunes the permissions associated with the tokens that you’re requesting. Scope is a subset of values that you specified when defining the connected app.
  • Different scope values are:
    • api : Allows access to the current, logged-in user’s account using APIs, such as REST API and Bulk API. This value also includes chatter_api, which allows access to Chatter REST API resources.
    • chatter_api : Allows access to Chatter REST API resources only.
    • custom_permissions : Allows access to the custom permissions in an organization associated with the connected app, and shows whether the current user has each permission enabled.
    • full : Allows access to all data accessible by the logged-in user, and encompasses all other scopes. full does not return a refresh token. You must explicitly request the refresh_token scope to get a refresh token.
    • id : Allows access to the identity URL service. You can request profile, email, address, or phone, individually to get the same result as using id; they are all synonymous.
    • openid : Allows access to the current, logged in user’s unique identifier for OpenID Connect apps. Use the openid scope in the OAuth 2.0 user-agent flow and the OAuth 2.0 web server authentication flow to receive a signed ID token conforming to the OpenID Connect specifications in addition to the access token.
    • refresh_token : Allows a refresh token to be returned when you are eligible to receive one. Then the app can interact with the user’s data while the user is offline, and is synonymous with requesting offline_access.
    • visualforce : Allows access to customer-created Visualforce pages. Doesn’t allow access to standard Salesforce UIs.
    • web : Allows the ability to use the access_token on the web, and includes visualforce, allowing access to customer-created Visualforce pages.
Identity License and External Identity License
  • Identity license connects Salesforce users with external applications and services, while giving administrators control over authentication and authorization for these users.
  • External Identity license is used for users outside of your organization’s user base (such as non-employees). Store and manage these users, choose how they authenticate (username/password, or Single Sign-On social sign-on through Facebook, Google+, LinkedIn, and others), and allow self-registration.
IdP-initiated or SP-initiated
  • When Salesforce acts as the service provider and the identity provider is an external app, and the user starts the login from the Salesforce My Domain URL, it is called an SP-initiated single sign-on flow. In this case Salesforce first redirects the user to the identity provider for authentication and, based on the identity provider's response, lets the user into Salesforce.
  • If the user logs in at the identity provider and is then sent to the service provider through a link, it is called an IdP-initiated single sign-on flow.
  • If Salesforce and another external app both use a third-party app as the IdP, and a user clicks a link to a Salesforce resource inside that external app, you need to configure SP-initiated SSO so that the SAML token is passed to the authentication provider when the Salesforce resource is requested.
  • With an IdP-initiated login process, you typically set up a link on the company intranet that users click to get access to Salesforce.
Identity Connect
  • Identity Connect is a Salesforce Identity product that helps Salesforce admins apply all the data collected in AD to automate Salesforce user management. It syncs changes in AD within seconds.
  • Identity Connect is on-premises software that sits behind your firewall and pushes data to Salesforce. Identity Connect's server runs within the corporate network and communicates with the AD server over LDAP(S). It communicates with Salesforce in the cloud over HTTPS. Work with your network engineer to ensure that these paths are open so that Identity Connect can reach both AD and Salesforce.
  • When Identity Connect detects differences between AD and Salesforce, it updates Salesforce with the information in AD. Data transfer is in one direction and AD is the source of truth. Identity Connect never changes information that's stored in AD.
  • You can set up Identity Connect to manage multiple production orgs, or multiple non-production orgs, but you can't mix production and sandbox orgs in one Identity Connect environment.
  • Identity Connect can map AD group members to Salesforce users in the following ways:
    • Profile mapping with AD groups
    • Permission set mapping with AD groups
    • User role mapping with AD groups
    • Salesforce groups to AD groups 
Self Registration - Communities
  • Enable self-registration to allow unlicensed guest users to join your community. When users self-register, you can choose to save them as contacts under a business account or to create a person account for each self-registering user.
  • If your business deals mostly with individuals, you can assign each self-registering user to a person account instead of creating them as contacts under a single business account.
  • If you want to create a person account from the self-registration page, don't specify an account Id when creating the account. You can also manually create person accounts and assign them to community users with Customer Community and Customer Community Plus licenses.
Canvas App
  • Canvas enables you to easily integrate a third-party application into Salesforce. Canvas is a set of tools and JavaScript APIs that you can use to expose an application as a canvas app. This means you can take your new or existing applications and make them available to your users as part of their Salesforce experience.
  • The third-party app that you want to expose as a canvas app can be written in any language. The only requirement is that the app has a secure URL (HTTPS).
  • How the canvas app appears in Salesforce depends on the values you select in the Locations field when creating the connected app in Salesforce.
  • A canvas app can appear in the Chatter feed, the Chatter tab, the Console, the navigation menu in the Salesforce app, Visualforce pages, page layouts and mobile cards, Open CTI (in the call control tool), and the Chatter publisher and action bar.
  • Force.com Canvas can use the Web Server OAuth Authentication Flow and the User-Agent OAuth Authentication Flow.
Single Sign On Settings
  • Configure single sign-on in order to authenticate users into salesforce.com from external environments.
  • With Just-in-Time provisioning, you can use a SAML assertion to create regular and portal users on the fly the first time they try to log in. This eliminates the need to create user accounts in advance.
  • Just-in-Time provisioning works with your SAML identity provider to pass the correct user information to Salesforce in a SAML 2.0 assertion attribute statement. You can both create and modify users, contacts, and accounts this way. Because Just-in-Time provisioning uses SAML to communicate, your organization must have SAML-based single sign-on enabled.
  • To enable Just-in-Time provisioning, you must explicitly select the checkbox in Single Sign-On Settings.
  • The Entity Id controls where the user is redirected once the identity provider has authorized them.
  • If users are always redirected to the home page after successful authentication, the identity provider is not preserving the RelayState, which specifies where to send the user after authentication.
Connected App
  • A connected app integrates an application with Salesforce using APIs. Connected apps use the standard SAML and OAuth protocols to authenticate, provide single sign-on, and provide tokens for use with Salesforce APIs. In addition to standard OAuth capabilities, connected apps allow Salesforce admins to set various security policies and have explicit control over who can use the corresponding apps.
  • If users need to access Salesforce from mobile devices while IP restrictions are applied on their profiles, relaxing the IP restrictions on the OAuth-enabled connected app lets them access Salesforce from those devices.
  • IP relaxation does not apply to SAML-enabled connected apps unless they are also OAuth-enabled for single sign-on.
  • A refresh token policy can also be set on the connected app. If users complain that they have to log in again after some time on their mobile device, check the refresh token policy of the connected app.
  • Create a connected app for an external application to configure SSO from Salesforce to that application. You can add profiles and permission sets to the connected app to pre-authorize users. A connected app is mainly used for inbound requests to Salesforce.
Federated Authentication
  • Federated authentication uses SAML, an industry standard for secure integrations. Investing in SAML with Salesforce.com can be leveraged with other products or services. If you use SAML, you don't have to expose an internal server to the Internet: the secure integration is done through the browser. In addition, Salesforce.com never handles any passwords used by your organization.
  • When SAML is configured, the user (via their browser) hits either a URL at the enterprise Identity Provider (IdP) or, if My Domain is configured, any My Domain URL at Salesforce, e.g. https://mycompany.my.salesforce.com/SOMERECORDID. The SAML protocol redirects them for authentication in the enterprise, and sends them to Salesforce with a signed XML message representing that authentication.
  • The signed XML message contains the federation Id, which uniquely identifies the user in Salesforce.
  • The Salesforce user record Id, the federation Id and the username can each be used to represent the identity of the user when Salesforce is acting as a service provider in a SAML configuration.
  • Users will face SSO issues if the federation Id returned by the identity provider is not set correctly on their Salesforce user record.
Delegated Authentication
  • Another option for authenticating users on mobile and desktop devices is delegated authentication. If it is enabled for an organization and for the user's profile, when a user attempts to authenticate directly to Salesforce the credential is sent to a customer-configured endpoint over an HTTPS-secured web service.
  • You need to raise a request with Salesforce to enable this feature.
  • Salesforce uses the following process for authenticating users with delegated authentication:
    • When a user tries to log in, Salesforce validates the username and checks the user's profile settings.
    • If the user's profile has the Is Single Sign-On Enabled user permission, Salesforce does not validate the username and password. Instead, a web services call is made to the user's organization, asking it to validate the username and password. Note that Salesforce doesn't store, log, or view the password in any way; it is disposed of immediately once the process is complete.
    • The web services call passes the username, password, and IP address of the user to the customer's web service. Your implementation of the web service validates the passed information and returns either true or false.
    • If the response is true, the login process continues, a new session is generated, and the user proceeds to the application. If false is returned, the user is informed that the username and password combination is invalid.
    • Using this process, customers can easily use their existing authentication systems to validate credentials. This approach works with all mobile and desktop clients. Once a delegated authentication service is built and enabled for a user, no additional configuration is required. Users log in through the regular Salesforce login screens, but their credentials are validated remotely.
  • Salesforce sends the user request over SAML, but the request is sent back using delegated authentication. The RelayState parameter is transformed into the startURL parameter to redirect the user to the correct page. Using this technique, mobile and desktop clients that use SAML with Salesforce can also take advantage of SSO over delegated authentication.
  • For security reasons, make your web service available only over TLS. The web service can be REST or SOAP.
  • Delegated authentication offers the following benefits:
    • Uses a stronger form of user authentication, such as integration with a secure identity provider.
    • Makes your login page private and accessible only behind a corporate firewall.
    • Differentiates your org from all other companies that use Salesforce, to reduce phishing attacks.
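Below is an added example, not from the post, of what the customer-side web service in that process can look like in Go. It accepts the username, password and user IP address that Salesforce forwards, validates them against a stand-in identity store, and answers with a bare true or false. The JSON request shape, the allow-listed caller range, the corporate network range and the sample user are all assumptions made for this example; a real endpoint would sit behind TLS and consult the corporate directory rather than an in-memory map.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"log"
	"net"
	"net/http"
)

// authRequest carries the three values Salesforce forwards; the JSON names are an assumed REST shape.
type authRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
	SourceIP string `json:"sourceIp"`
}

// ipAllowed reports whether host falls inside one of the given networks.
func ipAllowed(nets []*net.IPNet, host string) bool {
	ip := net.ParseIP(host)
	for _, n := range nets {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

func mustCIDRs(cidrs ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// credentialStore stands in for the company's identity store (AD/LDAP in a real deployment).
// It keeps salted SHA-256 digests only to stay within the standard library; production would use argon2 or bcrypt.
type credentialStore struct {
	salt    []byte
	digests map[string][32]byte
	corpNet []*net.IPNet // networks a login must originate from
}

func (s credentialStore) digest(password string) [32]byte {
	return sha256.Sum256(append(append([]byte{}, s.salt...), password...))
}

// check compares digests in constant time and refuses logins whose user IP is outside the corporate network.
func (s credentialStore) check(user, password, sourceIP string) bool {
	want, known := s.digests[user]
	got := s.digest(password)
	match := subtle.ConstantTimeCompare(got[:], want[:]) == 1
	return known && match && ipAllowed(s.corpNet, sourceIP)
}

// delegatedAuthHandler answers Salesforce with a bare true or false; it rejects callers outside
// the allow list, bounds the request body, and logs the username and source IP but never the password.
func delegatedAuthHandler(allowed []*net.IPNet, validate func(user, pass, ip string) bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil || !ipAllowed(allowed, host) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		var req authRequest
		if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 4096)).Decode(&req); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		ok := validate(req.Username, req.Password, req.SourceIP)
		log.Printf("delegated auth user=%q from=%s result=%t", req.Username, req.SourceIP, ok)
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(ok)
	}
}

// newSampleStore is a constructed store with one user and a placeholder corporate range.
func newSampleStore() credentialStore {
	s := credentialStore{salt: []byte("constructed-salt"), digests: map[string][32]byte{}, corpNet: mustCIDRs("10.0.0.0/8")}
	s.digests["alice@example.com"] = s.digest("correct horse battery staple")
	return s
}

func main() {
	// 203.0.113.0/24 is a placeholder for the Salesforce source ranges; certificate paths are placeholders too.
	h := delegatedAuthHandler(mustCIDRs("203.0.113.0/24"), newSampleStore().check)
	http.Handle("/delegated-auth", h)
	log.Fatal(http.ListenAndServeTLS(":8443", "server.crt", "server.key", nil))
}
```

The two IP checks serve different purposes: the allow list on the caller keeps anyone other than Salesforce from using the endpoint as a password oracle, while the check on the forwarded user IP is the "accessible only behind a corporate firewall" policy from the list above, applied at the validation step.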
Federated Authentication vs Delegated Authentication
  • Delegated authentication is inherently less secure than federated authentication. Even if encrypted, delegated authentication still sends the username and password (possibly even your network password) over the Internet to Force.com. Some companies have policies that preclude a third party from handling their network passwords.
  • Delegated authentication requires much more work for the company implementing it. The web services endpoint configured for the org must be developed, hosted, exposed on the Internet, and integrated with the company's identity store.
  • Federated authentication happens through the web browser and cannot be used for mobile and desktop applications; use delegated authentication for mobile and desktop apps.
Looking forward to everyone's comments and suggestions, and best of luck for the exam...

Hope this will help!!!

Wednesday, March 13, 2019

Salesforce OAuth Flow - Implementation guidelines and tips

Whenever an external app requests access to Salesforce data, authentication needs to happen on the Salesforce side. Different authentication flows are available, as governed by the OAuth standard.

Through this blog, I will share commonly used OAuth flows and the factors you need to consider while deciding which one to use.

OAuth 2.0 Web Server Authentication Flow
  • This flow is mainly used by applications hosted on a web server.
  • It can be used when the external application is trusted, hosted on a secure server, and able to store the client_secret securely.
  • This flow is mainly used to build web applications.
  • First, the external application requests authorization and the user is redirected to the Salesforce login page to authenticate. After authenticating, the user approves the external app's access to Salesforce.
  • After the user grants access, an authorization code is returned through the callback. The external app uses this temporary code (valid for 10 minutes) in a POST request to the token endpoint, sending the code, client_id and client_secret, to obtain an access_token.
  • Salesforce returns an access_token and a refresh_token. The external app can use the refresh token to obtain a new access token, so that the user is not required to authenticate every time.
  • Instead of sending the client credentials as parameters in the body of the access token POST, Salesforce supports the HTTP Basic authentication scheme. This scheme requires the client_id and client_secret, base64 encoded, in the Authorization header of the POST: Authorization: Basic base64(client_id:client_secret)
  • This flow is not recommended for applications (such as ETL tools or middleware) that access Salesforce purely through APIs with no UI involved.

OAuth 2.0 User Agent Flow
  • This flow is recommended when you build a mobile or desktop application that may be distributed to anyone. Such applications are not considered safe for storing a client secret, because the application's code is accessible to everyone and the secret can be extracted easily.
  • It is used when an external application wants to log in to Salesforce with the user's Salesforce credentials. Once the user has logged in, they approve the external application's access to Salesforce data (the scope defined in the connected app).
  • In this flow the external application passes only the client id; the login page opens and the user authenticates to obtain the access and refresh tokens.
  • The external application can use the refresh token to get a new access token when it expires, avoiding logging the user in to Salesforce again.
  • With the user-agent authentication flow, the client app receives the access token as an HTTP redirection. The client app requests the authorization server to redirect the user-agent to another web server or to an accessible local resource. The server can extract the access token from the response and pass it to the client app. For security, the token response is provided as a hash (#) fragment on the URL. This prevents the token from being passed to the server or to any other servers in referrer headers.

OAuth 2.0 JWT Bearer Token Flow
  • Ideal for applications that access Salesforce only through the API, with no UI involved, for example ETL tools or middleware.
  • A JSON Web Token (JWT) enables identity and security information to be shared across security domains.
  • A JWT is a JSON structure consisting of a header and a claims object: the header names the signature algorithm and the claims object carries specific information such as the username and consumer key. You sign the token with the private key of your certificate and send the JWT to Salesforce to obtain an access token.
  • When a client wants to use this flow, it posts an access token request that includes the JWT to Salesforce's OAuth token endpoint. Salesforce authenticates the authorized app through the digital signature applied to the JWT.
  • Digital certificates are required in this flow. Upload the certificate (X.509) to the connected app; it is used to verify the signature on the JSON web tokens.
  • The external application requests an access token by passing the JWT in the request body. Salesforce validates the JWT and returns an access token to the external app.
  • No refresh token is returned in this flow, so when the access token expires, send a new access token request.
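The following Go program, added here as an illustration and not taken from Salesforce or from this post, builds the JWT for this flow (RS256 over header.claims, with iss, sub, aud and exp claims) and also shows the checks the receiving side has to make before trusting it: the algorithm, the signature against the registered certificate's public key, the audience and the expiry. The key pair is generated in-process to stand in for the certificate uploaded to the connected app; the consumer key and username are placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// jwtClaims are the claims this flow uses: iss is the connected app's consumer key,
// sub the Salesforce username, aud the login host, exp a Unix time a few minutes ahead.
type jwtClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// generateKey stands in for the key pair whose certificate is uploaded to the connected app.
func generateKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// buildAssertion produces header.claims.signature signed with RS256.
func buildAssertion(key *rsa.PrivateKey, c jwtClaims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// verifyAssertion mirrors what the token endpoint must do before trusting the assertion: insist on
// RS256, verify the signature with the registered certificate's public key, then check audience and expiry.
func verifyAssertion(pub *rsa.PublicKey, token, wantAud string, now time.Time) (jwtClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return jwtClaims{}, errors.New("malformed assertion")
	}
	var hdr struct{ Alg string `json:"alg"` }
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return jwtClaims{}, errors.New("unsupported or missing alg")
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // an undecodable signature simply fails verification
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return jwtClaims{}, errors.New("bad signature")
	}
	var c jwtClaims
	if raw, err = base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return jwtClaims{}, errors.New("bad claims")
	}
	if c.Aud != wantAud {
		return jwtClaims{}, errors.New("audience mismatch")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return jwtClaims{}, errors.New("assertion expired")
	}
	return c, nil
}

// tokenRequestBody is the form body posted to the token endpoint.
func tokenRequestBody(assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")
	v.Set("assertion", assertion)
	return v.Encode()
}

func main() {
	key := generateKey()
	claims := jwtClaims{Iss: "consumer-key-placeholder", Sub: "integration.user@example.com",
		Aud: "https://login.salesforce.com", Exp: time.Now().Add(3 * time.Minute).Unix()}
	assertion, _ := buildAssertion(key, claims)
	_, err := verifyAssertion(&key.PublicKey, assertion, claims.Aud, time.Now())
	fmt.Println("verified locally:", err == nil, "\nPOST body:", tokenRequestBody(assertion))
}
```

Two of the checks in verifyAssertion are where most JWT-handling mistakes happen: reading the algorithm from the header and honouring whatever it says (which is why the code insists on RS256 instead), and verifying the signature but not the audience, which would let an assertion minted for one token endpoint be replayed against another.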

OAuth 2.0 SAML Bearer Assertion Flow
  • A SAML assertion is an XML security token issued by an identity provider and consumed by a service provider.
  • The external app or client isn't required to store a client_secret.
  • If you use Active Directory or LDAP as the identity provider, you can use the SAML assertion from your SSO flow to obtain an access token for Salesforce.
  • This flow uses a SAML assertion (an XML token generated by the identity provider) with a digital signature applied using a certificate.
  • In the connected app, you upload this certificate (X.509); the private key matching it is used to sign the SAML assertion, which is then base64 encoded.
  • The SAML assertion is posted to the OAuth token endpoint, which processes the assertion and issues an access_token based on prior approval of the app (users are pre-authorized in the connected app).
  • This flow also returns only an access token, not a refresh token.

SAML Assertion Flow
  • The SAML assertion flow is an alternative for orgs that are currently using SAML to access Salesforce and want to access the web services API the same way.
  • You can use the SAML assertion flow only inside a single org, so it can be used to connect to a single Salesforce org.
  • You don't have to create a connected app to use this flow. Clients use it to federate with the API using a SAML assertion, the same way they federate with Salesforce for web single sign-on.
  • If you have SSO configured specifically for the Salesforce org that your partner application is authenticating to, you can also use the SAML assertion flow.
  • Configure SAML for your org; SAML version 2.0 is required. Exchange a SAML assertion for an access token, and use a JSON parser to extract the access_token from Salesforce's response.
  • The benefit of this flow is that you can use a base64 encoded, then URL encoded, SAML assertion that is normally used for web single sign-on. This makes it significantly simpler from a development perspective because you don't need to create a connected app, but it requires you to have SSO enabled for your Salesforce instance.
  • No refresh token is issued in this flow.

OAuth 2.0 Username and Password Flow
  • Use the username-password authentication flow when the consumer already has the user's credentials.
  • Avoid using this flow, because the user's raw username and password have to be sent to Salesforce.
  • Use this flow only when there is no way to connect using the other available flows.
  • Salesforce communities don't support the OAuth 2.0 username-password authentication flow.
  • In this flow, the external app or client sends client_id, client_secret, username and password in a POST request.
  • The security token must be appended to the password to log in to Salesforce from an untrusted network. Concatenate the password and token when sending the authentication request.
  • No refresh token is issued.
OAuth 2.0 Device Authentication Flow
  • The OAuth 2.0 device authentication flow is typically used by applications on devices with limited input or display capabilities, such as TVs, appliances, or command-line applications.
  • This flow returns an access_token and a refresh_token.
  • When the device requests authorization by specifying its client_id, Salesforce verifies the request and returns a human-readable user code, a verification URL, a device code, and a minimum polling interval (in seconds).
  • The user navigates to the verification URL and enters the user code.
  • The user is prompted to log in and approve access to Salesforce data.
  • In the meantime, the application running on the device keeps polling Salesforce (at the interval Salesforce returned) and, once the user has approved access, the device application is issued an access token.
  • After the access token is granted, the device can use it in API requests to access data on the user's behalf. The device uses the refresh token to get a new access token if the access token becomes invalid.

OAuth 2.0 Asset Token Flow
  • Client applications use the OAuth 2.0 asset token flow to request an asset token from Salesforce for connected devices. 
  • In this flow, the device obtains an access token (in any of the ways above) and uses it, alongside additional information, to create an actor token. This token contains information about the asset and is sent to Salesforce, where it is exchanged for an asset token. Subsequent requests to protected resources at Salesforce can then be made with the asset token.
  • In this flow, an OAuth access token and an actor token are exchanged for an asset token. This flow combines asset token issuance and asset registration for efficient token exchange and automatic linking of devices to Service Cloud Asset data.

OAuth 2.0 Refresh Token Flow
  • The OAuth 2.0 refresh token flow renews tokens issued by the web server or user-agent flows.

Revoking Tokens
  • Revoke an OAuth token if you don't want the client app to access Salesforce data or if you don't trust the client app to discontinue access on its own.
  • When users request their data from within an external app (the consumer's page), they're authenticated. You can revoke their access tokens, or the refresh token and all related access tokens, using revocation. Developers can revoke the token when configuring a log-out button in their app.
  • You can use the POST method to revoke a token as shown below.

To revoke OAuth 2.0 tokens, use the revocation endpoint:
https://login.salesforce.com/services/oauth2/revoke
Construct a POST request that carries the token parameter in application/x-www-form-urlencoded format in the HTTP request entity-body. For example:
    POST /services/oauth2/revoke HTTP/1.1
    Host: login.salesforce.com
    Content-Type: application/x-www-form-urlencoded

    token=currenttoken
  • Salesforce also supports GET requests with the query string parameter token set to the current token. If an access token is included, Salesforce invalidates it and revokes the token. If a refresh token is included, Salesforce revokes it and any associated access tokens. For example:
https://login.salesforce.com/services/oauth2/revoke?token=currenttokenID

The authorization server indicates successful processing of the request by returning HTTP status code 200. For all error conditions, status code 400 is used.
You can also navigate to "Connected Apps OAuth Usage" under Setup and block an external app from creating new sessions with the connected app.

Hope this will help!!!

Thursday, February 28, 2019

Login Flows - Way to Customize User Authentication Flow

Login flows act as a business process that you want to run for users after they log in. Login flows are assigned at the profile level.


How does a login flow work?


Custom 2 Factor Authentication

Login flows can be used to provide custom two-factor authentication. Below is the flow chart I prepared to implement this:

Different steps involved:
  • Once the user has logged in, they are redirected to the login flow.
  • From the login flow, call an Apex action which performs a callout to an external system that sends an authentication code to the user via SMS or email. You can use the Twilio app to send SMS to users. Store the auth code from the callout response in Salesforce (for example in a custom field on the User object).
  • If you don't want to use an external app, generate a random code in Apex, store it in a custom field on the User object, and email it to the user using the Apex email message methods.
  • Once the user receives the code, they enter it in an input text field on the login flow.
  • If the code entered by the user matches the code stored in the User custom field, allow the user to proceed into Salesforce. As a best practice, clear the code stored on the User record once validation has completed so that the same code cannot be reused.
  • If there is a mismatch, you can deny the user access.
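Added example, not from the post: the code-handling part of the steps above written in Go, for the case where you generate the code yourself rather than through an external service. It draws the code from crypto/rand, stores only a digest together with an expiry and an attempt counter (standing in for the custom field on the User object), compares in constant time, and deletes the code once it has been used so that it cannot be replayed. The user Id and the time-to-live are constructed values.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// maxAttempts bounds guesses per issued code; with only a million possible
// 6-digit codes this limit, not the hashing, is what stops brute force.
const maxAttempts = 3

// pendingCode is what the login flow persists per user: a digest of the code
// rather than the code itself, its expiry and the guesses so far.
type pendingCode struct {
	digest   [32]byte
	expires  time.Time
	attempts int
}

// codeStore stands in for the custom field on the User object from the post.
type codeStore struct {
	mu    sync.Mutex
	codes map[string]*pendingCode
}

func newCodeStore() *codeStore { return &codeStore{codes: map[string]*pendingCode{}} }

// issue draws a uniformly random 6-digit code from crypto/rand, stores only its
// digest, and returns the plaintext once so it can be sent by SMS or e-mail.
func (s *codeStore) issue(userID string, ttl time.Duration, now time.Time) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	s.mu.Lock()
	defer s.mu.Unlock()
	s.codes[userID] = &pendingCode{digest: sha256.Sum256([]byte(code)), expires: now.Add(ttl)}
	return code, nil
}

// verify enforces expiry and the attempt limit, compares in constant time, and
// deletes the stored code on success so it cannot be replayed.
func (s *codeStore) verify(userID, code string, now time.Time) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	p, ok := s.codes[userID]
	if !ok {
		return errors.New("no code outstanding for user")
	}
	if now.After(p.expires) {
		delete(s.codes, userID)
		return errors.New("code expired")
	}
	p.attempts++
	if p.attempts > maxAttempts {
		delete(s.codes, userID)
		return errors.New("too many attempts; request a new code")
	}
	got := sha256.Sum256([]byte(code))
	if subtle.ConstantTimeCompare(got[:], p.digest[:]) != 1 {
		return errors.New("code mismatch")
	}
	delete(s.codes, userID) // single use
	return nil
}

func main() {
	store := newCodeStore()
	now := time.Now()
	code, err := store.issue("005XX0000000001", 5*time.Minute, now) // constructed user Id
	if err != nil {
		panic(err)
	}
	fmt.Println("deliver to user:", code)
	fmt.Println("first check:", store.verify("005XX0000000001", code, now))
	fmt.Println("replay:", store.verify("005XX0000000001", code, now))
}
```

Translated back to the post's design, issue corresponds to writing the custom field (store a hash and a timestamp there rather than the code), verify to the comparison step in the flow, and the delete on success to the "clear the code once validation completed" best practice; the attempt limit is the extra control a short numeric code needs.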

Important considerations while using login flows
  • A login flow cannot replace Salesforce authentication, but it can be used as an additional authentication step.
  • A login flow can be used to display important messages to users once they log in. Refer to Login Flows to Display Important Messages to User After Login to learn about this in detail.
  • Login flows apply only to UI logins, not to API logins.
  • A login flow can be used with SAML JIT provisioning. If the user doesn't exist, JIT provisions the user first and then the login flow kicks off. If the user fails the two-factor check in the login flow, deactivate the user again in Salesforce.
  • When a user logs in, login data such as the type of device, IP address, session Id, user agent etc. are available in the Visual Workflow designer. This can be used to provide a different experience based on the login device.
  • As a best practice, do not enable custom two-factor authentication for system administrators.

Hope this will help!!

Thursday, February 21, 2019

How to update Chatter User Profile Photo using Connect API

The "ConnectApi" namespace provides classes and static methods to access Chatter data that is also available through the Chatter REST API. This is also referred to as "Chatter in Apex". It exposes the data in a localized and structured way.

Chatter in Apex provides the "UserProfiles" class, which offers different methods to access information about a user's profile.

Before version 35, the "ChatterUsers" class was used to access information about users, such as activity, followers, subscriptions, files, and groups. Now this class is not available.

We will use the UserProfiles class to update the Chatter user photo. You can upload the image in Documents or anywhere else; what we need is the Blob representation of that image, which is then passed to setPhoto to update the profile photo.

Below is sample code:

// Load the image previously uploaded to Documents with the name 'ProfilePhoto'
Document doc = [SELECT Id, Body FROM Document WHERE Name = 'ProfilePhoto' LIMIT 1];
// Set the photo on the current user's profile; null communityId means the internal org.
// Use the standard MIME type 'image/jpeg' (not 'image/jpg') for JPEG content.
ConnectApi.UserProfiles.setPhoto(null, UserInfo.getUserId(),
    new ConnectApi.BinaryInput(doc.Body, 'image/jpeg', 'user.jpg'));

I have uploaded the image in Documents and then updated the profile photo on Chatter.


This setPhoto method takes the following parameters:
  • communityId (String) - the community Id, or null for internal users
  • userId (String) - the 15- or 18-digit User record Id
  • image details (ConnectApi.BinaryInput) - the Blob with the file content, the MIME type of the content, and the file name (String)

If the profile photo is stored in Files instead, use the following overload to update the Chatter profile photo:

ConnectApi.UserProfiles.setPhoto(null, UserInfo.getUserId(), '0690I00000D42WT', null);

This overload takes four parameters:
  • communityId (String) - the community Id, or null for internal users.
  • userId (String) - the 15- or 18-digit User record Id.
  • fileId (String) - the 15- or 18-digit Id of the file (a ContentDocument Id, prefix 069).
  • versionNumber (Integer) - the version number of the existing file. Specify an existing version number, or null to use the latest version.
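The Files overload above with the Id looked up instead of hard-coded, as an added example that is not code from the original post. It selects the latest version of the file by title, refuses non-image file types, pins the upload to that version number, and handles the ConnectApi exception that a bad Id or type would raise; the file title 'ProfilePhoto' is an assumption.

```apex
// Added example (not from the original post): set a Chatter profile photo from the
// latest version of a Salesforce File found by title, rather than a hard-coded Id.
public class ChatterProfilePhotoUpdater {

    // File types that make sense as a profile photo (ContentVersion.FileType values)
    private static final Set<String> IMAGE_TYPES = new Set<String>{'JPG', 'JPEG', 'PNG', 'GIF'};

    // Returns the photo Connect API hands back, or null when no suitable file exists
    // or the update was rejected.
    public static ConnectApi.Photo setFromFile(Id userId, String fileTitle) {
        List<ContentVersion> latest = [
            SELECT ContentDocumentId, VersionNumber, FileType
            FROM ContentVersion
            WHERE Title = :fileTitle AND IsLatest = true
            ORDER BY CreatedDate DESC
            LIMIT 1
        ];
        if (latest.isEmpty()) {
            return null;
        }
        ContentVersion cv = latest[0];
        if (String.isBlank(cv.FileType) || !IMAGE_TYPES.contains(cv.FileType.toUpperCase())) {
            return null; // not an image; do not hand it to setPhoto
        }
        try {
            // ContentDocumentId has the 069 prefix setPhoto expects; passing the version
            // number pins the photo to this version (null would mean "latest").
            return ConnectApi.UserProfiles.setPhoto(
                null, userId, cv.ContentDocumentId, Integer.valueOf(cv.VersionNumber));
        } catch (ConnectApi.ConnectApiException e) {
            System.debug(LoggingLevel.ERROR, 'Could not set profile photo: ' + e.getMessage());
            return null;
        }
    }
}

// Usage from Execute Anonymous:
// ChatterProfilePhotoUpdater.setFromFile(UserInfo.getUserId(), 'ProfilePhoto');
```

Because Connect API methods are not available in triggers, call this from Execute Anonymous, a Lightning controller or a batch/queueable job.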
Hope this will help!!

Saturday, February 16, 2019

How to get User Locale information in Lightning Components

The Lightning framework provides the $Locale global value provider, which exposes the current user's locale preferences, for example the preferred time zone, language and currency format.

In Spring '19, Salesforce introduced new date-time $Locale attributes for date-time formatting, as listed below:
  • longDateFormat ("MMMM d, yyyy")
  • shortDateFormat ("M/d/yyyy")
  • shortDatetimeFormat ("M/d/yyyy h:mm a")
  • shortTimeFormat ("h:mm a")
You can reference this global value provider directly in the Lightning component markup or in the controller.js file.

Below is sample code, shown as a snapshot of the Lightning component (image not reproduced here).

For detailed information on Locale global variable, please refer below URL:
$Locale in Lightning Component


Hope this will help!!!