Sunday, March 17, 2019

IDENTITY AND ACCESS MANAGEMENT DESIGNER : Exam Preparation Guide and Tips

I am really excited to share that I cleared the "IDENTITY AND ACCESS MANAGEMENT DESIGNER" exam yesterday, and I am going to share my inputs for people who are preparing for it.

I have successfully completed the "Application Architect" credential; if you would like to prepare for it, refer to the links below:

Data Architecture and Management Designer : Exam preparation guide and tips
Sharing and Visibility Designer : Exam preparation guide and tips

As usual, I started with the Resource Guide for the Identity and Access Management Designer exam. This time while preparing I gave more preference to the Trailmix Architect Journey: Identity and Access Management, especially its hands-on training section.

This was really a tough exam for me, as everything was theoretical: SSO is already configured in all companies, and we don't get a chance to work on identity provider and service provider configurations, since my job role mainly involves providing solutions to streamline business processes. But anyhow, it was a mandatory exam in order to get the "System Architect" credential, so I started preparing for it just after clearing my "Salesforce Certified Integration Architecture Designer".

If you are preparing for the Salesforce Certified Integration Architecture Designer exam, refer to the link below:
SALESFORCE INTEGRATION ARCHITECTURE DESIGNER : Things to consider before appearing for this exam

Below are the points you should cover before appearing for the exam:

My Domain
  • My Domain is required to configure SSO.
  • Add a subdomain to your Salesforce org with the My Domain Salesforce Identity feature. If you specify login.salesforce.com as the entity ID in SSO, the identity provider will redirect to the generic Salesforce domain, and Salesforce will open the login page again because it cannot determine which subdomain the user should be redirected to. If you enable My Domain and specify it in the entity ID, redirection from the identity provider is straightforward.
  • My Domain is required for single sign-on (SSO) with external identity providers; social sign-on with authentication providers such as Google and Facebook; and Lightning components in Lightning component tabs, Lightning pages, the Lightning App Builder, or standalone apps.
  • You can rename your My Domain subdomain in production orgs, but you can't rename a sandbox, developer, or trial org subdomain.
  • Authentication Configuration under My Domain controls which authentication services are presented to the user.
  • If you want users to be authenticated by the external identity provider, deselect Login Form from the authentication services.
  • If Login Form is enabled as an authentication service, users may complain that they get redirected to the Salesforce login page instead of the identity provider's login screen.
Salesforce Two-Factor Authentication
  • You can use the out-of-the-box two-factor authentication provided by Salesforce. Create a permission set and assign the "Two-Factor Authentication for User Interface Logins" permission in it, then assign this permission set to the users for whom you want to enable two-factor authentication. Users need to download the Salesforce Authenticator app and link their Salesforce account. Now whenever the user logs in, they get an approve or reject option in Salesforce Authenticator. Salesforce Authenticator displays the device and location of the login, and you can choose to remember that location so that you do not get a notification the next time you log in from it.
Custom Login Flow
Salesforce OAuth Flows
OAuth Scope Parameter Values
  • The scope parameter fine-tunes the permissions associated with the tokens that you're requesting. Scope is a subset of the values that you specified when defining the connected app.
  • The different scope values are:
    • api : Allows access to the current, logged-in user's account using APIs, such as REST API and Bulk API. This value also includes chatter_api, which allows access to Chatter REST API resources.
    • chatter_api : Allows access to Chatter REST API resources only.
    • custom_permissions : Allows access to the custom permissions in an organization associated with the connected app, and shows whether the current user has each permission enabled.
    • full : Allows access to all data accessible by the logged-in user, and encompasses all other scopes. full does not return a refresh token. You must explicitly request the refresh_token scope to get a refresh token.
    • id : Allows access to the identity URL service. You can request profile, email, address, or phone individually to get the same result as using id; they are all synonymous.
    • openid : Allows access to the current, logged-in user's unique identifier for OpenID Connect apps. Use the openid scope in the OAuth 2.0 user-agent flow and the OAuth 2.0 web server authentication flow to receive a signed ID token conforming to the OpenID Connect specifications in addition to the access token.
    • refresh_token : Allows a refresh token to be returned when you are eligible to receive one. The app can then interact with the user's data while the user is offline. This is synonymous with requesting offline_access.
    • visualforce : Allows access to customer-created Visualforce pages. Doesn't allow access to standard Salesforce UIs.
    • web : Allows the ability to use the access_token on the web, and includes visualforce, allowing access to customer-created Visualforce pages.
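To make the scope rules above concrete, here is an added example (my own code, not from the post or from Salesforce) that applies them to a token request: it normalises the synonyms (profile/email/address/phone mean id, offline_access means refresh_token), expands full and the implied scopes, rejects anything not selected on the connected app, and reports whether a refresh token would be issued. The strict "requested must be a subset of the app's scopes" rule is taken literally from the text; Salesforce's real behaviour at the edges may differ.

```python
# Scope semantics modelled from the post's list (constructed example).
ID_SYNONYMS = {"id", "profile", "email", "address", "phone"}  # all mean "id"
IMPLIES = {"api": {"chatter_api"}, "web": {"visualforce"}}   # api includes chatter_api, web includes visualforce
DATA_SCOPES = {"api", "chatter_api", "custom_permissions", "id", "openid",
               "visualforce", "web"}                          # what "full" expands to
KNOWN = DATA_SCOPES | ID_SYNONYMS | {"full", "refresh_token", "offline_access"}


def _normalise(scopes):
    """Map synonyms onto their canonical scope name; reject unknown values."""
    out = set()
    for s in scopes:
        if s not in KNOWN:
            raise ValueError(f"unknown scope: {s}")
        if s in ID_SYNONYMS:
            out.add("id")
        elif s == "offline_access":
            out.add("refresh_token")
        else:
            out.add(s)
    return out


def resolve_scopes(requested, app_scopes):
    """Return (effective scopes, refresh token issued?, rejected scopes).

    requested:  scope values in the authorization request
    app_scopes: scopes selected on the connected app; anything requested
                outside this set is rejected, since scope must be a subset
    """
    req = _normalise(requested)
    allowed = _normalise(app_scopes)
    rejected = {s for s in req if s not in allowed}
    granted = req - rejected

    effective = set()
    for s in granted:
        if s == "full":
            effective |= DATA_SCOPES   # full covers all data scopes ...
        else:
            effective.add(s)
    for s in list(effective):          # ... and api/web pull in their implied scopes
        effective |= IMPLIES.get(s, set())

    # "full" never yields a refresh token by itself; only an explicit
    # refresh_token (or offline_access) request does.
    refresh_issued = "refresh_token" in effective
    return sorted(effective), refresh_issued, sorted(rejected)
```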
Identity License and External Identity License
  • Identity license connects Salesforce users with external applications and services, while giving administrators control over authentication and authorization for these users.
  • External Identity license is used for users outside of your organization’s user base (such as non-employees). Store and manage these users, choose how they authenticate (username/password, or Single Sign-On social sign-on through Facebook, Google+, LinkedIn, and others), and allow self-registration.
IDP-initiated or SP-initiated
  • When Salesforce acts as the service provider and the identity provider is an external app, and the user logs in using the Salesforce My Domain URL, this is called the SP-initiated single sign-on flow. In this case, Salesforce first redirects the user to the identity provider for authentication and, based on the identity provider's response, allows the user into Salesforce.
  • If the user logs in at the identity provider and is then redirected to the service provider using a link, this is called the IdP-initiated single sign-on flow.
  • Suppose you are using a third-party app as the IdP, and both Salesforce and some external app use that third party as their IdP. If a user clicks a link to a Salesforce resource in the external app, you need to configure SP-initiated SSO so that the SAML token is passed to the authentication provider when the Salesforce resource is requested.
  • With an IdP-initiated login process, you typically set up a link on the company intranet that users click to get access to Salesforce.
Identity Connect
  • Identity Connect is a Salesforce Identity product that helps Salesforce admins apply all the data collected in AD to automate Salesforce user management. It syncs changes in AD within seconds.
  • Identity Connect is on-premises software that sits behind your firewall and pushes data to Salesforce. Identity Connect’s server runs within the corporate network and communicates with the AD server over LDAP(S). It communicates with in-the-cloud Salesforce over HTTPS. Work with your networking engineer to ensure that these paths are open so that Identity Connect can connect to both AD and Salesforce.
  • When Identity Connect detects differences between AD and Salesforce, it updates Salesforce with the information in AD. Data transfer is in one direction and AD is the source of truth. Identity Connect never changes information that's stored in AD.
  • You can set up Identity Connect to manage multiple production orgs. And you can set up Identity Connect to manage multiple nonproduction orgs. But you can’t mix production and sandbox orgs in one Identity Connect environment.
  • The different ways in which Identity Connect maps AD group users to Salesforce users are:
    • Profile mapping with AD groups
    • Permission set mapping with AD groups
    • User role mapping with AD groups
    • Salesforce groups to AD groups
Self Registration - Communities
  • Enable self-registration to allow unlicensed guest users to join your community. When your users self-register, you can choose to save them as contacts under a business account or create a person account for each self-registering user.
  • If your business deals mostly with individuals, instead of creating them as contacts under a single business account, you can assign each self-registering user to a person account.
  • If you want to create a person account from the self-registration page, don't specify an account ID when creating the account. You can also manually create person accounts and assign them to community users with Customer Community and Customer Community Plus licenses.
Canvas App
  • Canvas enables you to easily integrate a third-party application in Salesforce. Canvas is a set of tools and JavaScript APIs that you can use to expose an application as a canvas app. This means you can take your new or existing applications and make them available to your users as part of their Salesforce experience.
  • The third-party app that you want to expose as a canvas app can be written in any language. The only requirement is that the app has a secure URL (HTTPS).
  • A canvas app's appearance in Salesforce depends on the values you select in the Locations field when creating the connected app in Salesforce.
  • A canvas app can appear in the Chatter feed, Chatter tab, Console, navigation menu in the Salesforce app, Visualforce pages, page layouts and mobile cards, Open CTI (in the call control tool), Chatter publisher and action bar.
  • Force.com Canvas can use the web server OAuth authentication flow and the user-agent OAuth authentication flow.
Single Sign On Settings
  • Configure single sign-on to authenticate users in salesforce.com from external environments.
  • With Just-in-Time provisioning, you can use a SAML assertion to create regular and portal users on the fly the first time they try to log in. This eliminates the need to create user accounts in advance.
  • Just-in-Time provisioning works with your SAML identity provider to pass the correct user information to Salesforce in a SAML 2.0 assertion attribute statement. You can both create and modify users, contacts, and accounts this way. Because Just-in-Time provisioning uses SAML to communicate, your organization must have SAML-based single sign-on enabled.
  • To enable Just-in-Time provisioning, you must explicitly enable the checkbox in Single Sign-On Settings.
  • The Entity ID controls where the user is redirected once authorized by the identity provider.
  • If the user is always redirected to the home page after successful authentication, it means the identity provider is not preserving the relay state, which specifies where to redirect the user after authentication.
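The relay state behaviour described above, as an added example (my own code, not from the post or Salesforce): the service provider sends the deep link as RelayState, and the landing page is derived from whatever the identity provider sends back. It also shows the check a service provider should apply before honouring a RelayState value, since a returned value that points at another host must not be followed. The My Domain host is taken from the post's example URL; the home page path is constructed.

```python
from urllib.parse import urlsplit, urlunsplit

MY_DOMAIN = "mycompany.my.salesforce.com"   # host from the post's example URL
HOME_PAGE = "/home/home.jsp"                # constructed fallback landing page


def _clean_path(path, query):
    """Accept only an origin-relative path; reject '//host' and backslash tricks."""
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return None
    return urlunsplit(("", "", path, query, ""))


def safe_start_url(relay_state):
    """Turn a RelayState value into a safe startURL, or fall back to HOME_PAGE.

    Accepted: a relative path on this org, or an absolute https URL on our
    own My Domain (reduced to its path). Anything else, including a missing
    RelayState, lands on the home page.
    """
    if not relay_state:
        return HOME_PAGE
    parts = urlsplit(relay_state)
    if parts.scheme or parts.netloc:
        if parts.scheme != "https" or parts.netloc.lower() != MY_DOMAIN:
            return HOME_PAGE
        cleaned = _clean_path(parts.path or "/", parts.query)
    else:
        cleaned = _clean_path(relay_state, "")
    return cleaned if cleaned is not None else HOME_PAGE


def sp_initiated_login(deep_link, idp_preserves_relay_state):
    """Simulate the SP-initiated flow from the post.

    1. The user hits a deep link on My Domain; Salesforce (the SP) sends the
       browser to the IdP with RelayState=deep_link.
    2. The IdP authenticates the user and posts the signed assertion back,
       either echoing RelayState or (misconfigured) dropping it.
    3. The SP derives the landing page from what came back.
    """
    relay_state_sent = deep_link
    relay_state_received = relay_state_sent if idp_preserves_relay_state else None
    return safe_start_url(relay_state_received)
```

An IdP that drops RelayState produces exactly the "always lands on the home page" symptom from the last bullet.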
Connected App
  • A connected app integrates an application with Salesforce using APIs. Connected apps use standard SAML and OAuth protocols to authenticate, provide single sign-on, and provide tokens for use with Salesforce APIs. In addition to standard OAuth capabilities, connected apps allow Salesforce admins to set various security policies and have explicit control over who can use the corresponding apps.
  • If you want users to access Salesforce from mobile devices while IP restrictions are applied on their profiles, relax IP restrictions for your OAuth-enabled connected app; users can then access Salesforce from mobile devices.
  • IP relaxation does not apply to SAML-enabled connected apps unless they are also OAuth-enabled for single sign-on.
  • The refresh token policy can also be set in the connected app. If users complain that they need to log in again after some time on their mobile device, check the refresh token policy on the connected app.
  • Create a connected app for the external application to configure SSO from Salesforce to that external application. You can add profiles and permission sets to the connected app to pre-authorize users. Connected apps are mainly used for inbound requests to Salesforce.
Federated Authentication
  • Federated authentication uses SAML, an industry standard for secure integrations. Investing in SAML with Salesforce.com can be leveraged with other products or services. If you use SAML, you don't have to expose an internal server to the Internet: the secure integration is done using the browser. In addition, Salesforce.com never handles any passwords used by your organization.
  • When SAML is configured, the user (via their browser) hits either a URL at the enterprise Identity Provider (IdP) or, if My Domain is configured, any My Domain URL at Salesforce, e.g. https://mycompany.my.salesforce.com/SOMERECORDID. The SAML protocol redirects them for authentication in the enterprise, and sends them to Salesforce with a signed XML message representing that authentication.
  • The signed XML message contains the federation ID, which uniquely identifies the user in Salesforce.
  • The Salesforce user record ID, federation ID, or username can be used to represent the identity of the user when Salesforce is acting as a Service Provider in a SAML configuration.
  • Users will face issues with SSO if the federation ID returned by the identity provider is not specified correctly in Salesforce.
Delegated Authentication
  • Another option for authenticating users on mobile and desktop devices is delegated authentication. If it is enabled for an organization and the user's profile, then when a user attempts to authenticate directly to Salesforce, the credentials are sent to a customer-configured endpoint over an HTTPS-secured web service.
  • You need to contact Salesforce to enable this feature.
  • Salesforce uses the following process to authenticate users with delegated authentication:
    • When a user tries to log in, Salesforce validates the username and checks the user’s profile settings.
    • If the user's profile has the Is Single Sign-On Enabled user permission, then Salesforce does not validate the username and password. Instead, a web services call is made to the user's organization, asking it to validate the username and password. Note: Salesforce doesn't store, log, or view the password in any way. It is disposed of immediately once the process is complete.
    • The Web services call passes the username, password, and IP address of the user to the customer's Web service. Your implementation of the Web service validates the passed information and returns either true or false.
    • If the response is true, then the login process continues, a new session is generated, and the user proceeds to the application. If false is returned, then the user is informed that his or her username and password combination is invalid.
    • Using this process, customers can easily use their existing authentication systems to validate credentials. This approach works with all mobile and desktop clients. Once a delegated authentication service is built and enabled for a user, no additional configuration is required. Users log in using the regular Salesforce login screens, but their credentials are simply validated remotely.
  • Salesforce sends the user request over SAML, but the request is sent back using delegated authentication. The RelayState parameter is transformed into the startURL parameter to redirect the user to the correct page. Using this technique, mobile and desktop clients that use SAML with Salesforce can also take advantage of SSO over delegated authentication.
  • For security reasons, make your web service available over TLS. The web service can be REST or SOAP.
  • Delegated authentication offers the following benefits.
    • Uses a stronger form of user authentication, such as integration with a secure identity provider.
    • Makes your login page private and accessible only behind a corporate firewall.
    • Differentiates your org from all other companies that use Salesforce to reduce phishing attacks.
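The customer-side half of the process listed above, as an added example (my own code, not from the post or Salesforce): a handler for the Authenticate call that receives username, password and source IP, validates them against a local identity store, and answers true or false. The SOAP namespace and element names are my assumption of what the delegated authentication WSDL uses; check them against the WSDL you download from Setup. The identity store, salt and allowed network are constructed for the example; the password is hashed and compared but never logged or kept.

```python
import hashlib
import hmac
import ipaddress
import xml.etree.ElementTree as ET

# Assumed from the delegated authentication WSDL (verify against your copy).
NS = "urn:authentication.soap.sforce.com"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"


def _pw_hash(password, salt):
    """PBKDF2-SHA256 of the password; constructed parameters for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-salt-0001"
IDENTITY_STORE = {  # constructed: username -> (salt, hash)
    "alice@example.com": (_SALT, _pw_hash("correct horse battery", _SALT)),
}
# Salesforce passes the end user's IP in sourceIp; this constructed policy
# only accepts logins that originate from the corporate range.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def authenticate(username, password, source_ip):
    """Validate the passed credentials; return True or False, nothing else."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    if not any(ip in net for net in ALLOWED_NETWORKS):
        return False
    record = IDENTITY_STORE.get(username)
    if record is None:
        _pw_hash(password, _SALT)  # same cost for unknown users (timing)
        return False
    salt, expected = record
    return hmac.compare_digest(_pw_hash(password, salt), expected)


def _response(ok):
    """Build the AuthenticateResult SOAP envelope (assumed element names)."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Body>'
            f'<AuthenticateResult xmlns="{NS}"><Authenticated>{str(ok).lower()}'
            '</Authenticated></AuthenticateResult></soapenv:Body></soapenv:Envelope>')


def handle_request(soap_xml):
    """Parse an Authenticate request; return (decision, response envelope)."""
    root = ET.fromstring(soap_xml)
    auth = root.find(f".//{{{NS}}}Authenticate")
    if auth is None:
        return False, _response(False)

    def field(name):
        el = auth.find(f"{{{NS}}}{name}")
        return el.text if el is not None and el.text else ""

    ok = authenticate(field("username"), field("password"), field("sourceIp"))
    # Audit the outcome with username and IP only; the password is dropped here.
    return ok, _response(ok)


def sample_request(username, password, ip):
    """Constructed Authenticate envelope of the shape Salesforce would send."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Body>'
            f'<Authenticate xmlns="{NS}"><username>{username}</username>'
            f'<password>{password}</password><sourceIp>{ip}</sourceIp>'
            '</Authenticate></soapenv:Body></soapenv:Envelope>')
```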
Federated Authentication vs Delegated Authentication
  • Delegated authentication is inherently less secure than federated authentication. Even if encrypted, delegated authentication still sends the username and password (possibly even your network password) over the Internet to Force.com. Some companies have policies that preclude a third party from handling their network passwords.
  • Delegated authentication requires much more work for the company implementing it. The web services endpoint configured for the org must be developed, hosted, exposed on the Internet, and integrated with the company's identity store.
  • Federated authentication happens through the web browser and cannot be used for mobile and desktop applications. Use delegated authentication for mobile and desktop apps.
Looking forward to everyone's comments and suggestions, and best of luck for the exam...

Hope this will help!!!

39 comments:

  1. Hiiii....Thank you so much for sharing Great information...Keep going on...
    Salesforce Training in Hyderabad

  2. You there, this is really good post here. Thanks for taking the time to post such valuable information. Quality content is what always gets the visitors coming. identity card

  3. Different managers search for this confirmation when they are looking for new representatives.ExcelR PMP Certification

  4. I just found this blog and have high hopes for it to continue. Keep up the great work, its hard to find good ones. I have added to my favorites. Thank You.
    ExcelR pmp certification

  5. Now its not difficult to pass Identity-and-Access-Management-Designer exam, get the valid Identity-and-Access-Management-Designer dumps pdf to pass exam in first try with good grades ! The major deal is 100% full refunded money back guarantee in case of failure.

    Note:- Updated Exam Questions added to the Identity-and-Access-Management-Designer PDF.

    Cover the complete course & topics Identity-and-Access-Management-Designer question answers pdf And start learning :- Authentic Identity-and-Access-Management-Designer Dumps 2019

    http://www.gratisdumps.com/exam/Identity-and-Access-Management-Designer-Dumps-pdf/

    Product Features:

    1) 100% Success Rate

    2) Money Back Assurance

    3) Up-to-date Questions

    4) Instant Download

    5) Free Updates for 3 months

  6. I was reading some of your content on this website and I conceive this internet site is really informative ! Keep on putting up. bespoke interior design

  7. I think there is a typo in this para.

    Federated authentication happens through web browser and can not be used for mobile and desktop applications. Use [deletagated] authentication for mobile and desktop app.

  8. I appreciate this post a lot because I am preparing to such an exam myself at the moment, and the information given will surely help me out with it.

  9. Prepare from website : https://www.realdumpspdf.com/

    For all latest salesforce certification dumps mail us at sales@realdumpspdf.com

    If you need help on any superbadge or salesforce certification mail us at sales@realdumpspdf.com

    We have Following latest certification of
    1. Admin 201
    2. App Builder
    3. Platform developer 1
    4. Platform Developer 2
    5. Sales Cloud
    6. Service Cloud
    7. Community Cloud
    8. Marketing cloud Email Specialist
    9. Marketing cloud Cloud Consultant
    10. CPQ
    11. FSL
    12. Data Management Architecture
    14. Integration architecture
    15. Identity Access management
    16. Development Lifecycle
    17. Pardot Specialist/Consultant
    19. Advance Admin
    20. Sharing Visibilty Designer
    21. Einstein Analytics
    22. Non- Profit Cloud


  10. Nice post. Thanks for sharing! I want people to know just how good this information is in your article. It’s interesting content and Great work.
    https://360digitmg.com/digital-marketing-training-in-hyderabad

  11. I am looking for and I love to post a comment that "The content of your post is awesome" Great work!
    project management courses

  12. Its a great pleasure reading your post.Its full of information I am looking for and I love to post a comment that "The content of your post is awesome" Great work. https://roycollections.com/servis-shoes-sale/

  13. Very nice job... Thanks for sharing this amazing ExcelR PMP Certification and educative blog post!

  14. Hi There,
    I'm seeing from some other sources that delegated authentication does not support the REST protocol. Can you share the source material for your finding?
    thanks

  15. It is very helpful and very informative and I really learned a lot from it.for more information about pmp you can visit : https://360digitmg.com/pmp-training-in-hyderabad

  16. Great post. However, there is one mistake I found. The delegated authentication web service can only be SOAP, not REST & SOAP.

  17. forget those clunky, hulking things that belonged to your father, today's bunk beds are lighter, and more chic than ever before. With so many different types of materials and beautiful hardwoods or metals to choose from, there is something to fit even the most discriminating palate. triple twin bunk bed

  18. That is the reason concentrate on you will need to unique placement of feet some time before authoring. Will likely be doable to help far more suitable writing in this fashion. Best Design

  19. Certainly, every pupil is frightened of exams like wonderlic basic skills test practice yet correct test prep work can make certain that they come out with flying shades. Below are some suggestions that pupils might comply with to examine properly so that they can prepare for the exams in a far better method.

  20. The first step is for YOU to make a decision that developing your people to think, act, and make decisions like business owners is something you are committed to. Salesforce training in Hyderabad

  21. nice blog!! i hope you will share a blog on Data Science.
    data science certification

  22. I found this is an informative and interesting post so i think so it is very useful and knowledgeable. I would like to thank you for the efforts you have made in writing this article. access control system Singapore

  23. Hello, this weekend is good for me, since this time i am reading this enormous informative article here at my home. https://michaelguion.wixsite.com/access-control

  24. Thank you for the update, very nice site.. google ads tricks

  25. Welcome to this 21st day of October, 12-years into the 21st century. I wish thank all my online readers and radio listeners for their continued support. For today's talk I will discuss many items having to do with our technology for domestic purposes; entertainment, safety, education, and personal communication. It all matters and it is changing the way we live, how we think, and our path forward into the future. access card system singapore

  26. Very interesting post, and it is quite informative. I really enjoyed reading this.

  27. Thanks for this useful article; waiting for another article like this again. https://penzu.com/p/82215bb3

  28. Great, thanks for sharing the tips. I've recently passed this exam and I'd highly recommend going for Identity and Access Management Designer exam practice questions while preparing for the exam. These questions helped me a lot in my exam preparation.

  29. An article about history and types of identity theft. It also explores what the identity thieves are after. fake id

  30. Although when you decide to put together the ExamDumps.co, you can use our Latest Exam Dumps in the entire process. With studying our Latest Exam Dumps, we assume that you will 100% pass the test.

  31. DO YOU NEED FINANCES? ARE YOU LOOKING FOR FINANCES? ARE YOU LOOKING FOR FINANCING TO ENLARGE YOUR BUSINESS?via email:bullsindia187@gmail.com
