How to Pass Identity & Access Management Designer Exam Salesforce?

I have to admit that the Identity and Access Management Designer exam was the trickiest one among all the certifications I have appeared for. If you do not have any particular experience in the Identity/Access management area, then I recommend spending some time on a deep study of the core concepts like SSO and OAuth.

Topic Outline

The Salesforce Identity and Access Management Designer exam covers the following topics –

Identity Management Concepts: 28%

  1. Describe the role(s) an identity provider and service provider play in an access control solution.
  2. Describe common methods for how to trust connections that are established between two systems and the methodologies used to describe trust between an identity provider and service provider.
  3. Given a scenario, articulate whether it describes an authentication, authorization, or accounting scenario and what Salesforce feature should be used to accomplish the task.
  4. Given a scenario, recommend the appropriate method for provisioning users in Salesforce, and other third-party services (SOAP/REST API, SAML JIT, Identity Connect, User Provisioning for Connected Apps, etc.).
  5. Describe the risks to enterprise security that federated Single Sign-on solutions aim to address.
  6. Given a scenario, troubleshoot common points of failure that may be encountered in a Single Sign-on solution (SAML, OAuth, etc.).

Accepting Third-Party Identity in Salesforce: 22%

  1. Describe the components of an identity management solution where Salesforce is accepting identity from a third party.
  2. Given a scenario, recommend the appropriate authentication mechanism when Salesforce needs to accept Third-Party Identity (Enterprise Directory, Social, Community, etc.).
  3. Given a scenario, recommend the appropriate method of SAML initiation to fulfill the requirements (SP-init, IdP-init.).
  4. Describe the components of a Delegated Authentication solution.
  5. Describe the risks of implementing delegated authentication.

Salesforce as an Identity Provider: 23%

  1. Given a scenario, determine the most appropriate flow type to recommend when implementing an OAuth solution where Salesforce is providing identity to a third party (for example, User-Agent, Web Server, JWT, etc.).
  2. Describe the various implementation concepts of OAuth (for example; scopes, secrets, tokens, refresh tokens, token expiration, token revocation, etc.).
  3. Describe the role(s) Connected Apps play when Salesforce needs to provide identity to a third-party system.
  4. Given a scenario, recommend the Salesforce technologies that should be used to provide identity to the third-party system (Canvas, Connected Apps, App Launcher, etc.).

Access Management Best Practices: 15%

  1. Describe the risks that Two-Factor Authentication mechanisms aim to mitigate.
  2. Given a scenario, determine the most appropriate Two-Factor Authentication mechanism for an identity solution.
  3. Given a scenario, identify the risks and mitigation strategies that session security and Two-Factor Authentication enable (for example; High Assurance Sessions, 2FA, etc.).

Salesforce Identity: 7%

  1. Given a scenario, recommend the most appropriate Salesforce license type(s) to support the identity requirements.
  2. Describe the role(s) Identity Connect plays in an Identity Management solution.

Community (Partner and Customer): 5%

  1. Describe the capabilities for customizing the registration experience for external communities (for example; Branding options, self-registration, communications, etc.).

Authentication & Authorization

OAuth Authorization Flows

OAuth authorization flows grant a client application restricted access to protected resources on a resource server. Each OAuth flow offers a different process for approving access to a client app, but in general the flows consist of three main steps: the connected app, on behalf of the client, requests access to a protected resource; the authorization server (Salesforce) authenticates the user and issues an access token (and, for some flows, a refresh token) to the connected app; and the resource server validates the access token before serving the protected resource. The app never sees the user's Salesforce password, and the token carries only the scopes the user approved.

Types of OAuth Flows in Salesforce

  1. OAuth 2.0 Web Server Flow for Web App Integration
  2. OAuth 2.0 User-Agent Flow for Desktop or Mobile App Integration
  3. OAuth 2.0 Refresh Token Flow for Renewed Sessions
  4. OAuth 2.0 Authorization and Session Management for Hybrid Apps
  5. OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration
  6. OpenID Connect Dynamic Client Registration for External API Gateways
  7. Generate an Initial Access Token
  8. OpenID Connect Token Introspection
  9. OAuth 2.0 Device Flow for IoT Integration
  10. OAuth 2.0 Asset Token Flow for Securing Connected Devices
  11. Demo the Asset Token Flow
  12. OAuth 2.0 Username-Password Flow for Special Scenarios
  13. OAuth 2.0 SAML Bearer Assertion Flow for Previously Authorized Apps
  14. SAML Assertion Flow for Accessing the Web Services API
  15. OAuth 2.0 Authorization Errors
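The Web Server flow is the one most architects end up recommending for server-side web apps, and the exam expects you to know why it is safer than the User-Agent flow: the authorization code is exchanged on the back channel, the `state` parameter ties the callback to the session that started the flow, and PKCE (RFC 7636) binds the code to the client that requested it. The following is an added example, not code from this post or from Salesforce, showing the client side of that flow: generating the PKCE verifier and challenge, building the authorize URL, validating the callback, and assembling the token request. The login host, consumer key and redirect URI are assumed placeholders; no network call is made.

```python
"""Added example: OAuth 2.0 Web Server flow with PKCE (RFC 7636) against Salesforce.
Endpoints are the standard /services/oauth2/authorize and /services/oauth2/token;
CLIENT_ID and REDIRECT_URI below are assumed placeholder values."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN_HOST = "https://login.salesforce.com"            # use your My Domain host in production
CLIENT_ID = "3MVG9_example_consumer_key"               # assumption: connected app consumer key
REDIRECT_URI = "https://client.example.com/oauth/callback"  # assumption: registered callback URL


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as PKCE (and JWT) require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """32 random bytes -> 43-character verifier, inside RFC 7636's 43..128 range."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)). Only the hash leaves the client."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str, scope: str = "api refresh_token") -> str:
    """Front-channel request the browser is redirected to. Only the challenge is sent."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,                       # stored server-side, checked on callback
        "code_challenge": make_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{LOGIN_HOST}/services/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code from the redirect, refusing a state mismatch
    (login CSRF / mixed-up session) or an error response from the IdP."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    if "code" not in qs:
        raise ValueError("callback carries neither code nor error")
    return qs["code"][0]


def build_token_request(code: str, verifier: str) -> dict:
    """Back-channel form body for POST {LOGIN_HOST}/services/oauth2/token.
    The verifier proves this is the client that started the flow; add
    client_secret only if the connected app requires it for the web server flow."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    verifier, state = make_verifier(), secrets.token_urlsafe(16)
    print(build_authorize_url(verifier, state))
    # After the user approves, Salesforce redirects to REDIRECT_URI?code=...&state=...
    code = parse_callback(f"{REDIRECT_URI}?code=aPrx_demo&state={state}", state)
    print(build_token_request(code, verifier))
```

The `state` check and the `code_verifier` are the two things an attacker who intercepts the redirect cannot forge: a stolen authorization code is useless to anyone who does not hold the verifier, which is the reason PKCE is now recommended even for confidential clients.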

When to Use Which Auth Flow

Resource To Learn OAuth

  1. https://www.youtube.com/watch?v=6znYAIgvzG4
  2. https://www.youtube.com/watch?v=CPbvxxslDTU
  3. https://www.youtube.com/watch?v=b4gXo_kPZbg
  4. https://www.youtube.com/watch?v=cViU2-xVscA

Salesforce Standard Licence

Resource

Connected Application Salesforce

Connected apps are designed to be run independently of the user interface. Either the app is hosted on an external website that interfaces with salesforce.com, or it is a desktop or mobile app that runs on a client. Authentication for a connected app is client-initiated and must be done per client. Connected apps are usually accessed outside salesforce.com, although this is not a stringent requirement. The session lifespan may be indefinite until revoked by the user or an administrator. The app has limited access to the user's data (referred to as the scope), which may be as minimal as identity confirmation only, up to full access. The app may be run on a server or client. Access must be manually granted.

Source – https://salesforce.stackexchange.com/questions/15494/whats-the-practical-difference-between-canvas-connected-apps

Connected App Policies

Configure OAuth access policies for OAuth-enabled connected apps. These policies include defining which users can access a connected app, what IP restrictions apply to the connected app, and how long a refresh token is valid for.

Source – https://help.salesforce.com/articleView?id=sf.connected_app_manage_oauth.htm&type=5

Single Sign-On in Salesforce (SSO)

Single sign-on (SSO) is an authentication method that enables users to access multiple applications with one login and one set of credentials. For example, after users log in to your org, they can automatically access all apps from the App Launcher. You can set up your Salesforce org to trust a third-party identity provider to authenticate users. Or you can configure a third-party app to rely on your org for authentication.

Single Sign-On Terminology

Source – https://help.salesforce.com/articleView?id=sf.sso_terminology.htm&type=5

Delegated Authentication SSO

With delegated authentication, Salesforce does not check the password itself; it passes the username, password and the user's source IP to a web service you host and trusts the Boolean answer that comes back. Points to remember:

  1. The web service method must accept the user's source IP as a parameter, alongside the username and password.
  2. Universal Containers (UC) must allow the Salesforce IP ranges through the corporate firewall so that Salesforce can reach the web service.
  3. The return type of the web service method must be a Boolean value (true = authenticated).
  4. You have to develop a SOAP web service that implements the Salesforce AuthenticationService WSDL.
  5. It cannot work with REST.
  6. You have to contact Salesforce to enable delegated authentication for the org.
  7. Once enabled, delegated authentication is switched on per user via the "Is Single Sign-On Enabled" permission.
  8. That permission can be assigned through a Profile or a Permission Set.

The risk side of this design is the point the exam probes: the user's clear-text password transits to your endpoint on every login, so the endpoint must be reachable only from Salesforce, must be served over TLS, and must never log the password.
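To make the requirements above concrete, here is an added example (not from this post or from Salesforce) of what the customer-side endpoint has to do: accept only callers from an allowed network, parse the SOAP `Authenticate` request carrying `username`, `password` and `sourceIp`, check the credentials in constant time, and return a Boolean. The SOAP element names and the `urn:authentication.soap.sforce.com` namespace are my recollection of the AuthenticationService WSDL and should be treated as assumptions; the allowed network, the user store and the sample request are constructed for the example.

```python
"""Added example: shape of a delegated-authentication SOAP endpoint.
Element and namespace names are assumed from the Salesforce AuthenticationService
WSDL; the allowed caller network and user store are constructed test data."""
import hashlib
import hmac
import ipaddress
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH_NS = "urn:authentication.soap.sforce.com"   # assumption: WSDL namespace

# Constructed: only these networks may call the service. In production this is
# the published Salesforce IP range list, enforced at the firewall as well.
ALLOWED_CALLER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed user store: username -> PBKDF2 hash of the password.
_SALT = b"constructed-static-salt"    # real code uses a per-user random salt


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USERS = {"jane@uc.example": _hash("correct horse battery")}
_DUMMY = _hash("not-a-real-password")   # keeps unknown-user timing close to known-user timing


def sample_request(username: str, password: str, source_ip: str) -> str:
    """Constructed SOAP envelope in the shape Salesforce sends (element names assumed)."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}"><soapenv:Body>'
        f'<Authenticate xmlns="{AUTH_NS}">'
        f"<username>{escape(username)}</username>"
        f"<password>{escape(password)}</password>"
        f"<sourceIp>{escape(source_ip)}</sourceIp>"
        "</Authenticate></soapenv:Body></soapenv:Envelope>"
    )


def handle_authenticate(envelope: str, caller_ip: str) -> bool:
    """Return the Boolean Salesforce expects: True only when the request arrived from
    an allowed network and the username/password pair is valid."""
    if not any(ipaddress.ip_address(caller_ip) in net for net in ALLOWED_CALLER_NETS):
        return False                      # not Salesforce calling: refuse before reading credentials
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError:
        return False
    req = root.find(f".//{{{AUTH_NS}}}Authenticate")
    if req is None:
        return False
    username = req.findtext(f"{{{AUTH_NS}}}username", "")
    password = req.findtext(f"{{{AUTH_NS}}}password", "")
    source_ip = req.findtext(f"{{{AUTH_NS}}}sourceIp", "")
    try:
        ipaddress.ip_address(source_ip)   # the end user's address, relayed by Salesforce
    except ValueError:
        return False                      # malformed parameter: fail closed
    # Hash and compare even for unknown users so the response time does not
    # reveal which usernames exist.
    expected = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(expected, _hash(password))
    return ok and username in USERS


def build_response(authenticated: bool) -> str:
    """SOAP body carrying the Boolean result (element names assumed as above)."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}"><soapenv:Body>'
        f'<AuthenticateResult xmlns="{AUTH_NS}"><Authenticated>'
        f"{'true' if authenticated else 'false'}"
        "</Authenticated></AuthenticateResult></soapenv:Body></soapenv:Envelope>"
    )


if __name__ == "__main__":
    req = sample_request("jane@uc.example", "correct horse battery", "198.51.100.7")
    print(build_response(handle_authenticate(req, "203.0.113.10")))
```

The caller-IP check in `handle_authenticate` is a second layer behind the firewall rule from point 2, not a replacement for it; and because the endpoint receives the clear-text password, anything that logs request bodies in front of it (WAF, API gateway, SOAP framework tracing) becomes part of your credential exposure surface.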

Resources for Single Sign On

  1. https://help.salesforce.com/articleView?id=sf.sso_about.htm&type=5
  2. https://www.youtube.com/watch?v=_P73fndPCbU&list=PLaGX-30v1lh3A6eNOEdF1k3JTstTwqA0q&index=5
  3. https://www.youtube.com/watch?v=dczJorlRGYw&list=PLaGX-30v1lh3A6eNOEdF1k3JTstTwqA0q&index=8
  4. https://www.youtube.com/watch?v=1tI5g63-lzA&list=PLaGX-30v1lh3A6eNOEdF1k3JTstTwqA0q&index=9
  5. https://www.youtube.com/watch?v=vsrl8bo1r1M&list=PLaGX-30v1lh3A6eNOEdF1k3JTstTwqA0q&index=10
  6. https://www.youtube.com/watch?v=0qNQ_YEIM8s&list=PLaGX-30v1lh3A6eNOEdF1k3JTstTwqA0q&index=11
  7. https://www.youtube.com/watch?v=gvxI6HzqNhA&list=PLaGX-30v1lh3A6eNOEdF1k3JTstTwqA0q&index=12

Login Flow in Salesforce

A login flow directs users through a login process before they access your Salesforce org or Experience Cloud site. You can use a login flow to control the business processes that your users follow when they log in to Salesforce. After Salesforce authenticates a user, the login flow directs the user through a process, such as enforcing strong authentication or collecting user information. When users complete the login flow successfully, they are redirected to their Salesforce org or site. If unsuccessful, the flow can log users out immediately. Note the order: the login flow runs after authentication, so it cannot replace the credential check, but it is the place to add a conditional second factor, an acceptable-use prompt, or a check on the user's context before the session is granted.

Sources

  1. https://help.salesforce.com/articleView?id=sf.security_login_flow.htm&type=5
  2. https://www.jitendrazaa.com/blog/salesforce/how-to-use-login-flow-in-salesforce/
  3. https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/securityImplGuide/security_login_flow_examples.htm

Multi-Factor Authentication (MFA / 2FA)

Set multi-factor authentication (MFA) login requirements using profile policies and session settings. You can apply MFA requirements to all Salesforce user interface authentication methods. These methods include username and password, delegated authentication, SAML single sign-on (SSO), and social sign-on (SSO using an external authentication provider). You can also enable MFA requirements for your Salesforce org and for Experience Cloud sites.

2FA combines something you know (the password) with something you have (an authenticator app, a security key, or a one-time code delivered to a device the user controls), so that a phished or reused password alone is not enough to log in.
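The "something you have" factor from an authenticator app is a time-based one-time password (RFC 6238). As an added example, not code from this post or from Salesforce (whose verifier is internal), the block below generates and verifies TOTP codes the way a server must: with a small window for clock drift, constant-time comparison, and a record of the last accepted time step so that a code cannot be replayed while it is still valid. The secret and timestamps used in the usage call are the published RFC test vector, not values from any real account.

```python
"""Added example: TOTP (RFC 6238) generation and replay-safe verification.
Uses only the standard library; the key in __main__ is the RFC test vector."""
import base64
import hashlib
import hmac
import struct
import time

DIGITS = 6
STEP_SECONDS = 30


def key_from_base32(secret: str) -> bytes:
    """Authenticator apps share the secret as base32 (often grouped with spaces)."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)             # restore padding the QR code omits
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(key, at // step)


def verify_totp(key: bytes, submitted: str, at: int, last_used_counter: int,
                window: int = 1) -> tuple[bool, int]:
    """Accept codes from the current step and +/- `window` steps for clock drift,
    but never a step at or before the last accepted one: a valid code is
    single-use even inside its 30-second validity.  Returns (ok, new_last_counter)."""
    current = at // STEP_SECONDS
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used_counter:
            continue                       # replay or reuse of an already-spent step
        if hmac.compare_digest(hotp(key, counter), submitted):
            return True, counter           # persist this counter for the user
    return False, last_used_counter


if __name__ == "__main__":
    key = key_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")   # RFC 6238 test secret
    print(totp(key, 59))                   # RFC vector time 59 -> 287082
    print(verify_totp(key, totp(key, int(time.time())), int(time.time()), -1))
```

Two design points worth carrying into any MFA discussion on the exam: the drift window is a trade-off (wider means fewer support tickets, more replay exposure), and the `last_used_counter` must be stored atomically per user, otherwise two concurrent logins with the same code both succeed.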

Sources

  1. https://help.salesforce.com/articleView?id=sf.security_require_two-factor_authentication.htm&type=5
  2. https://trailhead.salesforce.com/content/learn/modules/identity_login/identity_login_2fa

Other Resources That I followed

  1. Salesforce Trailmix
  2. ApexHours PlayList
  3. https://help.salesforce.com/articleView?id=sf.users_license_types_available.htm&type=5
  4. https://developer.salesforce.com/blogs/developer-relations/2014/06/how-to-provision-salesforce-communities-users.html
  5. SSO Guide
  6. 2FA Using Apex
  7. https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/securityImplGuide/security_3p_sms_2fa_login_flow.htm
  8. Login Flow
  9. https://help.salesforce.com/articleView?id=sf.identity_overview.htm&type=5
  10. https://help.salesforce.com/articleView?id=sf.identity_provider_examples.htm&type=5
  11. https://developer.salesforce.com/wiki/secure_coding_single_sign_on
  12. https://hermitd.tistory.com/entry/Identity-and-Access-Management-Designer
  13. https://help.salesforce.com/articleView?id=sf.remoteaccess_oauth_flows.htm&type=5
  14. https://developer.salesforce.com/docs/atlas.en-us.sso.meta/sso/sso_examples_sf2sf.htm
  15. http://salesforcememo.com/2017/09/18/how-to-prepare-for-and-pass-identity-and-access-management-designer-exam/

Wish you all the best. If you need anything from my side, please do let me know.

#Sharing #ArchitectMindSet

Amit Singh (https://www.pantherschools.com/), aka @sfdcpanther/pantherschools, is a Salesforce Technical Architect and Consultant with over 8 years of experience in Salesforce technology. 21x Certified. Blogger, Speaker, and Instructor. DevSecOps Champion.