An identity architect's client has a homegrown identity provider (IdP). Salesforce is used as the service provider (SP). The head of IT is worried that during a SP initiated single sign-on (SSO), the Security Assertion Markup Language (SAML) request content will be altered.
What should the identity architect recommend to make sure that there is additional trust between the SP and the IdP?
Correct Answer:
D
Encrypting the SAML Request using a CA signed certificate and decrypting it on the IdP ensures that the request content is not altered or tampered with during transit. This also adds an extra layer of security and trust between the SP and the IdP. References: SAML Single Sign-On Overview, SAML Assertion Encryption
Northern Trail Outfitters (NTO) utilizes a third-party cloud solution for an employee portal. NTO also owns Salesforce Service Cloud and would like employees to be able to login to Salesforce with their third-party portal credentials for a seamless experience. The third-party employee portal only supports OAuth.
What should an identity architect recommend to enable single sign-on (SSO) between the portal and Salesforce?
Correct Answer:
A
Configuring SSO to use the third-party portal as an identity provider is the best option to enable SSO between the portal and Salesforce. The portal can use OAuth as the protocol to authenticate users and redirect them to Salesforce. The other options are either not feasible or not relevant for this use case. References: Single Sign-On for Desktop and Mobile Applications using SAML and OAuth, Single Sign-On with SAML on Force.com
Universal containers (UC) has a classified information system that it's call centre team uses only when they are working on a case with a record type of "classified". They are only allowed to access the system when they own an open "classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO with salesforce as the IDP, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying access to the classified information system based on the open "classified" case record criteria?
Correct Answer:
A
Use a custom connected app handler using Apex to dynamically allow access to the system based on whether the staff owns any open “classified” cases is the recommended solution for this scenario. A custom connected app handler is an Apex class that implements the ConnectedAppPlugin interface and can customize the behavior of a connected app. The custom handler can support new protocols or respond to user attributes in a way that benefits a business process. In this case, the custom handler can query the user’s open “classified” cases and grant or deny access to the classified information system accordingly. Use Apex trigger on case to dynamically assign permission sets that grant access when a user is assigned with an open “classified” case, and remove it when the case is closed is not a good solution, as permission sets are not related to SSO and cannot control access to external systems. Use custom SAML JIT provisioning to dynamically query the user’s open “classified” cases when attempting to access the classified information system is not feasible, as JIT provisioning is used to create or update user records in Salesforce, not in external systems. Use Salesforce reports to identify users that currently own open “classified” cases and should be granted access to the classified information system is not an automated solution, as it requires manual intervention and does not leverage SSO.
References: Certification - Identity and Access Management Architect - Trailhead, Create a Custom Connected App Handler, Manage Access Through a Custom Connected App Handler
Universal containers (UC) is building a mobile application that will make calls to the salesforce REST API. Additionally, UC would like to provide the optimal experience for its mobile users. Which two OAuth scopes should UC configure in the connected App? Choose 2 answers
Correct Answer:
AB
The two OAuth scopes that UC should configure in the connected app are:
Refresh token. This scope allows the mobile app to obtain a refresh token from Salesforce when it obtains an access token. A refresh token can be used to obtain a new access token when the previous one expires or becomes invalid. This scope enables UC to provide an optimal experience for its mobile users by reducing the number of login prompts and authentication failures. API. This scope allows the mobile app to make REST API calls to Salesforce using the access token.
The REST API allows the mobile app to access or manipulate data and metadata in Salesforce using HTTP methods. This scope enables UC to build a custom mobile app that can connect to Salesforce and perform various operations on Salesforce resources. References: [OAuth Scopes], [Connected Apps], [Refresh Token], [REST API]
Universal containers wants salesforce inbound Oauth-enabled integration clients to use SAML-BASED single Sign-on for authentication. What Oauth flow would be recommended in this scenario?
Correct Answer:
B
The SAML assertion OAuth flow allows a connected app to use a SAML assertion to request an OAuth access token to call Salesforce APIs. This flow provides an alternative for orgs that are currently using SAML to access Salesforce and want to access the web services API in the same way3. This flow can be used for inbound OAuth-enabled integration clients that want to use SAML-based single sign-on for authentication.
References: OAuth 2.0 SAML Bearer Assertion Flow for Previously Authorized Apps, Access Data with AP
Integration, Error ‘Invalid assertion’ in OAuth 2.0 SAML Bearer Flow