Salesforce Identity-and-Access-Management-Architect - Salesforce Certified Platform Identity and Access Management Architect (Plat-Arch-203)

OAuth is an open-standard protocol that allows a client app toaccess protected resources on a resource server, such as Salesforce API, by obtaining an access token from an authorization server. OAuth supports different types of flows, which are ways of obtaining an access token. For integrating a third-party Reward Calculation system with Salesforce securely, two recommended practices for using OAuth flow are:

OAuth SAML Bearer Assertion Flow, which allows the client app to use a SAML assertion issued by a trusted identity provider to request an access token from Salesforce. This flow does not require the client app to store any credentials or secrets, and leverages the existing SSO infrastructure between Salesforce and the identity provider.

OAuth JWT Bearer Token Flow, which allows the client app to use a JSON Web Token (JWT) signed by a private key to request an access token from Salesforce. This flow does not require any user interaction or consent, and uses a certificate to verify the identity of the client app.

Verified References: [OAuth 2.0 SAML Bearer AssertionFlow for Server-to-Server Integration], [OAuth 2.0 JWT Bearer Token Flow for Server-to-Server Integration]

Using Custom Login Flows with Apex is the best option to force users to authenticatewith 2FA for Salesforce only when not connected to an internal company network. Custom Login Flows allow admins to customize the login process for different scenarios and user types2. Apex code can be used to detect the user’sIP address and prompt for 2FA if it is not within the company’s network range3. The other options are not suitable because they either do not support 2FA or do not allow conditional logic based on the user’s IP address.

Enabling Two-Factor Authentication (2FA) in Salesforce can mitigate the security risks of users accessing Salesforce froma public Wi-Fi access point or choosing passwords that are the same as their Facebook password. 2FA is an additional layer of protection beyond your password that requires users to verify their identity with another factor, such as a mobile app, a securitykey, or a verification code. This can prevent unauthorized access even if the user’s password is compromised or guessed by a malicious actor. The other options are not directly related to 2FA, but rather to user behavior or password policies.

A is correct because requiring users to provide their RSA token along with their credentials is a form of two-factor authentication. An RSA token is a hardware device thatgenerates a one-time password (OTP) that changes every few seconds. The user needs to enter both their password and the OTP to log in to Salesforce.

D is correct because requiring users to use a biometric reader as well as their password is another form oftwo-factor authentication. A biometric reader is a device that scans a user’s fingerprint, face, iris, or other physical characteristics to verify their identity. The user needs to provide both their password and their biometric data to log in to Salesforce.

B is incorrect because requiring users to supply their email and phone number, which gets validated, is not a form of two-factor authentication. This is a form of identity verification, which is used to confirm that the user owns the email and phone number they provided. However, this does not add an extra layer of protection beyond their password when they log in to Salesforce.

C is incorrect because requiring users to enter a second password after the first authentication is not a form of two-factor authentication. This is a form of single-factor authentication, which only relies on something the user knows (their passwords). This does not increase security against unauthorized account access.

The Canvas framework supports OAuth 2.0 for authorization1. There are two OAuth flows that can be used to authenticate the third-party app using the canvas framework: User-Agent OAuth Flow and Web Server OAuth Flow2. The User-Agent OAuth Flow uses the Canvas JavaScript SDK to obtain an OAuth token by using the login function in the SDK2. The Web Server OAuth Flow redirects the user to the Salesforce OAuthauthorization endpoint and then obtains an OAuth access token by making a POST request to the Salesforce OAuth token endpoint2. Both of these flows allow the third-party app to authenticate itself against Salesforce as the IdP. The SAML Single Sign-on flow can also be used to allow the third-party app to authenticate itself against UC’s IdP, which is another option for authentication3.

To allow Salesforce profiles to be managed from a central system of record, the architect should recommend to implement JIT provisioning on the SAML IDP that will pass the profile ID in each assertion. JIT provisioning is a process that creates or updates user accounts on Salesforce based on information sent by an external identity provider (IDP) during SAML authentication. By passing the profile ID in each assertion, the IDP can control which profile is assigned to each user. Option B is not a good choice because creating an Apex scheduled job in one org that will synchronize the other orgs profile may not be scalable, reliable, or secure. Option C is not a good choice because implementing Delegated Authentication that will update the user profiles as necessary may not be feasible, as Delegated Authentication only verifies the user’s credentials against an external service, but does not pass any other information to Salesforce. Option D is not a good choice because implementing an OAuth JWT flow to pass the profile credentials between systems may not be suitable, as OAuth JWTflow is used for server-to-server integration, not for user authentication.

Thetwo items that an architect should recommend for UC to minimize the administration overhead are:

Enable the “Refresh Tokens is valid until revoked” setting in the Connected App. This setting allows the mobile app to obtain a refresh token from Salesforce when it obtains an access token. A refresh token can be used to obtain a new access token when the previous one expires or becomes invalid. By enabling this setting in the Connected App, UC can reduce the number of login prompts and authentication failuresfor its mobile users, as they can use the refresh token to renew their access without entering their credentials again.

Enable the “All users may self-authorize” setting in the Connected App. This setting allows users to grant access to the mobile app without administrator approval. By enabling this setting in the Connected App, UC can simplify and speed up the deployment process for its mobile app, as they do not need to manually authorize each user or group of users.

The other options are not recommendeditems for this scenario. Enabling the “Enforce IP restrictions” setting in the Connected App would limit the mobile app access to certain IP ranges, which could prevent some users from accessing the app from different locations or networks. Enabling the “High Assurance session required” setting in the Connected App would require users to verify their identity with a second factor before accessing the mobile app, which could increase complexity and inconvenience for users. References: [Connected Apps], [Refresh Token], [All Users May Self-Authorize], [IP Restrictions for Connected Apps], [Require a Second Factor of Authentication for Connected Apps]

The default client certificate or the certificate from the Certificate and Key Management menu is sent along with the outbound message. When sending outbound messages, Salesforce will present the CA-signed or self-signed certificate configured underSetup | Security Controls | Certificate and KeyManagement | API Client Certificate1. The default client certificate is a self-signed certificate that Salesforce generates for you when you enable outbound messages2. You can also create your own self-signed or CA-signed certificates and upload themto the Certificate and Key Management menu3. The certificate from the Develop | API menu is not usedfor outbound messages, but for SOAP API clients that need to authenticate with Salesforce4.References: 1: Know more about all the SSL certificates that are supported by Salesforce 2: Setting Up Outbound Messaging 3: Create a Self-Signed Certificate 4: [Generate or Regenerate a Client Certificate]

 Using information in the signed request that is received from Facebook is how this requirement can be met. A signed request is a parameter that contains information about the user who is logging in with Facebook credentials. The signed request can include information such as the user ID, name, email, and profile picture. You can use this information to update the corresponding customer community user in Salesforce by implementing a registration handler class. The registration handler class is an Apex class that defines how Salesforce handles user registrationand authentication when using an auth provider. You can use the updateUser() method in the registration handler class to update the user record with the information from the signed request. Using the updateUser() method on the registration handler class isnot how this requirement can be met because it is only part of the solution. You also need to use information from the signed request as the source of the updates. Using SAML just-in-time provisioning between Facebook and Salesforce is not how this requirement can be met because Facebook does not support SAML as an identity provider protocol. Developing a scheduled job that calls out to Facebook on a nightly basis is not how this requirement can be met because it is inefficient and unnecessary. You can update the user record in real time using the signed request instead of waiting for a nightly batch process.

Use a custom connected app handler using Apex to dynamically allow access to the system based on whether the staff owns any open “classified” cases is the recommended solution for this scenario. A custom connected app handler is an Apex class that implements the ConnectedAppPlugin interface and can customize the behavior of a connected app. The custom handler can support new protocols or respondto user attributes in a way that benefits a business process. In this case, the custom handler can query the user’s open “classified” cases and grant or deny access to the classified information system accordingly. Use Apex trigger on case to dynamically assign permission sets that grant access when a user is assigned with an open “classified” case, and remove it when the case is closed is not a good solution, as permission sets are not related to SSO and cannot control access to external systems. Use custom SAML JIT provisioning to dynamicallyquery the user’s open “classified” cases when attempting to access the classified information system is not feasible, as JIT provisioning is used to create or update user records in Salesforce, not in external systems. Use Salesforce reports to identify users that currently own open “classified” cases and should be granted access to the classified information system is not an automated solution, as it requires manual intervention and does not leverage SSO.