Passing the Salesforce Identity and Access Management Certification 

This was the final Salesforce Architect Domain Certification I needed to study for, and straight off it was probably one of the more challenging ones, simply because the content was all relatively new.

The certification is centred on the following:

  • Identity (authentication)
  • Access Management (authorisation)

Core concepts:

  • OAuth 2.0 – the standard for authorisation. A deep understanding of all the OAuth flows is needed.
  • OpenID Connect – builds on OAuth 2.0 and adds an authentication capability. The future standard.
  • SAML assertions

Glossary 

IdP – identity provider

Authentication provider

Service provider

  • Trusts the user information supplied by the IdP
  • Uses that information to grant access to a service or application

Relying party

My Domain – needs to be enabled

Setup:

Auth provider

Client

Great video to understand OAuth 2.0 and OpenID Connect: https://youtu.be/i1datiYVDVc

Identity Connect

User provisioning for connected apps

OpenID Connect Salesforce Dev Guide Overview

Study Guide

Tokens

  • Bearer tokens (SAML, JWT – pronounced “jot”)
  • Access tokens
  • Refresh tokens
  • ID token (OpenID Connect)

Web server flow (OAuth 2.0 – Authorisation Code Grant)

Typically used for web applications where server-side code needs to interact with Force.com APIs on the user’s behalf, for example DocuSign.

This flow relies on the web server being secure enough to protect the consumer secret. Client application

1. Client directs the user to the authorisation endpoint.
2. User logs in at the authorisation endpoint and does not interact with the client application at all.
3. A redirect is sent back to the user's browser with the authorisation code appended.
4. Client application extracts the authorisation code and sends it to the authorisation endpoint.
5. If successful, the authorisation endpoint returns access and refresh tokens.
6. Client application uses the access token to access the user's data.

Further information:

User-Agent flow (OAuth Authentication flow)

This flow is used for authenticating client applications that reside on the user's device. The key difference from the web server flow is that the client cannot keep the consumer secret confidential.

1. Client directs the user to the authorisation endpoint.

2. User logs in at the authorisation endpoint and does not interact with the client application at all.

3. A redirect is sent back to the user's browser with the access token appended.

4. Client application uses the access token to access the user's data.

Further information:

Username-Password OAuth Authentication flow

This flow can be used where the client application already has the user's username and password. It is discouraged because the username and password are sent back and forth in requests.

1. Client application requests an access token with the username and password.

2. Authentication endpoint returns an access token if successful.

3. Client application uses the access token for access.

Further information:

OAuth Refresh Token Process

Both the web server flow and the user-agent flow can provide a refresh token, which is used to obtain a new access token once the current one has expired.

The client application issues a POST request to the token endpoint.
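To make the web server flow steps above and the refresh token process concrete, here is an added Python example (not from the original post or from Salesforce) that builds the requests a server-side client would send. The endpoint paths are Salesforce's standard OAuth endpoints; the consumer key, secret and redirect URI are placeholders, and it deliberately sends nothing over the network so it can be run offline.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values; a real connected app supplies its own consumer key/secret.
LOGIN_HOST = "https://login.salesforce.com"
AUTHORIZE_URL = f"{LOGIN_HOST}/services/oauth2/authorize"
TOKEN_URL = f"{LOGIN_HOST}/services/oauth2/token"
CLIENT_ID = "CONSUMER_KEY_PLACEHOLDER"
CLIENT_SECRET = "CONSUMER_SECRET_PLACEHOLDER"   # stays on the server, never in the browser
REDIRECT_URI = "https://example.com/oauth/callback"


def build_authorize_url(state: str) -> str:
    """Step 1: the URL the client sends the user's browser to."""
    params = {
        "response_type": "code",        # authorisation code grant = web server flow
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "api refresh_token",   # refresh_token scope is needed to receive one
        "state": state,                 # tied to the browser session, checked on return
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def extract_code(redirect_url: str, expected_state: str) -> str:
    """Steps 3-4: pull the authorisation code off the redirect back to the client.

    The state value must match the one issued in step 1; a mismatch means the
    redirect was not started by this session and the code must not be used.
    """
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect not initiated by this session")
    if "error" in qs:
        raise ValueError(f"authorisation failed: {qs['error'][0]}")
    return qs["code"][0]


def code_exchange_body(code: str) -> dict:
    """Step 4: POST body for the token endpoint; returns access + refresh tokens."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,   # must equal the one used in step 1
    }


def refresh_body(refresh_token: str) -> dict:
    """Refresh token process: POST body that trades a refresh token for a new access token."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
```

Both bodies are posted form-encoded to `TOKEN_URL`; the JSON response carries `access_token` (and, for the code exchange, `refresh_token`).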

OpenID Connect – an extension to OAuth 2.0 that standardises authentication

ID token – the main element added

Based on JSON Web Token (JWT)

Includes the authentication type and when the user last logged in.

OpenID provider – the authorisation server

SSO Canvas integration 
