Salesforce as an Identity Provider (23%) Flashcards by Gwynn Bleidd

What are the 5 OAuth token types?

Authorization code
Initial access token
Access token
Refresh token
ID token

How well did you know this?

Not at all

Perfectly

Select which token type the description is for:

The authorization server creates this short-lived token and passes it to the client application via the browser. The client application then sends this token to the authorization server

A) Authorization code

B) Initial access token

C) Access token

D) Refresh token

E) ID token

A) Authorization code

How well did you know this?

Not at all

Perfectly

Select which token type the description is for:

This token is generated after configuring an OAuth 2.0 connected app. Salesforce requires this token to authenticate the dynamic client registration request

A) Authorization code

B) Initial access token

C) Access token

D) Refresh token

E) ID token

B) Initial access token

How well did you know this?

Not at all

Perfectly

Select which token type the description is for:

The client uses this token to make authenticated requests on behalf of the end user. It has a longer lifetime (usually minutes or hours). When it expires, attempts to use it fail and the app must obtain a new token.

A) Authorization code

B) Initial access token

C) Access token

D) Refresh token

E) ID token

C) Access token

How well did you know this?

Not at all

Perfectly

Select which token type the description is for:

This token can have an indefinite lifetime, persisting for an admin-configured interval or until explicitly revoked. The client application can store the token. For this reason, the app must protect a this token against unauthorized access.

A) Authorization code

B) Initial access token

C) Access token

D) Refresh token

E) ID token

D) Refresh token

How well did you know this?

Not at all

Perfectly

Select which token type the description is for:

OpenID Connect, an authentication layer on top of OAuth 2.0, defines this token as a signed data structure. The data structure contains authenticated user attributes, including a unique identifier for the user. It also contains the time when the token was issued, and an identifier for the requesting client. This token is encoded as a JSON web token (JWT).

A) Authorization code

B) Initial access token

C) Access token

D) Refresh token

E) ID token

How well did you know this?

Not at all

Perfectly

Name the 8 Authentication Flows

Web Server
User-Agent
JWT Bearer Token Flow
Device Authentication Flow
Asset Token Flow
SAML Bearer Assertion Flow
SAML Assertion Flow
Username and Password

How well did you know this?

Not at all

Perfectly

Which authentication flow should be used for the following use case?

Apps hosted on a secure server. A critical aspect of this flow is the protection of the client secret. It uses an OAuth 2.0 authorization code grant type

A) Web Server

B) User-Agent

C) JWT Bearer Token Flow

D) Device Authentication Flow

E) Asset Token Flow

F) SAML Bearer Assertion Flow

G) SAML Assertion Flow

H) Username and Password

A) Web Server

How well did you know this?

Not at all

Perfectly

Which authentication flow should be used for the following use case?

Users can authorize a desktop or mobile application to access data using an external or embedded browser for authentication. These apps often use a scripting language, such as JavaScript, running within the browser. This flow uses the OAuth2.0 implicit grant type

A) Web Server

B) User-Agent

C) JWT Bearer Token Flow

D) Device Authentication Flow

E) Asset Token Flow

F) SAML Bearer Assertion Flow

G) SAML Assertion Flow

H) Username and Password

B) User-Agent

How well did you know this?

Not at all

Perfectly

Which authentication flow should be used for the following use case?

Server-to-server API integration. The flow uses a certificate to sign the request and doesn’t require explicit user interaction

A) Web Server

B) User-Agent

C) JWT Bearer Token Flow

D) Device Authentication Flow

E) Asset Token Flow

F) SAML Bearer Assertion Flow

G) SAML Assertion Flow

H) Username and Password

C) JWT Bearer Token Flow

How well did you know this?

Not at all

Perfectly

Which authentication flow should be used for the following use case?

Command-line apps or applications that run on devices with limited input and display capabilities, such as TVs, application and other IOT devices, can use this flow.

A) Web Server

B) User-Agent

C) JWT Bearer Token Flow

D) Device Authentication Flow

E) Asset Token Flow

F) SAML Bearer Assertion Flow

G) SAML Assertion Flow

H) Username and Password

D) Device Authentication Flow

How well did you know this?

Not at all

Perfectly

Which authentication flow should be used for the following use case?

Client applications use this flow to request a token from Salesforce for connected devices.

A) Web Server

B) User-Agent

C) JWT Bearer Token Flow

D) Device Authentication Flow

E) Asset Token Flow

F) SAML Bearer Assertion Flow

G) SAML Assertion Flow

H) Username and Password

E) Asset Token Flow

How well did you know this?

Not at all

Perfectly

Which authentication flow should be used for the following use case?

An app can reuse an existing authorization.

A) Web Server

B) User-Agent

C) JWT Bearer Token Flow

D) Device Authentication Flow

E) Asset Token Flow

F) SAML Bearer Assertion Flow

G) SAML Assertion Flow

H) Username and Password

F) SAML Bearer Assertion Flow

How well did you know this?

Not at all

Perfectly

Which authentication flow should be used for the following use case?

An alternate flow for orgs to access Salesforce in a specific way and also want to access the web services API in the same way.

A) Web Server

B) User-Agent

C) JWT Bearer Token Flow

D) Device Authentication Flow

E) Asset Token Flow

F) SAML Bearer Assertion Flow

G) SAML Assertion Flow

H) Username and Password

G) SAML Assertion Flow

How well did you know this?

Not at all

Perfectly

Which authentication flow should be used for the following use case?

Used primarily for testing when a user is not present at app startup, or with highly privileged apps.

A) Web Server

B) User-Agent

C) JWT Bearer Token Flow

D) Device Authentication Flow

E) Asset Token Flow

F) SAML Bearer Assertion Flow

G) SAML Assertion Flow

H) Username and Password

How well did you know this?

Not at all

Perfectly

What is the Identity URL?

It is a RESTful API that you can use to query user information, including the username, email address, and org ID. It also returns endpoints that the client can talk to, such as photos for profiles and accessible API endpoints

The URL is returned in the id scope parameter

How well did you know this?

Not at all

Perfectly

Which flow does not require a connected app to be created?

A) Web Server

B) User-Agent

C) JWT Bearer Token Flow

D) Device Authentication Flow

E) Asset Token Flow

F) SAML Bearer Assertion Flow

G) SAML Assertion Flow

How well did you know this?

Not at all

Perfectly

What are the 7 steps for the OAuth 1.0.A Authentication Flow?

The consumer requests an access token. Salesforce verifies the request and returns a request token.
The consumer redirects the user to Salesforce, where the user is prompted to log in.
Salesforce authorizes the user.
After the user is authorized, the consumer requests an access token.
Salesforce verifies the request and grants the token.
After the token is granted, the consumer accesses the data either through the app or through the Lightning Platform Web Services API.
Salesforce verifies the request and allows access to the data.

How well did you know this?

Not at all

Perfectly

What are the 6 steps for the OAuth 2.0 SAML Bearer Assertion Flow?

The developer creates a connected app and registers an X509 Certificate. This certificate corresponds to the private key of the app. When the connected app is saved, a consumer key (OAuth client_id) is generated and assigned to the app.
The developer writes an app that generates a SAML assertion and signs it with the private key.
The SAML Bearer assertion is posted to the token endpoint https://login.salesforce.com/services/oauth2/token, https://test.salesforce.com/services/oauth2/token, or https://your_community_URL/services/oauth2/token (if implementing for a community).
The token endpoint validates the signature using the certificate registered by the developer.
The token endpoint validates the audience, issuer, subject, and validity of the assertion.
Assuming that the assertion is valid and that the user or admin authorized the app previously, Salesforce issues an access token.

How well did you know this?

Not at all

Perfectly

What are the 6 general steps for the OAuth 2.0 JWT bearer token flow?

The developer creates a connected app or uses an existing one, and registers an X509 Certificate for the app. The certificate corresponds to the private key of the app. When the connected app is saved, the consumer key (OAuth client_id) and consumer secret are generated and assigned to the app.
The developer writes an app that generates a JWT. The JWT is signed with the X509 Certificate’s private key, and the connected app uses the certificate to verify the signature.
The JWT is posted to the token endpoint, https://login.salesforce.com/services/oauth2/token, or if implementing for a community, https://community.force.com/customers/services/oauth2/token.
The token endpoint validates the signature using the certificate registered by the developer.
The token endpoint validates the JWT’s audience (aud), issuer (iss), validity (exp), and subject (sub).
Assuming that the JWT is valid and that the user or admin authorized the app previously, Salesforce issues an access token.

How well did you know this?

Not at all

Perfectly

What are the two steps for the refresh token authentication flow?

The consumer uses the existing refresh token to request a new access token.
After the request is verified, Salesforce sends a response to the client.

How well did you know this?

Not at all

Perfectly

What are the 5 steps for the OAuth 2.0 Web Server Authentication Flow?

The web server redirects the user to Salesforce, which authenticates and authorizes the server to access the data on the user’s behalf.
After the user approves access, the web server receives a callback with an authorization code.
The web server passes back the authorization code to get a token response.
After validating the authorization code, Salesforce passes back a token response. If there’s no error, the token response includes an access code and additional information.
After the token is granted, the web server accesses the user’s data.

How well did you know this?

Not at all

Perfectly

What are the two steps for the OAuth2.0 Username-Password Flow (and what are two important facts you need to know about this flow?

The consumer uses the user’s username and password to request an access token (session ID.)
After the request is verified, Salesforce sends a response to the client.

Facts:
1. This OAuth authentication flow passes the user’s credentials back and forth. Use this authentication flow only when necessary. No refresh token is issued

Salesforce communities don’t support the OAuth 2.0 username-password authentication flow

How well did you know this?

Not at all

Perfectly

In the OAuth 2.0 User-Agent Flow the access token is encoded into the redirection URL, so it can be exposed to the user and other apps residing on the device. If you’re using Javascript to authenticate, what should you call to remove the callback from the browser’s history?

window.location.replace();

How well did you know this?

Not at all

Perfectly

What are the 3 steps in the OAuth2.0 User-Agent Flow?

1. The client app directs the user to Salesforce to authenticate and authorize the app. 2. The user approves access for this authentication flow. 3. The app receives the callback from Salesforce.

What are the 7 steps in the OAuth2.0 Device Authentication Flow?

1. The device requests authorization from Salesforce. 2. Salesforce verifies the request and returns the following: human-readable user code, verification URL, device code, and minimum polling interval (in seconds). 3. The device displays the user code and instructs the user to enter it at the specified verification URL. 4. On a separate device that has more developed input capabilities, such as a desktop computer or smartphone, the user opens a browser. - The user navigates to the verification URL and is prompted to enter the user code. - If the code is valid, the user is prompted to log in if not already logged in. - After successful login, the user is prompted to allow the device to access Salesforce data. 5. After displaying the user code and verification URL, the device starts polling the token endpoint for authorization. Polling frequency can’t exceed the minimum polling interval. The device continues polling until the user has allowed (or been denied) access, or until the user code has expired. 6. If allowed, the authorization server returns to the device an access token, a refresh token if requested, and other information. 7. After the access token is granted, the device can use it in API requests to access data on the user’s behalf. The device uses a refresh token to get a new access token if the access token becomes invalid.

What are the 5 general OAuth 2.0 Asset Token Flow steps?

1. Create a new connected app or use an existing one that has asset tokens enabled and required settings configured. 2. Get an access token so that you can request an asset token. 3. Create your asset token request. - Create your actor token payload JWT. - Understand how Salesforce attempts to register a new or existing Asset using information from the actor token. - Create your actor token JWT. 4. Post your asset token request to the token endpoint. 5. If the asset token JWT is valid, Salesforce issues your asset token in an access token response and publishes an asset token event.

What are the 4 steps for the OAuth 2.0 SAML Assertion Flow?

1. Configure SAML for your org. SAML version 2.0 is required. 2. Exchange a SAML assertion for an access token. 3. Salesforce sends the response. 4. Use a JSON parser to process the response and extract the access_token.

Which of the following flows isn't supported for communities? (Choose 2) A) Web Server B) User-Agent C) JWT Bearer Token Flow D) Device Authentication Flow E) Asset Token Flow F) SAML Bearer Assertion Flow G) SAML Assertion Flow H) Username and Password

G) SAML Assertion Flow H) Username and Password

What is the scope parameter in OAuth 2.0?

The scope parameter fine-tunes the permissions associated with the tokens that you’re requesting. Scope is a subset of values that you specified when defining the connected app.

Name the 9 Scope parameter values in OAuth 2.0

- api - chatter_api - custom_permissions - full - id - openid - refresh_token - visualforce - web

What is the description for the api scope parameter in OAuth 2.0

Allows access to the current, logged-in user’s account using APIs, such as REST API and Bulk API. This value also includes chatter_api, which allows access to Chatter REST API resources.

What is the description for the chatter_api scope parameter in OAuth 2.0

Allows access to Chatter REST API resources only.

What is the description for the custom_permissions scope parameter in OAuth 2.0

Allows access to the custom permissions in an organization associated with the connected app, and shows whether the current user has each permission enabled.

What is the description for the full scope parameter in OAuth 2.0

Allows access to all data accessible by the logged-in user, and encompasses all other scopes. full does not return a refresh token. You must explicitly request the refresh_token scope to get a refresh token.

What is the description for the id scope parameter in OAuth 2.0

Allows access to the identity URL service. You can request profile, email, address, or phone, individually to get the same result as using id; they are all synonymous.

What is the description for the openid scope parameter in OAuth 2.0

Allows access to the current, logged in user’s unique identifier for OpenID Connect apps. Use the openid scope in the OAuth 2.0 user-agent flow and the OAuth 2.0 web server authentication flow to receive a signed ID token conforming to the OpenID Connect specifications in addition to the access token.

What is the description for the refresh_token scope parameter in OAuth 2.0

Allows a refresh token to be returned when you are eligible to receive one. Then the app can interact with the user’s data while the user is offline, and is synonymous with requesting offline_access.

What is the description for the visualforce scope parameter in OAuth 2.0

Allows access to customer-created Visualforce pages. Doesn’t allow access to standard Salesforce UIs.

What is the description for the web scope parameter in OAuth 2.0

Allows the ability to use the access_token on the web, and includes visualforce, allowing access to customer-created Visualforce pages.

Which three attributes can be used to represent the identity of the user when Salesforce is acting as a Service Provider in a SAML configuration? Choose three answers. A) Salesforce User ID. B) Salesforce Username. C) Federation ID. D) User Email Address. E) User Full Name.

A) Salesforce User ID. B) Salesforce Username. C) Federation ID.

Universal Containers (UC) has multiple Salesforce orgs and would like to use a single Identity Provider to access all of their orgs. How should UC’s Architect enable this behaviour? Choose one answer. A) Ensure that users have the same Alias value in their user records in all of UC’s Salesforce orgs. B) Ensure the same username is allowed in multiple orgs by contacting Salesforce Support. C) Ensure that users have the same Email Address in their user records in all of UC’s Salesforce orgs. D) Ensure that users have the same Federation ID value in their User records in all of UC’s Salesforce orgs.

D) Ensure that users have the same Federation ID value in their User records in all of UC’s Salesforce orgs.

Universal Containers uses middleware to integrate multiple systems with Salesforce. UC has a strict, new requirement that usernames and passwords cannot be stored in any UC system. How can UC’s middleware authenticate to Salesforce while adhering to this requirement? A) Create a Connected App that supports the JWT Bearer Token OAuth Flow. B) Create a Connected App that supports the Refresh Token OAuth Flow. C) Create a Connected App that supports the Web Server OAuth Flow. D) Create a Connected App that supports the User-Agent OAuth Flow.

A) Create a Connected App that supports the JWT Bearer Token OAuth Flow. Why? JWT Bearer Token OAuth Flow is the scenario that best supports this requirement

Universal containers (UC) wants to integrate a Web application with Salesforce. The UC team has implemented the Oauth web-server authentication flow for authentication process. Which two considerations should an architect point out to UC? Choose two answers. A) The web application should be hosted on a secure server. B) The web server must be able to protect consumer privacy. C) The flow involves passing the user credentials back and forth. D) The flow will not provide an Oauth refresh token back to the server.

A) The web application should be hosted on a secure server. B) The web server must be able to protect consumer privacy.

Universal Containers (UC) has a mobile application that it wants to deploy to all of its Salesforce users, including customer Community users. UC would like to minimize the administration overhead. Which two items should an architect recommend? Choose two answers. A) Enable the “Refresh Tokens is valid until revoked” setting in the Connected App. B) Enable the “All users may self-authorize” setting in the Connected App. C) Enable the “Enforce IP restrictions” settings in the Connected App. D) Enable the “High Assurance session required” setting in the Connected App.

A) Enable the “Refresh Tokens is valid until revoked” setting in the Connected App. B) Enable the “All users may self-authorize” setting in the Connected App.

What does JWT stand for and what does it consist out of?

JSON Web Token It consist of three parts separated by dots: - Header - Payload - Signature ex: xxxxx.yyyyy.zzzzz

What are the two authentication methods that can be used for canvas apps?

- Signed request (default method) | - OAuth 2.0

What are the two OAuth 2.0 authorization flow options for canvas apps?

- Web Server OAuth Authentication Flow | - User-Agent OAuth Authentication Flow

Scenario: UC has set up a photo-sharing web site as the resource server and a print service, which as a client application, has both a desktop client as well as a web-based application client through a third-party hosted web site. What needs to be configured on the Salesforce org in order for the external application to integrate with Salesforce APIs? Is this configuration for outbound/inbound or bi-directional scenario?

- A connected app needs to be configured in the Salesforce org - A connected app is only for an inbound scenario from an external application into Salesforce

Scenario: UC has set up a photo-sharing web site as the resource server and a print service, which as a client application, has both a desktop client as well as a web-based application client through a third-party hosted web site. UC wants to provide read-only access to some subset of photos for only a limited amount of time, after which the authorization becomes invalid. How do we ensure access is only given for a limited period of time for the application?

Configure the Refresh Token Policy setting under the OAuth Policy for the Connected App

Scenario: UC has set up a photo-sharing web site as the resource server and a print service, which as a client application, has both a desktop client as well as a web-based application client through a third-party hosted web site. UC wants to provide read-only access to some subset of photos for only a limited amount of time, after which the authorization becomes invalid. How do we allow Universal Containers to revoke access if they decide they no longer wish the client to have access?

Use the Revoke action on the user row in the Connected Apps Usage page to revoke access to the valid token. Any third party with the device will now need to authenticate again in order to get access with a new access/refresh token

Scenario: UC has set up a photo-sharing web site as the resource server and a print service, which as a client application, has both a desktop client as well as a web-based application client through a third-party hosted web site. Access between the client applications and the resource server should be seamless. Do we need to pass and store user credentials on the client application to achieve the seamless access requirement?

No. Both the OAuth Web Server Flow and User Server Flow provide access to the application through the use and exchange of tokens. No user credentials are stored on the client application

Scenario: UC has set up a photo-sharing web site as the resource server and a print service, which as a client application, has both a desktop client as well as a web-based application client through a third-party hosted web site. Access between the client applications and the resource server should be seamless. Can we use SAML only for single sign-on scenarios for the desktop client application in Salesforce? If not, why?

No. SAML is a browser-based protocol and requires a browser to facilitate the exchange of SAML tokens in order for the authentication to take place.

Why is the My Domain configuration required for an SP Initiated SAML Flow when you want seamless access across two Salesforce orgs?

By configuring a My domain, admins enable the Force.com platform to recognize the org for which unauthenticated requests are intended, and perform customized behavior, such as redirecting to their Identity Provider through the retrieval of the Single Sign-On settings configuration of the Service Provider org. This would not have been possible if the login was done through a URL at login.salesforce.com as the application will only know which org you are trying to log in to only after the authentication happens.

How do you simulate an IDP-initiated flow in the configuration setup when you want seamless access across two Salesforce orgs?

From the IdP Salesforce org, click on a link to a resource that is hosted in the SP Provider Salesforce org. The user should not be prompted for any login to the SP Provider org

How do you simulate an SP initiated flow in the configuration setup when you want seamless access across two Salesforce orgs?

Access the SP Salesforce org through its MyDomain URL. If there is no valid authentication session, the browser will redirect the user to the IdP to enter their credentials for authentication

What is the role of the browser in the flow when you want seamless access across two Salesforce orgs?

The browser is used to facilitate the exchange of SAML tokens between the SP and the IdP

How do we ensure that the browser knows how to redirect to the original requested resource when you want seamless access across two Salesforce orgs?

This is achieved through the use of the RelayState parameter, which is passed via the browser as part of the SAML token exchange

What are the 5 parameters for an OAuth access token request?

- Code - Grant_type - Client_id - Client_Secret - Redirect_uri ex: https://login.salesforce.com/services/oauth2/token?code=

&grant_type=&client_id=&client_secret=&redirect_uri=';

True or false: OAuth 2.0 APIs enable a user to work in one app but see the data from another A) True B) False

A) True

You're creating a connected app that allows a Smart TV to display a customer's movie order history. Which OAuth 2.0 authentication flow would you use for the connected app? A) OAuth 2.0 web server authorization code flow B) OAuth 2.0 device authentication flow C) OAuth 2.0 JSON Web Token Exchange (JWT) bearer flow D) OAuth 2.0 user-agent flow

B) OAuth 2.0 device authentication flow

True or false: You can integrate identity providers with Salesforce using connected apps A) True B) False

B) False

How is OpenID Connect different from SAML? A) You can't use OpenID connect to enable SSO between two services B) You can only use OpenID Connect to enable SSO between two services C) OpenID Connect is built for today's API economy because it adds an authentication layour on top of OAuth 2.0 D) B and C

C) OpenID Connect is built for today's API economy because it adds an authentication layour on top of OAuth 2.0

True or false: Dynamic client registration enables resource servers to dynamically create client apps as connected apps

True

What role does your Salesforce org play in providing authorization for external API gateways? A) My Salesforce org requests the creation of client apps as connected apps from the external API gateway B) My Salesforce org hosts the protected data C) My Salesforce org is the OAuth authorization server that protects resources hosted on an external API gateway D) My Salesforce org asks the external API gateway to authenticate a client app

C) My Salesforce org is the OAuth authorization server that protects resources hosted on an external API gateway

When enabling Salesforce as an identity provider, what type of certificate is required?

A Salesforce certificate and key pair that's signed by an external certificate authority (CA-Signed) or self-signed.

Describe what the Canvas App User Flow - Signed Request is

It is the default authorization method for canvas apps. The signed request authorization flow varies depending on whether the canvas app's Permitted Users field is set to "Admin approved users are pre-authorized" or "All users my self-authorize"

Describe what the Canvas App User Flow -OAuth is?

Canvas supports OAuth 2.0 for authorization. When using OAuth, you have two options: - Web Server OAuth Authentication Flow - User-Agent OAuth Authentication Flow

Which two flows uses digital signatures? A) Web Server B) User-Agent C) JWT Bearer Token Flow D) Device Authentication Flow E) Asset Token Flow F) SAML Bearer Assertion Flow G) SAML Assertion Flow H) Username and Password

C) JWT Bearer Token Flow F) SAML Bearer Assertion Flow

What is one of the most secure OAuth Scope settings? A) api B) chatter_api C) custom_permissions D) full E) id F) openid G) refresh_token H) visualforce I) web

C) custom_permissions

When sending outbound messages, delegated authentication requests or Apex callouts to secure/SSL endpoints, the Salesforce org will require which type of license? A) self-signed B) root certificate authority (CA)

B) root certificate authority (CA) | Salesforce acts as the client, and the target host acts as the server