Sunday, 2 September 2018

Salesforce Certified Identity and Access Management - Spring '18 Release Exam

1 of 5.
Universal Containers (UC) uses Salesforce for all of its internal users. Recently UC started getting a lot of complaints from users regarding locked user accounts due to users not being able to reset their passwords.

What is the recommended solution a Salesforce administrator can follow to solve this problem?

A.
Modify password policies and set Password Expires to "Never Expires" so that users can log in without any interruption.
B.
Implement a third-party Identity Provider to centralize user management and authentication policies.
C.
Enable two-factor authentication using Lightning Login to allow users to log in without their passwords.
D.
Configure social media authentication provider to allow users to log in via their social media credentials.



Explanation : Lightning Login

Password-free logins rely on Salesforce Authenticator (version 2 or later), the two-factor authentication mobile app that’s available as a free download for iOS and Android devices. Lightning Logins add a layer of security by requiring two factors of authentication for login.
  • The first factor is something that the user has—a mobile device that has Salesforce Authenticator installed and connected with the user’s Salesforce account.
  • The second factor is something that the user is, such as a fingerprint, or something that the user knows, such as a PIN. The second level of authentication enhances security by requiring access to the mobile device and the user’s fingerprint or PIN.
Lightning Login isn’t limited to orgs using Lightning Experience. It works in Salesforce Classic, too.
All internal users (not external community users) are eligible for Lightning Login by default, but you can decide whether to make it available to all users. You can also determine user eligibility by using the Lightning Login User permission.
  1. From Setup, enter Session Settings in the Quick Find box, then select Session Settings.
  2. Review the default settings for Lightning Login.
    1. Make sure that Allow Lightning Login is enabled.
      You can disable Allow Lightning Login at any time to switch users back to username and password logins.
    2. Decide if you want to make Lightning Login available to all users or only users with the Lightning Login User permission.
      Allow only for users with the Lightning Login User permission
    3. Confirm that a Standard session security level is appropriate for this login method.
      Lightning Login establishes a Standard security level for the user’s session. Standard is the default security level for the Username Password method that Lightning Login typically replaces. If needed, you can change the security level to High Assurance.
  3. Assign the Lightning Login User permission to users in the user profile (for cloned or custom profiles only) or permission set. Lightning Login isn’t supported for external users.
Consider these points about how Lightning Login relates to other login, identity verification, and two-factor authentication features.
  • You can monitor your users’ Lightning Login activity using Login History or Identity Verification History tools.
  • If enrolled users attempt a Lightning Login from an unrecognized browser or device, Salesforce requires login using username and password, along with identity verification.
  • If an enrolled user previously logged in from a browser and selected Remember me, login hints on the login page show a lightning bolt next to past usernames that are Lightning Login–enabled.
    Note: For Lightning Login to display login hints properly in the Apple Safari browser, change the Cookies and website data option in the browser. Advise your users to change it from Allow from websites I visit to Always allow.
  • If your org sets a two-factor authentication policy for logins, the Lightning Login method satisfies the second factor requirement. Salesforce does not separately require users with the Two-Factor Authentication for User Interface Logins permission to provide a second factor.
  • If your org has defined a transaction security policy that requires two-factor authentication, Lightning Login isn’t supported. Enrolled users who attempt a Lightning Login must log in with username and password instead.
2 of 5.
Universal Containers uses Customer Community for its customers and wants to make sure that there is an extra layer of security to avoid unauthorized access.

What is the recommended way of enabling two-factor authentication for external users?

A.
Use dynamic login on the customer community to allow customers to verify their identity.
B.
Use custom login flows to implement two-factor authentication for external users.
C.
Use an AppExchange application to implement two-factor authentication for external users.
D.
Update external user profile to allow users to verify their identity and avoid unauthorized access.


3 of 5.
An administrator resets a user password in Salesforce.

Which attribute will be updated with the "True" value in the Identity URL or UserInfo endpoint?

A.
password_updated
B.
email_verified
C.
password_reset
D.
active

Explanation : The email_verified attribute in the UserInfo endpoint and identity URL now reflects whether users successfully verified their email address after clicking a link in an email confirmation message. Previously, it reflected only whether the org had email verification enabled.

The email_verified attribute’s value is set to true when org and community users click a link in the email they receive after:

  • They change their email address
  • They change their password, or a Salesforce admin resets their password
  • They verify their identity, such as in two-factor authentication
  • A Salesforce admin creates them as a new user

For example, a Salesforce admin creates the user Roberta Smith. Roberta receives a “Welcome to Salesforce” email message with a link to verify her account. After she clicks the link, the email_verified value is set to true.


4 of 5.
Universal Containers (UC) uses an external website to allow its customers to perform self-service functions. The website doesn't support authentication through SAML or OpenID Connect. UC has decided to implement Salesforce and authenticate its users via Salesforce.

What is the recommended solution to allow users to authenticate via Salesforce on the external website?

A.
Migrate the website to Customer Community to allow a seamless experience and set existing passwords as their customer community user passwords.
B.
Configure Salesforce as a Service Provider, and implement custom federation services using existing Identity Store.
C.
Configure a connected app in Salesforce and use username-password flow to allow customer to authenticate on the website.
D.
Configure Customer Community identity providers, and use Embedded Login to allow customers to authenticate on the website using configured identity providers.

Explanation : Embedded Login

Overview of the Embedded Login process


Who Does What

  • The Salesforce admin creates a community, brands the login page, and configures the authentication providers. Then the admin adds the website domain to the Cross Origin Resource Sharing (CORS) whitelist (1).
  • The Salesforce admin creates an Embedded Login connected app. The connected app handles the interaction between Salesforce and the website (2).
  • The web developer adds Embedded Login meta tags to the web page to display the login form (3).
  • The web developer supplies JavaScript functions and the onlogin and onlogout specifications to determine what happens when the user logs in and out. The logout function is optional (4).
  • The web developer creates a callback to handle the authentication response, specifying callback-specific meta tags (5).
  • The result is a web page with login capabilities (6).

What’s Happening Behind the Scenes

  1. When a user clicks the button and enters credentials in the login form, Salesforce authenticates the user. Then Salesforce checks the connected app to determine the type of access token to grant.
  2. Salesforce sends the access token to the callback.
  3. The callback uses the access token to pull the user’s information from Salesforce and cache it locally.
  4. The onlogin function determines which information to display to the user.
  5. If the website requires ongoing interaction with Salesforce after authentication, the connected app maintains a connection between the web page and the Salesforce community.
5 of 5.
Universal Containers (UC) uses Customer Community to allow its customers to register and perform self-service functions. Due to the growth of the business and the customer base, UC wants to deliver a different experience to its customers based on runtime circumstances.

What is the secure and recommended way of enabling this?

A.
Develop Lightning components to deliver different experience to customers using their information stored in Salesforce.
B.
Enable dynamic login experience by adding expid request parameter in the client configuration SSO initialization URL.
C.
Use an AppExchange product to customize the Customer Community login experience and deliver a personalized experience to customers
D.
Use custom login flows to deliver different experiences by extracting the source from the URL where the customer is visiting from.


Explanation : Dynamic Login

You can use dynamic branding to customize your community’s login experience at run time. For example, you can change which logo to display depending on whether the user is an employee or customer. Or display a particular self-registration page based on the user’s country code.

When using dynamic branding to customize the login experience, it applies to the entire login process: the initial login page plus related pages, such as two-factor authentication or a login flow. You can add dynamic branding to Community Builder, Visualforce, and custom login pages.
Use dynamic URLs for your login pages to present a different look and behavior based on the run-time situation. For example, different logos appear depending on who the user is or where the user’s logging in from. Dynamic branding relies on a URL parameter called the experience ID. The {expid} determines what the user experiences. At run time, the {expid} resolves to the current value, and the appropriate URL is created.
Here’s a scenario. Universal Distributing wants to brand the login experience depending on whether the user is internal or external. You create logos for each brand, appropriately named internal_logo.png and external_logo.png. Then you set the logo URLs so that internal users see http://.../internal_logo.png and external users see http://.../external_logo.png.
From the Administration Login & Registration page, you specify the logo URL with the {expid}: https://universaldistributing.com/{expid}_logo.png.
When an external user logs in, {expid} is set to external, the URL becomes https://universaldistributing.com/external_logo.png, and the external logo appears on the login page. Likewise, when an internal user logs in, {expid} is set to internal, the URL becomes https://universaldistributing.com/internal_logo.png, and the internal logo appears on the login page.
You define dynamic branding URLs for logos and right-frames on the Community Workspaces Administration Login & Registration page. They apply to default and custom login pages.
In addition to setting the experience ID, your login implementation must set the login URL according to the value of the experience ID. For example, by adding the logic to your login button, when expid=INTERNAL, the login button directs the user to https://universaldistributing.com/brands/expid=INTERNAL.
You can also use Visualforce and Apex to create dynamic URLs. Use the Apex getExperienceId method of the System.Site class to retrieve the value of the experience ID. To set the experience ID, use the setExperienceId method, or add an experience ID dynamic parameter to one of these login endpoints.
  • community-url/services/oauth2/authorize/expid_value
  • community-url/idp/endpoint/HttpPost/expid_value
  • community-url/idp/endpoint/HttpRedirect/expid_value
  • community-url_login_page?expid={value}
  • community-url/CommunitiesSelfReg?expid={value}
  • community-url/.well-known/auth-configuration?expid={value}
  • secur/forgotpassword.jsp?expid={value}
For example, use the CommunitiesSelfReg endpoint to pass in a different {expid} value to the self-registration page to deliver a different registration flow for each brand.
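As an added example (not code from this page or from Salesforce), here is an Apex controller for a custom Visualforce login page that applies the dynamic branding described above: it reads the experience ID from the request or from Site.getExperienceId, validates it against an allowlist of known brands before using it in a URL, and stores it with Site.setExperienceId so the rest of the login process (two-factor pages, login flows) stays consistently branded. The brand values internal and external and the logo URL template come from the Universal Distributing scenario above; the class name, the allowlist, and the fallback brand are assumptions.

```apex
// Added example, not from the page or from Salesforce: a Visualforce controller that
// resolves the experience ID for a community login page and builds a branded logo URL.
// Assumed: brand values "internal" and "external", and the logo template
// https://universaldistributing.com/{expid}_logo.png from the scenario on this page.
public with sharing class BrandedLoginController {

    // Allowlist of brand values this org knows about (assumed). Only these values
    // are ever interpolated into a URL; anything else falls back to DEFAULT_BRAND.
    private static final Set<String> ALLOWED_BRANDS = new Set<String>{ 'internal', 'external' };
    private static final String DEFAULT_BRAND = 'external';
    private static final String LOGO_TEMPLATE = 'https://universaldistributing.com/{expid}_logo.png';

    public String experienceId { get; private set; }
    public String logoUrl { get; private set; }

    public BrandedLoginController() {
        // 1. Prefer an expid passed on the request, e.g. login_page?expid=internal.
        String requested = ApexPages.currentPage().getParameters().get('expid');

        // 2. Otherwise use the value Salesforce already resolved for this login.
        if (String.isBlank(requested)) {
            requested = Site.getExperienceId();
        }

        // 3. Never trust the raw value: reduce it to a known brand first.
        experienceId = normalize(requested);

        // 4. Persist the validated value so related pages in the same login
        //    process (two-factor authentication, login flows) use the same brand.
        Site.setExperienceId(experienceId);

        // 5. Only now is it safe to build a URL from it.
        logoUrl = LOGO_TEMPLATE.replace('{expid}', experienceId);
    }

    // Lower-cases the value and rejects anything outside the allowlist, so a
    // crafted expid cannot steer the logo or login URL to an arbitrary path.
    @TestVisible
    private static String normalize(String value) {
        if (String.isBlank(value)) {
            return DEFAULT_BRAND;
        }
        String candidate = value.trim().toLowerCase();
        return ALLOWED_BRANDS.contains(candidate) ? candidate : DEFAULT_BRAND;
    }
}
```

A Visualforce login page would reference this controller with controller="BrandedLoginController" and render {!logoUrl} in an apex:image tag. The allowlist is the point of the example: the expid arrives on the request, so it is user-controlled input and should be reduced to a known brand before it is interpolated into a logo URL or a login redirect.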
