Identity Basics

Overview of Data Security

Describe how Salesforce Identity helps administrators. Understand how Salesforce Identity can benefit a business. Distinguish between single sign-on (SSO) and social sign-on. Describe the benefits of My Domain.
  • Salesforce Identity lets admins give the right people the right access to the right resources.
  • In the tech industry, "identity" has different meanings depending on context, but in general an identity provider's job is to verify that users are who they say they are.
    • In Salesforce, identity covers both who the user is and what they can do. It includes user attributes like name, contact info, and job title, as well as the permissions attached to the user.
  • The following list includes the main features of Salesforce Identity:
    • Single sign-on: lets users access all authorized resources without separate credentials. For example, a Salesforce identity can also be used to log in to other apps, like Google Apps or Microsoft Office 365.
    • Connected apps: bring Salesforce orgs, third-party apps, and services together. Apps can be configured to use SSO.
    • Social sign-on: enables users to log in to a Salesforce org with the username and password they already have at an external authentication provider (Facebook, Twitter, LinkedIn, Google, PayPal, Amazon). These providers can be set up easily. This feature is particularly useful for communities, where customers and partners do not want yet another password.
    • Two-factor authentication: requires that users provide a second "factor", a proof of identity beyond username and password. The second factor can be a one-time code sent by text message or email, or a push notification to a mobile device (for example from the Salesforce Authenticator app).
    • My Domain: lets admins define a custom subdomain within the Salesforce domain, e.g. https://wonderful-ed.my.salesforce.com. Benefits: users land on the org's own login URL rather than the generic login.salesforce.com, the login page can be branded, login policies can be set per org, and SSO with an external identity provider can be configured against that URL.
    • Centralized user account management: means admins can easily grant users access to other apps and revoke/freeze access when they have to.
    • User provisioning: provides a single location where admins can create, update, delete, and manage user accounts for other clouds.
    • Identity Connect: synchronizes users and their attributes from Active Directory (AD) to Salesforce.
    • App Launcher: presents tiles for all standard apps, custom apps, and connected apps. Admins can choose which third-party and other connected apps to add to the App Launcher.
  • Salesforce Identity is included in standard user licenses. Identity Only licenses are also available.

Get To Know Your Salesforce Identity Users

Describe how employees benefit from Salesforce Identity. Describe how customers and partners benefit from Salesforce Identity. Describe what’s important when setting up user registration. Know which features of Salesforce Identity benefit employees, which benefit partners and customers, and which benefit both.
  • Two types of users in general: employees, and customers/partners. Employees are internal users who log in to the org itself; customers and partners are external users who typically log in through a community and see only what has been exposed to them there.
  • Access to apps can be subject to manager or supervisor approval. It can also be revoked.
  • Key benefits for customers and partners:
    • User Registration: self-registration can collect the key pieces of information the business needs up front, and users can easily edit that info later.
    • Brand Control: users will see the company’s brand, not Salesforce’s.
    • Social Sign-On: Facebook, LinkedIn, Twitter, etc. Also any OpenID Connect-based provider, or, via a custom authentication provider plug-in, any provider that uses OAuth.
    • SSO: customers and partners can move between the company's site and third-party websites without hitting login screens.
    • One Comprehensive Picture of the User: social sign-on can be configured so that a first login creates a new user and an associated contact record; from there, an email campaign can be kicked off to drive engagement.
      • It is important that registration also launches the other business processes that support it (creating the contact, notifying the owner, starting the campaign), not just the user record.

Learn the Language of Identity

Identify the industry standards used for identity and access management. Know how SAML is related to XML. Know the difference between an identity provider and service provider.
  • Identity Standards and Protocols: a set of agreed-upon practices for access management:
    • SAML: Security Assertion Markup Language is the standard that enables single sign-on between organizations. Example: a user is logged in to Salesforce, clicks App Launcher, and lands in a Gmail inbox without logging in again.
      • Works by an exchange between a service provider (which asks for an authenticated identity) and an identity provider (which returns an assertion that it has authenticated the user, along with attributes about that user).
      • XML-based: the assertion is an XML document, and the service provider must validate it (issuer, audience, validity window, and signature) before trusting it.
    • OAuth 2.0: open authorization protocol that lets a user grant an application limited access to their data on another service without handing over their password. Example: a mobile app that pulls contacts from a Salesforce org.
    • OpenID Connect: an identity layer built on top of OAuth 2.0. It uses JSON and REST instead of SAML's XML, which makes it lighter-weight and is why social networks and web apps adopted it; that is what differentiates it from SAML.
      • Support for Google, Facebook, and LinkedIn works out of the box.
  • Salesforce can work both as an identity provider and as a service provider:
    • When a user logs in to Salesforce and then accesses Gmail, Salesforce is the identity provider and Gmail is the service provider.
    • A common situation is that a company already uses another identity provider, like Microsoft's Active Directory Federation Services (ADFS). In that situation, Salesforce is the service provider.