Passed the Identity & Access Management Designer Certification (Achieved System Architect)

Just passed my last required certification, the Identity and Access Management Designer, to finally become a Salesforce Certified System Architect. What a journey and accomplishment. My study method seems to be working and I would like to share my methods and notes.

The method:
At the start of the 2nd part of this year (2018) I made a goal to start the Technical Architect journey and get certified every month. The method I've been doing is really easy: I book a date one month in advance and spend at least an hour or two reading the materials I need. I use the Pomodoro technique with an online tool, kanbanflow.com, and concentrate on learning one concept. I try to do this every day, either before bed or, if I missed it that evening, I get up early the next morning. So far this has worked great for me as it has made me consistent.

Exam takeaways
Now about the Identity and Access Management exam. This is like the rest of the exams: 60 multiple choice questions plus 5 extra. You are given 120 minutes and the passing score is 65%.
Honestly this was a hard exam. It is best if you have done an implementation of it. I wasn't that confident I would pass the exam when I hit the Submit button.

Trailhead: Identity and Access Management Designer
Go over this trailmix and nail it down to 100%. – https://trailhead.salesforce.com/users/00550000006yDdKAAU/trailmixes/architect-identity-and-access-management

Authentication and Authorisation – basically who you are (credentials) and what you are allowed to do
Different OAuth Flows:
  • User Agent Flow
  • Web Server Flow
  • JWT Bearer Token Flow
IdP and SP Initiated Flow
  • Heaps of questions on IdP Initiated and SP Initiated Flow (3-4)
  • IdP Initiated SAML is when you start from the IdP and from there access the system enabled for SSO
  • SP Initiated SAML is when you start at the service provider, which sends you to the IdP to authenticate
  • Which SSO flow can be used for deep linking
  • Use of Entity Id and Login URLs
Connected App and Managing Policies
  • Different types of scopes for OAuth and when to use them
  • Refresh Token Policy
  • User Provisioning – keeping users in sync
  • Custom Connected App Handler
2 Factor Authentication and Login Flows
  • When to use 2 factor and how login flows can be used for different scenarios
SSO Settings and My Domain
  • JIT User Provisioning
  • Login
  • Auth Providers
Federated SSO
Delegated SSO
Social SSO
Security
  • Login IP ranges
  • Trusted IP uses
Canvas Apps
Identity Connect
App Launcher
Auth Provider Setup
Active Directory
I'll continue to enrich this post as I recall some of the other stuff.

How to Setup Social Single Sign On in Salesforce

In this tutorial I'll walk through the steps needed to set up Social Single Sign On with LinkedIn to Salesforce.

Do the following Salesforce steps first, then we run through the LinkedIn steps.

Login to Salesforce and go to Setup and search for Auth Provider

When creating an Auth Provider you can have Salesforce auto manage the values for you.

    • Select the Provider type and provide a Name and URL Suffix
    • On the Registration Handler section click on Automatically create a registration handler template – you would need to edit this later
    • Hit Save.
    • Create an Account, then make sure the Account Owner has a role assigned
    • Next, let’s edit the AccountHandler auto generated for us.
    • You can grab the code from github and replace the handler – https://github.com/olopsman/salesforce-identity-registration-handler/blob/master/RegistrationHandlerTemplate
    • Update the following Constants to match your org and Community Profile name

private static final String ORG_SUFFIX = '.sso.dang.org';
private static final String DEFAULT_ACCOUNTNAME = 'Dang Channel';
private static final String EXTERNAL_USER_PROFILE = 'Customer Community User';

  • Next go to Communities Setup and under Members grant the profile access to the community
  • Next go to Login and Registration and enable LinkedIn or the social sign on platform you want to configure.
  • Then finally copy the community URL
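The registration handler the steps above tell you to edit, written out as an added example (my own code, not the blog's GitHub handler or the template Salesforce generates). It assumes the three constants above, a profile with that name, and an existing account named Dang Channel whose owner has a role:

```apex
// Added example handler: provisions a community user under one default
// account when someone logs in through the LinkedIn Auth Provider.
global class SocialRegistrationHandler implements Auth.RegistrationHandler {
    // Same constants the post asks you to change for your org (assumed values)
    private static final String ORG_SUFFIX = '.sso.dang.org';
    private static final String DEFAULT_ACCOUNTNAME = 'Dang Channel';
    private static final String EXTERNAL_USER_PROFILE = 'Customer Community User';
    public class RegistrationException extends Exception {}

    // Refuse to provision unless the provider sent what a user record needs;
    // guessing missing attributes would admit an unverifiable identity.
    private static Boolean canCreateUser(Auth.UserData data) {
        return data != null && String.isNotBlank(data.email)
            && String.isNotBlank(data.lastName);
    }

    // Called on the first login from this provider identity. Salesforce inserts
    // the returned User and links it to the provider id, so later logins go to
    // updateUser instead; the handler never matches existing users by email.
    global User createUser(Id portalId, Auth.UserData data) {
        if (!canCreateUser(data)) {
            throw new RegistrationException('Provider did not supply email and last name');
        }
        Profile p = [SELECT Id FROM Profile WHERE Name = :EXTERNAL_USER_PROFILE LIMIT 1];
        // The account owner must have a role or the community user insert fails
        Account acct = [SELECT Id FROM Account WHERE Name = :DEFAULT_ACCOUNTNAME LIMIT 1];
        Contact c = new Contact(AccountId = acct.Id, FirstName = data.firstName,
                                LastName = data.lastName, Email = data.email);
        insert c;
        User u = new User();
        u.Username = data.email + ORG_SUFFIX;          // must be unique org-wide
        u.Email = data.email;
        u.FirstName = data.firstName;
        u.LastName = data.lastName;
        u.Alias = data.lastName.left(8);               // alias is limited to 8 chars
        u.CommunityNickname = ('li' + data.identifier).left(40);
        u.ContactId = c.Id;
        u.ProfileId = p.Id;
        u.EmailEncodingKey = 'UTF-8'; u.LanguageLocaleKey = 'en_US';
        u.LocaleSidKey = 'en_US'; u.TimeZoneSidKey = 'Australia/Sydney';
        return u; // do not insert here; Salesforce does it
    }

    // Called on every later login: keep name and email in sync with the provider
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        update new User(Id = userId, FirstName = data.firstName,
                        LastName = data.lastName, Email = data.email);
    }
}
```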


Next would be to create an application in your social account, LinkedIn. The steps are similar for others like Google, Twitter and Facebook. Go to developer.linkedin.com and create an App.

Give your app a name and fill in the required fields. Paste the community URL into the website URL so that after authentication LinkedIn knows where to redirect the page.


Note: you will notice that creating an app also creates a consumer key and secret. We left these values blank in Salesforce as they were auto managed for us; you can copy the consumer key and secret into the Auth Provider section if you want to override this.

Go to your community URL and you should see a LinkedIn option to login. Click on it to log in to LinkedIn and authorize Salesforce to access your info. After authorization you are redirected back to the community, logged in. Behind the scenes you have been created as a contact and user in Salesforce.

Notes on Provisioning Communities Users in Salesforce

I learned the different methods to provision external users in Salesforce.

* You can create Customers and Partners
  * depending on the account type you can create certain users
  * Person Account and Contact – customers
  * Account – partner/customer
  * Account owner must have a role
  * You can manually create a contact and enable it as a customer or partner
  * Partners have roles when enabled
* You can self register
  * assign the profile in Setup, or
  * assign it in the self-register code (this overrides the Setup value)
  * assign the role
  * assign the account
* You can sign up via API using the following methods
  * createPortalUser
  * createPersonAccountPortalUser
* Social sign on to provision a user
* You can Just-in-Time provision using SAML
  * combine SAML with more attributes and SSO to provision a user
  * SAML Subject NameId as the Federation ID
  * does not work for Person Accounts
  * Contact email must be unique across all users, even non-external users
  * Account name and number must be unique or it causes a duplicate error
* Data Loader
* Bulk provisioning via API
  * use the same API methods – can you pass bulk here? API limits apply
* Identity Connect with Active Directory

https://developer.salesforce.com/blogs/developer-relations/2014/06/how-to-provision-salesforce-communities-users.html

How To Install Let’s Encrypt SSL Certificate on Google Cloud Compute with a Bitnami Stack

I have wanted to do this for some time and got the chance now, as I want to share something new every day.

Let's Encrypt is a free, automated and open Certificate Authority. Today I learned it was not straightforward to install.

I first tried to add the certbot PPA, but when I tried to install the python certbot package I got dependency errors. I then tried the certbot-auto script, which ran successfully, but my site was still not showing as secured by SSL.

Finally the following worked for me.

Here are the steps to install the SSL
Login to shell on your google cloud instance
ssh -i xx_gca key bitnami@ipaddress

Change directory
cd /tmp

Run the following command – it downloads the latest linux_amd64 release of lego from GitHub; replace the version in the tar file name below with the one you downloaded

curl -s https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i -

Untar the file
tar xf lego_v1.0.1_linux_amd64.tar.gz

Make lego available on the PATH by moving it to the binary directory

sudo mv lego /usr/local/bin/lego

Stop your server
sudo /opt/bitnami/ctlscript.sh stop

Run the lego client
sudo lego --email="youremail@domain.com" --domains="yourdomain.com" --domains="www.yourdomain.com" --path="/etc/lego" run

Backup your existing certificate and key by renaming them (do the same for server.crt)
mv server.key server.key.2018

Copy the server certificates from /etc/lego/certificate to /opt/bitnami/apache2/conf

Change directory and go to
cd /opt/bitnami/apps/wordpress/conf

Edit the following httpd-app.conf file
sudo vi httpd-app.conf

Add the following conditions and rule
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.lopau.com/$1 [R,L]

Finally start back the server
sudo /opt/bitnami/ctlscript.sh start

Reload your website and check the URL; you should now be secured with SSL.

That should get you going.

Other things to note:

  • certificates are only valid for 90 days
  • the suggestion is to auto renew
  • certificates are free and can be used on websites, FTP servers and mail servers
  • you need an ACME client

In my next tutorial, I'll show you how to set up a cron job to auto renew the certificate.

Share and Learn Something New Everyday – Single Sign On with Mobile SDK and Salesforce Identity

So I'm putting this post out there to motivate myself to share something every day till 2019: teach something that I know or have learned about Salesforce development, web development or technology in general, big, small or just my study notes.
I'm preparing to sit the Identity and Access Management Designer exam for Salesforce, so I have quite a bit to share.
To start, I learned yesterday how easy it is to implement single sign-on on a mobile application with Salesforce Identity.
  • Enable My Domain and deploy to your users
  • Create a New Single Sign-On Settings
  • Exchange metadata with an Identity Provider
    • Get the Issuer URL
    • Load the Certificate
    • SAML Identity Type as Federated ID
    • Identity Login URL
    • Entity Id
  • Enable Single Sign-On
  • Edit My Domain to edit the Login Settings and select the new Authentication Service
  • Go back to the App and edit the Policy for users who will have access to this app
  • Use profiles or permission sets to assign this app
Go to your My Domain and on the Salesforce login screen you should see the new Authentication Service.
I also learned how easy it is to use the Salesforce Mobile SDK.
  • Configure a Connected App to get the consumer key and secret, and set a callback URL
  • On the command line type forceios create
  • Select native, hybrid, hybrid_local
  • Note the package name
  • Add the connected app consumer key and secret
  • To enable the Single sign-on
  • Edit the plist on the Supporting Files
  • Update SFDCOAuthLoginHost to the custom my domain url
  • Launch the simulator and you'll be prompted to log in at your IdP
  • You get redirected back to Salesforce after successfully logging in
  • That's how easy it is to set up Single Sign-On
Next, to publish the app
  • In Xcode go to Product > Archive to generate the .ipa
  • Select Export and choose Ad Hoc
  • Next make sure to match the Xcode settings to the connected app settings for mobile
  • Select the private app to upload the .ipa file
Get the Private AppExchange from AppExchange
  • Create a listing for the new application
  • Then using your mobile device grab the app from the listing to install it
Watch the dreamforce session here. https://www.youtube.com/watch?v=W3okdu8nJHY
That's it for the first share. Watch out for my next post.