• Shuffle
    Toggle On
    Toggle Off
  • Alphabetize
    Toggle On
    Toggle Off
  • Front First
    Toggle On
    Toggle Off
  • Both Sides
    Toggle On
    Toggle Off
  • Read
    Toggle On
    Toggle Off

Card Range To Study



Play button


Play button




Click to flip

Use LEFT and RIGHT arrow keys to navigate between flashcards;

Use UP and DOWN arrow keys to flip the card;

H to show hint;

A reads text to speech;

46 Cards in this Set

  • Front
  • Back
  • 3rd side (hint)

What are the main features that support SF Identity?

  1. Single Sign-on
  2. Connected apps
  3. Social Sign-on
  4. Two-factor authentication
  5. My domain
  6. Centralized User Account Mgmt
  7. User Provisioning
  8. Identity Connect
  9. App Launcher

9 features, different ways to provide unique views

What is Single Sign-on (SSO)?

Allows users to access all authorized resources without logging in separately to each one—and without having to create (and remember) different user credentials for each app.

Connect users to several accounts and applications running in other Salesforce orgs and even in other clouds.

For example, a call center rep with Salesforce Identity can click a link and be logged in immediately to other apps, like Google Apps, Office365, or Box.

one and done

What are "connected apps"?

The "authorized resources" for users. Connected apps bring Salesforce orgs, third-party apps, and services together. If a connected app is created without implementing SSO, it acts like a bookmark. Users can get to the app from the App Launcher or drop-down app menu, but they sometimes have to sign in again to use it.

So to get the most out of connected apps, configure them for SSO. With SSO, admins can set security policies and have explicit control over who uses which apps. You can also use connected apps to manage authentication and policies for mobile applications.

value of SSO set up

What is "social sign-on"?

users log in to a Salesforce org with their username and password from an external authentication provider, like Facebook, Twitter, LinkedIn, or Google.

You can set up any of these providers with a few clicks. With a little bit of work, you can set up other providers, like PayPal and Amazon.Social sign-on is especially useful when you want customers to be able to log in to a community without having to create (and remember) a new username and password. Customers can log in to a Salesforce Community site using their Facebook or LinkedIn account.


What is "two factor authentication (2FA)"?

users have to provide a second “factor,” or proof of identity, in addition to their username and password. The second factor can be a verification code that the user gets from a mobile authenticator app like Salesforce Authenticator. Or users can have a code sent to them by text message or email.With the newest version of the Salesforce Authenticator app, the second factor can be a response to a push notification on the user’s mobile device.

helps ensure that even if an attacker acquires a user’s password, the attacker can’t log in and do harm.

2x as secure

What is "centralized user account mgmt"?

single place to manage all user mgmt tasks - access or lack to other apps, freeze access, login policies, etc

for users single password to remember

one stop shopping

What is "user provisioning"?

create, manage, and secure user accounts across all your orgs and connected apps

for connected apps

What is "identity connect"?

synchronizes users and their attributes from Active Directory (AD) to Salesforce. When a user is created in AD, that same user account can also be created automatically in Salesforce. When a user is deleted from AD, the user account in Salesforce is deactivated at the same time.

let users sign in to Salesforce using their AD username and password. In some circumstances, you can configure Identity Connect to automatically sign users in to Salesforce—users can click a bookmark or link to Salesforce and they’re authenticated and taken to Salesforce without even seeing a login page

quick access

Why is app launcher part of the feature list for SF Identity?

if you are connecting other apps, they can be included in the app launcher no login necessary if already logged into SF

one stop shopping

Key benefits of SF Identity for partners and customers

  1. User Registration
  2. Brand control
  3. social sign on
  4. seamless web experience
  5. one comprehensive picture of the user

5 benefits, related to communities

What does user registration have to do with SF Identity benefits?

customizable process, collect relevant info, launch workflows right from registration


What are the 3 identity protocols related to SF identity?

  2. OAuth 2.0
  3. OpenID Connect

used by service and identity providers like FB or app exchange apps

What is SAML protocol and when is it used?

Allows SSO to happen between orgs and apps

one and done

What is OAuth 2.0 protocol and when is it used?

allows secure data sharing between apps, such as SF1 app accessing SF data

sharing is good

What is the OpenID Connect protocol and when is it used?

allows for social sign ons like FB and Google, doesn't create a new account and new password

social is fast

When Can Users Be Prompted for Two-Factor Authentication?

  1. Every time they log in to Salesforce, including API logins.
  2. When they access a connected app, dashboard, or report. This process is known as step-up or high-assurance authentication.
  3. During a custom login flow or within a custom app, for example, before reading a license agreement. More on this topic later in the trail.

3 times

What features require a custom domain?

  1. Work in multiple Salesforce orgs at the same time
  2. Customize your login page
  3. Set up single sign-on (SSO) with external identity vendors
  4. Set up authentication providers, such as Google and Facebook, to enable users to log in to your Salesforce org with their social account credentials
  5. Use Lightning components in Lightning component tabs, Lightning Pages, the Lightning App Builder, or standalone apps

5 features

What are the 2 My Domain Policies that can be set?

  1. login policy (only from custom domain)
  2. Redirect policy

What are the 3 redirect policy options for My Domain?

  1. Redirect to the same page within the domain. Lets users continue to log in from your URL as well as your domain name. This option might be convenient, but doesn’t enhance security for your org.
  2. Redirected with a warning to the same page within the domain. Reminds users to use your domain name when logging in from your URL, but it still redirects them to your org. This option is good for a few days to help users transition to your new domain name, but it doesn’t enhance security for your org.
  3. Not redirected. Requires users to use your domain name when viewing your pages. This option provides the greatest level of security.

What is the Federation ID?

  • unique user ID in the industry
  • can be the same for that specific user in multiple orgs


What permissions are needed to query event log files?

  1. API Enabled
  2. View Event Log File permissoin


What is Event Monitoring?

  • ability to view user activities, or "events"


How many different types of events can be monitored? Provide 8 examples

30 types of events

  1. logins
  2. logouts
  3. UITracking (mobile clicks
  4. VF page loads
  5. API calls
  6. Apex executions
  7. report exports

access,web & SF1,dev stuff, reporting

What is an event log file and when is it generated?

  • all user events are stored in event log files
  • when the event occurs
  • available to view in 24 hours

tracking real time

Name 3 benefits of event monitoring

  1. monitor data loss - spot issues before big problems
  2. increase adoption - track areas not functioning well
  3. optimize performance -track where issues lie

data and users

Where in Setup can the event log files be accessed?

  • API only - not in setup
  • Workbench is a tool to access the API object ("EventLogFile")

only advanced admins...

How can you download event log files for easy viewing?

  1. direct download via Event Log Browser application
  2. cURL script
  3. Python script

3 approaches, script

What is the advantage of using the Event Log File browser app to download files?

more straightforward - converts to Excel or Sheets


What is the advantage of using cURL to download event log files?

  • allows for scheduling of downloads
  • option to select format
  • best suited for Mac and Linux

purple button, my way

What is the advantage of using Python to download Event Log Files?

  • need more programmatic way to download
  • best for Windows
  • easy to understand

What is encryption?

scrambling of information so that only those with the right decoder can unscramble it

decoder rings

When does Shield Encryption do the encrypting?

when the data is stored (saved) in SF, "at rest"


Encryption vs other options for security

  1. field-level - who can access and edit fields on specific records
  2. page layout settings
  3. validation rules
  4. roles and profiles
  5. authentication and authorization - control who sees what data, at what time, from which locations and from which devices
  6. Security Health Check and Event monitoring - monitor user events

3 overreaching options (there are more)

when to use Shield Encryption

  • regulation requirements
  • contractual obligations
  • internal compliance policies

circle of trust

What is an (encryption) key?

  • takes data and unscrambles to make it readable
  • sometimes one is needed, sometimes more than one key is required
  • some keys in pairs - one scrambles the task and the other unscrambles the task

open doors

what is an (encryption) secret?

  • keeps keys safe and working properly
  • pieces of keys, combine to create encryption keys
  • allow servers to verify key up to date and request for access is from authorized key holder

hiding place

What are tentant and master secrets?

keys for keys (like teller and vault guard when accessing safety deposit box)

bank tellers

How often does SF generate a new master secret?

3 x a year, with each release

new stuff in SF

How does the tenant secret work?

  • you create it, on demand
  • stored securely in the database
  • key derivation process - partners with master secret to create keys that encrypt and decrypt data

link to keys

What level of encryption is included in the base SF license?

  • encrypt for special type of custom text fields
  • classic encryption - 128 bit Advanced Encryption Standard (AES) keys

custom and standard

What level of encryption is included with Shield Platform Encryption (free only to developer orgs and sandboxes)?

  • encrypt variety of data at rest- stored in fields, spreadsheets, standard and custom fields, databases and data warehouses
  • stronger 256 bit AES key
  • wider range of keys and permissions
  • data is searchable

what, how, benefits

What is "key rotation"?

generating a new tenant secret and archiving the old one


Steps to target critical needs for encryption when implementing Shield

  1. Define threat model - identify most likely threats, then create data classification scheme to decide Set No Sale Disposition Timer (25 seconds) to encrypt
  2. Not all data is sensitive - focus on regulatory, security, compliance and privacy requirements...too much can slow down performance
  3. Create data classification scheme early - work with stakeholders, find balance between functionality and security/risk

not all borders can be defended with walls

Tips for assigning Permissions and key access

  1. create strategy early for backing up and archiving keys and data - can't be reset, always back up tenant secrets..otherwise no access
  2. Grant Manage Encryption Keys to authorized users only , also monitor their activities with audit trail
  3. Encryption applies to all users, regardless of permissions - when they enter or update data it will be encrypted every time, use View Encrypted Data Permission, along with roles and profiles, to control who has access

backup, admin, access

True or False

If a user is granted the "view encrypted data" permission, he can view all data that is encrypted


Depends on all other access points, such as roles and profiles, field level security, page layouts, validations, etc.

many ways to secure

True or False

All apps in the App Exchange are compatible with Shield


Many but not all, and some would prevent enabling Shield

"always" is a fantasy