Salesforce Certified Identity and Access Management Designer Exam Tips

Salesforce Certified Identity and Access Management Designer Exam Tips

After failing this exam once before, I couldn’t leave it for very long before having another go. I was close enough that I knew I could have a good shot at it if I only gave myself a couple more weeks of study and stuck to the resource guide like a limpet. So on Christmas Eve 2017, after 3 more days of intensive study, I gave it another go.

This isn’t an easy exam in any way unless you have had practical experience of setting up single sign-on for a customer or organisation. This is by far the area in which I had the least experience, so for me, it wasn’t even a case of revising for it. I had to learn it.

Thank you CALVIN for your fantastic OAuth Demystified sessions.

Before You Start…

Your best point of guidance is to again follow the Trailmix provided by Salesforce. There are some fantastic videos and presentations that the guide points you to – this helped to put some context on the other resources that I was reading through.

Secondly – if you don’t already have the experience of setting up single sign-on (SSO), it will help you greatly if you undertake the practical exercises within the resource guide. Actually clicking through and setting up SSO makes it easier to understand for the unfamiliar.

Edit: Jan 2020:

This is a good video to follow along with. It will give you the experience of setting up single sign-on using Google as your auth provider (openID protocol, not SAML):

Concepts to Understand

  • Authentication
  • Authorisation
  • OAuth and SAML
  • Identity Provider-initiated authentication flows
  • Service Provider-initiated authentication flows
  • Deep Linking
  • My Domain
  • Different types of OAuth flow and when to use them
  • Authentication within Canvas apps
  • Login Flows and Two-Factor Authentication
  • Certificates


  • The main concept for this exam is the idea of authenticating users without swapping usernames and passwords.
  • This is done using tokens:
    • Access token (session ID) – this is granted once the user is successfully authenticated (i.e. we have the right combination of username and password/authorisation code)
    • Refresh token – can be requested and granted during the first authentication process to allow a user to be “remembered” by an application.
      • e.g. your Facebook mobile app: you don’t have to login every time you open it, because Facebook issued a refresh token to you way back when you first logged into it.


  • Authorisation is the concept of a user giving an application permission to access certain attributes.
  • You’ve all seen this page before, right?

This page is asking you to authorise Facebook to share your profile and email address with Daily Mail Online. We see these most days whilst using internet applications since social media is one of the most reliable identity providers in existence.

SAML and OAuth 2.0

Salesforce handles SSO using a combination of SAML protocol and OAuth 2.0 protocol.

  • SAML is used for authentication
    • where a service provider (SP) sends a SAML request for an access token from the Identity Provider (IdP).
      • (Hello AD, this is Salesforce. This user wants to come in. Can they?)
    • where an IdP sends a SAML assertion that contains the access token

More on SAML:

  • OAuth is used for authorisation
    • by granting permission to access certain elements of data.
    • Scopes control what data is shared via an OAuth request
      • Familiarise yourself with the main scopes used by salesforce; there is a question where you’re presented with a list of scope definitions and you’ll need to select the right one

The resource guide contains some brilliant diagrams and resources to help you understand this better, but:

At a very high level

  1. User wants to login to Salesforce
  2. Salesforce says “I don’t know who you are”. Displays a login screen (or, if you’re using SSO, displays A N Other login screen).
  3. You enter your username and password.
  4. Salesforce checks to see if you’re allowed to login. If you’re outside of the IP range configured by an admin, or in a new location, it asks for an authorisation code, which has been emailed to you.
  5. You check your email and enter the code.
  6. Salesforce says OK and logs you in.

The thing is, you can automate this process completely. What the exam tests you on is the different ways you can automate it and which one is appropriate for a given scenario.

More on OAuth through Ladies Be Architects videos:

IdP-initiated Authentication

Ever logged into your computer at work and been faced with a series of tiles, inviting you to start up an app? This is a classic example of identity provider-initiated authentication.

This example concerns Salesforce as the IdP – you would log in to Salesforce via the link, then open the App Launcher. From there you can access any of the apps displayed without having to sign in separately for them.

Note: in the exam you’ll be asked which licence type is most appropriate to support this experience: for employees and for communities. It is advisable to become familiar with the two types of Identity Licence.

SP-initiated Authentication

This type of authentication is appropriate if you want to access a resource from Salesforce but use your standard set of credentials; it’s the most common since many organisations want users to be authenticated through a central IdP, such as Active Directory.

Another good example of this is if you want your Community users to login via Facebook. The Resource Guide points you to an excellent series of videos that teach you all about how this works; I can highly recommend setting this up for real in a developer org. You can either use the Axiom Heroku app or set up a multi-org environment. There is an exam question about how best to authenticate for a multi-org situation and this exercise helped me answer that question.

Deep Linking

When I first saw this referred to several times, I had no idea what it was, but we use it all the time! One of the great things about using Salesforce is the ability to distribute links to certain things, such as a record, a report, a dashboard, a Chatter post. As admins, we do this a lot when users are unable to find things.

This is called Deep Linking. You’re effectively linking to an individual item deep within the application. If you’re already signed in to Salesforce and you click a deep link, the resource just opens. However, if you’re not logged in and you click the link, you’re subject to the same authentication requirements as you would be if you were just logging in to your org’s home page. I’ve put this into a plan English diagram here (half the battle with this hefty subject matter is the terminology!):

My Domain

It’s important to remember that without setting up My Domain, all of this SSO stuff is pointless. You HAVE to have a personalised domain because, without it, the IdP can’t find the org to allow sign in for.

Also: you configure where Salesforce is authenticated in My Domain. This is important if you are setting up SP-initiated authentication since you’ll need to tell Salesforce to redirect itself to your IdP login page.

Different Types of OAuth Flow

OAuth is an open protocol and there are a few different ways to use it. This article explains it quite well; I did still have to put my own diagrams together to help me understand them and I’m happy to share them with you.

Note: this doesn’t include ALL the flows, but they were enough to get me through the exam. I will be revisiting them in more detail as part of my CTA prep.

Web Server Flow

I used this as an SAP example: if you’re integrating anything with Salesforce, you will still need to authenticate, so this flow would be used for this purpose

User-Agent Flow

This flow is for any desktop or mobile hardware app that needs to connect to Salesforce. A good example is the data loader, Chatter Desktop or the Salesforce1 mobile app.

JWT (JSON Web Token) Flow

This flow is best used when you have a couple of frameworks that already trust each other and you just want to authenticate (not authorise) them. Once authenticated, they’ll keep talking.

Device Authentication Flow

If you have ever set up BBC iPlayer on your Smart TV, you’ll see that you are taken through this exact flow when you want to authorise your TV to access your account.

Canvas Apps

Know about canvas apps and their authentication flow; the diagram can be found here.

Login Flows and Two-Factor Authentication

Know best practices for the implementation of 2FA (two factor authentication); there are a variety of options available. Personally, I loved learning about Login Flows:

  • Login flows use the standard Visual Workflow tool to enable you to add your own 2FA depending on business logic
    • e.g. certain users need to use a fingerprint as a second factor
  • It’s worth remembering that 2FA as a best practice tends to be used with mobile apps or situations where users need to access Salesforce from outside your company’s network (in the context of this exam)

SSL Certificates

I wish I’d studied the types of certificates a little harder! There wasn’t anything immediately obvious within the resource guide for this topic. A search after the exam yielded the article above, along with some reassurance that I’d selected an answer that was along the right lines.

Luckily, our Ladies Be Architects study group leader, Natalya Murphy, ran a crash course study group on the entire exam curriculum – so, if you learn well from others, I can highly recommend this series (16 videos!!):

As ever, this post will be refined and I would love to hear your feedback. You can find me on Twitter @gemziebeth. I wish you all the best for this exam; it was a massive relief to pass this one since it made me a system architect at last!!

Share This: