After failing this exam once before, I couldn’t leave it for very long before having another go. I was close enough that I knew I could have a good shot at it if I only gave myself a couple more weeks of study and stuck to the resource guide like a limpet. So on Christmas Eve 2017, after 3 more days of intensive study, I gave it another go.
This isn’t an easy exam in any way unless you have had practical experience of setting up single sign-on for a customer or organisation. This is by far the area in which I had the least experience, so for me, it wasn’t even a case of revising for it. I had to learn it.
Thank you CALVIN for your fantastic OAuth Demystified sessions.
Your best point of guidance is to again follow the Trailmix provided by Salesforce. There are some fantastic videos and presentations that the guide points you to – this helped to put some context on the other resources that I was reading through.
Secondly – if you don’t already have the experience of setting up single sign-on (SSO), it will help you greatly if you undertake the practical exercises within the resource guide. Actually clicking through and setting up SSO makes it easier to understand for the unfamiliar.
Edit: Jan 2020:
This is a good video to follow along with. It will give you the experience of setting up single sign-on using Google as your auth provider (OpenID Connect, not SAML):
This page is asking you to authorise Facebook to share your profile and email address with Daily Mail Online. We see prompts like this most days whilst using internet applications, since social media accounts are among the most widely used identity providers in existence.
Salesforce handles SSO with SAML 2.0 and OpenID Connect; OAuth 2.0 is the authorisation protocol that connected apps and API integrations use to obtain access tokens (OpenID Connect is itself built on top of OAuth 2.0).
More on SAML:
The resource guide contains some brilliant diagrams and resources to help you understand this better, but the key point is this: the login process can be automated completely. What the exam tests you on is the different ways it can be automated and which one is appropriate for a given scenario.
More on OAuth through Ladies Be Architects videos:
Ever logged in to your computer at work and been faced with a series of tiles, inviting you to start up an app? That app launcher is a classic example of identity provider-initiated (IdP-initiated) SSO: you authenticate once at the IdP, and clicking a tile sends you to the service provider with an assertion already in hand.
Note: in the exam you’ll be asked which licence type is most appropriate to support this experience, for employees and for communities. It is advisable to become familiar with the two types of Identity licence (Identity for employees and External Identity for community users).
This type of authentication is appropriate if you want to access a resource in Salesforce but sign in with your standard corporate credentials; it’s the most common arrangement, since many organisations want users authenticated through a central IdP such as Active Directory (exposed through AD FS or a similar SAML IdP).
Another good example is letting your Community users log in via Facebook. The Resource Guide points you to an excellent series of videos that teach you all about how this works; I can highly recommend setting this up for real in a developer org. You can either use the Axiom Heroku app (a free test SAML IdP) or set up a multi-org environment, with one org acting as the IdP for the other. There is an exam question about how best to authenticate in a multi-org situation, and this exercise helped me answer that question.
When I first saw this referred to several times, I had no idea what it was, but we use it all the time! One of the great things about using Salesforce is the ability to distribute links to specific things, such as a record, a report, a dashboard or a Chatter post. As admins, we do this a lot when users are unable to find things.
This is called deep linking: you’re effectively linking to an individual item deep within the application. If you’re already signed in to Salesforce and you click a deep link, the resource just opens. If you’re not logged in, you’re subject to the same authentication requirements as if you were logging in to your org’s home page, and once you have authenticated you are taken on to the linked resource rather than the home page. I’ve put this into a plain English diagram here (half the battle with this hefty subject matter is the terminology!):
It’s important to remember that without My Domain, SP-initiated SSO cannot work. You HAVE to have a personalised domain because, without it, users arrive at the shared login.salesforce.com page, which has no way of knowing which org (and therefore which IdP) they belong to, so Salesforce cannot redirect them to your IdP. IdP-initiated SSO can function without it, because the IdP posts the assertion straight to Salesforce, but the SP-initiated and deep-link cases cannot.
Also: you configure how users authenticate under My Domain’s Authentication Configuration, which is where you choose which login options (the standard username/password page, your SAML IdP and any auth providers) appear on your login page. This is important if you are setting up SP-initiated SSO, since that is where you tell Salesforce to redirect users to your IdP’s login page instead of showing the standard one.
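To make the deep-link journey concrete, here is an added example (mine, not from the original post and not Salesforce’s own code) that models how a service provider handles a deep link for a user who isn’t signed in: the intended path is carried to the IdP as SAML RelayState and, on the way back, is only honoured if it is a plain path on the org’s own My Domain. The My Domain host, IdP URL, record ID and landing page are all made-up values.

```python
"""Added example: carrying a deep link through SP-initiated SSO.

A generic model of the SAML RelayState pattern, not Salesforce's own code.
The My Domain host, IdP endpoint, record path and landing page are made up.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

MY_DOMAIN = "https://acme.my.salesforce.com"      # assumed My Domain (the SP)
IDP_SSO_URL = "https://idp.example.com/saml/sso"   # assumed IdP SSO endpoint
DEFAULT_LANDING = "/lightning/page/home"           # used when RelayState is unusable


def sp_initiated_redirect(deep_link: str, authenticated: bool) -> str:
    """Where the SP sends a user who just clicked a deep link.

    A signed-in user goes straight to the resource. Anyone else is bounced to
    the IdP with the intended path carried as RelayState, so the SP can finish
    the journey once the SAML assertion comes back. Only path and query are
    carried, never the host, so the value can't later steer the user off-domain.
    """
    target, own = urlsplit(deep_link), urlsplit(MY_DOMAIN)
    if (target.scheme, target.netloc) != (own.scheme, own.netloc):
        raise ValueError("deep link is not on this org's My Domain")
    if authenticated:
        return deep_link
    relay = urlunsplit(("", "", target.path, target.query, ""))
    # A real redirect also carries SAMLRequest (a deflated, base64 AuthnRequest);
    # it is left out here because the point is the RelayState handling.
    return IDP_SSO_URL + "?" + urlencode({"RelayState": relay})


def relay_state_from_redirect(redirect_url: str) -> str:
    """Recover the RelayState value that the IdP will echo back with its response."""
    return parse_qs(urlsplit(redirect_url).query).get("RelayState", [""])[0]


def resolve_relay_state(relay_state: str) -> str:
    """Turn the RelayState received with the SAML response into a safe landing URL.

    RelayState is attacker-controllable (anyone can craft a link to the IdP with
    a RelayState of their choosing), so it is honoured only when it is a plain
    path on the org's own domain. Anything else falls back to the default page.
    """
    if not relay_state or "\\" in relay_state or relay_state.startswith("//"):
        return MY_DOMAIN + DEFAULT_LANDING
    parts = urlsplit(relay_state)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return MY_DOMAIN + DEFAULT_LANDING
    return MY_DOMAIN + urlunsplit(("", "", parts.path, parts.query, ""))
```

The check in resolve_relay_state is the practitioner’s caveat: RelayState is just a request parameter echoed back by the IdP, so an SP that redirects to whatever it contains is an open redirect waiting to be used in a phishing link. Real deployments often go further and store the target server-side, sending only an opaque reference as RelayState.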
OAuth 2.0 is an open protocol with several grant types, or “flows”, each suited to a different kind of client. This article explains it quite well; I did still have to put my own diagrams together to help me understand them and I’m happy to share them with you.
Note: this doesn’t include ALL the flows, but they were enough to get me through the exam. I will be revisiting them in more detail as part of my CTA prep.
I used this as an SAP example: if you’re integrating anything with Salesforce, you will still need to authenticate and obtain an access token, so this flow would be used for that purpose.
This flow is for any desktop or mobile app that needs to connect to Salesforce. Good examples are the Data Loader, Chatter Desktop and the Salesforce1 mobile app.
This flow is best used when you have two systems that already trust each other and the integration has been pre-authorised, so you only need to authenticate it (no user has to approve access interactively). Once authenticated, they’ll keep talking.
If you have ever set up BBC iPlayer on your smart TV, you’ll have been taken through this exact flow when authorising your TV to access your account: the TV shows a short code, you enter it on another device where you’re already logged in, and the TV polls in the background until the approval comes through.
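The exchange behind that smart TV experience, as an added example that is not part of the original post and not Salesforce’s code: a constructed in-memory authorization server and the device-side client, with a fake clock so the polling loop runs instantly. The request shapes follow Salesforce’s documented device flow (response_type=device_code to start; grant_type=device with code=<device_code> to poll) and RFC 8628 for the error names, but the client ID, scope and verification URL are made up.

```python
"""Added example: both sides of the OAuth 2.0 device flow.

Constructed stand-in for an authorization server plus the device client; not
Salesforce's code. client_id, scope and the verification URL are invented.
"""
import secrets


class FakeClock:
    """Deterministic clock so the poll loop can run without real sleeps."""

    def __init__(self, start: float = 1000.0):
        self.now = start

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


class MockAuthServer:
    """In-memory authorization server holding device-flow state."""

    def __init__(self, interval: int = 5, lifetime: int = 600):
        self.interval = interval      # minimum seconds between polls
        self.lifetime = lifetime      # seconds a device code stays valid
        self._flows = {}              # device_code -> flow record

    def start(self, client_id: str, scope: str, now: float) -> dict:
        """Models POST /token with response_type=device_code from the device."""
        device_code = secrets.token_urlsafe(24)
        user_code = f"{secrets.randbelow(10**4):04d}-{secrets.randbelow(10**4):04d}"
        self._flows[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "approved_for": None, "last_poll": float("-inf"),
            "expires_at": now + self.lifetime,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.com/setup/connect",
                "interval": self.interval}

    def approve(self, user_code: str, username: str) -> bool:
        """The user types the code on a second device where they are logged in."""
        for rec in self._flows.values():
            if rec["user_code"] == user_code and rec["approved_for"] is None:
                rec["approved_for"] = username
                return True
        return False

    def token(self, client_id: str, device_code: str, now: float) -> dict:
        """Models POST /token with grant_type=device&code=<device_code> (the poll)."""
        rec = self._flows.get(device_code)
        # The code must exist and belong to the client that started the flow.
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now > rec["expires_at"]:
            del self._flows[device_code]
            return {"error": "expired_token"}
        if now - rec["last_poll"] < self.interval:
            return {"error": "slow_down"}        # polled faster than allowed
        rec["last_poll"] = now
        if rec["approved_for"] is None:
            return {"error": "authorization_pending"}
        del self._flows[device_code]             # device codes are single use
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "scope": rec["scope"]}


def start_device_flow(server: MockAuthServer, client_id: str, scope: str,
                      clock: FakeClock) -> dict:
    """Step 1 on the device: get the code pair to show on screen."""
    return server.start(client_id, scope, clock.time())


def poll_for_token(server: MockAuthServer, client_id: str, started: dict,
                   clock: FakeClock, max_polls: int = 30) -> dict:
    """Step 3 on the device: poll at the advertised interval, backing off on slow_down."""
    interval = started["interval"]
    for _ in range(max_polls):
        clock.sleep(interval)
        resp = server.token(client_id, started["device_code"], clock.time())
        if "access_token" in resp:
            return resp
        error = resp.get("error")
        if error == "authorization_pending":
            continue
        if error == "slow_down":
            interval += 5                        # RFC 8628 section 3.5
            continue
        raise RuntimeError(f"device flow ended with error: {error}")
    raise TimeoutError("gave up waiting for the user to approve the device")
```

Two details matter for security here: the device code is bound to the client_id that requested it and is single use, and the server throttles a client that polls faster than the advertised interval; the client’s correct response to slow_down is to add five seconds and keep polling, not to give up.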
Know about canvas apps and their authentication flow; the diagram can be found here.
Know best practices for the implementation of 2FA (two-factor authentication); there are a variety of options available. Personally, I loved learning about Login Flows:
I wish I’d studied the types of certificates a little harder! There wasn’t anything immediately obvious within the resource guide for this topic. A search after the exam yielded the article above, along with some reassurance that I’d selected an answer that was along the right lines.
Luckily, our Ladies Be Architects study group leader, Natalya Murphy, ran a crash course study group on the entire exam curriculum – so, if you learn well from others, I can highly recommend this series (16 videos!!):
As ever, this post will be refined and I would love to hear your feedback. You can find me on Twitter @gemziebeth. I wish you all the best for this exam; it was a massive relief to pass this one since it made me a system architect at last!!