CTA Security Tough Challenges
by Charlie Guo
1. OAuth
1.1. JWT + M-TLS
1.1.1. Why JWT? * Server to server * No human touch => scripted deployment
1.1.2. M-TLS alone is not enough: the SF API needs an access token.
1.2. Asset Token
1.2.1. Do Asset Tokens never expire? The expiry is set on the Connected App.
1.2.2. How does the IoT backend validate the Asset Token? By checking its signature with the public key of the Asset Signing Certificate.
1.3. User Agent Flow: how to get a refresh token? The Redirect URL is either (1) a custom protocol, e.g. trailheadapp://auth/success, or (2) .../services/oauth2/success
2. SAML
2.1. SAML 2.0: * Mention "Federation" * Best practice: "Federation ID" * Mention the relay request * Login URL * The request is POST or redirect * The assertion is always POST
2.2. Prefer SAML JIT over API integration for user provisioning? JIT: (1) just in time (2) on platform (3) community self-registration. For complex permission management, use the API. For de-provisioning, use the API.
2.3. Explain the common SSO & OAuth Flows
2.4. How to prevent IdP-initiated SSO? 1. Disable it on the IdP side. 2. Check for InResponseTo in the JIT handler (Okta populates this).
2.5. When multiple ADs are used, how is the user routed to the correct one? => IDK; it's an IdP configuration. => Multiple SSO settings map to multiple apps on the IdP, which map to multiple directories.
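The InResponseTo check from 2.4, as an added example that is not part of the original notes and not Salesforce's own code: a Python sketch of the logic an SP-side JIT handler would apply, run over a constructed, unsigned SAML Response. It assumes the signature was already verified upstream and that the SP keeps the IDs of the AuthnRequests it issued in a set (`issued` below is a constructed value).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def build_response(in_response_to, not_on_or_after="2099-01-01T00:00:00Z"):
    """Constructed, unsigned sample Response; an empty in_response_to models an IdP-initiated one."""
    attr = f'InResponseTo="{in_response_to}" ' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp-1" {attr}Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData {attr}NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

def accept_sp_initiated(response_xml, outstanding, now=None):
    """Return (accepted, reason). Only assertions answering a request this SP issued pass."""
    root = ET.fromstring(response_xml)
    if root.tag != SAMLP + "Response":
        return False, "not a samlp:Response"
    req_id = root.get("InResponseTo")
    if not req_id:
        return False, "IdP-initiated: Response has no InResponseTo"
    if req_id not in outstanding:
        return False, "InResponseTo does not match an outstanding request"
    # The bearer confirmation inside the assertion must echo the same request ID.
    scd = root.find(f".//{SAML}SubjectConfirmationData")
    if scd is None or scd.get("InResponseTo") != req_id:
        return False, "SubjectConfirmationData does not echo the request ID"
    now = now or datetime.now(timezone.utc)
    expiry = scd.get("NotOnOrAfter")
    if expiry and datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
        return False, "assertion expired"
    outstanding.discard(req_id)  # request IDs are single-use, so a replay is rejected
    return True, "ok"

if __name__ == "__main__":
    issued = {"_req-42"}  # constructed: ID of an AuthnRequest this SP sent earlier
    print(accept_sp_initiated(build_response("_req-42"), issued))
    print(accept_sp_initiated(build_response(None), issued))
```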
3. Delegated Authentication
3.1. Should the API go through an ESB? An ESB gives (1) protocol translation (2) redundancy.
3.2. M-TLS and IP whitelisting can protect the delegated authentication API.
4. MFA
4.1. The doc says that the Refresh Token flow supports MFA. 1. If High Assurance is added to the connected app, may the token stop working? 2. If we get an access token and then obtain session IDs, MFA is applied.
4.2. Is there a way to force all users to switch away from SF Authenticator? Use case: a custom MFA method must be enforced because SF MFA is not considered strong enough. => Put MFA in the Standard column of Session Settings and turn off Lightning Login. => Put SSO w/ MFA in the High Assurance column. => Integrate with the custom MFA in a Login Flow.
5. ACME Insurance
5.1. Acme Insurance has 50M customers => multi-org? Chad: up to 100M.
5.2. Can we buy more Chatter Free or Chatter Only licenses? Ask the account executive.
5.3. Acme Insurance wants to move Advanced Statistical Modeling to Salesforce => push back => consider Einstein Prediction.
6. M-Org
6.1. Mobile app: * 1 MP app per community * Shared app, at least a hybrid app
6.2. How to handle identity? * Shared Auth. Providers * Custom login page
6.3. How to handle leads? Integration and routing.
7. Canvas App
7.1. Do we need to add SSO to a Canvas App? Is the Signed Request good enough for user authentication? => SF serves as IdP if all users are SF users. => Otherwise, assume SSO through a shared IdP.
8. Who should own payment records? * Invoice * Payment * Payment Method
8.1. Address scenario-specific requirements: * Account owner * Sales team * Service team. Internal user ownership is more flexible.
9. Product & Pricebook
9.1. Product OWD * Keep the default: Public Read/Write (Pub-RW) * The community user profile allows only Read on Product and Pricebook
9.2. How to share a pricebook with CC users? No way. Do not use Order! Application__c -md-< Item__c >-- Product
9.3. CC users can see Active Products only.
10. Sharing
10.1. The best way to share Published Tours: * Copy to a Public-Read object * LWC + Apex without sharing * CC+ license + CBS
11. Event Monitoring
11.1. Einstein Analytics
11.2. Event Log File
11.3. >55 event types to track (Login, API, ...)
11.4. Transaction Security Policy * Policy builder * Apex class
11.5. Real-Time Event Monitoring: can subscribe to a channel (Platform Event?).
11.6. SF checks for attempted hacks and gives visibility into those.