My session On Identity Flows @ Apexhours :
Here are answer of few Questions we were not able to talk about.
From Ybandopantpatil : What is IDP org and SP Org?
Atul: IDP stands for Identity Provider. IDP manages the identity of users & their access rights. Some of example of IDPs are Active Directory, Ping Identity, And Salesforce (Check the demo again).
SP is Service provider. Service provider provide some useful service to user and they do not manage users. SP relies on IDP to manage users. When IDP authenticate user, SP trust on IDP and do not ask for login credentials again.
From Jason : is each users Fed ID set manually like you did in the demo or would that be set via automation in a production setup?
Atul: Federation Id can be set manually as well automatically. In demo we set it up manually for simplicity. There is another aspect of provisioning where we create user on first login.
In this case we can set Federation Id automatically. As Tejas mentioned in his answer it can be set via data loader(or API) as well.
From PK : can you ask him to speak on various oauth flows
Atul: Sure. There are 8 oAuth flows in salesforce. User Agent, Web Server, JWT, Device, Asset, SAML Bearer, SAML Assertion & User Name Password flow
Each of these have specific purpose. Please find more details at : https://help.salesforce.com/articleView?id=remoteaccess_authenticate_overview.htm&type=5
From SwatiSharma : In connected app when we use Enable Oauth setting as for current demo he used Enable SAML ?
Atul: Yes, That is right. Salesforce connected app allows you to work with the SAML & oAuth. The choice is made based on what SP is supporting. Majority of IDP support both SAML & oAuth so that maximum number of SP can be used with them.
From Narayana : I am beginner of salesforce can you suggestion what is best way to learn?
I think trailhead is best way to start. Pick a topic of your interest and just get started with your trailhead journey.
From bharath kumar : If we enable login with google how do we manage it for multiple users i.e how do we get consumer key and secret for every user?
Atul: We need to setup trust only once between Salesforce and google. Once that is done all google users can login into your system as well as they are mapped with salesforce user. I used custom field to store google id on user but you can do it as per your need or even use Federation Id.
From Harshal: if any new user login then how profile assign?
Atul: We have registration handler for this. Every time user logs in registration handler is executed. We can write our business logic in registration handler and setup users as per our needs. i.e. Assign profiles, give permissions and etc.
From Saksham Mahendru : Hi.. In case Google SSO.. If any user is deactivated from G-suite, will Social SSO take case of auto deactivating salesforce user as well. Is there any setting for that..? Similarly for user creation.?
Atul:Once the user id deactivated in IDP (Google in our case) no application that only trust IDP will be able allow login to deactivated user. If you are managing Identity at SP level (this is not standard practice as it defies the purpose of SSO) the you will need to take extra effort to sync user between two system via using APIs.