Friday, May 17, 2019

My session on Identity Flows + Q&A


My session on Identity Flows @ Apexhours:


Here are answers to a few questions we were not able to cover during the session.

From Ybandopantpatil: What is IDP org and SP org?
Atul: IDP stands for Identity Provider. An IDP manages the identity of users and their access rights. Some examples of IDPs are Active Directory, Ping Identity, and Salesforce (check the demo again).
SP stands for Service Provider. A service provider provides some useful service to the user but does not manage users; it relies on the IDP to manage them. Once the IDP has authenticated the user, the SP trusts the IDP and does not ask for login credentials again.

From Jason: Is each user's Fed ID set manually like you did in the demo, or would that be set via automation in a production setup?
Atul: The Federation Id can be set manually as well as automatically. In the demo we set it up manually for simplicity. There is another aspect of provisioning where we create the user on first login; in that case we can set the Federation Id automatically. As Tejas mentioned in his answer, it can be set via Data Loader (or the API) as well.

From PK: Can you ask him to speak on the various OAuth flows?
Atul: Sure. There are 8 OAuth flows in Salesforce: User Agent, Web Server, JWT, Device, Asset, SAML Bearer, SAML Assertion and Username-Password flow.
Each of these has a specific purpose. Please find more details at: https://help.salesforce.com/articleView?id=remoteaccess_authenticate_overview.htm&type=5

From SwatiSharma: In the connected app, when do we use the Enable OAuth setting, as for the current demo he used Enable SAML?
Atul: Yes, that is right. A Salesforce connected app allows you to work with both SAML and OAuth. The choice is made based on what the SP supports. The majority of IDPs support both SAML and OAuth so that the maximum number of SPs can be used with them.

From Narayana: I am a beginner in Salesforce; can you suggest what is the best way to learn?
Atul: I think Trailhead is the best way to start. Pick a topic of your interest and just get started with your Trailhead journey.

From bharath kumar: If we enable login with Google, how do we manage it for multiple users, i.e. how do we get the consumer key and secret for every user?
Atul: We need to set up trust only once between Salesforce and Google. Once that is done, all Google users can log in to your system as long as they are mapped to a Salesforce user. I used a custom field to store the Google ID on the User record, but you can do it as per your need or even use the Federation Id.

From Harshal: If any new user logs in, then how is the profile assigned?
Atul: We have a registration handler for this. Every time a user logs in, the registration handler is executed. We can write our business logic in the registration handler and set up users as per our needs, i.e. assign profiles, give permissions, etc.
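As an added illustration (not code shown in the session), here is what a registration handler along the lines described above could look like in Apex: it links returning users by the Google subject ID stored in a custom field, as mentioned in the earlier answer about Google login, rather than by e-mail, and gives first-time users a limited profile. The field name Google_Id__c and the profile name 'Minimal SSO User' are assumptions.

```apex
// Added example (not from the session): an Apex registration handler that links
// returning users by the provider's stable subject identifier and gives
// first-time users a deliberately limited profile.
// Assumptions: a custom field User.Google_Id__c exists, and a least-privilege
// profile named 'Minimal SSO User' exists in the org.
global class GoogleRegistrationHandler implements Auth.RegistrationHandler {
    global class RegistrationException extends Exception {}

    // Assumed profile name; point this at your least-privilege profile.
    private static final String DEFAULT_PROFILE = 'Minimal SSO User';

    // Runs on first login, when no User is yet linked to this Google identity.
    global User createUser(Id portalId, Auth.UserData data) {
        if (String.isBlank(data.identifier) || String.isBlank(data.email)) {
            throw new RegistrationException('Provider did not supply subject and email');
        }
        // Re-link only on the subject ID. Matching on e-mail alone would let
        // whoever controls that mailbox take over an existing Salesforce user.
        List<User> existing = [SELECT Id FROM User
                               WHERE Google_Id__c = :data.identifier
                               AND IsActive = true LIMIT 1];
        if (!existing.isEmpty()) {
            return existing[0]; // returning a User with an Id links it instead of creating
        }
        Profile p = [SELECT Id FROM Profile WHERE Name = :DEFAULT_PROFILE LIMIT 1];
        User u = new User();
        u.Username          = data.email;           // must be globally unique
        u.Email             = data.email;
        u.FirstName         = data.firstName;
        u.LastName          = String.isBlank(data.lastName) ? 'User' : data.lastName;
        u.Alias             = data.email.substringBefore('@').left(8);
        u.ProfileId         = p.Id;                 // never an admin profile here
        u.Google_Id__c      = data.identifier;      // stable link for future logins
        u.TimeZoneSidKey    = 'GMT';
        u.LocaleSidKey      = 'en_US';
        u.EmailEncodingKey  = 'UTF-8';
        u.LanguageLocaleKey = 'en_US';
        return u; // Salesforce inserts the record and links it to the auth provider
    }

    // Runs on every later login: refresh attributes only; never escalate
    // access from handler logic, since the provider controls these values.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = new User(Id = userId, Email = data.email, FirstName = data.firstName);
        if (!String.isBlank(data.lastName)) {
            u.LastName = data.lastName;
        }
        update u;
    }
}
```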

From Saksham Mahendru: Hi. In the case of Google SSO, if any user is deactivated from G Suite, will Social SSO take care of auto-deactivating the Salesforce user as well? Is there any setting for that? Similarly for user creation?
Atul: Once the user is deactivated in the IDP (Google in our case), no application that trusts only the IDP will be able to allow login to the deactivated user. If you are managing identity at the SP level (this is not standard practice, as it defeats the purpose of SSO), then you will need to take extra effort to sync users between the two systems via APIs.