Over the past few months I’ve ramped up studying for my Salesforce Architect certifications, and last week I took (and passed!) the Identity and Access Management Designer exam. I’ll be honest in saying that I didn’t expect to pass this one on the first go – I’d heard that this exam was very difficult and I didn’t have a ton of experience implementing enterprise SSO solutions. That being said, I found a ton of resources out there in the community that were helpful and true to the exam and I wanted to share those here, along with a few suggestions of my own while the exam is fresh in my mind.
Before I detail my thoughts on each section of the exam below, I want to give a shout-out to Apex Hours – they’ve created some awesome resources that were very helpful in my preparation, especially this playlist of videos that walks through key concepts. Now let's get into the deets!
Identity Management Concepts: 28%
- Describe the role(s) an identity provider and service provider play in an access control solution.
- Describe common methods for how trust connections are established between two systems and the methodologies used to describe trust between an identity provider and service provider.
- Given a scenario, articulate whether it describes an authentication, authorization, or accounting scenario and what Salesforce feature should be used to accomplish the task.
- Given a scenario, recommend the appropriate method for provisioning users in Salesforce and other third-party services (SOAP/REST API, SAML JIT, Identity Connect, User Provisioning for Connected Apps, etc.).
- Describe the risks to enterprise security that federated Single Sign-on solutions aim to address.
- Given a scenario, troubleshoot common points of failure that may be encountered in a Single Sign-on solution (SAML, OAuth, etc.).
Identity Management Concepts Notes and Resources:
This is the meat and potatoes of this exam and, in my opinion, is where you should spend the majority of your preparation time. First, you need to have a very firm grasp of identity provider vs. service provider roles. And I say a “very firm grasp” because you will be given a lot of scenarios where you are asked to identify which is which, and the questions can be vague and confusing if you aren’t confident in what these roles look like in a real-world scenario. These Service Provider Initiated and Identity Provider Initiated videos are great. Don’t get hung up on the nitty-gritty details; focus on understanding the concepts as a whole.
The other points in this section are covered well enough if you follow the recommended trailmix found here.
Accepting Third-Party Identity in Salesforce: 22%
- Describe the components of an identity management solution where Salesforce is accepting identity from a third party.
- Given a scenario, recommend the appropriate authentication mechanism when Salesforce needs to accept Third-Party Identity (Enterprise Directory, Social, Community, etc.).
- Given a scenario, recommend the appropriate method of SAML initiation to fulfill the requirements (SP-init, IdP-init.).
- Describe the components of a Delegated Authentication solution.
- Describe the risks of implementing delegated authentication.
Accepting Third-Party Identity Notes and Resources:
I know I mentioned it above but just to reiterate, understanding SP-init vs IdP-init flows will do wonders for you here!
The other area I needed to brush up on was using social identities. You should understand how you might implement social login on something like a community, and what options you have for mapping those sign-ups to contacts/accounts (or person accounts).
Also, Jitendra’s blog here is a great overview of the key points.
Salesforce as an Identity Provider: 23%
- Given a scenario, determine the most appropriate flow type to recommend when implementing an OAuth solution where Salesforce is providing identity to a third party (for example, User Agent, Web Server, JWT, etc.).
- Describe the various implementation concepts of OAuth (for example; scopes, secrets, tokens, refresh tokens, token expiration, token revocation, etc.).
- Describe the role(s) Connected Apps play when Salesforce needs to provide identity to a third-party system.
- Given a scenario, recommend the Salesforce technologies that should be used to provide identity to the third-party system (Canvas, Connected Apps, App Launcher, etc.).
Salesforce as an Identity Provider Notes and Resources:
So going into this I thought that I knew quite a bit about OAuth. I’d implemented OAuth a number of times, both within Salesforce and in other applications. All of that was a good starting point, and if you haven’t worked with OAuth before, doing a mock implementation can be a good way to get familiar with scopes, secrets, refresh tokens, etc.
The part that I was significantly less familiar with is identifying the most appropriate OAuth flow for a particular situation. There were a number of questions directly related to this on the exam, so I’m grateful that I spent some time brushing up on these. Apex Hours created this post that has a chart showing which flow is best for certain scenarios – memorize it. The accompanying video also does a good job explaining why you would use one flow over another.
Access Management Best Practices: 15%
- Describe the risks that Two-Factor Authentication mechanisms aim to mitigate.
- Given a scenario, determine the most appropriate Two-Factor Authentication mechanism for an identity solution.
- Given a scenario, identify the risks and mitigation strategies that session security and Two-Factor Authentication enable (for example; High Assurance Sessions, 2FA, etc.).
This section is pretty self-explanatory and I think it's covered well by the trailmix. You should know how to implement 2FA. One callout is that you should also make sure you understand Login IP ranges and what options you have for setting up multiple ranges for different populations of users / scenarios (e.g. mobile apps).
Salesforce Identity: 7%
- Given a scenario, recommend the most appropriate Salesforce license type(s) to support the identity requirements.
- Describe the role(s) Identity Connect plays in an Identity Management solution.
The most important piece here is understanding how to use Identity Connect in conjunction with Active Directory. I’ve never used Active Directory myself and have only implemented the SFDC portion, but that's all you really need to know. You should know what options you have to map users, profiles, permission sets, etc. from Active Directory into Salesforce. Don't get too hung up on the details of the Active Directory side, as it's not needed.
Community (Partner and Customer): 5%
- Describe the capabilities for customizing the registration experience for external communities (for example; Branding options, self-registration, communications, etc.).
Self-registration is the key here. You should know how contacts are created and mapped to Accounts when using self-registration. Also know how to use person accounts with self-registration.
If you haven’t implemented SSO or worked with OAuth before, this exam can be a doozy. The exam touches on a lot of areas of Salesforce that I think a lot of people don’t use in their day to day work which makes it hard to draw on your experience during the test. The good news is that the exam outline provided by Salesforce is very well defined and accurate, so if you can read through the topic prompts and explain each concept at a high level, you’ll do great.
Now that I’ve taken and passed the exam, I think I would have focused less on the really detailed development aspects of implementation. I spent a lot of time making sure I knew methods and parameters and whatever else I thought might come up for something like OAuth, and it just wasn’t necessary. And I think that makes sense – these exams are meant to test your ability to architect solutions, so keep your studies zoomed out.
Let me know your thoughts on the exam below. And if you are sitting for the test here in the near future, best of luck!