
1. MECE Decision Tree
1.1. User Identity
1.1.1. Into Salesforce
1.1.1.1. From IdP
1.1.1.2. From OIDP
1.1.1.3. From Another System
1.1.2. Into Another System
1.2. Integration Security
1.2.1. Inter System Security
1.2.1.1. Marketing Cloud
1.2.1.1.1. MC Connect
1.2.1.1.2. SSO
1.2.1.2. Pardot
1.2.1.2.1. Salesforce Pardot Connector
1.2.1.3. Box
1.2.1.4. Heroku
1.2.1.4.1. Heroku Connect
1.2.2. ETL
1.2.3. ESB
1.2.4. SF Connect
1.2.5. Canvas App
1.3. Data Access
1.3.1. Record Access
1.3.1.1. Declarative Sharing
1.3.1.1.1. Knowledge Sharing
1.3.1.1.2. Territory Management
1.3.1.2. Programmatic Sharing
1.3.1.3. Manual Sharing
1.3.2. OLS & FLS
1.3.3. FLS
1.3.4. Upload and Share Files
1.3.4.1. File Sharing Architecture
1.4. Shield
1.5. Classic Encryption
1.6. Programming Security
1.7. Queue
2. Org Setup
2.1. Set up Company
2.1.1. Allow Required Domains
2.1.2. Permissions for UI Elements, Records, and Fields
2.2. Manage Users
2.2.1. User Management Administration
2.2.2. User Management Settings
2.2.2.1. Enable User Self-Deactivation
2.2.2.2. Personal User Information Policies and Timelines
2.2.2.2.1. Personal User Information Considerations
2.2.2.3. Manage Personal User Information Visibility for External Users
2.2.2.3.1. Store Customers' Data Privacy Preferences
2.2.2.3.2. Classify Sensitive Data to Support Data Management Policies
2.2.2.4. Hide Personal User Information from External Users (Retire after Winter 22)
2.2.2.5. Let Users Scramble Their User Data
2.2.2.6. Enable Contactless Users
2.2.2.7. Limit Profile Details to Required Users
2.2.2.8. Restrict Permissions Cloning in Profiles
2.2.2.9. Enable the Email Domain Allowlist
2.2.3. View and Manage Users
2.2.3.1. Guidelines for Adding Users
2.2.3.2. Considerations for Editing Users
2.2.3.3. Considerations for Deactivating Users
2.2.3.4. Managing Contactless Users
2.2.3.5. Restrict User Email Domains
2.2.4. Licenses Overview
2.2.5. Delegated Administrative Duties
2.2.5.1. Define Delegated Admin Groups
2.3. Manage Data Access
2.3.1. Control Who Sees What
2.3.2. User Permissions and Access
2.3.2.1. User Permissions
2.3.2.2. Object Permissions
2.3.2.3. Field Permissions
2.3.2.4. Revoke Permissions and Access
2.3.3. Profiles
2.3.3.1. Edit Session Settings in Profiles
2.3.4. Permission Sets
2.3.4.1. Session Based Permission Set
2.3.5. Permission Set Groups
2.3.5.1. Muting Permission Set
2.3.5.2. Permission Set Group Status and Recalculation
2.3.5.3. Permission Set Group Consideration
2.3.5.4. Session-Based Permission Set Groups
2.3.5.5. Permission Set Group and Combined Permissions View
2.3.6. What Determines Field Access
2.3.6.1. Field Level Security
2.3.7. What Is a Group
2.3.7.1. Public Group Considerations
2.3.7.2. Sharing Records with Manager Groups
2.3.8. Sharing Settings
2.3.8.1. Sharing Considerations
2.3.8.1.1. Who Has Access to Account Records
2.3.8.2. OWD
2.3.8.2.1. Set Your Internal OWD
2.3.8.2.2. External OWD
2.3.8.2.3. OWD Access Setting
2.3.8.3. Controlling Access Using Hierarchy
2.3.8.3.1. Assign Users to Roles
2.3.8.3.2. Guideline for Success with Roles
2.3.8.3.3. Role and Territory Sharing Groups
2.3.8.3.4. Managers in the Role Hierarchy
2.3.8.4. Sharing Rules
2.3.8.4.1. Sharing Rule Types
2.3.8.4.2. Sharing Rule Consideration
2.3.8.5. Recalculate Sharing Rules
2.3.8.6. Manual Sharing
2.3.8.7. User Sharing
2.3.8.8. Manage Additional Sharing Settings
2.3.8.8.1. Control Manual Sharing for User Record
2.3.8.9. Viewing Sharing Overrides
2.3.8.9.1. Example Object Sharing Setting Page
2.3.8.10. Built-in Sharing Behavior
2.3.8.11. Insufficient Privilege Errors
2.3.8.12. Managing Folders for Reports, Dashboards, Files, Email Templates
2.3.9. Restriction Rules
2.3.9.1. Restriction Rule Considerations
2.4. My Domain
2.4.1. My Domain Considerations
2.4.2. Set up My Domain
2.4.3. Salesforce Edge Network
2.4.4. Enhanced Domains
2.4.5. Configure My Domain Settings
2.4.5.1. Set up My Domain Login and Redirect Policies
2.4.5.2. Create an Interview-Based Login Page with My Domain Login Discovery
2.4.5.3. Add Identity Providers to the My Domain Login Page
2.4.5.4. Customize Your My Domain Login Page for Mobile Auth Methods
2.4.6. My Domain URL Formats
2.4.7. Manage My Domains: Site Domains
2.4.7.1. Add a Domain
2.4.7.2. Options to Serve a Custom Domain
2.4.7.3. Enable External HTTPS on a Domain
2.4.7.4. Naked Domains
2.4.7.5. Add a Custom URL
2.4.7.6. Manage Domains and Custom URL
2.4.7.7. Test Custom Domain in a Sandbox
2.4.7.8. Delete a Domain
2.4.7.9. Deleting Custom URL
2.5. Protect Your Org
2.5.1. Security Basics
2.5.1.1. Manage Redirects to External URLs
2.5.1.2. Health Check
2.5.1.3. Auditing
2.5.2. Security Center
2.5.3. Einstein Data Detect
2.5.4. Shield Platform Encryption
2.5.4.1. What You Can Encrypt
2.5.4.2. How Encryption Works
2.5.4.3. Set up Your Encryption Policies
2.5.4.3.1. Generate a Tenant Secret with Salesforce
2.5.4.3.2. Manage Tenant Secret by Type
2.5.4.3.3. Encrypt New Data in Standard Fields
2.5.4.3.4. Encrypt Fields on Custom Objects and Custom Fields
2.5.4.3.5. Encrypt Custom Fields in Installed Managed Packages
2.5.4.3.6. Encrypt Tableau CRM Data
2.5.4.3.7. Fix Blockers
2.5.4.4. Filter Encrypted Data with Deterministic Encryption
2.5.4.5. Key Management and Rotation
2.5.4.5.1. Rotate Key
2.5.4.6. Shield Platform Encryption Customizations
2.5.4.7. Encryption Trade-offs
2.5.5. Session Security
2.5.5.1. Modify Session Security Settings
2.5.5.2. Enable Browser Security Settings
2.5.5.3. Set Trusted IP Ranges for Your Organization
2.5.5.4. Require High-Assurance Session Security for Sensitive Operations
2.5.5.5. User Sessions
2.5.5.6. User Session Types
2.5.5.7. Frontdoor.jsp
2.5.6. Private Connect
2.5.7. Activation
2.5.8. Transaction Security (Legacy)
2.5.9. Real Time Event Monitoring
2.5.9.1. Real-Time Event Monitoring Definitions
2.5.9.2. Considerations for Using Real-Time Event Monitoring
2.5.9.3. Enable Access to the Real-Time Event Monitoring
2.5.9.4. Stream and Store Event Data
2.5.9.5. Create Logout Event Triggers
2.5.9.6. How Chunking Works with ReportEvent and ListViewEvent
2.5.9.7. Enhanced Transaction Security
2.5.9.7.1. Transaction Security Policy with Condition Builder
2.5.9.7.2. Create an Enhanced Transaction Security Policy with Apex Trigger [+ Queueable]
2.5.9.7.3. Enhanced Transaction Security Metering
2.5.9.8. Threat Detection
2.5.10. Remote Site Settings
2.5.11. CSP Trusted Sites
2.5.12. Named Credentials
2.5.12.1. Define a Named Credential
2.5.12.2. Choose an Authentication Protocol
2.5.12.3. Grant Access to Authentication Settings for Named Credentials
2.5.13. Certificates and Keys
2.5.13.1. Generate a Self-Signed Certificate
2.5.13.2. Generate a Certificate Signed by a Certificate Authority
2.5.13.3. Set up a Mutual Authentication Certificate
2.5.13.4. Configure Your API Client to Use Mutual Authentication
2.5.13.5. Manage Master Authentication Keys for Classic Encryption
2.5.13.6. Replace the Default Proxy Certificate for SAML SSO
2.6. Monitor Your Org
3. Experience Cloud
3.1. Understand the Basics
3.2. Plan & Prepare
3.3. Set up & Configure
3.3.1. Update Org-Wide Experience Cloud Site Settings
3.3.1.1. Set the Default Number of Site Roles
3.3.1.2. Set up Custom Roles
3.3.1.3. Enable Super User Access
3.3.1.3.1. Grant Super User Access to Customer Users
3.3.1.4. Enable Report Options for External Users
3.3.1.5. Allow Customers to Change Case Status
3.3.1.6. Use the Convert External User Access Wizard
3.3.1.7. About High-Volume Community or Site Users
3.3.1.8. Set up Sharing Sets
3.3.1.9. Use Share Groups to Share Records Owned by High Volume Experience Cloud Site Users
3.3.2. Experience Cloud Site Setup Basics
3.3.2.1. Sharing CRM Data in an Experience Cloud Site
3.3.2.2. Create Experience Cloud Site Users
3.3.2.2.1. Upgrade Community User Licenses
3.3.2.2.2. Communities License Limitations
3.3.2.2.3. Experience Cloud Site User Account Ownership Limitations
3.3.2.3. Add Members to your Experience Cloud Site
3.3.2.3.1. How do external Experience Cloud site members get login information?
3.3.2.4. Customize Email Sent from Experience Cloud Sites for Email
3.3.2.5. Enable Notifications in Experience Cloud Sites
3.3.2.6. Enable App Launcher in Experience Cloud Sites
3.3.2.7. Redirect Users to your Experience Cloud Sites
3.3.2.8. Enable Optional Experience Cloud Site Features
3.3.2.8.1. Share Nickname Instead of Full Names in an Experience Cloud Site
3.3.2.8.2. Work with Files in Your Experience Cloud Site
3.3.2.8.3. Configure Custom Domain for Your Experience Cloud Site
3.3.3. Configure Login, Self-Registration, and Password Management
3.3.3.1. Customize Login Experience
3.3.3.2. Self Registration
3.3.3.2.1. Create Person Accounts for Self-Registering Users
3.3.3.2.2. Use Configurable Self-Reg Page for Easy Sign-up
3.3.3.2.3. Verify Member Identity for Self Registration
3.3.3.2.4. Customize the Experience Cloud Site Self-Registration Process with Apex
3.3.3.2.5. Best Practice and Consideration when Configuring Self-Registration
3.3.3.3. Customize Code for Lightning Components on Login Pages
3.3.4. Access Experience Cloud sites in Mobile App
3.3.5. Enable Other Salesforce Features in Experience Cloud Site
3.3.5.1. Enable Cases for Experience Site Users
3.3.5.2. Restrict Experience Cloud Site User Access to Cases
3.3.5.3. Assign a Default Experience to a User Profile
3.3.5.4. Enable Direct Messages in Your Experience Cloud Site
3.3.5.5. Enable Salesforce Knowledge in Your Experience Site
3.3.5.6. Hiding Fields in Lightning Knowledge Search Results
3.3.5.7. Set up Approvals for External Users
3.4. Secure Your Site
3.4.1. Enable Clickjack Protection
3.4.2. Authenticate Experience Cloud Site Users
3.4.2.1. SAML SSO
3.4.2.2. Auth. Providers using OIDC
3.4.2.3. OAuth Authentication Flow for Mobile App based on Site ==> External User OAuth
3.4.3. Encrypt Data: Shield
3.4.4. CSP and Lightning Locker
3.4.4.1. CSP: Content Security Policy; XSS: Cross Site Scripting
3.4.4.2. CSP and Lightning Locker Design Considerations
3.4.4.3. Allowlist Third-Party Hosts for Experience Builder Sites
3.4.4.4. Select a Security Level in Experience Builder Site
3.4.5. Experience Cloud Cookies
3.4.6. Guest Users
3.4.6.1. Guest User Security Policies
3.4.6.2. Give Secure Access to Unauthenticated Users with the Guest User Profile
3.4.6.2.1. Sharing Settings -> Secure guest user record access
3.4.6.2.2. Experience Builder -> Settings -> General -> Guest User Profile
3.4.6.2.3. Best Practices and Considerations When Configuring the Guest User Profile
3.4.6.2.4. Configure the Site Guest User Record
3.4.6.3. Assign Records Created by Guest Users to a Default User in the Org & Best Practices
3.4.6.4. Secure Data Accessible by Guest Users - Guest User Access Report on AppExchange
3.4.6.5. SEO Best Practice: Search engine is Guest User
3.4.6.6. Control Public Access to Site
3.4.6.6.1. Experience Builder Sites Search Best Practices and Considerations for Guest Users
3.4.6.6.2. Set Up Web-to-Case for Guest Users in an Experience Builder Site
3.4.6.7. Chatter and Discussions Best Practices and Considerations for Guest Users
3.4.6.7.1. Object-specific Security Best Practice for Guest User
3.4.6.7.2. Files Best Practices and Considerations for Guest Users
3.4.6.8. Test Guest User Access
3.4.6.9. Control Which Users Site Users Can See
3.4.6.9.1. Control User Visibility in Your Experience Cloud Site
3.4.6.9.2. Site User Visibility Best Practices for Guest Users
3.5. Templates
3.6. Experience Builder
3.7. Performance
3.8. Connect Your External CMS to Your Experience Builder Site
3.8.1. CORS: Cross Origin Resource Sharing
3.8.2. Create a CMS Connection: Authenticate with a Named Credential
3.9. Lightning Bolt
3.10. Experience Management
3.11. Marketing Cloud Integration with Journey Builder
3.12. Insights for Engagement
3.13. Site Moderation Strategies and Tools
3.14. Topics
3.15. Recommendations
3.16. Gamification
3.17. Reporting
3.18. Delegate Management to External Users
3.18.1. Delegated External User Admin
3.18.2. Delegated Account Management
3.18.2.1. Manage Members in Account Management
3.18.2.2. Manage Partner Brand in Account Management
3.18.3. Account Switcher
3.18.3.1. Object: External Managed Account
3.19. Manage Partner Relationships
3.19.1. Prep Your Org for a Partner Site
3.19.1.1. Set up the Channel Manager Role
3.19.1.2. Create Partner Accounts
3.19.1.3. Create Partner Users
3.19.1.3.1. Partner User Roles
3.19.1.4. Configure an External Account Hierarchy
3.19.1.5. Grant Super User Access to a Partner User
3.19.1.6. Optimize Account Roles to Improve Performance and Scale
3.19.1.6.1. Sharing Considerations for Using Account Role Optimization in Experience Cloud Sites
3.19.1.6.2. Use a Shared Person Account Role for Community Users
3.19.1.6.3. View Shared Account Records in Your Experience Cloud Site
3.19.1.6.4. Considerations When Using Account Relationships and Data Sharing Rules
3.19.1.6.5. Best Practice for Account Relationship
3.19.2. Account Relationships and Account Relationship Data Sharing Rules
3.19.2.1. Configure Account Relationship Data Sharing Rules
3.19.2.2. Create an Account Relationship
3.20. Guided Setup
3.21. Manage Customer Relationship
3.22. Customer Access to Knowledge Base
3.23. Educate Users
4. Mobile Security
4.1. Mobile App Permissions
4.2. Communication Security: HTTPS
4.3. Authentication
4.3.1. OAuth Pairing
4.3.1.1. Access Token Expiration: 2hr, 15m-24hr
4.3.1.2. Refresh Token Policies
4.3.2. SSO or Delegated Authentication
4.3.3. Certificates & Keys
4.3.4. IdP & SP
4.3.5. Inactivity Lock
4.3.6. Session Cookie for Visualforce
4.3.7. Restrict Device Platforms
4.4. App Data Storage
4.4.1. Local Data Protection on Mobile
4.4.2. Remote Wipe
4.5. MDM
4.5.1. Prerequisites for Android
4.5.2. Certificate Based Authentication
4.5.3. Automatic Custom Host Provisioning
4.5.4. Clear Clipboard
4.5.5. Sample Property List Configuration
4.6. Mobile App Management (MAM add-on)
4.7. Mobile Connected Apps: Attributes
4.8. Best Practice & Troubleshooting
5. Prevent Users from accessing the Salesforce App
6. Security Guide
6.1. Security Basics
6.1.1. Phishing and Malware
6.1.2. Security Health Check
6.1.3. Auditing
6.1.4. Salesforce Shield
6.2. Authenticate Users
6.2.1. MFA
6.2.2. SSO
6.2.3. Custom Login Flow
6.2.4. Connected Apps
6.2.5. Password
6.2.6. Device Activation
6.2.7. Session Security
6.3. Give Users Access to Data
6.3.1. Control Who Sees What
6.3.2. User Permissions
6.3.2.1. User Permissions and Access
6.3.2.2. Permission Sets
6.3.3. Object Permissions
6.3.3.1. View All & Modify All
6.3.3.2. Comparing Security Models
6.3.4. Custom Permissions
6.3.4.1. Custom Permission in Formula and Validation Rules
6.3.4.2. Custom Permission Controlling Component Visibility
6.3.5. Profiles
6.3.5.1. Assign Record Types and Page Layouts in the Enhanced Profile User Interface
6.3.5.2. App and System Settings in the Enhanced Profile User Interface
6.3.5.3. Search in the Enhanced Profile User Interface
6.3.5.4. View and Edit Login Hours in the Enhanced Profile User Interface
6.3.5.5. Restrict Login IP Ranges in the Enhanced Profile User Interface
6.3.6. Create a User Role
6.4. Share Objects & Fields
6.4.1. FLS
6.4.1.1. Classic Encryption for Custom Field
6.4.2. Sharing Rules
6.4.2.1. Sharing Rule Types
6.4.2.2. OBS
6.4.2.3. CBS
6.4.2.4. Guest User Sharing Rules
6.4.2.5. Sharing Rule Categories
6.4.2.6. Editing Sharing Rules
6.4.2.7. Sharing Rules Considerations
6.4.2.8. Recalculate Sharing Rules
6.4.2.9. Asynchronous Parallel Recalculation of Sharing Rules
6.4.3. User Sharing
6.4.3.1. Understand User Sharing
6.4.3.2. External OWD
6.4.4. What is a group?
6.4.5. Manual Sharing
6.4.6. OWD
6.5. Shield Platform Encryption
6.6. Monitoring Security
6.7. Real Time Event Monitoring
6.8. Apex & Visualforce Security
6.9. Territory Management
7. External Identity
7.1. Prepare a Developer Org
7.1.1. Custom SSL Domain
7.2. Create a Branded Login Page
7.2.1. Choose a Login Page Type
7.2.2. Brand Login Page with the Admin Workspace
7.2.2.1. Use Login Discovery to Simplify Login
7.2.2.2. Extend the Login Discovery Handler in Apex
7.2.2.2.1. Auth.LoginDiscoveryHandler
7.2.3. Brand Login Page with Experience Builder
7.2.4. Control User Access to Your Experience Site
7.3. Customize Login Pages in Apex for Full Control
7.3.1. Create a Custom Login Page in Visualforce
7.3.1.1. Github: Basic Custom Login
7.3.2. Choose a Passwordless Login Implementation
7.3.3. Create a Custom Passwordless Login Page
7.3.3.1. Passwordless Login Coding Considerations
7.3.4. Create a Custom Identity Verification (Verify) Page
7.3.5. Add Dynamic Branding to Custom Login Page
7.3.5.1. Extend an Endpoint with the Experience ID
7.4. Embedded Login
7.4.1. How to Implement Embedded Login
7.5. Customer Login Page with Dynamic URLs
7.5.1. Dynamic Branding for Multiple Brands
7.5.2. Create Dynamic URLs with Workspaces
7.6. Enable Self Registration
7.6.1. Choose a Self-Registration Type
7.6.2. Add a Self-Registration Page
7.6.2.1. Add Fields to Collect Additional Information
7.6.2.2. Add a Password Field to Enable Login Directly During Registration
7.6.3. Use the Configurable Self-Reg Page for Easy Sign-Up
7.6.3.1. Extend the Configurable Self-Reg Handler in Apex
7.6.3.2. Auth.ConfigurableSelfRegHandler
7.7. Enable Self Registration for B2C Users
7.7.1. Enable Person Account
7.7.2. Configure Self-Registration for Person Account
7.8. Create Custom Error Messages in the Login Discovery and Self Registration Handlers
7.9. Set up SSO for Users
7.9.1. Social Sign-On
7.9.2. Create an Auth. Provider
7.9.3. Customize Your Registration Handler
7.9.4. Enable Your Auth. Provider for Your Site
7.9.5. Accept User Identity with SAML and JIT Provisioning
7.10. Set up SSO for Apps
7.10.1. Set up SSO and Access for Mobile Apps
7.10.1.1. Create a Connected App for Your Mobile App
7.10.1.2. Install the Salesforce Mobile SDK
7.10.1.3. Create a Mobile App
7.10.1.4. Configure Your Mobile App to Point to your Site
7.10.2. Set up SSO and Access for your Web App
7.10.2.1. Create a Connected App for Your Web App
7.10.2.2. Create a Sample Service Provider on Heroku
7.10.2.3. Configure Salesforce Identity to Provide Identity for Your App
7.10.2.4. Authorize Your Web App
7.10.2.5. Configure Your App to Trust Salesforce Customer Identity
7.10.2.6. Personalize Your App with Custom Attributes
7.10.2.7. More about SSO for Your Web App
7.11. Activate Site
7.12. View Users' Identity Verification Methods
7.13. Manage Sites for Salesforce Customer Identity
7.13.1. Create Lightweight Contactless Users
7.13.2. Upgrade a Contactless User to a Community License
7.13.3. Downgrade Users with Community Licenses to Contactless Users
8. Identity & Access
8.1. Who Is Salesforce Identity For?
8.1.1. Identity for Employees (Note: The External Identity license applies to Experience Cloud users who don't already have a community license.)
8.2. Salesforce Identity Licenses
8.2.1. Identity Only License
8.2.2. External Identity License
8.2.3. Identity Verification Credits Add-On License
8.2.4. Identity Connect License
8.3. Multi-Factor Authentication
8.3.1. Multi-Factor Authentication Customizations
8.3.1.1. Enable MFA for Direct User Logins
8.3.1.2. Enable MFA with Session Security Levels
8.3.1.3. Set MFA for API Access
8.3.1.4. Use SSO IdP MFA
8.3.1.5. Use Salesforce MFA for SSO
8.3.1.6. MFA with APEX
8.3.2. Use a Built-In Authenticator as a Verification Method (Beta)
8.3.3. Use U2F Security Keys as a Verification Method
8.3.4. Register Verification Methods for MFA
8.3.4.1. Salesforce Authenticator
8.3.5. Verify Identity with a TOTP Authenticator App, e.g., Google Authenticator
8.3.6. Disconnect MFA
8.3.7. Generate a Temporary Identity Verification Code
8.3.8. Expire a Temporary Verification Code
8.3.9. Delegate MFA Tasks
8.4. Identity Connect
8.5. Custom Login Flows
8.5.1. Create a Login Flow
8.5.2. Custom Login Flow with Visualforce
8.5.3. Setup Login Flow and Connect to Profiles
8.5.4. Login Flow Examples
8.5.4.1. TwoFactorInfo
8.5.4.2. TOTPPlugin
8.5.4.3. Integrate 3rd Party Strong Auth. Method
8.5.4.4. Login Flow Samples Package
8.5.5. Limit the Number of Concurrent Sessions with Login Flows
8.5.5.1. loginflow_forcelogout
8.5.5.2. AuthSession: Can kill sessions!
8.5.6. Login Flow (Old Version)
8.5.6.1. Login Flow for IP Based MFA
8.5.6.1.1. Process.Plugin? Not InvocableMethod?
8.5.6.2. Auth.SessionManagement
8.6. Login Access
8.6.1. Login Access Policies
8.7. Manage User Password
8.7.1. Set Password Policies
8.7.1.1. Reset Password for Users
8.7.1.2. Expire Passwords for all Users
8.8. Lightning Login for Password-Free Login
8.8.1. Enable Lightning Login
8.8.2. Enroll in Lightning Login
8.8.3. Cancel a User's Lightning Login Enrollment
8.9. Certificate-Based Authentication
8.9.1. Enable Certificate-Based Authentication
8.9.2. Upload a User Authentication Certificate
8.9.3. Add Certificate-Based Authentication to Your My Domain Login Page
8.9.4. View Details About User Authentication Certificates
8.9.5. Download a User Authentication Certificate
8.9.6. Rename User Authentication Certificates
8.9.7. Delete User Authentication Certificates
8.9.8. Log In to Your Org with Certificate-Based Authentication
8.10. App Launcher
8.11. Manage API Access
8.11.1. Restrict Access to APIs with Connected Apps
8.11.2. Restrict Customers and Partners from Accessing APIs
8.12. Manage User Identities with SCIM
8.13. Customer Identity
8.13.1. Customize Login Page
8.13.1.1. Choose a Login Type
8.13.1.2. Brand Your Login Page with the Admin Workspace
8.13.1.2.1. Login Discovery
8.13.1.2.2. Extend the Login Discovery Handler in Apex
8.13.1.3. Brand Your Login Page with Experience Builder
8.13.1.4. Control User Access to Your Experience Site
8.13.2. Customize Login Pages in Apex for Full Control -- Need Use Cases
8.13.2.1. Custom Login in Github
8.13.2.2. Choose Your Passwordless Login Implementation
8.13.2.2.1. UserManagement.verifyPasswordlessLogin
8.13.2.2.2. UserManagement initVerification & verifyVerification
8.13.3. Embedded Login
8.13.4. Customize Login Page with Dynamic URL
8.13.5. Enable Self Registration
8.13.6. Enable Self Registration for B2C Users
8.13.7. Create Custom Error Messages in the Login Discovery and Self-Registration Handler
8.13.8. Set up SSO for Your Users
8.13.9. Set up SSO for your Apps
8.13.9.1. Mobile App
8.13.9.2. Web App
8.13.10. View Your Users' Identity Verification Methods
8.13.11. Manage Sites for Salesforce Customer Identity
8.14. Customer Identity Plus
8.14.1. Integrate Experience Cloud with Auth0
8.15. Monitor Access to Orgs & Sites
8.15.1. Monitor Login History
8.15.2. Login History Report Codes
8.15.3. Define Identity Verification Settings for Your Orgs and Experience Cloud Sites
8.15.4. System.UserManagement
8.15.4.1. Verify Email Addresses with Async Email
8.15.5. Monitor Identity Verification History
8.15.6. See How Your Users Are Verifying Their Identity
8.15.7. Use the Identity Provider Event Log
8.15.8. Device Activation
8.15.9. Mobile Device Tracking
8.15.9.1. View Devices with Mobile Device Tracking
8.15.9.2. Manage Device Access with Mobile Device Tracking
8.15.9.3. Use Visualforce with Mobile Device Tracking
8.15.9.4. Create Custom Reports for Mobile Device Tracking
8.15.10. Monitor Apps and Run Reports
8.15.10.1. Create an Identity Users Report
8.15.10.2. Track Mobile Logins from Salesforce for Android and iOS App
9. Identity & Access: OAuth & SSO
9.1. Connected Apps
9.1.1. Connected App Use Cases
9.1.2. Create a Connected App
9.1.2.1. Configure Basic Connected App Settings
9.1.2.2. Enable OAuth Settings for API Integration
9.1.2.3. Integrate Service Providers with Connected Apps with SAML 2.0
9.1.2.4. Integrated Service Providers as Connected App with OpenID Connect
9.1.2.5. Create a Connected App for Mobile App Integration
9.1.2.6. Create a Custom Connected App Handler
9.1.2.6.1. ConnectedAppPlugin
9.1.2.7. Expose Your Connected App as a Canvas App
9.1.3. Edit a Connected App
9.1.3.1. Restrict Access to Trusted IP Ranges for a Connected App
9.1.3.2. Add Custom Attributes to a Connected App
9.1.3.3. Delete a Connected App
9.1.4. Manage Access to a Connected App
9.1.4.1. Manage a Third-Party Connected App
9.1.4.2. Install a Connected App
9.1.4.3. Uninstall a Third-Party Connected App
9.1.4.4. Manage Start URL Setting for a Connected App
9.1.4.5. Manage OAuth Access Policies for a Connected App / Canvas App
9.1.4.6. Connected App IP Relaxation and Continuous IP Enforcement
9.1.4.7. Manage Session Policy for a Connected App
9.1.4.8. Manage Mobile Policy for a Connected App
9.1.4.9. Manage Access through a Custom Connected App Handler
9.1.4.10. Manage Other Access Settings for a Connected App
9.1.4.11. User Provisioning for Connected Apps
9.1.4.11.1. User Provisioning for Connected Apps
9.1.4.11.2. Manage User Provisioning Requests
9.1.4.11.3. Create User Provisioning for Connected Apps Custom Reports
9.1.4.12. Manage Current OAuth Connected App Sessions
9.1.4.13. Manage OAuth-Enabled Connected Apps Access to Your Data
9.1.5. Send Notifications to a Connected App
9.1.5.1. Send Mobile Push Notification
9.1.5.1.1. Configure iOS Push Notification
9.1.5.2. Send Custom Notification with Notification Builder Platform
9.1.6. Connected App and OAuth Terms
9.2. Authorize Apps with OAuth
9.2.1. OAuth Authentication Flows
9.2.1.1. OAuth 2.0 Web Server Flow for Web App Integration
9.2.1.2. OAuth 2.0 User-Agent Flow for Desktop or Mobile App Integration
9.2.1.3. OAuth 2.0 Refresh Token Flow for Renewed Session
9.2.1.4. OAuth 2.0 Authorization and Session Management for Hybrid Apps
9.2.1.4.1. OAuth 2.0 Hybrid App Token Flow for Web Session Management
9.2.1.4.2. OAuth 2.0 Hybrid App Refresh Token Flow
9.2.1.5. OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration
9.2.1.6. OpenID Connect Dynamic Client Registration for External API Gateways
9.2.1.7. Generate an Initial Access Token
9.2.1.8. OpenID Connect Token Introspection
9.2.1.9. OAuth 2.0 Device Flow for IoT Integration
9.2.1.10. OAuth 2.0 Asset Flow for Securing Connected Devices
9.2.1.11. Demo the Asset Token Flow
9.2.1.12. OAuth 2.0 Username-Password Flow for Special Scenarios
9.2.1.13. OAuth 2.0 SAML Bearer Assertion Flow for Previously Authorized Apps
9.2.1.14. SAML Assertion Flow for Accessing the Web Service API
9.2.1.15. OAuth 1.0 Flow
9.2.1.16. Sundial Diagrams
9.2.1.16.1. UA/SSO
9.2.2. OAuth Tokens and Scopes
9.2.3. Revoke OAuth Tokens
9.2.4. OAuth Custom Scope
9.2.5. Identity URL
9.2.6. OAuth Endpoints
9.2.7. Enable CORS for OAuth Endpoints
9.2.8. Query for User Information
9.2.9. Query for the OpenID Connect Configuration
9.2.10. Query SAML Authentication Settings
9.3. Single Sign-On
9.3.1. SSO Use Cases
9.3.2. SSO Terms
9.3.3. SSO FAQs
9.3.4. Require Users to Log in with SSO
9.3.5. SAML SSO Flows
9.3.6. Salesforce as SP
9.3.6.1. SAML SSO with SF as SP
9.3.6.1.1. Gather Information from Your Identity Provider
9.3.6.1.2. Customize SAML Start, Login, Logout, and Error Page
9.3.6.1.3. Example SAML Assertion
9.3.6.1.4. Configure SF as SP with SAML SSO
9.3.6.1.5. View and Edit SSO Settings
9.3.6.1.6. Review Login History
9.3.6.1.7. Configure SSO using ADFS
9.3.6.1.8. JIT Provisioning for SAML
9.3.6.2. Auth. Providers for SF as SP
9.3.6.2.1. Use Salesforce Managed Authentication Providers
9.3.6.2.2. Choose an Authentication Provider
9.3.6.2.3. Add Request Parameters to an Authentication Provider
9.3.7. Salesforce as IdP
9.3.7.1. Integrate Service Providers as Connected Apps with OpenID Connect
9.3.7.2. Salesforce as a SAML IdP
9.3.7.2.1. Enable Salesforce as a SAML Identity Provider
9.3.7.2.2. Prerequisites for Integrating Service Providers with SAML
9.3.7.2.3. Integrate Service Providers as SAML-Enabled Connected Apps
9.3.7.2.4. Map Salesforce Users to the SAML Service Provider
9.3.8. Salesforce as both IdP and SP
9.3.8.1. Create an Identity Provider Chain
9.3.8.2. Configure SAML SSO between SF Orgs & Sites
9.3.8.3. Configure a Salesforce Auth. Provider
9.3.9. SSO for Portals and Sites
9.3.9.1. Enable SSO for Sites
9.3.10. Single Logout
9.3.11. Delegated Authentication
9.3.11.1. FAQ on Delegated Authentication
9.3.11.2. Configure Delegated Authentication
9.3.11.3. Setup: Delegated Authentication Error History