Connected App Security Superbadge Unit
Set up a connected app and configure appropriate access levels.
What You'll Be Doing to Earn This Superbadge
- Configure a Salesforce org as an identity provider.
- Configure a Salesforce org as a service provider.
- Create and test a connected app between two orgs.
- Explain security concepts and best practices for connected apps.
Concepts Tested in This Superbadge
- Connected App Security
Prework and Notes
Sign Up for Two Developer Edition Orgs with Special Configuration
Important: Please read the instructions below carefully, as they differ from those you may have seen in other superbadges.
To complete this superbadge unit, you need two special Developer Edition orgs that contain special configuration and sample data. These Developer Edition orgs are designed to work with the challenges in this superbadge unit.
- Follow both links below to sign up for the two Developer Edition orgs.
- Fill out each form and enter an active email address.
- Tip: Include the words “primary” and “support” in the respective usernames to help distinguish each org. (Example: yourinitials + today’s date + @primary.org)
- After you fill out the forms, click Sign me up.
- When you receive the activation emails (this might take a few minutes), open them and click Verify Account.
- Complete your registration by setting your password and challenge question.
- Tip: Save your username, password, and login URL in a secure place—such as a password manager—for easy access later.
- You are logged in to your superbadge Developer Edition orgs.
Now, connect your primary Developer Edition org to Trailhead. You don’t need to connect the support org to Trailhead to pass the challenges in this superbadge unit.
Make sure you’re logged in to your Trailhead account.
In the Challenge section at the bottom of this page, select Connect Org from the picklist.
On the login screen, enter the username and password for the primary org you just set up.
On the Allow Access? page, click Allow.
On the Want to connect this org for hands-on challenges? page, click Yes! Save it. You are redirected back to the Challenge page and ready to use your new Developer Edition org to earn this superbadge.
Now that you have two Salesforce orgs with special configuration for this superbadge unit, you’re good to go.
Tips
Complete all steps in this superbadge in Salesforce Lightning Experience.
Some of the terminology used in this superbadge is descriptive and may not match the name as it appears in the user interface (UI). This is to test your knowledge of Salesforce features and ability to select the correct feature to satisfy a business need.
Descriptions must be set for all new fields, permission sets, and so on in order to pass the challenges.
Use Case
Hundreds & Thousands is a multinational sprinkle conglomerate based in the United Kingdom. The festive company produces hundreds, possibly thousands, of sprinkle varieties—rainbow sprinkles, nonpareils, sugar pearls, edible glitter, and more.
While Hundreds & Thousands has a colorful history with humble beginnings, it has long outgrown the single Salesforce org it started with years ago. The company now employs a multi-org architecture across different business units and geographic regions. Each org has a specific purpose and only the required users are granted access.
As an admin at Hundreds & Thousands, you’ve been asked to set up SAML single sign-on (SSO) between the primary org and the support org for support users using their Federation ID.
Business Requirements
This section represents the requirements for the SSO implementation between Hundreds & Thousands primary and support orgs. Your task is to configure a SAML SSO solution using a connected app so that support users can log in to the primary and support orgs with a single set of credentials.
Org Descriptions
Important: You'll make configurations in both the primary and the support orgs to complete the challenges in this superbadge unit. However, you will connect only the primary org in the Ready to Tackle This Superbadge? section.
| Org | SSO Role | Description | Theme |
|---|---|---|---|
| Primary | Identity Provider (IdP) | This org serves as a central hub for all business needs. All employees have access to this org. | Custom “Hundreds & Thousands” sprinkle theme |
| Support | Service Provider | This org houses all support cases, related data, and processes. For compliance purposes, only call center agents and managers should have access to this org. | Standard Lightning Blue theme |
As an experienced admin, you know it’s important to make sure you’re doing the right configurations in the right org to create a secure and seamless connection. Before you start, take the time to plan out your configurations and make sure you know what steps you need to take in each org.
Tips for working in multiple orgs:
- Make note of the unique My Domain URL for each org.
- Use the org themes and branding as visual cues.
Important: We don't recommend changing your org's My Domain Name for this challenge. If you do choose to deploy a new My Domain Name for your primary org, you need to disconnect and reconnect the org to Trailhead in order to reestablish the connection.
Identity Provider Setup in Primary Org
Set up the primary org so that it can be used as an IdP. Generate a self-signed certificate and make note of the metadata that you will need to configure SAML SSO in the support org.
Service Provider Setup in Support Org
The special support org you signed up for contains most of the SAML SSO configurations you need to connect the two orgs but you need to customize it to your unique orgs. You have two options:
- Update the existing SAML SSO record labeled SSO from Primary Org with the IdP certificate and unique My Domain URLs.
- Create a new SAML SSO record with a metadata file or URL downloaded from the primary org. The new record must be updated with the IdP certificate from the primary org and the correct SAML identity type (Federation ID).
To complete the setup in the support org, make sure the My Domain login page for the support org has a button that allows users to authenticate with the primary org instead of entering their username and password*. You need this to successfully test your configuration later on.
*Note: For testing purposes, keep the standard login form as an approved authentication service.
Connected App Setup
Now that you have configured the initial IdP and service provider settings, create a connected app to enable the integration between the two orgs using the SAML protocol. Use the following values for the connected app basic settings.
| Setting | Value |
|---|---|
| Connected App Name | Hundreds and Thousands Support |
| API Name | Hundreds_and_Thousands_Support |
| Contact Email | Your email address |
| Description | Manage Hundreds & Thousands support cases. |
| Logo & Icon | Service Cloud sample logo/icon |
Connected App SAML
Configure the Hundreds and Thousands Support connected app to enable the SAML protocol. Populate the appropriate Entity ID, ACS URL, Subject Type, and IdP Certificate from your initial IdP and service provider configurations to complete the connected app setup.
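As an added example (not part of the Trailhead unit or of Salesforce's own code), here is a small Python checker that parses a SAML response and confirms the values the support org's SSO record and the connected app must agree on: the IdP entity ID (Issuer), the SP entity ID (Audience), the ACS URL (Destination and Recipient), a Federation ID carried in the NameID, and the validity window. The org URLs and the sample response are constructed placeholders, and signature verification against the IdP certificate, which the real service provider performs, is deliberately left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholders standing in for the two orgs' real My Domain values.
SP_CONFIG = {"idp_entity_id": "https://primary-placeholder.my.salesforce.com",
             "sp_entity_id": "https://support-placeholder.my.salesforce.com",
             "acs_url": "https://support-placeholder.my.salesforce.com?so=PLACEHOLDER"}

def saml_time(value):
    # SAML timestamps are UTC ISO 8601, e.g. 2024-05-01T10:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_response(xml_text, cfg, now):
    """Return the list of mismatches; an empty list means the assertion fits cfg."""
    problems = []
    resp = ET.fromstring(xml_text)
    a = resp.find("saml:Assertion", NS)
    if a is None:
        return ["Response carries no Assertion"]
    if resp.get("Destination") != cfg["acs_url"]:
        problems.append("Destination does not match the ACS URL")
    if a.findtext("saml:Issuer", "", NS).strip() != cfg["idp_entity_id"]:
        problems.append("Issuer is not the primary org's entity ID")
    if not a.findtext("saml:Subject/saml:NameID", "", NS).strip():
        problems.append("Subject has no NameID, so no Federation ID to match")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg["acs_url"]:
        problems.append("SubjectConfirmationData Recipient does not match the ACS URL")
    aud = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS)
    if aud.strip() != cfg["sp_entity_id"]:
        problems.append("Audience is not the support org's entity ID")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter")):
        problems.append("assertion is outside its NotBefore/NotOnOrAfter window")
    return problems

# Constructed sample response from the primary org (unsigned, for illustration only).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{SP_CONFIG['acs_url']}"><saml:Assertion>
  <saml:Issuer>{SP_CONFIG['idp_entity_id']}</saml:Issuer>
  <saml:Subject><saml:NameID>andrew.drew@example.invalid</saml:NameID>
    <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{SP_CONFIG['acs_url']}"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_CONFIG['sp_entity_id']}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
```

Running `check_saml_response(SAMPLE_RESPONSE, SP_CONFIG, saml_time("2024-05-01T10:02:00Z"))` returns an empty list; changing any single value in `SP_CONFIG` reproduces the kind of mismatch that makes the SSO test at the end of this unit fail.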
Connected App Access
The Hundreds & Thousands support org should be used only by call center agents and their managers. Create a new permission set with the label Support Org Connected App and API name Support_Org_Connected_App. Use this permission set to allow access to the Hundreds and Thousands Support connected app.
Finally, add this permission set to the appropriate existing permission set groups in the primary org to grant access to the users who need it. Don’t create any new permission set groups to complete this challenge.
Test Your Configuration
Now that you’ve set up the IdP, service provider, and the connected app, it’s time to test your configuration. Both the primary and support orgs contain a test user named Andrew Drew. This user has all the necessary configurations and permissions you need in order to test the connection between the two orgs.
Follow the steps outlined below to test your configuration.
- Primary org: Update Andrew Drew’s email to your email address. Check the box labeled Generate new password and notify user immediately.
- Primary org: Note Andrew’s username and password.
- Support org: Copy the support org’s My Domain URL.
- In an incognito browser, use Andrew's credentials to log in to the primary org.
- In a separate incognito tab, go to the support org’s My Domain URL and click the button to log in with SSO.
- A successful login will log you in to the support org as Andrew without entering their username and password.
Note: If your initial SSO test fails, you must end the test user sessions in both the primary and support orgs before attempting a new login.