Skip to main content
+2,000 points
Superbadge

Authentication Governance Superbadge Unit

Prepare your org to proactively monitor authentication activities.

~1 hr

Prerequisites

Authentication Governance Superbadge Unit

Authentication Governance Superbadge Unit

What You'll Be Doing to Earn This Superbadge

  1. Audit single sign-on and multi-factor authentication users.
  2. Build authentication monitoring reports and dashboards.
  3. Customize a flow with a concurrent sessions email action.

Concepts Tested in This Superbadge

  • Authentication Governance

Prework and Notes

Sign Up for a Developer Edition Org with Special Configuration

To complete this superbadge unit, you need a special Developer Edition org that contains special configuration and sample data. Note that this Developer Edition org is designed to work with the challenges in this superbadge unit.

  1. Sign up for a free Developer Edition org with special configuration.

  2. Fill out the form. For Email address, enter an active email address.

  3. After you fill out the form, click Sign me up.
  4. When you receive the activation email (this might take a few minutes), open it and click Verify Account.

  5. Complete your registration by setting your password and challenge question. Tip: Save your username, password, and login URL in a secure place—such as a password manager—for easy access later.

  6. You are logged in to your superbadge Developer Edition org.

Now, connect your new Developer Edition org to Trailhead.

  1. Make sure you’re logged in to your Trailhead account.

  2. In the Challenge section at the bottom of this page, select Connect Org from the picklist.

  3. On the login screen, enter the username and password for the Developer Edition org you just set up.

  4. On the Allow Access? page, click Allow.

  5. On the Want to connect this org for hands-on challenges? page, click Yes! Save it. You are redirected back to the Challenge page and ready to use your new Developer Edition org to earn this superbadge unit.

  6. Now that you have a Salesforce org with special configuration for this superbadge unit, you’re good to go.


Note

Note

Before you begin the challenges, please review Security Governance Specialist Superbadge: Trailhead Challenge Help.

Make sure you’re using a new Developer Edition org from this sign-up link to complete the challenges in this superbadge unit. If you use an org that has been used for other work, you won’t pass the challenges in this superbadge unit.

This superbadge unit is part of the Security Governance Specialist Superbadge. Complete the capstone assessment and related superbadge units to receive the Security Governance Specialist Superbadge.

Review Superbadge Challenge Help for information about the Salesforce Certification Program and Superbadge Code of Conduct.

Use Case

Cloud Nine Credit Lines (CNCL) maintains strict security policies for its Salesforce org. CNCL's customers trust the company to protect their data, and they expect a proactive approach to address security vulnerabilities. User authentication is the first line of defense in securing a Salesforce org. But any admin worth their weight in Golden Hoodies knows it's not something you can simply “set and forget.” Effective security controls and policies include regular auditing activities to ensure the org is in tip-top shape.

This is where you come in. As an admin at CNCL, you've been asked to review authentication policies, permissions, and assignments. You also have some great ideas to improve the authentication monitoring procedures. Let’s get to work!

Business Requirements

This section represents the requirements for this month’s authentication auditing activities.

Note

Note

Developer Edition orgs allow only two active Salesforce users, including yourself. For this reason, most of the users in your org are set to inactive. You need to review all users, active and inactive, in order to pass these challenges.

Single Sign-On and Multi-Factor Authentication

CNCL uses single sign-on (SSO) to control user access to all applications in one place. All users must log in via SSO and complete the multi-factor authentication (MFA) challenge from the SSO identity provider (IdP).

There is one exception: Users with the Break Glass Administrator profile must be able to log in to the org directly in the event of an outage with the IdP. These users must complete an MFA challenge that originates from the Salesforce org.

Audit your org to make sure all users have the correct authentication permissions assigned and make the required updates. Your org has the following authentication permission sets.

  • Single Sign-On
  • MFA Authorization Required

The User Access and Permissions Assistant app has been installed in your org. While this tool may assist you in auditing the permission sets listed above, the method you use to identify the necessary updates will not be checked.

Note: You can exclude your user from the SSO and MFA requirements above to maintain easy access to your org for this superbadge unit.

Authentication Monitoring Reports

CNCL is growing and onboarding new employees weekly. As the number of Salesforce users increases, so does the need for monitoring logins to the org. The Login History and Identity Verification History logs in setup have been useful, but the time has come for more robust and proactive monitoring capabilities.

You’ve raised your hand to build several reports to assist in this effort. And, being the savvy admin that you are, you've outlined report needs and requirements in the table below. The new user authentication reports should filter to show All Users and display login data for the Last 30 Days. Hide the report details so only the groupings and record counts show. Finally, create a folder labeled User Authentication Reports to store these reports.

Note: The User Access and Permissions Assistant app includes a Report tab that is different from the standard Reports object.

Report Name Description
Login Attempts by Status All login attempts grouped by login status
Failed Login Attempts by User All unsuccessful login attempts grouped by username and login status
Verification Challenges by Method All identity verification challenges grouped by method and status
Logins without SSO and MFA All successful login attempts where login type does not include SSO and (Identity Verification) Method is blank; grouped by username and login type

Concurrent Session Email Notification

Note

Note

Check out the accessibility section in the Security Governance Specialist Superbadge: Trailhead Challenge Help article to learn more about screen reader and keyboard accessibility within Flow Builder.

Last year, it came to your team’s attention that some users were sharing login credentials to get around access restrictions. While it's acceptable for users to have an active session on both their desktop and mobile device, there's no need to allow more than two concurrent sessions for each user.

With the help of a developer, the admins at CNCL built a flow, Concurrent User Authentication Login Flow, that blocks more than two concurrent sessions for one user. The new flow has been tested and is working as expected. Now, the security team at CNCL would like an email every time a concurrent session is blocked in this flow.

Modify the existing flow with an action that sends an email to the security team when a concurrent session is blocked. Place the new action before the existing “Block” screen element, and make sure it’s only triggered by the block outcome. You do not need to modify any of the existing elements.

Note: The resources for the email subject and body have already been built in the flow.

Element API Name AlertAdmins
Body {!EmailBody}
Subject {!EmailSubject}
Recipient Address List Security@CloudNineCreditLines.example.com

Once the new version of the flow is activated, complete the steps to make sure this flow runs for all users with the Standard User and the Custom: Sales Profile profiles. This flow should not apply to those with administrator profiles.

Use the following names for the new login flows.

  1. Standard User - Concurrent User Authentication Login Flow
  2. Sales Profile - Concurrent User Authentication Login Flow

*Testing Tip: Set yourself as the email recipient for testing purposes. You can also use multiple tabs in an incognito browser to test concurrent sessions for an active user with an applicable profile.

Ready to Tackle This Superbadge?

Please first complete the prerequisites and the challenge for Authentication Governance Superbadge Unit will be unlocked.

~1 hr