Authentication Governance Superbadge Unit
Prepare your org to proactively monitor authentication activities.
What you need to accomplish to earn this superbadge
- Audit single sign-on and multi-factor authentication users.
- Build authentication monitoring reports and dashboards.
- Customize a flow with a concurrent sessions email action.
Concepts tested with this superbadge
- Authentication Governance
Prework and Notes
Sign Up for a Developer Edition Org with Special Configuration
To complete this superbadge unit, you need a special Developer Edition org that contains special configuration and sample data. Note that this Developer Edition org is designed to work with the challenges in this superbadge unit.
- Sign up for a free Developer Edition org with special configuration.
- Fill out the form. For Email address, enter an active email address.
- After you fill out the form, click Sign me up.
- When you receive the activation email (this might take a few minutes), open it and click Verify Account.
- Complete your registration by setting your password and challenge question. Tip: Save your username, password, and login URL in a secure place, such as a password manager, for easy access later.
You are logged in to your superbadge Developer Edition org.
Now, connect your new Developer Edition org to Trailhead.
- Make sure you’re logged in to your Trailhead account.
- In the Challenge section at the bottom of this page, select Connect Org from the picklist.
- On the login screen, enter the username and password for the Developer Edition org you just set up.
- On the Allow Access? page, click Allow.
- On the Want to connect this org for hands-on challenges? page, click Yes! Save it. You are redirected back to the Challenge page and ready to use your new Developer Edition org to earn this superbadge unit.
Now that you have a Salesforce org with special configuration for this superbadge unit, you’re good to go.
Use Case
Cloud Nine Credit Lines (CNCL) maintains strict security policies for its Salesforce org. CNCL's customers trust the company to protect their data, and they expect a proactive approach to address security vulnerabilities. User authentication is the first line of defense in securing a Salesforce org. But any admin worth their weight in Golden Hoodies knows it's not something you can simply “set and forget.” Effective security controls and policies include regular auditing activities to ensure the org is in tip-top shape.
This is where you come in. As an admin at CNCL, you've been asked to review authentication policies, permissions, and assignments. You also have some great ideas to improve the authentication monitoring procedures. Let’s get to work!
Business Requirements
This section represents the requirements for this month’s authentication auditing activities.
Single Sign-On and Multi-Factor Authentication
CNCL uses single sign-on (SSO) to control user access to all applications in one place. All users must log in via SSO and complete the multi-factor authentication (MFA) challenge from the SSO identity provider (IdP).
There is one exception: Users with the Break Glass Administrator profile must be able to log in to the org directly in the event of an outage with the IdP. These users must complete an MFA challenge that originates from the Salesforce org.
Audit your org to make sure all users have the correct authentication permissions assigned and make the required updates. Your org has the following authentication permission sets.
- Single Sign-On
- MFA Authorization Required
The User Access and Permissions Assistant app has been installed in your org. While this tool may assist you in auditing the permission sets listed above, the method you use to identify the necessary updates will not be checked.
Note: You can exclude your user from the SSO and MFA requirements above to maintain easy access to your org for this superbadge unit.
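One way to pull the current state of the two permission sets before deciding on updates, as an added SOQL example that is not part of the superbadge page. It assumes the standard PermissionSetAssignment and User objects and that the permission set labels match the two names listed above; run it from Developer Console or Workbench.

```sql
-- Added example (not from the superbadge page): list who holds the two
-- authentication permission sets. Assumes the permission set labels match
-- the names given in the requirements.
SELECT Assignee.Username,
       Assignee.Profile.Name,
       PermissionSet.Label
FROM   PermissionSetAssignment
WHERE  Assignee.IsActive = true
  AND  PermissionSet.Label IN ('Single Sign-On', 'MFA Authorization Required')
ORDER BY Assignee.Profile.Name, Assignee.Username

-- Active standard users holding neither permission set. Each of these logs
-- in without either control and needs a decision: SSO for regular users,
-- org-originated MFA for the Break Glass Administrator profile.
SELECT Username, Profile.Name
FROM   User
WHERE  IsActive = true
  AND  UserType = 'Standard'
  AND  Id NOT IN (SELECT AssigneeId
                  FROM   PermissionSetAssignment
                  WHERE  PermissionSet.Label IN ('Single Sign-On',
                                                 'MFA Authorization Required'))
ORDER BY Profile.Name, Username

-- Break Glass Administrators must be able to log in directly during an IdP
-- outage, so review every row this returns against that requirement.
SELECT Assignee.Username
FROM   PermissionSetAssignment
WHERE  Assignee.Profile.Name = 'Break Glass Administrator'
  AND  PermissionSet.Label = 'Single Sign-On'
```

Compare the three result sets against the requirements above before assigning or removing anything; the audit tool named in the note is optional, and only the resulting assignments are checked.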
Authentication Monitoring Reports
CNCL is growing and onboarding new employees weekly. As the number of Salesforce users increases, so does the need for monitoring logins to the org. The Login History and Identity Verification History logs in setup have been useful, but the time has come for more robust and proactive monitoring capabilities.
You’ve raised your hand to build several reports to assist in this effort. And, being the savvy admin that you are, you've outlined report needs and requirements in the table below. The new user authentication reports should filter to show All Users and display login data for the Last 30 Days. Hide the report details so only the groupings and record counts show. Finally, create a folder labeled User Authentication Reports to store these reports.
Note: The User Access and Permissions Assistant app includes a Report tab that is different from the standard Reports object.
| Report Name | Description |
|---|---|
| Login Attempts by Status | All login attempts grouped by login status |
| Failed Login Attempts by User | All unsuccessful login attempts grouped by username and login status |
| Verification Challenges by Method | All identity verification challenges grouped by method and status |
| Logins without SSO and MFA | All successful login attempts where login type does not include SSO and (Identity Verification) Method is blank; grouped by username and login type |
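The same four views expressed as SOQL over the objects that feed these reports, as an added example that is not part of the superbadge page, so the report counts can be cross-checked from Developer Console. It assumes the standard LoginHistory and VerificationHistory objects, that LoginHistory supports aggregate queries, and that the three SSO login type values listed are the ones present in the org's Login Type picklist.

```sql
-- Added example (not from the superbadge page): raw data behind the four
-- reports, filtered to the last 30 days like the reports themselves.
-- Assumes LoginHistory supports GROUP BY and that the SSO login type values
-- below match the org's Login Type picklist.

-- "Login Attempts by Status"
SELECT Status, COUNT(Id) attempts
FROM   LoginHistory
WHERE  LoginTime = LAST_N_DAYS:30
GROUP BY Status
ORDER BY COUNT(Id) DESC

-- "Failed Login Attempts by User": every attempt that was not a success
SELECT UserId, Status, COUNT(Id) attempts
FROM   LoginHistory
WHERE  LoginTime = LAST_N_DAYS:30
  AND  Status != 'Success'
GROUP BY UserId, Status
ORDER BY COUNT(Id) DESC

-- "Verification Challenges by Method"
SELECT VerificationMethod, Status, COUNT(Id) challenges
FROM   VerificationHistory
WHERE  VerificationTime = LAST_N_DAYS:30
GROUP BY VerificationMethod, Status

-- "Logins without SSO and MFA": successful logins whose type is not an
-- SSO type, listed individually so each can be matched against the
-- verification history for the same user and time. Any row with no
-- matching verification is a login that bypassed both controls.
SELECT UserId, LoginType, LoginTime, SourceIp
FROM   LoginHistory
WHERE  LoginTime = LAST_N_DAYS:30
  AND  Status = 'Success'
  AND  LoginType NOT IN ('SAML Sfdc Initiated SSO',
                         'SAML Idp Initiated SSO',
                         'Third Party SSO')
ORDER BY LoginTime DESC
```

The report version joins the verification method for you; the last query is the manual equivalent for spot-checking a single user.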
Concurrent Session Email Notification
Last year, it came to your team’s attention that some users were sharing login credentials to get around access restrictions. While it's acceptable for users to have an active session on both their desktop and mobile device, there's no need to allow more than two concurrent sessions for each user.
With the help of a developer, the admins at CNCL built a flow, Concurrent User Authentication Login Flow, that blocks more than two concurrent sessions for one user. The new flow has been tested and is working as expected. Now, the security team at CNCL would like an email every time a concurrent session is blocked in this flow.
Modify the existing flow with an action that sends an email to the security team when a concurrent session is blocked. Place the new action before the existing “Block” screen element, and make sure it’s only triggered by the block outcome. You do not need to modify any of the existing elements.
Note: The resources for the email subject and body have already been built in the flow.
| Field | Value |
|---|---|
| Element API Name | AlertAdmins |
| Body | {!EmailBody} |
| Subject | {!EmailSubject} |
| Recipient Address List | Security@CloudNineCreditLines.example.com |
Once the new version of the flow is activated, complete the steps to make sure this flow runs for all users with the Standard User and the Custom: Sales Profile profiles. This flow should not apply to those with administrator profiles.
Use the following names for the new login flows.
Standard User - Concurrent User Authentication Login Flow
Sales Profile - Concurrent User Authentication Login Flow
Testing Tip: Set yourself as the email recipient for testing purposes. You can also use multiple tabs in an incognito browser to test concurrent sessions for an active user with an applicable profile.