1) What is Single sign-on (SSO)?
Single sign-on (SSO) is an authentication method that enables users to access multiple applications with one login and one set of credentials. For example, after users log in to your org, they can automatically access all apps from the App Launcher. You can set up your Salesforce org to trust a third-party identity provider to authenticate users. Or you can configure a third-party app to rely on your org for authentication.
2) What is identity provider and service provider? What are the different ways that I can implement SSO?
When you set up SSO, you configure one system to trust another to authenticate users, eliminating the need for users to log in to each system separately. The system that authenticates users is called an identity provider. The system that trusts the identity provider for authentication is called the service provider.
Salesforce supports SSO with SAML and OpenID Connect. Salesforce also has preconfigured authentication providers that you can use to enable SSO with systems that have their own authentication protocols, like Facebook.
3) What is the role of SAML in Salesforce Single Sign-On (SSO), and how does it work between two Salesforce orgs?
SAML (Security Assertion Markup Language) enables Single Sign-On (SSO) between applications. In a Salesforce SSO scenario, one Salesforce org acts as the Identity Provider (IdP), where the user logs in, and another Salesforce org acts as the Service Provider (SP), where the user is redirected after successful authentication. The IdP authenticates the user and sends a SAML assertion to the SP to grant access.
4) How do you configure Salesforce as a SAML Identity Provider for Single Sign-On?
To configure Salesforce as a SAML Identity Provider:
Enable Identity Provider in Salesforce:
Go to Setup, search for Identity Provider, and enable it. Select a certificate (default or custom) to establish secure communication with the Service Provider (SP).
After completing these steps, users can log in through the IdP-Initiated Login URL from the Connected App in the Identity Provider org and get redirected to the Service Provider org after successful authentication.
5) How do you configure Salesforce as a SAML Service Provider for Single Sign-On?
To configure Salesforce as a SAML Service Provider:
Enable SAML in the Service Provider Org:
Go to Setup > Single Sign-On Settings and check the SAML Enabled flag.
Import Metadata from the Identity Provider (IdP):
Click New from Metadata File and upload the metadata file downloaded from the IdP org. This auto-populates the configuration fields, such as Entity ID and ACS URL.
Identity Provider Certificate: Upload the certificate from the IdP org.
Request Signing Certificate: Optionally, create a self-signed certificate in the Service Provider org to sign SAML assertions.
Ensure the SAML Identity Type (e.g., Federation ID) matches the user information in both orgs.
If the user does not exist, consider enabling Just-in-Time Provisioning for dynamic user creation.
By following these steps, the Service Provider org is now ready to accept SAML assertions from the Identity Provider org for seamless Single Sign-On.
6) What is Just-in-Time (JIT) Provisioning in Salesforce, and how is it used in Single Sign-On (SSO)?
Just-in-Time (JIT) Provisioning in Salesforce is a feature that automatically creates or updates user accounts in the Service Provider (SP) org during the Single Sign-On (SSO) process. It simplifies user management by eliminating the need to pre-create user accounts in the SP org.
How JIT Works:
- The Identity Provider (IdP) sends user information in a SAML 2.0 assertion during the authentication process.
- Salesforce processes this information using a JIT handler (Apex class) or standard JIT settings.
- If the user does not already exist in the SP org, a new user account is created in real-time.
In a multi-org setup, if a user logs in to an Identity Provider org but their account does not exist in the SP org, JIT creates the account dynamically based on the information provided in the SAML assertion.
SAML Request:
This request asks the IdP to authenticate the user.
SAML Response:
After authenticating the user, the IdP sends a SAML Response back to the SP.
The response includes a signed SAML Assertion containing user details.
- A SAML Assertion is part of the SAML Response and asserts facts about the user, such as their username or email address.
- The assertion is signed by the IdP to ensure its authenticity.
- The SP validates this signature to confirm the integrity of the information.
How They Work Together:
- The SAML Request initiates the SSO process.
- The SAML Response conveys the authentication result.
- The SAML Assertion provides the necessary user details to complete the authentication and grant access.
This process ensures secure, seamless user authentication between the Identity Provider and Service Provider.
8) What is an Identity Provider-Initiated SAML Flow, and how does it work?
Identity Provider-Initiated SAML Flow is a Single Sign-On (SSO) process where the login begins at the Identity Provider (IdP).
Steps:
- The user logs in to the identity provider.
- The user clicks a button or link to access the service provider. For example, the user clicks an app on the App Launcher page in a Salesforce org.
- The identity provider initiates login by sending a cryptographically signed SAML response to the service provider. The SAML response contains a SAML assertion that tells the service provider who the user is.
- The service provider validates the signature in the SAML response and identifies the user.
- The user is now logged in to the service provider.
Service Provider-Initiated SAML Flow:
Steps:
- The user starts at the service provider by trying to access a protected resource.
- The service provider initiates login by sending a SAML request to the identity provider, asking it to authenticate the user.
- The identity provider sends the user to a login page.
- The user enters their identity provider login credentials and the identity provider authenticates the user.
- The identity provider now knows who the user is, so it sends a cryptographically signed SAML response to the service provider. The SAML response contains a SAML assertion that tells the service provider who the user is.
- The service provider validates the signature in the SAML response and identifies the user.
- The user is now logged in to the service provider and can access the protected resource.
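Both flows above end with the service provider validating the SAML Response and identifying the user. The following is an added example (not code from the original post or from Salesforce) of the checks an SP makes on a Response and its Assertion after an XML-DSig library has verified the IdP signature: Destination, InResponseTo, status, validity window and audience. The entity IDs, ACS URL and sample Response are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.com"        # this SP's config (constructed)
ACS_URL = "https://sp.example.com/saml/acs"    # Assertion Consumer Service URL
def _ts(s):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))
def validate_assertion(response_xml, expected_in_response_to, now_iso):
    """SP-side checks AFTER the XML signature is verified. Returns NameID or raises."""
    now = _ts(now_iso)
    root = ET.fromstring(response_xml)
    # Destination must be our ACS URL; a Response meant for another SP is rejected.
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination mismatch")
    # SP-initiated: InResponseTo must equal the AuthnRequest ID we issued.
    # IdP-initiated: pass None, since the Response carries no InResponseTo.
    if root.get("InResponseTo") != expected_in_response_to:
        raise ValueError("InResponseTo mismatch")
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    # Freshness window (limits replay) and audience (assertion is addressed to us).
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not addressed to this SP")
    return assertion.find("saml:Subject/saml:NameID", NS).text
def accepts(response_xml, expected_in_response_to, now_iso):
    try:
        validate_assertion(response_xml, expected_in_response_to, now_iso)
        return True
    except ValueError:
        return False
# Constructed, unsigned sample Response for the SP-initiated flow (not real data).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 IssueInstant="2024-01-01T12:00:00Z" Destination="https://sp.example.com/saml/acs"
 InResponseTo="_req42">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
```

For the IdP-initiated flow the same function is called with `None` as the expected InResponseTo, and every other check still applies.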