Experience Cloud Consultant User Creation and Authentication

User Creation and Authentication Detailed Explanation

Core Definition

This topic focuses on:

1. Creating users in your community and assigning them appropriate roles and permissions.
2. Implementing authentication mechanisms to ensure secure and user-friendly access to the community.

By managing users and authentication effectively, you can control who has access to the community and ensure data security.

1. User Creation

When building an Experience Cloud community, you’ll need to onboard users. Salesforce provides tools to create and manage both internal and external users.

1.1 User Groups

There are two main ways to add users to a community:

1. Registered Users:

   • These users create their own accounts through self-registration.
   • This method is used when you want users to sign up without administrator intervention.
   • Example:
     • A customer logs into your portal and clicks "Register" to create an account. Their profile is automatically added to Salesforce and linked to the community.

2. Manual Users:

   • These users are added by Salesforce administrators.
   • Administrators manually create accounts and assign appropriate roles and permissions.
   • Example:
     • A business partner's account is added by the admin, who assigns them the "Partner User" role.

1.2 User Assignment

After creating users, you must assign them roles and licenses to determine:

1. Their access to data and features.

2. The type of community experience they’ll have.

3. Roles:

   • Roles define a user's position in the role hierarchy, determining which data they can access.
   • Example:
     • A customer can only see their own cases, while a partner manager can see cases for their entire team.

4. Licenses:

   • Assign the correct license based on the user type:
     • Customer Community License: For basic functionality (e.g., submitting cases).
     • Partner Community License: For advanced collaboration (e.g., managing opportunities).

2. Authentication Methods

Authentication ensures that only authorized users can access your community. Salesforce supports several secure and flexible authentication options.

2.1 Single Sign-On (SSO)

1. Definition:

   • SSO allows users to log into the community using credentials from an external identity provider, such as Google, Microsoft, or Okta.
   • Users don’t need to remember separate login details for your community.

2. Benefits:

   • Simplifies the login process for users.
   • Reduces administrative effort for managing passwords.

3. How It Works:

   • Salesforce uses the SAML (Security Assertion Markup Language) or OAuth protocols to connect with the identity provider.
   • Example:
     • A corporate employee logs into the community using their existing Google Workspace account.

4. Steps to Configure SSO:

   • Set up the identity provider (e.g., Google, Okta).
   • Create a connected app in Salesforce for the identity provider.
   • Enable SAML or OAuth authentication in the community settings.

2.2 Multi-Factor Authentication (MFA)

1. Definition:

   • MFA adds an extra layer of security by requiring users to provide two forms of verification:
     • Something they know: Password.
     • Something they have: A mobile device or authentication app.

2. Benefits:

   • Protects sensitive data from unauthorized access.
   • Prevents security breaches even if passwords are stolen.

3. How It Works:

   • Users log in with their credentials and then verify their identity using a one-time code sent to their phone or generated by an authentication app like Salesforce Authenticator.

4. Steps to Enable MFA:

   • Go to Setup → MFA Settings.
   • Enable MFA for all users or specific profiles.
   • Educate users on how to use the Salesforce Authenticator app.

2.3 Social Login

1. Definition:

   • Social login allows users to log into the community using their social media accounts, such as Facebook, LinkedIn, or Twitter.

2. Benefits:

   • Provides a seamless and user-friendly login experience.
   • Reduces the friction of account creation.

3. How It Works:

   • Salesforce uses the OAuth protocol to integrate with social platforms.
   • Users click "Log in with Facebook," for example, and are redirected to authenticate via Facebook.

4. Steps to Configure Social Login:

   • Create a connected app in Salesforce.
   • Enable the desired social authentication provider (e.g., Facebook or LinkedIn).
   • Add the social login buttons to the community login page.

3. Practical Application

Scenario 1: Configuring SSO

Goal: Allow corporate employees to log into the community using their Google Workspace accounts.

1. Set up Google as the identity provider.
2. Configure a connected app in Salesforce with the necessary SAML settings.
3. Test the SSO functionality to ensure employees can log in seamlessly.

Scenario 2: Enabling MFA

Goal: Add an extra layer of security for all partner users.

1. Enable MFA in the Setup menu.
2. Notify partner users to download the Salesforce Authenticator app.
3. Test the login process to confirm MFA is working as expected.

Scenario 3: Setting Up Social Login

Goal: Allow customers to log in using their Facebook accounts.

1. Create a connected app in Salesforce for Facebook integration.
2. Enable OAuth settings for Facebook authentication.
3. Add a "Log in with Facebook" button to the community login page.

4. Exam Focus

4.1 Enabling and Configuring SSO

• Understand the steps to set up SSO, including creating connected apps and configuring SAML or OAuth protocols.
• Sample Question:
  • "Which protocol is commonly used for SSO authentication in Salesforce?"
    • Answer: SAML.

4.2 Use Cases and Configuration Steps for Social Login

• Be able to identify when to use social login and know the basic configuration steps.
• Sample Question:
  • "A customer wants a simplified login process using Facebook. What should you configure?"
    • Answer: Enable social login with Facebook and add a connected app.

Why Is This Knowledge Important?

1. Secure Access:

   • Authentication methods like MFA and SSO protect sensitive data and ensure only authorized users can access the community.

2. Streamlined User Experience:

   • Social login and SSO reduce login friction, improving user satisfaction and engagement.

3. Flexibility:

   • Salesforce’s robust user creation and authentication tools cater to diverse use cases, from self-registration for customers to secure SSO for corporate employees.

User Creation and Authentication (Additional Content)

1. Self-Registration Configuration & Flow

What is Self-Registration?

Self-registration allows external users (customers, partners, or community members) to create their own accounts in an Experience Cloud site without administrator intervention.

Self-Registration Process

1. User clicks "Register" on the Experience Cloud login page.
2. Salesforce creates a new user record and links it to the appropriate Experience Cloud site.
3. The user is assigned a Profile and Role based on self-registration rules.
4. A confirmation email is sent to verify the user's identity.
5. The user can log in via Single Sign-On (SSO) or manually using their credentials.

Self-Registration Configuration in Salesforce

To enable self-registration, administrators must:

1. Enable Self-Registration in Experience Cloud Settings

• Navigate to Setup → Digital Experiences → All Sites.
• Select the community and go to Administration → Login & Registration.
• Enable Allow External Users to Self-Register.

2. Configure the Self-Registration Handler

• Salesforce provides a default Apex class (SelfRegistrationController).
• For custom business logic, a custom Apex registration handler may be required.

3. Define Default Profile and Role

• New users must be assigned to a Profile (e.g., Customer Community User).
• Roles are optional for Customer Community users but required for Partner Community users.

Best Practices for Self-Registration

• Use reCAPTCHA to prevent bots from mass-registering accounts.
• Restrict registration domains if allowing registration only for specific organizations.
• Monitor new user creation using Salesforce Reports.

2. Guest User Access and Security Best Practices

Guest users are unauthenticated visitors who can access public pages but have restricted access to Salesforce data.

Key Security Considerations for Guest Users

1. Default Restrictions

• By default, guest users cannot access standard objects (e.g., Cases, Contacts, Accounts).
• Access must be explicitly granted via Guest User Profile or Sharing Rules.

2. How to Control Guest User Access

• Use Sharing Rules:
  • Grant limited access to specific public objects (e.g., Knowledge Articles).
• Configure the Guest User Profile:
  • Restrict access to sensitive fields and records.
• Disable API Access for Guest Users:
  • Prevents external users from making unauthorized API calls.

3. Recommended Security Measures

• Disable guest user record creation unless explicitly required.
• Restrict guest users to public pages and use Secure Guest User Settings.
• Implement CAPTCHA for public forms to prevent automated submissions.

3. SSO and Federated Authentication Best Practices

What is Single Sign-On (SSO)?

SSO allows users to log in to Experience Cloud using external identity providers (such as Google, Okta, Microsoft Azure AD) instead of creating separate Salesforce credentials.

Best Practices for Implementing SSO

1. Use SAML or OAuth 2.0 for Authentication

• SAML (Security Assertion Markup Language):
  • Best for enterprise authentication.
  • Commonly used with Okta, Azure AD, PingIdentity.
• OAuth 2.0:
  • Best for mobile and API-based authentication.
  • Supports social login (Google, Facebook, LinkedIn).

2. Enable Just-in-Time (JIT) Provisioning

• Allows new users to be automatically created in Salesforce when logging in via SSO for the first time.
• Reduces administrative workload.

3. Enable My Domain

• My Domain is required for SSO to work.
• Without My Domain, SAML-based authentication may fail.

4. Configure Identity Provider (IdP) Settings

• Set up IdP metadata in Salesforce.
• Define assertion conditions for user authentication.

4. Password Policies and Security Settings

Why are Password Policies Important?

Password policies enforce strong authentication measures to protect user accounts from unauthorized access.

Key Password Policy Settings

1. Strong Password Requirements

• Require at least 8 characters.
• Must include uppercase letters, lowercase letters, numbers, and special characters.

2. Password Expiration Policy

• Force password reset every 90 days.
• Prevents prolonged use of compromised passwords.

3. Account Lockout Policy

• Lock accounts after multiple failed login attempts.
• Protects against brute-force attacks.

4. Multi-Factor Authentication (MFA)

• Enforce MFA for all external users.
• Use Salesforce Authenticator or SMS verification for additional security.