What are the 4 ways to provision community users?
Mass Provisioning
Manual Provisioning
Self-Registration
Just-in-Time
The Mass Provisioning of users can be automated using ____ ____, ____, and ____ ____ ____
Data Loader
API
Salesforce Identity Connect
__________________________________________________________________
***For Mass User Provisioning, Contacts associated with Accounts MUST have existing records within Salesforce. This means that in order to mass provision contacts they must have a contact record in Salesforce.
***Salesforce Identity Connect - a tool that connects a company’s Microsoft Active Directory (AD) with Salesforce, so your employees can log into Salesforce using their Microsoft credentials.
Manually Provisioning a User - An internal or external user can be ‘manually added as a member’ to the Experience Cloud site by the ______?
The Administrator or a user with the ‘Manage External Users’ permission.
______________________________________________________
Internal users are provisioned using their existing Salesforce license. Profiles or Permission Sets that are needed to access the site can be selected on the ‘Members’ page under ‘Administration’.
______________________________________________________
External users can be provisioned from a contact associated with an account. ‘Enable Customer User’ or ‘Enable Partner User’ can be selected on the contact record. Then the profile and permission set can be assigned to the user.
Manually Provisioning a User - A _____ should be selected for partner users if there are multiple ______ available.
Role
Role
Who can manually assign a Customer Community, Customer Community Plus, or Partner Community licenses to contacts?
A System Administrator or a user with the ‘Manage External Users’ permission.
Profile/Permission Set > App Permissions > Partner Relationship Management section > check the box ‘Manage External Users’
What 2 licenses can be assigned to Person Accounts?
What licenses can NOT be assigned to Person Accounts?
Customer Community and Customer Community Plus licenses CAN be assigned to Person Accounts
______________________________________________________
Partner Community licenses can NOT be assigned to Person Accounts
The steps to provision a customer and a partner differ slightly. What are the 2 main ways they differ?
1) If it’s a customer account, you’ll click [Enable Customer User]; if it’s a partner account, you’ll click [Enable Partner User].
2) If it’s a Partner User, you’ll add a Role to the user record. Customer users don’t have roles assigned to them.
Mass User Provisioning - What are the 2 ways to provision partner and customer users in bulk?
1) Upload using Data Loader
2) API
______________________________________________________
Data Loader - The contact records can be exported using a CSV file.
API - The createPortalUser and createPersonAccountPortalUser methods can be used in an Apex Class.
What are the 7 steps used to Mass Upload using Data Loader?
1) Setup Accounts
2) Associate Contacts to the Accounts
3) Create site role(s) to be assigned to the users
4) Generate CSV file for importing the users
5) Export Contacts for which the users will be created
6) Add Contact info to the CSV import file
7) Import CSV file via Data Loader
What fields are required for the CSV file that will be used in Data Loader?
FirstName
LastName
UserName
ContactId
ProfileId
UserRoleId
Alias
TimeZoneSidKey (user record)
LocaleSidKey (user record)
EmailEncodingKey (user record)
LanguageLocaleKey (user record)
Where do you go to allow guest users to join an Experience Cloud site?
Site > Administration > click ‘Login & Registration’
What is Just-in-Time Provisioning?
It’s used to automatically create an account the first time a user logs in with SSO.
The Identity Provider (ex: Microsoft) passes information to Salesforce in a SAML assertion to create the user account.
You MUST use the Federation ID as the user type when setting up SSO to use Just-in-Time Provisioning.
Setup > type “single” and select Single Sign-On Settings > select the radio button ‘Assertion contains the Federation ID from the User object’ for SAML Identity Type.
______________________________________________________
A SAML assertion is like a digital permission slip. Imagine you’re trying to get into a concert (the app you want to use), but instead of showing your ID at the door, someone you trust (like your school or workplace) hands you a signed note that says, “Yep, this person is who they say they are, and they’re allowed in.”
SAML stands for Security Assertion Markup Language. It’s an open standard that allows identity providers (like Okta or Microsoft Entra ID) to securely pass authentication and authorization data to service providers (like Salesforce, Google Workspace, etc.)
Where in Setup do you go to set up Just-in-Time Provisioning?
1) Setup > ‘Identity’ accordion (or type ‘Single’) > select Single Sign-On Settings
2) After setting up SSO, click the ‘User Provisioning Enabled’ checkbox under the section called ‘Just-in-Time User Provisioning’
3) There are 2 types of User Provisioning you can choose from…
Standard
Custom SAML JIT with Apex handler
When using Just-in-Time Provisioning there are 2 types available, Standard and Custom SAML JIT with Apex Handler. What is the difference between them?
Standard - Users are provisioned automatically using attributes in the SAML assertion.
______________________________________________________
Custom SAML JIT with Apex handler - users can be provisioned based on logic in an Apex Class.
External Users can be created by Salesforce users or external users who have the D____ E____ U____ A____ permission.
“Delegated External User Administrator” permission
The Account record used to create external users MUST be owned by who?
An Internal User
What are the steps to manually provision a user?
1) Go to Contact record page
2) Click [Enable Customer User] or [Enable Partner User]
3) You’ll be taken to the User record page. Select the profile for the new user.
***If Partner User, you must select a Role in addition to the Profile.
4) Click [Save]
______________________________________________________
IMPORTANT:
*Before creating Users make sure that the Profile you are assigning them to has already been added to the community.
Site > Administration > Members
*If you enabled the ‘Welcome Email’ for your community, an email with the username and a link to reset the password is sent to the user.
What is ‘Login Discovery’?
Allows external users to log in using something other than their username, such as a phone number or email address.
______________________________________________________
*Instead of a password, users can verify their identity with a code sent to their email address or mobile device.
Administration > Login & Registration > click dropdown for ‘Login Page Type’ and select Login Discovery Page
What are some best practices for when adding or removing a large number of members?
1) A maintenance window should be defined when traffic is low.
2) Up to 10 million users can be processed at a time.
3) Test in a sandbox environment first
4) Remove inactive users from profiles and permission sets to reduce the number of members
5) You can prioritize ‘High-priority members’
6) Profiles and permission sets can be added in small batches
7) Profiles and permission sets should not be added and removed at the same time.
8) Self-registration should not be allowed while membership is processing.
What is ‘Social Login’?
Provides users the ability to log in with third-party accounts such as Facebook, LinkedIn, etc. to access Salesforce. Salesforce supports any authentication provider that implements OAuth or the OpenID Connect protocol.
____________________________________________________
*The third-party service is an authentication provider that verifies the identity of the user.
What is ‘Passwordless Login’?
Allows members to log in with a verification code instead of a password, such as email, Salesforce Authenticator, one-time password, Universal Second Factor (U2F), WebAuthn security key, or text message.
***U2F is a physical key such as a USB stick or fob.
When talking about SSO, what is the Identity Provider and what is the Service Provider?
Identity Provider (Bouncer) - checks your ID and says, “Yep, you’re good to go!”
Service Provider (Night Club) - the app or service you want to access. It trusts the bouncer (Identity Provider) to do the ID check.
______________________________________________________
Salesforce can be both.
To allow users to log in to an Experience Cloud site using third-party credentials, Salesforce can be configured as the Service Provider.
Explain the difference between the Identity Provider and an Authentication Provider.
The Identity Provider is the actual system that verifies the user.
The Authentication Provider is the Salesforce setup that connects to that system.
Think of it like this: the Identity Provider is the airport security that checks your ID, and the Authentication Provider is the airline gate that lets you board once you’re cleared.
Step-by-Step Flow
1) User clicks “Log In” on your Salesforce site
Maybe it’s an Experience Cloud portal or your main Salesforce org.
2) Salesforce looks at your Auth Provider configuration
Based on your setup, Salesforce knows which external system to talk to (Google, Okta, etc.) and how to talk to it (SAML, OpenID Connect, etc.).
3) Salesforce redirects the user to the Identity Provider
The IdP is where the user enters their username and password. It handles the actual login.
4) IdP authenticates the user
If credentials are correct, it issues a secure “login ticket”, like a SAML assertion.
5) User is sent back to Salesforce
Salesforce receives the login ticket (with user info and verification) and logs the user in.
Cosmic Solutions has two sites, one for partners and the other for customers. Partners need to be provided access to the customer site. How can this be done?
The Partner profile can be added to the customer site in the ‘Members’ section of ‘Administration’ in Workspaces
Users who need access to opportunities, leads, or campaigns must be enabled as _______ users?
Partner Users
What is the difference between the ‘Manage External Users’ and ‘Manage External Users (Limited)’ permissions?
Manage External Users - Create partner accounts and partner users
Manage External Users (Limited) - Create and manage only external users that you have Read/Write access to.
If you want to customize your login page for your Salesforce org, where do you go?
Setup > My Domain > Authentication Configuration
Inbound SSO?
Outbound SSO?
Inbound SSO - Users log in somewhere else and then access Salesforce without logging in.
Outbound SSO - Users log in to Salesforce and then access other apps without logging in again.