Svet Voloshin

Salesforce CTA

Technical Architect

CTA Coach


Identity Flows & Security

October 7, 2024 Presentations

This deck explains Identity Flows, which streamline user authentication and access to applications and resources and are often used with IAM solutions like Okta or PingFederate.

  • It covers various Identity Flow types, including Authorization Code Flow (most common), Implicit Flow (less secure, not recommended), Resource Owner Password Credentials Flow (not recommended), Client Credentials Flow, Device Code Flow, and Hybrid Flow. Each flow has different security implications and use cases.
  • The deck also explains TLS (Transport Layer Security), the successor to SSL (Secure Sockets Layer), for securing internet communications. It details the role of Certificate Authorities (CAs) in issuing and managing digital certificates for trust and security.
  • Keystores (for storing private keys and trusted certificates) and Truststores (for storing trusted CA certificates) are explained, differentiating between Standard (one-way) TLS and Mutual TLS (two-way) where both client and server authenticate each other.
  • The OAuth 2.0 JWT Bearer Flow is described for secure server-to-server communication using JSON Web Tokens (JWT) without transmitting sensitive information.
  • The presentation illustrates Service Provider (SP) initiated and Identity Provider (IdP) initiated SSO (Single Sign-On) with examples.
  • It also covers OAuth 2.0 User-Agent flow with Social Sign On and OpenID Connect (OIDC) for simplified user authentication and authorization.
  • The deck explains the Authorization Code flow with PKCE (Proof Key for Code Exchange) for enhanced security in mobile app access to Salesforce data.
  • It provides details on SHA-256 (Secure Hash Algorithm 256) for data integrity and password hashing, and the use of Salt for added password security.
  • Base64 encoding for binary data and Nonces for preventing replay attacks are also discussed.
  • The presentation concludes by explaining URIs (Uniform Resource Identifiers), including URLs and URNs, and their components (scheme, authority, path, query, fragment).