How to Troubleshoot SAML Assertions in Salesforce?

1. Go to Single Sign-On Settings.

2. Click SAML Assertion Validator.

3. The SAML Validator shows the last recorded SAML login failure with some details as to why it failed.

4. To test the SAML assertion from the app, copy the Formatted SAML Response from the app.

5. In the Salesforce SAML Validator, paste the SAML assertion in the SAML Response box at the bottom of the page.

6. Click Validate.

The page displays some results to help you troubleshoot the assertion. For example, if the assertion was generated a while before it was used to log in, the timestamp expires and the login isn’t valid. In that case, regenerate the SAML assertion and try again.


Difference between Web server OAuth flow, User agent flow OAuth Authentication flow and Username-Password OAuth Authentication flow

Web server OAuth flow 

Typically used for web applications where server-side code needs to interact with APIs on the user’s behalf, for example DocuSign. The flow relies on the web server being secure enough to protect the consumer secret. The steps, from the client application's side, are:

1. The client directs the user to the authorization endpoint.
2. The user logs in at the authorization endpoint and does not interact with the client application at all.
3. A redirect is sent back to the user's browser with the authorization code appended.
4. The client application extracts the authorization code and sends it to the authorization endpoint.
5. If successful, the authorization endpoint returns access and refresh tokens.
6. The client application uses the access token to access the user's data.

User agent flow OAuth Authentication flow

This flow is used to authenticate client applications that reside on the user's device. The key difference from the web server flow is that the client cannot keep the consumer secret confidential.

1. The client directs the user to the authorization endpoint.
2. The user logs in at the authorization endpoint and does not interact with the client application at all.
3. A redirect is sent back to the user's browser with the access token appended.
4. The client application uses the access token to access the user's data.

Username-Password OAuth Authentication flow

This flow can be used where the client application already has the user's username and password. It is discouraged because the username and password are sent back and forth in requests.

1. The client application requests an access token using the username and password.
2. The authentication endpoint returns an access token if the credentials are valid.
3. The client application uses the access token for access.
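The three flows above differ mainly in where the consumer secret and the user's password travel. The following added example (not Salesforce's or any project's code) builds the request each flow would send and checks which requests carry the secret or the password. The endpoint paths and parameter names are Salesforce's documented OAuth 2.0 endpoints; the consumer key, consumer secret, redirect URI, state value and user credentials are constructed placeholders, and nothing is sent over the network.

```python
"""Request shapes of the web server, user-agent and username-password OAuth flows.

Added illustration, not Salesforce's own code. Endpoint paths and parameter
names follow Salesforce's public OAuth 2.0 endpoints; CLIENT_ID, CLIENT_SECRET,
REDIRECT_URI and the credentials below are constructed placeholders. Each
function returns the request it would send instead of sending it.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

LOGIN_HOST = "https://login.salesforce.com"
AUTHORIZE = f"{LOGIN_HOST}/services/oauth2/authorize"
TOKEN = f"{LOGIN_HOST}/services/oauth2/token"

# Constructed placeholders; a real app uses its Connected App's values.
CLIENT_ID = "3MVG9_EXAMPLE_CONSUMER_KEY"
CLIENT_SECRET = "EXAMPLE_CONSUMER_SECRET"
REDIRECT_URI = "https://app.example.com/oauth/callback"


def web_server_step1(state: str) -> str:
    """Web server flow, step 1: the URL the client redirects the user to.
    response_type=code asks for an authorization code, not a token."""
    return AUTHORIZE + "?" + urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,  # tied to the user's session so the callback can be matched
    })


def web_server_step4(code: str) -> dict:
    """Web server flow, step 4: server-side POST exchanging the code for tokens.
    Only the web server ever handles the consumer secret."""
    return {"url": TOKEN, "form": {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,
    }}


def user_agent_step1(state: str) -> str:
    """User-agent flow: response_type=token makes the authorization endpoint
    return the access token directly in the redirect. There is no exchange
    step, so no secret is needed by (or entrusted to) the device-side client."""
    return AUTHORIZE + "?" + urlencode({
        "response_type": "token",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })


def username_password_step1(username: str, password: str) -> dict:
    """Username-password flow: one POST carrying the user's credentials and the
    consumer secret; the client application itself handles the password."""
    return {"url": TOKEN, "form": {
        "grant_type": "password",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "username": username,
        "password": password,
    }}


def carries_secret(request) -> bool:
    """True when the request (redirect URL or POST form) contains the consumer secret."""
    if isinstance(request, str):
        return "client_secret" in parse_qs(urlsplit(request).query)
    return "client_secret" in request["form"]


def carries_user_password(request) -> bool:
    """True when the request contains the user's password."""
    if isinstance(request, str):
        return False
    return "password" in request["form"]


if __name__ == "__main__":
    for name, req in [
        ("web server, step 1 (browser redirect)", web_server_step1("s1")),
        ("web server, step 4 (server to server)", web_server_step4("CODE_FROM_REDIRECT")),
        ("user agent, step 1 (browser redirect)", user_agent_step1("s1")),
        ("username-password", username_password_step1("jdoe@example.com", "pw")),
    ]:
        print(f"{name}: secret={carries_secret(req)} password={carries_user_password(req)}")
```

Run it and the only request that carries the secret in the web server flow is the server-to-server exchange in step 4; the user-agent flow never sends one, which is why a device-side client must not be given a secret it cannot protect; the username-password flow sends both the secret and the user's password in a single request.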


Event Monitoring in Salesforce

Event monitoring is one of many tools that Salesforce provides to help keep your data secure. It lets you see the granular details of user activity in your organization. We refer to these user activities as events. You can view information about individual events or track trends in events to swiftly identify abnormal behavior and safeguard your company’s data.

So what are some of the events that you can track? Event monitoring provides tracking for lots of types of events, including:
  • Logins
  • Logouts
  • URI (web clicks in Salesforce Classic)
  • Lightning (web clicks, performance, and errors in Lightning Experience and the Salesforce mobile app)
  • Visualforce page loads
  • API calls
  • Apex executions
  • Report exports
All these events are stored in event log files. An event log file is generated when an event occurs in your organization and is available to view and download after 24 hours. The event types you can access and how long the files remain available depend on your edition.
  • Developer Edition (DE) organizations have free access to all log types with one-day data retention.
  • Enterprise, Unlimited, and Performance Edition organizations have free access to the login and logout log files with one-day data retention. For an extra cost, you can access all log file types with 30-day data retention.
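Once a Login event log file has been downloaded, the "track trends to identify abnormal behavior" part is ordinary log analysis. The following added example (not Salesforce's tooling) runs two simple detections over a constructed Login log: a run of failed logins that ends in a success, and a successful login from a source IP the user has not been seen from before. The column names follow the Login event type as the author recalls them and should be checked against the current EventLogFile documentation; the sample rows and the KNOWN_IPS baseline are constructed.

```python
"""Two detections over a Salesforce Login event log file.

Added example, not Salesforce's own code. SAMPLE_LOGIN_LOG is constructed;
its columns (EVENT_TYPE, TIMESTAMP_DERIVED, USER_NAME, SOURCE_IP, LOGIN_STATUS)
are assumed to match the Login event type and should be verified against the
EventLogFile documentation before running this over real downloads.
"""
import csv
import io
from collections import Counter, defaultdict

SAMPLE_LOGIN_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,SOURCE_IP,LOGIN_STATUS
Login,2018-01-15T08:02:11Z,alice@example.com,203.0.113.10,LOGIN_NO_ERROR
Login,2018-01-15T08:05:42Z,bob@example.com,203.0.113.11,LOGIN_NO_ERROR
Login,2018-01-15T09:10:03Z,carol@example.com,198.51.100.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2018-01-15T09:10:09Z,carol@example.com,198.51.100.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2018-01-15T09:10:15Z,carol@example.com,198.51.100.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2018-01-15T09:10:21Z,carol@example.com,198.51.100.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2018-01-15T09:10:28Z,carol@example.com,198.51.100.7,LOGIN_ERROR_INVALID_PASSWORD
Login,2018-01-15T09:11:02Z,carol@example.com,198.51.100.7,LOGIN_NO_ERROR
Login,2018-01-15T23:40:00Z,alice@example.com,192.0.2.200,LOGIN_NO_ERROR
"""

SUCCESS = "LOGIN_NO_ERROR"

# Constructed baseline: source IPs each user normally logs in from.
KNOWN_IPS = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.11"},
    "carol@example.com": {"198.51.100.7"},
}


def parse_login_log(text):
    """Parse the CSV text of a downloaded Login event log file into row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def failed_logins_by_user(rows):
    """Count of non-successful login attempts per username."""
    return Counter(r["USER_NAME"] for r in rows if r["LOGIN_STATUS"] != SUCCESS)


def success_after_failures(rows, threshold=5):
    """Users with at least `threshold` consecutive failures followed directly by
    a success: the trace a guessed or reset password tends to leave. Returns
    (user, source IP of the success, number of preceding failures)."""
    streak = defaultdict(int)
    flagged = []
    for r in sorted(rows, key=lambda r: r["TIMESTAMP_DERIVED"]):
        user = r["USER_NAME"]
        if r["LOGIN_STATUS"] == SUCCESS:
            if streak[user] >= threshold:
                flagged.append((user, r["SOURCE_IP"], streak[user]))
            streak[user] = 0
        else:
            streak[user] += 1
    return flagged


def logins_from_new_ips(rows, known_ips):
    """Successful logins from a source IP outside the user's known set."""
    return [
        (r["USER_NAME"], r["SOURCE_IP"], r["TIMESTAMP_DERIVED"])
        for r in rows
        if r["LOGIN_STATUS"] == SUCCESS
        and r["SOURCE_IP"] not in known_ips.get(r["USER_NAME"], set())
    ]


if __name__ == "__main__":
    rows = parse_login_log(SAMPLE_LOGIN_LOG)
    print("failures per user:", dict(failed_logins_by_user(rows)))
    print("success after failure run:", success_after_failures(rows))
    print("logins from new IPs:", logins_from_new_ips(rows, KNOWN_IPS))
```

Both detections are deliberately simple; the point is that a one-day retention window (Developer Edition, or the free login/logout files) is enough for this kind of daily check only if the files are pulled and kept every day, since the baseline of known IPs has to be built from earlier files.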
Check the below link for API

To download an event log file from the browser, follow the steps below

1. Go to

2. Click Sandbox or Production based on the environment where you want to download.

3. Click "Allow Access".

4. Enter Date Range.

5. Click Apply.


Methods to Provision or give Access to Salesforce Communities Users

Account the contact is associated with, and its impact on user provisioning

Person account - Can only create customer users

Non-partner account - Can only create customer users

Partner account - Can create customer and partner users

Manual Creation

To manually provision an external user for a Person account or non-partner account:

1. Go to the Contact detail page.

2. Click Manage External User.

3. Click Enable Customer User or Enable Partner User.

Enable Self-Registration in the Community

Go to the Communities setup overlay, select the “Login Page” tab, and enable Self-Registration. Optionally, select a default profile to assign to self-registered users. Only profiles that were previously added to the community are shown.

API Provisioning

You can provision community users by using the SOAP or REST API on the User object. When using this API, keep in mind that the Community user must be associated with a valid contact and account, so these fields need to be set. The account must also be owned by a Salesforce user that has a role.

We also provide the following methods to provision a new user through Apex:

createPortalUser(user, accountId, password) lets you create an external user associated with a Customer or Partner account.

createPersonAccountPortalUser(user, ownerId, password) lets you create an external user associated with a Person Account.

Social Sign-On Provisioning

Social Sign-On enables users to authenticate from a range of identity providers, including Facebook, Google, Microsoft, Amazon, PayPal, any OpenID Connect provider, and even other orgs (future plans include support for LinkedIn and Twitter as well). Social sign-on is key to a new way of acquiring prospects and servicing customers. As part of the process, users are created or updated on the fly using Registration Handlers.

Just-In-Time Provisioning over SAML 

With Just-in-Time provisioning, you can use a SAML assertion to create regular and portal users on the fly the first time they try to log in. This eliminates the need to create user accounts in advance. For example, if you have a customer that needs access to your support Community, you don’t need to manually create the user in Salesforce. When they log in with single sign-on, their account is automatically created for them, eliminating the time and effort with on-boarding the account. This greatly simplifies the integration work required in scenarios where users need to be dynamically provisioned, by combining the provisioning and single sign-on processes into a single message.

Just-in-Time provisioning works with your SAML identity provider to pass the correct user information to Salesforce in a SAML 2.0 assertion attribute statement. You can both create and modify users, contacts, and accounts this way. Because Just-in-Time provisioning uses SAML to communicate, your organization must have SAML-based single sign-on enabled.
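The two SAML-side checks discussed on this page, the timestamp failure the SAML Assertion Validator reports (an assertion used too long after it was generated) and the attribute statement that Just-in-Time provisioning reads, can be exercised offline with the following added example. It is not Salesforce's validator or its JIT handler. The assertion is constructed and unsigned (signature verification is out of scope here); the User.* attribute names follow the Just-in-Time provisioning convention, while the expected audience, the allowed clock skew and the REQUIRED_FOR_JIT list are assumptions to be set from the org's SAML settings and the JIT documentation.

```python
"""Check a SAML assertion's Conditions and read its JIT attribute statement.

Added example, not Salesforce's code. SAMPLE_ASSERTION is constructed and
unsigned. The expected audience, the clock skew and REQUIRED_FOR_JIT are
assumptions; take the real values from the org's SAML settings and the
Just-in-Time provisioning documentation.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: valid from 09:59 to 10:05 UTC on 2018-01-15.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2018-01-15T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2018-01-15T09:59:00Z" NotOnOrAfter="2018-01-15T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://saml.salesforce.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="User.Username"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.ProfileId"><saml:AttributeValue>00e_PLACEHOLDER_PROFILE_ID</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Assumed set of attributes a JIT assertion must carry; verify against the JIT docs.
REQUIRED_FOR_JIT = ("User.Username", "User.Email", "User.LastName", "User.ProfileId")


def parse_saml_time(value):
    """SAML timestamps are UTC in the form 2018-01-15T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now, expected_audience, skew=timedelta(minutes=3)):
    """Return a list of problems with the assertion's Conditions; empty means OK.
    `skew` (assumed value) tolerates small clock differences between IdP and SP."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ["assertion has no Conditions element"]
    problems = []
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        problems.append(f"assertion not yet valid: NotBefore={not_before}")
    # NotOnOrAfter is exclusive: the assertion is expired at that instant.
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        problems.append(f"assertion expired: NotOnOrAfter={not_on_or_after}")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and expected_audience not in audiences:
        problems.append(f"audience mismatch: {audiences} does not include {expected_audience}")
    return problems


def jit_attributes(assertion_xml):
    """Attribute statement as a dict: single values as str, repeated values as list."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    return attrs


def missing_jit_attributes(attrs, required=REQUIRED_FOR_JIT):
    """Names from the (assumed) required list that the assertion does not carry."""
    return [name for name in required if not attrs.get(name)]


if __name__ == "__main__":
    audience = "https://saml.salesforce.com"
    for when in ("2018-01-15T10:01:00Z", "2018-01-15T10:30:00Z"):
        print(when, check_conditions(SAMPLE_ASSERTION, parse_saml_time(when), audience) or "OK")
    attrs = jit_attributes(SAMPLE_ASSERTION)
    print(attrs, "missing:", missing_jit_attributes(attrs))
```

Running the block at 10:01 passes, while the same assertion at 10:30 reports the "expired" problem, which is the case the validator steps above describe; the remedy is the one the page gives, regenerate the assertion rather than widen the window.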

Mass-User Provisioning

Data Loader
Data Loader is a great option for non-developers who want to mass upload users.

Follow these steps to mass upload users using Data Loader:

1. Set up your Community accounts (Partner or Customer).

2. Add contacts to the accounts.

3. Create the Community Role that your Users will be using (for role-based users only).

4. Create a .csv import file for importing users.

5. Export the contacts for which you want to create users.

6. Add contact info to the .csv import file; complete empty fields.

7. Import the .csv file through Data Loader.

Once your accounts and contacts are set up, create a .csv file with the following information to create new users:

– RoleId (optional, otherwise default to user role)

– FirstName

– LastName

– ContactId (use the contact id of previously created contact)

– ProfileId

– Username

– Email

– Alias

– TimeZoneSidKey

– LocaleSidKey

– EmailEncodingKey

– LanguageLocaleKey
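Steps 5 to 7 above (export the contacts, fill the import file, load it) are easy to get wrong by hand: a missing required column, an Alias over 8 characters or a duplicate Username each fails a row. The following added example (not Salesforce's or Data Loader's code) builds the import file from a constructed contact export using exactly the field list above and checks the rows before they are loaded. The profile ID is a placeholder, and the Alias rule (first initial plus last name, cut to 8 characters) and the ".community" username suffix are the author's conventions, not Salesforce requirements.

```python
"""Build and check a Data Loader user import file from an exported contact list.

Added example, not Salesforce's or Data Loader's code. EXPORTED_CONTACTS and
the profile ID are constructed placeholders; the Alias and username-suffix
rules are the author's conventions.
"""
import csv
import io
import re

# The field list from the post, in import order.
USER_COLUMNS = [
    "RoleId", "FirstName", "LastName", "ContactId", "ProfileId", "Username",
    "Email", "Alias", "TimeZoneSidKey", "LocaleSidKey", "EmailEncodingKey",
    "LanguageLocaleKey",
]

# Constructed export from step 5: Contact Id, names and email of the contacts to enable.
EXPORTED_CONTACTS = """Id,FirstName,LastName,Email
0031234567890ABCDE,Ada,Lovelace,ada@example.com
0031234567890ABCDF,Alan,Turing,alan@example.com
0031234567890ABCDG,Grace,Hopper,grace@example.com
"""

# Locale settings applied to every row (constructed defaults).
DEFAULTS = {
    "TimeZoneSidKey": "America/Los_Angeles",
    "LocaleSidKey": "en_US",
    "EmailEncodingKey": "UTF-8",
    "LanguageLocaleKey": "en_US",
}


def make_alias(first, last, taken):
    """Alias is limited to 8 characters; append a digit on collision."""
    base = re.sub(r"[^a-z0-9]", "", (first[:1] + last[:7]).lower()) or "user"
    alias, n = base, 1
    while alias in taken:
        suffix = str(n)
        alias = base[: 8 - len(suffix)] + suffix
        n += 1
    taken.add(alias)
    return alias


def build_user_rows(contacts_csv, profile_id, role_id="", username_suffix=".community"):
    """One user row per exported contact (step 6: add contact info, fill the rest)."""
    rows, taken = [], set()
    for c in csv.DictReader(io.StringIO(contacts_csv)):
        rows.append({
            "RoleId": role_id,  # optional per the list above; blank means the default
            "FirstName": c["FirstName"],
            "LastName": c["LastName"],
            "ContactId": c["Id"],
            "ProfileId": profile_id,
            # Usernames must be unique across all orgs; the suffix keeps the
            # community login distinct from an internal user with the same email.
            "Username": c["Email"] + username_suffix,
            "Email": c["Email"],
            "Alias": make_alias(c["FirstName"], c["LastName"], taken),
            **DEFAULTS,
        })
    return rows


def validate_rows(rows):
    """Problems the import would fail on, found before the load instead of after."""
    problems, seen = [], set()
    for i, r in enumerate(rows, 1):
        for col in USER_COLUMNS:
            if col != "RoleId" and not r.get(col):
                problems.append(f"row {i}: {col} is empty")
        if len(r["Alias"]) > 8:
            problems.append(f"row {i}: Alias longer than 8 characters")
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", r["Username"]):
            problems.append(f"row {i}: Username is not in email format")
        if r["Username"].lower() in seen:
            problems.append(f"row {i}: duplicate Username")
        seen.add(r["Username"].lower())
    return problems


def to_csv(rows):
    """The .csv text to hand to Data Loader in step 7."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=USER_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    users = build_user_rows(EXPORTED_CONTACTS, "00e_PLACEHOLDER_PROFILE_ID")
    print(validate_rows(users) or "no problems")
    print(to_csv(users))
```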


Difference between SAML and OAuth

Overview of SAML
1. The user makes a request to for a specific resource.
2. detects the user needs to authenticate and redirects the user to their SAML Identity Provider.
3. The user accesses their IdP and authenticates.
4. Once authenticated, the IDP sends a SAML Response back to
5. processes the SAML assertion and logs the user in.

Overview of OAuth

1. The OAuth Client makes an authorization request.
2. The Authorization Server authenticates the user.
3. The user authorizes the application.
4. The application is issued an OAuth token.


App Launcher in Salesforce

Set up, use, and manage the Salesforce App Launcher, which provides a single sign-on portal for your users to launch approved Salesforce apps and external applications (also called "Connected Apps") from one interface. Administrators can use profiles and permission sets for granular control over who sees the App Launcher and which apps appear in each user's App Launcher. Salesforce also provides tools and API support to customize the App Launcher, monitor usage, and block or unblock specific apps as needed.

1. Enable Use Identity Features in System Permissions.

2. Enable App Launcher Tab Settings

3. Select App Launcher.

4. Use App Menu to organize Apps.


How to set Session Security Levels in Salesforce?

1. Go to Session Settings.

2. Add/Remove Session Security Levels.


Single Sign On Security in Salesforce

It is important to test the security of the Single Sign-On implementation. Because single sign-on lets a user in without entering a username and password in Salesforce, a flaw in the implementation may expose sensitive data to an attacker.

Single sign-on issues arise for developers integrating with when either the API Partner Server URL is not validated or SSL is not used when a non-native application calls back to an external server with a user’s session ID. This may result in exposure of the API session ID or Salesforce data to an attacker.

Check the below link


How to setup Federated Single Sign-On Using SAML in Salesforce?

1. Go to Single sign-On Settings.

2. Select SAML Enabled in the Federated Single Sign-On Using SAML section, then click New in the SAML Single Sign-On Settings section to configure it.


How to setup Delegated Authentication in Salesforce?

1. Go to Single Sign-On Settings.

2. Set Delegated Gateway URL.

Forces a callout to the gateway URL, even after a failure due to restrictions set in the profile (such as IP range restrictions).


What is the purpose of Auth. Providers in Salesforce?

Auth. Providers let users log in to your Salesforce org using their non-Salesforce credentials. Implement a custom external authentication provider if your OAuth app doesn’t support OpenID Connect. If your app supports OpenID Connect, you can use one of the authentication providers that Salesforce provides.

External users can log in using their credentials from Facebook©, Janrain©, or another Salesforce organization if you set up authentication providers on the Auth. Providers page in Setup and choose to display them on the community login page.

To configure, check the below link

Sample Examples:


Salesforce Certified Platform Developer I - BETA - WI18 is available for Free!!!

To Register for the Certification, follow the below steps

1. Visit and create a new account for you if you are applying for Salesforce certification for the first time.

2. Click Register Exam.

3. Click Register button to register for the exam.


All the best!!!

Salesforce Interview Questions with Answers Part 47

1. What does the data type sObject represent?
An sObject variable represents a row of data and can only be declared in Apex using the SOAP API name of the object.
For example:
Account a = new Account();
MyCustomObject__c co = new MyCustomObject__c();

2. What are some of the collections types you can use in Apex?

3. Syntax for catching errors in Apex?

4. Unit testing in Salesforce?

5. What is the use of Metadata API?

6. Difference between Enterprise and Partner wsdl in Salesforce

7. When to use Trigger instead of workflow rules?

8. What is the use of With Sharing keyword?

9. What is the use of transient keyword in Salesforce?

10. What are future methods?

11. What VF standard component would you use to display data in a table?


12. What is the use of reRender attribute?

13. What is the use of apex:actionStatus?

14. Order of execution in Salesforce

15. Difference between Lookup and Master-Detail relationship in Salesforce

16. Test classes for webservice classes?

17. How to handle locking exception?

18. How to improve VF performance?


How to handle locking exception?

When an sObject record is locked, no other client or user is allowed to make updates either through code or the Salesforce user interface. The client locking the records can perform logic on the records and make updates with the guarantee that the locked records won’t be changed by another client during the lock period.

Apex has the possibility of deadlocks, as does any other procedural logic language involving updates to multiple database tables or rows.

To avoid such deadlocks, the Apex runtime engine:

1. First locks sObject parent records, then children.

2. Locks sObject records in order of ID when multiple records of the same type are being edited.

As a developer, use care when locking rows to ensure that you are not introducing deadlocks. Verify that you are using standard deadlock avoidance techniques by accessing tables and rows in the same order from all locations in an application.


How to view Feed tab of Case record in Console app in Salesforce?

1. Open Console app.

2. Open any Case Record.

3. Click Feed Tab.


Salesforce Interview Questions with Answers Part 46

1. How to show setup in Visualforce page as Side Bar?

2. File Upload and Download Security in Salesforce

3. In converting VF to Lightning should we replace the whole page?

No. We can change wherever required.

To style your Visualforce page to match the Lightning Experience UI when viewed in Lightning Experience or the Salesforce app, set lightningStylesheets="true" in the <apex:page> tag. When the page is viewed in Salesforce Classic, it doesn’t get Lightning Experience styling.

4. When using APIs, REST APIs – how do we make the user stay on the same page even if the response takes more time? 

apex:actionStatus can be used.

5. Why we use SOSL instead of SOQL?