Salesforce Certified Identity and Access Management Practice

What is a best practice when implementing Delegated Authentication SSO in Salesforce?

• A. Use any server for deploying the web service
• B. Deploy the web service on a server in your DMZ
• C. Do not implement trusted IP ranges
• D. Generate server stub without using WSDL

The correct answer is: Deploy the web service on a server in your DMZ

When implementing Delegated Authentication Single Sign-On (SSO) in Salesforce, deploying the web service on a server in your Demilitarized Zone (DMZ) is indeed a best practice. This is because placing the web service in the DMZ enhances the security of the authentication process. The DMZ acts as a buffer zone between the external network (the Internet) and the internal network, allowing you to control access to sensitive data and applications. By hosting the web service in the DMZ, you minimize direct exposure of your internal resources to the outside world. This setup allows the authentication requests to be processed securely while maintaining a layer of protection against malicious attempts to access your internal systems directly. It enables Salesforce to communicate with the authentication service without compromising the security of your internal network. Other practices, such as using any server for deploying the web service or generating a server stub without using the Web Services Definition Language (WSDL), do not provide the same level of security and may expose your organization to vulnerabilities. Furthermore, implementing trusted IP ranges typically aims to enhance security and is often recommended to prevent unauthorized access, making it another practice that aligns well with secured environments.