IAM June 2023 Set 2
Universal Containers want users to be able to log in to the Salesforce mobile app with their Active Directory password. Employees are unable to use mobile VPN. Which two options should an identity architect recommend to meet the requirement? Choose 2 answers A. Salesforce Identity Connect B. Configure Cloud Provider Load Balancer C. Active Directory Password Sync Plugin D. Salesforce Trigger & Field on Contact Object
A C
A consumer products company uses Salesforce to maintain consumer information, including orders. The company implemented a portal solution using Salesforce Experience Cloud for its consumers where the consumers can log in using their credentials. The company is considering allowing users to login with their Facebook or LinkedIn credentials. Once enabled, what role will Salesforce play? A. Salesforce will be the service provider (SP) B. Salesforce will be the identity provider (Idp) C. Facebook and LinkedIn will be the SPS. D. Facebook and LinkedIn will act as the IdPs and SPs
A
A financial enterprise is planning to set up a user authentication mechanism to login to the Salesforce system. Due to regulatory requirements, the CIO of the company wants user administration, including passwords and authentication requests, to be managed by an external system that is only accessible via a SOAP webservice. Which authentication mechanism should an identity architect recommend to meet the requirements? A. Delegated Authentication B. Just-in-Time Provisioning C. OAuth Web-Server Flow D. Identity Connect
A
A global fitness equipment manufacturer is planning to sell fitness tracking devices and has the following Requirements: 1) Customer purchases the device. 2) Customer registers the device using their mobile app. 3) A case should automatically be created in Salesforce and associated with the customers account in cases where the device registers issues with tracking. Which OAuth flow should be used to meet these requirements? A. OAuth 2.0 Asset Token Flow B. OAuth 2.0 Username-Password Flow C. OAuth 2.0 SAML Bearer Assertion Flow D. OAuth 2.0 User-Agent Flow
A
A global fitness equipment manufacturer uses Salesforce to manage its sales cycle. The manufacturer has a custom order fulfillment app that needs to request order data from Salesforce. The order fulfillment app needs to integrate with the Salesforce API using OAuth 2.0 protocol. What should an identity architect use to fulfill this requirement? A. Connected App and OAuth Scopes B. Canvas App Integration C. OAuth Tokens D. Authentication Providers
A
A leading fitness tracker company is getting ready to launch a customer community. The company wants its customers to login to the community and connect their fitness device to their profile. Customers should be able to obtain exercise details and fitness recommendation in the community. Which should be used to satisfy this requirement? A. OAuth Device Flow B. Single Sign-On Settings C. Named Credentials D. Login Flows
A
A third-party app provider would like to have users provisioned via a service endpoint before users access their app from Salesforce. What should an identity architect recommend to configure the requirement with limited changes to the third-party App? A. Use a connected app with user provisioning flow B. Redirect users to the third-party app for registration. C. Use Salesforce identity with Security Assertion Markup Language (SAML) for provisioning users D. Create Canvas app in Salesforce for third-party app to provision users.
A
A web service is developed that allows secure access to customer order status on the Salesforce Platform. The Service connects to Salesforce through a connected app with the web server flow. The following are the required Actions for the authorization flow: 1. User Authenticates and Authorizes Access 2. Request an Access Token 3. Salesforce Grants an Access Token 4. Request an Authorization Code 5. Salesforce Grants Authorization Code What is the correct sequence for the authorization flow? A. 4, 5, 2, 3, 1 B. 2, 1, 3, 4, 5 C. 1, 4, 5, 2, 3 D. 4, 1, 5, 2, 3
A
An Identity and Access Management (IAM) architect is tasked with unifying multiple B2C Commerce sites and an Experience Cloud community with a single identity. The solution needs to support more than 1,000 logins per minute. What should the IAM do to fulfill this requirement? A. Confirm performance considerations with Salesforce Customer Support due to high peaks B. Create a default account for capturing all ecommerce contacts registered on the community because person Account is not supported for this case C. Configure both the community and the commerce sites as OAuth2 RPs (relying party) with an external identity provider D. Configure community as a Security Assertion Markup Language (SAML) identity provider and enable Just-in-Time Provisioning to B2C Commerce
A
An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The following are the requirements for the solution: 1. Users should not have to login every time they use the app. 2. The app should be able to make calls to the Salesforce REST API. 3. End users should NOT see the OAuth approval page. How should the identity architect configure the Salesforce connected app to meet the requirements? A. Enable the API Scope and Offline Access Scope, upload a certificate so JWT Bearer Flow can be used And then set the connected app access settings to "Admin Pre Approved". B. Enable the API Scope and Offline Access Scope on the connected app, and then set the connected C. Enable the API Scope and Offline Access Scope on the connected app, and then set the Connected App access settings to "User may self authorize" D. Enable the Full Access Scope and then set the connected app access settings to 'Admin Pre-Approved'.
A
Northern Trail Outfitters (NTO) believes a specific user account may have been compromised. NTO inactivated the user account and needs to perform a forensic analysis and identify signals that could indicate a breach has occurred. What should NTO's first step be in gathering signals that could indicate account compromise? A. Download the Login History and evaluate the details of logins performed by the user. B. Download the Setup Audit Trail and review all recent activities performed by the user. C. Download the Identity Provider Event Log and evaluate the details of activities performed by the User D. Review the User record and evaluate the login and transaction history.
A
Northern Trail Outfitters (NTO) uses the Customer 360 Platform implemented on Salesforce Experience Cloud. The development team in charge has learned of a contactless user feature, which can reduce the overhead of managing customers and partners by creating users without contact information. What is the potential impact to the architecture if NTO decides to implement this feature? A. Contactless user feature is available only with the External Identity license, which can restrict the Experience Cloud functionality available to the user B. Custom registration handler is needed to correctly assign External Identity or Community license for the newly registered contactless user C. Password less authentication can not be supported because the mobile phone receiving one-time password (OTP) needs to match the number on the contact record D. If contactless user is upgraded to Community license, the contact record is automatically created and linked to the user record, but not associated with an Account
A
Northern Trail Outfitters (NTO) utilizes a third-party cloud solution for an employee portal. NTO also owns Salesforce Service Cloud and would like employees to be able to login to Salesforce with their third-party portal credentials for a seamless experience. The third-party employee portal only supports OAuth. What should an identity architect recommend to enable single sign-on (SSO) between the portal and Salesforce? A. Configure SSO to use the third party portal as an identity provider. B. Add the third-party portal as a connected app. C. Configure Salesforce for Delegated Authentication. D. Create a custom external authentication provider.
A
Northern Trail Outfitters wants to implement a partner community. Active community users will need to review and accept the community rules, and update key contact information for each community member before their annual partner event. Which approach will meet this requirement? A. Create a login flow that conditionally prompts users who have not accepted the new community rules and who have missing or outdated information B. Create tasks for users who need to update their data or accept the new community rules. C. Add a banner to the community Home page asking users to update their profile and accept the new community rules. D. Create a custom landing page and email campaign asking all community members to login and verify their data.
A
Universal Containers (UC) is planning to add Wi-Fi enabled GPS tracking devices to its shipping containers so that the GPS coordinates data can be sent from the tracking device to its Salesforce production org via a custom API. The GPS devices have no direct user input or output capabilities. Which OAuth flow should the identity architect recommend to meet the requirement? A. OAuth 2.0 Asset Token Flow for Securing Connected Devices B. Oauth 2.0 Username-Password Flow for Special Scenarios C. 2.0 JWT Bearer Flow for Server-to-Server Integration D. OAuth 2.0 Web Server Flow for Web App Integration
A
Universal Containers built a custom mobile app for their field reps to create orders in Salesforce. OAuth is used for authenticating mobile users. The app is built in such a way that when a user session expires after Initial login, a new access token is obtained automatically without forcing the user to log in again. While that improved the field reps' productivity, UC realized that they need a "logout" feature. What should the logout function perform in this scenario, where user sessions are refreshed automatically? A. Invoke the revocation URL and pass the refresh token. B. Clear out the client Id to stop auto session refresh. C. Invoke the revocation URL and pass the access token. D. Clear out all the tokens to stop auto session refresh.
A
Users logging into Salesforce are frequently prompted to verify their identity. The identity architect is required to provide recommendations so that frequency of prompt verification can be reduced. What should the identity architect recommend to meet the requirement? A. Set trusted IP ranges for the organization B. Implement multi-factor authentication for the Salesforce org C. Implement 2FA authentication for the Salesforce org D. Implement an single sign-on for Salesforce using an external identity provider
A
Which item should an Identity architect consider when designing a Delegated Authentication implementation? A. The web server should be secured with TLS using Salesforce trusted certificates B. The web server should be able to accept one to four inout method parameters. C. The web service should use the Salesforce Federation ID to identify the users D. The web service should implement a custom password decryption method
A
Universal Containers (UC) uses Salesforce as a CRM and identity provider (IDP) for their Sales Team to seamlessly login to internal portals. The IT team at UC is now evaluating Salesforce to act as an IdP for its remaining employees. Which Salesforce license is required to fulfill this requirement? A. Identity Only B. Identity Verification C. Identity Connect D. External Identity
A The "Identity Only" license is designed for scenarios where an organization wants to use Salesforce solely as an identity provider (IdP) for external users, such as partners, customers, or employees who do not require full Salesforce user licenses. The "External Identity" license may offer additional capabilities beyond pure identity authentication, but if only identity authentication is required, the "Identity Only" license would be sufficient and could be a more cost-effective option.
Universal Containers is implementing a new Experience Cloud site and the identity architect wants to use dynamic branding features as part of the login process. Which two options should the identity architect recommend to support dynamic branding for the site? Choose 2 A. To use dynamic branding, the community must be built with the Customer Account Portal template B. An experience ID (expid) or placeholder parameter must be used in the URL to represent the brand. C. An external content management system (CMS) must be used for dynamic branding on Experience Cloud sites D. To use dynamic branding, the community must be built with the Visualforce + Salesforce Tabs template
A B
Universal Containers is creating a web application that will be secured by Salesforce Identity using the OAuth 2.0 Web Server Flow (this flow uses the OAuth 2.0 authorization code grant type). Which three OAuth concepts apply to this flow? Choose 3 answers A. Client Secret B. Scopes C. Access Token D. Authentication Token E. Verification URL
A B C
Northern Trail Outfitters would like to use a portal built on Salesforce Experience Cloud for customer self-service. Guests of the portal should be able to self register, but be unable to automatically be assigned to a contact record, until verified. External Identity licenses have been purchased for the project. After registered guests complete an onboarding process, a flow will create the appropriate account and contact records for the user. Which three steps should an identity architect follow to implement the outlined requirements? Choose 3 answers A. Enable "Allow customers and partners to self-register". B. Customize the self-registration Apex handler to create only the user record. C. Set up an external login page and call Salesforce APIs for user creation D. Select the "Configurable Self-Reg Page" option under Login & Registration. E. Customize the self-registration Apex handler to temporarily associate the user to a shared single contact record.
A B D
Northern Trail Outfitters (NTO) has an existing business-to-consumer (B2C) website that does not support single sign-on standards, such as Security Assertion Markup Language (SAML) or OAuth. NTO wants to use Salesforce Identity to register and authenticate new customers on the website. Which three Salesforce features should an Identity architect use in order to provide social sign-in capabilities for the website? Choose 3 answers A. Authentication Providers B. Connected Apps C. Delegated Authentication D. Embedded Login E. Identity Connect
A B D Delegated Authentication allows Salesforce to delegate user authentication to an external system. It is not specifically designed for providing social sign-in capabilities with social identity providers like Google or Facebook Identity Connect is an on-premises solution provided by Salesforce that allows organizations to synchronize user identities between their on-premises directory (e.g., Active Directory) and Salesforce.
Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow (this flow uses the OAuth 2.0 implicit grant type). Which three OAuth concepts apply to this flow? Choose 3 answers A. Client ID B. Refresh Token C. Authorization Code D. Verification Code E. Scopes
A B E
Northern Trail Outfitters (NTO) uses Salesforce for Sales Opportunity Management. Okta was recently brought in to Just-in-Time (JIT) provision and authenticate NTO users to applications. Salesforce users also use Okta to authorize a Forecasting web application to access Salesforce records on their behalf. Which two roles are being performed by Salesforce? Choose 2 answers A. SAML Service Provider B. OAuth Client C. OAuth Resource Server D. SAML Identity Provider
A C
The CIO of universal containers(UC) wants to start taking advantage of the refresh token capability for the UC applications that utilize Oauth 2.0. UC has listed an architect to analyze all of the applications that use Oauth flows to see where Refresh Tokens can be applied. Which two OAuth flows should the architect consider in their evaluation? Choose 2 answers A . Web server B . JWT bearer token C . User-Agent D . Username-password
A C
Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, who use SAML based sign sign-on to login to Salesforce. The default agent profile does not include the Manage User permission. UC wants to dynamically update the agent role and permission sets. Which two mechanisms are used to provision agents with the appropriate permissions? Choose 2 answers A. Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets. B. Use SAML Just-in-Time (JIT) Handler class run as current user to update role and permission sets. C. Use Login Flow in System Context to update role and permission sets. D. Use Login Flow in User Context to update role and permission sets.
A C
Universal Containers (UC) rolling out a new Customer Identity and Access Management Solution will be built on top of their existing Salesforce instance. Several service providers have been setup and integrated with Salesforce using OpenID Connect to allow for a seamless single sign-on experience. UC has a requirement to limit user access to only a subset of service providers per customer type. Which two steps should be done on the platform to satisfy the requirement? Choose 2 answers A. Set each of the Connected App access settings to Admin Pre-Approved B. Assign the connected app to the customer community, and enable the users profile in the Community settings C. Use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps D. Manage which connected apps a user has access to by assigning authentication providers to the users profile
A C
Northern Trail Outfitters (NTO) recently purchased Salesforce Identity Connect to streamline user provisioning across Microsoft Active Directory (AD) and Salesforce Sales Cloud. NTO has asked an identity architect to identify which Salesforce security configurations can map to AD permissions. Which three Salesforce permissions are available to map to AD permissions? Choose 3 answers A. Roles B. Field-Level Security C. Profiles and Permission Sets D. Public Groups E. Sharing Rules
A C D
Universal Containers (UC) has decided to use Identity Connect as it's identity provider. UC uses Active Directory (AD) and has a team that is very familiar and comfortable with managing AD groups. UC would like to use AD groups to help configure Salesforce users . Which three actions can AD groups control through Identity Connect? Choose 3 answers A . Public Group Assignment B . Granting report folder access C . Role Assignment D . Custom permission assignment E . Permission sets assignment
A C E
A global company is using the Salesforce Platform as an Identity Provider and needs to integrate a third-party application with its Experience Cloud customer portal. Which two features should be utilized to provide users with login and identity services for the third-party Application? Choose 2 answers A. Use a connected app. B. External a Data source with Named Principal identity type. C. Use Delegated Authentication. D. Use the App Launcher with single sign-on (SSO).
A D
Universal Containers (UC) is using its production org as the identity provider for a new Experience Cloud site and the identity architect is deciding which login experience to use for the site. Which two page types are valid login page types for the site? Choose 2 answers A. Embedded Login Page B. Experience Builder Page C. Lightning Experience Page D. Login Discovery Page
A D
Which two are valid choices for digital certificates when setting up two-way SSL between Salesforce and an external system. Choose 2 answers. A. Use a trusted CA-signed certificate for Salesforce and a trusted CA-signed certificate for the external system B. Use a trusted CA-signed certificate for Salesforce and a self-signed certificate for the external system C. Use a self-signed certificate for Salesforce and a self-signed certificate for the external system D. Use a self-signed certificate for Salesforce and a CA-signed certificate for the external system
A D
A global company's Salesforce Identity Architect is reviewing its Salesforce production org login history and is seeing some intermittent Security Assertion Markup Language (SAML SSO) 'Replay Detected' and 'Assertion Invalid' login errors. Which two issues would cause these errors? Choose 2 answers A. The subject element is missing from the assertion sent to Salesforce B. The current time setting of the company's identity provider (IdP) and Salesforce platform is out of sync by more than eight minutes C. The certificate loaded into SSO configuration does not match the certificate used by the IdP. D. The assertion sent to Salesforce contains an assertion ID previously used.
AD
A company wants to provide its employees with a custom mobile app that accesses Salesforce. Users are required to download the internal native IOS mobile app from corporate intranet on their mobile device. The app allows flexibility to access other Non Salesforce internal applications once users authenticate with Salesforce. The apps self-authorize, and users are permitted to use the apps once they have logged into Salesforce. How should an identity architect meet the above requirements with the privately distributed mobile app? A. Use Salesforce as an identity provider (IdP) to access the mobile app and use the external IdP for other non-Salesforce internal apps. B. Configure Mobile App settings in connected app and Salesforce as identity provider for non Salesforce internal apps. C. Create a new hybrid mobile app and use the connected app with OAuth to authenticate users for Salesforce and non-Salesforce internal apps D. Use connected app with OAuth and Security Assertion Markup Language (SAML) to access other Non Salesforce internal apps
B
A division of a Northern Trail Outfitters (NTO) purchased Salesforce. NTO uses a third party Identity Provider (IdP) to validate user credentials against its corporate Lightweight Directory Access Protocol (LDAP) directory. NTO wants to help employees remember as few passwords as possible. What should an identity architect recommend? A. Setup Salesforce as an IdP to authenticate against the LDAP directory B. Setup Salesforce as a Service Provider to the existing IdP C. Use Salesforce connect to synchronize LDAP passwords to Salesforce D. Setup Salesforce as an Authentication Provider to the existing IdP
B
A manufacturer wants to provide registration for an Internet of Things (IoT) device with limited display input or capabilities. Which Salesforce OAuth authorization flow should be used? A. OAuth 2.0 Asset Token Flow B. OAuth 2.0 Device Flow C. OAuth 2.0 User-Agent Flow D. OAuth 2.0 JWT Bearer Flow
B
A multinational industrial products manufacturer is planning to implement Salesforce CRM to manage their business. They have the following requirements: 1. They plan to implement Partner communities to provide access to their partner network 2. They have operations in multiple countries and are planning to implement multiple Salesforce orgs. 3. Some of their partners do business in multiple countries and will need information from multiple Salesforce Communities. 4. They would like to provide a single login for their partners. How should an Identity Architect solution this requirement with limited custom development? A. Consolidate Partner related information in a single org and provide access through Salesforce community. B. Create a partner login for the country of their operation and use SAML federation to provide access to other orgs C. Register partners in one org and access information from other orgs using APIS. D. Allow partners to choose the Salesforce org they need information from and use login flows to authenticate access.
B
An Identity and Access Management (IAM) Architect is recommending Identity Connect to integrate Microsoft Active Directory (AD) with Salesforce for user provisioning, deprovisioning and single sign-on (SSO). Which feature of Identity Connect is applicable for this scenario? A. Identity Connect can be deployed as a managed package on Salesforce org, leveraging High Availability of Salesforce Platform out-of-the-box B. When Identity Connect is in place, if a user is deprovisioned in an on-premise AD, the user's Salesforce session is revoked immediately C. When configured, Identity Connect acts as an identity provider to both Active Directory and Salesforce, thus providing sso as a default feature D. If the number of provisioned users exceeds Salesforce license allowances, Identity Connect will start disabling the existing Salesforce users in First-in, First-out (FIFO) fashion
B
An architect has successfully configured SAML-based SSO for Universal Containers. SSO has been working for 3 months when Universal Containers manually adds a batch of new users to Salesforce. The new users receive an error from Salesforce when trying to use SSO. Existing users are still able to successfully use SSO to access Salesforce .What is the probable cause of this behavior? A . The administrator forgot to reset the new user's salesforce password. B . The Federation ID field on the new user records is not correctly set C . The my domain capability is not enabled on the new user's profile. D . The new users do not have the SSO permission enabled on their profiles.
B
An insurance company has a connected app in its Salesforce environment that is used to integrate with a Google Workspace (formerly known as G Suite). An identity and access management (IAM) architect has been asked to implement automation to enable users, freeze/suspend users, disable users, and reactivate existing users in Google Workspace upon similar actions in Salesforce. Which solution is recommended to meet this requirement? A. Build a custom REST endpoint in Salesforce that Google Workspace can poll against. B. Configure User Provisioning for Connected Apps. C. Build an Apex trigger on the User Login object to make asynchronous callouts to Google APIs. D. Update the Security Assertion Markup Language Just-in-Time (SAML JIT) handler in Salesforce for User provisioning and de-provisioning
B
How should an identity architect automate provisioning and deprovisioning of users into Salesforce from an external system? A. Call SOAP API upsert() on User object. B. Run registration handler on incoming OAuth responses. C. OpenID Connect (OIDC)-userinfo endpoint with a valid access token. D. Use Security Assertion Markup Language Just-in-Time (SAML JIT) on incoming SAML assertions.
B
Northern Trail Outfitters (NTO) employees use a custom on-premise helpdesk application to request, approve, notify, and track access granted to various on premises and cloud applications, including Salesforce. Salesforce is currently used to authenticate users. How should NTO provision Salesforce users as soon as they are approved in the helpdesk application with the approved profiles and permission sets? A. Have the helpdesk initiate an IdP-initiated Just-in-Time provisioning Security Assertion Markup Language flow. B. Build an integration that performs a remote call-in to the Salesforce SOAP or REST API. C. Use Salesforce Connect to integrate with the helpdesk application D. Use a login flow to query the helpdesk to validate user status
B
Northern Trail Outfitters (NTO) is setting up Salesforce to authenticate users with an external identity provider. The NTO Salesforce Administrator is having trouble getting things setup. What should an identity architect use to show which part of the login assertion is failing? A. Connected App Manager B. Security Assertion Markup Language Validator C. Identity Provider Metadata download D. SAML Metadata file importer
B
Northern Trail Outfitters (NTO) leverages Microsoft Active Directory (AD) for management of employee usernames, passwords, permissions, and asset access. NTO also owns a third-party single sign-on (SSO) solution. The third- party party SSO solution is used for all corporate applications, including Salesforce. NTO has asked an architect to explore Salesforce Identity Connect for automatic provisioning and deprovisioning of users in Salesforce. What role does identity Connect play in the outlined requirements? A. Identity Provider B. User Management C. Single Sign-On D. Service Provider
B
Northern Trail Outfitters (NTO) wants to improve its engagement with existing customers to boost customer loyalty. To get a better understanding of its customers, NTO establishes a single customer view including their buying behaviors, channel preferences and purchasing history. All of this information exists but is spread across different systems and formats. NTO has decided to use Salesforce as the platform to build a 360 degree view. The company already uses Microsoft Active Directory (AD) to manage its users and company assets. What should an Identity Architect do to provision, deprovision and authenticate users? A. Salesforce Identity is included in the Salesforce licenses so it does not need to be considered separately B. Salesforce identity can be included but NTO will require Identity Connect C. Salesforce Identity is not needed since NTO uses Microsoft AD. D. Salesforce Identity can be included but NTO will be required to build a custom integration with Microsoft AD.
B
Universal Container's (UC) identity architect needs to recommend a license type for their new Experience Cloud site that will be used by external partners (delivery providers) for reviewing and updating their accounts, downloading files provided by UC and obtaining scheduled pickup dates from their calendar. UC is using their Salesforce production org as the identity provider for these users and the expected number of individual users is 2.5 million with 13.5 million unique logins per month. Which of the following license types should be used to meet the requirement? A. Partner Community License B. Customer Community plus Login License C. External Apps License. D. Partner Community Login License
B
Universal Containers (UC) has built a custom time tracking app for its employee. UC wants to leverage Salesforce Identity to control access to the custom app. At a minimum, which Salesforce license is required to support this requirement? A. Identity Verification B. Identity Only C. Identity Connect D. External Identity
B
Universal Containers (UC) has decided to replace the homegrown customer portal with Salesforce Experience Cloud. UC will continue to use its third-party single sign-on (SSO) solution that stores all of its customer and partner credentials. The first time a customer logs in to the Experience Cloud site through SSO, a user record needs to be created automatically. Which solution should an identity architect recommend in order to automatically provision users in Salesforce upon login? A. Custom middleware and web services B. Just-in-Time (JIT) provisioning C. Third-party AppExchange solution D. Custom login flow and Apex handler
B
Universal Containers (UC) wants its Closed Won Opportunities to be synced to a Data warehouse in near real time. UC has implemented Outbound Message to enable near real-time data sync. UC wants to ensure that communication between Salesforce and Target System is secure .What certificate is sent along with the Outbound Message? A . The Self-signed Certificates from the Certificate & Key Management menu. B . The default client Certificate from the Develop-> API menu. C . The default client Certificate or the Certificate and Key Management menu. D . The CA-signed Certificate from the Certificate and Key Management Menu.
B
Northern Trail Outfitters manages application functional permissions centrally as Active Directory groups. The CRM SuperUser and CRM_Reporting SuperUser groups should respectively give the user the Super User and Reporting Super User permission set in Salesforce. Salesforce is the service provider to a Security Assertion Markup Language (SAML) identity provider. How should an identity architect ensure the Active Directory groups are reflected correctly when a user accesses Salesforce? A. Use a login flow to query custom SAML attributes and set permission sets B. Use the Apex Just-in-Time handler to query custom SAML attributes and set permission sets. C. Use a login flow to query standard SAML attributes and set permission sets. D. Use the Apex Just-in-Time handler to query standard SAML attributes and set permission sets.
B Login Flow Use Cases Enhance or customize the login experience by adding a logo or login message. Collect and update user data, such as an email address, phone number, or mailing address. Interact with users, and ask them to perform an action. For instance, you can ask them to complete a survey or accept terms of service. Connect to a Salesforce Customer Identity service or geo-fencing service, and collect or verify user information. Enforce strong authentication, like implementing a multi-factor authentication (MFA) method using hardware, biometric, or another authentication technique. Run a confirmation process. For example, have a user define a secret question, and validate the answer during login. Create more granular policies like setting up a policy that sends a notification every time a user logs in during non-standard working hours.
Northern Trail Outfitters (NTO) has an existing custom business-to-consumer (B2C) website that does NOT support single sign-on standards, such as Security Assertion Markup Language (SAML) or OAuth. NTO wants to use Salesforce Identity to register and authenticate new customers on the website. Which two Salesforce features should an identity architect use in order to provide username/password? authentication for the website? Choose 2 answers A. Identity Connect B. Embedded Login C. Delegated Authentication D. Connected Apps
B C
Northern Trail Outfitters (NTO) is planning to implement a community for its customers using Salesforce Experience Cloud. Customers are not able to self register. NTO would like to have customers set their own passwords when provided access to the community. Which two recommendations should an identity architect make to fulfill this requirement? Choose 2 answers A. Add customers as contacts and add them to Experience Cloud site B. Allow Password reset using the API to update Experience Cloud site membership. C. Use Login Flows to allow users to reset password in Experience Cloud site D. Enable Welcome emails while configuring the Experience Cloud site.
B C
The CMO of an advertising company has invited an Identity and Access Management (IAM) specialist to discuss Salesforce out-of-box capabilities for configuring the company's login and registration experience on Salesforce Experience Cloud. The CMO is looking to brand the login page with the company's logo, background color, login button color, and dynamic right-frame from an external URL. Which two solutions should the IAM specialist recommend? Choose 2 answers A. Build custom pages for branding requirements in Experience Cloud. B. Use Experience Builder to build branded Reset and Forgot Password pages. C. Login & Registration pages can be branded in the Community Administration settings. D. Build custom site pages for reset and forgot password features.
B C
Universal Containers is building a web application that will connect with the Salesforce API using JWT OAuth Flow. Which two settings need to be configured in the connect app to support this requirement? Choose 2 answers A. The "eclair_api" OAuth scope in the connected app. B. The "api" OAuth scope in the connected app. C. The Use Digital Signature option in the connected app. D. The "web" OAuth scope in the connected app.
B C
Which two things should be done to ensure end users can only use single sign-on (SSO) to login in to Salesforce? Choose 2 answers A. Request Salesforce Support to enable delegated authentication B. Enable My Domain and select "Prevent login from https://login.salesforce.com" C. Assign user "Is Single Sign-On Enabled" permission via profile or permission set D. Once SSO is enabled, users are only able to login using Salesforce credentials
B C
An administrator created a connected app for a custom web application in Salesforce which needs to be visible as a tile in App Launcher. The tile for the custom web application is missing in the app launcher for all users in Salesforce. The administrator requested assistance from an identity architect to resolve the issue. Which two reasons are the source of the issue? A. Session Policy is set as "High Assurance Session required" for this connected app. B. StartURL for the connected app is not set in Connected App settings. C. The connected app is not set in the App menu as "Visible in App Launcher". D. Auth scope does not include "openid".
B C For a connected app to be visible on the App Launcher, it must have a Start URL defined on the Manage connected app page, the user must be authorized to see it, and it must be marked as "Visible in App Launcher" on the "App Menu" setup page.
Northern Trail Outfitters want to allow its consumer to self-register on it business-to-consumer (B2C) portal that is built on Experience Cloud. The identity architect has recommended to use Person Accounts. Which three steps need to be configured to enable self-registration using person accounts? Choose 3 answers A. Contact Salesforce Support to enable business accounts B. Enable access to person and business account record types under Public Access Settings. C. Contact Salesforce Support to enable person accounts. D. Set organization-wide default sharing for Contact to Public Read Only E. Under Login and Registration settings, ensure that the default account field is empty.
B C E
Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for NTO to give its customers the ability to login with their Facebook and Twitter credentials. Which two actions should an identity architect recommend to meet these requirements? Choose 2 answers A. Create a custom external authentication provider for Twitter B. Configure a predefined authentication provider for Twitter C. Create a custom external authentication provider for Facebook D. Configure a predefined authentication provider for Facebook
B D
Universal Containers (UC) is considering a Customer 360 initiative to gain a single source of the truth for its customer data across disparate systems and services. UC wants to understand the primary benefits of Customer 360 Identity and how it contributes to successful Customer 360 Truth project. What are two are key benefits of Customer 360 Identity as it relates to Customer 360? Choose 2 answers A. Customer 360 Identity automatically integrates with Customer 360 Data Manager and Customer 360 Audiences to seamlessly populate all user data B. Customer 360 Identity supports multiple brands so you can deliver centralized identity services and correlation of user activity, even if it spans multiple corporate brands and user experiences C. Customer 360 Identity enables an organization to build a single login for each of its customers, giving the organization an understanding of the user's login activity across all its digital properties and applications D. Customer 360 Identity not only provides a unified sign up and sign in experience, but also tracks anonymous user activity prior to signing up so organizations can understand user activity before and after the users identify themselves
B, C
A client is planning to rollout multi-factor authentication (MFA) to its internal employees and wants to understand which authentication and verification methods meet the Salesforce criteria for secure authentication. Which three functions meet the Salesforce criteria for secure MFA? Choose 3 answers A. Username and password + SMS passcode B. Third-party single sign-on with Mobile Authenticator app C. Certificate-based Authentication D. Lightning Login E. Username and password + security key
B, D, E If you use certificate-based authentication for your Salesforce org, or if your SSO implementation uses user certificates instead of usernames and passwords, you don't satisfy the MFA requirement. Lightning Login relies on Salesforce Authenticator (version 2 or later), the multi-factor authentication mobile app that's available as a free download for iOS and Android devices. By requiring two factors of authentication for login, Lightning Login adds an extra layer of security. You can use the free multi-factor authentication (MFA) service included in Salesforce for users that log in via a third-party single sign-on (SSO) provider.
Universal Containers (UC) has implemented SAML-based Single Sign-On for their Salesforce application and is planning to provide access to Salesforce mobile devices using the Salesforce1 mobile app. UC wants to ensure that SSO is used for accessing the Salesforce1 mobile app. Which 2 recommendations should an Architect make. Choose 2 answers A. Configure the Embedded Web Browser to use My Domain URL B. Configure the Salesforce1 mobile app C. Use the existing SAML-SSO flow along with User-Agent flow D. Use the existing SAML-SSO flow along with Web User flow
BC
A global company has built an external application that uses data from its Salesforce org via an OAuth 2.0 authorization flow. Upon logout, the existing Salesforce OAuth token must be invalidated. Which action will accomplish this? A. Enable Single Logout with a secure logout URL B. Use a HTTP POST to the System for Cross-domain Identity Management (SCIM) endpoint, including the current OAuth token C. Use a HTTP POST to make a call to the revoke token endpoint D. Use a HTTP POST to request the refresh token for the current user
C
A public sector agency is setting up an identity solution for its citizens using a Community built on Experience Cloud and requires the new user registration functionality to capture first name, last name, and phone number. The phone number will be used for identity verification. Which feature should an identity architect recommend to meet the requirements? A. Integrate with social websites (Facebook, LinkedIn, Twitter) B. Create a custom Lightning Web Component C. Use Login Discovery D. Use an external Identity Provider
C
An Enterprise is using a Lightweight Directory Access Protocol (LDAP) server as the only point for user authentication with a username/password. Salesforce delegated authentication is configured to integrate Salesforce under single sign-on (SSO). How can end users change their password? A. Users can request the Salesforce Admin to reset their password. B. Users once logged in, can go to the Change Password screen in Salesforce. C. Users can change it on the enterprise LDAP authentication portal. D. Users can click on the "Forgot your Password" link on the Salesforce.com login page
C
An Identity architect works for a multinational, multi-brand organization. As they work with the organization to understand their customer Identity and Access Management requirements, the identity architect learns that the brand experience is different for each of the customer's sub-brands and each of these branded experiences must be carried through the login experience depending on which sub-brand the user is logging into Which solution should the architect recommend to support scalability and reduce maintenance costs, if the organization has more than 150 sub-brands? A. Create a community subdomain for each sub-brand and customize the look and feel of the Login page for each community subdomain to match the brand. B. Create a separate Salesforce org for each sub-brand so that each sub-brand has complete control over the user experience. C. Assign each sub-brand a unique Experience ID and use the Experience ID to dynamically brand the login experience D. Use Audiences to customize the login experience for each sub-brand and pass an audience ID to the community during the OAuth and Security Assertion Markup Language (SAML) flows
C
Northern Trail Outfitters (NTO) has a number of employees who do NOT need access Salesforce objects. The employees should sign in to a custom Benefits web app using their Salesforce credentials. Which license should the identity architect recommend to fulfill this requirement? A. Identity Verification Credits Add-On License B. Identity Connect License C. Identity Only License D. External Identity License
C
Northern Trail Outfitters is implementing a business-to-business (B2B) collaboration site using Salesforce Experience Cloud. The partners will authenticate with an existing identity provider and the solution will utilize Security Assertion Markup Language (SAML) to provide single sign-on to Salesforce. Delegated administration will be used in the Experience Cloud site to allow the partners to administer their users' access. How should a partner identity be provisioned in Salesforce for this solution? A. Create a person account B. Create only a contact C. Create a user and a related contact D. Create a contactless user
C
Northern Trail Outfitters manages functional group permissions in a custom security application supported by a relational database and a REST service layer. Group permissions are mapped as permission sets in Salesforce. Which action should an identity architect use to ensure functional group permissions are reflected as permission set assignments? A. Use the Apex Just-in-Time (JIT) handler to query the Security Assertion Markup Language (SAML) attributes and set permission sets. B. Use a Login Flow to query SAML attributes and set permission sets. C. Use a Login Flow with invocable Apex to callout to the security application and set permission sets D. Use the Apex JIT handler to callout the security application and set permission sets.
C
Universal Containers (UC) has an Experience Cloud site (Customer Community) where customers can authenticate and place orders, view the status of orders, etc. UC allows guest checkout. How can a guest register using data previously collected during order placement? A. Use a Connected App Handler Apex Plugin class to collect only order details to retrieve customer data B. Enable Security Assertion Markup Language Sign-On and use a login flow to collect only order details to retrieve customer data C. Enable self-registration and customize a self-registration page to collect only order details to retrieve customer data. D. Enable Facebook as an authentication provider and use a registration handler to collect only order details to retrieve customer data
C
Universal Containers is using OpenID Connect to enable a connection from their new mobile app to its production Salesforce org. What should be done to enable the retrieval of the access token status for the OpenID Connect connection? A. Create a custom OAuth scope B. Query using OpenID Connect discovery endpoint C. Leverage OpenID Connect Token Introspection D. Enable cross-origin resource sharing (CORS) for the /services/oauth2/token endpoint
C
Universal Containers wants to allow its customers to log in to its Experience Cloud via a third party authentication provider that supports only the OAuth protocol. What should an identity architect do to fulfill this requirement? A. Create a custom external authentication provider B. Contact Salesforce Support and enable delegate single sign-on. C. Configure OpenID Connect authentication provider D. Use certificate-based authentication.
C
Universal containers uses an Employee portal for their employees to collaborate. Employees access the portal from their company's internal website via SSO. It is set up to work with Active Directory. What is the role of Active Directory in this scenario? A . Identity store B . Authentication store C . Identity provider D . Service provider
C
A service provider (SP) supports both Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). When integrating this SP with Salesforce, which use case is the determining factor when choosing OIDC or SAML? A. They are equivalent protocols and there is no real reason to choose one over the other. B. If the user has a session on Salesforce, you do not want them to be prompted for a username and password when they login to the SP. C. The SP needs to perform API calls back to Salesforce on behalf of the user after the user logs in to the service provider. D. OpenID Connect (OIDC) is more secure than SAML and therefore is the obvious choice.
C 1. If fast and easy implementation is your primary consideration, choose OIDC. It is much simpler to get up and running than SAML. 2. If your organization uses an API-centered architecture, OIDC will provide a better experience for users of native and single-page applications. OIDC is lightweight and more performance-friendly than SAML. 2. For large enterprises that require a higher level of security, SAML might be the better choice. SAML allows multi-factor authentication. It is a more mature standard with a proven track record and more feature-rich than OIDC.
An identity architect is setting up an integration between Salesforce and a third-party system. The third-party system needs to be able to authenticate to Salesforce and then make API calls against the REST API. One of the requirements is that the solution needs to ensure the third party service providers connected app in Salesforce minimizes the need for end user interaction and maximizes security. Which OAuth flow should be used to fulfill the requirement? A. User Agent Flow B. Username-Password Flow C. JWT Bearer Flow D. Web Server Flow
C JWT Bearer Flow: For machine-to-machine communication without user involvement. - minimizes user interaction and maximizes security Web Server Flow: For user-involved scenarios where the application needs to access user data with explicit consent. User-Agent Flow: For user-involved scenarios where the application runs in a user-agent (e.g., browser) and requires user consent but doesn't have a secure backend.
A security architect is rolling out a new multi-factor authentication (MFA) mandate, where all employees must go through a secure authentication process before accessing Salesforce. There are multiple Identity Providers (IdP) in place and the architect is considering how the "Authentication Method Reference" field (AMR) in the Login History can help. Which two considerations should the architect keep in mind? Choose 2 answers A. Dependency on what is supported by OpenID Connect (OIDC) implementation at IdP. B. High-assurance sessions must be configured under Session Security Level Policies. C. AMR field shows the authentication methods used at IdP. D. Both OIDC and Security Assertion Markup Language (SAML) are supported but AMR must be Implemented at IdP.
C D
A technology enterprise is planning to implement Single Sign-On login for users. When users log in to the Salesforce User object, custom field data should be populated for new and existing users. Which two steps should an identity architect recommend? Choose 2 answers A. Implement Session Management Class B. Implement RegistrationHandler Interface C. Create and update methods D. Implement Auth.SamlJitHandler Interface
C D
Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow. Application users will authenticate using username and password. They should not be forced to approve API access in the mobile app or reauthenticate for 3 months. Which two connected app options need to be configured to fulfill this use case (2 Answers)? A. Set the Session Timeout value to 3 months B. Set Permitted Users to "Admin approved users are pre-authorized". C. Set Permitted Users to "All users may self-authorize". D. Set the Refresh Token Policy to expire refresh token after 3 months.
C D All users may self-authorize—Default. Allows all users in the org to authorize the app after successfully signing in. Users must approve the app the first time they access it. Admin approved users are pre-authorized—Allows only users with the associated profile or permission set to access the app without first authorizing it.
A company's external application is protected by Salesforce through OAuth. The identity architect for the project needs to limit the level of access to the data of the protected resource in a flexible way. What should be done to improve security? A. Define a permission set that grants access to the app and assign to authorized users. B. Select "Admin approved users are pre-authorized" and assign specific profiles. C. Leverage external objects and data classification policies. D. Create custom scopes and assign to the connected app
D
A technology enterprise is setting up an identity solution with an external vendors wellness application for its employees. The user attributes need to be returned to the wellness application in an ID token. Which authentication mechanism should an identity architect recommend to meet the requirements? A. JWT Bearer Token Flow B. OpenID Connect C. User Agent Flow D. Web Server Flow
D
Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Access Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee recently was able to login to NTO's Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory. What should an identity architect recommend to prevent this from happening in the future? A. Configure an authentication provider to delegate authentication to the LDAP directory. B. Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce As they are disabled in LDAP. C. Use a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce D. Setup an identity provider (IdP) to authenticate users using LDAP, set up single sign-on to Salesforce and disable Login Form authentication.
D
Northern Trail Outfitters (NTO) is launching a new sportswear brand on its existing consumer portal built on Salesforce Experience Cloud. As part of the launch, emails with promotional links will be sent to existing customers to log in and claim a discount. The marketing manager would like the portal dynamically branded so that users will be directed to the brand link they clicked on; otherwise, users will view a recognizable NTO branded page. The campaign is launching quickly, so there is no time to procure any additional licenses. However, the development team is available to apply any required changes to the portal. Which approach should the identity architect recommend? A. Use Heroku to build the new brand site and embedded login to reuse identities. B. Configure an additional community site on the same org that is dedicated for the new brand. C. Create a full sandbox to replicate the portal site and update the branding accordingly. D. Implement Experience ID in the code and extend the URLs and endpoints, as required
D
Northern Trail Outfitters recently acquired a company. Each company will retain its Identity Provider (IdP). Both companies rely extensively on Salesforce processes that send emails to users to take specific actions in Salesforce. How should the combined company's employees collaborate in a single Salesforce org, yet authenticate to the appropriate IdP? A. Have generated links be prefixed with the appropriate IdP URL to invoke an Idp-initiated Security Assertion Markup Language flow when clicked. B. Have generated links append a querystring parameter indicating the IdP. The login service will redirect to the appropriate IdP. C. Configure unique MyDomains for each company and have generated links use the appropriate MyDomain in the URL. D. Enable each IdP as a login option in the MyDomain Authentication Service settings. Users will then click on the appropriate IdP button.
D
Universal Containers (UC) is building a custom employee hub application on Amazon Web Services (AWS) and would like to store their users' credentials there. Users will also need access to Salesforce for internal operations. UC has tasked an identity architect with evaluating different solutions for authentication and authorization between AWS and Salesforce. How should an identity architect configure AWS to authenticate and authorize Salesforce users? A. Develop a custom Auth server in AWS. B. Configure the custom employee app as a connected app. C. Create a custom external authentication provider D. Configure AWS as an OpenID Connect Provider.
D
Universal Containers (UC) is building custom Innovation platform Salesforce instance. The Innovation platform will be written completely in Apex and Visualforce and will use custom objects to store the data. UC would like all users to be able to access the system without having to log in Salesforce credentials. UC will utilize a third-party IdP using SAML SSO.What is the optimal Salesforce license type for all of the UC employees? A. Identity license B. Salesforce C. External Identity D. Salesforce Platform
D
Universal Containers has multiple Salesforce instances where users receive emails from different instances. Users should be logged into the correct Salesforce instance authenticated by their IdP when clicking on an email link to a Salesforce record. What should be enabled in Salesforce as a prerequisite? A. Identity Provider B. External Identity C. Multi-Factor Authentication D. My Domain
D
Universal Containers is implementing Salesforce Identity to broker authentication from its enterprise single sign-on (SSO) solution through Salesforce to third party applications using SAML. What role does Salesforce Identity play in its relationship with the enterprise SSO system? A. Client Application B. Identity Provider (IDP) C. Resource Server D. Service Provider (SP)
D
Universal Containers wants to secure its Salesforce APIs by using an existing Security Assertion Markup Language (SAML) configuration that supports the company's single sign-on process to Salesforce. Which Salesforce OAuth authorization flow should be used? A. OAuth 2.0 User-Agent Flow B. SAML Assertion Flow C. OAuth 2.0 JWT Bearer Flow D. OAuth 2.0 SAML Bearer Assertion Flow
D
When designing a multi-branded Customer Identity and Access Management solution on the Salesforce Platform, how should an identity architect ensure a specific brand experience in Salesforce is presented? A. Add a custom parameter to the service provider's OAuth/SAML call and implement logic on its login page to apply branding based on the parameters value. B. The Audience ID, which can be set in a shared cookie. C. Provide a brand picker that the end user can use to select its sub-brand when they arrive on Salesforce D. The Experience ID, which can be included in OAuth/Open ID flows and E. Security Assertion Markup Language (SAML) flows as a URL parameter.
D
A farming enterprise offers smart farming technology to its farmer customers, which includes a variety of sensors for livestock tracking, pest monitoring, climate monitoring etc. They plan to store all the data in Salesforce. They would also like to ensure timely maintenance of the installed sensors. They have engaged a Salesforce Architect to propose an appropriate way to generate sensor information in Salesforce. Which OAuth flow should the architect recommend? A. OAuth 2.0 SAML Bearer Assertion Flow B. OAuth 2.0 JWT Bearer Token Flow C. OAuth 2.0 Device Authentication Flow D. OAuth 2.0 Asset Token Flow
D OAuth 2.0 Asset Token Flow does not involve any user interaction, and the IoT device uses a pre-authorized asset token to request an access token directly from the resource server. OAuth 2.0 Device Authentication Flow requires user interaction, as the device needs to display a user code and verification URL to the end-user. The end-user must manually enter the code on a separate device and visit the verification URL to authorize the device's access. In the context of the farming enterprise's smart farming technology, where sensors need to communicate with Salesforce, the more appropriate OAuth flow is the OAuth 2.0 Asset Token Flow. Since sensors are IoT devices and might not have user interfaces for direct interaction, the Asset Token Flow allows them to securely authenticate and access Salesforce resources without relying on user involvement.
Universal Containers (UC) is rolling out its new Customer Identity and Access Management Solution built on top of its existing Salesforce instance. UC wants to allow customers to login using Facebook, Google, and other social sign-on providers. How should this functionality be enabled for UC, assuming all social sign-on providers support OpenID Connect? A. Configure an authentication provider and a Just-In-Time (JIT) handler for each social sign-on provider B. Configure a single sign-on setting and a JIT handler for each social sign-on provider C. Configure a single sign-on setting and a registration handler for each social sign-on provider. D. Configure an authentication provider and a registration handler for each social sign-on provider
D OpenID Connect - authentication provider and registration handler
Northern Trail Outfitters (NTO) has a requirement to ensure all user logins include a single multi-factor Authentication (MFA) prompt. Currently, users are allowed the choice to login with a username and password or Via single sign-on against NTO's corporate Identity Provider, which includes built in MFA. Which configuration will meet this requirement? A. Create and assign a permission set to all employees that includes "MFA for User Interface Logins." B. Create a custom login flow that enforces MFA and assign it to a permission set. Then assign the permission set to all employees. C. For all employee profiles, set the Session Level Required at Login to High Assurance and add the corporate identity provider to the High Assurance list for the org's Session Security Levels. D. Enable "MFA for User Interface Logins" for your organization from Setup -> Identity Verification.
D Setup > Identity Verification > Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org
A company with 15,000 employees is using Salesforce and would like to take the necessary steps to highlight or curb fraudulent activity. Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours? A. Login History B. Login Report C. Login Inspector D. Login Forensics
D - Login Forensics Login forensics helps you identify suspicious login activity. It provides you key user access data, including: The average number of logins per user per a specified time period Who logged in more than the average number of times Who logged in during non-business hours Who logged in using suspicious IP ranges
An identity architect wants to secure Salesforce APIs using Security Assertion Markup Language (SAML). For security purposes, administrators will need to authorize the applications that will be consuming the APIs. Which Salesforce OAuth authorization flow should be used? A. OAuth 2.0 User-Agent Flow B. OAuth 2.0 SAML Bearer Assertion Flow C. OAuth 2.0 JWT Bearer Flow D. SAML Assertion Flow
D - SAML Assertion Flow Essentially, this is SSO for API's - no human interaction required - it's all automated systems communicating with each other Can be used without a Connected App Communities do not support this flow JSON based