Identity and Access Management 2
Universal Containers (UC) wants to build a few applications that leverage the Salesforce REST API. UC has asked its Architect to describe how the API calls will be authenticated to a specific user. Which two mechanisms can the Architect provide? Choose 2 Answers A. Session ID B. Authentication Token C. Access Token D. Refresh Token
AC
A group of users try to access one of universal containers connected apps and receive the following error message : "Failed : Not approved for access". what is most likely to cause of the issue? A. The users do not have the correct permission set assigned to them. B. The use of high assurance sections are required for the connected App. C. The connected App setting "All users may self-authorize" is enabled. D. The salesforce administrators gave revoked the Oauth authorization.
A
An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The following are the requirements for the solution:1. Users should not have to login every time they use the app.2. The app should be able to make calls to the Salesforce REST API.3. End users should NOT see the OAuth approval page.How should the identity architect configure the Salesforce connected app to meet the requirements? A. Enable the API Scope and Offline Access Scope, upload a certificate so JWT Bearer Flow can be used and then set the connected app access settings to "Admin Pre-Approved". B. Enable the API Scope and Offline Access Scope on the connected app, and then set the connected app to access settings to 'Admin Pre-Approved". C. Enable the API Scope and Offline Access Scope on the connected app, and then set the Connected App access settings to "User may self authorize". D. Enab
A
Northern Trail Outfitters (NTO) leverages Microsoft Active Directory (AD) for management of employee usernames, passwords, permissions, and asset access. NTO also owns a third-party single sign-on (SSO) solution. The third-party party SSO solution is used for all corporate applications, including Salesforce.NTO has asked an architect to explore Salesforce Identity Connect for automatic provisioning and deprovisioning of users in Salesforce.What role does identity Connect play in the outlined requirements? A. User Management B. Single Sign-On C. Service Provider D. Identity Provider
A
Northern Trail Outfitters (NTO) wants its customers to use phone numbers to log in to their new digital portal, which was designed and built using Salesforce Experience Cloud. In order to access the portal, the user will need to do the following:1. Enter a phone number and/or email address2. Enter a verification code that is to be sent via email or text.What is the recommended approach to fulfill this requirement? A. Create a Login Discovery page and provide a Login Discovery Handler Apex class. B. Create a custom login flow that uses an Apex controller to verify the phone numbers with the company's verification service. C. Create an Authentication provider and implement a self-registration handler class. D. Create a custom login page with an Apex controller. The controller has logic to send and verify the identity.
A
Northern Trail Outfitters would like to automatically create new employee users in Salesforce with an appropriate profile that maps to its Active Directory Department.How should an identity architect implement this requirement? A. Use the createUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile. B. Make a callout during the login flow to query department from Active Directory to assign the appropriate profile. C. Use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile. D. Use a login flow to collect Security Assertion Markup Language attributes and assign the appropriate profile during Just-In-Time (JIT) provisioning.
A
Outfitters (NTO) is using Experience Cloud as an Identity for its application on Heroku. The application on Heroku should be able to handle two brands, Northern Trail Shoes and Northern Trail Shirts.A user should select either of the two brands in Heroku before logging into the community. The app then performs Authorization using OAuth2.0 with the Salesforce Experience Cloud site. NTO wants to make sure it renders login page images dynamically based on the user's brand preference selected in Heroku before Authorization. A. Authorize third-party service by sending authorization requests B. For each brand create different communities and redirect users to the appropriate community C. Authorize third-party service by sending authorization requests D. Create multiple login screens using Experience Builder and use Login Flows at runtime to route to different login screens.
A
Universal Containers (UC) has a Desktop application to collect leads for marketing campaigns. UC wants to extend this application to integrate with Salesforce to create leads. Integration between the desktop application and salesforce should be seamless. What Authorization flow should the Architect recommend? A. JWT Bearer Token flow B. User Agent Flow C. Username and Password Flow D. Web Server Authentication Flow
A
Universal Containers (UC) has a strict requirement to authenticate users to Salesforce using their mainframe credentials. The mainframe user store cannot be accessed from a SAML provider. UC would also like to have users in Salesforce created on the fly if they provide accurate mainframe credentials.How can the Architect meet these requirements? A. Use the SOAP API to create the user when created on the mainframe; implement Delegated Authentication. B. Implement Just-In-Time Provisioning on the mainframe to create the user on the fly. C. Implement OAuth User-Agent Flow on the mainframe; use a Registration Handler to create the user on the fly. D. Use a Salesforce Login Flow to call out to a web service and create the user on the fly.
A
Universal Containers (UC) has implemented SAML-based Single Sign-On to provide seamless access to its Salesforce Orgs, financial system, and CPQ system. Below is the SSO implementation landscape.What role combination is represented by the systems in this scenario'' A. Salesforce Org1 and PingFederate are acting as Identity Providers. B. Salesforce Org1 and Salesforce Org2 are acting as Identity Providers. C. Salesforce Org1 and Salesforce Org2 are the only Service Providers. D. Financial System and CPQ System are the only Service Providers.
A
Universal Containers (UC) is building a custom Innovation platform on their Salesforce instance. The Innovation platform will be written completely in Apex and Visualforce and will use custom objects to store the Dat a. UC would like all users to be able to access the system without having to log in with Salesforce credentials. UC will utilize a third-party idp using SAML SSO. What is the optimal Salesforce licence type for all of the UC employees? A. Salesforce Platform Licence. B. Identity Licence. C. Salesforce Licence. D. External Identity Licence.
A
Universal Containers (UC) wants its closed Won opportunities to be synced to a Data Warehouse in near real time. UC has implemented Outbound Message to enable near real-time data sync. UC wants to ensure that communication between Salesforce and Target System is Secure. What Certificate is sent along with the Outbound Message? A. The default Client Certificate from the Develop--> API Menu. B. The CA-Signed Certificate from the Certificate and Key Management menu. C. The default Client Certificate or a Certificate from Certificate and Key Management menu. D. The Self-Signed Certificates from the Certificate & Key Management menu.
A
Universal Containers is implementing Salesforce Identity to broker authentication from its enterprise single sign-on (SSO) solution through Salesforce to third party applications using SAML.What rote does Salesforce Identity play in its relationship with the enterprise SSO system? A. Identity Provider (IdP) B. Client Application C. Resource Server D. Service Provider (SP)
A
Universal containers (UC) uses a legacy Employee portal for their employees to collaborate and post their ideas. UC decides to use salesforce ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to push ideas posted on the Employee portal to salesforce through API. UC decides to use an API user using Oauth Username - password flow for the connection. How can the connection to salesforce be restricted only to the employee portal server? A. Add the employee portals IP address to the login IP range on the user profile. B. Use a dedicated profile for the user the Employee portal uses. C. Use a digital certificate signed by the employee portal Server. D. Add the Employee portals IP address to the Trusted IP range for the connected App
A
What is one of the roles of an Identity Provider in a Single Sign-on setup using SAML? A. Create token B. Validate token C. Revoke token D. Consume token
A
Northern Trail Outfitters (NTO) is planning to build a new customer service portal and wants to use passwordless login, allowing customers to login with a one-time passcode sent to them via email or SMS.How should the quantity of required Identity Verification Credits be estimated? A. Identity Verification Credits are consumed with each SMS (text message) sent and should be estimated based on the number of login verification challenges for SMS verification users. B. Identity Verification Credits are consumed with each verification sent and should be estimated based on the number of logins that will incur a verification challenge. C. Identity Verification Credits are a direct add-on license based on the number of existing member-based or login-based Community licenses. D. Each community comes with 10,000 Identity Verification Credits per month and only customers with more than 10,000 logins a month should estimate add
AB
Universal Containers (UC) wants to build a mobile application that twill be making calls to the Salesforce REST API. UC's Salesforce implementation relies heavily on custom objects and custom Apex code. UC does not want its users to have to enter credentials every time they use the app. Which two scope values should an Architect recommend to UC? Choose 2 answers. A. Api B. Refresh_token C. Custom_permissions D. Full
AB
Universal Containers (UC) would like its community users to be able to register and log in with Linkedin or Facebook Credentials. UC wants users to clearly see Facebook &Linkedin Icons when they register and login. What are the two recommended actions UC can take to achieve this Functionality? Choose 2 answers A. Create custom Registration Handlers to link Linkedin and facebook accounts to user records. B. Enable Facebook and Linkedin as Login options in the login section of the Community configuration. C. Create custom buttons for Facebook and inkedin using JAVAscript/CSS on a custom Visualforce page. D. Store the Linkedin or Facebook user IDs in the Federation ID field on the Salesforce User record.
AB
Universal containers (UC) has an e-commerce website while customers can buy products, make payments, and manage their accounts. UC decides to build a customer Community on Salesforce and wants to allow the customers to access the community for their accounts without logging in again. UC decides to implement ansp-Initiated SSO using a SAML-BASED complaint IDP. In this scenario where salesforce is the service provider, which two activities must be performed in salesforce to make sp-Initiated SSO work? Choose 2 answers A. Set up my domain B. Configure SAML SSO settings. C. Create a connected App D. Configure Delegated Authentication
AB
architect is troubleshooting some SAML-based SSO errors during testing. The Architect confirmed that all of the Salesforce SSO settings are correct. Which two issues outside of the Salesforce SSO settings are most likely contributing to the SSO errors the Architect is encountering? Choose 2 Answers A. The clock on the Identity Provider server is twenty minutes behind Salesforce. B. The Issuer Certificate from the Identity Provider expired two weeks ago. C. The default language for the Identity Provider and Salesforce are Different. D. The Identity Provider is also used to SSO into five other applications.
AB
Universal Containers is creating a web application that will be secured by Salesforce Identity using the OAuth 2.0 Web Server Flow uses the OAuth 2.0 authorization code grant type).Which three OAuth concepts apply to this flow?Choose 3 answers A. Client Secret B. Scopes C. Access Token D. Verification URL
ABC
What are three capabilities of Delegated Authentication? Choose 3 answers A. It can connect to SOAP services. B. It can be assigned by Profiles. C. It can connect to REST services. D. It can be assigned by Custom Permissions. E. It can be assigned by Permission Sets.
ABE
A Salesforce customer is implementing Sales Cloud and a custom pricing application for its call center agents. The customer has the following requirements:The development team has decided to use a Canvas app to expose the pricing application to agents. Agents should be able to access the Canvas app without needing to log in to the pricing application.Which two options should the identity architect consider to provide support for the Canvas app to initiate login for users? A. Enable OAuth settings in the connected app with required OAuth scopes for the pricing application. B. Select "Enable as a Canvas Personal App" in the connected app settings. C. Configure the Canvas app as a connected app and set Admin-approved users as pre-authorized. D. Enable SAML in the connected app and Security Assertion Markup Language (SAML) Initiation Method as Service Provider Initiated
AC
Universal Containers (UC) has an e-commerce website where customers can buy products, make payments and manage their accounts. UC decides to build a Customer Community on Salesforce and wants to allow the customers to access the community from their accounts without logging in again. UC decides to implement an SP-initiated SSO using a SAML-compliant Idp. In this scenario where Salesforce is the Service Provider, which two activities must be performed in Salesforce to make SP-initiated SSO work? Choose 2 answers A. Set up My Domain. B. Configure Delegated Authentication. C. Configure SAML SSO settings. D. Create a Connected App.
AC
Universal Containers (UC) is building an authenticated Customer Community for its customers. UC does not want customer credentials stored in Salesforce and is confident its customers would be willing to use their social media credentials to authenticate to the community. Which two actions should an Architect recommend UC to take? A. Create a Custom Apex Registration Handler to handle new and existing users. B. Configure SSO Settings For Facebook to serve as a SAML Identity Provider. C. Configure an Authentication Provider for LinkedIn Social Media Accounts. D. Use Delegated Authentication to call the Twitter login API to authenticate users.
AC
Universal Containers (UC) is using a custom application that will act as the Identity Provider and will generate SAML assertions used to log in to Salesforce. UC is considering including custom parameters in the SAML assertion. These attributes contain sensitive data and are needed to authenticate the users. The assertions are submitted to salesforce via a browser form post. The majority of the users will only be able to access Salesforce via UC's corporate network, but a subset of admins and executives would be allowed access from outside the corporate network on their mobile devices. Which two methods should an Architect consider to ensure that the sensitive data cannot be tampered with, nor accessible to anyone while in transit? A. Use the Identity provider's certificate to digitally Sign and the Identity provider's certificate to encrypt the payload. B. Use Salesforce's Certificate to digitally sign the SAML Asse
AC
Universal Containers (UC) uses Salesforce for its customer service agents. UC has a proprietary system for order tracking which supports Security Assertion Markup Language (SAML) based single sign-on. The VP of customer service wants to ensure only active Salesforce users should be able to access the order tracking system which is only visible within Salesforce.What should be done to fulfill the requirement?Choose 2 answers A. Setup Salesforce as an identity provider (IdP) for order Tracking. B. Set up the Corporate Identity store as an identity provider (IdP) for Order Tracking, C. Setup Order Tracking as a Canvas app in Salesforce to POST IdP initiated SAML assertion. D. Customize Order Tracking to initiate a REST call to validate users in Salesforce after login.
AC
Which two are valid choices for digital certificates when setting up two-way SSL between Salesforce and an external system. Choose 2 answers A. Use a self-signed certificate for salesforce and a trusted CA-signed cert for the external system B. Use a self-signed certificate for salesforce and a self-signed cert for the external system C. Use a trusted CA-signed certificate for salesforce and a trusted CA-signed cert for the external system D. Use a trusted CA-signed certificate for salesforce and a self-signed cert for the external system
AC
Which two statements are capable of Identity Connect? Choose 2 answers A. Support multiple orgs connecting to multiple Active Directory servers. B. Synchronization of Salesforce Permission Set Licence Assignments. C. Automated user synchronization and de-activation. D. Supports both Identity-Provider-Initiated and Service-Provider-Initiated SSO.
AC
Universal containers (UC) wants to implement Delegated Authentication for a certain subset of Salesforce users. Which three items should UC take into consideration while building the Web service to handle the Delegated Authentication request? Choose 3 answers A. The return type of the Web service method should be a Boolean value B. The web service can be written using either the soap or rest protocol. C. The web service needs to include Source IP as a method parameter. D. Delegated Authentication is enabled for the system administrator profile. E. UC should whitelist all salesforce ip ranges on their corporate firewall.
ACE
Universal Container's (UC) is using Salesforce Experience Cloud site for its container wholesale business. The identity architect wants add to an authentication provider for the new site.Which two options should be utilized in creating an authentication provider?Choose 2 answers A. A custom registration handier can be set. B. The default login user can be set. C. The default authentication provider certificate can be set. D. A custom error URL can be set.
AD
Universal Containers (UC) is building an integration between Salesforce and a legacy web applications using the canvas framework. The security for UC has determined that a signed request from Salesforce is not an adequate authentication solution for the Third-Party app. Which two options should the Architect consider for authenticating the third-party app using the canvas framework? Choose 2 Answers A. Utilize the SAML Single Sign-on flow to allow the third-party to authenticate itself against UC's IdP. B. Utilize Authorization Providers to allow the third-party appliction to authenticate itself against Salesforce as the Idp. C. Create a registration handler Apex class to allow the third-party appliction to authenticate itself against Salesforce as the Idp. D. Utilize Canvas OAuth flow to allow the third-party appliction to authenticate itself against Salesforce as the Idp.
AD
Universal Containers is considering using Delegated Authentication as the sole means of Authenticating of Salesforce users. A Salesforce Architect has been brought in to assist with the implementation. What two risks Should the Architect point out? Choose 2 answers A. Salesforce users will be locked out of Salesforce if the web service goes down. B. The web service must reside on a public cloud service, such as Heroku. C. Delegated Authentication is enabled or disabled for the entire Salesforce org. D. UC will be required to develop and support a custom SOAP web service.
AD
A company with 15,000 employees is using Salesforce and would like to take the necessary steps to highlight or curb fraudulent activity.Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours? A. Login Inspector B. Login Forensics C. Login History D. Login Report
B
A global fitness equipment manufacturer is planning to sell fitness tracking devices and has the following requirements:1) Customer purchases the device.2) Customer registers the device using their mobile app.3) A case should automatically be created in Salesforce and associated with the customers account in cases where the device registers issues with tracking.Which OAuth flow should be used to meet these requirements? A. OAuth 2.0 Asset Token Flow B. OAuth 2.0 SAML Bearer Assertion Flow C. OAuth 2.0 Username-Password Flow D. OAuth 2.0 User-Agent Flow
B
A multinational company is looking to rollout Salesforce globally. The company has a Microsoft Active Directory Federation Services (ADFS) implementation for the Americas, Europe and APAC. The company plans to have a single org and they would like to have all of its users access Salesforce using the ADFS . The company would like to limit its investments and prefer not to procure additional applications to satisfy the requirements.What is recommended to ensure these requirements are met ? A. Implement Identity Connect to provide single sign-on to Salesforce and federated across multiple ADFS systems. B. Configure Each ADFS system under single sign-on settings C. Add a central identity system that federates between the ADFS D. Use connected apps for each ADFS implementation and implement Salesforce site to authenticate users across the ADFS
B
An architect needs to set up a Facebook Authentication provider as login option for a salesforce customer Community. What portion of the authentication provider setup associates a Facebook user with a salesforce user? A. Consumer key and consumer secret B. Apex registration handler C. User info endpoint URL D. Federation ID
B
An identity architect's client has a homegrown identity provider (IdP). Salesforce is used as the service provider (SP). The head of IT is worried that during a SP initiated single sign-on (SSO), the Security Assertion Markup Language (SAML) request content will be altered.What should the identity architect recommend to make sure that there is additional trust between the SP and the IdP? A. Encrypt the SAML Request using certification authority (CA) signed certificate and decrypt on IdP. B. Ensure that on the SSO settings page, the "Request Signing Certificate" field has a self-signed certificate. C. Ensure that the Issuer and Assertion Consumer service (ACS) URL is property configured between SP and IDP. D. Ensure that there is an HTTPS connection between IDP and SP.
B
Northern Trail Outfitters (NTO) employees use a custom on-premise helpdesk application to request, approve, notify, and track access granted to various on-premises and cloud applications, including Salesforce. Salesforce is currently used to authenticate users.How should NTO provision Salesforce users as soon as they are approved in the helpdesk application with the approved profiles and permission sets? A. Build an integration that performs a remote call-in to the Salesforce SOAP or REST API. B. Have the helpdesk initiate an IdP-initiated Just-m-Time provisioning Security Assertion Markup Language flow. C. Use Salesforce Connect to integrate with the helpdesk application. D. Use a login flow to query the helpdesk to validate user status.
B
Universal Containers (UC) has an Experience Cloud site (Customer Community) where customers can authenticate and place orders, view the status of orders, etc. UC allows guest checkout.How can a guest register using data previously collected during order placement? A. Use a Connected App Handler Apex Plugin class to collect only order details to retrieve customer data. B. Enable self-registration and customize a self-registration page to collect only order details to retrieve customer data. C. Enable Security Assertion Markup Language Sign-On and use a login flow to collect only order details to retrieve customer data. D. Enable Facebook as an authentication provider and use a registration handler to collect only order details to retrieve customer data.
B
Universal Containers wants to allow its customers to log in to its Experience Cloud via a third party authentication provider that supports only the OAuth protocol.What should an identity architect do to fulfill this requirement? A. Create a custom external authentication provider. B. Configure OpenID Connect authentication provider. C. Contact Salesforce Support and enable delegate single sign-on. D. Use certificate-based authentication.
B
Universal Containers wants to secure its Salesforce APIs by using an existing Security Assertion Markup Language (SAML) configuration supports the company's single sign-on process to Salesforce, Which Salesforce OAuth authorization flow should be used? A. OAuth 2.0 JWT Bearer Flow B. OAuth 2.0 SAML Bearer Assertion Flow C. A SAML Assertion Row D. OAuth 2.0 User-Agent Flow
B
Universal containers (UC) has a mobile application that calls the salesforce REST API. In order to prevent users from having to enter their credentials everytime they use the app, UC has enabled the use of refresh Tokens as part of the salesforce connected App and updated their mobile app to take advantage of the refresh token. Even after enabling the refresh token, Users are still complaining that they have to enter their credentials once a day. What is the most likely cause of the issue? A. The users forget to check the box to remember their credentials. B. The refresh token expiration policy is set incorrectly in salesforce C. The Oauth authorizations are being revoked by a nightly batch job. D. The app is requesting too many access Tokens in a 24-hour period
B
Universal containers (UC) uses a home-grown employee portal for their employees to collaborate. UC decides to use salesforce ideas to allow the employees to post ideas from the employee portal. When clicking some links in the employee portal, the users should be redirected to salesforce, authenticated, and presented with relevant pages. What scope should be requested when using the Oauth token to meet this requirement? A. Visualforce B. Full C. Web D. API
B
customer service representatives at Universal containers (UC) are complaining that whenever they click on links to case records and are asked to login with SAML SSO, they are being redirected to the salesforce home tab and not the specific case record. What item should an architect advise the identity team at UC to investigate first? A. My domain is configured and active within salesforce. B. The identity provider is correctly preserving the Relay state C. The salesforce SSO settings are using http post D. The users have the correct Federation ID within salesforce.
B
Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for to give its customers the ability to login with their Facebook and Twitter credentials.Which two actions should an identity architect recommend to meet these requirements?Choose 2 answers A. Create a custom external authentication provider for Facebook. B. Configure a predefined authentication provider for Facebook. C. Configure a predefined authentication provider for Twitter. D. Create a custom external authentication provider for Twitter.
BC
Which three are features of federated Single sign-on solutions? Choose 3 Answers A. It solves all identity and access management problems. B. It enables quick and easy provisioning and deactivating of users. C. It federates credentials control to authorized applications. D. It improves affiliated applications adoption rates. E. It establishes trust between Identity Store and Service Provider.
BDE
Universal Containers (UC) currently uses Salesforce Sales Cloud and an external billing application. Both Salesforce and the billing application are accessed several times a day to manage customers. UC would like to configure single sign-on and leverage Salesforce as the identity provider. Additionally, UC would like the billing application to be accessible from Salesforce. A redirect is acceptable.Which two Salesforce tools should an identity architect recommend to satisfy the requirements?Choose 2 answers A. salesforce Canvas B. App Launcher C. Connected Apps D. Identity Connect
BC
Universal Containers (UC) employees have Salesforce access from restricted IP ranges only, to protect against unauthorised access. UC wants to roll out the Salesforce1 mobile app and make it accessible from any location. Which two options should an Architect recommend? Choose 2 answers A. Use Login Flow to bypass IP range restriction for the mobile app. B. Relax the IP restriction with a second factor in the Connect App settings for Salesforce1 mobile app. C. Relax the IP restrictions in the Connect App settings for the Salesforce1 mobile app. D. Remove existing restrictions on IP ranges for all types of user access.
BC
Universal containers (UC) does my domain enable in the context of a SAML SSO configuration? Choose 2 answers A. Login forensics B. Resource deep linking C. SSO from salesforce1 mobile app. D. App launcher
BC
Universal containers (UC) would like to enable SSO between their existing Active Directory infrastructure and salesforce. The it team prefers to manage all users in Active Directory and would like to avoid doing any initial setup of users in salesforce directly, including the correct assignment of profiles, roles and groups. Which two optimal solutions should UC use to provision users in salesforce? Choose 2 answers A. Use Active Directory Federation Services to sync users from active directory to salesforce. B. Use Identity connect to sync users from Active Directory to salesforce C. Use an app exchange product to sync users from Active Directory to salesforce. D. Use the salesforce REST API to sync users from active directory to salesforce
BC
A client is planning to rollout multi-factor authentication (MFA) to its internal employees and wants to understand which authentication and verification methods meet the Salesforce criteria for secure authentication.Which three functions meet the Salesforce criteria for secure mfa?Choose 3 answers A. Lightning Login B. Username and password + security key C. username and password + SMS passcode D. Certificate-based Authentication E. Third-party single sign-on with Mobile Authenticator app
BCE
Universal containers (UC) has decided to use identity connect as it's identity provider. UC uses active directory(AD) and has a team that is very familiar and comfortable with managing ad groups. UC would like to use AD groups to help configure salesforce users. Which three actions can AD groups control through identity connect? Choose 3 answers A. Custom permission assignment B. Permission sets assignment C. Public Group Assignment D. Granting report folder access E. Role Assignment
BCE
Northern Trail Outfitters (NTO) uses Salesforce for Sales Opportunity Management. Okta was recently brought in to Just-in-Time (JIT) provision and authenticate NTO users to applications. Salesforce users also use Okta to authorize a Forecasting web application to access Salesforce records on their behalf.Which two roles are being performed by Salesforce?Choose 2 answers A. SAML Identity Provider B. SAML Service Provider C. OAuth Client D. OAuth Resource Server
BD
Universal Containers (UC) uses Active Directory (AD) as their identity store for employees and must continue to do so for network access. UC is undergoing a major transformation program and moving all of their enterprise applications to cloud platforms including Salesforct, Workday, and SAP HANA.UC needs to implement an SSO solution for accessing all of the third-party cloud applications and the CIO is inclined to use Salesforce for all of their identity and access management needs.Which two Salesforce license types does UC need for its employees'Choose 2 answers A. Company Community and Identity licenses B. Salesforce and Identity Connect licenses C. Chatter Only and Identity licenses D. Identity and Identity Connect licenses
BD
Universal Containers is budding a web application that will connect with the Salesforce API using JWT OAuth Flow.Which two settings need to be configured in the connect app to support this requirement?Choose 2 answers A. The "edair_api" OAuth scope m the connected app. B. The "api" OAuth scope in the connected app. C. The "web" OAuth scope in the connected app, D. The Use Digital Signature option in the connected app.
BD
Universal containers (UC) has a mobile application that it wants to deploy to all of its salesforce users, including customer Community users. UC would like to minimize the administration overhead, which two items should an architect recommend? Choose 2 answers A. Enable the "Enforce Ip restrictions" settings in the connected App. B. Enable the "All users may self-authorize" setting in the Connected App. C. Enable the "High Assurance session required" setting in the Connected App. D. Enable the "Refresh Tokens is valid until revoked " setting in the Connected App.
BD
Universal containers(UC) wants to integrate a third-party reward calculation system with salesforce to calculate rewards. Rewards will be calculated on a schedule basis and update back into salesforce. The integration between Salesforce and the reward calculation system needs to be secure. Which are the recommended best practices for using Oauth flows in this scenario? Choose 2 answers A. Oauth Username-password flow B. Oauth refresh token flow C. Oauth SAML bearer assertion flow D. Oauthjwt bearer token flow
BD
Universal Containers is implementing a new Experience Cloud site and the identity architect wants to use dynamic branding features as of the login process.Which two options should the identity architect recommend to support dynamic branding for the site?Choose 2 answers A. To use dynamic branding, the community must be built with the Visualforce + Salesforce Tabs template. B. An experience ID (expid) or placeholder parameter must be used in the URL to represent the brand. C. To use dynamic branding, the community must be built with the Customer Account Portal template. D. An external content management system (CMS) must be used for dynamic branding on Experience Cloud sites.
BD*
Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow (this flow uses the OAuth 2.0 implicit grant type).Which three OAuth concepts apply to this flow?Choose 3 answers A. Verification Code B. Refresh Token C. Authorization Code D. Client ID E. Scopes
BDE
Containers (UC) has an existing Customer Community. UC wants to expand the self-registration capabilities such that customers receive a different community experience based on the data they provide during the registration process. What is the recommended approach an Architect Should recommend to UC? A. Create an After Insert Apex trigger on the user object to assign specific custom permissions. B. Modify the Community pages to utilize specific fields on the User and Contact records. C. Modify the existing Communities registration controller to assign different profiles. D. Create separate login flows corresponding to the different community user personas.
C
Northern Trail Outfitters (NTO) uses a Security Assertion Markup Language (SAML)-based Identity Provider (idP) to authenticate employees to all systems. The IdP authenticates users against a Lightweight Directory Access Protocol (LDAP) directory and has access to user information. NTO wants to minimize Salesforce license usage since only a small percentage of users need Salesforce.What is recommended to ensure new employees have immediate access to Salesforce using their current IdP? A. Install Salesforce Identity Connect to automatically provision B. Build an integration that queries LDAP periodically C. Configure Just-in-Time provisioning using SAML attributes to create new Salesforce users as necessary when a new user attempts to login to Salesforce. D. Build an integration that queries LDAP and creates new inactive users
C
Northern Trail Outfitters is implementing a busiess-to-business (B2B) collaboration site using Salesforce Experience Cloud. The partners will authenticate with an existing identity provider and the solution will utilize Security Assertion Markup Language (SAML) to provide single sign-on to Salesforce. Delegated administration will be used in the Experience Cloud site to allow the partners to administer their users' access.How should a partner identity be provisioned in Salesforce for this solution? A. Create only a contact. B. Create a person account. C. Create a user and a related contact. D. Create a contactless user.
C
Universal Container's (UC) identity architect needs to recommend a license type for their new Experience Cloud site that will be used by external partners (delivery providers) for reviewing and updating their accounts, downloading files provided by UC and obtaining scheduled pickup dates from their calendar.UC is using their Salesforce production org as the identity provider for these users and the expected number of individual users is 2.5 million with 13.5 million unique logins per month.Which of the following license types should be used to meet the requirement? A. Partner Community License B. External Apps License C. Partner Community Login License D. Customer Community plus Login License
C
Universal Containers (UC) has an existing Salesforce org configured for SP-Initiated SAML SSO with their Idp. A second Salesforce org is being introduced into the environment and the IT team would like to ensure they can use the same Idp for new org. What action should the IT team take while implementing the second org? A. Use the Salesforce Username as the SAML Identity Type. B. Use the same SAML Identity location as the first org. C. Use a different Entity ID than the first org. D. Use the same request bindings as the first org.
C
Universal Containers (UC) has an existing e-commerce platform and is implementing a new customer community. They do not want to force customers to register on both applications due to concern over the customers experience. It is expected that 25% of the e-commerce customers will utilize the customer community . The e-commerce platform is capable of generating SAML responses and has an existing REST-ful API capable of managing users. How should UC create the identities of its e-commerce users with the customer community? A. Use a nightly batch ETL job to sync users between the Customer Community and the e-commerce platform and use SAML to allow SSO. B. Use the e-commerce REST API to create users when a user self-register on the customer community and use SAML to allow SSO. C. Use SAML JIT in the Customer Community to create users when a user tries to login to the community from the e-commerce site. D. Use the standard
C
Universal Containers (UC) has an existing web application that it would like to access from Salesforce without requiring users to re-authenticate. The web application is owned UC and the UC team that is responsible for it is willing to add new javascript code and/or libraries to the application. What implementation should an Architect recommend to UC? A. Configure the web application as an item in the Salesforce App Launcher. B. Rewrite the web application as a set of Visualforce pages and Apex code. C. Create a Canvas app and use Signed Requests to authenticate the users. D. Add the web application as a ConnectedApp using OAuth User-Agent flow.
C
Universal Containers (UC) is planning to add Wi-Fi enabled GPS tracking devices to its shipping containers so that the GPS coordinates data can be sent from the tracking device to its Salesforce production org via a custom API. The GPS devices have no direct user input or output capabilities.Which OAuth flow should the identity architect recommend to meet the requirement? A. OAuth 2.0 Username-Password Flow for Special Scenarios B. OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration C. OAuth 2.0 Asset Token Flow for Securing Connected Devices D. OAuth 2.0 Web Server Flow for Web App Integration
C
Universal Containers (UC) operates in Asia, Europe and North America regions. There is one Salesforce org for each region. UC is implementing Customer 360 in Salesforce and has procured External Identity and Customer Community licenses in all orgs.Customers of UC use Community to track orders and create inquiries. Customers also tend to move across regions frequently.What should an identity architect recommend to optimize license usage and reduce maintenance overhead? A. Contacts are required since Community access needs to be enabled. Maintenance is a necessary overhead that must be handled via data integration. B. Delete contact/ account records and deactivate user if user moves from a specific region; Sync will no longer be required. C. Enable Contactless User in all orgs and downgrade users from Experience Cloud license to External Identity license once users have moved out of that region. D. Merge three orgs
C
Universal containers (UC) uses an internal company portal for their employees to collaborate. UC decides to use salesforce ideas and provide the ability for employees to post ideas from the company portal. They use SAML-BASED SSO to get into the company portal and would like to leverage it to access salesforce. Most of the users don't exist in salesforce and they would like the user records created in salesforce communities the first time they try to access salesforce. What recommendation should an architect make to meet this requirement? A. Use Identity connect to sync users B. Use salesforce APIs to create users on the fly C. Use just-in-time provisioning D. Use on-the-fly provisioning
C
Universal containers wants to build a custom mobile app connecting to salesforce using Oauth, and would like to restrict the types of resources mobile users can access. What Oauth feature of Salesforce should be used to achieve the goal? A. Mobile pins B. Access Tokens C. Scopes D. Refresh Tokens
C
A large consumer company is planning to create a community and will requ.re login through the customers social identity. The following requirements must be met:1. The customer should be able to login with any of their social identities, however salesforce should only have one user per customer.2. Once the customer has been identified with a social identity, they should not be required to authonze Salesforce.3. The customers personal details from the social sign on need to be captured when the customer logs into Salesforce using their social Identity.3. If the customer modifies their personal details in the social site, the changes should be updated in Salesforce .Which two options allow the Identity Architect to fulfill the requirements?Choose 2 answers A. Redirect the user to a custom page B. Use Login Flows to call an authentication registration C. Use the custom registration handler to link social identities to Sa
CD
After a recent audit, universal containers was advised to implement Two-factor Authentication for all of their critical systems, including salesforce. Which two actions should UC consider to meet this requirement? Choose 2 answers A. Require users to enter a second password after the first Authentication B. Require users to supply their email and phone number, which gets validated. C. Require users to use a biometric reader as well as their password D. Require users to provide their RSA token along with their credentials.
CD
Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, who use SAML based sign sign-on to login to Salesforce. The default agent profile does not include the Manage User permission. UC wants to dynamically update the agent role and permission sets.Which two mechanisms are used to provision agents with the appropriate permissions?Choose 2 answers A. Use Login Flow in User Context to update role and permission sets. B. Use SAML Just-m-Time (JIT) Handler class run as current user to update role and permission sets. C. Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets. D. Use Login Flow in System Context to update role and permission sets.
CD
Universal containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two are recommendations to make the UC? Choose 2 answers A. Set login IP ranges to the internal network for all of the app users profiles. B. Disallow the use of single Sign-on for any users of the mobile app. C. Use Google Authenticator as an additional part of the logical processes. D. Require high assurance sessions in order to use the connected App
CD
Universal containers (UC) is building a mobile application that will make calls to the salesforce REST API. Additionally UC would like to provide the optimal experience for its mobile users. Which two OAuth scopes should UC configure in the connected App? Choose 2 answers A. Web B. full C. Refresh token D. API
CD
Which two things should be done to ensure end users can only use single sign-on (SSO) to login in to Salesforce?Choose 2 answers A. Once SSO is enabled, users are only able to login using Salesforce credentials. B. Request Salesforce Support to enable delegated authentication. C. Assign user "is Single Sign-on Enabled" permission via profile or permission set. D. Enable My Domain and select "Prevent login from https://login.salesforce.com".
CD
Which three different attributes can be used to identify the user in a SAML 65> assertion when Salesforce is acting as a Service Provider? Choose 3 answers A. User Full Name B. Salesforce User ID C. Federation ID D. Salesforce Username E. User Email Address
CDE
A financial enterprise is planning to set up a user authentication mechanism to login to the Salesforce system. Due to regulatory requirements, the CIO of the company wants user administration, including passwords and authentication requests, to be managed by an external system that is only accessible via a SOAP webservice.Which authentication mechanism should an identity architect recommend to meet the requirements? A. Identity Connect B. Just-in-Time Provisioning C. OAuth Web-Server Flow D. Delegated Authentication
D
A global company has built an external application that uses data from its Salesforce org via an OAuth 2.0 authorization flow. Upon logout, the existing Salesforce OAuth token must be invalidated.Which action will accomplish this? A. Enable Single Logout with a secure logout URL. B. Use a HTTP POST to request the refresh token for the current user. C. Use a HTTP POST to the System for Cross-domain Identity Management (SCIM) endpoint, including the current OAuth token. D. Use a HTTP POST to make a call to the revoke token endpoint.
D
A third-party app provider would like to have users provisioned via a service endpoint before users access their app from Salesforce.What should an identity architect recommend to configure the requirement with limited changes to the third-party app? A. Use Salesforce identity with Security Assertion Markup Language (SAML) for provisioning users. B. Create Canvas app in Salesforce for third-party app to provision users. C. Redirect users to the third-party app for registration. D. Use a connected app with user provisioning flow.
D
An Identity and Access Management (IAM) Architect is recommending Identity Connect to integrate Microsoft Active Directory (AD) with Salesforce for user provisioning, deprovisioning and single sign-on (SSO).Which feature of Identity Connect is applicable for this scenano? A. Identity Connect can be deployed as a managed package on salesforce org, leveraging High Availability of Salesforce Platform out-of-the-box. B. If the number of provisioned users exceeds Salesforce licence allowances, identity Connect will start disabling the existing Salesforce users in First-in, First-out (FIFO) fashion. C. When configured, Identity Connect acts as an identity provider to both Active Directory and Salesforce, thus providing SSO as a default feature. D. When Identity Connect is in place, if a user is deprovisioned in an on-premise AD, the user's Salesforce session Is revoked Immediately.
D
An identity architect wants to secure Salesforce APIs using Security Assertion Markup Language (SAML). For secunty purposes, administrators will need to authorize the applications that will be consuming the APIs.Which Salesforce OAuth authorization flow should be used? A. OAuth 2.0 User-Agent Flow B. SAML Assertion Flow C. OAuth 2.0 JWT Bearer Flow D. OAuth 2-0 SAML Bearer Assertion Flow
D
Containers (UC) uses a legacy Employee portal for their employees to collaborate. Employees access the portal from their company's internal website via SSO. It is set up to work with SiteMinder and Active Directory. The Employee portal has features to support posing ideas. UC decides to use Salesforce Ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to integrate Employee portal ideas with Salesforce idea through the API. What is the role of Salesforce in the context of SSO, based on this scenario? A. Connected App, because Salesforce is connected with Employee portal via API. B. An independent system, because Salesforce is not part of the SSO setup. C. Identity Provider, because the API calls are authenticated by Salesforce. D. Service Provider, because Salesforce is the application for managing ideas.
D
IT security at Unversal Containers (UC) is concerned about recent phishing scams targeting its users and wants to add additional layers of login protection. What should an Architect recommend to address the issue? A. Lock sessions to the IP address from which they originated. B. Implement Single Sign-on using a corporate Identity store. C. Increase Password complexity requirements in Salesforce. D. Use the Salesforce Authenticator mobile app with two-step verification
D
In a typical SSL setup involving a trusted party and trusting party, what consideration should an Architect take into account when using digital certificates? A. Use of self-signed certificate leads to lower maintenance for trusted party because multiple self-signed certs need to be maintained. B. Use of self-signed certificate leads to lower maintenance for trusting party because there is no trusted CA cert to maintain. C. Use of self-signed certificate leads to higher maintenance for trusted party because they have to act as the trusted CA D. Use of self-signed certificate leads to higher maintenance for trusting party because the cert needs to be added to their truststore.
D
Universal Containers (UC) has a Customer Community that uses Facebook for of authentication. UC would like to ensure that changes in the Facebook profile are 65. reflected on the appropriate Customer Community user. How can this requirement be met? A. Use SAML Just-In-Time Provisioning between Facebook and Salesforce. B. Use information in the Signed Request that is received from Facebook. C. Develop a scheduled job that calls out to Facebook on a nightly basis. D. Use the updateUser() method on the Registration Handler class.
D
Universal Containers (UC) has built a custom token-based Two-factor authentication (2FA) system for their existing on-premise applications. They are now implementing Salesforce and would like to enable a Two-factor login process for it, as well. What is the recommended solution as Architect should consider? A. Replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce. B. Replace the custom 2FA system with an AppExchange App that supports on premise application and salesforce. C. Use the custom 2FA system for on-premise applications and native 2FA for Salesforce. D. Use Custom Login Flows to connect to the existing custom 2FA system for use in Salesforce.
D
Universal Containers (UC) has five Salesforce orgs (UC1, UC2, UC3, UC4, UC5). of Every user that is in UC2, UC3, UC4, and UC5 is also in UC1, however not all users have access to every org. Universal Containers would like to simplify the authentication process such that all Salesforce users need to remember one set of credentials. UC would like to achieve this with the least impact to cost and maintenance. What approach should an Architect recommend to UC? A. Purchase a third-party Identity Provider for all five Salesforce orgs to use and set up JIT B. Configure UC1 as the Identity Provider to the other four Salesforce orgs, but don't set up JIT C. Purchase a third-party Identity Provider for all five Salesforce orgs to use, but don't set up JIT user provisioning for other orgs. D. Configure UC1 as the Identity Provider to the other four Salesforce orgs and set up JIT user provisioning on all other orgs.
D
Universal Containers (UC) wants its closed Won opportunities to be synced to a Data warehouse in near real time. UC has implemented Outbound Message to enable near real-time data sync. UC wants to ensure that communication between Salesforce and Target System is secure. What certificate is sent along with the Outbound Message? A. The default client Certificate from the Develop--> API menu. B. The Self-signed Certificates from the Certificate & Key Management menu. C. The CA-signed Certificate from the Certificate and Key Management Menu. D. The default client Certificate from the Certificate and Key Management menu.
D
Universal Containers (UC) wants to implement SAML SSO for their internal of Salesforce users using a third-party IdP. After some evaluation, UC decides NOT to set up My Domain for their Salesforce org. How does that decision impact their SSO implementation? A. Neither SP- nor IdP-initiated SSO will work. B. IdP-initiated SSO will NOT work. C. Either SP- or IdP-initiated SSO will work. D. SP-initiated SSO will NOT work
D
Universal Containers (UC) wants to use Salesforce for sales orders and a legacy of system for order fulfillment. The legacy system must update the status of orders in Salesforce in real time as they are fulfilled. UC decides to use OAuth for connecting the legacy system to Salesforce. What OAuth flow should be considered that doesn't require storing credentials, client secret or refresh tokens? A. Web Server flow B. Username-Password flow C. User Agent flow D. JWT Bearer Token flow
D
Universal containers (UC) has implemented a multi-org strategy and would like to centralize the management of their salesforce user profiles. What should the architect recommend to allow salesforce profiles to be managed from a central system of record? A. Implement an Oauthjwt flow to pass the profile credentials between systems. B. Create an apex scheduled job in one org that will synchronize the other orgs profile. C. Implement Delegated Authentication that will update the user profiles as necessary. D. Implement jit provisioning on the SAML IDP that will pass the profile id in each assertion.
D
Universal containers (UC) would like to enable SAML-BASED SSO for a salesforce partner community. UC has an existing ldap identity store and a third-party portal. They would like to use the existing portal as the primary site these users access, but also want to allow seamless access to the partner community. What SSO flow should an architect recommend? A. Sp-Initiated B. User-Agent C. Web server D. IDP-initiated
D
Universal containers uses an Employee portal for their employees to collaborate. employees access the portal from their company's internal website via SSO. It is set up to work with Active Directory. What is the role of Active Directory in this scenario? A. Identity provider B. Authentication store C. Service provider D. Identity store
D
universal container plans to develop a custom mobile app for the sales team that will use salesforce for authentication and access management. The mobile app access needs to be restricted to only the sales team. What would be the recommended solution to grant mobile app access to sales users? A. Use a custom attribute on the user object to control access to the mobile app B. Add a new identity provider to authenticate and authorize mobile users. C. Use the permission set license to assign the mobile app permission to sales users D. Use connected apps Oauth policies to restrict mobile app access to authorized users.
D
