Salesforce IAM Architect

An Identity and Access Management (IAM) Architect is recommending Identity Connect to integrate Microsoft Active Directory (AD) with Salesforce for user provisioning, deprovisioning and Single Sign-On (SSO). Which feature of Identity Connect is applicable for this scenario? A. When Identity Connect is in place, if a user is deprovisioned in an on-premise AD, the user's Salesforce session Is revoked immediately. B. If the number of provisioned users exceeds Salesforce license allowances, identity Connect will start disabling the existing Salesforce users in First-in, First-out (FIFO) fashion. C. Identity Connect can be deployed as a managed package on salesforce org, leveraging High Availability of Salesforce Platform out-of-the-box. D. When configured, Identity Connect acts as an identity provider to both Active Directory and Salesforce, thus providing SSO as a default feature.

A

How should an Architect force users to authenticate with Two-factor Authentication (2FA) for Salesforce only when not connected to an internal company network? A . Use Custom Login Flows with Apex to detect the user's IP address and prompt for 2FA if needed. B . Add the list of company's network IP addresses to the Login Range list under 2FA Setup. C . Use an Apex Trigger on the User Login object to detect the user's IP address and prompt for 2FA if needed. D . Apply the "Two-factor Authentication for User Interface Logins" permission and Login IP Ranges for all Profiles.

A

How should an Architect force users to authenticate with Two-factor Authentication (2FA) for Salesforce only when not connected to an internal company network? A. Use Custom Login Flows with Apex to detect the user's IP address and prompt for 2FA if needed. B. Add the list of company's network IP addresses to the Login Range list under 2FA Setup. C. Use an Apex Trigger on the UserLogin object to detect the user's IP address and prompt for 2FA if needed. D. Apply the "Two-factor Authentication for User Interface Logins" permission and Login IP Ranges for all Profiles.

A

Universal Containers (UC) built an integration for their employees to post, view, and vote for ideas in Salesforce from an internal Company portal. When ideas are posted in Salesforce, links to the ideas are created in the company portal pages as part of the integration process. The Company portal connects to Salesforce using OAuth. Everything is working fine, except when users click on links to existing ideas, they are always taken to the Ideas home page rather than the specific idea, after authorization .Which OAuth URL parameter can be used to retain the original requested page so that a user can be redirected correctly after OAuth authorization? A . Redirect_uri B . State C . Scope D . Callback_uri

A

Universal Containers (UC) has a mobile application for its employees that uses data from Salesforce as well as uses Salesforce for Authentication purposes. UC wants its mobile users to only enter their credentials the first time they run the app. The application has been live for a little over 6 months, and all of the users who were part of the initial launch are complaining that they have to re-authenticate. UC has also recently changed the URI Scheme associated with the mobile app. What should the Architect at UC first investigate? Universal Containers (UC) has a mobile application for its employees that uses data from Salesforce as well as uses Salesforce for Authentication purposes. UC wants its mobile users to only enter their credentials the first time they run the app. The application has been live for a little over 6 months, and all of the users who were part of the initial launch are complaining that they have to re-authenticate. UC has also recently changed the URI Scheme associated with the mobile app. What should the Architect at UC first investigate? A. Check the Refresh Token policy defined in the Salesforce Connected App. B. Validate that the users are checking the box to remember their passwords. C. Verify that the Callback URL is correctly pointing to the new URI Scheme. D. Confirm that the access Token's Time-To-Live policy has been set appropriately.

A

Universal Containers (UC) has an existing e-commerce platform and is implementing a new customer community. They do not want to force customers to register on both applications due to concern over the customers experience. It is expected that 25% of the e-commerce customers will utilize the customer community . The e-commerce platform is capable of generating SAML responses and has an existing REST-ful API capable of managing users. How should UC create the identities of its e-commerce users with the customer community? A. Use SAML JIT in the Customer Community to create users when a user tries to login to the community from the e-commerce site. B. Use the e-commerce REST API to create users when a user self-register on the customer community and use SAML to allow SSO. C. Use a nightly batch ETL job to sync users between the Customer Community and the e-commerce platform and use SAML to allow SSO. D. Use the standard Salesforce API to create users in the Community When a User is Created in the e-Commerce platform and use SAML to allow SSO

A

Universal Containers (UC) has an existing web application that it would like to access from Salesforce without requiring users to re-authenticate. The web application is owned UC and the UC team that is responsible for it is willing to add new JavaScript code and/or libraries to the application. What implementation should an Architect recommend to UC? A. Create a Canvas app and use Signed Requests to authenticate the users. B. Rewrite the web application as a set of Visualforce pages and Apex code. C. Configure the web application as an item in the Salesforce App Launcher. D. Add the web application as a ConnectedApp using OAuth User-Agent flow.

A

Universal Containers (UC) has an existing web application that it would like to access from Salesforce without requiring users to re-authenticate. The web application is owned by UC and the UC team that is responsible for it is willing to add a new JavaScript code and/or libraries to the application. What implementation should an Identity Architect recommend to UC? A . Create a Canvas app and use Signed Requests to authenticate the users. B . Rewrite the web application as a set of Visualforce pages and Apex code. C . Configure the web application as an item in the Salesforce App Launcher. D . Add the web application as a Connected App using OAuth User-Agent flow.

A

Universal Containers (UC) has implemented SAML -based Single Sign-on for their Salesforce application. UC is using PingFederate as the Identity Provider. To access Salesforce, users usually navigate to a bookmarked link to My Domain URL .What type of single Sign-on is this? A . SP-Initiated B . IdP-initiated with deep linking C . IdP-initiated D . Web server flow.

A

Universal Containers (UC) has implemented a multi-org strategy and would like to centralize the management of their Salesforce user profiles. What should the architect recommend to allow Salesforce profiles to be managed from a central system of record? A. Implement JIT provisioning on the SAML IDP that will pass the profile id in each assertion. B. Create an Apex scheduled job in one org that will synchronize the other orgs profile. C. Implement Delegated Authentication that will update the user profiles as necessary. D. Implement an OAuth JWT flow to pass the profile credentials between systems.

A

Universal Containers (UC) implemented SSO to a third-party system for their Salesforce users to access the App Launcher. UC enabled "User Provisioning" on the Connected App so that changes to user accounts can be synched between Salesforce and the third party system. However, UC quickly notices that changes to user roles in Salesforce are not getting synched to the third-party system .What is the most likely reason for this behavior? A . User Provisioning for Connected Apps does not support role sync. B . Required operation(s) was not mapped in User Provisioning Settings. C . The Approval queue for User Provisioning Requests is unmonitored. D . Salesforce roles have more than three levels in the role hierarchy.

A

Universal Containers (UC) implemented SSO to a third-party system for their Salesforce users to access the App Launcher. UC enabled "User Provisioning" on the Connected App so that changes to user accounts can be synched between Salesforce and the third party system. However, UC quickly notices that changes to user roles in Salesforce are not getting synched to the third-party system. What is the most likely reason for this behavior? A. User Provisioning for Connected Apps does not support role sync. B. Required operation(s) was not mapped in User Provisioning Settings. C. The Approval queue for User Provisioning Requests is unmonitored. D. Salesforce roles have more than three levels in the role hierarchy

A

Universal Containers (UC) is implementing Salesforce and would like to establish SAML SSO for its users to log in. UC stores its corporate user identities in a Custom Database. The UC IT Manager has heard good things about Salesforce Identity Connect as an Idp, and would like to understand what limitations they may face if they decided to use Identity Connect in their current environment. What limitation Should an Architect inform the IT Manager about? A. Identity Connect will not support user provisioning in UC's current environment. B. Identity Connect will only support Idp-initiated SAML flows in UC's current environment. C. Identity Connect will only support SP-initiated SAML flows in UC's current environment. D. Identity connect is not compatible with UC's current identity environment.

A

Universal Containers (UC) is rolling out its new Customer Identity and Access Management Solution built on top of its existing Salesforce instance. UC wants to allow customers to login using Facebook, Google, and other social sign-on providers. How should this functionality be enabled for UC, assuming ail social sign-on providers support OpenID Connect? A . Configure an authentication provider and a registration handler for each social sign-on provider. B . Configure a Single Sign-On setting and a registration handler for each social sign-on provider. C . Configure an authentication provider and a Just-In-Time (JIT) handler for each social sign-on provider. D . Configure a single sign-on setting and a JIT handler for each social sign-on provider.

A

Universal Containers (UC) is setting up delegated authentication to allow employees to log in using their corporate credentials. UC's security team is concerned about the risks of exposing the corporate login service on the internet and has asked that a reliable trust mechanism be put in place between the login service and Salesforce. What mechanism should an Architect put in place to enable a trusted connection between the login service and Salesforce? A . Require the use of Salesforce security tokens on passwords. B . Enforce mutual authentication between systems using SSD C. Include Client Id and Client Secret in the login header callout. D . Set up a proxy service for the login service in the DM

A

Universal Containers (UC) is setting up their customer Community self-registration process. They are uncomfortable with the idea of assigning new users to a default account record. What will happen when customers self-register in the community? A. The self-registration process will produce an error to the user. B. The self-registration page will ask user to select an account. C. The self-registration process will create a person Account record. D. The self-registration page will create a new account record.

A

Universal Containers (UC) uses a legacy Employee portal for their employees to collaborate and post their ideas. UC decides to use salesforce ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to push ideas posted on the Employee portal to salesforce through API. UC decides to use an API user using Oauth Username - password flow for the connection .How can the connection to salesforce be restricted only to the employee portal server? A . Add the Employee portals IP address to the Trusted IP range for the connected App B . Use a digital certificate signed by the employee portal Server. C . Add the employee portals IP address to the login IP range on the user profile. D . Use a dedicated profile for the user the Employee portal uses.

A

Universal Containers has multiple Salesforce instances where users receive emails from different instances. Users should be logged into the correct Salesforce instance authenticated by their IdP when clicking on an email link to a Salesforce record. What should be enabled in Salesforce as a prerequisite? A. My Domain B. External Identity C. Identity Provider D. Multi-Factor Authentication

A

Universal Containers(UC) has a customer Community that uses Facebook for authentication. UC would like to ensure that changes in the Facebook profile are reflected on the appropriate customer Community user. How can this requirement be met? A. Use the updateuser() method on the registration handler class. B. Use SAML Just-In-Time provisioning between Facebook and Salesforce C. Use information in the signed request that is received from Facebook. D. Develop a schedule job that calls out to Facebook on a nightly basis.

A

What item should an Architect consider when designing a Delegated Authentication implementation? A. The Web service should be secured with TLS using Salesforce trusted certificates. B. The Web service should be able to accept one to four input method parameters. C. The web service should use the Salesforce Federation ID to identify the user. D. The Web service should implement a custom password decryption method.

A

Universal Containers (UC) is looking to build a Canvas app and wants to use the corresponding Connected App to control where the app is visible .Which two options are correct in regards to where the app can be made visible under the Connected App setting for the Canvas app? Choose 2 answers A . As part of the body of a Salesforce Knowledge article. B . In the mobile navigation menu on Salesforce for Android C . The sidebar of a Salesforce Console as a console component. D . Included in the Call Control Tool that's part of Open CT

A, C

Which two roles of the systems are involved in an environment where Salesforce users are enabled to access Google Apps from within Salesforce through App launcher and connected App set up? Choose 2 answers A . Google is the identity provider B . Salesforce is the identity provider C . Google is the service provider D . Salesforce is the service provider

A, D

Universal Containers (UC) is building an integration between Salesforce and a legacy web applications using the canvas framework. The security for UC has determined that a signed request from Salesforce is not an adequate authentication solution for the Third-Party app .Which two options should the Architect consider for authenticating the third-party app using the canvas framework? Choose 2 Answers A . Utilize the SAML Single Sign-on flow to allow the third-party to authenticate itself against UC's Id B . Utilize Authorization Providers to allow the third-party application to authenticate itself against Salesforce as the IdP. C. Utilize Canvas OAuth flow to allow the third-party application to authenticate itself against Salesforce as the IdP. D . Create a registration handler Apex class to allow the third-party application to authenticate itself against Salesforce as the IdP.

A,B

Universal Containers (UC) would like its community users to be able to register and log in with LinkedIn or Facebook Credentials. UC wants users to clearly see Facebook & LinkedIn Icons when they register and login .What are the two recommended actions UC can take to achieve this Functionality? Choose 2 answers A . Enable Facebook and LinkedIn as Login options in the login section of the Community configuration. B . Create custom Registration Handlers to link LinkedIn and Facebook accounts to user records. C . Store the LinkedIn or Facebook user IDs in the Federation ID field on the Salesforce User record. D . Create custom buttons for Facebook and LinkedIn using JavaScript/CSS on a custom Visualforce page.

A,B

Universal containers (UC) employees have Salesforce access from restricted IP ranges only, to protect against unauthorized access. UC wants to rollout Salesforce1 mobile app and make it accessible from any location .Which two options should an architect recommend? Choose 2 answers A . Relax the IP restriction in the connect app settings for Salesforce1 mobile app B . Use login flow to bypass IP range restriction for the mobile app. C . Relax the IP restrictions with a second factor in the connect app settings for Salesforce1 mobile app D . Remove existing restrictions on IP ranges for all types of user access.

A,B

Universal containers (UC) wants to integrate a Web application with Salesforce. The UC team has implemented the Oauth web-server Authentication flow for authentication process .Which two considerations should an architect point out to UC? Choose 2 answers A . The web application should be hosted on a secure server. B . The web server must be able to protect consumer privacy C . The flow involves passing the user credentials back and forth. D . The flow will not provide an OAuth refresh token back to the server.

A,B

Universal Containers (UC) would like to enable self-registration for their Salesforce Partner Community users. UC wants to capture some custom data elements from the partner user, and based on these data elements, wants to assign the appropriate Profile and Account values. Which two actions should the Architect recommend to UC? Choose 2 answers A . Configure Registration for Communities to use a custom Visualforce Page. B . Modify the SelfRegistration trigger to assign Profile and Account. C . Modify the CommunitiesSelfRegController to assign the Profile and Account. D . Configure Registration for Communities to use a custom Apex Controller.

A,C

Universal Containers is building a web application that will connect with the Salesforce API using JWT OAuth Flow. Which two settings need to be configured in the connect app to support this requirement? Choose 2 answers A . The Use Digital Signature option in the connected app. B . The "web" OAuth scope in the connected app, C . The "api" OAuth scope in the connected app. D . The "edair_api" OAuth scope in the connected app.

A,C

Which two things should be done to ensure end users can only use Single Sign-On (SSO) to login in to Salesforce? Choose 2 answers A . Enable My Domain and select "Prevent login from https://login.salesforce.com". B . Request Salesforce Support to enable delegated authentication. C . Once SSO is enabled, users are only able to login using Salesforce credentials. D . Assign user "is Single Sign-on Enabled" permission via profile or permission set.

A,D

Which three types of attacks would a 2-Factor Authentication solution help garden against? A . Key logging attacks B . Network perimeter attacks C . Phishing attacks D . Dictionary attacks E . Man-in-the-middle attacks

A,C,D

Which two roles of the systems are involved in an environment where Salesforce users are enabled to access Google Apps from within Salesforce through App launcher and Connected App set up? Choose 2 answers A . Google is the identity provider B . Salesforce is the identity provider C . Google is the service provider D . Salesforce is the service provider

A,D

Which three are capabilities of SAML-based Federated authentication? Choose 3 answers A . Trust relationships between Identity Provider and Service Provider are required. B . SAML tokens can be in XML or JSON format and can be used interchangeably. C . Web applications with no passwords are more secure and stronger against attacks. D . Access tokens are used to access resources on the server once the user is authenticated. E . Centralized federation provides single point of access, control and auditing.

A,D,E

Universal Containers wants to set up SSO for a selected group of users to access external applications from salesforce through App launcher. Which three steps must be completed in salesforce to accomplish the goal? A. Associate user profiles with the connected Apps. B. Complete My Domain and Identity provider setup. C. Create connected apps for the external applications. D. Complete Single Sign-On settings in security controls. E. Create named credentials for each external system.

ABC

Universal containers (UC) wants to implement Delegated Authentication for a certain subset of Salesforce users. Which three items should UC take into consideration while building the Web service to handle the Delegated Authentication request? Choose 3 answers A. The web service needs to include Source IP as a method parameter. B. UC should whitelist all Salesforce IP ranges on their corporate firewall. C. The web service can be written using either the soap or rest protocol. D. Delegated Authentication is enabled for the system administrator profile. E. The return type of the Web service method should be a Boolean value

ABE

Universal Containers (UC) does My Domain enable in the context of a SAML SSO configuration? Choose 2 answers A. Resource deep linking B. App launcher C. SSO from Salesforce1 mobile app. D. Login forensics

AC

Universal Containers (UC) has a mobile application that it wants to deploy to all of its salesforce users, including customer Community users. UC would like to minimize the administration overhead, which two items should an architect recommend? Choose 2 answers A. Enable the "Refresh Tokens is valid until revoked " setting in the Connected App. B. Enable the "Enforce IP restrictions" settings in the connected App. C. Enable the "All users may self-authorize" setting in the Connected App. D. Enable the "High Assurance session required" setting in the Connected App.

AC

Universal Containers (UC) is building an integration between Salesforce and a legacy web applications using the canvas framework. The security for UC has determined that a signed request from Salesforce is not an adequate authentication solution for the Third-Party app. Which two options should the Architect consider for authenticating the third-party app using the canvas framework? Choose 2 Answers A. Utilize the SAML Single Sign-on flow to allow the third-party to authenticate itself against UC's IdP. B. Utilize Authorization Providers to allow the third-party application to authenticate itself against Salesforce as the IdP. C. Utilize Canvas OAuth flow to allow the third-party application to authenticate itself against Salesforce as the IdP. D. Create a registration handler Apex class to allow the third-party application to authenticate itself against Salesforce as the IdP.

AC

Universal Containers (UC) is using a custom application that will act as the Identity Provider and will generate SAML assertions used to log in to Salesforce. UC is considering including custom parameters in the SAML assertion. These attributes contain sensitive data and are needed to authenticate the users. The assertions are submitted to salesforce via a browser form post. The majority of the users will only be able to access Salesforce via UC's corporate network, but a subset of admins and executives would be allowed access from outside the corporate network on their mobile devices. Which two methods should an Architect consider to ensure that the sensitive data cannot be tampered with, nor accessible to anyone while in transit? A. Use the Identity Provider's certificate to digitally sign and Salesforce's Certificate to encrypt the payload. B. Use Salesforce's Certificate to digitally sign the SAML Assertion and a Mobile Device Management client on the users' mobile devices. C. Use the Identity provider's certificate to digitally Sign and the Identity provider's certificate to encrypt the payload. D. Use a custom login flow to retrieve sensitive data using an Apex callout without including the attributes in the assertion.

AC

Which three different attributes can be used to identify the user in a SAML assertion when Salesforce is acting as a Service Provider? Choose 3 answers A. Federation ID B. Salesforce User ID C. User Full Name D. User Email Address E. Salesforce Username

ACD

After a recent audit, Universal Containers was advised to implement Two-factor Authentication for all of their critical systems, including Salesforce. Which two actions should UC consider to meet this requirement? Choose 2 answers A. Require users to provide their RSA token along with their credentials. B. Require users to supply their email and phone number, which gets validated. C. Require users to enter a second password after the first Authentication D. Require users to use a biometric reader as well as their password

AD

Universal Containers(UC) has implemented SAML-BASED single Sign-on for their Salesforce application and is planning to provide access to Salesforce on mobile devices using the Salesforce1 mobile app. UC wants to ensure that Single Sign-on is used for accessing the Salesforce1 mobile app. Which two recommendations should the architect make? Choose 2 answers A. Use the existing SAML SSO flow along with User Agent flow. B. Configure the embedded Web browser to use My Domain URL. C. Use the existing SAML SSO flow along with Web server flow D. Configure the Salesforce1 app to use the My Domain URL

AD

A group of users try to access one of Universal Containers connected apps and receive the following error message: "Failed: Not approved for access." What is most likely to cause of the issue? A . The use of high assurance sections are required for the connected App. B . The users do not have the correct permission set assigned to them. C . The connected App setting "All users may self-authorize" is enabled. D . The Salesforce administrators revoked the OAuth authorization.

B

A multinational company is looking to rollout Salesforce globally. The company has a Microsoft Active Directory Federation Services (ADFS) implementation for the Americas, Europe and APAC. The company plans to have a single org and they would like to have all of its users access Salesforce using the ADFS . The company would like to limit its investments and prefer not to procure additional applications to satisfy the requirements. What is recommended to ensure these requirements are met ? A. Use connected apps for each ADFS implementation and implement Salesforce site to authenticate users across the ADFS system applicable to their geo. B. Implement Identity Connect to provide single sign-on to Salesforce and federated across multiple ADFS systems. C. Add a central identity system that federates between the ADFS systems and integrate with Salesforce for single sign-on. D. Configure Each ADFS system under single sign-on settings and allow users to choose the system to authenticate during sign on to Salesforce

B

An architect has successfully configured SAML-BASED SSO for Universal Containers. SSO has been working for 3 months when Universal Containers manually adds a batch of new users to Salesforce. The new users receive an error from Salesforce when trying to use SSO. Existing users are still able to successfully use SSO to access Salesforce. What is the probable cause of this behavior? A. The administrator forgot to reset the new user's Salesforce password. B. The Federation ID field on the new user records is not correctly set C. The My Domain capability is not enabled on the new user's profile. D. The new users do not have the SSO permission enabled on their profiles.

B

An identity architect has been asked to recommend a solution that allows administrators to configure personalized alert messages to users before they land on the Experience Cloud site (formerly known as Community) homepage. What is recommended to fulfill this requirement with the least amount of customization? A. Customize the registration handler Apex class to create a routing logic navigating to different home pages based on the user profile. B. Use Login Flows to add a screen that shows personalized alerts. C. Build a Lightning web Component (LWC) for a homepage that shows custom alerts. D. Create custom metadata that stores user alerts and use a LWC to display alerts.

B

Northern Trail Outfitters (NTO) is launching a new sportswear brand on its existing consumer portal built on Salesforce Experience Cloud. As part of the launch, emails with promotional links will be sent to existing customers to log in and claim a discount. The marketing manager would like the portal dynamically branded so that users will be directed to the brand link they clicked on; otherwise, users will view a recognizable NTO-branded page. The campaign is launching quickly, so there is no time to procure any additional licenses. However, the development team is available to apply any required changes to the portal. Which approach should the identity architect recommend? A. Create a full sandbox to replicate the portal site and update the branding accordingly. B. Implement Experience ID in the code and extend the URLs and endpoints, as required. C. Use Heroku to build the new brand site and embedded login to reuse identities. D. Configure an additional community site on the same org that is dedicated for the new brand.

B

Northern Trail Outfitters (NTO) is planning to roll out a partner portal for its distributors using Experience Cloud. NTO would like to use an external identity provider (idP) and for partners to register for access to the portal. Each partner should be allowed to register only once to avoid duplicate accounts with Salesforce. What should a identity architect recommend to create partners? A. On successful creation of Partners using Self Registration page in Experience Cloud, create identity in Ping. B. Create a custom page m Experience Cloud to self register partner with Experience Cloud and Ping identity store. C. Create a custom web page in the Portal and create users in the IdP and Experience Cloud using published APIs. D. Allow partners to register through the IdP and create partner users in Salesforce through an API.

B

Universal Container plans to develop a custom mobile app for the sales team that will use Salesforce for authentication and access management. The mobile app access needs to be restricted to only the sales team .What would be the recommended solution to grant mobile app access to sales users? A . Use a custom attribute on the user object to control access to the mobile app B . Use connected apps OAuth policies to restrict mobile app access to authorized users. C . Use the permission set license to assign the mobile app permission to sales users D . Add a new identity provider to authenticate and authorize mobile users.

B

Universal Containers (UC) has a mobile application that calls the Salesforce REST API. In order to prevent users from having to enter their credentials every time they use the app, UC has enabled the use of Refresh Tokens as part of Salesforce connected App and updated their mobile app to take advantage of the refresh token. Even after enabling the refresh token, Users are still complaining that they have to enter their credentials once a day. What is the most likely cause of the issue? A. The OAuth authorizations are being revoked by a nightly batch job. B. The refresh token expiration policy is set incorrectly in Salesforce C. The app is requesting too many access tokens in a 24-hour period D. The users forget to check the box to remember their credentials.

B

Universal Containers (UC) has an existing Salesforce org configured for SP-Initiated SAML SSO with their IdP. A second Salesforce org is being introduced into the environment and the IT team would like to ensure they can use the same IdP for new org .What action should the IT team take while implementing the second org? A . Use the same SAML Identity location as the first org. B . Use a different Entity ID than the first org. C . Use the same request bindings as the first org. D . Use the Salesforce Username as the SAML Identity Type.

B

Universal Containers (UC) has implemented SAML SSO to enable seamless access across multiple applications. UC has regional Salesforce orgs and wants it's users to be able to access them from their main Salesforce org seamless. Which action should an architect recommend? A. Configure the main Salesforce org as an Authentication provider. B. Configure the main Salesforce org as the Identity provider. C. Configure the regional Salesforce orgs as Identity Providers. D. Configure the main Salesforce org as a service provider.

B

Universal Containers (UC) has implemented SAML SSO to enable seamless access across multiple applications. UC has regional salesforce orgs and wants it's users to be able to access them from their main Salesforce org seamless .Which action should an architect recommend? A . Configure the main salesforce org as an Authentication provider. B . Configure the main salesforce org as the Identity provider. C . Configure the regional salesforce orgs as Identity Providers. D . Configure the main Salesforce org as a service provider.

B

Universal Containers (UC) is building a custom (employee hut) application on Amazon Web Services (AWS) and would like to store their users' credentials there. Users will also need access to Salesforce for internal operations. UC has tasked an identity architect with evaluating Afferent solutions for authentication and authorization between AWS and Salesforce. How should an identity architect configure AWS to authenticate and authorize Salesforce users? A. Configure the custom employee app as a connected app. B. Configure AWS as an OpenID Connect Provider. C. Create a custom external authentication provider. D. Develop a custom Auth server in AWS.

B

Universal Containers (UC) uses Salesforce to allow customers to keep track of the order status. The customers can log in to Salesforce using external authentication providers, such as Facebook and Google. UC is also leveraging the App Launcher to let customers access an of platform application for generating shipping labels. The label generator application uses OAuth to provide users access. What license type should an Architect recommend for the customers? A . Customer Community license B . Identity license C . Customer Community Plus license D . External Identity license

B

Universal Containers (UC) uses Salesforce to allow customers to keep track of the order status. The customers can log in to Salesforce using external authentication providers, such as Facebook and Google. UC is also leveraging the App Launcher to let customers access an of platform application for generating shipping labels. The label generator application uses OAuth to provide users access. What license type should an Architect recommend for the customers? A. Customer Community license B. Identity license C. Customer Community Plus license D. External Identity license

B

Universal Containers (UC) wants to use Salesforce for sales orders and a legacy of system for order fulfillment. The legacy system must update the status of orders in 65* Salesforce in real time as they are fulfilled. UC decides to use OAuth for connecting the legacy system to Salesforce. What OAuth flow should be considered that doesn't require storing credentials, client secret or refresh tokens? A. Web Server flow B. JWT Bearer Token flow C. Username-Password flow D. User Agent flow

B

Universal Containers wants Salesforce inbound OAuth-enabled integration clients to use SAML-based single Sign-on for authentication .What OAuth flow would be recommended in this scenario? A . User-Agent OAuth flow B . SAML assertion OAuth flow C . User-Token OAuth flow D . Web server OAuth flow

B

Universal Containers wants to implement SAML SSO for their internal Salesforce users using a third-party IdP. After some evaluation, UC decides not to set up My Domain for their Salesforce org .How does that decision impact their SSO implementation? A . SP-initiated SSO will not work. B . Neither SP- nor IdP-initiated SSO will work. C . Either SP- or IdP-initiated SSO will work. D . IdP-initiated SSO will not work.

B

Universal Containers wants to implement Single Sign-On for a Salesforce org using an external Identity Provider and corporate identity store. What type of authentication flow is required to support deep linking? A . Web Server OAuth SSO flow B . Service-Provider-Initiated SSO C . Identity-Provider-initiated SSO D . Start URL on Identity Provider

B

Universal Containers wants to implement Single Sign-on for a Salesforce org using an external Identity Provider and corporate identity store. What type of authentication flow is required to support deep linking' A. Web Server OAuth SSO flow B. Service-Provider-Initiated SSO C. Identity-Provider-initiated SSO D. StartURL on Identity Provider

B

Universal containers (UC) has implemented an SP-Initiated SAML flow between an external IdP and Salesforce. A user at UC is attempting to login to Salesforce1 for the first time and is being prompted for Salesforce credentials instead of being shown the IdP login page .What is the likely cause of the issue? A . The "Redirect to Identity Provider" option has been selected in the my domain configuration. B . The user has not configured the Salesforce1 mobile app to use my domain for login C . The "Redirect to identity provider" option has not been selected the SAML configuration. D . The user has not been granted the "Enable single Sign-on" permission

B

Universal containers (UC) uses an internal company portal for their employees to collaborate. UC decides to use Salesforce ideas and provide the ability for employees to post ideas from the company portal. They use SAML-based SSO to get into the company portal and would like to leverage it to access Salesforce. Most of the users don't exist in Salesforce and they would like the user records created in Salesforce communities the first time they try to access Salesforce .What recommendation should an architect make to meet this requirement? A . Use on-the-fly provisioning B . Use Just-in-Time provisioning C . Use Salesforce APIs to create users real time D . Use Identity Connect to sync users

B

Universal containers (UC) would like to enable SAML-based SSO for a Salesforce partner community. UC has an existing LDAP identity store and a third-party portal. They would like to use the existing portal as the primary site these users access, but also want to allow seamless access to the partner community .What SSO flow should an architect recommend? A . User-Agent B . IdP-initiated C . SP-Initiated D . Web server

B

What is one of the roles of an Identity Provider in a Single Sign-on setup using SAML? A. Validate token B. Create token C. Consume token D. Revoke token

B

Universal Containers (UC) wants to build a mobile application that will be making calls to the Salesforce REST API. UC's Salesforce implementation relies heavily on custom objects and custom Apex code. UC does not want its users to have to enter credentials every time they use the app .Which two scope values should an Architect recommend to UC? Choose 2 answers. A . Custom permissions B . API C . Refresh Token D . Full

B,C

Universal Containers (UC) wants to integrate a third-party reward calculation system with Salesforce to calculate rewards. Rewards will be calculated on a schedule basis and update back into Salesforce. The integration between Salesforce and the reward calculation system needs to be secure .Which are the recommended best practices for using OAuth flows in this scenario? Choose 2 answers A . OAuth refresh token flow B . OAuth SAML bearer assertion flow C . OAuth JWT bearer token flow D . OAuth Username-password flow

B,C

Universal containers (UC) wants to implement a partner community. As part of their implementation, UC would like to modify both the Forgot password and change password experience with custom branding for their partner community users .Which 2 actions should an architect recommend to UC? Choose 2 answers A . Build a community builder page for the change password experience and Custom Visualforce page for the Forgot password experience. B . Build a custom visual force page for both the change password and Forgot password experiences. C . Build a custom visual force page for the change password experience and a community builder page for the Forgot password experience. D . Build a community builder page for both the change password and Forgot password experiences.

B,C

Which two security risks can be mitigated by enabling Two-Factor Authentication (2FA) in Salesforce? Choose 2 answers A . Users leaving laptops unattended and not logging out of Salesforce. B . Users accessing Salesforce from a public Wi-Fi access point. C . Users choosing passwords that are the same as their Facebook password. D . Users creating simple-to-guess password reset questions.

B,C

Universal Containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in Salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app .Which two are recommendations to make the UC? Choose 2 answers A . Disallow the use of Single Sign-on for any users of the mobile app. B . Require High Assurance sessions in order to use the Connected App. C . Set Login IP Ranges to the internal network for all of the app users Profiles. D . Use Google Authenticator as an additional part of the login process

B,D

Universal Containers (UC) has implemented SAML-based SSO solution for use with their multi-org Salesforce implementation, utilizing one of the the orgs as the Identity Provider. One user is reporting that they can log in to the Identity Provider org but get a generic SAML error message when accessing the other orgs .Which two considerations should the architect review to troubleshoot the issue? Choose 2 answers A . The Federation ID must be a valid Salesforce Username B . The Federation ID must is case sensitive C . The Federation ID must be in the form of an email address. D . The Federation ID must be populated on the user record.

B,D

Universal Containers (UC) is both a Salesforce and Google Apps customer. The UC IT team would like to manage the users for both systems in a single place to reduce administrative burden .Which two optimal ways can the IT team provision users and allow Single Sign-on between Salesforce and Google Apps? Choose 2 answers A . Build a custom app running on Heroku as the Identity Provider that can sync user information between Salesforce and Google Apps. B . Use a third-party product as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there. C . Use Identity Connect as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there. D . Use Salesforce as the Identity Provider and Google Apps as a Service Provider and configure User Provisioning for Connected Apps.

B,D

Universal Containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two are recommendations to make the UC? Choose 2 answers A. Disallow the use of single Sign-on for any users of the mobile app. B. Require high assurance sessions in order to use the connected App C. Use Google Authenticator as an additional part of the logical processes. D. Set login IP ranges to the internal network for all of the app users profiles.

BC

Universal Containers is implementing a new Experience Cloud site and the identity architect wants to use dynamic branding features as of the login process. Which two options should the identity architect recommend to support dynamic branding for the site? Choose 2 answers A. To use dynamic branding, the community must be built with the Visualforce + Salesforce Tabs template. B. To use dynamic branding, the community must be built with the Customer Account Portal template. C. An experience ID (expid) or placeholder parameter must be used in the URL to represent the brand. D. An external content management system (CMS) must be used for dynamic branding on Experience Cloud sites.

BC

Which two capabilities does My Domain enable in the context of a SAML SSO configuration? Choose 2 answers A. App Launcher B. Resource deep linking C. SSO from Salesforce Mobile App D. Login Forensics

BC

Universal Containers uses Salesforce as an identity provider and Concur as the Employee Expense management system. The HR director wants to ensure Concur accounts for employees are created only after the appropriate approval in the Salesforce org. Which three steps should the identity architect use to implement this requirement? Choose 3 answers A. Create an approval process for a custom object associated with the provisioning flow. B. Create a connected app for Concur in Salesforce. C. Enable User Provisioning for the connected app. D. Create an approval process for user object associated with the provisioning flow. E. Create an approval process for UserProvisionlngRequest object associated with the provisioning flow

BCE

Which three are features of federated Single Sign-on solutions? Choose 3 answers A. It federates credentials control to authorized applications. B. It establishes trust between Identity store and service provider. C. It solves all identity and access management problems. D. It improves affiliated applications adoption rates. E. It enables quick and easy provisioning and deactivating of users.

BCE

Universal Containers (UC) uses Global Shipping (GS) as one of their shipping vendors. Regional leads of GS need access to UC's Salesforce instance for reporting damage of goods using Cases. The regional leads also need access to dashboards to keep track of regional shipping KPIs. UC internally uses a third-party cloud analytics tool for capacity planning and UC decided to provide access to this tool to a subset of GS employees. In addition to regional leads, the GS capacity planning team would benefit from access to this tool. To access the analytics tool, UC IT has set up Salesforce as the Identity provider for Internal users and would like to follow the same approach for the GS users as well. What are the most appropriate license types for GS Regional Leads and the GS Capacity Planners? Choose 2 Answers A. Customer Community Plus license for GS Regional Leads and External Identity for GS Capacity Planners. B. Customer Community Plus license for GS Regional Leads and Customer Community license for GS Capacity Planners. C. Identity License for GS Regional Leads and External Identity license for GS capacity Planners. D. Customer Community license for GS Regional Leads and Identity license for GS Capacity Planners.

BD

Universal Containers (UC) would like to enable SSO between their existing Active Directory (AD) infrastructure and Salesforce. The IT team prefers to manage all users in Active Directory and would like to avoid doing any initial setup of users in Salesforce directly, including the correct assignment of profiles, roles and groups. Which two optimal solutions should UC use to provision users in Salesforce? Choose 2 answers A. Use the Salesforce REST API to sync users from Active Directory to Salesforce B. Use an AppExchange product to sync users from Active Directory to Salesforce. C. Use Active Directory Federation Services to sync users from active directory to Salesforce. D. Use Identity connect to sync users from Active Directory to Salesforce

BD

Universal Containers (UC) would like to enable SSO between their existing Active Directory infrastructure and salesforce. The IT team prefers to manage all users in Active Directory and would like to avoid doing any initial setup of users in salesforce directly, including the correct assignment of profiles, roles and groups. Which two optimal solutions should UC use to provision users in salesforce? Choose 2 answers A. Use the salesforce REST API to sync users from active directory to salesforce B. Use an AppExchange product to sync users from Active Directory to Salesforce. C. Use Active Directory Federation Services to sync users from active directory to Salesforce. D. Use Identity Connect to sync users from Active Directory to Salesforce

BD

Which two statements are capable of Identity Connect? Choose 2 answers A. Synchronization of Salesforce Permission Set License Assignments. B. Supports both Identity-Provider-Initiated and Service-Provider-Initiated SSO. C. Support multiple orgs connecting to multiple Active Directory servers. D. Automated user synchronization and de-activation.

BD

Which two statements are capable of Identity Connect? Choose 2 answers A. Synchronization of Salesforce Permission Set License Assignments. B. Supports both Identity-Provider-Initiated and Service-Provider-Initiated SSO. C. Support multiple orgs connecting to multiple Active Directory servers. D. Automated user synchronization and de-activation.

BD

An Architect needs to advise a team that manages an Identity Provider on how to differentiate Salesforce from other Service Providers .What SAML SSO setting in Salesforce provides this capability? A . Identity Provider Login URL B. Issuer C. Entity ID D . SAML Identity Location

C

A global company has built an external application that uses data from its Salesforce org via an OAuth 2.0 authorization flow. Upon logout, the existing Salesforce OAuth token must be invalidated. Which action will accomplish this? A. Use a HTTP POST to request the refresh token for the current user. B. Use a HTTP POST to the System for Cross-domain Identity Management (SCIM) endpoint, including the current OAuth token. C. Use a HTTP POST to make a call to the revoke token endpoint. D. Enable Single Logout with a secure logout URL.

C

Customer Service representatives at Universal Containers (UC) are complaining that whenever they click on links to Case records and are asked to login with SAML SSO, they are being redirected to the Salesforce Home tab and not the specific Case record .What item should an architect advise the identity team at UC to investigate first? A . My domain is configured and active within Salesforce. B . Salesforce SSO settings are using Http Post C . The identity provider is correctly preserving the Relay state D . The users have the correct Federation ID within Salesforce.

C

An identity architect wants to secure Salesforce APIs using Security Assertion Markup Language (SAML). For security purposes, administrators will need to authorize the applications that will be consuming the APIs. Which Salesforce OAuth authorization flow should be used? A. OAuth 2-0 SAML Bearer Assertion Flow B. OAuth 2.0 JWT Bearer Flow C. SAML Assertion Flow D. OAuth 2.0 User-Agent Flow

C

In a typical SSL setup involving a trusted party and trusting party, what consideration should an Architect take into account when using digital certificates? A . Use of self-signed certificate leads to lower maintenance for trusted party because multiple self-signed certs need to be maintained. B . Use of self-signed certificate leads to higher maintenance for trusted party because they have to act as the trusted CA C . Use of self-signed certificate leads to lower maintenance for trusting party because there is no trusted CA cert to maintain. D . Use of self-signed certificate leads to higher maintenance for trusting party because the cert needs to be added to their trust store.

C

Northern Trail Outfitters (NTO) has a requirement to ensure all user logins include a single multi-factor authentication (MFA) prompt. Currently, users are allowed the choice to login with a username and password or via single sign-on against NTO's corporate Identity Provider, which includes built-in MFA. Which configuration will meet this requirement? A. Create and assign a permission set to all employees that includes "MFA for User Interface Logins." B. Create a custom login flow that enforces MFA and assign it to a permission set. Then assign the permission set to all employees. C. Enable "MFA for User Interface Logins" for your organization from Setup -> Identity Verification. D. For all employee profiles, set the Session Level Required at Login to High Assurance and add the corporate identity provider to the High Assurance list for the org's Session Security Levels.

C

Northern Trail Outfitters is implementing a business-to-business (B2B) collaboration site using Salesforce Experience Cloud. The partners will authenticate with an existing identity provider and the solution will utilize Security Assertion Markup Language (SAML) to provide Single Sign-On to Salesforce. Delegated administration will be used in the Experience Cloud site to allow the partners to administer their users' access. How should a partner identity be provisioned in Salesforce for this solution? A. Create only a contact. B. Create a contactless user. C. Create a user and a related contact. D. Create a person account.

C

Universal containers (UC) has multiple Salesforce orgs and would like to use a single identity provider to access all of their orgs .How should UC'S architect enable this behavior? A . Ensure that users have the same email value in their user records in all of UC's salesforce orgs. B . Ensure the same username is allowed in multiple orgs by contacting salesforce support. C . Ensure that users have the same Federation ID value in their user records in all of UC's salesforce orgs. D . Ensure that users have the same alias value in their user records in all of UC's salesforce orgs.

C

The security team at Universal Containers (UC) has identified exporting reports as a high-risk action and would like to require users to be logged into Salesforce with their Active Directory (AD) credentials when doing so. For all other users of Salesforce, users should be allowed to use AD Credentials or Salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with Salesforce credentials? A. Use SAML Federated Authentication and block access to reports when accessed through a Standard Assurance session. B. Use SAML Federated Authentication and Custom SAML JIT Provisioning to dynamically and or remove a permission set that grants the Export Reports Permission. C. Use SAML federated Authentication, treat SAML Sessions as High Assurance, and raise the session level required for exporting reports. D. Use SAML federated Authentication with a Login Flow to dynamically add or remove a Permission Set that grants the Export Reports Permission.

C

Universal Containers (UC) has a strict requirement to authenticate users to Salesforce using their mainframe credentials. The mainframe user store cannot be accessed from a SAML provider. UC would also like to have users in Salesforce created on the fly if they provide accurate mainframe credentials. How can the Architect meet these requirements? A. Use a Salesforce Login Flow to call out to a web service and create the user on the fly. B. Use the SOAP API to create the user when created on the mainframe; implement Delegated Authentication. C. Implement Just-In-Time Provisioning on the mainframe to create the user on the fly. D. Implement OAuth User-Agent Flow on the mainframe; use a Registration Handler to create the user on the fly.

C

Universal Containers (UC) is building a customer community and will allow customers to authenticate using Facebook credentials. The first time the user authenticating using Facebook, UC would like a customer account created automatically in their Accounting system. The accounting system has a web service accessible to Salesforce for the creation of accounts .How can the Architect meet these requirements? A . Create a custom application on Heroku that manages the sign-on process from Facebook. B . Use JIT Provisioning to automatically create the account in the accounting system. C . Add an Apex callout in the registration handler of the authorization provider. D . Use OAuth JWT flow to pass the data from Salesforce to the Accounting System.

C

Universal Containers (UC) is setting up Delegated Authentication to allow employees to log in using their corporate credentials. UC's security team is concerned about the risk of exposing the corporate login service on the Internet and has asked that a reliable trust mechanism be put in place between the login service and Salesforce .What mechanism should an architect put in place to enable a trusted connection between the login services and Salesforce? A . Include client ID and client secret in the login header callout. B . Set up a proxy server for the login service in the DM C . Require the use of Salesforce security Tokens on password. D . Enforce mutual Authentication between systems using SS

C

Universal Containers (UC) is setting up Delegated Authentication to allow employees to log in using their corporate credentials. UC's security team is concerned about the risk of exposing the corporate login service on the Internet and has asked that a reliable trust mechanism be put in place between the login service and salesforce. What mechanism should an architect put in place to enable a trusted connection between the login services and salesforce? A. Include client ID and client secret in the login header callout. B. Set up a proxy server for the login service in the DMZ. C. Require the use of Salesforce security Tokens on password. D. Enforce mutual Authentication between systems using SSL.

C

Universal Containers (UC) uses a legacy Employee portal for their employees to collaborate. Employees access the portal from their company's internal website via SSO. It is set up to work with SiteMinder and Active Directory. The Employee portal has features to support posting ideas. UC decides to use Salesforce Ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to integrate Employee portal ideas with Salesforce idea through the API .What is the role of Salesforce in the context of SSO, based on this scenario? A . Service Provider, because Salesforce is the application for managing ideas. B . Connected App, because Salesforce is connected with Employee portal via API C . Identity Provider, because the API calls are authenticated by Salesforce. D . An independent system, because Salesforce is not part of the SSO setup.

C

Universal Containers (UC) wants its users to access Salesforce and other SSO-enabled applications from a custom web page that UC magnets. UC wants its users to use the same set of credentials to access each of the applications. what SAML SSO flow should an Architect recommend for UC? A. SP-Initiated with Deep Linking B. SP-Initiated C. IdP-Initiated D. User-Agent

C

Universal Containers (UC) wants to build a custom mobile app for their field reps to create orders in Salesforce. After the first time the users log in, they must be able to access Salesforce upon opening the mobile app without being prompted to log in again. What OAuth flows should be considered to support this requirement? A . Web Server flow with a Refresh Token. B . Mobile Agent flow with a Bearer Token. C . User Agent flow with a Refresh Token. D . SAML Assertion flow with a Bearer Token.

C

Universal Containers (UC) wants to integrate a third-party Reward Calculation system with Salesforce to calculate Rewards. Rewards will be calculated on a schedule basis and updated back into Salesforce. The integration between Salesforce and the Reward Calculation System needs to be secure .Which are two recommended practices for using OAuth flow in this scenario. Choose 2 answers A . OAuth Refresh Token Flow B . OAuth Username-Password Flow C . OAuth SAML Bearer Assertion Flow D . OAuth JWT Bearer Token Flow

C,D

A Salesforce customer is implementing Sales Cloud and a custom pricing application for its call center agents. An Enterprise single sign-on solution is used to authenticate and sign-in users to all applications. The customer has the following requirements: * 1. The development team has decided to use a Canvas app to expose the pricing application to agents. * 2. Agents should be able to access the Canvas app without needing to log in to the pricing application. Which two options should the identity architect consider to provide support for the Canvas app to initiate login for users? Choose 2 answers A. Select "Enable as a Canvas Personal App" in the connected app settings. B. Enable OAuth settings in the connected app with required OAuth scopes for the pricing application. C. Configure the Canvas app as a connected app and set Admin-approved users as pre-authorized. D. Enable SAML in the connected app and Security Assertion Markup Language (SAML) Initiation Method as Service Provider Initiated

CD

Universal Containers (UC) wants to build a few applications that leverage the Salesforce REST API. UC has asked its Architect to describe how the API calls will be authenticated to a specific user. Which two mechanisms can the Architect provide? Choose 2 Answers A. Authentication Token B. Session ID C. Refresh Token D. Access Token

CD

Universal Containers (UC) wants to build a few applications that leverage the Salesforce REST API. UC has asked its Architect to describe how the API calls will be authenticated to a specific user. Which two mechanisms can the Architect provide? Choose 2 Answers A. Authentication Token B. Session ID C. Refresh Token D. Access Token

CD

A technology enterprise is setting up an identity solution with an external vendors wellness application for its employees. The user attributes need to be returned to the wellness application in an ID token. Which authentication mechanism should an identity architect recommend to meet the requirements? A. OpenID Connect B. User Agent Flow C. JWT Bearer Token Flow D. Web Server Flow

D

An Identity and Access Management (IAM) architect is tasked with unifying multiple B2C Commerce sites and an Experience Cloud community with a single identity. The solution needs to support more than 1,000 logins per minute. What should the IAM do to fulfill this requirement? A. Configure both the community and the commerce sites as OAuth 2 RPs (relying party) with an external identity provider. B. Configure community as a Security Assertion Markup Language (SAML) identity provider and enable Just-in-Time Provisioning to B2C Commerce. C. Create a default account for capturing all ecommerce contacts registered on the community because personAccount is not supported for this case. D. Confirm performance considerations with Salesforce Customer Support due to high peaks.

D

An architect needs to set up a Facebook Authentication provider as login option for a Salesforce Customer Community .What portion of the authentication provider setup associates a Facebook user with a Salesforce user? A . Consumer key and consumer secret B . Federation ID C . User info endpoint URL D . Apex registration handler

D

An architect needs to set up a Facebook Authentication provider as login option for a Salesforce customer Community. What portion of the authentication provider setup associates a Facebook user with a Salesforce user? A. Consumer key and consumer secret B. Federation ID C. User info endpoint URL D. Apex registration handler

D

Northern Trail Outfitters (NTO) believes a specific user account may have been compromised. NTO inactivated the user account and needs U perform a forensic analysis and identify signals that could Indicate a breach has occurred. What should NTO's first step be in gathering signals that could indicate account compromise? A. Review the User record and evaluate the login and transaction history. B. Download the Setup Audit Trail and review all recent activities performed by the user. C. Download the Identity Provider Event Log and evaluate the details of activities performed by the user. D. Download the Login History and evaluate the details of logins performed by the user.

D

Refer to the exhibit: Authorization Request EXPERIENCE CLOUD SITE<-----------------------------HEROKU APP (NTO) Northern Trail Outfitters (NTO) is using Experience Cloud as an Identity for its application on Heroku. The application on Heroku should be able to handle two brands, Northern Trail Shoes and Northern Trail Shirts. A user should select either of the two brands in Heroku before logging into the community. The app then performs Authorization using OAuth2.0 with the Salesforce Experience Cloud site. NTO wants to make sure it renders login page images dynamically based on the user's brand preference selected in Heroku before Authorization. What should an identity architect do to fulfill the above requirements? A . For each brand create different communities and redirect users to the appropriate community using a custom Login controller written in Apex. B . Create multiple login screens using Experience Builder and use Login Flows at runtime to route to different login screens. C . Authorize third-party service by sending authorization requests to the community-url/services/oauth2/authorize/cookie_value. D . Authorize third-party service by sending authorization requests to the community- url/services/oauth2/authonze/expid_value.

D

Universal Containers (UC) has a classified information system that its call center team uses only when they are working on a case with a record type "Classified". They are only allowed to access the system when they own an open "Classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO either Salesforce as the IdP, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "Classified" case record when they try to access the system using SSO .What is the recommended solution for automatically allowing or denying the access to the classified information system based on the open "classified" case record criteria? A . Use Salesforce reports to identify users that currently owns open "Classified" cases and should be granted access to the Classified information system. B . Use Apex trigger on case to dynamically assign permission Sets that Grant access when an user is assigned with an open "Classified" case, and remove it when the case is closed. C . Use Custom SAML JIT Provisioning to dynamically query the user's open "Classified" cases when attempting to access the classified information system. D . Use a Common Connected App Handler using Apex to dynamically allow access to the system based on whether the staff owns any open "Classified" Cases.

D

Universal Containers (UC) has built a custom based Two-factor Authentication (2fa) system for their existing on-premise applications. They are now implementing Salesforce and would like to enable a Two-factor login process for it, as well. What is the recommended solution an architect should consider? A. Replace the custom 2fa system with Salesforce 2fa for on-premise application and Salesforce. B. Use the custom 2fa system for on-premise applications and native 2fa for Salesforce. C. Replace the custom 2fa system with an app exchange app that supports on-premise applications and Salesforce. D. Use custom login flows to connect to the existing custom 2fa system for use in Salesforce.

D

Universal Containers (UC) has built a custom token-based Two-factor Authentication (2FA) system for their existing on-premise applications. They are now implementing Salesforce and would like to enable a Two-factor login process for it, as well .What is the recommended solution as Architect should consider? A . Use the custom 2FA system for on-premise applications and native 2FA for Salesforce. B . Replace the custom 2FA system with an AppExchange App that supports on premise application and salesforce. C . Use Custom Login Flows to connect to the existing custom 2FA system for use in Salesforce. D . Replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce.

D

Universal Containers (UC) has implemented SAML-based Single Sign-On to provide seamless access to its Salesforce Orgs, financial system, and CPQ system. Below is the SSO implementation landscape. PingFederate------>Salesforce Org 1----------------->Financial System PingFederate------>Salesforce Org 1----------------->Salesforce Org 2 PingFederate------>Salesforce Org 1----------------->CPQ System What role combination is represented by the systems in this scenario" A . Financial System and CPQ System are the only Service Providers. B . Salesforce Org1 and Salesforce Org2 are the only Service Providers. C . Salesforce Org1 and Salesforce Org2 are acting as Identity Providers. D . Salesforce Org1 and PingFederate are acting as Identity Providers

D

Universal Containers (UC) plans to use a SAML-based third-party IdP serving both of the Salesforce Partner Community and the corporate portal. UC partners will log in 65* to the corporate portal to access protected resources, including links to Salesforce resources. What would be the recommended way to configure the IdP so that seamless access can be achieved in this scenario? A. Set up the corporate portal as a Connected App in Salesforce and use the Web server OAuth flow. B. Configure SP-initiated SSO that passes the SAML token upon Salesforce resource access request. C. Set up the corporate portal as a Connected App in Salesforce and use the User Agent OAuth flow. D. Configure IdP-initiated SSO that passes the SAML token upon Salesforce resource access request.

D

Universal Containers (UC) uses Salesforce as a CRM and Identity Provider (IdP) for their Sales Team to seamlessly login to internal portals. The IT team at UC is now evaluating Salesforce to act as an IdP for its remaining employees. Which Salesforce license is required to fulfill this requirement? A . External Identity B . Identity Verification C . Identity Connect D . Identity Only

D

Universal Containers (UC) uses a legacy Employee portal for their employees to collaborate. Employees access the portal from their company's internal website via SSO. It is set up to work with SiteMinder and Active Directory. The Employee portal has features to support posting ideas. UC decides to use Salesforce Ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to integrate Employee portal ideas with Salesforce idea through the API. What is the role of Salesforce in the context of SSO, based on this scenario? A. Service Provider, because Salesforce is the application for managing ideas. B. Connected App, because Salesforce is connected with Employee portal via API. C. Identity Provider, because the API calls are authenticated by Salesforce. D. An independent system, because Salesforce is not part of the SSO setup.

D

Universal containers (UC) has decided to build a new, highly sensitive application on Force.com platform. The security team at UC has decided that they want users to provide a fingerprint in addition to Username/Password to authenticate to this application .How can an architect support fingerprints as a form of identification for Salesforce Authentication? A . Use salesforce Two-factor Authentication with callouts to a third-party fingerprint scanning application. B . Use Delegated Authentication with callouts to a third-party fingerprint scanning application. C . Use an AppExchange product that does fingerprint scanning with native Salesforce Identity confirmation. D . Use custom login flows with callouts to a third-party fingerprint scanning application.

D