Salesforce Identity and Access Management Architect

A global fitness equipment manufacturer is planning to sell fitness tracking devices and has the following requirements: 1) Customer purchases the device. 2) Customer registers the device using their mobile app. 3) A case should automatically be created in Salesforce and associated with the customer's account in cases where the device registers issues with tracking. Which OAuth flow should be used to meet these requirements?
A. OAuth 2.0 Asset Token Flow
B. OAuth 2.0 Username-Password Flow
C. OAuth 2.0 SAML Bearer Assertion Flow
D. OAuth 2.0 User-Agent Flow

A

Northern Trail Outfitters (NTO) uses the Customer 360 Platform implemented on Salesforce Experience Cloud. The development team in charge has learned of a contactless user feature, which can reduce the overhead of managing customers and partners by creating users without contact information. What is the potential impact to the architecture if NTO decides to implement this feature?
A. Contactless user feature is available only with the External Identity license, which can restrict the Experience Cloud functionality available to the user
B. Custom registration handler is needed to correctly assign External Identity or Community license for the newly registered contactless user
C. Passwordless authentication cannot be supported because the mobile phone receiving one-time password (OTP) needs to match the number on the contact record
D. If contactless user is upgraded to Community license, the contact record is automatically created and linked to the user record, but not associated with an Account

A

Universal Containers wants to allow its customers to log in to its Experience Cloud via a third-party authentication provider that supports only the OAuth protocol. What should an identity architect do to fulfill this requirement?
A. Create a custom external authentication provider
B. Contact Salesforce Support and enable delegated single sign-on.
C. Configure OpenID Connect authentication provider
D. Use certificate-based authentication.

A

Which item should an identity architect consider when designing a Delegated Authentication implementation?
A. The web server should be secured with TLS using Salesforce trusted certificates
B. The web server should be able to accept one to four input method parameters.
C. The web service should use the Salesforce Federation ID to identify the users
D. The web service should implement a custom password decryption method

A

Northern Trail Outfitters (NTO) recently purchased Salesforce Identity Connect to streamline user provisioning across Microsoft Active Directory (AD) and Salesforce Sales Cloud. NTO has asked an identity architect to identify which Salesforce security configurations can map to AD permissions. Which three Salesforce permissions are available to map to AD permissions? Choose 3 answers
A. Roles
B. Field-Level Security
C. Profiles and Permission Sets
D. Public Groups
E. Sharing Rules

A, C, D

A global company is using the Salesforce Platform as an Identity Provider and needs to integrate a third-party application with its Experience Cloud customer portal. Which two features should be utilized to provide users with login and identity services for the third-party application? Choose 2 answers
A. Use a connected app.
B. External Data Source with Named Principal identity type.
C. Use Delegated Authentication.
D. Use the App Launcher with single sign-on (SSO).

A, D

Universal Containers (UC) is using its production org as the identity provider for a new Experience Cloud site and the identity architect is deciding which login experience to use for the site. Which two page types are valid login page types for the site? Choose 2 answers
A. Embedded Login Page
B. Experience Builder Page
C. Lightning Experience Page
D. Login Discovery Page

A, D

The CIO of Universal Containers (UC) wants to start taking advantage of the refresh token capability for the UC applications that utilize OAuth 2.0. UC has enlisted an architect to analyze all of the applications that use OAuth flows to see where refresh tokens can be applied. Which two OAuth flows should the architect consider in their evaluation? Choose 2 answers
A. Web server
B. JWT bearer token
C. User-Agent
D. Username-password

A, C

Universal Containers uses Salesforce as an identity provider and Concur as the Employee Expense management system. The HR director wants to ensure Concur accounts for employees are created only after the appropriate approval in the Salesforce org. Which three steps should the identity architect use to implement this requirement? Choose 3 answers
A. Create a connected app for Concur in Salesforce
B. Create an approval process for User object associated with the provisioning flow
C. Enable User Provisioning for the connected app
D. Create an approval process for User Provisioning Request object associated with the provisioning flow
E. Create an approval process for a custom object associated with the provisioning flow

A, C, D

Universal Containers (UC) has decided to use Identity Connect as its identity provider. UC uses Active Directory (AD) and has a team that is very familiar and comfortable with managing AD groups. UC would like to use AD groups to help configure Salesforce users. Which three actions can AD groups control through Identity Connect? Choose 3 answers
A. Public Group Assignment
B. Granting report folder access
C. Role Assignment
D. Custom permission assignment
E. Permission sets assignment

A, C, E

The CIO of Universal Containers (UC) wants to start taking advantage of the refresh token capability for the UC applications that utilize OAuth 2.0. UC has enlisted an architect to analyze all of the applications that use OAuth flows to see where refresh tokens can be applied. Which OAuth flows should an architect consider in their evaluation? Choose 2 answers
A. Web Server
B. JWT bearer token
C. User Agent
D. Username-Password

A, C

A division of Northern Trail Outfitters (NTO) purchased Salesforce. NTO uses a third-party Identity Provider (IdP) to validate user credentials against its corporate Lightweight Directory Access Protocol (LDAP) directory. NTO wants to help employees remember as few passwords as possible. What should an identity architect recommend?
A. Set up Salesforce as an IdP to authenticate against the LDAP directory
B. Set up Salesforce as a Service Provider to the existing IdP
C. Use Salesforce Connect to synchronize LDAP passwords to Salesforce
D. Set up Salesforce as an Authentication Provider to the existing IdP

B

How should an identity architect automate provisioning and deprovisioning of users into Salesforce from an external system?
A. Call SOAP API upsert() on User object.
B. Run registration handler on incoming OAuth responses.
C. OpenID Connect (OIDC)-userinfo endpoint with a valid access token.
D. Use Security Assertion Markup Language Just-in-Time (SAML JIT) on incoming SAML assertions.

B

An Identity and Access Management (IAM) architect is recommending Identity Connect to integrate Microsoft Active Directory (AD) with Salesforce for user provisioning, deprovisioning and single sign-on (SSO). Which feature of Identity Connect is applicable for this scenario?
A. Identity Connect can be deployed as a managed package on Salesforce org, leveraging High Availability of Salesforce Platform out-of-the-box
B. When Identity Connect is in place, if a user is deprovisioned in an on-premises AD, the user's Salesforce session is revoked immediately
C. When configured, Identity Connect acts as an identity provider to both Active Directory and Salesforce, thus providing SSO as a default feature
D. If the number of provisioned users exceeds Salesforce license allowances, Identity Connect will start disabling the existing Salesforce users in First-in, First-out (FIFO) fashion

B

An architect has successfully configured SAML-based SSO for Universal Containers. SSO has been working for 3 months when Universal Containers manually adds a batch of new users to Salesforce. The new users receive an error from Salesforce when trying to use SSO. Existing users are still able to successfully use SSO to access Salesforce. What is the probable cause of this behavior?
A. The administrator forgot to reset the new users' Salesforce password.
B. The Federation ID field on the new user records is not correctly set
C. The My Domain capability is not enabled on the new users' profile.
D. The new users do not have the SSO permission enabled on their profiles.

B

Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for NTO to give its customers the ability to log in with their Amazon credentials. What should an identity architect recommend to meet these requirements?
A. Configure Amazon as a connected app.
B. Configure an OpenID Connect Authentication Provider for Amazon
C. Configure a predefined authentication provider for Amazon.
D. Create a custom external authentication provider for Amazon

B

Universal Containers (UC) has decided to replace the homegrown customer portal with Salesforce Experience Cloud. UC will continue to use its third-party single sign-on (SSO) solution that stores all of its customer and partner credentials. The first time a customer logs in to the Experience Cloud site through SSO, a user record needs to be created automatically. Which solution should an identity architect recommend in order to automatically provision users in Salesforce upon login?
A. Custom middleware and web services
B. Just-in-Time (JIT) provisioning
C. Third-party AppExchange solution
D. Custom login flow and Apex handler

B

Universal Containers is implementing a new Experience Cloud site and the identity architect wants to use dynamic branding features as part of the login process. Which two options should the identity architect recommend to support dynamic branding for the site?
A. To use dynamic branding, the community must be built with the Customer Account Portal template
B. An experience ID (expid) or placeholder parameter must be used in the URL to represent the brand.
C. An external content management system (CMS) must be used for dynamic branding on Experience Cloud sites
D. To use dynamic branding, the community must be built with the Visualforce + Salesforce Tabs template

B

Which two things should be done to ensure end users can only use single sign-on (SSO) to log in to Salesforce? Choose 2 answers
A. Request Salesforce Support to enable delegated authentication
B. Enable My Domain and select "Prevent login from https://login.salesforce.com"
C. Assign user "Is Single Sign-On Enabled" permission via profile or permission set
D. Once SSO is enabled, users are only able to login using Salesforce credentials

B, C

Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for NTO to give its customers the ability to log in with their Facebook and Twitter credentials. Which two actions should an identity architect recommend to meet these requirements? Choose 2 answers
A. Create a custom external authentication provider for Twitter
B. Configure a predefined authentication provider for Twitter
C. Create a custom external authentication provider for Facebook
D. Configure a predefined authentication provider for Facebook

B, D

Universal Containers (UC) has implemented SAML-based Single Sign-On for their Salesforce application and is planning to provide access to Salesforce on mobile devices using the Salesforce1 mobile app. UC wants to ensure that SSO is used for accessing the Salesforce1 mobile app. Which two recommendations should an architect make? Choose 2 answers
A. Configure the Embedded Web Browser to use My Domain URL
B. Configure the Salesforce1 mobile app
C. Use the existing SAML-SSO flow along with User-Agent flow
D. Use the existing SAML-SSO flow along with Web User flow

B, C

A financial services company uses Salesforce and has a compliance requirement to track information about devices from which users log in. Also, a Salesforce Security Administrator needs to have the ability to revoke the device from which users log in. What should be used to fulfill this requirement?
A. Use Login Flows to capture device from which users log in and store device and user information in a custom object.
B. Use multi-factor authentication (MFA) to meet the compliance requirement to track device information
C. Use the Activations feature to meet the compliance requirement to track device information.
D. Use the Login History object to track information about devices from which users log in.

C

A global company has built an external application that uses data from its Salesforce org via an OAuth 2.0 authorization flow. Upon logout, the existing Salesforce OAuth token must be invalidated. Which action will accomplish this?
A. Enable Single Logout with a secure logout URL
B. Use an HTTP POST to the System for Cross-domain Identity Management (SCIM) endpoint, including the current OAuth token
C. Use an HTTP POST to make a call to the revoke token endpoint
D. Use an HTTP POST to request the refresh token for the current user

C

Northern Trail Outfitters is implementing a business-to-business (B2B) collaboration site using Salesforce Experience Cloud. The partners will authenticate with an existing identity provider and the solution will utilize Security Assertion Markup Language (SAML) to provide single sign-on to Salesforce. Delegated administration will be used in the Experience Cloud site to allow the partners to administer their users' access. How should a partner identity be provisioned in Salesforce for this solution?
A. Create a person account
B. Create only a contact
C. Create a user and a related contact
D. Create a contactless user

C

Universal Containers uses an Employee portal for their employees to collaborate. Employees access the portal from their company's internal website via SSO. It is set up to work with Active Directory. What is the role of Active Directory in this scenario?
A. Identity store
B. Authentication store
C. Identity provider
D. Service provider

C

A technology enterprise is planning to implement Single Sign-On login for users. When users log in to the Salesforce User object, custom field data should be populated for new and existing users. Which two steps should an identity architect recommend? Choose 2 answers
A. Implement Session Management Class
B. Implement RegistrationHandler Interface
C. Create and update methods
D. Implement Auth.SamlJitHandler Interface

C, D

Which two are valid choices for digital certificates when setting up two-way SSL between Salesforce and an external system? Choose 2 answers
A. Use a trusted CA-signed certificate for Salesforce and a trusted CA-signed certificate for the external system
B. Use a trusted CA-signed certificate for Salesforce and a self-signed certificate for the external system
C. Use a self-signed certificate for Salesforce and a self-signed certificate for the external system
D. Use a self-signed certificate for Salesforce and a CA-signed certificate for the external system

C, D

An identity architect has been asked to recommend a solution that allows administrators to configure personalized alert messages to users before they land on the Experience Cloud site (formerly known as Community) homepage. What is recommended to fulfill this requirement with the least amount of customization?
A. Build a Lightning Web Component (LWC) for a homepage that shows custom alerts
B. Create custom metadata that stores user alerts and use a LWC to display alerts
C. Customize the registration handler Apex class to create a routing logic navigating to different home pages based on the user profile
D. Use Login Flows to add a screen that shows personalized alerts

D

Universal Containers (UC) is building a custom Innovation platform on a Salesforce instance. The Innovation platform will be written completely in Apex and Visualforce and will use custom objects to store the data. UC would like all users to be able to access the system without having to log in with Salesforce credentials. UC will utilize a third-party IdP using SAML SSO. What is the optimal Salesforce license type for all of the UC employees?
A. Identity license
B. Salesforce
C. External Identity
D. Salesforce Platform

D

The executive sponsor for an organization has asked if Salesforce supports the ability to embed a login widget into its service providers in order to create a more seamless user experience. What should be used and considered before recommending it as a solution on the Salesforce Platform?
A. Salesforce REST APIs. Ensure that Secure Sockets Layer (SSL) connection for the integration is used
B. OpenID Connect Web Server Flow. Determine if the service provider is secure enough to store the client secret on
C. Embedded Login. Identify what level of UI customization will be required to make it match the service provider's look and feel
D. Embedded Login. Consider whether or not it relies on third-party cookies which can cause browser compatibility issues

D

Universal Containers (UC) is building a custom employee hub application on Amazon Web Services (AWS) and would like to store their users' credentials there. Users will also need access to Salesforce for internal operations. UC has tasked an identity architect with evaluating different solutions for authentication and authorization between AWS and Salesforce. How should an identity architect configure AWS to authenticate and authorize Salesforce users?
A. Develop a custom Auth server in AWS.
B. Configure the custom employee app as a connected app.
C. Create a custom external authentication provider
D. Configure AWS as an OpenID Connect Provider.

D

Universal Containers (UC) is planning to deploy a custom mobile app that will allow users to get e-signatures from its customers on their mobile devices. The mobile app connects to Salesforce to upload the e-signatures as file attachments and uses the OAuth protocol for both authentication and authorization. What is the most recommended and secure OAuth scope setting that an architect should recommend?
A. ID
B. Web
C. Api
D. Custom_permission

D

Universal Containers has multiple Salesforce instances where users receive emails from different instances. Users should be logged into the correct Salesforce instance authenticated by their IdP when clicking on an email link to a Salesforce record. What should be enabled in Salesforce as a prerequisite?
A. Identity Provider
B. External Identity
C. Multi-Factor Authentication
D. My Domain

D

Universal Containers is implementing Salesforce Identity to broker authentication from its enterprise single sign-on (SSO) solution through Salesforce to third-party applications using SAML. What role does Salesforce Identity play in its relationship with the enterprise SSO system?
A. Client Application
B. Identity Provider (IdP)
C. Resource Server
D. Service Provider (SP)

D

A company wants to provide its employees with a custom mobile app that accesses Salesforce. Users are required to download the internal native iOS mobile app from the corporate intranet on their mobile device. The app allows flexibility to access other non-Salesforce internal applications once users authenticate with Salesforce. The apps self-authorize, and users are permitted to use the apps once they have logged into Salesforce. How should an identity architect meet the above requirements with the privately distributed mobile app?
A. Use Salesforce as an identity provider (IdP) to access the mobile app and use the external IdP for other non-Salesforce internal apps.
B. Configure Mobile App settings in connected app and Salesforce as identity provider for non-Salesforce internal apps.
C. Create a new hybrid mobile app and use the connected app with OAuth to authenticate users for Salesforce and non-Salesforce internal apps
D. Use connected app with OAuth and Security Assertion Markup Language (SAML) to access other non-Salesforce internal apps

B

A company with 15,000 employees is using Salesforce and would like to take the necessary steps to highlight or curb fraudulent activity. Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours?
A. Login History
B. Login Report
C. Login Inspector
D. Login Forensics

A

A consumer products company uses Salesforce to maintain consumer information, including orders. The company implemented a portal solution using Salesforce Experience Cloud for its consumers where the consumers can log in using their credentials. The company is considering allowing users to log in with their Facebook or LinkedIn credentials. Once enabled, what role will Salesforce play?
A. Salesforce will be the service provider (SP)
B. Salesforce will be the identity provider (IdP)
C. Facebook and LinkedIn will be the SPs.
D. Facebook and LinkedIn will act as the IdPs and SPs

A

A financial enterprise is planning to set up a user authentication mechanism to log in to the Salesforce system. Due to regulatory requirements, the CIO of the company wants user administration, including passwords and authentication requests, to be managed by an external system that is only accessible via a SOAP web service. Which authentication mechanism should an identity architect recommend to meet the requirements?
A. Delegated Authentication
B. Just-in-Time Provisioning
C. OAuth Web-Server Flow
D. Identity Connect

A

A global fitness equipment manufacturer uses Salesforce to manage its sales cycle. The manufacturer has a custom order fulfillment app that needs to request order data from Salesforce. The order fulfillment app needs to integrate with the Salesforce API using the OAuth 2.0 protocol. What should an identity architect use to fulfill this requirement?
A. Connected App and OAuth Scopes
B. Canvas App Integration
C. OAuth Tokens
D. Authentication Providers

A

A leading fitness tracker company is getting ready to launch a customer community. The company wants its customers to log in to the community and connect their fitness device to their profile. Customers should be able to obtain exercise details and fitness recommendations in the community. What should be used to satisfy this requirement?
A. OAuth Device Flow
B. Single Sign-On Settings
C. Named Credentials
D. Login Flows

A

A third-party app provider would like to have users provisioned via a service endpoint before users access their app from Salesforce. What should an identity architect recommend to configure the requirement with limited changes to the third-party app?
A. Use a connected app with user provisioning flow
B. Redirect users to the third-party app for registration.
C. Use Salesforce identity with Security Assertion Markup Language (SAML) for provisioning users
D. Create Canvas app in Salesforce for third-party app to provision users.

A

A third-party app provider would like to have users provisioned via a service endpoint before users access their app from Salesforce. What should an identity architect recommend to configure the requirement with limited changes to the third-party app?
A. Use a connected app with user provisioning flow
B. Create Canvas app in Salesforce for third-party app to provision users
C. Redirect users to the third-party app for registration
D. Use Salesforce identity with Security Assertion Markup Language (SAML) for provisioning users

A

Universal Containers wants users to be able to log in to the Salesforce mobile app with their Active Directory password. Employees are unable to use mobile VPN. Which two options should an identity architect recommend to meet the requirement? Choose 2 answers
A. Salesforce Identity Connect
B. Configure Cloud Provider Load Balancer
C. Active Directory Password Sync Plugin
D. Salesforce Trigger & Field on Contact Object

A, C

A web service is developed that allows secure access to customer order status on the Salesforce Platform. The service connects to Salesforce through a connected app with the web server flow. The following are the required actions for the authorization flow:
1. User authenticates and authorizes access
2. Request an access token
3. Salesforce grants an access token
4. Request an authorization code
5. Salesforce grants authorization code
What is the correct sequence for the authorization flow?
A. 4, 5, 2, 3, 1
B. 2, 1, 3, 4, 5
C. 1, 4, 5, 2, 3
D. 4, 1, 5, 2, 3

A

An enterprise is using a Lightweight Directory Access Protocol (LDAP) server as the only point for user authentication with a username/password. Salesforce delegated authentication is configured to integrate Salesforce under single sign-on (SSO). How can end users change their password?
A. Users can request the Salesforce Admin to reset their password.
B. Users, once logged in, can go to the Change Password screen in Salesforce.
C. Users can change it on the enterprise LDAP authentication portal.
D. Users can click on the "Forgot your Password" link on the Salesforce.com login page

A

An Identity and Access Management (IAM) architect is tasked with unifying multiple B2C Commerce sites and an Experience Cloud community with a single identity. The solution needs to support more than 1,000 logins per minute. What should the IAM architect do to fulfill this requirement?
A. Confirm performance considerations with Salesforce Customer Support due to high peaks
B. Create a default account for capturing all ecommerce contacts registered on the community because person Account is not supported for this case
C. Configure both the community and the commerce sites as OAuth2 RPs (relying party) with an external identity provider
D. Configure community as a Security Assertion Markup Language (SAML) identity provider and enable Just-in-Time Provisioning to B2C Commerce

A

Northern Trail Outfitters (NTO) believes a specific user account may have been compromised. NTO inactivated the user account and needs to perform a forensic analysis and identify signals that could indicate a breach has occurred. What should NTO's first step be in gathering signals that could indicate account compromise?
A. Download the Login History and evaluate the details of logins performed by the user.
B. Download the Setup Audit Trail and review all recent activities performed by the user.
C. Download the Identity Provider Event Log and evaluate the details of activities performed by the user
D. Review the User record and evaluate the login and transaction history.

A

Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Access Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee recently was able to log in to NTO's Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory. What should an identity architect recommend to prevent this from happening in the future?
A. Configure an authentication provider to delegate authentication to the LDAP directory.
B. Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP.
C. Use a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce
D. Set up an identity provider (IdP) to authenticate users using LDAP, set up single sign-on to Salesforce and disable Login Form authentication.

A

Northern Trail Outfitters (NTO) utilizes a third-party cloud solution for an employee portal. NTO also owns Salesforce Service Cloud and would like employees to be able to log in to Salesforce with their third-party portal credentials for a seamless experience. The third-party employee portal only supports OAuth. What should an identity architect recommend to enable single sign-on (SSO) between the portal and Salesforce?
A. Configure SSO to use the third-party portal as an identity provider.
B. Add the third-party portal as a connected app.
C. Configure Salesforce for Delegated Authentication.
D. Create a custom external authentication provider.

A

Northern Trail Outfitters (NTO) wants its customers to use phone numbers to log in to their new digital portal, which was designed and built using Salesforce Experience Cloud. In order to access the portal, the user will need to do the following:
1. Enter a phone number and/or email address
2. Enter a verification code that is to be sent via email or text.
What is the recommended approach to fulfill this requirement?
A. Create a Login Discovery page and provide a Login Discovery Handler Apex class
B. Create a custom login flow that uses an Apex controller to verify the phone numbers with the company's verification service
C. Create a custom login page with an Apex controller. The controller has logic to send and verify the identity
D. Create an Authentication provider and implement a self-registration handler class

A

Northern Trail Outfitters wants to implement a partner community. Active community users will need to review and accept the community rules, and update key contact information for each community member before their annual partner event. Which approach will meet this requirement?
A. Create a login flow that conditionally prompts users who have not accepted the new community rules and who have missing or outdated information
B. Create tasks for users who need to update their data or accept the new community rules.
C. Add a banner to the community Home page asking users to update their profile and accept the new community rules.
D. Create a custom landing page and email campaign asking all community members to login and verify their data.

A

Universal Containers (UC) is planning to add Wi-Fi enabled GPS tracking devices to its shipping containers so that the GPS coordinates data can be sent from the tracking device to its Salesforce production org via a custom API. The GPS devices have no direct user input or output capabilities. Which OAuth flow should the identity architect recommend to meet the requirement?
A. OAuth 2.0 Asset Token Flow for Securing Connected Devices
B. OAuth 2.0 Username-Password Flow for Special Scenarios
C. OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration
D. OAuth 2.0 Web Server Flow for Web App Integration

A

Universal Containers (UC) uses Salesforce as a CRM and identity provider (IdP) for their Sales Team to log in seamlessly to internal portals. The IT team at UC is now evaluating Salesforce to act as an IdP for its remaining employees. Which Salesforce license is required to fulfill this requirement?
A. Identity Only
B. Identity Verification
C. Identity Connect
D. External Identity

A

Universal Containers allows employees to use a mobile device to access Salesforce for daily operations using a hybrid mobile app. This app uses the Mobile software development kit (SDK), leverages a refresh token to regenerate the access token when required and is distributed as a private app. The chief security officer is rolling out an org-wide compliance policy to enforce re-verification of devices if an employee has not logged in from that device in the last week. Which connected app setting should be leveraged to comply with this policy change?
A. Refresh Token Policy - Expire the refresh token if it has not been used for 7 days.
B. Session Policy - Set timeout value of the connected app to 7 days.
C. Permitted User - Ask admins to maintain a list of users who are permitted based on last login date.
D. Scope - Deny refresh_token scope for this connected app.

A

Users logging into Salesforce are frequently prompted to verify their identity. The identity architect is required to provide recommendations so that the frequency of verification prompts can be reduced. What should the identity architect recommend to meet the requirement?
A. Set trusted IP ranges for the organization
B. Implement multi-factor authentication for the Salesforce org
C. Implement 2FA authentication for the Salesforce org
D. Implement single sign-on for Salesforce using an external identity provider

A

A real estate company wants to provide its customers a digital space to design their interior decoration options. To simplify the registration to gain access to the community site (built in Experience Cloud), the CTO has requested that the IT/Development team provide the option for customers to use their existing social-media credentials to register and access. The IT lead has approached the Salesforce Identity and Access Management (IAM) architect for technical direction on implementing the social sign-on (for Facebook, Twitter, and a new provider that supports standard OpenID Connect (OIDC)). Which two recommendations should the Salesforce IAM architect make to the IT Lead? Choose 2 answers A. Authentication provider configuration is required for each social sign-on provider; and enable Authentication providers in the community B. Apex coding skills are needed for the registration handler to create and update users. C. For supporting OIDC it is necessary to enable Security Assertion Markup Language (SAML) with Just-in-Time provisioning (JIT) and OAuth 2.0. D. Use a declarative registration handler process builder/flow to create and update users and contacts.

A, B

Northern Trail Outfitters (NTO) uses Salesforce for Sales Opportunity Management. Okta was recently brought in to Just-in-Time (JIT) provision and authenticate NTO users to applications. Salesforce users also use Okta to authorize a Forecasting web application to access Salesforce records on their behalf. Which two roles are being performed by Salesforce? Choose 2 answers A. SAML Service Provider B. OAuth Client C. OAuth Resource Server D. SAML Identity Provider

A, B

Universal Containers is creating a web application that will be secured by Salesforce Identity using the OAuth 2.0 Web Server Flow (this flow uses the OAuth 2.0 authorization code grant type). Which three OAuth concepts apply to this flow? Choose 3 answers A. Client Secret B. Scopes C. Access Token D. Authentication Token E. Verification URL

A, B, C

Northern Trail Outfitters would like to use a portal built on Salesforce Experience Cloud for customer self-service. Guests of the portal should be able to self-register, but should not be automatically assigned to a contact record until verified. External Identity licenses have been purchased for the project. After registered guests complete an onboarding process, a flow will create the appropriate account and contact records for the user. Which three steps should an identity architect follow to implement the outlined requirements? Choose 3 answers A. Enable "Allow customers and partners to self-register". B. Customize the self-registration Apex handler to create only the user record. C. Set up an external login page and call Salesforce APIs for user creation D. Select the "Configurable Self-Reg Page" option under Login & Registration. E. Customize the self-registration Apex handler to temporarily associate the user to a shared single contact record.

A, B, D

A Salesforce customer is implementing Sales Cloud and a custom pricing application for its call center agents. An Enterprise single sign-on solution is used to authenticate and sign-in users to all applications. The customer has the following requirements: 1. The development team has decided to use a Canvas app to expose the pricing application to agents. 2. Agents should be able to access the Canvas app without needing to log in to the pricing application. Which two options should the identity architect consider to provide support for the Canvas app to initiate login for users? Choose 2 answers A. Configure the Canvas app as a connected app and set Admin-approved users as preauthorized B. Enable SAML in the connected app and Security Assertion Markup Language (SAML) Initiation Method as Service Provider Initiated C. Enable OAuth settings in the connected app with required OAuth scopes for the pricing application. D. Select "Enable as a Canvas Personal App" in the connected app settings

A,B

Universal Containers (UC) is using a Salesforce Experience Cloud site for its container wholesale business. The identity architect wants to use an authentication provider for the new site. Which two options should be utilized in creating an authentication provider? Choose 2 answers A. A custom registration handler can be set B. A custom error URL can be set C. The default authentication provider certificate can be set D. The default login user can be set

A,B

Universal Containers (UC) uses Salesforce for its customer service agents. UC has a proprietary system for order tracking which supports Security Assertion Markup Language (SAML) based single sign-on. The VP of customer service wants to ensure only active Salesforce users are able to access the order tracking system, which is only visible within Salesforce. What should be done to fulfill the requirement? Choose 2 answers A. Set up Order Tracking as a Canvas app in Salesforce to POST an IdP-initiated SAML assertion B. Set up Salesforce as an identity provider (IdP) for Order Tracking C. Customize Order Tracking to initiate a REST call to validate users in Salesforce after login D. Set up the Corporate Identity store as an identity provider (IdP) for Order Tracking

A,B

Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow (this flow uses the OAuth 2.0 implicit grant type). Which three OAuth concepts apply to this flow? Choose 3 answers A. Client ID B. Refresh Token C. Authorization Code D. Verification Code E. Scopes

A,B,D

Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, who use SAML-based single sign-on to log in to Salesforce. The default agent profile does not include the Manage Users permission. UC wants to dynamically update the agent role and permission sets. Which two mechanisms are used to provision agents with the appropriate permissions? Choose 2 answers A. Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets. B. Use SAML Just-in-Time (JIT) handler class run as current user to update role and permission sets. C. Use Login Flow in System Context to update role and permission sets. D. Use Login Flow in User Context to update role and permission sets.

A,C

Universal Containers (UC) is rolling out a new Customer Identity and Access Management solution that will be built on top of its existing Salesforce instance. Several service providers have been set up and integrated with Salesforce using OpenID Connect to allow for a seamless single sign-on experience. UC has a requirement to limit user access to only a subset of service providers per customer type. Which two steps should be done on the platform to satisfy the requirement? Choose 2 answers A. Set each of the Connected App access settings to Admin Pre-Approved B. Assign the connected app to the customer community, and enable the user's profile in the Community settings C. Use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps D. Manage which connected apps a user has access to by assigning authentication providers to the user's profile

A,C

A global company's Salesforce Identity Architect is reviewing its Salesforce production org login history and is seeing some intermittent Security Assertion Markup Language (SAML) SSO 'Replay Detected' and 'Assertion Invalid' login errors. Which two issues would cause these errors? Choose 2 answers A. The subject element is missing from the assertion sent to Salesforce B. The current time setting of the company's identity provider (IdP) and the Salesforce platform is out of sync by more than eight minutes C. The certificate loaded into the SSO configuration does not match the certificate used by the IdP. D. The assertion sent to Salesforce contains an assertion ID previously used.

A,D

A company's external application is protected by Salesforce through OAuth. The identity architect for the project needs to limit the level of access to the data of the protected resource in a flexible way. What should be done to improve security? A. Define a permission set that grants access to the app and assign to authorized users B. Create custom scopes and assign to the connected app. C. Leverage external objects and data classification policies. D. Select "Admin approved users are pre-authorized" and assign specific profiles

B

A manufacturer wants to provide registration for an Internet of Things (IoT) device with limited display or input capabilities. Which Salesforce OAuth authorization flow should be used? A. OAuth 2.0 Asset Token Flow B. OAuth 2.0 Device Flow C. OAuth 2.0 User-Agent Flow D. OAuth 2.0 JWT Bearer Flow

B

A multinational industrial products manufacturer is planning to implement Salesforce CRM to manage its business. It has the following requirements: 1. It plans to implement Partner communities to provide access to its partner network. 2. It has operations in multiple countries and is planning to implement multiple Salesforce orgs. 3. Some of its partners do business in multiple countries and will need information from multiple Salesforce Communities. 4. It would like to provide a single login for its partners. How should an Identity Architect solve this requirement with limited custom development? A. Consolidate Partner-related information in a single org and provide access through a Salesforce community. B. Create a partner login for the country of their operation and use SAML federation to provide access to other orgs C. Register partners in one org and access information from other orgs using APIs. D. Allow partners to choose the Salesforce org they need information from and use login flows to authenticate access.

B

An identity architect's client has a homegrown identity provider (IdP). Salesforce is used as the service provider (SP). The head of IT is worried that during SP-initiated Single Sign-On (SSO), the Security Assertion Markup Language (SAML) request content will be altered. What should the identity architect recommend to make sure that there is additional trust between the SP and the IdP? A. Ensure that on the SSO settings page, the "Request Signing Certificate" field has a self-signed certificate B. Encrypt the SAML Request using a certificate authority (CA)-signed certificate and decrypt on the IdP C. Ensure that the Issuer and Assertion Consumer Service (ACS) URL are properly configured between SP and IdP D. Ensure that there is an HTTPS connection between IdP and SP

B

An insurance company has a connected app in its Salesforce environment that is used to integrate with Google Workspace (formerly known as G Suite). An identity and access management (IAM) architect has been asked to implement automation to enable users, freeze/suspend users, disable users, and reactivate existing users in Google Workspace upon similar actions in Salesforce. Which solution is recommended to meet this requirement? A. Build a custom REST endpoint in Salesforce that Google Workspace can poll against. B. Configure User Provisioning for Connected Apps. C. Build an Apex trigger on the User Login object to make asynchronous callouts to Google APIs. D. Update the Security Assertion Markup Language Just-in-Time (SAML JIT) handler in Salesforce for user provisioning and deprovisioning

B

Northern Trail Outfitters (NTO) is setting up Salesforce to authenticate users with an external identity provider. The NTO Salesforce Administrator is having trouble getting things set up. What should an identity architect use to show which part of the login assertion is failing? A. Connected App Manager B. Security Assertion Markup Language Validator C. Identity Provider Metadata download D. SAML Metadata file importer

B

Northern Trail Outfitters (NTO) leverages Microsoft Active Directory (AD) for management of employee usernames, passwords, permissions, and asset access. NTO also owns a third-party single sign-on (SSO) solution. The third-party SSO solution is used for all corporate applications, including Salesforce. NTO has asked an architect to explore Salesforce Identity Connect for automatic provisioning and deprovisioning of users in Salesforce. What role does Identity Connect play in the outlined requirements? A. Identity Provider B. User Management C. Single Sign-On D. Service Provider

B

Northern Trail Outfitters (NTO) uses the Customer 360 Platform implemented on Salesforce Experience Cloud. The development team in charge has learned of a contactless user feature, which can reduce the overhead of managing customers and partners by creating users without contact information. What is the potential impact to the architecture if NTO decides to implement this feature? A. If a contactless user is upgraded to a Community license, the contact record is automatically created and linked to the user record, but not associated with an Account. B. The contactless user feature is available only with the External Identity license, which can restrict the Experience Cloud functionality available to the user. C. A registration handler is needed to correctly assign the External Identity or Community license for the newly registered contactless user. D. Passwordless authentication cannot be supported because the mobile phone receiving the one-time password (OTP) needs to match the number on the contact record

B

Northern Trail Outfitters (NTO) wants to improve its engagement with existing customers to boost customer loyalty. To get a better understanding of its customers, NTO establishes a single customer view including their buying behaviors, channel preferences and purchasing history. All of this information exists but is spread across different systems and formats. NTO has decided to use Salesforce as the platform to build a 360 degree view. The company already uses Microsoft Active Directory (AD) to manage its users and company assets. What should an Identity Architect do to provision, deprovision and authenticate users? A. Salesforce Identity is included in the Salesforce licenses so it does not need to be considered separately B. Salesforce Identity can be included but NTO will require Identity Connect C. Salesforce Identity is not needed since NTO uses Microsoft AD. D. Salesforce Identity can be included but NTO will be required to build a custom integration with Microsoft AD.

B

Northern Trail Outfitters manages application functional permissions centrally as Active Directory groups. The CRM SuperUser and CRM_Reporting SuperUser groups should respectively give the user the Super User and Reporting Super User permission set in Salesforce. Salesforce is the service provider to a Security Assertion Markup Language (SAML) identity provider. How should an identity architect ensure the Active Directory groups are reflected correctly when a user accesses Salesforce? A. Use a login flow to query custom SAML attributes and set permission sets B. Use the Apex Just-in-Time handler to query custom SAML attributes and set permission sets. C. Use a login flow to query standard SAML attributes and set permission sets. D. Use the Apex Just-in-Time handler to query standard SAML attributes and set permission sets.

B

Universal Containers' (UC) identity architect needs to recommend a license type for its new Experience Cloud site that will be used by external partners (delivery providers) for reviewing and updating their accounts, downloading files provided by UC and obtaining scheduled pickup dates from their calendar. UC is using its Salesforce production org as the identity provider for these users, and the expected number of individual users is 2.5 million with 13.5 million unique logins per month. Which of the following license types should be used to meet the requirement? A. Partner Community License B. Customer Community Plus Login License C. External Apps License. D. Partner Community Login License

B

Universal Containers (UC) has built a custom time tracking app for its employees. UC wants to leverage Salesforce Identity to control access to the custom app. At a minimum, which Salesforce license is required to support this requirement? A. Identity Verification B. Identity Only C. Identity Connect D. External Identity

B

Universal Containers (UC) wants its Closed Won Opportunities to be synced to a data warehouse in near real time. UC has implemented Outbound Message to enable near real-time data sync. UC wants to ensure that communication between Salesforce and the target system is secure. What certificate is sent along with the Outbound Message? A. The Self-signed Certificates from the Certificate & Key Management menu. B. The default client Certificate from the Develop-> API menu. C. The default client Certificate or the Certificate and Key Management menu. D. The CA-signed Certificate from the Certificate and Key Management Menu.

B

An administrator created a connected app for a custom web application in Salesforce which needs to be visible as a tile in App Launcher. The tile for the custom web application is missing in the app launcher for all users in Salesforce. The administrator requested assistance from an identity architect to resolve the issue. Which two reasons are the source of the issue? A. Session Policy is set as "High Assurance Session required" for this connected app. B. StartURL for the connected app is not set in Connected App settings. C. The connected app is not set in the App menu as "Visible in App Launcher". D. Auth scope does not include "openid".

B, C

Northern Trail Outfitters (NTO) has an existing custom business-to-consumer (B2C) website that does NOT support single sign-on standards, such as Security Assertion Markup Language (SAML) or OAuth. NTO wants to use Salesforce Identity to register and authenticate new customers on the website. Which two Salesforce features should an identity architect use in order to provide username/password authentication for the website? Choose 2 answers A. Identity Connect B. Embedded Login C. Delegated Authentication D. Connected Apps

B,C

Northern Trail Outfitters (NTO) is planning to implement a community for its customers using Salesforce Experience Cloud. Customers are not able to self-register. NTO would like to have customers set their own passwords when provided access to the community. Which two recommendations should an identity architect make to fulfill this requirement? Choose 2 answers A. Add customers as contacts and add them to the Experience Cloud site B. Allow password reset using the API to update Experience Cloud site membership. C. Use Login Flows to allow users to reset their password in the Experience Cloud site D. Enable Welcome emails while configuring the Experience Cloud site.

B,C

The CMO of an advertising company has invited an Identity and Access Management (IAM) specialist to discuss Salesforce out-of-box capabilities for configuring the company's login and registration experience on Salesforce Experience Cloud. The CMO is looking to brand the login page with the company's logo, background color, login button color, and dynamic right-frame from an external URL. Which two solutions should the IAM specialist recommend? Choose 2 answers A. Build custom pages for branding requirements in Experience Cloud. B. Use Experience Builder to build branded Reset and Forgot Password pages. C. Login & Registration pages can be branded in the Community Administration settings. D. Build custom site pages for reset and forgot password features.

B,C

The CMO of an advertising company has invited an Identity and Access Management (IAM) specialist to discuss Salesforce out-of-box capabilities for configuring the company's login and registration experience on Salesforce Experience Cloud. The CMO is looking to brand the login page with the company's logo, background color, login button color, and dynamic right-frame from an external URL. Which two solutions should the IAM specialist recommend? Choose 2 answers A. Build custom site pages for reset and forgot password features. B. Login & Registration pages can be branded in the Community Administration settings. C. Use Experience Builder to build branded Reset and Forgot Password pages. D. Build custom pages for branding requirements in Experience Cloud.

B,C

Universal Containers (UC) currently uses Salesforce Sales Cloud and an external billing application. Both Salesforce and the billing application are accessed several times a day to manage customers. UC would like to configure single sign-on and leverage Salesforce as the identity provider. Additionally, UC would like the billing application to be accessible from Salesforce. A redirect is acceptable. Which two Salesforce tools should an identity architect recommend to satisfy the requirements? Choose 2 answers A. Connected Apps B. App Launcher C. Salesforce Canvas D. Identity Connect

B,C

Northern Trail Outfitters (NTO) uses a Security Assertion Markup Language (SAML)-based Identity Provider (IdP) to authenticate employees to all systems. The IdP authenticates users against a Lightweight Directory Access Protocol (LDAP) directory and has access to user information. NTO wants to minimize Salesforce license usage since only a small percentage of users need Salesforce. What is recommended to ensure new employees have immediate access to Salesforce using their current IdP? A. Build an integration that queries LDAP and creates new inactive users in Salesforce and use a login flow to activate the user at first login B. Install Salesforce Identity Connect to automatically provision new users in Salesforce the first time they attempt to log in C. Configure Just-in-Time provisioning using SAML attributes to create new Salesforce users as necessary when a new user attempts to log in to Salesforce D. Build an integration that queries LDAP periodically and creates new active users in Salesforce

C

Universal Containers (UC) is considering a Customer 360 initiative to gain a single source of truth for its customer data across disparate systems and services. UC wants to understand the primary benefits of Customer 360 Identity and how it contributes to a successful Customer 360 Truth project. What are two key benefits of Customer 360 Identity as it relates to Customer 360? Choose 2 answers A. Customer 360 Identity automatically integrates with Customer 360 Data Manager and Customer 360 Audiences to seamlessly populate all user data B. Customer 360 Identity supports multiple brands so you can deliver centralized identity services and correlation of user activity, even if it spans multiple corporate brands and user experiences C. Customer 360 Identity enables an organization to build a single login for each of its customers, giving the organization an understanding of the user's login activity across all its digital properties and applications D. Customer 360 Identity not only provides a unified sign up and sign in experience, but also tracks anonymous user activity prior to signing up so organizations can understand user activity before and after the users identify themselves

B,C

Universal Containers is building a web application that will connect with the Salesforce API using the JWT OAuth Flow. Which two settings need to be configured in the connected app to support this requirement? Choose 2 answers A. The "eclair_api" OAuth scope in the connected app. B. The "api" OAuth scope in the connected app. C. The Use Digital Signature option in the connected app. D. The "web" OAuth scope in the connected app.

B,C

Universal Containers would like its customers to register and log in to a portal built on Salesforce Experience Cloud. Customers should be able to use their Facebook or LinkedIn credentials for ease of use. Which three steps should an identity architect take to implement social sign-on? Choose 3 answers A. Enable "Federated Single Sign-On Using SAML". B. Create authentication providers for both Facebook and LinkedIn. C. Update the default registration handlers to create and update users. D. Check "Facebook" and "LinkedIn" under Login Page Setup. E. Register both Facebook and LinkedIn as connected apps.

B,C,D

Northern Trail Outfitters wants to allow its consumers to self-register on its business-to-consumer (B2C) portal that is built on Experience Cloud. The identity architect has recommended using Person Accounts. Which three steps need to be configured to enable self-registration using person accounts? Choose 3 answers A. Contact Salesforce Support to enable business accounts B. Enable access to person and business account record types under Public Access Settings. C. Contact Salesforce Support to enable person accounts. D. Set organization-wide default sharing for Contact to Public Read Only E. Under Login and Registration settings, ensure that the default account field is empty.

B,C,E

A large consumer company is planning to create a community and will require login through the customer's social identity. The following requirements must be met: 1. The customer should be able to log in with any of their social identities; however, Salesforce should only have one user per customer. 2. Once the customer has been identified with a social identity, they should not be required to authorize Salesforce. 3. The customer's personal details from the social sign-on need to be captured when the customer logs into Salesforce using their social identity. 4. If the customer modifies their personal details in the social site, the changes should be updated in Salesforce. Which two options allow the Identity Architect to fulfill the requirements? Choose 2 answers A. Redirect the user to a custom page that allows the user to select an existing social identity for login B. Use the custom registration handler to link social identities to Salesforce identities C. Use Login Flows to call an authentication registration handler to provision the user before logging the user into the community D. Use authentication providers for social sign-on and use the custom registration handler to insert or update personal details

B,D

A client is planning to rollout multi-factor authentication (MFA) to its internal employees and wants to understand which authentication and verification methods meet the Salesforce criteria for secure authentication. Which three functions meet the Salesforce criteria for secure MFA? Choose 3 answers A. Username and password + SMS passcode B. Third-party single sign-on with Mobile Authenticator app C. Certificate-based Authentication D. Lightning Login E. Username and password + security key

B,D,E

A public sector agency is setting up an identity solution for its citizens using a Community built on Experience Cloud and requires the new user registration functionality to capture first name, last name, and phone number. The phone number will be used for identity verification. Which feature should an identity architect recommend to meet the requirements? A. Integrate with social websites (Facebook, LinkedIn, Twitter) B. Create a custom Lightning Web Component C. Use Login Discovery D. Use an external Identity Provider

C

A service provider (SP) supports both Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). When integrating this SP with Salesforce, which use case is the determining factor when choosing OIDC or SAML? A. They are equivalent protocols and there is no real reason to choose one over the other. B. If the user has a session on Salesforce, you do not want them to be prompted for a username and password when they log in to the SP. C. The SP needs to perform API calls back to Salesforce on behalf of the user after the user logs in to the service provider. D. OpenID Connect (OIDC) is more secure than SAML and therefore is the obvious choice.

C

A university is planning to set up an identity solution for its alumni. A third-party identity provider will be used for single sign-on and Salesforce will be the system of record. Users are getting error messages when logging in. Which Salesforce feature should be used to debug the issue? A. Apex Exception Email B. Debug Logs C. Login History D. View Setup Audit Trail

C

An identity architect works for a multinational, multi-brand organization. As they work with the organization to understand its customer Identity and Access Management requirements, the identity architect learns that the brand experience is different for each of the customer's sub-brands, and each of these branded experiences must be carried through the login experience depending on which sub-brand the user is logging into. Which solution should the architect recommend to support scalability and reduce maintenance costs, if the organization has more than 150 sub-brands? A. Create a community subdomain for each sub-brand and customize the look and feel of the Login page for each community subdomain to match the brand. B. Create a separate Salesforce org for each sub-brand so that each sub-brand has complete control over the user experience. C. Assign each sub-brand a unique Experience ID and use the Experience ID to dynamically brand the login experience D. Use Audiences to customize the login experience for each sub-brand and pass an audience ID to the community during the OAuth and Security Assertion Markup Language (SAML) flows

C

An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The following are the requirements for the solution: 1. Users should not have to login every time they use the app. 2. The app should be able to make calls to the Salesforce REST API. 3. End users should NOT see the OAuth approval page. How should the identity architect configure the Salesforce connected app to meet the requirements? A. Enable the API Scope and Offline Access Scope, upload a certificate so JWT Bearer Flow can be used And then set the connected app access settings to "Admin Pre Approved". Enable the Full Access Scope and then set the connected app access settings to "Admin Pre Approved". B. Enable the API Scope and Offline Access Scope on the connected app, and then set the connected C. Enable the API Scope and Offline Access Scope on the connected app, and then set the Connected App access settings to "User may self authorize" D. App to access settings to "Admin Pre-Approved"

C

An identity architect is implementing a mobile-first Consumer Identity and Access Management (CIAM) solution for external users. User authentication is the only requirement. The user's email or mobile phone number should be supported as a username. Which two licenses are needed to meet this requirement? Choose 2 answers A. Email Verification Credits B. Identity Connect Licenses C. External Identity Licenses D. SMS Verification Credits

C

An identity architect is setting up an integration between Salesforce and a third-party system. The third-party system needs to be able to authenticate to Salesforce and then make API calls against the REST API. One of the requirements is that the solution needs to ensure the third-party service provider's connected app in Salesforce minimizes the need for end user interaction and maximizes security. Which OAuth flow should be used to fulfill the requirement? A. User Agent Flow B. Username-Password Flow C. JWT Bearer Flow D. Web Server Flow

C

How should an identity architect automate provisioning and deprovisioning of users into Salesforce from an external system? A. Call SOAP API upsert() on User object B. Use Security Assertion Markup Language Just-in-Time (SAML JIT) on incoming SAML assertions C. Run registration handler on incoming OAuth responses D. Call OpenID Connect (OIDC)-userinfo endpoint with a valid access token

C

How should an identity architect automate provisioning and deprovisioning of users into Salesforce from an external system? A. Call SOAP API upsert() on User object. B. OpenID Connect (OIDC)-userinfo endpoint with a valid access token. C. Run registration handler on incoming OAuth responses. D. Use Security Assertion Markup Language Just-in-Time (SAML JIT) on incoming SAML assertions.

C

Northern Trail Outfitters (NTO) has a number of employees who do NOT need access to Salesforce objects. The employees should sign in to a custom Benefits web app using their Salesforce credentials. Which license should the identity architect recommend to fulfill this requirement? A. Identity Verification Credits Add-On License B. Identity Connect License C. Identity Only License D. External Identity License

C

Northern Trail Outfitters (NTO) is planning to build a new customer service portal and wants to use passwordless login, allowing customers to log in with a one-time passcode sent to them via email or SMS. How should the quantity of required Identity Verification Credits be estimated? A. Identity Verification Credits are consumed with each verification sent and should be estimated based on the number of logins that will incur a verification challenge B. Identity Verification Credits are a direct add-on license based on the number of existing member-based or login-based Community licenses C. Identity Verification Credits are consumed with each SMS (text message) sent and should be estimated based on the number of login verification challenges for SMS verification users D. Each community comes with 10,000 Identity Verification Credits per month and only customers with more than 10,000 logins a month should estimate additional SMS verifications needed

C

Northern Trail Outfitters (NTO) uses Salesforce Experience Cloud sites (previously known as Customer Community) to provide a digital portal where customers can log in using their Google account. NTO would like to automatically create a case record for first-time users logging into Salesforce Experience Cloud. What should an identity architect do to fulfill the requirement? A. Implement a Just-in-Time handler class that has logic to create cases upon first login B. Create an authentication provider for Social Login using Google and leverage the standard registration handler C. Implement a login flow with a record create component for Case D. Configure an authentication provider for Social Login using Google and a custom registration handler

C

Northern Trail Outfitters manages functional group permissions in a custom security application supported by a relational database and a REST service layer. Group permissions are mapped as permission sets in Salesforce. Which action should an identity architect use to ensure functional group permissions are reflected as permission set assignments? A. Use the Apex Just-in-Time (JIT) handler to query the Security Assertion Markup Language (SAML) attributes and set permission sets. B. Use a Login Flow to query SAML attributes and set permission sets. C. Use a Login Flow with invocable Apex to call out to the security application and set permission sets. D. Use the Apex JIT handler to call out to the security application and set permission sets.

C

Universal Containers (UC) has an Experience Cloud site (Customer Community) where customers can authenticate and place orders, view the status of orders, etc. UC allows guest checkout. How can a guest register using data previously collected during order placement? A. Use a Connected App Handler Apex Plugin class to collect only order details to retrieve customer data B. Enable Security Assertion Markup Language Sign-On and use a login flow to collect only order details to retrieve customer data C. Enable self-registration and customize a self-registration page to collect only order details to retrieve customer data. D. Enable Facebook as an authentication provider and use a registration handler to collect only order details to retrieve customer data

C

Universal Containers is using OpenID Connect to enable a connection from their new mobile app to its production Salesforce org. What should be done to enable the retrieval of the access token status for the OpenID Connect connection? A. Create a custom OAuth scope B. Query using OpenID Connect discovery endpoint C. Leverage OpenID Connect Token Introspection D. Enable cross-origin resource sharing (CORS) for the /services/oauth2/token endpoint

C

An identity architect wants to secure Salesforce APIs using Security Assertion Markup Language (SAML). For security purposes, administrators will need to authorize the applications that will be consuming the APIs. Which Salesforce OAuth authorization flow should be used? A. OAuth 2.0 User-Agent Flow B. OAuth 2.0 SAML Bearer Assertion Flow C. OAuth 2.0 JWT Bearer Flow D. SAML Assertion Flow

D

A security architect is rolling out a new multi-factor authentication (MFA) mandate, where all employees must go through a secure authentication process before accessing Salesforce. There are multiple Identity Providers (IdPs) in place and the architect is considering how the "Authentication Method Reference" (AMR) field in the Login History can help. Which two considerations should the architect keep in mind? Choose 2 answers A. Dependency on what is supported by the OpenID Connect (OIDC) implementation at the IdP. B. High-assurance sessions must be configured under Session Security Level Policies. C. The AMR field shows the authentication methods used at the IdP. D. Both OIDC and Security Assertion Markup Language (SAML) are supported, but AMR must be implemented at the IdP.

C,D

Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow. Application users will authenticate using username and password. They should not be forced to approve API access in the mobile app or reauthenticate for 3 months. Which two connected app options need to be configured to fulfill this use case? Choose 2 answers A. Set the Session Timeout value to 3 months B. Set Permitted Users to "Admin approved users are pre-authorized". C. Set Permitted Users to "All users may self-authorize". D. Set the Refresh Token Policy to expire the refresh token after 3 months.

C,D

Northern Trail Outfitters (NTO) has an existing business-to-consumer (B2C) website that does not support single sign-on standards, such as Security Assertion Markup Language (SAML) or OAuth. NTO wants to use Salesforce Identity to register and authenticate new customers on the website. Which three Salesforce features should an Identity architect use in order to provide social sign-in capabilities for the website? Choose 3 answers A. Authentication Providers B. Connected Apps C. Delegated Authentication D. Embedded Login E. Identity Connect

C,D,E

A company's external application is protected by Salesforce through OAuth. The identity architect for the project needs to limit the level of access to the data of the protected resource in a flexible way. What should be done to improve security? A. Define a permission set that grants access to the app and assign to authorized users. B. Select "Admin approved users are pre-authorized" and assign specific profiles. C. Leverage external objects and data classification policies. D. Create custom scopes and assign to the connected app

D

A farming enterprise offers smart farming technology to its farmer customers, which includes a variety of sensors for livestock tracking, pest monitoring, climate monitoring, etc. They plan to store all the data in Salesforce. They would also like to ensure timely maintenance of the installed sensors. They have engaged a Salesforce Architect to propose an appropriate way to generate sensor information in Salesforce. Which OAuth flow should the architect recommend? A. OAuth 2.0 SAML Bearer Assertion Flow B. OAuth 2.0 JWT Bearer Token Flow C. OAuth 2.0 Device Authentication Flow D. OAuth 2.0 Asset Token Flow

D

A financial services company uses Salesforce and has a compliance requirement to track information about devices from which users log in. Also, a Salesforce Security Administrator needs to have the ability to revoke the device from which users log in. What should be used to fulfill this requirement? A. Use multi-factor authentication (MFA) to meet the compliance requirement to track device information. B. Use Login Flows to capture device from which users log in and store device and user information in a custom object. C. Use the Login History object to track information about devices from which users log in. D. Use the Activations feature to meet the compliance requirement to track device information.

D

A technology enterprise is setting up an identity solution with an external vendor's wellness application for its employees. The user attributes need to be returned to the wellness application in an ID token. Which authentication mechanism should an identity architect recommend to meet the requirements? A. JWT Bearer Token Flow B. OpenID Connect C. User Agent Flow D. Web Server Flow

D

Northern Trail Outfitters (NTO) employees use a custom on-premises helpdesk application to request, approve, notify, and track access granted to various on-premises and cloud applications, including Salesforce. Salesforce is currently used to authenticate users. How should NTO provision Salesforce users as soon as they are approved in the helpdesk application with the approved profiles and permission sets? A. Have the helpdesk initiate an IdP-initiated Just-in-Time provisioning Security Assertion Markup Language flow. B. Build an integration that performs a remote call-in to the Salesforce SOAP or REST API. C. Use Salesforce Connect to integrate with the helpdesk application. D. Use a login flow to query the helpdesk to validate user status.

D

Northern Trail Outfitters (NTO) has a requirement to ensure all user logins include a single multi-factor authentication (MFA) prompt. Currently, users are allowed the choice to log in with a username and password or via single sign-on against NTO's corporate Identity Provider, which includes built-in MFA. Which configuration will meet this requirement? A. Create and assign a permission set to all employees that includes "MFA for User Interface Logins." B. Create a custom login flow that enforces MFA and assign it to a permission set. Then assign the permission set to all employees. C. For all employee profiles, set the Session Level Required at Login to High Assurance and add the corporate identity provider to the High Assurance list for the org's Session Security Levels. D. Enable "MFA for User Interface Logins" for your organization from Setup -> Identity Verification.

D

Northern Trail Outfitters (NTO) is launching a new sportswear brand on its existing consumer portal built on Salesforce Experience Cloud. As part of the launch, emails with promotional links will be sent to existing customers to log in and claim a discount. The marketing manager would like the portal dynamically branded so that users will be directed to the brand link they clicked on; otherwise, users will view a recognizable NTO branded page. The campaign is launching quickly, so there is no time to procure any additional licenses. However, the development team is available to apply any required changes to the portal. Which approach should the identity architect recommend? A. Use Heroku to build the new brand site and embedded login to reuse identities. B. Configure an additional community site on the same org that is dedicated for the new brand. C. Create a full sandbox to replicate the portal site and update the branding accordingly. D. Implement Experience ID in the code and extend the URLs and endpoints, as required

D

Northern Trail Outfitters (NTO) is planning to roll out a partner portal for its distributors using Experience Cloud. NTO would like to use an external identity provider (IdP) and for partners to register for access to the portal. Each partner should be allowed to register only once to avoid duplicate accounts with Salesforce. What should an identity architect recommend to create partners? A. Create a custom web page in the Portal and create users in the IdP and Experience Cloud using published APIs. B. Allow partners to register through the IdP and create partner users in Salesforce through an API. C. On successful creation of Partners using the Self Registration page in Experience Cloud, create the identity in Ping. D. Create a custom page in Experience Cloud to self-register the partner with Experience Cloud and the Ping identity store.

D

Northern Trail Outfitters recently acquired a company. Each company will retain its Identity Provider (IdP). Both companies rely extensively on Salesforce processes that send emails to users to take specific actions in Salesforce. How should the combined company's employees collaborate in a single Salesforce org, yet authenticate to the appropriate IdP? A. Have generated links be prefixed with the appropriate IdP URL to invoke an IdP-initiated Security Assertion Markup Language flow when clicked. B. Have generated links append a query string parameter indicating the IdP. The login service will redirect to the appropriate IdP. C. Configure unique My Domains for each company and have generated links use the appropriate My Domain in the URL. D. Enable each IdP as a login option in the My Domain Authentication Service settings. Users will then click on the appropriate IdP button.

D

Northern Trail Outfitters would like to automatically create new employee users in Salesforce with an appropriate profile that maps to its Active Directory Department. How should an identity architect implement this requirement? A. Make a callout during the login flow to query department from Active Directory to assign the appropriate profile. B. Use a login flow to collect Security Assertion Markup Language attributes and assign the appropriate profile during Just-in-Time (JIT) provisioning. C. Use the createUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile. D. Use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.

D

Universal Containers (UC) is rolling out its new Customer Identity and Access Management solution built on top of its existing Salesforce instance. UC wants to allow customers to log in using Facebook, Google, and other social sign-on providers. How should this functionality be enabled for UC, assuming all social sign-on providers support OpenID Connect? A. Configure an authentication provider and a Just-In-Time (JIT) handler for each social sign-on provider B. Configure a single sign-on setting and a JIT handler for each social sign-on provider C. Configure a single sign-on setting and a registration handler for each social sign-on provider. D. Configure an authentication provider and a registration handler for each social sign-on provider

D

Universal Containers (UC) operates in the Asia, Europe and North America regions. There is one Salesforce org for each region. UC is implementing Customer 360 in Salesforce and has procured External Identity and Customer Community licenses in all orgs. Customers of UC use Community to track orders and create inquiries. Customers also tend to move across regions frequently. What should an identity architect recommend to optimize license usage and reduce maintenance overhead? A. Enable Contactless User in all orgs and downgrade users from the Experience Cloud license to the External Identity license once users have moved out of that region. B. Merge the three orgs into one instance of Salesforce. This will no longer require maintaining three separate copies of the same customer. C. Delete contact/account records and deactivate the user if the user moves from a specific region. D. Contacts are required since Community access needs to be enabled. Maintenance is a necessary overhead that must be handled via data integration.

D

Universal Containers (UC) wants to provide single sign-on (SSO) for a business-to-consumer (B2C) application using Salesforce Identity. Which Salesforce license should UC utilize to implement this use case? A. Identity Only B. Partner Community C. Salesforce Platform D. External Identity

D

Universal Containers wants to secure its Salesforce APIs by using an existing Security Assertion Markup Language (SAML) configuration that supports the company's single sign-on process to Salesforce. Which Salesforce OAuth authorization flow should be used? A. OAuth 2.0 User-Agent Flow B. SAML Assertion Flow C. OAuth 2.0 JWT Bearer Flow D. OAuth 2.0 SAML Bearer Assertion Flow

D

When designing a multi-branded Customer Identity and Access Management solution on the Salesforce Platform, how should an identity architect ensure a specific brand experience in Salesforce is presented? A. Add a custom parameter to the service provider's OAuth/SAML call and implement logic on its login page to apply branding based on the parameter's value. B. The Audience ID, which can be set in a shared cookie. C. Provide a brand picker that the end user can use to select its sub-brand when they arrive on Salesforce. D. The Experience ID, which can be included in OAuth/OpenID flows and Security Assertion Markup Language (SAML) flows as a URL parameter.

D
