
idam0

Test Title:
idam0

Description:
lethal company

Creation Date: 2023/12/19

Category: Other

Number of Questions: 65

Syllabus:

Universal Containers (UC) has a Customer Community that uses Facebook for Authentication. UC would like to ensure that changes in the Facebook profile are reflected on the appropriate Customer Community user. How can this requirement be met?
- Use information in the Signed Request that is received from Facebook.
- Use SAML Just-In-Time Provisioning between Facebook and Salesforce.
- Develop a scheduled job that calls out to Facebook on a nightly basis.
- Use the updateUser() method on the Registration Handler class.

Universal Containers has built a custom token-based Two-Factor Authentication system for their existing on premise applications. They are now implementing Salesforce and would like to enable a Two-Factor login process for it, as well. What is the recommended solution an Architect should consider?
- Replace the custom 2FA system with Salesforce 2FA for on premise applications and Salesforce.
- Use the custom 2FA system for on premise applications and native 2FA for Salesforce.
- Use Custom Login Flows to connect to the existing custom 2FA system for use in Salesforce.
- Replace the custom 2FA system with an AppExchange App that supports on premise applications and Salesforce.

A global company's Salesforce Identity Architect is reviewing its Salesforce production org login history and is seeing some intermittent Security Assertion Markup Language (SAML SSO) 'Replay Detected and Assertion Invalid' login errors. Which two issues would cause these errors? Choose 2 answers.
- The certificate loaded into SSO configuration does not match the certificate used by the IdP.
- The assertion sent to Salesforce contains an assertion ID previously used.
- The subject element is missing from the assertion sent to Salesforce.
- The current time setting of the company's identity provider (IdP) and Salesforce platform is out of sync by more than eight minutes.

Universal Containers (UC) has a desktop application to collect leads for marketing campaigns. UC wants to extend this application to integrate with Salesforce to create leads. Integration between the desktop application and Salesforce should be seamless. What Authorization flow should the Architect recommend?
- Web Server Authentication Flow.
- JWT Bearer Token Flow.
- User Agent Flow.
- Username and Password Flow.

Universal Containers (UC) is looking to purchase a third-party application as an Identity Provider. UC is looking to develop a business case for the purchase in general and has enlisted an Architect for advice. Which two capabilities of an Identity Provider should the Architect detail to help strengthen the business case? Choose 2 answers.
- The Identity Provider can store credentials for multiple applications.
- The Identity Provider can centralize enterprise password policy.
- The Identity Provider can authenticate multiple social media accounts.
- The Identity Provider can authenticate multiple applications.

How should an Architect force users to authenticate with Two-factor Authentication (2FA) for Salesforce only when NOT connected to an internal company network?
- Use an Apex Trigger on the UserLogin Object to detect the user's IP address and prompt for 2FA if needed.
- Use Custom Login Flows with Apex to detect the user's IP address and prompt for 2FA if needed.
- Apply the "Two-Factor Authentication for User Interface Logins" permission and Login IP Ranges for all Profiles.
- Add the company's list of network IP addresses to the Login Range list under 2FA Setup.

Universal Containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a Connected App in Salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two solutions should be recommended? Choose 2 answers.
- Set Login IP Ranges to the internal network for all of the app users' Profiles.
- Require High Assurance sessions in order to use the Connected App.
- Disallow the use of Single Sign-on for any users of the mobile app.
- Use Google Authenticator as an additional part of the login process.

A web service is developed that allows secure access to customer order status on the Salesforce Platform. The service connects to Salesforce through a connected app with the web server flow. The following are the required actions for the authorization flow:
1. User Authenticates and Authorizes Access
2. Request an Access Token
3. Salesforce Grants an Access Token
4. Request an Authorization Code
5. Salesforce Grants Authorization Code

What is the correct sequence for the authorization flow?
- 2, 1, 3, 4, 5.
- 4, 5, 2, 3, 1.
- 1, 4, 5, 2, 3.
- 4, 1, 5, 2, 3.

Northern Trail Outfitters (NTO) uses the Customer 360 Platform implemented on Salesforce Experience Cloud. The development team in charge has learned of a contactless user feature, which can reduce the overhead of managing customers and partners by creating users without contact information. What is the potential impact to the architecture if NTO decides to implement this feature?
- Passwordless authentication cannot be supported because the mobile phone receiving one-time password (OTP) needs to match the number on the contact record.
- If contactless user is upgraded to Community license, the contact record is automatically created and linked to the user record, but not associated with an Account.
- Contactless user feature is available only with the External Identity license, which can restrict the Experience Cloud functionality available to the user.
- Custom registration handler is needed to correctly assign External Identity or Community license for the newly registered contactless user.

The security team at Universal Containers has identified exporting reports as a high-risk action and would like to require users to be logged into Salesforce with their Active Directory (AD) credentials when doing so. For all other uses of Salesforce, users should be allowed to use AD credentials or Salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with Salesforce credentials?
- Use SAML Federated Authentication and Custom SAML JIT provisioning to dynamically add or remove Permission Set that grants the Export Reports permission.
- Use SAML Federated Authentication and block access to reports when accessed through a Standard Assurance session.
- Use SAML Federated Authentication, treat SAML Sessions High Assurance, and raise the session level required for exporting reports.
- Use SAML Federated Authentication with a Login Flow to dynamically add or remove a Permission Set that grants the Export Reports permission.

Universal Containers (UC) uses Global Shipping (GS) as one of their shipping vendors. Regional leads of GS need access to UC's Salesforce instance for reporting damage of goods using Cases. The regional leads also need access to dashboards to keep track of regional shipping KPIs. UC internally uses a third-party cloud analytics tool for capacity planning and UC has decided to provide access to this tool to a subset of GS employees. In addition to regional leads, the GS capacity planning team would benefit from access to this tool. To access the analytics tool, UC IT has set up Salesforce as the Identity provider for internal users and would like to follow the same approach for the GS users as well. What are the most appropriate license types for GS Regional Leads and the GS Capacity Planners? Choose 2 Answers.
- Identity license for GS Regional Leads and External Identity license for GS Capacity Planners.
- Customer Community Plus license for GS Regional Leads and External Identity license for GS Capacity Planners.
- Customer Community license for GS Regional Leads and Identity license for GS Capacity Planners.
- Customer Community Plus license for GS Regional Leads and Customer Community license for GS Capacity Planners.

Universal Containers (UC) has implemented SAML-based Single Sign-on for their Salesforce application. UC is using PingFederate as the Identity Provider. To access Salesforce, users usually navigate to a bookmarked link to My Domain URL. What type of Single Sign-on flow is this?
- Web Server Flow.
- IdP-Initiated with Deep Linking.
- SP-Initiated.
- IdP-Initiated.

Universal Containers (UC) has Active Directory (AD) as their enterprise identity store and would like to use it for Salesforce user authentication. UC expects to synchronize user data between Salesforce and AD and assign the appropriate Profile and Permission Sets based on AD group membership. What would be the recommended way to implement SSO?
- Use Active Directory with Reverse Proxy as the Identity Provider.
- Use Salesforce Identity Connect as the Identity Provider.
- Use Active Directory Federation Service (ADFS) as the Identity provider.
- Use Microsoft Access Control Service as the Authentication Provider.

Universal Containers has an existing Salesforce org configured for SP-initiated SAML SSO with their internal IdP. A second Salesforce org is being introduced into the environment and the IT team would like to ensure they can use the same IdP for the new org. What action should the IT team take while implementing the second org?
- Use the same SAML Identity Location as the first org.
- Use the same request bindings as the first org.
- Use a different Entity ID than the first org.
- Use the Salesforce Username as the SAML Identity Type.

Universal Containers (UC) has implemented SAML SSO to enable seamless access across multiple applications. UC has regional Salesforce orgs and wants its users to be able to access them from their main Salesforce org seamlessly. What action should the Architect recommend?
- Configure the regional Salesforce orgs as Identity Providers.
- Configure the main Salesforce org as the Identity Provider.
- Configure the main Salesforce Org as a Service provider.
- Configure the main Salesforce org as an Authentication Provider.

Universal Containers (UC) would like to enable self-registration for their Salesforce Partner Community users. UC wants to capture some custom data elements from the partner user, and based on these data elements, wants to assign the appropriate Profile and Account values. Which two actions should the Architect recommend to UC? Choose 2 answers.
- Configure Registration for Communities to use a custom Visualforce Page.
- Modify the SelfRegistration trigger to assign Profile and Account.
- Modify the CommunitiesSelfRegController to assign the Profile and Account.
- Configure Registration for Communities to use a custom Apex Controller.

Universal Containers is setting up their Customer Community self-registration process. They are uncomfortable with the idea of assigning new users to a default Account record. What will happen when customers self-register in the Community?
- The self-registration process will create a Person Account record.
- The self-registration page will create a new Account record.
- The self-registration page will ask users to select an Account.
- The self-registration process will produce an error to the user.

An Architect has configured a SAML-based SSO integration between Salesforce and an external Identity Provider and is ready to test it. When the Architect attempts to log in to Salesforce using SSO, the Architect receives a SAML error. Which two recommended actions should the Architect take to troubleshoot the issue? Choose 2 answers.
- Use the browser's development tools to view the Salesforce page's markup.
- Use a browser that has an add-on/extension that can inspect SAML.
- Ensure the Callback URL is correctly set in the Connected Apps settings.
- Paste the SAML assertion into the SAML Assertion Validator in Salesforce.

An Architect is troubleshooting SAML-based SSO errors during testing. The Architect confirmed that all of the Salesforce SSO settings are correct. Which two issues outside of the Salesforce SSO settings are most likely contributing to the SSO errors the Architect is encountering? Choose 2 answers.
- The Issuer Certificate from the Identity Provider expired two weeks ago.
- The Identity Provider is also used to SSO into five other applications.
- The default language for the Identity Provider and Salesforce are different.
- The clock on the Identity Provider server is twenty minutes behind Salesforce.

Universal Containers wants to implement Single Sign-on for a Salesforce org using an external Identity Provider and corporate identity store. What type of authentication flow is required to support deep linking?
- Web Server OAuth SSO flow.
- Service-Provider-initiated SSO.
- Identity-Provider-initiated SSO.
- StartURL on Identity Provider.

A company's external application is protected by Salesforce through OAuth. The identity architect for the project needs to limit the level of access to the data of the protected resource in a flexible way. What should be done to improve security?
- Create custom scopes and assign to the connected app.
- Define a permission set that grants access to the app and assign to authorized users.
- Select "Admin approved users are pre-authorized" and assign specific profiles.
- Leverage external objects and data classification policies.

Universal Containers (UC) is planning to add Wi-Fi enabled GPS tracking devices to its shipping containers so that the GPS coordinates data can be sent from the tracking device to its Salesforce production org via a custom API. The GPS devices have no direct user input or output capabilities. Which OAuth flow should the identity architect recommend to meet the requirement?
- OAuth 2.0 Asset Token Flow for Securing Connected Devices.
- OAuth 2.0 Web Server Flow for Web App Integration.
- OAuth 2.0 JWT Bearer Flow for Server-to-server Integration.
- OAuth 2.0 Username-Password Flow for Special Scenarios.

Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Access Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee recently was able to log in to NTO's Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory. What should an identity architect recommend to prevent this from happening in the future?
- Configure an authentication provider to delegate authentication to the LDAP directory.
- Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP.
- Set up an identity provider (IdP) to authenticate users using LDAP, set up single sign-on to Salesforce and disable Login Form authentication.
- Use a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce.

Northern Trail Outfitters (NTO) is planning to implement a community for its customers using Salesforce Experience Cloud. Customers are not able to self-register. NTO would like to have customers set their own passwords when provided access to the community. Which two recommendations should an identity architect make to fulfill this requirement? Choose 2 answers.
- Use Login Flows to allow users to reset password in Experience Cloud site.
- Enable Welcome emails while configuring the Experience Cloud site.
- Add customers as contacts and add them to Experience Cloud site.
- Allow Password reset using the API to update Experience Cloud site membership.

Universal Containers is creating a web application that will be secured by Salesforce Identity using the OAuth 2.0 Web Server Flow (this flow uses the OAuth 2.0 authorization code grant type). Which three OAuth concepts apply to this flow? Choose 3 answers.
- Scopes.
- Authentication Token.
- Verification URL.
- Client Secret.
- Access Token.

Northern Trail Outfitters (NTO) employees use a custom on-premise helpdesk application to request, approve, notify, and track access granted to various on-premises and cloud applications, including Salesforce. Salesforce is currently used to authenticate users. How should NTO provision Salesforce users as soon as they are approved in the helpdesk application with the approved profiles and permission sets?
- Have the helpdesk initiate an IdP-initiated Just-in-Time provisioning Security Assertion Markup Language flow.
- Use a login flow to query the helpdesk to validate user status.
- Use Salesforce Connect to integrate with the helpdesk application.
- Build an integration that performs a remote call-in to the Salesforce SOAP or REST API.

A company with 15,000 employees is using Salesforce and would like to take the necessary steps to highlight or curb fraudulent activity. Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours?
- Login Report.
- Login Inspector.
- Login Forensics.
- Login History.

Universal Containers (UC) has built a custom time tracking app for its employees. UC wants to leverage Salesforce Identity to control access to the custom app. At a minimum, which Salesforce license is required to support this requirement?
- Identity Connect.
- Identity Verification.
- Identity Only.
- External Identity.

Universal Containers is implementing a new Experience Cloud site and the identity architect wants to use dynamic branding features as part of the login process. Which two options should the identity architect recommend to support dynamic branding for the site? Choose 2 answers.
- To use dynamic branding, the community must be built with the Visualforce + Salesforce Tabs template.
- An experience ID (expid) or placeholder parameter must be used in the URL to represent the brand.
- An external content management system (CMS) must be used for dynamic branding on Experience Cloud sites.
- To use dynamic branding, the community must be built with the Customer Account Portal template.

An Identity and Access Management (IAM) Architect is recommending Identity Connect to integrate Microsoft Active Directory (AD) with Salesforce for user provisioning, deprovisioning and single sign-on (SSO). Which feature of Identity Connect is applicable for this scenario?
- When Identity Connect is in place, if a user is deprovisioned in an on-premise AD, the user's Salesforce session is revoked immediately.
- If the number of provisioned users exceeds Salesforce licence allowances, Identity Connect will start disabling the existing Salesforce users in First-in, First-out (FIFO) fashion.
- Identity Connect can be deployed as a managed package on Salesforce org, leveraging High Availability of Salesforce Platform out-of-the-box.
- When configured, Identity Connect acts as an identity provider to both Active Directory and Salesforce, thus providing SSO as a default feature.

Universal Containers (UC) employees have Salesforce access from restricted IP ranges only, to protect against unauthorized access. UC wants to roll out the Salesforce mobile app and make it accessible from any location. Which two options should an Architect recommend? Choose 2 answers.
- Use Login Flow to bypass IP range restriction for the mobile app.
- Remove existing restrictions on IP ranges for all types of user access.
- Relax the IP restriction in the Connected App settings for the Salesforce mobile app.
- Relax the IP restriction with a second factor in the Connected App settings for Salesforce mobile app.

Universal Containers built a custom mobile app for their field reps to create orders in Salesforce. OAuth is used for authenticating mobile users. The app is built in such a way that when a user session expires after initial login, a new access token is obtained automatically without forcing the user to log in again. While that improved the field reps' productivity, UC realized that they need a "logout" feature. What should the logout function perform in this scenario, where user sessions are refreshed automatically?
- Invoke the revocation URL and pass the refresh token.
- Clear out the client Id to stop auto session refresh.
- Invoke the revocation URL and pass the access token.
- Clear out all the tokens to stop auto session refresh.

Northern Trail Outfitters (NTO) wants to improve its engagement with existing customers to boost customer loyalty. To get a better understanding of its customers, NTO establishes a single customer view including their buying behaviors, channel preferences and purchasing history. All of this information exists but is spread across different systems and formats. NTO has decided to use Salesforce as the platform to build a 360 degree view. The company already uses Microsoft Active Directory (AD) to manage its users and company assets. What should an Identity Architect do to provision, deprovision and authenticate users?
- Salesforce Identity is not needed since NTO uses Microsoft AD.
- Salesforce Identity can be included but NTO will be required to build a custom integration with Microsoft AD.
- Salesforce Identity is included in the Salesforce licenses so it does not need to be considered separately.
- Salesforce Identity can be included but NTO will require Identity Connect.

Universal Containers (UC) is building a custom employee hub application on Amazon Web Services (AWS) and would like to store their users' credentials there. Users will also need access to Salesforce for internal operations. UC has tasked an identity architect with evaluating different solutions for authentication and authorization between AWS and Salesforce. How should an identity architect configure AWS to authenticate and authorize Salesforce users?
- Create a custom external authentication provider.
- Configure the custom employee app as a connected app.
- Develop a custom Auth server in AWS.
- Configure AWS as an OpenID Connect Provider.

How should an identity architect automate provisioning and deprovisioning of users into Salesforce from an external system?
- Use Security Assertion Markup Language Just-in-Time (SAML JIT) on incoming SAML assertions.
- Run registration handler on incoming OAuth responses.
- Call SOAP API upsert() on User object.
- Call OpenID Connect (OIDC)-userinfo endpoint with a valid access token.

What information does the 'RelayState' parameter contain in SP-Initiated Single Sign-on?
- Reference to the login address URL of the Identity Provider.
- Reference to a URL redirect parameter at the Service provider.
- Reference to a URL redirect parameter at the Identity Provider.
- Reference to the login URL of the Service Provider.

A group of users try to access one of Universal Containers' Connected Apps and receive the following error message: "Failed: Not approved for access." What is the probable cause of this issue?
- The Salesforce Administrators have revoked the OAuth authorization.
- The use of High Assurance sessions is required for the Connected App.
- The users do NOT have the correct permission set assigned to them.
- The Connected App setting "All users may self-authorize" is enabled.

Universal Containers wants to build a custom mobile app for their field reps to create orders in Salesforce. After the first time the users log in, they must be able to access Salesforce upon opening the mobile app without being prompted to log in again. What OAuth flow should be considered to support this requirement?
- Web Server flow with a Refresh Token.
- Mobile Agent flow with a Bearer Token.
- SAML Assertion flow with a Bearer Token.
- User Agent flow with a Refresh Token.

Universal Containers wants to build a few applications that leverage the Salesforce REST API. UC has asked its Architect to describe how the API calls will be authenticated to a specific user. Which two mechanisms can the Architect provide? Choose 2 answers.
- Session ID.
- Access Token.
- Authentication Token.
- Refresh Token.

Universal Containers (UC) has a mobile application for its employees that uses data from Salesforce as well as uses Salesforce for authentication purposes. UC wants its mobile users to only enter their credentials the first time they run the app. The application has been live for a little over 6 months, and all of the users who were part of the initial launch are complaining that they have to re-authenticate. UC has also recently changed the URI Scheme associated with the mobile app. What should the Architect at UC first investigate?
- Check the Refresh Token Policy defined in the Salesforce Connected App.
- Validate that the users are checking the box to remember their passwords.
- Verify that the Callback URL is correctly pointing to the new URI Scheme.
- Confirm that the Access Token's Time-To-Live policy has been set appropriately.

Universal Containers (UC) uses a home-grown Employee portal for their employees to collaborate. UC decides to use Salesforce Ideas to allow employees to post ideas from the Employee portal. When users click on some of the links in the Employee portal, the users should be redirected to Salesforce, authenticated, and presented with the relevant pages. What OAuth flow is best suited for this scenario?
- Web Application flow.
- Web Server flow.
- User-Agent flow.
- SAML Bearer Assertion flow.

Universal Containers (UC) would like to enable SSO between their existing Active Directory infrastructure and Salesforce. The IT team prefers to manage all users in Active Directory and would like to avoid doing any initial setup of users in Salesforce directly, including the correct assignment of profiles, roles, and groups. Which two recommended solutions should UC use to provision users in Salesforce? Choose 2 answers.
- Use Identity Connect to sync users from Active Directory to Salesforce.
- Use Active Directory Federation Services to sync users from Active Directory to Salesforce.
- Use an AppExchange product to sync users from Active Directory to Salesforce.
- Use the Salesforce REST API to sync users from Active Directory to Salesforce.

IT Security at Universal Containers is concerned about recent phishing scams targeting its users and wants to add additional layers of login protection. What should an Architect recommend to address the issue?
- Increase password complexity requirements in Salesforce.
- Implement Single Sign-on using corporate Identity store.
- Lock sessions to the IP address from which they originated.
- Use the Salesforce Authenticator mobile app with two-step verification.

Universal Containers (UC) has a strict requirement to authenticate users to Salesforce using their mainframe credentials. The mainframe user store cannot be accessed from a SAML provider. UC would also like to have users in Salesforce created on the fly if they provide accurate mainframe credentials. How can the Architect meet these requirements?
- Use a Salesforce Login Flow to call out to a web service and create the user on the fly.
- Use the SOAP API to create the user when created on the mainframe; implement Delegated Authentication.
- Implement Just-In-Time Provisioning on the mainframe to create the user on the fly.
- Implement OAuth User-Agent Flow on the mainframe; use a Registration Handler to create the user on the fly.

In an SP-initiated SAML SSO setup where the user tries to access a resource on the Service Provider, what HTTP param should be used when submitting a SAML Request to the IdP to ensure the user is returned to the intended resource after authentication?
- RedirectURL.
- RelayState.
- StartURL.
- DisplayState.

Universal Containers (UC) is building an authenticated Customer Community for its customers. UC does not want customer credentials stored in Salesforce and is confident its customers would be willing to use their social media credentials to authenticate to the Community. Which two actions should an Architect recommend UC to take? Choose 2 answers.
- Configure SSO settings for Facebook to serve as a SAML Identity Provider.
- Create a custom Apex Registration Handler to handle new and existing users.
- Configure an Authentication Provider for LinkedIn social media accounts.
- Use Delegated Authentication to call the Twitter login API to authenticate users.

Universal Containers (UC) uses middleware to integrate multiple systems with Salesforce. UC has a strict, new requirement that usernames and passwords cannot be stored in any UC system. How can UC's middleware authenticate to Salesforce while adhering to this requirement?
- Create a Connected App that supports the Refresh Token OAuth Flow.
- Create a Connected App that supports the Web Server OAuth Flow.
- Create a Connected App that supports the JWT Bearer Token OAuth Flow.
- Create a Connected App that supports the User-Agent OAuth Flow.

An Architect needs to set up a Facebook Authentication provider as a login option for a Salesforce Customer Community. What portion of the authentication provider setup associates a Facebook user with a Salesforce user?
- User Info Endpoint URL.
- Federation ID.
- Apex Registration Handler.
- Consumer Key and Consumer Secret.

Universal Containers (UC) uses a legacy Employee portal for employees to collaborate and post ideas. UC decides to use Salesforce Ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to push ideas posted on the Employee portal to Salesforce through API. UC decides to use an API user using OAuth Username-Password flow for the connection. How can the connection to Salesforce be restricted only to the Employee portal server?
- Add the Employee portal's IP address to the Login IP range on the user profile.
- Use a dedicated profile for the user the Employee portal uses.
- Use a digital certificate signed by the Employee portal server.
- Add the Employee portal's IP address to the Trusted IP range for the Connected App.

Universal Containers (UC) has implemented SAML-based Single Sign-On to provide seamless access to its Salesforce Orgs, financial system, and CPQ system. Below is the SSO implementation landscape.

PingFederate |-> Salesforce Org 1 |-> Financial System |-> Salesforce Org 2 |-> CPQ System

What role combination is represented by the systems in this scenario?
- Financial System and CPQ System are the only Service Providers.
- Salesforce Org1 and Salesforce Org2 are the only Service Providers.
- Salesforce Org1 and Salesforce Org2 are acting as Identity Providers.
- Salesforce Org1 and PingFederate are acting as Identity Providers.

Which two considerations should be made when implementing Delegated Authentication? Choose 2 answers.
- The authentication web service can include custom attributes.
- It can be used to authenticate API clients and mobile apps.
- It requires trusted IP ranges at the User Profile level.
- Salesforce servers receive but do not validate a user's credentials.
- Just-in-time Provisioning can be configured for new users.

Universal Containers (UC) has implemented a multi-org architecture in their company. Many users have licenses across multiple orgs, and they are complaining about remembering which org and credentials are tied to which business process. Which two recommendations should the Architect make to address the complaints? Choose 2 answers.
- Implement Delegated Authentication from each org to the LDAP provider.
- Activate My Domain to brand each org to the specific business use case.
- Implement IdP-Initiated Single Sign-on flows to allow deep linking.
- Implement SP-Initiated Single Sign-on flows to allow deep linking.

Universal Containers (UC) uses an internal system for recruiting and would like to have the candidates' info available in Salesforce automatically when they are selected. UC decides to use OAuth to connect to Salesforce from the recruiting system and would like to do the authentication using digital certificates. Which two OAuth flows should be considered to meet the requirement? Choose 2 answers.
- SAML Bearer Assertion flow.
- JWT Bearer Token flow.
- Refresh Token flow.
- Web Server flow.

Universal Containers (UC) would like its community users to be able to register and log in with LinkedIn or Facebook Credentials. UC wants users to clearly see Facebook and LinkedIn icons when they register and log in. Which two recommended actions can UC take to achieve this functionality? Choose 2 answers. Create custom Registration Handlers to link LinkedIn and Facebook accounts to user records. Store the LinkedIn or Facebook user IDs in the Federation ID field on the Salesforce user record. Enable Facebook and LinkedIn as Login options in the Login section of the Community configuration. Create custom buttons for Facebook and LinkedIn using JavaScript/CSS on a custom Visualforce page.

Universal Containers' (UC) identity architect needs to recommend a license type for their new Experience Cloud site that will be used by external partners (delivery providers) for reviewing and updating their accounts, downloading files provided by UC and obtaining scheduled pickup dates from their calendar. UC is using their Salesforce production org as the identity provider for these users and the expected number of individual users is 2.5 million with 13.5 million unique logins per month. Which of the following license types should be used to meet the requirement? Partner Community License. External Apps License. Partner Community Login License. Customer Community plus Login License.

Universal Containers (UC) wants to provide single sign-on (SSO) for a business-to-consumer (B2C) application using Salesforce Identity. Which Salesforce license should UC utilize to implement this use case? Salesforce Platform. External Identity. Identity Only. Partner Community.

Northern Trail Outfitters (NTO) uses Salesforce for Sales Opportunity Management. Okta was recently brought in to Just-in-Time (JIT) provision and authenticate NTO users to applications. Salesforce users also use Okta to authorize a Forecasting web application to access Salesforce records on their behalf. Which two roles are being performed by Salesforce? Choose 2 answers. OAuth Resource Server. OAuth Client. SAML Service Provider. SAML Identity Provider.

A university is planning to set up an identity solution for its alumni. A third-party identity provider will be used for single sign-on and Salesforce will be the system of records. Users are getting error messages when logging in. Which Salesforce feature should be used to debug the issue? View Setup Audit Trail. Login History. Apex Exception Email. Debug Logs.

Universal Containers (UC) operates in Asia, Europe and North America regions. There is one Salesforce org for each region. UC is implementing Customer 360 in Salesforce and has procured External Identity and Customer Community licenses in all orgs. Customers of UC use Community to track orders and create inquiries. Customers also tend to move across regions frequently. What should an identity architect recommend to optimize license usage and reduce maintenance overhead? Merge three orgs into one instance of Salesforce. This will no longer require maintaining three separate copies of the same customer. Enable Contactless user in all orgs and downgrade users from Experience Cloud license to External Identity license once users have moved out of that region. Contacts are required since Community access needs to be enabled. Maintenance is a necessary overhead that must be handled via data integration. Delete contact/account records and deactivate user if user moves from a specific region; Sync will no longer be required.

Universal Containers would like its customers to register and log in to a portal built on Salesforce Experience Cloud. Customers should be able to use their Facebook or LinkedIn credentials for ease of use. Which three steps should an identity architect take to implement social sign-on? Choose 3 answers. Register both Facebook and LinkedIn as connected apps. Enable "Federated Single Sign-On using SAML". Create authentication providers for both Facebook and LinkedIn. Check "Facebook" and "LinkedIn" under Login Page Setup. Update the default registration handlers to create and update users.

Northern Trail Outfitters would like to use a portal built on Salesforce Experience Cloud for customer self-service. Guests of the portal should be able to self-register, but be unable to automatically be assigned to a contact record until verified. External Identity licenses have been purchased for the project. After registered guests complete an onboarding process, a flow will create the appropriate account and contact records for the user. Which three steps should an identity architect follow to implement the outlined requirements? Choose 3 answers. Select the "Configurable Self-Reg Page" option under Login & Registration. Set up an external login page and call Salesforce APIs for user creation. Enable "Allow customers and partners to self-register". Customize the self-registration Apex handler to temporarily associate the user to a shared single contact record. Customize the self-registration Apex handler to create only the user record.

When designing a multi-branded Customer Identity and Access Management solution on the Salesforce Platform, how should an identity architect ensure a specific brand experience in Salesforce is presented? The Experience ID, which can be included in OAuth/OpenID flows and Security Assertion Markup Language (SAML) flows as a URL parameter. The Audience ID, which can be set in a shared cookie. Add a custom parameter to the service provider's OAuth/SAML call and implement logic on its login page to apply branding based on the parameter's value. Provide a brand picker that the end user can use to select its sub-brand when they arrive on Salesforce.

Northern Trail Outfitters wants to allow its consumers to self-register on its business-to-consumer (B2C) portal that is built on Experience Cloud. The identity architect has recommended using Person Accounts. Which three steps need to be configured to enable self-registration using person accounts? Choose 3 answers. Under Login and Registration settings, ensure that the default account field is empty. Enable access to person and business account record types under Public Access Settings. Contact Salesforce Support to enable person accounts. Contact Salesforce Support to enable business accounts. Set organization-wide default sharing for Contact to Public Read Only.

An Enterprise is using a Lightweight Directory Access Protocol (LDAP) server as the only point for user authentication with a username/password. Salesforce delegated authentication is configured to integrate Salesforce under single sign-on (SSO). How can end users change their password? Users can request the Salesforce Admin to reset their password. Users, once logged in, can go to the Change Password screen in Salesforce. Users can change it on the enterprise LDAP authentication portal. Users can click on the "Forgot your Password" link on the Salesforce.com login page.

A multinational industrial products manufacturer is planning to implement Salesforce CRM to manage their business. They have the following requirements: 1. They plan to implement Partner communities to provide access to their partner network. 2. They have operations in multiple countries and are planning to implement multiple Salesforce orgs. 3. Some of their partners do business in multiple countries and will need information from multiple Salesforce communities. 4. They would like to provide a single login for their partners. How should an Identity Architect solve this requirement with limited custom development? Register partners in one org and access information from other orgs using APIs. Allow partners to choose the Salesforce org they need information from and use login flows to authenticate access. Consolidate Partner-related information in a single org and provide access through Salesforce community. Create a partner login for the country of their operation and use SAML federation to provide access to other orgs.
