idam1
Test title: idam1. Description: superleague
Universal Containers wants users to be able to log in to the Salesforce mobile app with their Active Directory password. Employees are unable to use a mobile VPN. Which two options should an identity architect recommend to meet the requirement? Choose 2 answers.
- Active Directory Password Sync Plugin.
- Configure Cloud Provider Load Balancer.
- Salesforce Identity Connect.
- Salesforce Trigger & Field on Contact Object.

Northern Trail Outfitters (NTO) utilizes a third-party cloud solution for an employee portal. NTO also owns Salesforce Service Cloud and would like employees to be able to log in to Salesforce with their third-party portal credentials for a seamless experience. The third-party employee portal only supports OAuth. What should an identity architect recommend to enable single sign-on (SSO) between the portal and Salesforce?
- Create a custom external authentication provider.
- Add the third-party portal as a connected app.
- Configure SSO to use the third-party portal as an identity provider.
- Configure Salesforce for Delegated Authentication.

An organization has a central cloud-based Identity and Access Management (IAM) Service for authentication and user management, which must be utilized by all applications as follows:
1. A change of a user's status in the central IAM Service triggers provisioning or deprovisioning in the integrated cloud applications.
2. Security Assertion Markup Language (SAML) single sign-on (SSO) is used to facilitate access for users authenticated at the identity provider (the central IAM Service).
Which approach should an IAM architect implement on Salesforce Sales Cloud to meet the requirements?
- Deploy the Identity Connect component and set up automated provisioning and deprovisioning of users, as well as SAML-based SSO.
- Configure the central IAM Service as an authentication provider and extend the registration handler to manage provisioning and deprovisioning of users.
- Configure Salesforce as a SAML Service Provider, and enable SCIM (System for Cross-Domain Identity Management) for provisioning and deprovisioning of users.
- Configure Salesforce as a SAML Service Provider, and enable Just-in-Time (JIT) provisioning and deprovisioning of users.

Universal Containers (UC) is using its production org as the identity provider for a new Experience Cloud site, and the identity architect is deciding which login experience to use for the site. Which two page types are valid login page types for the site? Choose 2 answers.
- Login Discovery Page.
- Experience Builder Page.
- Embedded Login Page.
- Lightning Experience Page.

Northern Trail Outfitters (NTO) is launching a new sportswear brand on its existing consumer portal built on Salesforce Experience Cloud. As part of the launch, emails with promotional links will be sent to existing customers to log in and claim a discount. The marketing manager would like the portal dynamically branded so that users will be directed to the brand link they clicked on; otherwise, users will view a recognizable NTO-branded page. The campaign is launching quickly, so there is no time to procure any additional licenses. However, the development team is available to apply any required changes to the portal. Which approach should the identity architect recommend?
- Implement Experience ID in the code and extend the URLs and endpoints, as required.
- Create a full sandbox to replicate the portal site and update the branding accordingly.
- Use Heroku to build the new brand site and embedded login to reuse identities.
- Configure an additional community site on the same org that is dedicated to the new brand.

Northern Trail Outfitters (NTO) believes a specific user account may have been compromised. NTO inactivated the user account and needs to perform a forensic analysis and identify signals that could indicate a breach has occurred. What should NTO's first step be in gathering signals that could indicate account compromise?
- Download the Setup Audit Trail and review all recent activities performed by the user.
- Download the Login History and evaluate the details of logins performed by the user.
- Review the User record and evaluate the login and transaction history.
- Download the Identity Provider Event Log and evaluate the details of activities performed by the user.

Northern Trail Outfitters wants to implement a partner community. Active community users will need to review and accept the community rules, and update key contact information for each community member before their annual partner event. Which approach will meet this requirement?
- Create a custom landing page and email campaign asking all community members to log in and verify their data.
- Create a login flow that conditionally prompts users who have not accepted the new community rules and who have missing or outdated information.
- Create tasks for users who need to update their data or accept the new community rules.
- Add a banner to the community Home page asking users to update their profile and accept the new community rules.

Universal Containers (UC) has an Experience Cloud site (Customer Community) where customers can authenticate and place orders, view the status of orders, etc. UC allows guest checkout. How can a guest register using data previously collected during order placement?
- Enable self-registration and customize a self-registration page to collect only order details to retrieve customer data.
- Enable Facebook as an authentication provider and use a registration handler to collect only order details to retrieve customer data.
- Use a Connected App Handler Apex Plugin class to collect only order details to retrieve customer data.
- Enable Security Assertion Markup Language (SAML) Sign-On and use a login flow to collect only order details to retrieve customer data.

A real estate company wants to provide its customers a digital space to design their interior decoration options. To simplify the registration to gain access to the community site (built in Experience Cloud), the CTO has requested that the IT/Development team provide the option for customers to use their existing social-media credentials to register and access. The IT lead has approached the Salesforce Identity and Access Management (IAM) architect for technical direction on implementing social sign-on (for Facebook, Twitter, and a new provider that supports standard OpenID Connect (OIDC)). Which two recommendations should the Salesforce IAM architect make to the IT lead? Choose 2 answers.
- Use a declarative registration handler (Process Builder/Flow) to create and update users and contacts.
- Apex coding skills are needed for the registration handler to create and update users.
- For supporting OIDC it is necessary to enable Security Assertion Markup Language (SAML) with Just-in-Time (JIT) provisioning and OAuth 2.0.
- Authentication provider configuration is required for each social sign-on provider, and authentication providers must be enabled in the community.

An identity architect's client has a homegrown identity provider (IdP). Salesforce is used as the service provider (SP). The head of IT is worried that during SP-initiated single sign-on (SSO), the Security Assertion Markup Language (SAML) request content will be altered. What should the identity architect recommend to make sure that there is additional trust between the SP and the IdP?
- Encrypt the SAML request using a certification authority (CA) signed certificate and decrypt it on the IdP.
- Ensure that the Issuer and Assertion Consumer Service (ACS) URL are properly configured between SP and IdP.
- Ensure that on the SSO settings page, the "Request Signing Certificate" field has a self-signed certificate.
- Ensure that there is an HTTPS connection between IdP and SP.

Universal Containers wants to allow its customers to log in to its Experience Cloud site via a third-party authentication provider that supports only the OAuth protocol. What should an identity architect do to fulfill this requirement?
- Contact Salesforce Support and enable delegated single sign-on.
- Use certificate-based authentication.
- Create a custom external authentication provider.
- Configure an OpenID Connect authentication provider.

An identity architect works for a multinational, multi-brand organization. As they work with the organization to understand its Customer Identity and Access Management requirements, the identity architect learns that the brand experience is different for each of the customer's sub-brands, and each of these branded experiences must be carried through the login experience depending on which sub-brand the user is logging into. Which solution should the architect recommend to support scalability and reduce maintenance costs, if the organization has more than 150 sub-brands?
- Create a community subdomain for each sub-brand and customize the look and feel of the login page for each community subdomain to match the brand.
- Create a separate Salesforce org for each sub-brand so that each sub-brand has complete control over the user experience.
- Use Audiences to customize the login experience for each sub-brand and pass an audience ID to the community during the OAuth and Security Assertion Markup Language (SAML) flows.
- Assign each sub-brand a unique Experience ID and use the Experience ID to dynamically brand the login experience.

A financial services company uses Salesforce and has a compliance requirement to track information about devices from which users log in. Also, a Salesforce Security Administrator needs to have the ability to revoke the device from which users log in. What should be used to fulfill this requirement?
- Use Login Flows to capture the device from which users log in and store device and user information in a custom object.
- Use the Login History object to track information about devices from which users log in.
- Use multi-factor authentication (MFA) to meet the compliance requirement to track device information.
- Use the Activations feature to meet the compliance requirement to track device information.

Universal Containers (UC) uses Salesforce as a CRM and identity provider (IdP) for its Sales Team to seamlessly log in to internal portals. The IT team at UC is now evaluating Salesforce to act as an IdP for its remaining employees. Which Salesforce license is required to fulfill this requirement?
- Identity Connect.
- External Identity.
- Identity Verification.
- Identity Only.

Universal Containers has multiple Salesforce instances, and users receive emails from different instances. Users should be logged into the correct Salesforce instance, authenticated by their IdP, when clicking on an email link to a Salesforce record. What should be enabled in Salesforce as a prerequisite?
- Multi-Factor Authentication.
- Identity Provider.
- External Identity.
- My Domain.

Northern Trail Outfitters (NTO) leverages Microsoft Active Directory (AD) for management of employee usernames, passwords, permissions, and asset access. NTO also owns a third-party single sign-on (SSO) solution. The third-party SSO solution is used for all corporate applications, including Salesforce. NTO has asked an architect to explore Salesforce Identity Connect for automatic provisioning and deprovisioning of users in Salesforce. What role does Identity Connect play in the outlined requirements?
- Service Provider.
- Single Sign-On.
- Identity Provider.
- User Management.

Universal Containers (UC) is using a Salesforce Experience Cloud site for its container wholesale business. The identity architect wants to use an authentication provider for the new site. Which two options should be utilized in creating an authentication provider? Choose 2 answers.
- The default login user can be set.
- A custom registration handler can be set.
- The default authentication provider certificate can be set.
- A custom error URL can be set.

A farming enterprise offers smart farming technology to its farmer customers, which includes a variety of sensors for livestock tracking, pest monitoring, climate monitoring, etc. They plan to store all the data in Salesforce. They would also like to ensure timely maintenance of the installed sensors. They have engaged a Salesforce Architect to propose an appropriate way to generate sensor information in Salesforce. Which OAuth flow should the architect recommend?
- OAuth 2.0 Device Authentication Flow.
- OAuth 2.0 SAML Bearer Assertion Flow.
- OAuth 2.0 Asset Token Flow.
- OAuth 2.0 JWT Bearer Token Flow.

Northern Trail Outfitters (NTO) has a number of employees who do NOT need access to Salesforce objects. The employees should sign in to a custom Benefits web app using their Salesforce credentials. Which license should the identity architect recommend to fulfill this requirement?
- Identity Connect License.
- Identity Only License.
- Identity Verification Credits Add-On License.
- External Identity License.

Universal Containers uses Salesforce as an identity provider and Concur as the employee expense management system. The HR director wants to ensure Concur accounts for employees are created only after the appropriate approval in the Salesforce org. Which three steps should the identity architect use to implement this requirement? Choose 3 answers.
- Create an approval process for a custom object associated with the provisioning flow.
- Enable User Provisioning for the connected app.
- Create an approval process for the UserProvisioningRequest object associated with the provisioning flow.
- Create a connected app for Concur in Salesforce.
- Create an approval process for the User object associated with the provisioning flow.

Universal Containers (UC) is rolling out a new Customer Identity and Access Management solution that will be built on top of its existing Salesforce instance. Several service providers have been set up and integrated with Salesforce using OpenID Connect to allow for a seamless single sign-on experience. UC has a requirement to limit user access to only a subset of service providers per customer type. Which two steps should be done on the platform to satisfy the requirement? Choose 2 answers.
- Assign the connected app to the customer community, and enable the user's profile in the Community settings.
- Manage which connected apps a user has access to by assigning authentication providers to the user's profile.
- Use Profiles and Permission Sets to assign user access to Admin Pre-Approved connected apps.
- Set each of the connected app access settings to Admin Pre-Approved.

A technology enterprise is planning to implement single sign-on login for users. When users log in, Salesforce User object custom field data should be populated for new and existing users. Which two steps should an identity architect recommend? Choose 2 answers.
- Implement the RegistrationHandler interface.
- Implement the Auth.SamlJitHandler interface.
- Implement the SessionManagement class.
- Create and update methods.

Which three capabilities does SAML-based federated authentication provide? Choose 3 answers.
- Web applications with no passwords are more secure and stronger against hacks.
- Trust relationships between Identity Provider and Service Provider are required.
- Access tokens are used to access resources on the server once the user is authenticated.
- Centralized federation provides a single point of access, control and auditing.
- SAML tokens can be in XML or JSON format and can be used interchangeably.

Universal Containers (UC) has a mobile application that it wants to deploy to all of its Salesforce users, including Customer Community users. UC would like to minimize the administration overhead. Which two items should an Architect recommend? Choose 2 answers.
- Enable the "All users may self-authorize" setting in the connected app.
- Enable the "High Assurance session required" setting in the connected app.
- Enable the "Refresh token is valid until revoked" setting in the connected app.
- Enable the "Enforce IP restrictions" setting in the connected app.

Which two capabilities does My Domain enable in the context of a SAML SSO configuration? Choose 2 answers.
- Login Forensics.
- SSO from the Salesforce Mobile App.
- Resource deep linking.
- App Launcher.

Universal Containers has implemented a multi-org strategy and would like to centralize the management of its Salesforce user profiles. What should the Architect recommend to allow Salesforce profiles to be managed from a central system of record?
- Implement JIT provisioning on the SAML IdP that will pass the ProfileID in each assertion.
- Implement an OAuth JWT flow to pass the profile credentials between systems.
- Implement Delegated Authentication that will update the user profiles as necessary.
- Create an Apex scheduled job in one org that will synchronize the other org's profiles.

An insurance company has a connected app in its Salesforce environment that is used to integrate with Google Workspace (formerly known as G Suite). An identity and access management (IAM) architect has been asked to implement automation to enable users, freeze/suspend users, disable users, and reactivate existing users in Google Workspace upon similar actions in Salesforce. Which solution is recommended to meet this requirement?
- Build a custom REST endpoint in Salesforce that Google Workspace can poll against.
- Build an Apex trigger on the UserLogin object to make asynchronous callouts to Google APIs.
- Update the Security Assertion Markup Language Just-in-Time (SAML JIT) handler in Salesforce for user provisioning and de-provisioning.
- Configure User Provisioning for Connected Apps.

The CIO of Universal Containers (UC) wants to start taking advantage of the refresh token capability for the UC applications that utilize OAuth 2.0. UC has enlisted an architect to analyze all of the applications that use OAuth flows to see where refresh tokens can be applied. Which two OAuth flows should the architect consider in their evaluation? Choose 2 answers.
- Web server.
- JWT bearer token.
- User-Agent.
- Username-password.

Universal Containers (UC) wants its Closed Won opportunities to be synced to a data warehouse in near real time. UC has implemented Outbound Messages to enable near-real-time data sync. UC wants to ensure that communication between Salesforce and the target system is secure. What certificate is sent along with the Outbound Message?
- The CA-signed certificate from the Certificate and Key Management menu.
- The default client certificate from the Develop -> API menu.
- The default client certificate or a certificate from the Certificate and Key Management menu.
- The self-signed certificates from the Certificate & Key Management menu.

Universal Containers (UC) is building a custom Innovation platform on its Salesforce instance. The Innovation platform will be written completely in Apex and Visualforce and will use custom objects to store the data. UC would like all users to be able to access the system without having to log in with Salesforce credentials. UC will utilize a third-party IdP using SAML SSO. What is the optimal Salesforce license type for all of the UC employees?
- Identity License.
- Salesforce License.
- External Identity License.
- Salesforce Platform License.

Universal Containers (UC) wants to integrate a third-party Reward Calculation system with Salesforce to calculate rewards. Rewards will be calculated on a scheduled basis and updated back into Salesforce. The integration between Salesforce and the Reward Calculation system needs to be secure. Which are two recommended practices for using an OAuth flow in this scenario? Choose 2 answers.
- OAuth Refresh Token Flow.
- OAuth Username-Password Flow.
- OAuth SAML Bearer Assertion Flow.
- OAuth JWT Bearer Token Flow.
How should an Architect automatically redirect users to the login page of the external identity provider when using an SP-initiated SAML flow with Salesforce as a Service Provider?
- Use Visualforce as the landing page for My Domain to redirect users to the identity provider login page.
- Enable the "Redirect to the Identity Provider" setting under Authentication Services on the My Domain configuration.
- Remove the Login page from the list of Authentication Services on the My Domain configuration.
- Set the identity provider as default and enable the "Redirect to the Identity Provider" setting on the SAML configuration.

Universal Containers wants to build a custom mobile app connecting to Salesforce using OAuth, and would like to restrict the types of resources mobile users can access. What OAuth feature of Salesforce should be used to achieve the goal?
- Mobile PINs.
- Scopes.
- Access Tokens.
- Refresh Tokens.

Universal Containers is building a web application that will connect with the Salesforce API using the JWT OAuth flow. Which two settings need to be configured in the connected app to support this requirement? Choose 2 answers.
- The "eclair_api" OAuth scope in the connected app.
- The "api" OAuth scope in the connected app.
- The "web" OAuth scope in the connected app.
- The "Use Digital Signature" option in the connected app.

Which two statements are capabilities of Identity Connect? Choose 2 answers.
- Supports multiple orgs connecting to multiple Active Directory servers.
- Synchronization of Salesforce Permission Set License assignments.
- Supports both Identity-Provider-Initiated and Service-Provider-Initiated SSO.
- Automated user synchronization and de-activation.

Universal Containers wants to set up SSO for a selected group of users to access external applications from Salesforce through App Launcher. Which three steps must be completed in Salesforce to accomplish the goal? Choose 3 answers.
- Complete Single Sign-On Settings in Security Controls.
- Associate user profiles with the connected apps.
- Complete My Domain and Identity Provider setup.
- Create connected apps for the external applications.
- Create Named Credentials for each external system.

Which three types of attacks would a two-factor authentication solution help guard against? Choose 3 answers.
- Dictionary attacks.
- Key logging attacks.
- Phishing attacks.
- Man-in-the-middle attacks.
- Network perimeter attacks.

Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow. Application users will authenticate using username and password. They should not be forced to approve API access in the mobile app or reauthenticate for 3 months. Which two connected app options need to be configured to fulfill this use case? Choose 2 answers.
- Set Permitted Users to "Admin approved users are pre-authorized".
- Set the Refresh Token Policy to expire the refresh token after 3 months.
- Set the Session Timeout value to 3 months.
- Set Permitted Users to "All users may self-authorize".

An identity architect is implementing a mobile-first Consumer Identity and Access Management (CIAM) solution for external users. User authentication is the only requirement. The user's email or mobile phone number should be supported as a username. Which two licenses are needed to meet this requirement? Choose 2 answers.
- Identity Connect Licenses.
- External Identity Licenses.
- Email Verification Credits.
- SMS Verification Credits.

Universal Containers (UC) currently uses Salesforce Sales Cloud and an external billing application. Both Salesforce and the billing application are accessed several times a day to manage customers. UC would like to configure single sign-on and leverage Salesforce as the identity provider. Additionally, UC would like the billing application to be accessible from Salesforce. A redirect is acceptable. Which two Salesforce tools should an identity architect recommend to satisfy the requirements? Choose 2 answers.
- App Launcher.
- Salesforce Canvas.
- Identity Connect.
- Connected Apps.

A Salesforce customer is implementing Sales Cloud and a custom pricing application for its call center agents. An enterprise single sign-on solution is used to authenticate and sign in users to all applications. The customer has the following requirements:
1. The development team has decided to use a Canvas app to expose the pricing application to agents.
2. Agents should be able to access the Canvas app without needing to log in to the pricing application.
Which two options should the identity architect consider to provide support for the Canvas app to initiate login for users? Choose 2 answers.
- Enable OAuth settings in the connected app with the required OAuth scopes for the pricing application.
- Select "Enable as a Canvas Personal App" in the connected app settings.
- Enable SAML in the connected app and set the Security Assertion Markup Language (SAML) Initiation Method to Service Provider Initiated.
- Configure the Canvas app as a connected app and set admin-approved users as pre-authorized.

Universal Containers (UC) has decided to build a new, highly sensitive application on the Lightning Platform. The security team at UC has decided that they want users to provide a fingerprint in addition to username/password to authenticate to this application. How can an Architect support fingerprints as a form of identification for Salesforce authentication?
- Use Delegated Authentication with callouts to a third-party fingerprint scanning application.
- Use an AppExchange product that does fingerprint scanning with native Salesforce Identity Confirmation.
- Use Salesforce two-factor authentication with callouts to a third-party fingerprint scanning application.
- Use custom Login Flows with callouts to a third-party fingerprint scanning application.

Northern Trail Outfitters (NTO) wants its customers to use phone numbers to log in to their new digital portal, which was designed and built using Salesforce Experience Cloud. In order to access the portal, the user will need to do the following:
1. Enter a phone number and/or email address.
2. Enter a verification code that is sent via email or text.
What is the recommended approach to fulfill this requirement?
- Create a custom login flow that uses an Apex controller to verify the phone numbers with the company's verification service.
- Create a custom login page with an Apex controller. The controller has logic to send and verify the identity.
- Create a Login Discovery page and provide a Login Discovery Handler Apex class.
- Create an authentication provider and implement a self-registration handler class.

Universal Containers is using OpenID Connect to enable a connection from its new mobile app to its production Salesforce org. What should be done to enable the retrieval of the access token status for the OpenID Connect connection?
- Enable cross-origin resource sharing (CORS) for the /services/oauth2/token endpoint.
- Leverage OpenID Connect Token Introspection.
- Create a custom OAuth scope.
- Query using the OpenID Connect discovery endpoint.

Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for NTO to give its customers the ability to log in with their Amazon credentials. What should an identity architect recommend to meet these requirements?
- Configure Amazon as a connected app.
- Configure a predefined authentication provider for Amazon.
- Configure an OpenID Connect authentication provider for Amazon.
- Create a custom external authentication provider for Amazon.

Northern Trail Outfitters would like to automatically create new employee users in Salesforce with an appropriate profile that maps to its Active Directory department. How should an identity architect implement this requirement?
- Use the createUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.
- Use a login flow to collect Security Assertion Markup Language attributes and assign the appropriate profile during Just-in-Time (JIT) provisioning.
- Make a callout during the login flow to query the department from Active Directory to assign the appropriate profile.
- Use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.

Northern Trail Outfitters (NTO) is using Experience Cloud as an identity provider for its application on Heroku. The application on Heroku should be able to handle two brands, Northern Trail Shoes and Northern Trail Shirts. A user should select either of the two brands in Heroku before logging into the community. The app then performs authorization using OAuth 2.0 with the Salesforce Experience Cloud site. NTO wants to make sure it renders login page images dynamically based on the user's brand preference selected in Heroku before authorization. What should an identity architect do to fulfill the above requirements?
- For each brand create a different community and redirect users to the appropriate community using a custom login controller written in Apex.
- Authorize the third-party service by sending authorization requests to community-url/services/oauth2/authorize/expid_value.
- Authorize the third-party service by sending authorization requests to community-url/services/oauth2/authorize/cookie_value.
- Create multiple login screens using Experience Builder and use Login Flows at runtime to route to different login screens.

A third-party app provider would like to have users provisioned via a service endpoint before users access their app from Salesforce. What should an identity architect recommend to configure the requirement with limited changes to the third-party app?
- Redirect users to the third-party app for registration.
- Create a Canvas app in Salesforce for the third-party app to provision users.
- Use Salesforce Identity with Security Assertion Markup Language (SAML) for provisioning users.
- Use a connected app with a user provisioning flow.

Universal Containers wants to secure its Salesforce APIs by using an existing Security Assertion Markup Language (SAML) configuration that supports the company's single sign-on process to Salesforce. Which Salesforce OAuth authorization flow should be used?
- SAML Assertion Flow.
- OAuth 2.0 User-Agent Flow.
- OAuth 2.0 JWT Bearer Flow.
- OAuth 2.0 SAML Bearer Assertion Flow.

Universal Containers (UC) is building a mobile application that will make calls to the Salesforce REST API. Additionally, UC would like to provide the optimal experience for its mobile users. Which two OAuth scopes should UC configure in the connected app? Choose 2 answers.
- refresh_token.
- full.
- api.
- web.

Universal Containers (UC) uses a home-grown employee portal for its employees to collaborate. UC decides to use Salesforce Ideas to allow the employees to post ideas from the employee portal. When clicking some links in the employee portal, the users should be redirected to Salesforce, authenticated, and presented with the relevant pages. What scope should be requested when using the OAuth token to meet this requirement?
- api.
- Visualforce.
- web.
- full.

Which two roles of the systems are involved in an environment where Salesforce users are enabled to access Google Apps from within Salesforce through App Launcher and a connected app setup? Choose 2 answers.
- Google is the Service Provider.
- Google is the Identity Provider.
- Salesforce is the Service Provider.
- Salesforce is the Identity Provider.

Universal Containers (UC) wants its users to access Salesforce and other SSO-enabled applications from a custom web page that UC manages. UC wants its users to use the same set of credentials to access each of the applications. What SAML SSO flow should an Architect recommend for UC?
- User-Agent.
- SP-Initiated.
- SP-Initiated with Deep Linking.
- IdP-Initiated.

Which two are valid choices for digital certificates when setting up two-way SSL between Salesforce and an external system? Choose 2 answers.
- Use a self-signed certificate for Salesforce and a trusted CA-signed certificate for the external system.
- Use a self-signed certificate for Salesforce and a self-signed certificate for the external system.
- Use a trusted CA-signed certificate for Salesforce and a self-signed certificate for the external system.
- Use a trusted CA-signed certificate for Salesforce and a trusted CA-signed certificate for the external system.

Universal Containers (UC) wants to implement Delegated Authentication for a certain subset of Salesforce users. Which three items should UC take into consideration when building the web service to handle the Delegated Authentication request? Choose 3 answers.
- The web service can be written using either the SOAP or REST protocol.
- The return type of the web service method should be a Boolean value.
- The web service needs to include SourceIP as a method parameter.
- Delegated Authentication is enabled for the System Administrator profile.
- UC should allowlist all Salesforce IP ranges on its corporate firewall.

Universal Containers (UC) uses Active Directory (AD) as its identity store for employees and must continue to do so for network access. UC is undergoing a major transformation program and moving all of its enterprise applications to cloud platforms including Salesforce, Workday, and SAP HANA. UC needs to implement an SSO solution for accessing all of the third-party cloud applications, and the CIO is inclined to use Salesforce for all of its identity and access management needs. Which two Salesforce license types does UC need for its employees? Choose 2 answers.
- Company Community and Identity licenses.
- Identity and Identity Connect licenses.
- Chatter Only and Identity licenses.
- Salesforce and Identity Connect licenses.
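The Delegated Authentication web service from the question above, as an added example that is not part of the page and not Salesforce code. Salesforce invokes a SOAP endpoint described by the AuthenticationService WSDL (downloadable from Setup); the endpoint receives the username, whatever the user typed as the password (a password or a one-time token) and the end user's source IP, and must answer a single Boolean. The example parses that envelope with the standard library, applies a source-IP policy (the reason the sourceIp parameter exists), checks the credential in constant time against a constructed in-memory store standing in for the corporate directory, and returns the AuthenticateResult envelope. The element names follow the WSDL as the author recalls them and should be checked against the downloaded copy; the credentials and the 203.0.113.0/24 corporate range are constructed test data.

```go
package main

import (
	"crypto/subtle"
	"encoding/xml"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
)

// authenticateRequest is the Authenticate message Salesforce POSTs.
type authenticateRequest struct {
	Username string `xml:"username"`
	Password string `xml:"password"` // password or one-time token, exactly as typed by the user
	SourceIP string `xml:"sourceIp"` // the end user's address as Salesforce saw it
}

// envelope models the SOAP 1.1 wrapper around the Authenticate element.
type envelope struct {
	XMLName xml.Name `xml:"http://schemas.xmlsoap.org/soap/envelope/ Envelope"`
	Body    struct {
		Authenticate authenticateRequest `xml:"urn:authentication.soap.sforce.com Authenticate"`
	} `xml:"http://schemas.xmlsoap.org/soap/envelope/ Body"`
}

const responseTemplate = `<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <AuthenticateResult xmlns="urn:authentication.soap.sforce.com">
      <Authenticated>%t</Authenticated>
    </AuthenticateResult>
  </soapenv:Body>
</soapenv:Envelope>`

// credentialStore stands in for the corporate directory (constructed sample data).
type credentialStore map[string]string

// authenticate is the one decision Salesforce consumes: true or false, nothing else.
func authenticate(store credentialStore, allowed []*net.IPNet, req authenticateRequest) bool {
	ip := net.ParseIP(req.SourceIP)
	if ip == nil || !inAny(allowed, ip) {
		return false // user is not on an approved network
	}
	want, ok := store[req.Username]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(want), []byte(req.Password)) == 1
}

func inAny(nets []*net.IPNet, ip net.IP) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// handler parses the envelope and answers Authenticated true/false. Malformed
// input is a 400; Salesforce treats anything other than true as a failed login.
func handler(store credentialStore, allowed []*net.IPNet) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 64<<10))
		var env envelope
		if r.Method != http.MethodPost || err != nil || xml.Unmarshal(body, &env) != nil ||
			env.Body.Authenticate.Username == "" {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		ok := authenticate(store, allowed, env.Body.Authenticate)
		w.Header().Set("Content-Type", "text/xml; charset=utf-8")
		fmt.Fprintf(w, responseTemplate, ok)
	}
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

func main() {
	store := credentialStore{"jdoe@example.com": "correct horse battery staple"} // constructed
	allowed := []*net.IPNet{mustCIDR("203.0.113.0/24")}                         // constructed range
	// Production: serve TLS with a CA-signed certificate, and accept connections only
	// from Salesforce's published IP ranges or via client certificates; this endpoint
	// receives every user's password, and if it is down nobody on the profile can log in.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", handler(store, allowed)))
}
```

Because the service is the only thing standing between a caller and a "true", its own availability and the authenticity of the caller matter as much as the credential check, which is why the risk questions later on this page turn on outages and org-wide scope rather than on the protocol.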
In a typical SSL setup involving a trusted party and a trusting party, what consideration should an Architect take into account when using digital certificates?. Use of self-signed certificate leads to lower maintenance for trusted party because multiple self-signed certs need to be maintained. Use of self-signed certificate leads to higher maintenance for trusted party because they have to act as the trusted CA. Use of self-signed certificate leads to lower maintenance for trusting party because there is no trusted CA cert to maintain. Use of self-signed certificate leads to higher maintenance for trusting party because the cert needs to be added to their truststore. Universal Containers (UC) is considering using Delegated Authentication as the sole means of authenticating all Salesforce users. A Salesforce Architect has been brought in to assist with the implementation. Which two risks should the Architect point out? Choose 2 answers. Delegated Authentication is enabled or disabled for the entire Salesforce org. The web service must reside on a public cloud service, such as Heroku. Salesforce users will be locked out Of Salesforce if the web service goes down. UC will be required to develop and support a custom SOAP web service. Universal Containers plans to develop a custom mobile app for the sales team that will use Salesforce for authentication and access management. The mobile app access needs to be restricted to only the Sales team. What would be the recommended solution to grant mobile app access to sales users?. Use the Permission Set License to assign the mobile app permission to sales users. Use Connected Apps OAuth policies to restrict mobile app access to authorized users. Use a custom attribute on the user object to control access to the mobile app. Add a new identity provider to authenticate and authorize mobile users. Universal Containers (UC) has decided to use Salesforce as an Identity Provider for multiple extemal applications. 
UC wants to use the Salesforce App Launcher to control the apps that are available to individual users. Which three steps are required to make this happen? Choose 3 answers. Add each Connected App to the App Launcher with a Start URL. Set up Identity Connect to synchronize user data. Set up an Auth Provider for each external application. Set up Salesforce as a SAML IdP with My Domain. Create a Connected App for each extemal application. Universal Containers wants Salesforce inbound OAuth-enabled integration clients to use SAML-based Single Sign-on for authentication. What OAuth flow would be recommended in this scenario?. User-Token OAuth flow. SAML Assertion OAuth flow. Web Server OAuth flow. User-Agent OAuth flow. Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, who use SAML based sign sign-on to login to Salesforce. The default agent profile does not include the Manage user permission. UC wants to dynamically update the agent role and permission sets. Which two mechanisms are used to provision agents with the appropriate permissions? Choose 2 answers. Use SAML Just-in-Time (JIT) Handler class run as current user to update role and permission sets. Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets. Use Login Flow in System Context to update role and permission sets. Use Login Flow in User Context to update role and permission sets. An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The following are the requirements for the solution: 1. Users should not have to login every time they use the app 2. The app should be able to make calls to the Salesforce REST API 3. End users should NOT see the OAuth approval page How should the identity architect configure the Salesforce connected app to meet the requirements?. 
Enable the API Scope and Offine Access Scope on the connected app, and then set the connected app to access settings to "Admin Pre-Approved". Enable the API Scope and Offine Access Scope on the connected app, and then set the Connected App access settings to "User may self authorize". Enable the API Scope and Offine Access Scope, upload a certificate so JWT Bearer Flow can be used and then set the connected app access settings to "Admin Pre-Approved". Enable the Full Access Scope and then set the connected app access settings to "Admin Pre-Approved". A technology enterprise is setting up an identity solution with an extemal vendors wellness application for its employees. The user attributes need to be returned to the wellness application in an ID token. Which authentication mechanism should an identity architect recommend to meet the requirements?. Web Server Flow. OpenlD Connect. User Agent Flow. JWT Bearer Token Flow. A service provider (SP) supports both Security Assertion Markup Language (SAML) and OpenlD Connect (OIDC). When integrating this SP with Salesforce, which use case is the determining factor when choosing OIDC or SAML?. They are equivalent protocols and there is no real reason to choose one over the other. The SP needs to perform API calls back to Salesforce on behalf of the user after the user logs in to the service provider. If the user has a session on Salesforce, you do not want them to be prompted for a username and password when they login to the SP. OIDC is more secure than SAML and therefore is the obvious choice. |