Otro mas 1
|
|
Título del Test:
![]() Otro mas 1 Descripción: tuyo y mio |



| Comentarios |
|---|
NO HAY REGISTROS |
|
Universal Containers (UC) has decided to replace the homegrown customer portal with Salesforce Experience Cloud. UC will continue to use Its third-party single sign-on (SSO) solution that stores all of its customer and partner credentials. The first time a customer logs in to the Experience Cloud site through SSO, a user record needs to be created automatically. Which solution should an identity architect recommend in order to automatically provision users in Salesforce upon login?. Third-party AppExchange solution. Custom middleware and web services. Just-in-Time (OIT) provisioning. Custom login flow and Apex handler. Northern Trail Outfitters (NTO) utilizes a third-party cloud solution for an employee portal. NTO also owns Salesforce Service Cloud and would like employees to be able to login to Salesforce with their third-party portal credentials for a seamless experience. The third-party employee portal only supports OAuth. What should an identity architect recommend to enable single sign-on (SSO) between the portal and Salesforce?. Add the third-party portal as a connected app. Configure Salesforce for Delegated Authentication. Create a custom external authentication provider. Configure SSO with OpenID Connect and leverage the third party portal as an identity provider. Universal Containers is implementing Salesforce Identity to broker authentication from its enterprise single sign-on (SSO) solution through Salesforce to third party applications using SAML. What role does Salesforce Identity play in its relationship with the enterprise SSO system?. Service Provider (SP). Identity Provider (IdP). Resource Server. Client Application. Universal Containers uses Salesforce as an identity provider and Concur as the Employee Expense management system. The HR director wants to ensure Concur accounts for employees are created only after the appropriate approval in the Salesforce org. Which three steps should the identity architect use to implement this requirement? Choose 3 answers. Create an approval process for a custom object associated with the provisioning flow. Create an approval process for User Provisioning Request object associated with the provisioning flow. Create a connected app for Concur in Salesforce. Enable User Provisioning for the connected app. Create an approval process for User object associated with the provisioning flow. Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for NTO to give its customers the ability to login with their Amazon credentials. What should an identity architect recommend to meet these requirements?. Configure Amazon as a connected app. Create a custom external authentication provider for Amazon. Configure an OpenID Connect Authentication Provider for Amazon. Configure a predefined authentication provider for Amazon. Northern Trail Outfitters (NTO) has a requirement to ensure all user logins include a single multi-factor authentication (MFA) prompt. Currently, users are allowed the choice to login with a username and password or via single sign-on against NTO's corporate Identity Provider, which includes built-in MFA. Which configuration will meet this requirement?. Create and assign a permission set to all employees that includes "MFA for User Interface Logins.". Create a custom login flow that enforces MFA and assign it to a permission set. Then assign the permission set to all employees. Enable "MFA for User Interface Logins" for your organization from Setup -> Identity Verification. For all employee profiles, set the Session Level Required at Login to High Assurance and add the corporate identity provider to the High Assurance list for the org's Session Security Levels. A financial services company uses Salesforce and has a compliance requirement to track information about devices from which users log in. Also, a Salesforce Security Administrator needs to have the ability to revoke the device from which users log in. What should be used to fulfill this requirement?. Use multi-factor authentication (MFA) to meet the compliance requirement to track device information. Use the Login History object to track information about devices from which users log in. Use Login Flows to capture device from which users log in and store device and user information in a custom object. Use the Activations feature to meet the compliance requirement to track device Information. Universal Containers (UC) is building a custom employee hub application on Amazon Web Services (AWS) and would like to store their users' credentials there. Users will also need access to Salesforce for internal operations. UC has tasked an identity architect with evaluating different solutions for authentication and authorization between AWS and Salesforce. How should an Identity architect configure AWS to authenticate and authorize Salesforce users?. Create a custom external authentication provider. Develop a custom Auth server in AWS. Configure the custom employee app as a connected app. Configure AWS as an OpenID Connect Provider. Universal Containers would like its customers to register and log in to a portal built on Salesforce Experience Cloud. Customers should be able to use their Facebook or LinkedIn credentials for ease of use. Which three steps should an identity architect take to implement social sign-on? Choose 3 answers. Update the default registration handlers to create and update users. Enable "Federated Single Sign-On Using SAML". Enable "Facebook" and "LinkedIn" under Login Page Setup. Create authentication providers for both Facebook and LinkedIn. Register both Facebook and Linkedin as connected apps. A multinational Industrial products manufacturer is planning to Implement Salesforce CRM to manage their business. They have the following requirements: 1. They plan to implement Partner communities to provide access to their partner network. 2. They have operations in multiple countries and are planning to Implement multiple Salesforce orgs. 3. Some of their partners do business in multiple countries and will need Information from multiple Salesforce communities. 4. They would like to provide a single login for their partners. How should an Identity Architect solution this requirement with limited custom development?. Create a partner login for the country of their operation and use SAML federation to provide access to other orgs. Register partners in one org and access information from other orgs using APIs. Allow partners to choose the Salesforce org they need information from and use login flows to authenticate access. Consolidate Partner related information in a single org and provide access through Salesforce community. An Identity architect works for a multinational, multi-brand organization. As they work with the organization to understand their Customer Identity and Access Management requirements, the identity architect learns that the brand experience is different for each of the customer's sub-brands and each of these branded experiences must be carried through the login experience depending on which sub-brand the user is logging into. Which solution should the architect recommend to support scalability and reduce maintenance costs, if the organization has more than 150 sub- brands?. Create a community subdomain for each sub-brand and customize the look and feel of the Login page for each community subdomain to match the brand. Assign each sub-brand a unique Experience ID and use the Experience ID to dynamically brand the login experience. Create a separate Salesforce org for each sub-brand so that each sub-brand has complete control over the user experience. Use Audiences to customize the login experience for each sub-brand and pass an audience ID to the community during the OAuth and Security Assertion Markup Language (SAML) flows. A public sector agency is setting up an identity solution for its citizens using a Community built on Experience Cloud and requires the new user registration functionality to capture first name, last name, and phone number. The phone number will be used for passwordless login. Which feature should an identity architect recommend to meet the requirements?. Integrate with social websites (Facebook, LinkedIn, Twitter). Use Login Discovery. Create a custom Lightning Web Component. Use an external Identity Provider. Northern Trail Outfitters (NTO) is planning to implement a community for its customers using Salesforce Experience Cloud Customers are not able to self-register. NTO would like to have customers set their own passwords when provided access to the community. Which two recommendations should an identity architect make to fulfill this requirement? Choose 2 answers. Enable Welcome emails while configuring the Experience Cloud site. Use Login Flows to allow users to reset password in Experience Cloud site. Allow Password reset using the API to update Experience Cloud site membership. Add customers as contacts and add them to Experience Cloud site. Northern Trail Outfitters is implementing a business-to-business (B2B) collaboration site using Salesforce Experience Cloud. The partners will authenticate with an existing Identity provider and the solution will utilize Security Assertion Markup Language (SAML) to provide single sign- on to Salesforce. Delegated administration will be used in the Experience Cloud site to allow the partners to administer their users' access. How should a partner identity be provisioned in Salesforce for this solution?. Create a user and a related contact. Create only a contact. Create a contactless user. Create a person account. Universal Container's (UC) is using Salesforce Experience Cloud site for its container wholesale business. The identity architect wants to use an authentication provider for the new site. Which two options should be utilized in creating an authentication provider? Choose 2 answers. The default login user can be set. A custom error URL can be set. The default authentication provider certificate can be set. A custom registration handler can be set. Universal Containers (UC) uses Salesforce for its customer service agents. UC has a proprietary system for order tracking which supports Security Assertion Markup Language (SAML) based single sign-on. The VP of customer service wants to ensure only active Salesforce users should be able to access the order tracking system which is only visible within Salesforce. What should be done to fulfill the requirement? Choose 2 answers. Set up the Corporate Identity store as an identity provider (IdP) for Order Tracking. Customize Order Tracking to initiate a REST call to validate users in Salesforce after login. Setup Salesforce as an identity provider (IdP) for Order Tracking. Setup Order Tracking as a Canvas app in Salesforce to POST IDP Initiated SAML assertion. A company's external application is protected by Salesforce through OAuth. The identity architect for the project needs to limit the level of access to the data of the protected resource in a flexible way. What should be done to improve security?. Select "Admin approved users are pre-authorized" and assign specific profiles. Create custom scopes and assign to the connected app. Leverage external objects and data classification policies. Define a permission set that grants access to the app and assign to authorized users. Universal Containers (UC) is planning to add Wi-Fi enabled GPS tracking devices to its shipping containers so that the GPS coordinates data can be sent from the tracking device to Its Salesforce production org via a custom API. The GPS devices have no direct user input or output capabilities. Which OAuth flow should the identity architect recommend to meet the requirement?. OAuth 2.0 Asset Token Flow for Securing Connected Devices. OAuth 2.0 Web Server Flow for Web App Integration. OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration. OAuth 2.0 Username-Password Flow for Special Scenarios. A multinational company using the Salesforce platform wants to implement robust user activity verification capabilities to detect unauthorized access and unusual login patterns. They need real-time monitoring and alerting functionalities to respond promptly to security Incidents. Which Salesforce tool should be utilized to achieve these requirements?. Salesforce Event Monitoring and Event Log Files. Salesforce Profiles. Salesforce Platform Encryption. Salesforce Data Loader. An Enterprise is using a Lightweight Directory Access Protocol (LDAP) server as the only point for user authentication with a username/password, Salesforce leverages delegated authentication to integrate with the LDAP. How can end users change their password?. Users can change it on the enterprise LDAP authentication portal. Users can click on the "Forgot your Password" link on the Salesforce.com login page. Users can request the Salesforce Admin to reset their password. Users once logged in, can go to the Change Password screen in Salesforce. Northern Trail Outfitters (NTO) recently purchased Salesforce Identity Connect to streamline user provisioning across Microsoft Active Directory (AD) and Salesforce Sales Cloud. NTO has asked an identity architect to identify which Salesforce security configurations can map to AD permissions. Which three Salesforce permissions are available to map to AD permissions? Choose 3 answers. Sharing Rules. Public Groups. Permission Set License. Roles. Profiles and Permission Sets. A large consumer company is planning to create a community and will require login through the customers social identity. The following requirements must be met: 1. The customer should be able to login with any of their social identities, however Salesforce should only have one user per customer. 2. Once the customer has been identified with a social identity, they should not be required to authorize Salesforce. 3. The customers personal details from the social sign on need to be captured when the customer logs into Salesforce using their social identity. 4. If the customer modifies their personal details in the social site, the changes should be updated in Salesforce. Which two options allow the Identity Architect to fulfill the requirements? Choose 2 answers. Use Login Flows to call an authentication registration handler to provision the user before logging the user into the community. Use authentication providers for social sign-on and use the custom registration handler to insert or update personal details. Use the custom registration handler to link social identities to Salesforce Identities. Redirect the user to a custom page that allows the user to select an existing social identity for login. Universal Containers has multiple Salesforce instances where users receive emails from different instances. Users should be logged into the correct Salesforce instance authenticated by their IdP when clicking on an email link to a Salesforce record. What should be enabled in Salesforce as a prerequisite?. External Identity. My Domain. Multi-Factor Authentication. Identity Provider. Northern Trail Outfitters wants to enable single sign-on (SSO) for its Salesforce platform by integrating it with an identity provider (IdP). Which step should be performed to establish the trust between Salesforce and the identity provider (IdP)?. Setting up a VPN (Virtual Private Network) tunnel between Salesforce and the identity provider for secure communication. Embedding the identity provider's authentication code directly into Salesforce source code. Configuring a trust relationship by exchanging metadata XML files between Salesforce and the IdP. Creating a custom login page within the Salesforce platform for user authentication. An identity architect's client has a homegrown identity provider (IdP). Salesforce is used as the service provider (SP). The head of IT is worried that during a SP initiated single sign-on (SSO), the Security Assertion Markup Language (SAML) request content will be altered. What should the identity architect recommend to make sure that there is additional trust between the SP and the IdP?. Ensure that there is an HTTPS connection between IDP and SP. Encrypt the SAML Request using certification authority (CA) signed certificate and decrypt on IdP. Ensure that the Issuer and Assertion Consumer Service (ACS) URL is properly configured between SP and IDP. Ensure that on the SSO settings page, the "Request Signing Certificate field has a self-signed certificate. An identity professional working on a project to integrate a third- party application with Salesforce, is tasked with evaluating OAuth options. The project requires fine-grained access control and the ability to obtain long-lived access tokens. Which OAuth flow would best fulfill the project requirements?. Client Credentials flow. Authorization Code flow. Implicit flow. Username-password grant. Northern Trail Outfitters (NTO) uses the Customer 360 Platform implemented on Salesforce Experience Cloud. The development team in charge has learned of a contactless user feature, which can reduce the overhead of managing customers and partners by creating users without contact Information. What is the potential Impact to the architecture if NTO decides to Implement this feature?. Custom registration handler is needed to correctly assign External Identity or Community license for the newly registered contactless user. If contactless user is upgraded to Community license, the contact record is automatically created and linked to the user record, but not associated with an Account. Contactless user feature is available only with the External Identity license, which can restrict the Experience Cloud functionality available to the user. Passwordless authentication can not be supported because the mobile phone receiving one-time password (OTP) needs to match the number on the contact record. A global company is using the Salesforce Platform as an Identity Provider and needs to integrate a third-party application with its Experience Cloud customer portal. Which two features should be utilized to provide users with login and identity services for the third-party application? Choose 2 answers. Use the App Launcher with single sign-on (SSO). Use Delegated Authentication. Use a connected app. External a Data source with Named Principal identity type. Northern Trail Outfitters (NTO) has an existing business-to- consumer (B2C) website that that does NOT support single sign-on standards, such as Security Assertion Markup Language (SAML) or OAuth. NTO wants to use Salesforce Identity to register and authenticate new customers on the website. Which three Salesforce features should an Identity architect use in order to provide social sign-in capabilities for the website? Choose 3 answers. Connected Apps. Authentication Providers. Delegated Authentication. Embedded Login. Identity Connect. A global company's Salesforce Identity Architect is reviewing its Salesforce production org login history and is seeing some intermittent Security Assertion Markup Language (SAML SSO) "Replay Detected" and "Assertion Invalid" login errors. Which two issues would cause these errors? Choose 2 answers. The certificate loaded into SSO configuration does not match the certificate used by the IdP. The subject element is missing from the assertion sent to Salesforce. The current time setting of the company's identity provider (IdP) and Salesforce platform is out of sync by more than eight minutes. The assertion sent to Salesforce contains an assertion ID previously used. Northern Trail Outfitters recently acquired a company. Each company will retain its Identity Provider (IdP). Both companies rely extensively on Salesforce processes that send emails to users to take specific actions In Salesforce. How should the combined companys' employees collaborate in a single Salesforce org, yet authenticate to the appropriate IdP?. Configure unique MyDomains for each company and have generated links use the appropriate MyDomain in the URL. Have generated links append a querystring parameter indicating the IdP. The login service will redirect to the appropriate IdP. Enable each IdP as a login option in the MyDomain Authentication Service settings, Users will then click on the appropriate IdP button. Have generated links be prefixed with the appropriate IdP URL to invoke an IdP- initiated Security Assertion Markup Language flow when clicked. Universal Containers allows employees to use a mobile device to access Salesforce for daily operations using a hybrid mobile app. This app uses Mobile software development kits (SDK), leverages refresh token to regenerate access token when required and is distributed as a private app. The chief security officer is rolling out an org wide compliance policy to enforce re-verification of devices if an employee has not logged in from that device in the last week. Which connected app setting should be leveraged to comply with this policy change?. Scope - Deny refresh token scope for this connected app. Permitted User - Ask admins to maintain a list of users who are permitted based on last login date. Session Policy - Set timeout value of the connected app to 7 days. Refresh Token Policy - Expire the refresh token if it has not been used for 7 days. An Identity and Access Management (IAM) architect is tasked with unifying multiple B2C Commerce sites and an Experience Cloud community with a single identity. The solution needs to support more than 1,000 logins per minute. What should the IAM Architect do to fulfill this requirement?. Create a default account for capturing all ecommerce contacts registered on the community because personAccount is not supported for this case. Confirm performance considerations with Salesforce Customer Support due to high peaks. Configure community as a Security Assertion Markup Language (SAML) Identity provider and enable Just-in-Time Provisioning to B2C Commerce. Configure both the community and the commerce sites as OAuth2 RPs (relying party) with an external identity provider. Universal Containers wants to secure its Salesforce APIs by using an existing Security Assertion Markup Language (SAML) configuration that supports the company's single sign-on process to Salesforce. Which Salesforce OAuth authorization flow should be used?. OAuth 2.0 JWT Bearer Flow. OAuth 2.0 SAML Bearer Assertion Flow. OAuth 2.0 User-Agent Flow. SAML Assertion Flow. Universal Containers is building a web application that will connect with the Salesforce API using JWT OAuth Flow. Which two settings need to be configured in the connect app to support this requirement? Choose 2 answers. The Use Digital Signature option in the connected app. The "web" OAuth scope in the connected app. The "api" OAuth scope in the connected app. The "eclair api" OAuth scope in the connected app. Universal Containers wants to allow its customers to log in to its Experience Cloud via a third party authentication provider that supports only the OAuth protocol. What should an identity architect do to fulfill this requirement?. Contact Salesforce Support and enable delegate single sign-on. Configure OpenID Connect authentication provider. Create a custom external authentication provider. Use certificate-based authentication. Northern Trail Outfitters (NTO) has a number of employees who do NOT need access Salesforce objects. The employees should sign in to a custom Benefits web app using their Salesforce credentials. Which license should the identity architect recommend to fulfill this requirement?. Identity Only License. Identity Verification Credits Add-On License. External Identity License. Identity Connect License. Users logging into Salesforce are frequently prompted to verify their identity. The identity architect is required to provide recommendations so that frequency of prompt verification can be reduced. What should the identity architect recommend to meet the requirement?. Implement an single sign-on for Salesforce using an external identity provider. Set trusted IP ranges for the organization. Implement 2FA authentication for the Salesforce org. Implement multi-factor authentication for the Salesforce org. An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The following are the requirements for the solution: 1. Users should not have to login every time they use the app. 2. The app should be able to make calls to the Salesforce REST API. 3. End users should NOT see the OAuth approval page. How should the identity architect configure the Salesforce connected app to meet the requirements?. Enable the API Scope and Offline Access Scope on the connected app, and then set the Connected App access settings to "User may self authorize". Enable the Full Access Scope and then set the connected app access settings to "Admin Pre-Approved". Enable the API Scope and Offline Access Scope on the connected app, and then set the connected app to access settings to "Admin Pre-Approved". Enable the API Scope and Offline Access Scope, upload a certificate so JWT Bearer Flow can be used and then set the connected app access settings to "Admin Pre- Approved. A third-party app provider would like to have users provisioned via a service endpoint before users access their app from Salesforce. What should an Identity architect recommend to configure the requirement with limited changes to the third-party app?. Use a connected app with user provisioning flow. Redirect users to the third-party app for registration. Create Canvas app in Salesforce for third-party app to provision users. Use Salesforce identity with Security Assertion Markup Language (SAML) for provisioning users. A real estate company wants to provide its customers a digital space to design their interior decoration options. To simplify the registration to gain access to the community site (built in Experience Cloud), the CTO has requested that the IT/Development team provide the option for customers to use their existing social-media credentials to register and access. The IT lead has approached the Salesforce Identity and Access Management (IAM) architect for technical direction on implementing the social sign-on (for Facebook, Twitter, and a new provider that supports standard OpenID Connect (OIDC)). Which two recommendations should the Salesforce IAM architect make to the IT Lead? Choose 2 answers. For supporting OIDC it is necessary to enable Security Assertion Markup Language (SAML) with Just-in-Time provisioning (JIT) and OAuth 2.0. Authentication provider configuration is required each social sign-on providers; and enable Authentication providers in community. Apex coding skills are needed for registration handier to create and update users. Use declarative registration handler process builder/flow to create, update users and contacts. Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow (this flow uses the OAuth 2.0 implicit grant type). Which three OAuth concepts apply to this flow? Choose 3 answers. Scopes. Client ID. Authorization Code. Verification Code. Refresh Token. An identity architect has been asked to recommend a solution that allows administrators to configure personalized alert messages to users before they land on the Experience Cloud site (formerly known as Community) homepage. What is recommended to fulfill this requirement with the least amount of customization?. Customize the registration handler Apex class to create a routing logic navigating to different home pages based on the user profile. Use Login Flows to add a screen that shows personalized alerts. Create custom metadata that stores user alerts and use a LWC to display alerts. Build a Lightning Web Component (LWC) for a homepage that shows custom alerts. A web service is developed that allows secure access to customer order status on the Salesforce Platform. The service connects to Salesforce through a connected app with the web server flow. The following are the required actions for the authorization flow: 1. User Authenticates and Authorizes Access 2. Request an Access Token 3. Salesforce Grants an Access Token 4. Request an Authorization Code 5. Salesforce Grants Authorization Code What is the correct sequence for the authorization flow?. 4, 1.5, 2, 3. 4, 5, 2, 3, 1. 1, 4, 5, 2, 3. 2, 1, 3, 4, 5. A farming enterprise offers smart farming technology to its farmer customers, which includes a variety of sensors for livestock tracking, pest monitoring, climate monitoring etc. They plan to store all the data in Salesforce. They would also like to ensure timely maintenance of the installed sensors. They have engaged a Salesforce Architect to propose an appropriate way to send an alert when something goes wrong. Which OAuth flow should the architect recommend?. OAuth 2.0 SAML Bearer Assertion Flow. OAuth 2.0 Device Authentication Flow. OAuth 2.0 Asset Token Flow. OAuth 2.0 JWT Bearer Token Flow. The executive sponsor for an organization has asked if Salesforce supports the ability to embed a login widget into its service providers in order to create a more seamless user experience. What should be used and considered before recommending it as a solution on the Salesforce Platform?. Embedded Login. Identify what level of UI customization will be required to make it match the service providers look and feel. Salesforce REST APIS. Ensure that Secure Sockets Layer (SSL) connection for the integration is used. OpenID Connect Web Server Flow. Determine if the service provider is secure enough to store the client secret on. Embedded Login, Consider whether or not it relies on third party cookies which can cause browser compatibility issues. Universal Containers (UC) has an Experience Cloud site (Customer Community) where customers can authenticate and place orders, view the status of orders, etc. UC allows guest checkout. How can a guest register using data previously collected during order placement?. Enable self-registration and customize a self-registration page to collect only order details to retrieve customer data. Enable Security Assertion Markup Language (SAML) Sign-On and use a login flow to collect only order details to retrieve customer data. Enable Facebook as an authentication provider and use a registration handler to collect only order details to retrieve customer data. Use a Connected App Handler Apex Plugin class to collect only order details to retrieve customer data. Northern Trail Outfitters (NTO) uses Salesforce for Sales Opportunity Management. Okta was recently brought in to Just-in-Time (JIT) provision and authenticate NTO users to applications. Salesforce users also use Okta to authorize a Forecasting web application to access Salesforce records on their behalf. Which two roles are being performed by Salesforce? Choose 2 answers. OAuth Resource Server. SAML Service Provider. OAuth Client. SAML Identity Provider. A technology enterprise is planning to implement single sign-on login for users. When users log in to Salesforce, data should be populated In User object custom fields. Which two steps should an identity architect recommend? Choose 2 answers. Implement Auth. SamlJitHandler Interface. Implement Session Management Class. Create and update methods. Implement RegistrationHandler Interface. Universal Containers (UC) rolling out a new Customer Identity and Access Management Solution will be built on top of their existing Salesforce instance. Several service providers have been setup and integrated with Salesforce using OpenID Connect to allow for a seamless single sign-on experience. UC has a requirement to limit users to sign on directly from the Salesforce org to the external Service provider app that accepts OpenID Connect. Which two steps should be done on the platform to satisfy the requirement? Choose 2 answers. Manage which connected apps a user has access to by assigning authentication providers to the users profile. Assign the connected app to the customer community, and enable the users profile in the Community settings. Set each of the Connected App access settings to Admin Pre-Approved. Use Profiles and Permission Sets to assign user access to Admin Pre- Approved Connected Apps. Northern Trail Outfitters manages application functional permissions centrally as Active Directory groups. The CRM_SuperUser and CRM_Reporting_SuperUser groups should respectively give the user the SuperUser and Reporting_SuperUser permission set in Salesforce. Salesforce is the service provider to a Security Assertion Markup Language (SAML) identity provider. How should an Identity architect ensure the Active Directory groups are reflected correctly when a user accesses Salesforce?. Use the Apex Just-in-Time handler to query custom SAML attributes and set permission sets. Use a login flow to query standard SAML attributes and set permission sets. Use a login flow to query custom SAML attributes and set permission sets. Use the Apex Just-in-Time handler to query standard SAML attributes and set permission sets. An identity architect is implementing a mobile-first Consumer Identity Access Management (CIAM) for external users. User authentication is the only requirement. The users email or mobile phone number should be supported as a username. Which two licenses are needed to meet this requirement? Choose 2 answers. External Identity Licenses. Email Verification Credits. Identity Connect Licenses. SMS Verification Credits. Northern Trail Outfitters (NTO) is setting up Salesforce to authenticate users with an external identity provider. The NTO Salesforce Administrator is having trouble getting things setup. What should an identity architect use to show which part of the login assertion is failing?. Security Assertion Markup Language Validator. Connected App Manager. SAML Metadata file importer. Identity Provider Metadata download. Universal Containers (UC) uses Salesforce as a CRM and Identity provider (IdP) for their Sales Team to seamlessly login to internal portals. The IT team at UC is now evaluating Salesforce to act as an IdP for its remaining employees. Which Salesforce license is required to fulfill this requirement?. Identity Verification. Identity Connect. Identity Only. External Identity. An Identity and Access Management (IAM) Architect is recommending Identity Connect to integrate Microsoft Active Directory (AD) with Salesforce for user provisioning, deprovisioning and single sign- on (SSO). Which feature of Identity Connect is applicable for this scenario?. Identity Connect can be deployed as a managed package on Salesforce org, leveraging High Availability of Salesforce Platform out-of-the-box. When configured, Identity Connect acts as an identity provider to both Active Directory and Salesforce, thus providing 550 as a default feature. If the number of provisioned users exceeds Salesforce licence allowances, Identity Connect will start disabling the existing Salesforce users in First-in, First-out (FIFO) fashion. When Identity Connect is in place, if a user is deprovisioned in an on-premise AD, the user's Salesforce session is revoked immediately. A Salesforce customer is implementing Sales Cloud and a custom pricing application for its call center agents. An Enterprise single sign-on solution is used to authenticate and sign-in users to all applications. The customer has the following requirements: 1. The development team has decided to use a Canvas app to expose the pricing application to agents. 2. Agents should be able to access the Canvas app without needing to log in to the pricing application. Which two options should the identity architect consider to provide support for the Canvas app to initiate login for users? Choose 2 answers. Configure the Canvas app as a connected app and set Admin-approved users as pre-authorized. Select "Enable as a Canvas Personal App" in the connected app settings. Enable OAuth settings in the connected app with required OAuth scopes for the pricing application. Enable SAML in the connected app and Security Assertion Markup Language (SAML) Initiation Method as Service Provider Initiated. An organization has a central cloud-based Identity and Access Management (IAM) Service for authentication and user management, which must be utilized by all applications as follows: 1- Change of a user status in the central IAM Service triggers provisioning or deprovisioning in the integrated cloud applications. 2- Security Assertion Markup Language single sign-on (SSO) is used to facilitate access for users authenticated at identity provider (Central IAM Service). Which approach should an IAM architect implement on Salesforce Sales Cloud to meet the requirements?. Configure Salesforce as a SAML service provider, and enable Just-in Time (JIT) provisioning and deprovisioning of users. Configure central IAM Service as an authentication provider and extend registration handler to manage provisioning and deprovisioning of users. Configure Salesforce as a SAML Service Provider, and enable SCIM (System for Cross- Domain Identity Management) for provisioning and deprovisioning of users. Deploy Identity Connect component and set up automated provisioning and deprovisioning of users, as well as SAML-based SSO. Universal Containers (UC) is using its production org as the identity provider for a new Experience Cloud site and the identity architect Is deciding which login experience to use for the site. Which two page types are valid login page types for the site? Choose 2 answers. Login Discovery Page. Experience Builder Page. Embedded Login Page. Lightning Experience Page. Northern Trail Outfitters has implemented OAuth 2.0 for its single sign-on (SSO) solution, allowing users to authenticate and access Salesforce resources using external identity providers. However, some users are reporting intermittent logouts when trying to access Salesforce through SSO. What can be a potential point of failure that should be considered during troubleshooting?. Expiration or revocation of the access token issued by the identity provider. Misconfiguration of the user's device, such as an outdated web browser or disabled JavaScript. Delays in the network routing between the user's location and the Salesforce servers. Insufficient user permissions in Salesforce causing access issues. Northern Trail Outfitters (NTO) is planning to roll out a partner portal for its distributors using Experience Cloud. NTO would like to use an external identity provider (IdP) and for partners to register for access to the portal. Each partner should be allowed to register only once to avoid duplicate accounts with Salesforce. What should a identity architect recommend to create partners?. Create a custom page in Experience Cloud to self register partner with Experience Cloud and Ping identity store. On successful creation of Partners using Self Registration page In Experience Cloud, create identity in Ping. Create a custom web page in the Portal and create users in the IdP and Experience Cloud using published APIs. Allow partners to register through the IdP and create partner users in Salesforce through an API. When designing a multi-branded Customer Identity and Access Management solution on the Salesforce Platform, how should an identity architect ensure a specific brand experience in Salesforce is presented?. The Experience ID, which can be included in OAuth/Open ID flows and Security Assertion Markup Language (SAML) flows as a URL parameter. The Audience ID, which can be set in a shared cookie. Add a custom parameter to the service provider's OAuth/SAML call and implement logic on its login page to apply branding based on the parameters value. Provide a brand picker that the end user can use to select its sub-brand when they arrive on Salesforce. Northern Trail Outfitters want to allow its consumer to self- register on it business-to-consumer (B2C) portal that is built on Experience Cloud. The Identity architect has recommended to use Person Accounts. Which three steps need to be configured to enable self-registration using person accounts? Choose 3 answers. Enable business accounts in the Setup page. Enable person accounts in the Setup page. Under Login and Registration settings, ensure that the default account field is empty. Enable access to person and business account record types under Public Access Settings. Set organization-wide default sharing for Contact to Public Read Only. Northern Trail Outfitters wants to implement a partner community. Active community users will need to review and accept the community rules, and update key contact information for each community member before performing any further operation on the portal. Which approach will meet this requirement?. Create a custom landing page and email campaign asking all community members to login and verify their data. Add a banner to the community Home page asking users to update their profile and accept the new community rules. Create tasks for users who need to update their data or accept the new community rules. Create a login flow that conditionally prompts users who have not accepted the new community rules and who have missing or outdated information. Universal Containers is using OpenID Connect to enable a connection from their new mobile app to its production Salesforce org. What should be done to enable the retrieval of the access token status for the OpenID Connect connection?. Leverage OpenID Connect Token Introspection. Query using OpenID Connect discovery endpoint. Enable cross-origin resource sharing (CORS) for the/services/cauth2/token endpoint. Create a custom OAuth scope. |




