Otro mas 3
|
|
Título del Test:
![]() Otro mas 3 Descripción: Otro mas Otro mas Otro mas |



| Comentarios |
|---|
NO HAY REGISTROS |
|
An insurance company has a connected app in its Salesforce environment that is used to integrate with a Google Workspace (formerly known as G Suite). An identity and access management (IAM) architect has been asked to implement automation to enable users, freeze/suspend users, disable users, and reactivate existing users in Google Workspace upon similar actions in Salesforce. Which solution is recommended to meet this requirement?. Build a custom REST endpoint in Salesforce that Google Workspace can poll against. Update the Security Assertion Markup Language Just-in-Time (SAML JIT) handler in Salesforce for user provisioning and de-provisioning. Build an Apex trigger on the UserLogin object to make asynchronous callouts to Google APIS. Configure User Provisioning for Connected Apps. Universal Containers (UC) is considering a Customer 360 initiative to gain a single source of the truth for its customer data across disparate systems and services. UC wants to understand the primary benefits of Customer 360 Identity and how It contributes to a successful Customer 360 Truth project. What are two are key benefits of Customer 360 Identity as it relates to Customer 360? Choose 2 answers. Customer 360 Identity enables an organization to build a single login for each of its cactomers, giving the organization an understanding of the user's login ivity across all its digital properties and applications. Ider. Customer 360 Identity automatically integrates with Customer 360 Data Manager Customer 360 Audiences to seamlessly populate all user data. Customer 360 Identity not only provides a unified sign up and sign in experience, butionio tracks anonymous user activity prior to signing up so organizathens can understand user activity before and after the users identify tidernselves. Customer 360 Identity supports multiple brands so you can deliver centralized identity services and correlation of user activity, even if it spans multiple porate brands and user experiences. Which two things should be done to ensure end users can only use single sign-on (SSO) to login in to Salesforce? Choose 2 answers. Assign user "Is Single Sign-On Enabled" permission via profile or permission set. Once SSO is enabled, users are only able to login using Salesforce credentials. Enable My Domain and select "Prevent login from https://login.salesforce.com". Request Salesforce Support to enable delegated authentication. A global fitness equipment manufacturer is planning to sell fitness tracking devices and has the following requirements: 1) Customer purchases the device. 2) Customer registers the device using their mobile app. 3) A case should automatically be created in Salesforce and associated with the customers account in cases where the device registers issues with tracking. Which OAuth flow should be used to meet these requirements?. OAuth 2.0 User-Agent Flow. OAuth 2.0 SAML Bearer Assertion Flow. OAuth 2.0 Device Flow. OAuth 2.0 Asset Token Flow. Universal Containers (UC) currently uses Salesforce Sales Cloud and an external billing application. Both Salesforce and the billing application are accessed several times a day to manage customers. UC would like to configure single sign-on and leverage Salesforce as the identity provider. Additionally, UC would like the billing application to be accessible from Salesforce. A redirect is acceptable. Which two Salesforce tools should an identity architect recommend to satisfy the requirements? Choose 2 answers. Salesforce Canvas. Identity Connect. Connected Apps. App Launcher. A Salesforce customer is implementing Sales Cloud and a custom pricing application for its call center agents. An Enterprise single sign-on solution is used to authenticate and sign-in users to all applications. The customer has the following requirements: 1. The development team has decided to use a Canvas app to expose the pricing application to agents. 2. Agents should be able to access the Canvas app without needing to log in to the pricing application. Which two options should the identity architect consider to provide support for the Canvas app to initiate login for users? Choose 2 answers. Enable SAML in the connected app and Security Assertion Markup Language (SAML) Initiation Method as Service Provider Initiated. Enable OAuth settings in the connected app with required OAuth scopes for the pricing application. Configure the Canvas app as a connected app and set Admin- approved users as pre-authorized. Select "Enable as a Canvas Personal App" in the connected app settings. A global company has built an external application that uses data from its Salesforce org via an OAuth 2.0 authorization flow. Upon logout, the existing Salesforce OAuth token must be invalidated. Which action will accomplish this?. Use a HTTP POST to make a call to the revoke token endpoint. Use a HTTP POST to the System for Cross-domain Identity Management (SCIM) endpoint, Including the current OAuth token. Use a HTTP POST to request the refresh token for the current user,. Enable Single Logout with a secure logout URL. A global fitness equipment manufacturer uses Salesforce to manage its sales cycle. The manufacturer has a custom order fulfillment app that needs to request order data from Salesforce. The order fulfillment app needs to integrate with the Salesforce API using OAuth 2.0 protocol. What should an identity architect use to fulfill this requirement?. Authentication Providers. Connected App and OAuth Scopes. Canvas App Integration. OAuth Tokens. An identity architect has been asked to recommend a solution that allows administrators to configure personalized alert messages to users before they land on the Experience Cloud site (formerly known as Community) homepage. What is recommended to fulfill this requirement with the least amount of customization?. Use Login Flows to add a screen that shows personalized alerts. Customize the registration handler Apex class to create a routing logic navigating to different home pages based on the user profile. Build a Lightning Web Component (LWC) for a homepage that shows custom alerts. Create custom metadata that stores user alerts and use a LWC to display alerts. Universal Containers (UC) is using its production org as the identity provider for a new Experience Cloud site and the Identity architect is deciding which login experience to use for the site. Which two page types are valid login page types for the site? Choose 2 answers. Lightning Experience Page. Experience Builder Page. Embedded Login Page. Login Discovery Page. Northern Trail Outfitters (NTO) wants its customers to use phone numbers to log in to their new digital portal, which was designed and built using Salesforce Experience Cloud. In order to access the portal, the user will need to do the following: 1. Enter a phone number and/or email address 2. Enter a verification code that is to be sent via email or text. What is the recommended approach to fulfill this requirement?. Create a custom login page with an Apex controller. The controller has logic to send and verify the Identity. Create a Login Discovery page and provide a Login Discovery Handler Apex class. Create a custom login flow that uses an Apex controller to verify the phone numbers with the company's verification service. Create an Authentication provider and implement a self-registration handler class. A division of a Northern Trail Outfitters (NTO) purchased Salesforce. NTO uses a third party identity provider (IdP) to validate user credentials against its corporate Lightweight Directory Access Protocol (LDAP) directory. NTO wants to help employees remember as few passwords as possible. What should an identity architect recommend?. Setup Salesforce as a Service Provider to the existing IdP. Use Salesforce connect to synchronize LDAP passwords to Salesforce. Setup Salesforce as an IdP to authenticate against the LDAP directory. Setup Salesforce as an Authentication Provider to the existing IdP. An identity architect is Implementing a mobile-first Consumer Identity Access Management (CIAM) for external users. User authentication is the only requirement. The users email or mobile phone number should be supported as a username. Which two licenses are needed to meet this requirement? Choose 2 answers. SMS Verification Credits. External Identity Licenses. Email Verification Credits. Identity Connect Licenses. Universal Container's (UC) is using Salesforce Experience Cloud site for its container wholesale business. The Identity architect wants to use an authentication provider for the new site. Which two options should be utilized in creating an authentication provider? Choose 2 answers. A custom registration handler can be set. The default authentication provider certificate can be set. A custom error URL can be set. The default login user can be set. Users logging into Salesforce are frequently prompted to verify their identity. The identity architect is required to provide recommendations so that frequency of prompt verification can be reduced. What should the identity architect recommend to meet the requirement?. Implement multi-factor authentication for the Salesforce org. Implement 2FA authentication for the Salesforce org. Implement an single sign-on for Salesforce using an external identity provider. Set trusted IP ranges for the organization. An identity professional, responsible for ensuring secure access to the Salesforce platform, needs to audit and verify user activity during and after login. They want to monitor login attempts, track user authentication methods, and identify suspicious behavior or unauthorized access. Which tool or feature should they leverage to achieve this objective?. Salesforce Shield. Salesforce Approval Processes. Salesforce Login History. Salesforce Lightning Flow. Northern Trail Outfitters (NTO) uses a Security Assertion Markup Language (SAML)-based Identity Provider (IdP) to authenticate employees to all systems. The IdP authenticates users against a Lightweight Directory Access Protocol (LDAP) directory and has access to user information. NTO wants to minimize Salesforce license usage since only a small percentage of users need Salesforce. What is recommended to ensure new employees have immediate access to Salesforce using their current IdP?. Build an integration that queries LDAP periodically and creates new active users in Salesforce. Configure Just-in-Time provisioning using SAML attributes to create new Salesforce users as necessary when a new user attempts to login to Salesforce. Define a process where administrators manually create new users in Salesforce. Build an integration that queries LDAP and creates new inactive users in Salesforce and use a login flow to activate the user at first login. A client is planning to rollout multi-factor authentication (MFA) to its internal employees and wants to understand which authentication and verification methods meet the Salesforce criteria for secure authentication. Which three functions meet the Salesforce criteria for secure MFA? Choose 3 answers. Third-party single sign-on with Mobile Authenticator app. Username&password + Email Verification Code. Lightning Login. Username and password + SMS passcode. Username and password + security key. Universal Containers is creating a web application that will be secured by Salesforce Identity using the OAuth 2.0 Web Server Flow (this flow uses the OAuth 2.0 authorization code grant type). Which three OAuth concepts apply to this flow? Choose 3 answers. Scopes. Access Token. Authentication Token. Client Secret. Verification URL. Universal Containers is implementing a new Experience Cloud site and the identity architect wants to use dynamic branding features as part of the login process. Which two options should the identity architect recommend to support dynamic branding for the site? Choose 2 answers. An external content management system (CMS) must be used for dynamic branding on Experience Cloud sites. An experience ID (expid) or placeholder parameter must be used in the URL to represent the brand. To use dynamic branding, the community must be built with the Visualforce + Salesforce Tabs template. To use dynamic branding, the community must be built with the Customer Account Portal template. Universal Containers (UC) wants to provide single sign-on (SSO) for a business-to-consumer (B2C) application using Salesforce Identity. Which Salesforce license should UC utilize to implement this use case?. Identity Only. Salesforce Platform. Partner Community. External Identity. A financial enterprise is planning to set up a user authentication mechanism to login to the Salesforce system. Due to regulatory requirements, the CIO of the company wants user administration, including passwords and authentication requests, to be managed by an external system that is only accessible via a SOAP webservice. Which authentication mechanism should an identity architect recommend to meet the requirements?. Delegated Authentication. Just-in-Time Provisioning. OAuth Web-Server Flow. Security Assertion Markup Language (SAML) Single Sign On. NTO wants to make sure it renders login page images dynamically based on the user's brand preference selected in Heroku before Authorization. What should an identity architect do to fulfill the above requirements?. Authorize third-party service by sending authorization requests to the community_url/services/oauth2/authorize/?expid=value. Authorize third-party service by sending authorization requests to the community-url/services/oauth2/authorize/cookle value. For each brand create different communities and redirect users to the appropriate community using a custom Login controller written in Apex. Create multiple login screens using Experience Builder and use Login Flows at runtime to route to different login screens. Universal Containers is designing an identity architecture that involves integrating Salesforce with an external directory service. The external directory service will act as the central repository for user authentication and authorization across multiple systems within the organization. Which approach should be evaluated to establish trust between Salesforce and the external directory service?. Implementing a federated identity solution based on SAML (Security Assertion Markup Language). Enforcing IP-based access restrictions for Salesforce and the external directory service. Utilizing email-based verification for user authentication across the systems. Using a shared database table to synchronize user credentials between the two systems. Universal Containers (UC) is rolling out its new Customer Identity and Access Management Solution built on top of its existing Salesforce instance. UC wants to allow customers to login using Facebook, Google, and other social sign-on providers. How should this functionality be enabled for UC, assuming all social sign-on providers support OpenID Connect?. Configure a single sign-on setting and a JIT handler for each social sign-on provider. Configure an authentication provider and a registration handler for each social sign-on provider. Configure an authentication provider and a Just-In-Time (JIT) handler for each social sign-on provider. Configure a single sign-on setting and a registration handler for each social sign-on provider. Northern Trail Outfitters (NTO) believes a specific user account may have been compromised. NTO inactivated the user account and needs to perform a forensic analysis and identify signals that could indicate a breach has occurred. What should NTO's first step be in gathering signals that could indicate account compromise?. Download the Identity Provider Event Log and evaluate the details of activities performed by the user. Download the Login History and evaluate the details of logins performed by the user. Download the Setup Audit Trail and review all recent activities performed by the user. Review the User record and evaluate the login and transaction history. An identity architect's client has a homegrown identity provider (IdP). Salesforce is used as the service provider (SP). The head of IT is worried that during a SP initiated single sign-on (SSO), the Security Assertion Markup Language (SAML) request content will be altered. What should the identity architect recommend to make sure that there is additional trust between the SP and the IdP?. Encrypt the SAML Request using certification authority (CA) signed certificate and decrypt on IdP. Ensure that there is an HTTPS connection between IDP and SP. Ensure that on the SSO settings page, the "Request Signing Certificate" field has a self-signed certificate. Ensure that the Issuer and Assertion Consumer Service (ACS) URL is properly configured between SP and IDP. Northern Trail Outfitters (NTO) leverages Microsoft Active Directory (AD) for management of employee usernames, passwords, permissions, and asset access. NTO also owns a third-party single sign-on (SSO) solution. The third-party party SSO solution is used for all corporate applications, including Salesforce. NTO has asked an architect to explore Salesforce Identity Connect for automatic provisioning and deprovisioning of users in Salesforce. What role does identity Connect play in the outlined requirements?. Service Provider. User Management. Single Sign-On. Identity Provider. Northern Trail Outfitters would like to use a portal built on Salesforce Experience Cloud for customer self-service. Guests should be able to self-register, but be unable to automatically be assigned to a contact record until verified. External Identity licenses have been purchased for the project. After registered guests complete an onboarding process, a flow will create the appropriate account and contact records for the user. Which three steps should an Identity architect follow to Implement the outlined requirements? Choose 3 answers. Set up an external login page and call Salesforce APIs for user creation. Customize the self-registration Apex handler to create only the user record. Enable "Customers and partners to self-register". Customize the self-registration Apex handler to temporarily associate the user to a single shared contact record. Select the "Configurable Self-Reg Page" option under Login & Registration. A technology enterprise is setting up an identity solution with an external vendors wellness application for its employees. The user attributes need to be returned to the wellness application in an ID token. Which authentication mechanism should an identity architect recommend to meet the requirements?. Web Server Flow. OpenID Connect. JWT Bearer Token Flow. User Agent Flow. Northern Trail Outfitters (NTO) has an existing business-to-consumer (B2C) website that that does NOT support single sign-on standards, such as Security Assertion Markup Language (SAML) or OAuth. NTO wants to use Salesforce Identity to register and authenticate new customers on the website. Which three Salesforce features should an Identity architect use in order to provide social sign-in capabilities for the website? Choose 3 answers. Identity Connect. Embedded Login. Connected Apps. Authentication Providers. Delegated Authentication. An administrator created a connected app for a custom web application in Salesforce which needs to be visible as a tile in App Launcher. The tile for the custom web application is missing in the app launcher for all users in Salesforce. The administrator requested assistance from an identity architect to resolve the issue. Which two reasons are the source of the issue? Choose 2 answers. StartURL for the connected app is not set in Connected App settings. Session Policy is set as "High Assurance Session required" for this connected app. OAuth scope does not include "openid". The connected app is not set in the App menu as "Visible in App Launcher". An identity architect is setting up an integration between Salesforce and a third-party system. The third-party system needs to be able to authenticate to Salesforce and then make API calls against the REST API. One of the requirements is that the solution needs to ensure the third party service providers connected app in Salesforce minimizes the need for end user interaction and maximizes security. Which OAuth flow should be used to fulfill the requirement?. User Agent Flow. JWT Bearer Flow. Web Server Flow. Username Password Flow. Universal Containers (UC) has decided to replace the homegrown customer portal with Salesforce Experience Cloud. UC will continue to use its third-party single sign-on (SSO) solution that stores all of its customer and partner credentials. The first time a customer logs in to the Experience Cloud site through SSO, a user record needs to be created automatically. Which solution should an identity architect recommend in order to automatically provision users in Salesforce upon login?. Custom login flow and Apex handler. Custom middleware and web services. Just-in-Time (JIT) provisioning. Third-party AppExchange solution. A manufacturer wants to provide registration for an Internet of Things (IoT) device with limited display input or capabilities. Which Salesforce OAuth authorization flow should be used?. OAuth 2.0 Asset Token Flow. OAuth 2.0 JWT Bearer Flow. OAuth 2.0 Device Flow. OAuth 2.0 User-Agent Flow. A farming enterprise offers smart farming technology to its farmer customers, which includes a variety of sensors for livestock tracking, pest monitoring, climate monitoring etc. They plan to store all the data in Salesforce. They would also like to ensure timely maintenance of the installed sensors. They have engaged a Salesforce Architect to propose an appropriate way to send an alert when something goes wrong. Which OAuth flow should the architect recommend?. OAuth 2.0 SAML Bearer Assertion Flow. OAuth 2.0 Asset Token Flow. OAuth 2.0 Device Authentication Flow. OAuth 2.0 JWT Bearer Token Flow. Universal Containers want users to be able to log in to the Salesforce mobile app with their Active Directory password. Employees are unable to use mobile VPN. Which two options should an identity architect recommend to meet the requirement? Choose 2 answers. Active Directory Password Sync Plugin. Salesforce Trigger & Field on Contact Object. Salesforce Identity Connect. Configure Cloud Provider Load Balancer. A consumer products company uses Salesforce to maintain consumer information, including orders. The company implemented a portal solution using Salesforce Experience Cloud for its consumers where the consumers can log in using their credentials. The company is considering allowing users to login with their Facebook or LinkedIn credentials. Once enabled, what role will Salesforce play?. Facebook and LinkedIn will act as the IdPs and SPs. Salesforce will be the service provider (SP). Salesforce will be the identity provider (IdP). Facebook and LinkedIn will be the SPs. An organization has a central cloud-based Identity and Access Management (IAM) Service for authentication and user management, which must be utilized by all applications as follows: 1 Change of a user status in the central IAM Service triggers provisioning or deprovisioning in the integrated cloud applications... [image]... Which approach should an IAM architect implement on Salesforce Sales Cloud to meet the requirements?. Configure central IAM Service as an authentication provider and extend registration handler to manage provisioning and deprovisioning of users. Configure Salesforce as a SAML Service Provider, and enable SCIM (System for Cross-Domain Identity Management) for provisioning and deprovisioning of users. Configure Salesforce as a SAML service provider, and enable Just-in Time (JIT) provisioning and deprovisioning of users. Deploy Identity Connect component and set up automated provisioning and deprovisioning of users, as well as SAML-based SSO. A security architect is rolling out a new multi-factor authentication (MFA) mandate, where all employees must go through a secure authentication process before accessing Salesforce. There are multiple Identity Providers (IdP) in place and the architect is considering how the "Authentication Method Reference" field (AMR) in the Login History can help. Which two considerations should the architect keep in mind? Choose 2 answers. Dependency on what is supported by OpenID Connect (OIDC) Implementation at IdP. Both OIDC and Security Assertion Markup Language (SAML) are supported but AMR must be implemented at IdP. AMR field shows the authentication methods used at IdP. High-assurance sessions must be configured under Session Security Level Policies. Northern Trail Outfitters (NTO) is launching a new sportswear brand on its existing consumer portal built on Salesforce Experience Cloud. As part of the launch, emails with promotional links will be sent to existing customers to log in and claim a discount. The marketing manager would like the $port link al dynamically branded so that users will be directed to the brand they clicked on; otherwise, users will view a recognizable NTO-branded page. The campaign is launching quickly, so there is no time to procure any additional licenses. However, the development team is available to apply any required changes to the portal. Which approach should the identity architect recommend?. Use Heroku to build the new brand site and embedded login to reuse identities. Implement Experience ID in the code and extend the URLs and endpoints, as required. Configure an additional community site on the same org that is dedicated for the new brand. Create a full sandbox to replicate the portal site and update the branding accordingly. A university is planning to set up an identity solution for its alumni. A third-party identity provider will be used for single sign-on and Salesforce will be the system of records. Users are getting error messages when logging in. Which Salesforce feature should be used to debug the issue?. Apex Exception Email. Debug Logs. View Setup Audit Trail. Login History. A Salesforce Administrator is tasked with setting up Just-in-Time (JIT) provisioning for SAML to enable Single Sign-On (SSO) for your organization. They have already configured the SAML settings for SSO in Salesforce. What should be their next steps to enable JIT provisioning?. Create a new Apex class to handle JIT provisioning, implement the required methods, and assign the class to the appropriate user profiles. Create a new permission set with JIT provisioning enabled, configure the necessary permissions, and assign the permission set to relevant users. Modify the organization-wide sharing settings to allow JIT provisioning, update the sharing rules for the user object. Enable Just-in-Time User Provisioning in the SAML Single Sign-On Setting, configure the User Provisioning Type, and provide the SAML JIT Handler. Northern Trail Outfitters (NTO) is planning to build a new customer service portal and wants to use passwordless login, allowing customers to login with a one-time passcode sent to them via email or SMS. How should the quantity of required Identity Verification Credits be estimated?. Identity Verification Credits are consumed with each verification sent and should be estimated based on the number of logins that will incur a verification challenge. Each community comes with 10,000 Identity Verification Credits per month and only customers with more than 10,000 logins a month should estimate additional SMS verifications needed. Identity Verification Credits are consumed with each SMS (text message) sent and should be estimated based on the number of login verification challenges for SMS verification users. Identity Verification Credits are a direct add-on license based on the number of existing member-based or login-based Community licenses. Universal Containers uses Salesforce as an identity provider and Concur as the Employee Expense management system. The HR director wants to ensure Concur accounts for employees are created only after the appropriate approval in the Salesforce org. Which three steps should the identity architect use to Implement this requirement? Choose 3 answers. Create an approval process for User object associated with the provisioning flow. Create an approval process for UserProvisioning Request object associated with the provisioning flow. Create an approval process for a custom object associated with the provisioning flow. Enable User Provisioning for the connected app. Create a connected app for Concur in Salesforce. A service provider (SP) supports both Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). When Salesforce is acting as Identity Provider for this SP, which use case is the determining factor when choosing OIDC or SAML?. The SP needs to perform API calls back to Salesforce on behalf of the user after the user logs in to the service provider. OIDC is more secure than SAML and therefore is the obvious choice. They are equivalent protocols and there is no real reason to choose one over the other. If the user has a session on Salesforce, you do not want them to be prompted for a username and password when they login to the SP. An Identity and Access Management (IAM) architect is tasked with unifying multiple B2C Commerce sites and an Experience Cloud community with a single identity. The solution needs to support more than 1,000 logins per minute. What should the IAM Architect do to fulfill this requirement?. Create a default account for capturing all ecommerce contacts registered on the community because personAccount is not supported for this case. Configure both the community and the commerce sites as OAuth2 RPs (relying party) with an external identity provider. Confirm performance considerations with Salesforce Customer Support due to high peaks. Configure community as a Security Assertion Markup Language (SAML) identity provider and enable Just-in-Time Provisioning to B2C Commerce. A technology enterprise is planning to implement single sign-on login for users. When users log in to Salesforce, data should be populated in User object custom fields. Which two steps should an identity architect recommend? Choose 2 answers. Implement SessionManagement Class. Create and update methods. Implement RegistrationHandler Interface. Implement Auth. SamlJitHandler Interface. The CMO of an advertising company has invited an Identity and Access Management (IAM) specialist to discuss Salesforce out-of-box capabilities for configuring the company's login and registration experience on Salesforce Experience Cloud. The CMO is looking to brand the login page with the company's logo, background color, login button color, and dynamic right-frame from an external URL. Which two solutions should the IAM specialist recommend? Choose 2 answers. Login & Registration pages can be branded in the Community Administration settings. Build custom pages for branding requirements in Experience Cloud. Use Experience Builder to build branded Reset and Forgot Password pages. Build custom site pages for reset and forgot password features. A web service is developed that allows secure access to customer order status on the Salesforce Platform. The service connects to Salesforce through a connected app with the web server flow. The following are the required actions for the authorization flow: 1. User Authenticates and Authorizes Access 2. Request an Access Token 3. Salesforce Grants an Access Token 4. Request an Authorization Code 5. Salesforce Grants Authorization Code What is the correct sequence for the authorization flow?. 4, 5, 2, 3, 1. 4, 1, 5, 2, 3. 2, 1, 3, 4, 5. 1, 4, 5, 2, 3. Northern Trail Outfitters (NTO) uses the Customer 360 Platform implemented on Salesforce Experience Cloud. The development team in charge has learned of a contactless user feature, which can reduce the overhead of managing customers and partners by creating users without contact information. What is the potential impact to the architecture if NTO decides to implement this feature?. Custom registration handler is needed to correctly assign External Identity or Community license for the newly registered contactless user. If contactless user is upgraded to Community license, the contact record is automatically created and linked to the user record, but not associated with an Account. Contactless user feature is available only with the External Identity license, which can restrict the Experience Cloud functionality available to the user. Passwordless authentication can not be supported because the mobile phone receiving one-time password (OTP) needs to match the number on the contact record. Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow (this flow uses the OAuth 2.0 Implicit grant type). Which three OAuth concepts apply to this flow? Choose 3 answers. Scopes. Client ID. Authorization Code. Verification Code. Refresh Token. A company with 15,000 employees is using Salesforce and would like to take the necessary steps to highlight or curb fraudulent activity. Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours?. Login Inspector. Login History. Login Forensics. Login Report. A global company's Salesforce Identity Architect is reviewing its Salesforce production org login history and is seeing some Intermittent Security Assertion Markup Language (SAML SSO) "Replay Detected" and "Assertion Invalid" login errors. Which two issues would cause these errors? Choose 2 answers. The subject element is missing from the assertion sent to Salesforce. The assertion sent to Salesforce contains an assertion ID previously used. The current time setting of the company's Identity provider (IdP) and Salesforce platform is out of sync by more than eight minutes. The certificate loaded into SSO configuration does not match the certificate used by the IdP. Universal Containers wants to allow its customers to log in to its Experience Cloud via a third party authentication provider that supports only the OAuth protocol. What should an identity architect do to fulfill this requirement?. Contact Salesforce Support and enable delegate single sign-on. Use certificate-based authentication. Configure OpenID Connect authentication provider. Create a custom external authentication provider. Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for NTO to give its customers the ability to login with their Facebook and Twitter credentials. What should an identity architect recommend to meet these requirements?. Create a custom external authentication provider for Facebook. Setup login icon for Facebook and Twitter. Create a custom external authentication provider for Twitter. Configure a predefined authentication provider for Facebook and Twitter. A leading fitness tracker company is getting ready to launch a customer community. The company wants its customers to login to the community and connect their fitness device to their profile. Customers should be able to obtain exercise details and fitness recommendation in the community. Which should be used to satisfy this requirement?. Login Flows. Named Credentials. OAuth Asset Token flow. OAuth Device Flow. Northern Trail Outfitters manages application functional permissions centrally as Active Directory groups. The CRM_SuperUse and CRM Reporting SuperUser groups should respectively give the user the SuperUser and Reporting_SuperUser permission set in Salesforce. Salesforce is the service provider to a Security Assertion Markup Language (SAML) identity provider. How should an identity architect ensure the Active Directory groups are reflected correctly when a user accesses Salesforce?. Use the Apex Just-in-Time handler to query standard SAML attributes and set permission sets. Use the Apex Just-In-Time handler to query custom SAML attributes and set permission sets. Use a login flow to query custom SAML attributes and set permission sets. Use a login flow to query standard SAML attributes and set permission sets. A company's external application is protected by Salesforce through OAuth. The identity architect for the project needs to limit the level of access to the data of the protected resource in a flexible way. What should be done to improve security?. Select "Admin approved users are pre-authorized" and assign specific profiles. Leverage external objects and data classification policies. Create custom scopes and assign to the connected app. Define a permission set that grants access to the app and assign to authorized users. An identity professional is working on the configuration of a connected app for Universal Container's (UC) partner portal. UC wants to allow external users to access certain Salesforce data and perform limited actions. However, they also want to enforce additional security measures, such as IP restrictions and session timeout settings. Which configuration option should be used to enforce IP restrictions and session timeout settings for the connected app?. Custom Permissions. Login IP Ranges. Session Settings. Connected App OAuth policies. Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow. Application users will authenticate using username and password. They should not be forced to approve API access in the mobile app or reauthenticate for 3 months. Which two connected app options need to be configured to fulfill this use case? Choose 2 answers. Set the Session Timeout value to 3 months. Set the Refresh Token Policy to expire refresh token after 3 months. Set Permitted Users to "All users may self-authorize". Set Permitted Users to "Admin approved users are pre-authorized". Universal Containers (UC) has built a custom time tracking app for its employees on a third party system. UC wants to leverage Salesforce Identity to control access to the custom app. At a minimum, which Salesforce license is required to support this requirement?. Identity Connect. Identity Only. External Identity. Identity Verification. A financial services company uses Salesforce and has a compliance requirement to track information about devices from which users log in. Also, a Salesforce Security Administrator needs to have the ability to revoke the device from which users log in. What should be used to fulfill this requirement?. Use the Activations feature to meet the compliance requirement to track device Information. Use the Login History object to track Information about devices from which users log in. Use multi-factor authentication (MFA) to meet the compliance requirement to track device Information. Use Login Flows to capture device from which users log in and store device and user information in a custom object. A multinational company is looking to rollout Salesforce globally The company has standardized on ADFS for user authentication and has different ADFS implementations for Americas, APAC and Europe. Users will access Salesforce using the ADFS. The company would like to limit its ivestments and prefer not to procure additional applications to atisfy the requirements. /hat is recommended to ensure these requirements are met ?. Implement Identity Connect to provide single sign-on to Salesforce and federated across multiple ADFS systems. Use connected apps for each ADFS Implementation and implement Salesforce site to authenticate users across the ADFS system applicable to their geo. Configure Each ADFS system under single sign-on settings and allow users to choose the system to authenticate during sign on to Salesforce. Add a central Identity system that federates between the ADFS systems and Integrate with Salesforce for single sign-on. |




