SFDC IAM

Universal Containers is using OpenID Connect to enable a connection from their new mobile app to its production Salesforce org. What should be done to enable the retrieval of the access token status for the OpenID Connect connection?. Leverage OpenID Connect Token Introspection. Query using OpenID Connect discovery endpoint. Enable cross-origin resource sharing (CORS) for the /services/oauth2/token endpoint. Create a custom OAuth scope.

Northern Trail Outfitters wants to implement a partner community. Active community users will need to review and accept the community rules, and update key contact information for each community member before performing any further operation on the portal. Which approach will meet this requirement?. Create a custom landing page and email campaign asking all community members to login and verify their data. Add a banner to the community Home page asking users to update their profile and accept the new community rules. Create tasks for users who need to update their data or accept the new community rules. Create a login flow that conditionally prompts users who have not accepted the new community rules and who have missing or outdated information.

Northern Trail Outfitters want to allow its consumer to self-register on it business-to-consumer (B2C) portal that is built on Experience Cloud. The identity architect has recommended to use Person Accounts. Which three steps need to be configured to enable self-registration using person accounts? Choose 3 answers. Enable business accounts in the Setup page. Enable person accounts in the Setup page. Under Login and Registration settings, ensure that the default account field is empty. Enable access to person and business account record types under Public Access Settings. Set organization-wide default sharing for Contact to Public Read Only.

When designing a multi-branded Customer Identity and Access Management solution on the Salesforce Platform, how should an identity architect ensure a specific brand experience in Salesforce is presented?. The Experience ID, which can be included in OAuth/Open ID flows and Security Assertion Markup Language (SAML) flows as a URL parameter. The Audience ID, which can be set in a shared cookie. Add a custom parameter to the service provider’s OAuth/SAML call and implement logic on its login page to apply branding based on the parameters value. Provide a brand picker that the end user can use to select its sub-brand when they arrive on Salesforce.

Northern Trail Outfitters (NTO) is planning to roll out a partner portal for its distributors using Experience Cloud. NTO would like to use an external identity provider (IdP) and for partners to register for access to the portal. Each partner should be allowed to register only once to avoid duplicate accounts with Salesforce. What should a identity architect recomend to create partners?. Create a custom page in Experience Cloud to self register partner with Experience Cloud and Ping Identity store. On successful creation of Partners using Self Registration page in Experience Cloud, create Identity in Ping. Create a custom web page in the Portal and create users in the IdP and Experience Cloud using published APIs. Allow partners to register through the IdP and create partner users in Salesforce through an API.

Northern Trail Outfitters has implemented OAuth 2.0 for its single sign-on (SSO) solution, allowing users to authenticate and access Salesforce resources using external identity providers. However, some users are reporting intermittent logouts when trying to access Salesforce through SSO. What can be a potential point of failure that should be considered during troubleshooting?. Expiration or revocation of the access token issued by the identity provider. Misconfiguration of the user’s device, such as an outdated web browser or disabled JavaScript. Delays in the network routing between the user’s location and the Salesforce servers. Insufficient user permissions in Salesforce causing access issues.

Universal Containers (UC) is using its production org as the identity provider for a new Experience Cloud site and the identity architect is deciding which login experience to use for the site. Which two page types are valid login page types for the site?. Login Discovery Page. Experience Builder Page. Embedded Login Page. Lightning Experience Page.

An organization has a central cloud-based Identity and Access Management (IAM) Service for authentication and user management, which must be utilized by all applications as follows: 1 - Change of a user status in the central IAM Service triggers provisioning or deprovisioning in the integrated cloud applications. 2 - Security Assertion Markup Language single sign-on (SSO) is used to facilitate access for users authenticated at identity provider (Central IAM Service). Which approach should an IAM architect implement on Salesforce Sales Cloud to meet the requirements?. Configure Salesforce as a SAML service provider, and enable Just-In Time (JIT) provisioning and deprovisioning of users. Configure central IAM Service as an authentication provider and extend registration handler to manage provisioning and deprovisioning of users. Configure Salesforce as a SAML Service Provider, and enable SCIM (System for Cross-Domain Identity Management) for provisioning and deprovisioning of users. Deploy Identity Connect component and set up automated provisioning and deprovisioning of users, as well as SAML-based SSO.

A Salesforce customer is implementing Sales Cloud and a custom pricing application for its call center agents. An Enterprise single sign-on solution is used to authenticate and sign-in users to all applications. The customer has the following requirements: 1. The development team has decided to use a Canvas app to expose the pricing application to agents. 2. Agents should be able to access the Canvas app without needing to log in to the pricing application. Which two options should the identity architect consider to provide support for the Canvas app to initiate login for users? Choose 2 answers. Configure the Canvas app as a connected app and set Admin-approved users as pre-authorized. Select "Enable as a Canvas Personal App" in the connected app settings. Enable OAuth settings in the connected app with required OAuth scopes for the pricing application. Enable SAML in the connected app and Security Assertion Markup Language (SAML) Initiation Method as Service Provider Initiated.

An Identity and Access Management (IAM) Architect is recommending Identity Connect to integrate Microsoft Active Directory (AD) with Salesforce for user provisioning, deprovisioning and single sign-on (SSO). Which feature of Identity Connect is applicable for this scenario?. Identify Connect can be deployed as a managed package on Salesforce org, leveraging High Availability of Salesforce Platform out-of-the-box. When configured, Identity Connect acts as an identity provider to both Active Directory and Salesforce, thus providing SSO as a default feature. If the number of provisioned users exceeds Salesforce licence allowances, Identity Connect will start disabling the existing Salesforce users in First-in, First-out (FIFO) fashion. When Identity Connect is in place, if a user is deprovisioned in an on-premise AD, the user’s Salesforce session is revoked immediately.

Universal Containers (UC) uses Salesforce as a CRM and identity provider (IdP) for their Sales Team to seamlessly login to internal portals. The IT team at UC is now evaluating Salesforce to act as an IdP for its remaining employees. Which Salesforce license is required to full fill this requirement?. Identify Verification. Identify Connect. Identify Only. External Identity.

Northern Trail Outfitters (NTO) is setting up Salesforce to authenticate users with an external identity provider. The NTO Salesforce Administrator is having trouble getting things setup. What should an identity architect use to show which part of the login assertion is failing?. Security Assertion Markup Language Validator. Connected App Manager. SAML Metadata file importer. Identity Provider Metadata download.

An identity architect is implementing a mobile-first Consumer Identity Access Management (CIAM) for external users. User authentication is the only requirement. The users email or mobile phone number should be supported as a username. Which two licenses are needed to meet this requirement? Choose 2 answers. External Identity Licenses. Email Verification Credits. Identity Connect Licenses. SMS Verification Credits.

Northern Trail Outfitters manages application functional permissions centrally as Active Directory groups. The CRM_SuperUser and CRM_Reporting_SuperUser groups should respectively give the user the SuperUser and Reporting_SuperUser permission set in Salesforce. Salesforce is the service provider to a Security Assertion Markup Language (SAML) identity provider. How should an identity architect ensure the Active Directory groups are reflected correctly when a user accesses Salesforce?. Use the Apex Just-in-Time handler to query custom SAML attributes and set permission sets. Use a login flow to query standard SAML attributes and set permission sets. Use a login flow to query custom SAML attributes and set permission sets. Use the Apex Just-in-Time handler to query standard SAML attributes and set permission sets.

Universal Containers (UC) rolling out a new Customer Identity and Access Management Solution will be built on top of their existing Salesforce instance. Several service providers have been setup and integrated with Salesforce using OpenID Connect to allow for a seamless single sign-on experience. UC has a requirement to limit users to sign on directly from the Salesforce org to the external Service provider app that accepts OpenID Connect. Which two steps should be done on the platform to satisfy the requirement? Choose 2 answers. Manage which connected apps a user has access to by assigning authentication providers to the users profile. Assign the connected app to the customer community, and enable the users profile in the Community settings. Set each of the Connected App access settings to Admin Pre-Approved. Use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps.

A technology enterprise is planning to implement single sign-on login for users. When users log in to Salesforce, data should be populated in User object custom fields. Which two steps should an identity architect recommend? Choose 2 answers. Implement Auth.SamJitHandler Interface. Implement SessionManagement Class. Create and update methods. Implement RegistrationHandler Interface.

Northern Trail Outfitters (NTO) uses Salesforce for Sales Opportunity Management. Okta was recently brought in to Just-in-Time (JIT) provision and authenticate NTO users to applications. Salesforce users also use Okta to authorize a Forecasting web application to access Salesforce records on their behalf. Which two roles are being performed by Salesforce? Choose 2 answers. OAuth Resource Server. SAML Service Provider. OAuth Client. SAML Identity Provider.

Universal Containers (UC) has an Experience Cloud site (Customer Community) where customers can authenticate and place orders, view the status of orders, etc. UC allows guest checkout. How can a guest register using data previously collected during order placement?. Enable self-registration and customize a self-registration page to collect only order details to retrieve customer data. Enable Security Assertion Markup Language (SAML) Sign-On and use a login flow to collect only order details to retrieve customer data. Enable Facebook as an authentication provider and use a registration handler to collect only order details to retrieve customer data. Use a Connected App Handler.Apex Plugin class to collect only order details to retrieve customer data.

The executive sponsor for an organization has asked if Salesforce supports the ability to embed a login widget into its service providers in order to create a more seamless user experience. What should be used and considered before recommending it as a solution on the Salesforce Platform?. Embedded Login. Identify what level of UI customization will be required to make it match the service providers look and feel. Salesforce REST APIs. Ensure that Secure Sockets Layer (SSL) connection for the integration is used. OpenID Connect Web Server Flow. Determine if the service provider is secure enough to store the client secret on. Embedded Login. Consider whether or not it relies on third party cookies which can cause browser compatibility issues.

A farming enterprise offers smart farming technology to its farmer customers, which includes a variety of sensors for livestock tracking, pest monitoring, climate monitoring etc. They plan to store all the data in Salesforce. They would also like to ensure timely maintenance of the installed sensors. They have engaged a Salesforce Architect to propose an appropriate way to send an alert when something goes wrong. Which OAuth flow should the architect recommend?. OAuth 2.0 SAML Bearer Assertion Flow. OAuth 2.0 Device Authentication Flow. OAuth 2.0 Asset Token Flow. OAuth 2.0 JWT Bearer Token Flow.

A web service is developed that allows secure access to customer order status on the Salesforce Platform. The service connects to Salesforce through a connected app with the web server flow. The following are the required actions for the authorization flow: 1. User Authenticates and Authorizes Access 2. Request an Access Token 3. Salesforce Grants an Access Token 4. Request an Authorization Code 5. Salesforce Grants Authorization Code What is the correct sequence for the authorization flow?. 4, 1, 5, 2, 3. 4, 5, 2, 3, 1. 1, 4, 5, 2, 3. 2, 1, 3, 4, 5.

An identity architect has been asked to recommend a solution that allows administrators to configure personalized alert messages to users before they land on the Experience Cloud site (formerly known as Community) homepage. What is recommended to fulfill this requirement with the least amount of customization?. Customize the registration handler Apex class to create a routing logic navigating to different home pages based on the user profile. Use Login Flows to add a screen that shows personalized alerts. Create custom metadata that stores user alerts and use a LWC to display alerts. Build a Lightning Web Component (LWC) for a homepage that shows custom alerts.

Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow (this flow uses the OAuth 2.0 implicit grant type). Which three OAuth concepts apply to this flow? Choose 3 answers. Scopes. Client ID. Authorization Code. Verification Code. Refresh Token.

A real estate company wants to provide its customers a digital space to design their interior decoration options. To simplify the registration to gain access to the community site (built in Experience Cloud), the CTO has requested that the IT/Development team provide the option for customers to use their existing social-media credentials to register and access. The IT lead has approached the Salesforce Identity and Access Management (IAM) architect for technical direction on implementing the social sign-on (for Facebook, Twitter, and a new provider that supports standard OpenID Connect (OIDC)). Which two recommendations should the Salesforce IAM architect make to the IT Lead? Choose 2 answers. For supporting OIDC it is necessary to enable Security Assertion Markup Language (SAML) with Just-In-Time provisioning (JIT) and OAuth 2.0. Authentication provider configuration is required each social sign-on providers; and enable Authentication providers in community. Apex coding skills are needed for registration handler to create and update users. Use declarative registration handler process builder/flow to create, update users and contacts.

A third-party app provider would like to have users provisioned via a service endpoint before users access their app from Salesforce. What should an identity architect recommend to configure the requirement with limited changes to the third-party app?. Use a connected app with user provisioning flow. Redirect users to the third-party app for registration. Create Canvas app in Salesforce for third-party app to provision users. Use Salesforce Identity with Security Assertion Markup Language (SAML) for provisioning users.

An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The following are the requirements for the solution: 1. Users should not have to login every time they use the app. 2. The app should be able to make calls to the Salesforce REST API. 3. End users should NOT see the OAuth approval page. How should the identity architect configure the Salesforce connected app to meet the requirements?. Enable the API Scope and Offline Access Scope on the connected app, and then set the Connected App access settings to "User may self authorize". Enable the Full Access Scope and then set the connected app access settings to "Admin Pre-Approved". Enable the API Scope and Offline Access Scope on the connected app, and then set the connected app to access settings to "Admin Pre-Approved". Enable the API Scope and Offline Access Scope, upload a certificate so JWT Bearer Flow can be used and then set the connected app access settings to "Admin Pre-Approved".

Users logging into Salesforce are frequently prompted to verify their identity. The identity architect is required to provide recommendations so that frequency of prompt verification can be reduced. What should the identity architect recommend to meet the requirement?. Implement an single sign-on for Salesforce using an external identity provider. Set trusted IP ranges for the organization. Implement 2FA authentication for the Salesforce org. Implement multi-factor authentication for the Salesforce org.

Northern Trail Outfitters (NTO) has a number of employees who do NOT need access Salesforce objects. The employees should sign in to a custom Benefits web app using their Salesforce credentials. Which license should the identity architect recommend to fulfill this requirement?. Identify Only License. Identify Verification Credits Add-On License. External Identity License. Identify Connect License.

Universal Containers wants to allow its customers to log in to its Experience Cloud via a third party authentication provider that supports only the OAuth protocol. What should an identity architect do to fulfill this requirement?. Contact Salesforce Support and enable delegate single sign-on. Configure OpenID Connect authentication provider. Create a custom external authentication provider. Use certificate-based authentication.

Universal Containers is building a web application that will connect with the Salesforce API using JWT OAuth Flow. Which two settings need to be configured in the connect app to support this requirement? Choose 2 answers. The Use Digital Signature option in the connected app. The "web" OAuth scope in the connected app. The "api" OAuth scope in the connected app. The "eclair_api" OAuth scope in the connected app.

Universal Containers wants to secure its Salesforce APIs by using an existing Security Assertion Markup Language (SAML) configuration that supports the company's single sign-on process to Salesforce. Which Salesforce OAuth authorization flow should be used?. OAuth 2.0 JWT Bearer Flow. OAuth 2.0 SAML Bearer Assertion Flow. OAuth 2.0 User-Agent Flow. SAML Assertion Flow.

An Identity and Access Management (IAM) architect is tasked with unifying multiple B2C Commerce sites and an Experience Cloud community with a single identity. The solution needs to support more than 1,000 logins per minute. What should the IAM Architect do to fulfill this requirement?. Create a default account for capturing all ecommerce contacts registered on the community because personAccount is not supported for this case. Confirm performance considerations with Salesforce Customer Support due to high peaks. Configure community as a Security Assertion Markup Language (SAML) identity provider and enable Just-In-Time Provisioning to B2C Commerce. Configure both the community and the commerce sites as OAuth2 RPs (relying party) with an external identity provider.

Universal Containers allows employees to use a mobile device to access Salesforce for daily operations using a hybrid mobile app. This app uses Mobile software development kits (SDK), leverages refresh token to regenerate access token when required and is distributed as a private app. The chief security officer is rolling out an org wide compliance policy to enforce re-verification of devices if an employee has not logged in from that device in the last week. Which connected app setting should be leveraged to comply with this policy change?. Scope - Deny refresh_token scope for this connected app. Permitted User - Ask admins to maintain a list of users who are permitted based on last login date. Session Policy - Set timeout value of the connected app to 7 days. Refresh Token Policy - Expire the refresh token if it has not been used for 7 days.

Northern Trail Outfitters recently acquired a company. Each company will retain its Identity Provider (IdP). Both companies rely extensively on Salesforce processes that send emails to users to take specific actions in Salesforce. How should the combined companys' employees collaborate in a single Salesforce org, yet authenticate to the appropriate IdP?. Configure unique MyDomains for each company and have generated links use the appropriate MyDomain in the URL. Have generated links append a quenystring parameter indicating the IdP. The login service will redirect to the appropriate IdP. Enable each IdP as a login option in the My Domain Authentication Service settings. Users will then click on the appropriate IdP button. Have generated links be prefixed with the appropriate IdP URL to invoke an idP-initiated Security Assertion Markup Language flow when clicked.

A global company's Salesforce Identity Architect is reviewing its Salesforce production org login history and is seeing some intermittent Security Assertion Markup Language (SAML SSO) "Replay Detected" and "Assertion Invalid" login errors. Which two issues would cause these errors? Choose 2 answers. The certificate loaded into SSO configuration does not match the certificate used by the IdP. The subject element is missing from the assertion sent to Salesforce. The current time setting of the company's identity provider (IdP) and Salesforce platform is out of sync by more than eight minutes. The assertion sent to Salesforce contains an assertion ID previously used.

Northern Trail Outfitters (NTO) has an existing business-to-consumer (B2C) website that that does NOT support single sign-on standards, such as Security Assertion Markup Language (SAML) or OAuth. NTO wants to use Salesforce Identity to register and authenticate new customers on the website. Which three Salesforce features should an Identity architect use in order to provide social sign-in capabilities for the website? Choose 3 answers. Connected Apps. Authentication Providers. Delegated Authentication. Embedded Login. Identity Connect.

A global company is using the Salesforce Platform as an Identity Provider and needs to integrate a third-party application with its Experience Cloud customer portal. Which two features should be utilized to provide users with login and identity services for the third-party application? Choose 2 answers. Use the App Launcher with single sign-on (SSO). Use Delegated Authentication. Use a connected app. External a Data source with Named Principal identity type.

Northern Trail Outfitters (NTO) uses the Customer 360 Platform implemented on Salesforce Experience Cloud. The development team in charge has learned of a contactless user feature, which can reduce the overhead of managing customers and partners by creating users without contact information. What is the potential impact to the architecture if NTO decides to implement this feature?. Custom registration handler is needed to correctly assign External Identity or Community license for the newly registered contactless user. If contactless user is upgraded to Community license, the contact record is automatically created and linked to the user record, but not associated with an Account. Contactless user feature is available only with the External Identity license, which can restrict the Experience Cloud functionality available to the user. Passivordless authentication can not be supported because the mobile phone receiving one-time password (OTP) needs to match the number on the contact record.

An identity professional working on a project to integrate a third-party application with Salesforce, is tasked with evaluating OAuth options. The project requires fine-grained access control and the ability to obtain long-lived access tokens. Which OAuth flow would best full fill the project requirements?. Client Credentials flow. Authorization Code flow. Implicit flow. Username-password grant.

An identity architect's client has a homegrown identity provider (IdP). Salesforce is used as the service provider (SP). The head of IT is worried that during a SP initiated single sign-on (SSO), the Security Assertion Markup Language (SAML) request content will be altered. What should the identity architect recommend to make sure that there is additional trust between the SP and the IdP?. Ensure that there is an HTTPS connection between IDP and SP. Encrypt the SAML Request using certification authority (CA) signed certificate and decrypt on IdP. Ensure that the Issuer and Assertion Consumer Service (ACS) URL is properly configured between SP and IDP. Ensure that on the SSO settings page, the "Request Signing Certificate" field has a self-signed certificate.

Northern Trail Outfitters wants to enable single sign-on (SSO) for its Salesforce platform by integrating it with an identity provider (IdP). Which step should be performed to establish the trust between Salesforce and the identity provider (IdP)?. Setting up a VPN (Virtual Private Network) tunnel between Salesforce and the identity provider for secure communication. Embedding the identity provider’s authentication code directly into Salesforce source code. Configuring a trust relationship by exchanging metadata XML files between Salesforce and the IdP. Creating a custom login page within the Salesforce platform for user authentication.

Universal Containers has multiple Salesforce instances where users receive emails from different instances. Users should be logged into the correct Salesforce instance authenticated by their IdP when clicking on an email link to a Salesforce record. What should be enabled in Salesforce as a prerequisite?. External Identity. My Domain. Multi-Factor Authentication. Identity Provider.

A large consumer company is planning to create a community and will require login through the customers social identity. The following requirements must be met: 1. The customer should be able to login with any of their social identities, however Salesforce should only have one user per customer. 2. Once the customer has been identified with a social identity, they should not be required to authorize Salesforce. 3. The customers personal details from the social sign on need to be captured when the customer logs into Salesforce using their social identity. 3. If the customer modifies their personal details in the social site, the changes should beupdated in Salesforce . Which two options allow the Identity Architect to fulfill the requirements? Choose 2 answers. Use Login Flows to call an authentication registration handler to provision the user before logging the user into the community. Use the custom registration handler to link social identities to Salesforce identifies. Use authentication providers for social sign-on and use the custom registration handler to insert or update personal details. Redirect the user to a custom page that allows the user to select an existing social identity for login.

Northern Trail Outfitters (NTO) recently purchased Salesforce Identity Connect to streamline user provisioning across Microsoft Active Directory (AD) and Salesforce Sales Cloud. NTO has asked an identity architect to identify which Salesforce security configurations can map to AD permissions. Which three Salesforce permissions are available to map to AD permissions? Choose 3 answers. Sharing Rules. Public Groups. Permission Set License. Roles. Profiles and Permission Sets.

An Enterprise is using a Lightweight Directory Access Protocol (LDAP ) server as the only point for user authentication with a username/password. Salesforce leverages delegated authentication to integrate with the LDAP. How can end users change their password?. Users can change it on the enterprise LDAP authentication portal. Users can click on the "Forgot your Password" link on the Salesforce.com login page. Users can request the Salesforce Admin to reset their password. Users once logged in, can go to the Change Password screen in Salesforce.

A multinational company using the Salesforce platform wants to implement robust user activity verification capabilities to detect unauthorized access and unusual login patterns. They need real-time monitoring and alerting functionalities to respond promptly to security incidents. Which Salesforce tool should be utilized to achieve these requirements?. Salesforce Event Monitoring and Event Log Files. Salesforce Profiles. Salesforce Platform Encryption. Salesforce Data Loader.

Universal Containers (UC) is planning to add Wi-Fi enabled GPS tracking devices to its shipping containers so that the GPS coordinates data can be sent from the tracking device to its Salesforce production org via a custom API. The GPS devices have no direct user input or output capabilities. Which OAuth flow should the identity architect recommend to meet the requirement?. OAuth 2.0 Asset Token Flow for Securing Connected Devices. OAuth 2.0 Web Server Flow for Web App Integration. OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration. OAuth 2.0 Username-Password Flow for Special Scenarios.

A company's external application is protected by Salesforce through OAuth. The identity architect for the project needs to limit the level of access to the data of the protected resource in a flexible way. What should be done to improve security?. Select "Admin approved users are pre-authorized" and assign specific profiles. Create custom scopes and assign to the connected app. Leverage external objects and data classification policies. Define a permission set that grants access to the app and assign to authorized users.

Universal Containers (UC) uses Salesforce for its customer service agents. UC has a proprietary system for order tracking which supports Security Assertion Markup Language (SAML) based single sign-on. The VP of customer service wants to ensure only active Salesforce users should be able to access the order tracking system which is only visible within Salesforce. What should be done to fulfill the requirement? Choose 2 answers. Set up the Corporate Identity store as an identity provider (IdP) for Order Tracking. Customize Order Tracking to initiate a REST call to validate users in Salesforce after login. Setup Salesforce as an identity provider (IdP) for Order Tracking. Setup Order Tracking as a Canvas app in Salesforce to POST IdP initiated SAML assertion.

Universal Container’s (UC) is using Salesforce Experience Cloud site for its container wholesale business. The identity architect wants to use an authentication provider for the new site. Which two options should be utilized in creating an authentication provider? Choose 2 answers. The default login user can be set. A custom error URL can be set. The default authentication provider certificate can be set. A custom registration handler can be set.

Northern Trail Outfitters is implementing a business-to-business (B2B) collaboration site using Salesforce Experience Cloud. The partners will authenticate with an existing identity provider and the solution will utilize Security Assertion Markup Language (SAML) to provide single sign-on to Salesforce. Delegated administration will be used in the Experience Cloud site to allow the partners to administer their users' access. How should a partner identity be provisioned in Salesforce for this solution?. Create a user and a related contact. Create only a contact. Create a contactless user. Create a person account.