The Secret Of Salesforce Identity-and-Access-Management-Architect Preparation

NEW QUESTION 1
Universal containers (UC) is setting up Delegated Authentication to allow employees to log in using their corporate credentials. UC's security team is concerned about the risk of exposing the corporate login service on the Internet and has asked that a reliable trust mechanism be put in place between the login service and salesforce. What mechanism should an architect put in place to enable a trusted connection between the login services and salesforce?

• A. Include client ID and client secret in the login header callout.
• B. Set up a proxy server for the login service in the DMZ.
• C. Require the use of Salesforce security Tokens on password.
• D. Enforce mutual Authentication between systems using SSL.

Answer: D

Explanation:
To enable a trusted connection between the login services and Salesforce, UC should enforce mutual authentication between systems using SSL. Mutual authentication is a process in which both parties in a communication verify each other’s identity using certificates7. SSL (Secure Sockets Layer) is a protocol that provides secure communication over the Internet using encryption and certificates8. By using mutual authentication with SSL, UC can ensure that only authorized login services can access Salesforce and vice versa. This can prevent unauthorized access, impersonation, or phishing attacks.
References: Mutual Authentication, SSL (Secure Sockets Layer)

NEW QUESTION 2
Universal Containers (UC) has built a custom token-based Two-factor authentication (2FA) system for their existing on-premise applications. They are now implementing Salesforce and would like to enable a
Two-factor login process for it, as well. What is the recommended solution as Architect should consider?

• A. Use the custom 2FA system for on-premise applications and native 2FA for Salesforce.
• B. Replace the custom 2FA system with an AppExchange App that supports on premise application and salesforce.
• C. Use Custom Login Flows to connect to the existing custom 2FA system for use in Salesforce.
• D. Replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce.

Answer: D

Explanation:
The recommended solution for UC to enable a two-factor login process for Salesforce and their existing
on-premise applications is to replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce. Salesforce 2FA is a feature that requires users to verify their identity with a second factor, such as a verification code or a mobile app, after entering their username and password. Salesforce 2FA can be enabled for both Salesforce and on-premise applications by using one of the following methods:
Use Salesforce Authenticator, a mobile app that generates verification codes or sends push notifications to users’ devices.
Use a third-party authenticator app, such as Google Authenticator or Microsoft Authenticator, that generates verification codes based on a shared secret key.
Use a verification code sent by email or SMS to users’ registered email address or phone number.
Use a U2F security key, such as YubiKey, that plugs into users’ devices and provides a physical token. By replacing the custom 2FA system with Salesforce 2FA, UC can benefit from the following advantages:
Improved security and compliance by using a standard and proven 2FA solution that protects against
phishing, credential theft, and brute force attacks.
Reduced complexity and cost by eliminating the need to maintain a custom 2FA system and integrating it with Salesforce.
Enhanced user experience and convenience by providing multiple options for verifying identity and allowing users to remember trusted devices or browsers.
The other options are not recommended solutions for this scenario. Using the custom 2FA system for
on-premise applications and native 2FA for Salesforce would create inconsistency and confusion for users who have to use different methods of verification for different applications. Replacing the custom 2FA system with an AppExchange app that supports on-premise applications and Salesforce would require UC to find an app that meets their specific needs and pay for its license and maintenance. Using custom login flows to connect to the existing custom 2FA system for use in Salesforce would require UC to write custom code and logic to invoke the custom 2FA system from Salesforce, which could introduce security and performance issues. References: [Two-Factor Authentication], [Salesforce Authenticator], [Third-Party Authenticator Apps], [Verification Code via Email or SMS], [U2F Security Keys], [Custom Login Flows]

NEW QUESTION 3
Universal Containers (UC) is building a custom Innovation platform on their Salesforce instance. The Innovation platform will be written completely in Apex and Visualforce and will use custom objects to store the Data. UC would like all users to be able to access the system without having to log in with Salesforce credentials. UC will utilize a third-party idp using SAML SSO. What is the optimal Salesforce licence type for all of the UC employees?

• A. Identity Licence.
• B. Salesforce Licence.
• C. External Identity Licence.
• D. Salesforce Platform Licence.

Answer: D

Explanation:
The optimal Salesforce license type for all of the UC employees who will access the custom Innovation platform without logging in with Salesforce credentials is the Salesforce Platform license. The Salesforce Platform license allows users to access custom applications built on the Lightning Platform, such as Apex and Visualforce, and use standard objects such as accounts, contacts, reports, dashboards, and custom tabs. It also supports SSO with a third-party identity provider using SAML. Option A is not a good choice because the Identity license is designed for users who need to access Salesforce Identity features, such as identity provider, social sign-on, and user provisioning, but not for users who need to access custom applications. Option B is not a good choice because the Salesforce license is designed for users who need full access to standard CRM and Lightning Platform features, such as leads, opportunities, campaigns, forecasts, and contracts, but it may be unnecessary or expensive for users who only need to access custom applications. Option C is not a good choice because the External Identity license is designed for users who are external to the organization, such as customers or partners, but not for users who are internal employees.
References: Salesforce Help: User License Types, [Salesforce Help: Single Sign-On for Desktop and Mobile Applications using SAML and OAuth]

NEW QUESTION 4
Universal Containers (UC) wants to integrate a third-party Reward Calculation system with Salesforce to calculate Rewards. Rewards will be calculated on a schedule basis and update back into Salesforce. The integration between Salesforce and the Reward Calculation System needs to be secure. Which are two recommended practices for using OAuth flow in this scenario. choose 2 answers

• A. OAuth Refresh Token FLow
• B. OAuth Username-Password Flow
• C. OAuth SAML Bearer Assertion FLow
• D. OAuth JWT Bearer Token FLow

Answer: CD

Explanation:
OAuth is an open-standard protocol that allows a client app to access protected resources on a resource server, such as Salesforce API, by obtaining an access token from an authorization server. OAuth supports different types of flows, which are ways of obtaining an access token. For integrating a third-party Reward Calculation system with Salesforce securely, two recommended practices for using OAuth flow are:
OAuth SAML Bearer Assertion Flow, which allows the client app to use a SAML assertion issued by a trusted identity provider to request an access token from Salesforce. This flow does not require the client app to store any credentials or secrets, and leverages the existing SSO infrastructure between Salesforce and the identity provider.
OAuth JWT Bearer Token Flow, which allows the client app to use a JSON Web Token (JWT) signed by a private key to request an access token from Salesforce. This flow does not require any user interaction or consent, and uses a certificate to verify the identity of the client app.
Verified References: [OAuth 2.0 SAML Bearer Assertion Flow for Server-to-Server Integration], [OAuth 2.0 JWT Bearer Token Flow for Server-to-Server Integration]

NEW QUESTION 5
Universal containers uses an Employee portal for their employees to collaborate. employees access the portal from their company's internal website via SSO. It is set up to work with Active Directory. What is the role of Active Directory in this scenario?

• A. Identity store
• B. Authentication store
• C. Identity provider
• D. Service provider

Answer: C

Explanation:
The role of Active Directory in this scenario is an identity provider. An identity provider is an application that authenticates users and provides information about them to service providers6. A service provider is an application that provides a service to users and relies on an identity provider for authentication6. In this scenario, the employee portal is a service provider that provides collaboration features to employees and relies on Active Directory for authentication. Active Directory is an identity provider that authenticates employees using their corporate credentials and sends information about them to the employee portal7.
References: Identity Provider Overview, Configure SSO to Salesforce Using Microsoft AD FS as the Identit
Provider

NEW QUESTION 6
Which three types of attacks would a 2-Factor Authentication solution help garden against?

• A. Key logging attacks
• B. Network perimeter attacks
• C. Phishing attacks
• D. Dictionary attacks
• E. Man-in-the-middle attacks

Answer: ACDE

Explanation:
A 2-Factor Authentication (2FA) solution is a type of multi-factor authentication (MFA) that requires users to provide two verification factors to access a system or application. The verification factors can be something the user knows (e.g., password), something the user has (e.g., phone), or something the user is (e.g., fingerprint). A 2FA solution can help prevent common cyberattacks that rely on stealing or guessing passwords, such as:
Key logging attacks: These are attacks where a malicious program records the keystrokes of a user, including their passwords, and sends them to the attacker. A 2FA solution can prevent this attack by requiring an additional factor that is not typed by the user, such as a verification code sent to their phone or a biometric scan.
Phishing attacks: These are attacks where an attacker sends a fake email or website that looks like it came from a trusted source, and tricks the user into providing their credentials or other sensitive information. A 2FA solution can prevent this attack by requiring an additional factor that is not known by the attacker, such as a verification code generated by an authenticator app or a hardware token.
Dictionary attacks: These are attacks where an attacker tries to guess a user’s password by using a list of common or likely passwords, such as “password” or “123456”. A 2FA solution can prevent this attack by requiring an additional factor that is not based on a password, such as a fingerprint scan or a facial recognition.
A man-in-the-middle attack is when an attacker intercepts and alters the communication between two parties, such as a user and a website. A 2-Factor Authentication solution can help prevent this type of attack by requiring a second factor of authentication that the attacker cannot access or spoof, such as a code sent to the user’s phone or a hardware token
References: 1: What Is Two-Factor Authentication (2FA)? | Microsoft Security 2: What type of attacks doe Multi-Factor Authentication prevent?

NEW QUESTION 7
Northern Trail Outfitters would like to automatically create new employee users in Salesforce with an appropriate profile that maps to its Active Directory Department.
How should an identity architect implement this requirement?

• A. Use the createUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.
• B. Use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign theappropriate profile.
• C. Use a login flow to collect Security Assertion Markup Language attributes and assign the appropriate profile during Just-In-Time (JIT) provisioning.
• D. Make a callout during the login flow to query department from Active Directory to assign the appropriate profile.

Answer: B

Explanation:
To automatically create new employee users in Salesforce with an appropriate profile that maps to their Active Directory Department, the identity architect should use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile. JIT provisioning is a feature that allows Salesforce to create or update user records on the fly when users log in through an external identity provider, such as Active Directory. The updateUser method is a method in the Auth.RegistrationHandler interface that defines how to update an existing user in Salesforce based on the information from the external identity provider. The identity architect can use this method to assign the appropriate profile to the user based on their department attribute. References: Just-in-Time Provisioning for SAML and OpenID Connect, Create a Custom Registration Handler

NEW QUESTION 8
A web service is developed that allows secure access to customer order status on the Salesforce Platform. The service connects to Salesforce through a connected app with the web server flow. The following are the required actions for the authorization flow:
* 1. User Authenticates and Authorizes Access
* 2. Request an Access Token
* 3. Salesforce Grants an Access Token
* 4. Request an Authorization Code
* 5. Salesforce Grants Authorization Code
What is the correct sequence for the authorization flow?

• A. 1, 4, 5, 2, 3
• B. 4, 1, 5, 2, 3
• C. 2, 1, 3, 4, 5
• D. 4,5,2, 3, 1

Answer: B

Explanation:
The web server flow is an OAuth 2.0 authorization code grant type, which follows this sequence of steps:
The client app requests an authorization code from Salesforce by redirecting the user to the authorization endpoint.
The user authenticates and authorizes access to the client app.
Salesforce grants an authorization code and redirects the user back to the client app.
The client app requests an access token from Salesforce by sending the authorization code to the token endpoint.
Salesforce grants an access token and a refresh token to the client app. References: OAuth Authorization Flows, Authorize Apps with OAuth

NEW QUESTION 9
Universal containers (UC) has built a custom based Two-factor Authentication (2fa) system for their existing on-premise applications. Thru are now implementing salesforce and would like to enable a Two-factor login process for it, as well. What is the recommended solution an architect should consider?

• A. Replace the custom 2fa system with salesforce 2fa for on-premise application and salesforce.
• B. Use the custom 2fa system for on-premise applications and native 2fa for salesforce.
• C. Replace the custom 2fa system with an app exchange app that supports on-premise applications and salesforce.
• D. Use custom login flows to connect to the existing custom 2fa system for use in salesforce.

Answer: D

Explanation:
Using custom login flows to connect to the existing custom 2fa system for use in salesforce is the recommended solution because it allows you to leverage your existing 2fa infrastructure and provide a consistent user experience across your applications. Custom login flows let you customize the authentication process by adding extra screens or logic before or after the standard login1. You can use Apex code to call your custom 2fa system and verify the user’s identity2. This option also gives you more flexibility and control over the 2fa process than using native 2fa or an app exchange app3. References: 1: Customize User Authentication with Login Flows 2: Custom Login Flow Examples 3: Salesforce Multi-Factor Authentic

NEW QUESTION 10
universal container plans to develop a custom mobile app for the sales team that will use salesforce for authentication and access management. The mobile app access needs to be restricted to only the sales team. What would be the recommended solution to grant mobile app access to sales users?

• A. Use a custom attribute on the user object to control access to the mobile app
• B. Use connected apps Oauth policies to restrict mobile app access to authorized users.
• C. Use the permission set license to assign the mobile app permission to sales users
• D. Add a new identity provider to authenticate and authorize mobile users.

Answer: B

Explanation:
The recommended solution to grant mobile app access to sales users is to use connected apps OAuth policies to restrict mobile app access to authorized users. A connected app is a configuration in Salesforce that allows an external application, such as a mobile app, to connect to Salesforce using OAuth. OAuth is a protocol that allows the mobile app to obtain an access token from Salesforce after the user grants permission. The access token can then be used by the mobile app to access Salesforce data and features. OAuth policies are settings that control how users can access a connected app, such as who can use the app, how long the access token is valid, and what level of access the app requests. By configuring OAuth policies in the connected app settings, Universal Containers can restrict the mobile app access to only the sales team and protect against unauthorized or excessive access.
References: [Connected Apps], [OAuth Authorization Flows], [OAuth Policies]

NEW QUESTION 11
A leading fitness tracker company is getting ready to launch a customer community. The company wants its customers to login to the community and connect their fitness device to their profile. Customers should be able to obtain exercise details and fitness recommendation in the community.
Which should be used to satisfy this requirement?

• A. Named Credentials
• B. Login Flows
• C. OAuth Device Flow
• D. Single Sign-On Settings

Answer: C

Explanation:
OAuth Device Flow is a protocol that allows users to authenticate their devices, such as fitness trackers, smart TVs, or printers, with an external identity provider and access Salesforce resources. The device flow involves displaying a verification code and a URL on the device, which the user can use to log in and authorize the device from another device, such as a smartphone or a computer. References: OAuth Device Flow, OAuth 2. Device Flow

NEW QUESTION 12
Northern Trail Outfitters is implementing a business-to-business (B2B) collaboration site using Salesforce Experience Cloud. The partners will authenticate with an existing identity provider and the solution will utilize Security Assertion Markup Language (SAML) to provide single sign-on to Salesforce. Delegated administration will be used in the Expenence Cloud site to allow the partners to administer their users' access.
How should a partner identity be provisioned in Salesforce for this solution?

• A. Create only a contact.
• B. Create a contactless user.
• C. Create a user and a related contact.
• D. Create a person account.

Answer: C

Explanation:
To provision a partner identity in Salesforce for a B2B collaboration site using SAML SSO, the identity architect should create a user and a related contact. A user record is required to authenticate and authorize the partner to access Salesforce resources. A contact record is required to associate the partner with an account, which represents the partner’s organization. A contactless user or a person account are not supported for B2B collaboration sites. References: User and Contact Records for Partner Users, Create Partner Users

NEW QUESTION 13
Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, who use SAML based sign sign-on to login to Salesforce. The default agent profile does not include the Manage User permission. UC wants to dynamically update the agent role and permission sets.
Which two mechanisms are used to provision agents with the appropriate permissions? Choose 2 answers

• A. Use Login Flow in User Context to update role and permission sets.
• B. Use Login Flow in System Context to update role and permission sets.
• C. Use SAML Just-m-Time (JIT) Handler class run as current user to update role and permission sets.
• D. Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets.

Answer: BD

Explanation:
To dynamically update the agent role and permission sets using Active Directory as the corporate identity provider and Salesforce as the CRM for customer care agents, who use SAML based sign-on to login to Salesforce, the identity architect should use two mechanisms:
Use Login Flow in System Context to update role and permission sets. A Login Flow is a custom post-authentication process that can be used to add additional screens or logic after a user logs in to Salesforce. A System Context is a mode that allows a Login Flow to run as an administrator user with full access to Salesforce data and metadata. By using a Login Flow in System Context, the identity
architect can update the agent role and permission sets based on the information from Active Directory or other criteria.
Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets. A SAML JIT handler class is a class that implements the Auth.SamlJitHandler interface and defines how to handle SAML assertions for Just-in-Time (JIT) provisioning. JIT provisioning is a feature that allows Salesforce to create or update user records on the fly when users log in through an external identity provider. By using a SAML JIT handler class run as an admin user, the identity architect can update the agent role and permission sets based on the information from the SAML assertion. References: Login Flows, SAML Just-in-Time Provisioning, Auth.SamlJitHandler Interface

NEW QUESTION 14
Northern Trail Outfitters (NTO) employees use a custom on-premise helpdesk application to request, approve, notify, and track access granted to various on-premises and cloud applications, including Salesforce. Salesforce is currently used to authenticate users.
How should NTO provision Salesforce users as soon as they are approved in the helpdesk application with the approved profiles and permission sets?

• A. Build an integration that performs a remote call-in to the Salesforce SOAP or REST API.
• B. Use a login flow to query the helpdesk to validate user status.
• C. Have the helpdesk initiate an IdP-initiated Just-m-Time provisioning Security Assertion Markup Language flow.
• D. Use Salesforce Connect to integrate with the helpdesk application.

Answer: A

Explanation:
Building an integration that performs a remote call-in to the Salesforce SOAP or REST API is the best way to provision Salesforce users as soon as they are approved in the helpdesk application. The API allows creating and updating user records with the approved profiles and permission sets. The other options are either not suitable or not sufficient for this use case. References: User SOAP API Developer Guide, User REST API Developer Guide

NEW QUESTION 15
Universal Containers (UC) is implementing Salesforce and would like to establish SAML SSO for its users to log in. UC stores its corporate user identities in a Custom Database. The UC IT Manager has heard good things about Salesforce Identity Connect as an Idp, and would like to understand what limitations they may face if they decided to use Identity Connect in their current environment. What limitation Should an Architect inform the IT Manager about?

• A. Identity Connect will not support user provisioning in UC's current environment.
• B. Identity Connect will only support Idp-initiated SAML flows in UC's current environment.
• C. Identity Connect will only support SP-initiated SAML flows in UC's current environment.
• D. Identity connect is not compatible with UC's current identity environment.

Answer: A

Explanation:
Identity Connect will not support user provisioning in UC’s current environment. Identity Connect is a tool that synchronizes user data between Active Directory and Salesforce, but it does not work with other identity sources such as a Custom Database5. Therefore, if UC wants to use Identity Connect as an Idp, they will not be able to provision users from their Custom Database to Salesforce.
Options B, C, and D are incorrect because Identity Connect does not have any limitations on the type of SAML flow or the compatibility with UC’s current identity environment. Identity Connect supports both Idp-initiated and SP-initiated SAML flows6, and it can act as an Idp for any external service provider that supports SAML 2.07.
References: 5: Identity Connect - Salesforce 6: SAML SSO Flows - Salesforce 7: Salesforce Connect: Integration, Benefits, and Limitations

NEW QUESTION 16
......