Identity and Access Manager Quick Quiz

1 / 10
RB Outfitters is setting up an identity solution with an external vendor's application for their employees. User attributes need to be returned to this application in an ID token. What mechanism should an architect recommend?
- User Agent Flow
- JWT Bearer Token
- OpenID Connect
- Web Server Flow

2 / 10
One of Nicole's technicians is trying to access one of their connected apps. They are getting: "Failed: Not approved for access". What is the most likely culprit?
- The Connected App setting "All users may self-authorize" is enabled.
- The use of High Assurance sessions is required for the Connected App.
- The users do NOT have the correct permission set assigned to them.
- The Salesforce Administrators have revoked the OAuth authorization.

3 / 10
Nicole's Nails would like to implement a two-factor login for a newly implemented Salesforce org; they already have a custom token-based two-factor authentication system for their on-premise application. What is the recommended solution?
- Use Custom Login Flows to connect to the existing custom 2FA system for use in Salesforce.
- Use the custom 2FA system for on-premise applications and native 2FA for Salesforce.
- Replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce.
- Replace the custom 2FA system with an AppExchange App that supports on-premise applications and Salesforce.

4 / 10
Rick has contracts with clients that require additional security to access their data. There is a separate system to store their data, and Rick wants to ensure employees are only allowed to access the system when they are assigned to the client (this can be found via case ownership). He thinks SAML SSO with Salesforce as the IdP, automatically allowing access based on ownership of the current case, should validate access. How can he configure this?
- Use a Common Connected App Handler using Apex to dynamically allow access to the system based on whether the staff owns any open "Classified" Cases.
- Use Custom SAML JIT Provisioning to dynamically query the user's open "Classified" cases when attempting to access the classified information system.
- Use Salesforce reports to identify users that currently own open "Classified" cases and should be granted access to the Classified information system.
- Use an Apex trigger on Case to dynamically assign permission sets that grant access when a user is assigned an open "Classified" case, and remove it when the case is closed.

5 / 10
What HTTP parameter should be used in a service-provider-initiated SAML SSO setup, where the user is trying to access a resource on the service provider and is submitting a SAML request to the identity provider, to ensure they are returned to the intended resource?
- StartURL
- RedirectURL
- RelayState
- DisplayState

6 / 10
RC Toys is trying to identify the business use case for an Identity Provider. Which of the following are capabilities of an Identity Provider? (Choose 2)
- The Identity Provider can centralize enterprise password policy.
- The Identity Provider can store credentials for multiple applications.
- The Identity Provider can authenticate multiple social media accounts.
- The Identity Provider can authenticate multiple applications.

7 / 10
RC Toys wants to boost customer loyalty. They want to create a single customer view that includes buying behaviors, channel preferences and what they have purchased. This information is currently spread across multiple systems and formats. Rick has decided Salesforce should be used to build the 360 view. He already uses Microsoft Active Directory to manage his users; how should he provision, deprovision and authenticate his users in Salesforce?
- Salesforce Identity is not needed since RC Toys uses Microsoft AD.
- Salesforce Identity can be included, but RC Toys will require Identity Connect.
- Salesforce Identity is included in the Salesforce licenses, so it does not need to be considered separately.
- Salesforce Identity can be included, but RC Toys will be required to build a custom integration with Microsoft AD.

8 / 10
Rick is using middleware to integrate systems with Salesforce; for security, usernames and passwords cannot be stored in his systems. How can middleware authentication occur?
- Require users to supply their email and phone number, which gets validated.
- Require users to provide their RSA token along with their credentials.
- Require users to use a biometric reader as well as their password.
- Require users to enter a second password after the first authentication.

9 / 10
Nicole's Nails has recently acquired 4 additional locations. Each location has its own Salesforce org (NN1 - her main shop, NN2, NN3, NN4, NN5). She has worked with the technicians from NN2, NN3, NN4, and NN5 before, so they all have access to NN1 and their own org, but not all of the orgs. Nicole wants to simplify login so each technician only needs to remember one credential. What is the most efficient way to accomplish this with the least amount of maintenance?
- Configure NN1 as the Identity Provider to the other four Salesforce orgs, but don't set up JIT user provisioning for the other orgs.
- Configure NN1 as the Identity Provider to the other four Salesforce orgs and set up JIT user provisioning on all other orgs.
- Purchase a third-party Identity Provider for all five Salesforce orgs to use, but don't set up JIT user provisioning for the other orgs.
- Purchase a third-party Identity Provider for all five Salesforce orgs to use and set up JIT user provisioning on all other orgs.

10 / 10
TruthRX has SAML SSO enabled for multiple applications. They now want to grant access to their regional Salesforce orgs from their main Salesforce org seamlessly. What should they do?
- Configure the main Salesforce org as the Identity Provider
- Configure the main Salesforce org as a Service Provider
- Configure the main Salesforce org as an Authentication Provider
- Configure the regional Salesforce orgs as Identity Providers

Identity and Access Manager Competitive Quiz

1 / 60
Rick heard about a contactless user feature that could be used in the Customer 360 platform on Salesforce Experience Cloud. What is the impact of the contactless user feature?
- The contactless user feature is available only with the External Identity license, which can restrict the Experience Cloud functionality available to the user.
- If a contactless user is upgraded to a Community license, the contact record is automatically created and linked to the user record, but not associated with an Account.
- A custom registration handler is needed to correctly assign an External Identity or Community license for the newly registered contactless user.
- Passwordless authentication cannot be supported because the mobile phone receiving the one-time password (OTP) needs to match the number on the contact record.

2 / 60
Tom's Tablets wants to turn on SAML SSO for their Salesforce internal users using a third-party IdP. Tom decides not to set up My Domain; how does that impact his SSO implementation?
- Neither SP- nor IdP-initiated SSO will work
- Either SP- or IdP-initiated SSO will work
- SP-initiated SSO will not work
- IdP-initiated SSO will not work

3 / 60
RC Toys uses a third-party reward system to calculate rewards. They want to integrate this into Salesforce. Customer rewards are calculated in the rewards system and need to be updated in Salesforce on a schedule. If they use an OAuth flow that needs to be secure, which two practices are recommended? (Choose 2)
- OAuth SAML Bearer Assertion Flow
- OAuth JWT Bearer Token Flow
- OAuth Refresh Token Flow
- OAuth Username-Password Flow

4 / 60
RC Toys is onboarding a lot of new employees and would like new employees to automatically be created in Salesforce. Their profile should be mapped to their Active Directory department. How can Rick implement this request?
- Use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.
- Use a login flow to collect Security Assertion Markup Language attributes and assign the appropriate profile during Just-in-Time (JIT) provisioning.
- Use the createUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.
- Make a callout during the login flow to query the department from Active Directory to assign the appropriate profile.

5 / 60
Rick is using middleware to integrate systems with Salesforce; for security, usernames and passwords cannot be stored in his systems. How can middleware authentication occur?
- Require users to provide their RSA token along with their credentials.
- Require users to supply their email and phone number, which gets validated.
- Require users to use a biometric reader as well as their password.
- Require users to enter a second password after the first authentication.

6 / 60
What should be considered when using digital certificates in an SSL setup involving a trusted party and a trusting party?
- Use of a self-signed certificate leads to lower maintenance for the trusting party because there is no trusted CA cert to maintain.
- Use of a self-signed certificate leads to higher maintenance for the trusting party because the cert needs to be added to their truststore.
- Use of a self-signed certificate leads to higher maintenance for the trusted party because they have to act as the trusted CA.
- Use of a self-signed certificate leads to lower maintenance for the trusted party because multiple self-signed certs need to be maintained.
7 / 60
Rob has configured a SAML-based SSO integration between Salesforce and an external identity provider. When he tried to log in to Salesforce using SSO he got a SAML error. What two options would help him troubleshoot efficiently? (Choose 2)
- Ensure the callback URL is set up correctly in the Connected App settings
- Use the browser's developer tools to view the Salesforce page markup
- Paste the SAML assertion into the SAML Assertion Validator in Salesforce
- Use a browser that has an add-on that can inspect SAML

8 / 60
RC Toys wants to allow customers to log in using Facebook, Google or other social sign-on providers to its access management solution built on Salesforce. How do they turn this on, assuming the social sign-on providers support OpenID Connect?
- Configure a single sign-on setting and registration handler for each social sign-on provider
- Configure an authentication provider and registration handler for each social sign-on provider
- Configure an authentication provider and JIT handler for each social sign-on provider
- Configure a single sign-on setting and a JIT handler for each social sign-on provider

9 / 60
Which of the following security risks can Two-Factor Authentication (2FA) mitigate when enabled? (Choose 2)
- Users leaving laptops unattended and not logging out of Salesforce.
- Users creating simple-to-guess password reset questions.
- Users accessing Salesforce from a public Wi-Fi access point.
- Users choosing passwords that are the same as their Facebook password.

10 / 60
RB Outfitters is setting up SSO for their users. On the Salesforce User object a custom field should be populated for new and existing users. What should Tom, the architect, do? (Choose 2)
- Implement the Auth.SamlJitHandler interface.
- Implement the RegistrationHandler interface.
- Create and update methods.
- Implement the SessionManagement class.

11 / 60
JML Bakery is building a Customer Community to better connect with their community. They do not want customer credentials stored in Salesforce and would prefer customers use their social media credentials. Which two actions should they take? (Choose 2)
- Configure an Authentication Provider for LinkedIn social media accounts
- Create a custom Apex registration handler to handle new and existing users
- Use delegated authentication to call the Twitter login API to authenticate users
- Configure SSO Settings for Facebook to serve as a SAML Identity Provider

12 / 60
RC Toys has a mobile app for its employees that uses Salesforce both for authentication and for data. For ease of use, employees should only have to enter their credentials the first time they run the app. While the app has been running for 6 months, employees are complaining they are having to log in again. There was a recent URI scheme update associated with the mobile app. Where should Rick check first?
- Verify that the Callback URL is correctly pointing to the new URI scheme.
- Validate that the users are checking the box to remember their passwords.
- Confirm that the Access Token's Time-To-Live policy has been set appropriately.
- Check the Refresh Token Policy defined in the Salesforce Connected App.

13 / 60
RC Toys uses a custom recruiting application, but wants to get candidate information into Salesforce when candidates have been selected for interview. Rick intends to use OAuth to connect the two systems, with authentication using digital certificates. Which two OAuth flow types should be considered? (Choose 2)
- SAML Bearer Assertion flow
- Refresh Token flow
- JWT Bearer Token flow
- Web Service flow

14 / 60
Sales reps at RC Toys have been exporting large amounts of data via reports and Rick is starting to be concerned. Normally users can log in with either Active Directory or Salesforce credentials, but Rick would like them to be required to use AD credentials for downloading reports. Which solution allows sales reps to still view reports in Salesforce using Salesforce credentials, but requires AD to export reports?
- Use SAML Federated Authentication with a Login Flow to dynamically add or remove a Permission Set that grants the Export Reports permission.
- Use SAML Federated Authentication and block access to reports when accessed through a Standard Assurance session.
- Use SAML Federated Authentication and Custom SAML JIT Provisioning to dynamically add or remove a Permission Set that grants the Export Reports permission.
- Use SAML Federated Authentication, treat SAML sessions as High Assurance, and raise the session level required for exporting reports.

15 / 60
Bob is the architect for RC Toys and needs to automate provisioning and deprovisioning users into Salesforce from an external system. How should he do that?
- Call the OpenID Connect (OIDC) userinfo endpoint with a valid access token
- Use Security Assertion Markup Language Just-in-Time (SAML JIT) on incoming SAML assertions
- Run a registration handler on incoming OAuth responses
- Call SOAP API upsert() on the User object

16 / 60
Rick needs users to use two-factor authentication (2FA) for Salesforce, but not when they are on the company network. What should he do?
- Add the list of the company's network IP addresses to the Login Range list under 2FA Setup.
- Use Custom Login Flows with Apex to detect the user's IP address and prompt for 2FA if needed.
- Use an Apex Trigger on the UserLogin object to detect the user's IP address and prompt for 2FA if needed.
- Apply the "Two-factor Authentication for User Interface Logins" permission and Login IP Ranges for all Profiles.

17 / 60
RC Toys is using delegated authentication for Salesforce users. Their current service is written in Java. RC Toys has a new CIO who would like the company to change the service to be RESTful and written in .NET. What should Tom, the RC Toys architect, be sure to advise the new CIO? (Choose 2)
- Delegated Authentication will not work with REST services
- Delegated Authentication will continue to work with REST services
- Delegated Authentication will continue to work with a .NET service
- Delegated Authentication will not work with a .NET service

18 / 60
Which of the following are capabilities of SAML-based federated authentication? (Choose 3)
- SAML tokens can be in XML or JSON format and can be used interchangeably.
- Trust relationships between Identity Provider and Service Provider are required.
- Web applications with no passwords are more secure and stronger against attacks.
- Access tokens are used to access resources on the server once the user is authenticated.
- Centralized federation provides a single point of access, control and auditing.

19 / 60
How does not setting up My Domain impact an implementation of SAML SSO using a third-party IdP?
- SP-initiated SSO will NOT work
- Neither SP- nor IdP-initiated SSO will work.
- Either SP- or IdP-initiated SSO will work.
- IdP-initiated SSO will NOT work

20 / 60
Nicole's Nails wants to restrict her employees to only allow access to client data while in the office by restricting login IP ranges. However, some employees will need access via a mobile device from outside these IP ranges. What options should be recommended? (Choose 2)
- Remove existing restrictions on IP ranges for all types of user access.
- Relax the IP restriction in the Connected App settings for the Salesforce1 mobile app.
- Use a login flow to bypass the IP range restriction for the mobile app.
- Relax the IP restriction with a second factor in the Connected App settings for the Salesforce1 mobile app.

21 / 60
Rick has contracts with clients that require additional security to access their data. There is a separate system to store their data, and Rick wants to ensure employees are only allowed to access the system when they are assigned to the client (this can be found via case ownership). He thinks SAML SSO with Salesforce as the IdP, automatically allowing access based on ownership of the current case, should validate access. How can he configure this?
- Use Custom SAML JIT Provisioning to dynamically query the user's open "Classified" cases when attempting to access the classified information system.
- Use Salesforce reports to identify users that currently own open "Classified" cases and should be granted access to the Classified information system.
- Use a Common Connected App Handler using Apex to dynamically allow access to the system based on whether the staff owns any open "Classified" Cases.
- Use an Apex trigger on Case to dynamically assign permission sets that grant access when a user is assigned an open "Classified" case, and remove it when the case is closed.

22 / 60
RC Toys' existing Salesforce org is configured for SP-initiated SAML SSO with their IdP; they wish to introduce a second Salesforce environment and want to use the same IdP. How can Rick accomplish this?
- Use a different Entity ID than the first org.
- Use the Salesforce Username as the SAML Identity Type.
- Use the same request bindings as the first org.
- Use the same SAML Identity Location as the first org.

23 / 60
Nicole is making a mobile app that she intends to secure using the OAuth 2.0 user-agent flow and Salesforce Identity. API access only needs to be approved every 3 months. Which of the following needs to be configured? (Choose 2)
- Set Permitted Users to "Admin approved users are pre-authorized".
- Set the Refresh Token Policy to expire the refresh token after 3 months.
- Set the Session Timeout value to 3 months.
- Set Permitted Users to "All users may self-authorize".

24 / 60
A chemical company wants to integrate Salesforce with an on-premise application. To ensure all requests to the on-premise application include a trusted certificate, what should the architect do?
- Configure the company firewall to allow traffic from Salesforce IP ranges
- Generate a certificate-authority-signed certificate in Salesforce and upload it to the on-premise application's trust store
- Use OpenSSL to generate a self-signed certificate and upload it to the on-premise app
- Upload a third-party certificate from Salesforce into the on-premise server

25 / 60
What Salesforce license is needed to provide single sign-on for a B2C application using Salesforce Identity?
- Salesforce Platform
- Partner Community
- External Identity
- Identity Only

26 / 60
RC Toys wants to use Experience Cloud to replace their homegrown portal. They currently use a third-party SSO that stores the customer and partner credentials. When a user logs in to Experience Cloud for the first time via SSO, their user record needs to be created automatically. How can Rick set this up to automatically provision users for the first time?
- Query using the OpenID Connect discovery endpoint.
- Custom login flow and Apex handler
- Just-in-Time (JIT) provisioning
- Third-party AppExchange solution

27 / 60
SCCS wants to build a customer community where customers who already have access to their e-commerce site can seamlessly log in. They intend to use SP-initiated SSO using a SAML-compliant IdP. If Salesforce is the service provider, what two steps must be completed to make SP-initiated SSO work? (Choose 2)
- Configure Delegated Authentication
- Set up My Domain
- Configure SAML SSO settings
- Create a connected app

28 / 60
Rick from RC Toys wants to allow customers to submit and manage issues with their purchases without having to call in each time. He would like to grant access using Facebook and Twitter credentials. Which of the following actions does he need to take? (Choose 2)
- Create a custom external authentication provider for Twitter
- Create a custom external authentication provider for Facebook
- Configure a predefined authentication provider for Facebook
- Configure a predefined authentication provider for Twitter

29 / 60
Nicole's Nails wants to allow technicians to use their mobile devices to access Salesforce using a hybrid mobile app. The app uses SDKs (software development kits) and refresh tokens to regenerate access tokens, and has been distributed as a private app. For security, Nicole wants to roll out a policy that requires technicians to reverify if they haven't logged in for the last week. What connected app setting can be leveraged to make this policy possible?
- Session Policy - Set the timeout value of the connected app to 7 days
- Permitted Users - Ask admins to maintain a list of users who are permitted based on last login date.
- Refresh Token Policy - Expire the refresh token if it has not been used for 7 days
- Scope - Deny the refresh_token scope for this connected app.

30 / 60
Which of the following does SAML-based federated authentication provide? (Choose 3)
- SAML tokens can be in XML or JSON format and can be used interchangeably
- Trust relationships between Identity Provider and Service Provider are required.
- Web applications with no passwords are more secure and stronger against hacks.
- Centralized federation provides a single point of access, control and auditing.
- Access tokens are used to access resources on the server once the user is authenticated.

31 / 60
RC Toys wants to ensure customers setting up their customer community self-registration are not using a default account record. What will happen if they implement this?
- The self-registration page will ask the user to select an account.
- The self-registration process will produce an error to the user.
- The self-registration page will create a new account record.
- The self-registration process will create a Person Account record.

32 / 60
Rick wants to prevent employees from using a mobile VPN to log in to the mobile app, but still log in to the Salesforce mobile app with their Active Directory password. Which of the following do they need? (Choose 2)
- Active Directory Password Sync Plugin
- Salesforce Identity Connect
- Configure Cloud Provider Load Balancer
- Salesforce Trigger & Field on Contact Object

33 / 60
What HTTP parameter should be used in a service-provider-initiated SAML SSO setup, where the user is trying to access a resource on the service provider and is submitting a SAML request to the identity provider, to ensure they are returned to the intended resource?
- RelayState
- DisplayState
- RedirectURL
- StartURL

34 / 60
SCCS needs to integrate a third-party application with its Experience Cloud customer portal. Salesforce is acting as an Identity Provider. What two features should be utilized to let users of the third-party application log in and use identity services? (Choose 2)
- Use Delegated Authentication
- External Data Source with a named principal identity type
- Use a Connected App
- Use the App Launcher with single sign-on

35 / 60
Nicole has an existing e-commerce platform and is looking to add a new customer community; she doesn't want clients to have to register on both, as it would be a pain. It looks like about 1 in 4 customers will want to use the new community as well. Her e-commerce platform can generate SAML responses and has a RESTful API that can access users. What is the best way to create the e-commerce users in the community?
- Use SAML JIT in the Customer Community to create users when a user tries to log in to the community from the e-commerce site.
- Use the standard Salesforce API to create users in the Community when a user is created in the e-commerce platform, and use SAML to allow SSO.
- Use the e-commerce REST API to create users when a user self-registers on the customer community, and use SAML to allow SSO.
- Use a nightly batch ETL job to sync users between the Customer Community and the e-commerce platform, and use SAML to allow SSO.

36 / 60
Nicole's Nails has recently acquired 4 additional locations. Each location has its own Salesforce org (NN1 - her main shop, NN2, NN3, NN4, NN5). She has worked with the technicians from NN2, NN3, NN4, and NN5 before, so they all have access to NN1 and their own org, but not all of the orgs. Nicole wants to simplify login so each technician only needs to remember one credential. What is the most efficient way to accomplish this with the least amount of maintenance?
- Configure NN1 as the Identity Provider to the other four Salesforce orgs and set up JIT user provisioning on all other orgs.
- Configure NN1 as the Identity Provider to the other four Salesforce orgs, but don't set up JIT user provisioning for the other orgs.
- Purchase a third-party Identity Provider for all five Salesforce orgs to use, but don't set up JIT user provisioning for the other orgs.
- Purchase a third-party Identity Provider for all five Salesforce orgs to use and set up JIT user provisioning on all other orgs.

37 / 60
RC Toys would like to synchronize their Active Directory with Salesforce and sync profiles and permission sets based on their AD group membership. Which of the following is the optimal SSO solution?
- Use Active Directory with Reverse Proxy as the Identity Provider.
- Use Microsoft Access Control Service as the Authentication Provider.
- Use Salesforce Identity Connect as the Identity Provider.
- Use Active Directory Federation Services (ADFS) as the Identity Provider.

38 / 60
Nicole is struggling with multiple orgs and would like to manage users and profiles in a central system of record. How can she configure this?
- Implement an OAuth JWT flow to pass the profile credentials between systems.
- Implement Delegated Authentication that will update the user profiles as necessary.
- Implement JIT provisioning on the SAML IdP that will pass the ProfileID in each assertion.
- Create an Apex scheduled job in one org that will synchronize the other orgs' profiles.

39 / 60
Chris, the Identity Architect at RC Toys, would like to connect Microsoft Active Directory with Salesforce for user provisioning, deprovisioning and single sign-on (SSO) and would like to use Identity Connect. Which feature of Identity Connect is applicable?
- When Identity Connect is in place, if a user is deprovisioned in an on-premise AD, the user's Salesforce session is revoked immediately.
- If the number of provisioned users exceeds Salesforce license allowances, Identity Connect will start disabling the existing Salesforce users in a first-in, first-out fashion.
- When configured, Identity Connect acts as an Identity Provider to both Active Directory and Salesforce, thus providing SSO as a default feature.
- Identity Connect can be deployed as a managed package on a Salesforce org, leveraging the High Availability of the Salesforce platform out of the box.

40 / 60
Nicole is trying to figure out why she is getting SAML-based SSO errors during testing; the settings appear to be correct. Which of the following could be the cause? (Choose 2)
- The Issuer Certificate from the Identity Provider expired two weeks ago.
- The clock on the Identity Provider server is twenty minutes behind Salesforce.
- The Identity Provider is also used to SSO into five other applications.
- The default languages for the Identity Provider and Salesforce are different.

41 / 60
Rick told Nicole she should consider taking advantage of refresh tokens for her apps that use OAuth 2.0. Which OAuth flows should she consider? (Choose 2)
- Web server
- User-Agent
- Username-password
- JWT bearer token

42 / 60
RC Toys has a custom application to support helpdesk activities. They use it to request, approve, notify and track access to various applications (on-premises and cloud) including Salesforce. Salesforce is used to authenticate users; how should users be provisioned in Salesforce once they are approved in the helpdesk application, if they need to have approved profiles and permission sets?
- Use a login flow to query the helpdesk to validate user status.
- Use Salesforce Connect to integrate with the helpdesk application.
- Have the helpdesk initiate an IdP-initiated Just-in-Time provisioning Security Assertion Markup Language flow.
- Build an integration that performs a remote call-in to the Salesforce SOAP or REST API.

43 / 60
Rick wants to dynamically update the agent role and permission sets; he has Active Directory as the corporate identity provider and uses SAML-based single sign-on. Which of the following can help? (Choose 2)
- Use Login Flow in User Context to update role and permission sets.
- Use a SAML Just-in-Time (JIT) handler class run as the current user to update role and permission sets.
- Use a SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets.
- Use Login Flow in System Context to update role and permission sets.

44 / 60
Nicole has decided it's time to integrate her existing web application with Salesforce; she has an OAuth Web-Server Authentication Flow. What two things should she keep in mind?
- The flow will NOT provide an OAuth Refresh Token back to the server.
- The flow involves passing the user credentials back and forth.
- The web application should be hosted on a secure server.
- The web server must be able to protect the consumer secret.

45 / 60
Rick from RC Toys wants to enable SAML-based SSO for his partner community. He has an existing LDAP identity store and third-party portal. He wants to stick primarily with the existing portal but enable seamless access to the partner community. What SSO flow should he use?
- SP-initiated
- IdP-initiated
- User-Agent
- Web server

46 / 60
RC Toys wants to start allowing customers to submit their purchase issues and manage them directly. Currently customers have Amazon credentials and Rick would like to have them log in with those. What is the recommended approach?
- Configure Amazon as a connected app.
- Create a custom external authentication provider for Amazon.
- Configure an OpenID Connect Authentication Provider for Amazon.
- Configure a predefined authentication provider for Amazon.

47 / 60
RC Toys wants to use Experience Cloud to roll out a partner community. Rick wants to use an external Identity Provider (IdP), with partners registering for access to the portal. He hates duplicate records and wants to make sure each is only registered once. What should he do?
- On successful creation of partners using the Self Registration page in Experience Cloud, create the identity in Ping.
- Create a custom web page in the portal and create users in the IdP and Experience Cloud using published APIs.
- Allow partners to register through the IdP and create partner users in Salesforce through an API.
- Create a custom page in Experience Cloud to self-register partners with Experience Cloud and the Ping identity store.

48 / 60
Sam finally set up SAML-based SSO for his company. It's been working for 6 months. When they try to add a batch of new users, the users receive an error when trying to use SSO. Existing users are not having this problem. What is likely the cause?
- The new users do not have the SSO permission enabled on their profiles
- The Federation ID field is not correctly set
- The My Domain capability is not enabled on the new users' profile
- The administrator forgot to reset the new users' Salesforce password

49 / 60
RC Toys is trying to identify the business use case for an Identity Provider. Which of the following are capabilities of an Identity Provider? (Choose 2)
- The Identity Provider can authenticate multiple applications.
- The Identity Provider can centralize enterprise password policy.
- The Identity Provider can authenticate multiple social media accounts.
- The Identity Provider can store credentials for multiple applications.

50 / 60
What are three capabilities of SAML-based federated authentication? (Choose 3)
- Web applications with no passwords are more secure and stronger against attacks
- SAML tokens can be used in XML or JSON format and can be used interchangeably
- Centralized federation provides a single point of access, control and auditing
- Access tokens are used to access resources on the server once the user is authenticated
- Trust relationships between Identity Provider and Service Provider are required

51 / 60
RC Toys has implemented an SP-initiated SAML flow between an external IdP and Salesforce. Sam, a new user, is trying to log in to the Salesforce mobile app for the first time and is being prompted for Salesforce credentials instead of being shown the IdP login page. What is the likely cause of the issue?
- The user has not configured the Salesforce1 mobile app to use My Domain for login
- The "Redirect to Identity Provider" option has been selected in the My Domain configuration.
- The user has not been granted the "Enable Single Sign-on" permission
- The "Redirect to Identity Provider" option has not been selected in the SAML configuration.

52 / 60
Nicole wants to allow customers to use the App Launcher to access an off-platform app that can generate letters. The letter generator uses OAuth to provide access; what license will users need to use this?
- External Identity license
- Identity license
- Customer Community Plus license
- Customer Community license

53 / 60
Employees at RC Toys are complaining that links to case records are prompting them to log in again with SAML SSO. When they do log in they are sent to the Home tab instead of the case. Where should Rick begin his investigation?
- My Domain is configured and active within Salesforce.
- The Salesforce SSO settings are using HTTP POST.
- The users have the correct Federation ID within Salesforce.
- The identity provider is correctly preserving the RelayState.

54 / 60
Employees at RC Toys have access to a legacy employee portal for collaboration. They can access it from the company's internal website using Single Sign-On. The portal works with SiteMinder and AD and supports posting ideas. Rick wants to use Salesforce Ideas instead, as it is more robust. He doesn't want to provision users on Salesforce and instead wants to integrate the portal's ideas with Salesforce via the API. What is Salesforce's role in the context of SSO in this scenario?
- An independent system, because Salesforce is not part of the SSO setup.
- Service Provider, because Salesforce is the application for managing ideas.
- Identity Provider, because the API calls are authenticated by Salesforce.
- Connected App, because Salesforce is connected with the employee portal via API.

55 / 60
What is one of the roles of an Identity Provider in a Single Sign-On setup using SAML?
- Revoke Token
- Consume Token
- Validate Token
- Create Token

56 / 60
Rick is reviewing the Salesforce login history and is seeing some SAML SSO (Security Assertion Markup Language) 'Replay Detected and Assertion Invalid' login errors. Which of the following could be causing these errors? (Choose 2)
- The certificate loaded into the SSO configuration does not match the certificate used by the IdP.
- The current time setting of the company's identity provider (IdP) and the Salesforce platform is out of sync by more than eight minutes.
- The assertion sent to Salesforce contains an assertion ID previously used.
- The subject element is missing from the assertion sent to Salesforce.

57 / 60
RC Toys wants to boost customer loyalty. They want to create a single customer view that includes buying behaviors, channel preferences and what they have purchased.
This information is currently spread across multiple systems and formats. Rick has decided Salesforce should be used to build the 360 view. He already uses Microsoft Active Directory to mange his users, how should he provision, deprovision and authenticate his users in Salesforce? "Salesforce Identity is included in the Salesforce licenses so it does not need to be considered separately." "Salesforce Identity is not needed since RC Toys uses Microsoft AD" "Salesforce Identity can be included but RC Toys will be required to build a custom integration with Microsoft AD." "A Salesforce Identity can be included but RC Toys will require Identity Connect." 58 / 60 Nicoles employees are complaining they keep having to verify, what can she do to decrease the frequency? "Implement an single sign-on for Salesforce using an external identity provider." "Set trusted IP ranges for the organization." "Implement multi-factor authentication for the Salesforce org." "Implement 2FA authentication for the Salesforce org." 59 / 60 One of Nicole's technicians is trying to access one of their connected apps. They are getting: |Failed: Not approved for access|. What is the most likely culprit? "The use of High Assurance sessions are required for the Connected App." "The Connected App setting |All users may self-authorize| is enabled." ". The Salesforce Administrators have revoked the OAuth authorization." "The users do NOT have the correct permission set assigned to them." 60 / 60 RC Toys has a proprietary system for tracking orders, it supports SAML (Security Assertion Markup Language) based single sign-on. Rick wants to ensure only active Salesforce users can access the tracking system (which is visible in Salesforce only). What should he do? (Choose 2) "Setup Salesforce as an identity provider (IdP) for order Tracking." "Setup Order Tracking as a Canvas app in 5alesforce to POST IdP initiated SAML assertion." 
"Set up the Corporate Identity store as an identity provider (IdP) for Order Tracking" "Customize Order Tracking to initiate a REST call to validate users in Salesforce after login." Your score is LinkedIn Facebook Twitter 0% Restart quiz /115 7 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115 Identity and Access Manager Full Question Deck 1 / 115 Nicoles employees are complaining they keep having to verify, what can she do to decrease the frequency? "Implement an single sign-on for Salesforce using an external identity provider." "Set trusted IP ranges for the organization." "Implement multi-factor authentication for the Salesforce org." "Implement 2FA authentication for the Salesforce org." 2 / 115 Rick is using a middleware to integrate systems with Salesforce, for security usernames and passwords cannot be stored in his systems. How can middleware authentication occur? "Require users to enter a second password after the first Authentication" "Require users to provide their RSA token along with their credentials." "Require users to supply their email and phone number, which gets validated." "Require users to use a biometric reader as well as their password" 3 / 115 Which of the following does SAML-based federated authentication provide? (Choose 3) "Trust relationships between Identity Provider and Service Provider are required." "Centralized federation provides single point of access, control and auditing." "Access tokens are used to access resources on the server once the user is authenticated." "Web applications with no passwords are more secure and stronger against hacks." "SAML tokens can be in XML or JSON format and can be used interchangeably" 4 / 115 Nicole is trying to figure out why she is getting SAML-based SSO errors during test, the settings appear to be correct. 
Which of the following could be the cause? (Choose 2) "The Identity Provider is also used to SSO into five other applications." "The Issuer Certificate from the Identity Provider expired two weeks ago." "The default language for the Identity Provider and Salesforce are Different." "The clock on the Identity Provider server is twenty minutes behind Salesforce." 5 / 115 Rick has contracts with clients that require additional security to access their data. There is a separate system to store their data and Rick wants to ensure employees are only allowed to access the system when they are assigned to the client (this can be found via case ownership). He thinks SAML SSO with Saleforce as the IdP and automatically allowing access based on the ownership of the current case should validate access. How can he configure this? "Use a Common Connected App Handler using Apex to dynamically allow access to the system based on whether the staff owns any open |Classified| Cases" "Use Salesforce reports to identify users that currently owns open |Classified| cases and should be granted access to the Classified information system." "Use Apex trigger on case to dynamically assign permission Sets that Grant access when an user is assigned with an open |Classified| case, and remove it when the case is closed." "Use Custom SAML JIT Provisioning to dynamically query the user's open |Classified| cases when attempting to access the classified information syste" 6 / 115 Nicole wants to allow customers to use the app launcher to access an off platform app that can generate letters. The letter generator uses Oauth to provide access, what license will users need to use this? "Customer Community license" "Customer Community Plus license" "External Identity license" "Identity license" 7 / 115 When building a mobile application that makes calls using the Salesforce REST APIS how can we ensure users do not have to enter credentials every time they enter the app? 
(Choose 2) "Api" "Custom_permissions" "Refresh_token" "Full" 8 / 115 How Nicole make sure employees can only use SSO? (Choose 2) "Enable My Domain and select |Prevent login from https://login.salesforce.com|." "Assign user |is Single Sign-on Enabled| permission via profile or permission set." "Request Salesforce Support to enable delegated authentication." "Once SSO is enabled, users are only able to login using Salesforce credentials." 9 / 115 When building an application that leverages the Salesforce REST API how will the API calls be authenticated to a specific user? (Choose 2) "Session ID" "Access Token" "Refresh Token" "Authentication Token" 10 / 115 What Salesforce license is needed to provide single sign-on for a B2C application using Salesforce Identity? "Identity Only" "Partner Community" "External Identity" "Salesforce Platform" 11 / 115 In a mobile application secured by Salesforce Identity using Oauth 2.0 user-agent flow which of the following concepts apply? (Choose 3) "Client ID" "Authorization Code" "Verification Code" "Scopes" "Refresh Token" 12 / 115 How does not setting up My Domain impact an implementation of SAML SSO using a third-party IdP? "Either SP- or IdP-initiated SSO will work." "Neither SP- nor IdP-initiated SSO will work." "IdP-initiated SSO will NOT work" "SP-initiated SSO will NOT work" 13 / 115 Which of the following are considerations of Delegated Authentication? (Choose 2) "Salesforce servers receive but do not validate a user's credentials." "The authentication web service can include custom attributes." "It requires trusted IP ranges at the User Profile level." "It can be used to authenticate API clients and mobile apps." "Just-in-time Provisioning can be configured for new users." 14 / 115 Nicole has an existing e-commerce platform and is looking to add a new customer community, she doesn't want clients to have to register on both as it would be a pain. 
Its looking like about every 1 in 4 customers will want to use the new community as well. Her e-commerce platform can generate SAML responses and has a REST-ful API that can access users. What is the best way to create the e-commerce users in the community? "Use the standard Salesforce API to create users in the Community When a User is Created in the e-Commerce platform and use SAML to allow SSO." "Use a nightly batch ETL job to sync users between the Customer Community and the ecommerce platform and use SAML to allow SSO." "Use the e-commerce REST API to create users when a user self-register on the customer community and use SAML to allow SSO." "Use SAML JIT in the Customer Community to create users when a user tries to login to the community from the e-commerce site." 15 / 115 What should be considered when using digital certificates in an SSL setup involving a trusted party and a trusting party? "Use of self-signed certificate leads to higher maintenance for trusting party because the cert needs to be added to their truststore." "Use of self-signed certificate leads to lower maintenance for trusting party because there is no trusted CA cert to maintain." "Use of self-signed certificate leads to higher maintenance for trusted party because they have to act as the trusted CA" "Use of self-signed certificate leads to lower maintenance for trusted party because multiple self-signed certs need to be maintained." 16 / 115 Nicole's Nails has an external app that uses data from Salesforce. They have an Oauth 2.0 auth flow, when they logout the token needs to be invalidated. How do they handle this? "Use a HTTP POST to the System for Cross-domain Identity Management (SCIM) endpoint, including the current OAuth token." "Enable Single Logout with a secure logout URL." "Use a HTTP POST to make a call to the revoke token endpoint." "Use a HTTP POST to request the refresh token for the current user." 
17 / 115 Which of the following are features of federated Single Sign-on solutions? (Choose 3)
"It solves all identity and access management problems."
"It enables quick and easy provisioning and deactivating of users."
"It establishes trust between Identity store and service provider."
"It improves affiliated applications adoption rates."
"It federates credentials control to authorized applications."

18 / 115 Rick heard about a contactless user feature that could be used in the Customer 360 platform on Salesforce Experience Cloud. What is the impact of the contactless user feature?
"Contactless user feature is available only with the External Identity license, which can restrict the Experience Cloud functionality available to the user."
"Custom registration handler is needed to correctly assign External Identity or Community license for the newly registered contactless user."
"If contactless user is upgraded to Community license, the contact record is automatically created and linked to the user record, but not associated with an Account."
"Passwordless authentication can not be supported because the mobile phone receiving one-time password (OTP) needs to match the number on the contact record."

19 / 115 Rick wants to dynamically update the agent role and permission sets. He has Active Directory as the corporate identity provider and uses SAML-based single sign-on. Which of the following can help? (Choose 2)
"Use Login Flow in System Context to update role and permission sets"
"Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets."
"Use Login Flow in User Context to update role and permission sets."
"Use SAML Just-in-Time (JIT) Handler class run as current user to update role and permission sets."

20 / 115 Nicole is making a mobile app that she intends to secure using the OAuth 2.0 user-agent flow and Salesforce Identity. API access only needs to be approved every 3 months. Which of the following needs to be configured? (Choose 2)
"Set the Session Timeout value to 3 months."
"Set the Refresh Token Policy to expire refresh token after 3 months."
"Set Permitted Users to |All users may self-authorize|."
"Set Permitted Users to |Admin approved users are pre-authorized|."

21 / 115 All logins must include MFA; currently users can sign in with username and password OR single sign-on against a corporate identity provider that includes MFA. How can they update this to meet the criteria?
"Enable |MFA for User Interface Logins| for your organization from Setup -> Identity Verification."
"Create a custom login flow that enforces MFA and assign it to a permission set. Then assign the permission set to all employees."
"Create and assign a permission set to all employees that includes |MFA for User Interface Logins.|"
"For all employee profiles, set the Session Level Required at Login to High Assurance and add the corporate identity provider to the High Assurance list for the org's Session Security Levels."

22 / 115 Rick told Nicole she should consider taking advantage of refresh tokens for her apps that use OAuth 2.0. Which OAuth flows should she consider? (Choose 2)
"Web server"
"Username-password"
"User-Agent"
"JWT bearer token"

23 / 115 Florida Financials needs its user administration (including passwords and authentication requests) to be managed by an external system that is accessible via a SOAP web service. Which of the following is recommended?
"Just-in-Time Provisioning"
"Delegated Authentication"
"Identity Connect"
"OAuth Web-Server Flow"

24 / 115 Rick wants to allow passwordless login to a new customer service portal; customers should log in with a one-time passcode sent via SMS or email. How does he know how many Identity Verification Credits he may need?
"Identity Verification Credits are consumed with each SMS (text message) sent and should be estimated based on the number of login verification challenges for SMS verification users."
"Identity Verification Credits are consumed with each verification sent and should be estimated based on the number of logins that will incur a verification challenge."
"Each community comes with 10,000 Identity Verification Credits per month and only customers with more than 10,000 logins a month should estimate additional SMS verifications needed."
"Identity Verification Credits are a direct add-on license based on the number of existing member-based or login-based Community licenses."

25 / 115 Rick wants to prevent employees from using mobile VPN to log in to the mobile app, but still log in to the Salesforce mobile app with their Active Directory password. Which of the following do they need? (Choose 2)
"Salesforce Trigger & Field on Contact Object"
"Active Directory Password Sync Plugin"
"Salesforce Identity Connect"
"Configure Cloud Provider Load Balancer"

26 / 115 Nicole wants to update the self registration in the partner community to include a bit more custom data and use it to assign Profile and Account data. Which of the following would help? (Choose 2)
"Modify the SelfRegistration trigger to assign Profile and Account."
"Configure Registration for Communities to use a custom Apex Controller."
"Modify the CommunitiesSelfRegController to assign the Profile and Account."
"Configure Registration for Communities to use a custom Visualforce Page."

27 / 115 The SSO for Nicole's Nails has been working for the last three months. A new batch of users is receiving an error when they try to use SSO, but this is not impacting existing users. What is a possible cause?
"The my domain capability is not enabled on the new user's profile."
"The administrator forgot to reset the new user's Salesforce password."
"The Federation ID field on the new user records is not correctly set"
"The new users do not have the SSO permission enabled on their profiles."

28 / 115 RC Toys is trying to identify the business use case for Identity Provider. Which of the following are capabilities of an Identity Provider? (Choose 2)
"The Identity provider can store credentials for multiple applications."
"The Identity Provider can authenticate multiple social media accounts."
"The Identity Provider can authenticate multiple applications."
"The Identity Provider can centralize enterprise password policy."
32 / 115 RC Toys wants to use Salesforce for its global businesses, its three regions each have their own Microsoft Active Directory Federation implementation. They would like to have a single org and to use ADFS. How can they accomplish this would procuring additional applications? "Configure Each ADFS system under single sign-on settings and allow users to choose the system to authenticate during sign on to Salesforce" "Use connected apps for each ADFS implementation and implement Salesforce site to authenticate users across the ADFS system applicable to their geo." "Implement Identity Connect to provide single sign-on to Salesforce and federated across multiple ADFS systems." "Add a central identity system that federates between the ADFS systems and integrate with Salesforce for single sign-on." 33 / 115 RC Toys wants to ensure customers setting up their customer community self registration are not using a default account record. What will happen if they implement this? "The self-registration page will create a new account record." "The self-registration process will produce an error to the user." "The self-registration process will create a person Account record" "The self-registration page will ask user to select an account." 34 / 115 Nicole's Nails has started allowing customers to place orders for custom nail polishes. Nail technicians have access to a custom mobile app where they can place the order from where ever they are. For simplicity they should only have to log in the first time they log in. Which OAuth flow can support this? "SAML Assertion flow with a Bearer Token." "Web Server flow with a Refresh Token." "User Agent flow with a Refresh Token." "Mobile Agent flow with a Bearer Token." 35 / 115 RC Toys wants to make sure the third-party Idp provider they use for federated single sign-on can support automated provisioning and deprovisioning with federated single sign-on. What are the underlying mechanisms they will need? 
"SOAP API for provisioning; Just-in-Time (JIT) for Deprovisioning." "Just-In-time (JIT) for Provisioning; SOAP API for Deprovisioning." "Just-in-Time (JIT) for both Provisioning and Deprovisioning." "Provisioning API for both Provisioning and Deprovisioning." 36 / 115 Which of the following are features of Federated Single Sign On? (Choose 3) "It improves affiliated applications adoption rates." "It establishes trust between Identity Store and Service Provider." "It federates credentials control to authorized applications." "It solves all identity and access management problems." "It enables quick and easy provisioning and deactivating of users." 37 / 115 RC Toys has an existing LDAP identity store and third party portal. They wish to use the existing portal as the primary site that users access, but also want seamless loging with SAML based SSO for a Salesforce Partner Community. What SSO flow should the architect recommend? "Web Server" "User-Agent" "SP-Initiated" "IdP-Initiated" 38 / 115 Rick has recommended to Nicole to use Identity Connect to integrate her Active Directory with Salesforce for provisioning, deprovisioning and SSO. How can Identity Connect accomplish this? "If the number of provisioned users exceeds Salesforce licence allowances, identity Connect will start disabling the existing Salesforce users in First-in, First-out (FIFO) fashion." "Identity Connect can be deployed as a managed package on salesforce org, leveraging High Availability of Salesforce Platform out-of-the-box." "When Identity Connect is in place, if a user is deprovisioned in an on-premise AD, the user's Salesforce session Is revoked Immediately." "When configured, Identity Connect acts as an identity provider to both Active Directory and Salesforce, thus providing SSO as a default feature." 39 / 115 Nicole is struggling with multiple orgs and would like to manage users and profiles in a central system of record. How can she configure this? 
"Implement JIT provisioning on the SAML IdP that will pass the ProfileID in each assertion." "Implement Delegated Authentication that will update the user profiles as necessary." "Create an Apex scheduled job in one org that will synchronize the other org's profiles." "Implement an OAuth JWT flow to pass the profile credentials between systems." 40 / 115 RB Outfitters is setting up SSO for their users. On the Salesforce User object a custom field should be populated for new and existing users. What should Tom, the architect, do? (Choose 2) "Implement Auth.SamlJitHandler Interface." "Create and update methods." "Implement RegistrationHandler Interface." "Implement SesslonManagement Class." 41 / 115 RC Toys wants to use Experience Cloud to replace their homegrown portal. They are currently use a third party SSO that stores the customer and partner credentials. When a user logs in to the Experience Cloud for the first time via SSO their user record needs to be created automatically? How can Rick set this up to automatically provision users for the first time? "Third-party AppExchange solution" "Custom login flow and Apex handler" "Just-in-Time (JIT) provisioning" "query using OpenID Connect discovery endpoint." 42 / 115 RC Toys has multiple external applications and has decided to use Salesforce as the Identity Provider. Apps should be available via the app launcher and should be available to individual users. How should Rick set this up? (Choose 3) "Set up an Auth provider for each external application." "Set up identity connect to synchronize user data." "Create a connected App for each external application." "Add each connected App to the app launcher with a start URL" "Set up salesforce as a SAML IDP with my domain." 43 / 115 RC Toys has a self-registration option on their portal, however, they are getting concerned about bots creating additional records and causing bad data. What can Rick do to prevent unauhorized submissions? 
(Choose 2) "Use hidden fields populated via java script events in the self-registration page." "Primarily use lookup and picklist fields on the self registration page." "Require a captcha at the end of the self-registration process." "Use open-ended security questions and complex password requirements" 44 / 115 Nicole's Nails is now offering a mobile service and technicians need access to the mobile billing application. The billing application is in a Connected App in Salesforce. What can Nicole do to ensure the app is secured? (Choose 2) "Set login IP ranges to the internal network for all of the app users profiles." "Require high assurance sessions in order to use the connected App" "Use Google Authenticator as an additional part of the logical processes." "Disallow the use of single Sign-on for any users of the mobile app." 45 / 115 Employees at RC Toys collaborate via an employee portal they can access via the company's internal website with SSO. It works with Active Directory, what is the role of Active Directory? "Identity provider" "Authentication store" "Service provider" "Identity store" 46 / 115 Which of the following attacks would 2FA (2 Factor Authentication) protect against? (Choose 3) "Dictionary attacks" "Network perimeter attacks" "Man-in-the-middle attacks" "Key logging attacks" "Phishing attacks" 47 / 115 RC Toys manages a custom web page, they want users to be able to access Salesforce and other custom web pages from it. The users should be able to access each with the same set of credentials. What SAML SSO flow would allow this? ". User-Agent" "SP-Initiated with Deep Linking" "IdP-Initiated" "SP-Initiated" 48 / 115 Rick from RC Toys wants to enable SAML-Based SSO for his partner community. He has an existing Idap identity store and third party portal. He wants to stick primarily with the existing portal but enable seamless access to the partner community. What SSO flow should he use? 
"IDP-initiated" "Sp-Initiated" "User-Agent" "Web server" 49 / 115 RC Toys wants to use experience cloud to roll out a partner community. Rick wants to use idP (external Identity Provider) with partners registering for access to the portal. He hate duplicate records and wants to make sure each is only registered once. What should he do? "Create a custom page in Experience Cloud to self register partner with Experience Cloud and Ping identity store." "Create a custom web page in the Portal and create users in the IdP and Experience Cloud using published APIs" "On successful creation of Partners using Self Registration page in Experience Cloud, create identity in Ping." "Allow partners to register through the IdP and create partner users in Salesforce through an API." 50 / 115 Nicole from Nicole's Nails needs to grant some of her technicians access to an external application from the App Launch in Salesforce. What steps must she take? (Choose 3) "Complete single Sign-on settings in security controls." "Associate user profiles with the connected Apps" "Create named credentials for each external system." "Complete my domain and Identity provider setup." "Create connected apps for the external applications." 51 / 115 Rick from RC Toys wants to allow customers to submit and manage issues with their purchases without having to call in each time. He would like to grant access using Facebook and Twitter credentials, which of the following actions does he need to take? (Choose 2) "Create a custom external authentication provider for Facebook." "Create a custom external authentication provider for Twitter" "Configure a predefined authentication provider for Twitter" "Configure a predefined authentication provider for Facebook" 52 / 115 Nicole's Nails connects their new mobile app to their Salesforce org using OpenId Connect. How can they enable the retreival of the access token status for their OpenID Connect connection? 
"A Leverage OpenID Connect Token Introspection" "Create a custom OAuth scope" "Enable cross-origin resource sharing (CORS) for the /services/oauth2/token endpoint" "Query using OpenID Connect discovery endpoint." 53 / 115 RC Toys has a custom application to support helpdesk activities. They use it to request, approve, notify and track access to various applications (on premises and cloud) including Salesforce. Salesforce is used to authenticate users, how should users be provisioned in Salesforce once they are approved in the helpdesk application if they need to have approved profiles and permission sets? "Use a login flow to query the helpdesk to validate user status." "Have the helpdesk initiate an IdP-initiated Just-m-Time provisioning Security Assertion Markup Language flow." "Build an integration that performs a remote call-in to the Salesforce SOAP or REST API." "Use Salesforce Connect to integrate with the helpdesk application." 54 / 115 RC Toys would like to integrate their custom employee portal with Salesforce to allow employees to post ideas from the employee portal. When the user clicks the links in the employee portal they should be redirected to Salesforce, authenticated and presented with the correct page. Which OAuth flow supports this best? "SAML Bearer Assertion flow" "Web Server flow" "Web Application flow" "User-Agent flow" 55 / 115 Which of the following should be considered when designing a Delegated Authentication implementation? "The Web service should be able to accept one to four input method parameters." "The web service should use the Salesforce Federation ID to identify the user." "The Web service should implement a custom password decryption method." "The Web service should be secured with TLS using Salesforce trusted certificates." 56 / 115 Which of the following are capabilities of Delagated Authentication? (Choose 3) "It can be assigned by Profiles." "It can connect to SOAP services" "It can connect to REST services." 
"It can be assigned by Permission Sets."
"It can be assigned by Custom Permissions."

57 / 115
Employees at RC Toys have access to a legacy employee portal where they collaborate. They can access it from the company's internal website using Single Sign-On. The portal works with SiteMinder and AD and supports posting ideas. Rick wants to use Salesforce Ideas instead, as it is more robust. He doesn't want to provision users in Salesforce and instead wants to integrate the portal's ideas with Salesforce via the API. What is Salesforce's role in the context of SSO in this scenario?
"An independent system, because Salesforce is not part of the SSO setup."
"Connected App, because Salesforce is connected with the employee portal via API."
"Identity Provider, because the API calls are authenticated by Salesforce."
"Service Provider, because Salesforce is the application for managing ideas."

58 / 115
One of Nicole's technicians is trying to access one of their connected apps. They are getting: |Failed: Not approved for access|. What is the most likely culprit?
"The users do NOT have the correct permission set assigned to them."
"The Salesforce Administrators have revoked the OAuth authorization."
"The Connected App setting |All users may self-authorize| is enabled."
"The use of High Assurance sessions is required for the Connected App."

59 / 115
Nicole's Nails has recently acquired 4 additional locations. Each location has its own Salesforce org (NN1 - her main shop, NN2, NN3, NN4, NN5). She has worked with the technicians from NN2, NN3, NN4, and NN5 before, so they are all in NN1 and their own org, but not all of the orgs. Nicole wants to simplify login so each technician only needs to remember one credential. What is the most efficient way to accomplish this with the least amount of maintenance?
"Configure NN1 as the Identity Provider to the other four Salesforce orgs, but don't set up JIT user provisioning for the other orgs."
"Configure NN1 as the Identity Provider to the other four Salesforce orgs and set up JIT user provisioning on all other orgs."
"Purchase a third-party Identity Provider for all five Salesforce orgs to use and set up JIT user provisioning on all other orgs."
"Purchase a third-party Identity Provider for all five Salesforce orgs to use, but don't set up JIT user provisioning for other orgs."

60 / 115
RC Toys wants to expand their customers' ability to self-register in their customer community. Customers should receive a different experience depending on the information they provide during registration. What should Rick do?
"Modify the existing Communities registration controller to assign different profiles."
"Create an After Insert Apex trigger on the User object to assign specific custom permissions."
"Modify the Community pages to utilize specific fields on the User and Contact records."
"Create separate login flows corresponding to the different community user personas."

61 / 115
RC Toys would like to synchronize their Active Directory with Salesforce and sync profiles and permission sets based on their AD group membership. Which of the following is the optimal SSO solution?
"Use Microsoft Access Control Service as the Authentication Provider."
"Use Active Directory Federation Services (ADFS) as the Identity Provider."
"Use Active Directory with a Reverse Proxy as the Identity Provider."
"Use Salesforce Identity Connect as the Identity Provider."

62 / 115
Nicole's Nails wants to let employees leverage posts/views/votes in Salesforce while they are in an internal company portal. Ideas posted in Salesforce have a link created in the company portal using OAuth. When users click on existing ideas they are being sent to the Ideas page instead of the Idea they clicked on. Which URL parameter can be used so they can go to the originally requested page?
"Callback_uri"
"Redirect_uri"
"State"
"Scope"

63 / 115
RC Toys wants to start allowing customers to submit their purchase issues and manage them directly. Currently customers have Amazon credentials and Rick would like to have them log in with those. What is the recommended approach?
"Configure Amazon as a connected app."
"Configure a predefined authentication provider for Amazon."
"Configure an OpenID Connect Authentication Provider for Amazon."
"Create a custom external authentication provider for Amazon."

64 / 115
What HTTP parameter should be used in a service provider initiated SAML SSO setup where the user is trying to access a resource on the service provider and is submitting a SAML request to the identity provider, ensuring they are returned to the intended resource?
"RelayState"
"RedirectURL"
"StartURL"
"DisplayState"

65 / 115
Which of the following security risks can Two-Factor Authentication (2FA) mitigate when enabled? (Choose 2)
"Users leaving laptops unattended and not logging out of Salesforce."
"Users accessing Salesforce from a public Wi-Fi access point."
"Users creating simple-to-guess password reset questions."
"Users choosing passwords that are the same as their Facebook password."

66 / 115
Nicole's Nails wants to allow technicians to use their mobile devices to access Salesforce using a hybrid mobile app. The app uses an SDK (software development kit) and refresh tokens to regenerate access tokens, and has been distributed as a private app. For security, Nicole wants to roll out a policy that requires technicians to reverify if they haven't logged in for the last week. What connected app setting can be leveraged to make this policy possible?
"Session Policy - Set the timeout value of the connected app to 7 days."
"Permitted Users - Ask admins to maintain a list of users who are permitted based on last login date."
"Refresh Token Policy - Expire the refresh token if it has not been used for 7 days."
"Scope - Deny the refresh_token scope for this connected app."
67 / 115
Sam wants to roll out MFA (multi-factor authentication) to his internal employees. Which of the following meet the criteria for secure MFA? (Choose 3)
"Username and password + SMS passcode"
"Lightning Login"
"Certificate-based Authentication"
"Third-party single sign-on with Mobile Authenticator app"
"Username and password + security key"

68 / 115
Rick needs users to use Two-Factor Authentication (2FA) for Salesforce, but not when they are on the company network. What should he do?
"Add the list of the company's network IP addresses to the Login Range list under 2FA Setup."
"Use an Apex Trigger on the UserLogin object to detect the user's IP address and prompt for 2FA if needed."
"Use Custom Login Flows with Apex to detect the user's IP address and prompt for 2FA if needed."
"Apply the |Two-factor Authentication for User Interface Logins| permission and Login IP Ranges for all Profiles."

69 / 115
RC Toys has a proprietary system for tracking orders; it supports SAML (Security Assertion Markup Language) based single sign-on. Rick wants to ensure only active Salesforce users can access the tracking system (which is visible in Salesforce only). What should he do? (Choose 2)
"Set up the Corporate Identity store as an identity provider (IdP) for Order Tracking."
"Set up Salesforce as an identity provider (IdP) for Order Tracking."
"Customize Order Tracking to initiate a REST call to validate users in Salesforce after login."
"Set up Order Tracking as a Canvas app in Salesforce to POST an IdP-initiated SAML assertion."

70 / 115
Nicole's Nails has an on-premise application for supply ordering, and she wants to connect it to Salesforce. Rick advised her to make sure a trusted certificate chain is used to access her on-premise application endpoint. What does she need to do to ensure this is done?
"Upload a third-party certificate from Salesforce into the on-premise server."
"Generate a certificate authority-signed certificate in Salesforce and upload it to the on-premise application Truststore."
"Configure the company firewall to allow traffic from Salesforce IP ranges."
"Use OpenSSL to generate a self-signed certificate and upload it to the on-premise app."

71 / 115
Rick is reviewing the Salesforce login history and is seeing some SAML SSO (Security Assertion Markup Language) 'Replay Detected and Assertion Invalid' login errors. Which of the following could be causing these errors? (Choose 2)
"The Subject element is missing from the assertion sent to Salesforce."
"The assertion sent to Salesforce contains an assertion ID previously used."
"The certificate loaded into the SSO configuration does not match the certificate used by the IdP."
"The current time setting of the company's identity provider (IdP) and the Salesforce platform is out of sync by more than eight minutes."

72 / 115
Which of the following are capabilities of SAML-based Federated Authentication? (Choose 3)
"Centralized federation provides a single point of access, control and auditing."
"Trust relationships between Identity Provider and Service Provider are required."
"SAML tokens can be in XML or JSON format and can be used interchangeably."
"Access tokens are used to access resources on the server once the user is authenticated."
"Web applications with no passwords are more secure and stronger against attacks."

73 / 115
RC Toys has implemented an SP-Initiated SAML flow between an external IdP and Salesforce. Sam, a new user, is trying to log in to the Salesforce mobile app for the first time and is being prompted for Salesforce credentials instead of being shown the IdP login page. What is the likely cause of the issue?
"The |Redirect to identity provider| option has not been selected in the SAML configuration."
"The user has not been granted the |Enable Single Sign-On| permission."
"The |Redirect to Identity Provider| option has been selected in the My Domain configuration."
"The user has not configured the Salesforce1 mobile app to use My Domain for login."

74 / 115
Sales Reps at RC Toys have been exporting large amounts of data via reports and Rick is starting to be concerned. Normally users can log in with either Active Directory or Salesforce credentials, but Rick would like them to be required to use AD credentials for downloading reports. Which solution allows sales reps to still view reports in Salesforce using Salesforce credentials, but requires AD to export reports?
"Use SAML Federated Authentication and block access to reports when accessed through a Standard Assurance session."
"Use SAML Federated Authentication with a Login Flow to dynamically add or remove a Permission Set that grants the Export Reports permission."
"Use SAML Federated Authentication and Custom SAML JIT Provisioning to dynamically add or remove a Permission Set that grants the Export Reports permission."
"Use SAML Federated Authentication, treat SAML sessions as High Assurance, and raise the session level required for exporting reports."

75 / 115
RC Toys wants to boost customer loyalty. They want to create a single customer view that includes buying behaviors, channel preferences and what they have purchased. This information is currently spread across multiple systems and formats. Rick has decided Salesforce should be used to build the 360 view. He already uses Microsoft Active Directory to manage his users. How should he provision, deprovision and authenticate his users in Salesforce?
"Salesforce Identity can be included but RC Toys will be required to build a custom integration with Microsoft AD."
"Salesforce Identity can be included but RC Toys will require Identity Connect."
"Salesforce Identity is included in the Salesforce licenses so it does not need to be considered separately."
"Salesforce Identity is not needed since RC Toys uses Microsoft AD."

76 / 115
RC Toys uses a custom recruiting application, but wants to get candidate information into Salesforce when candidates have been selected for interview. Rick intends to use OAuth to connect the two systems, with authentication using digital certificates. Which two OAuth flow types should be considered? (Choose 2)
"JWT Bearer Token flow"
"Web Service flow"
"Refresh Token flow"
"SAML Bearer Assertion flow"

77 / 115
Employees at RC Toys are complaining that links to case records are prompting them to log in again with SAML SSO. When they do log in they are sent to the Home tab instead of the case. Where should Rick begin his investigation?
"My Domain is configured and active within Salesforce."
"The identity provider is correctly preserving the RelayState."
"The Salesforce SSO settings are using HTTP POST."
"The users have the correct Federation ID within Salesforce."

78 / 115
What information does the 'RelayState' parameter contain in SP-Initiated Single Sign-On?
"Reference to a URL redirect parameter at the identity provider."
"Reference to a URL redirect parameter at the service provider."
"Reference to the login address URL of the identity provider."
"Reference to the login address URL of the service provider."

79 / 115
RC Toys wants to use SAML-based single sign-on for authentication for Salesforce inbound OAuth-enabled integration clients. Which OAuth flow supports this scenario?
"SAML Assertion OAuth flow"
"Web Server OAuth flow"
"User-Token OAuth flow"
"User-Agent OAuth flow"

80 / 115
RC Toys has implemented a multi-org architecture in their company where users have licenses across multiple orgs. Users are complaining they can't remember which login goes with which org and business process. What can Rick do to address the complaints? (Choose 2)
"Implement Delegated Authentication from each org to the LDAP provider."
"Implement IdP-Initiated Single Sign-On flows to allow deep linking."
"Implement SP-Initiated Single Sign-On flows to allow deep linking."
"Activate My Domain to brand each org to the specific business use case."

81 / 115
Which of the following are capabilities of Identity Connect? (Choose 2)
"Support multiple orgs connecting to multiple Active Directory servers."
"Automated user synchronization and deactivation."
"Synchronization of Salesforce Permission Set License Assignments."
"Supports both Identity-Provider-Initiated and Service-Provider-Initiated SSO."

82 / 115
RC Toys has a legacy web application using the Canvas framework. They wish to integrate this with Salesforce but do not feel a signed request is adequate authentication. What two considerations should be made for authenticating the third-party app using the Canvas framework? (Choose 2)
"Utilize the Canvas OAuth flow to allow the third-party application to authenticate itself against Salesforce as the IdP."
"Utilize the SAML Single Sign-On flow to allow the third-party to authenticate itself against UC's IdP."
"Create a registration handler Apex class to allow the third-party application to authenticate itself against Salesforce as the IdP."
"Utilize Authorization Providers to allow the third-party application to authenticate itself against Salesforce as the IdP."

83 / 115
RC Toys uses a third-party reward system to calculate rewards. They want to integrate this into Salesforce. Customer rewards are calculated in the rewards system and need to be updated in Salesforce on a schedule. If they use an OAuth flow that needs to be secure, which two practices are recommended? (Choose 2)
"OAuth Username-Password Flow"
"OAuth SAML Bearer Assertion Flow"
"OAuth JWT Bearer Token Flow"
"OAuth Refresh Token Flow"

84 / 115
RC Toys is onboarding a lot of new employees and would like new employees to automatically be created in Salesforce. Their profile should be mapped to their Active Directory Department. How can Rick implement this request?
"Use the createUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile."
"Make a callout during the login flow to query the department from Active Directory to assign the appropriate profile."
"Use a login flow to collect Security Assertion Markup Language attributes and assign the appropriate profile during Just-In-Time (JIT) provisioning."
"Use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile."

85 / 115
Cam's Cars has a B2C website that doesn't support single sign-on like SAML or OAuth. Cam wants to use Salesforce Identity to register and authenticate new customers on the website. What can their architect do to provide username/password authentication for the website? (Choose 2)
"Identity Connect"
"Embedded Login"
"Delegated Authentication"
"Connected Apps"

86 / 115
RC Toys has a mobile app for its employees that uses Salesforce both for authentication and for data. For ease of use, employees should only have to enter their credentials the first time they run the app. While the app has been running for 6 months, employees are complaining they are having to log in again. There was a recent URI scheme update that was associated with the mobile app. Where should Rick check first?
"Check the Refresh Token Policy defined in the Salesforce Connected App."
"Confirm that the Access Token's Time-To-Live policy has been set appropriately."
"Verify that the Callback URL is correctly pointing to the new URI scheme."
"Validate that the users are checking the box to remember their passwords."

87 / 115
Nicole's Nails wants to restrict her employees to only access client data while in the office, by restricting login IP ranges. However, some employees will need to access via a mobile device from outside these IP ranges. What options should be recommended? (Choose 2)
"Use a login flow to bypass the IP range restriction for the mobile app."
"Relax the IP restriction in the connected app settings for the Salesforce1 mobile app."
"Remove existing restrictions on IP ranges for all types of user access."
"Relax the IP restriction with a second factor in the connected app settings for the Salesforce1 mobile app."

88 / 115
Nicole's Nails is considering Customer 360 to help get a better understanding of her clients now that she is partnering with Holly's Hair. They want to understand how Customer 360 can help. What are two key benefits of Customer 360 Identity? (Choose 2)
"Customer 360 Identity automatically integrates with Customer 360 Data Manager and Customer 360 Audiences to seamlessly populate all user data."
"Customer 360 Identity supports multiple brands, so you can deliver centralized identity services and correlation of user activity even if it spans multiple corporate brands and user experiences."
"Customer 360 Identity not only provides a unified sign-up and sign-in experience, but also tracks anonymous user activity prior to signing up, so organizations can understand user activity before and after the users identify themselves."
"Customer 360 Identity enables an organization to build a single login for each of its customers, giving the organization an understanding of the user's login activity across all its digital properties and applications."

89 / 115
What does RC Toys need to do to enable SAML SSO configuration? (Choose 2)
"SSO from the Salesforce1 mobile app."
"Login forensics"
"Resource deep linking"
"App Launcher"

90 / 115
RC Toys wants to let their Salesforce Partner Community users self-register. They would like to capture some custom data elements to help assign the correct Profile and Account to the user. Which two actions would help?
(Choose 2)
"Configure registration for Communities to use a custom Visualforce page."
"Modify the SelfRegistration trigger to assign Profile and Account."
"Modify the CommunitiesSelfRegController to assign the Profile and Account."
"Configure registration for Communities to use a custom Apex controller."

91 / 115
Chris, the Identity Architect at RC Toys, would like to connect Microsoft Active Directory with Salesforce for user provisioning, deprovisioning and single sign-on (SSO), and would like to use Identity Connect. Which feature of Identity Connect is applicable?
"When Identity Connect is in place, if a user is deprovisioned in an on-premise AD, the user's Salesforce session is revoked immediately."
"If the number of provisioned users exceeds Salesforce license allowances, Identity Connect will start disabling the existing Salesforce users in a First-in, First-out fashion."
"Identity Connect can be deployed as a managed package on the Salesforce org, leveraging the High Availability of the Salesforce platform out-of-the-box."
"When configured, Identity Connect acts as an Identity Provider to both Active Directory and Salesforce, thus providing SSO as a default feature."

92 / 115
RC Toys wants to give some of their users access to a mobile app connected to Salesforce via OAuth. What OAuth feature can be used to restrict the types of users who can access the app?
"Access Tokens"
"Mobile PINs"
"Refresh Tokens"
"Scopes"

93 / 115
Sam finally set up SAML-based SSO for his company. It's been working for 6 months. When they try to add a batch of new users, the users receive an error when trying to use SSO. Existing users are not experiencing this problem. What is likely the cause?
"The administrator forgot to reset the new users' Salesforce password."
"The Federation ID field is not correctly set."
"The My Domain capability is not enabled on the new users' profile."
"The new users do not have the SSO permission enabled on their profiles."

94 / 115
SCCS wants to set up delegated authentication to allow login with corporate credentials. What mechanism can be used to make sure the connection between Salesforce and the login service can be trusted?
"Require the use of Salesforce security tokens on passwords."
"Enforce mutual authentication between systems using SSL."
"Include the client ID and client secret in the login header callout."
"Set up a proxy service for the login service in the DMZ."

95 / 115
SCCS wants their sales team to have a custom mobile app that uses Salesforce for authentication and access management. This app is only for the sales team. How can SCCS grant mobile access to the sales users only?
"Use a custom attribute on the User object to control access to the mobile app."
"Use connected app OAuth policies to restrict mobile app access to authorized users."
"Use a permission set license to assign the mobile app permission to sales users."
"Add a new identity provider to authenticate and authorize mobile users."

96 / 115
SCCS needs to integrate a third-party integration with its Experience Cloud customer portal. Salesforce is acting as an Identity Provider. What two features should be utilized to let users of the third-party application log in and use identity services? (Choose 2)
"Use the App Launcher with single sign-on."
"External Data Source with a named principal identity type."
"Use a Connected App."
"Use Delegated Authentication."

97 / 115
SCCS wants to build a customer community where customers who already have access to their e-commerce site can seamlessly log in. They intend to use SP-initiated SSO using a SAML-compliant IdP. If Salesforce is the service provider, what two steps must be completed to make SP-Initiated SSO work?
(Choose 2)
"Configure SAML SSO settings"
"Configure Delegated Authentication"
"Create a connected app"
"Set up My Domain"

98 / 115
Bob is the architect for RC Toys and needs to automate provisioning and deprovisioning users into Salesforce from an external system. How should he do that?
"Call the SOAP API upsert() on the User object."
"Use Security Assertion Markup Language Just-in-Time (SAML JIT) on incoming SAML assertions."
"Run a registration handler on incoming OAuth responses."
"Call the OpenID Connect (OIDC) userinfo endpoint with a valid access token."

99 / 115
TruthRX has SAML SSO enabled for multiple applications. They now want to grant access to their regional Salesforce orgs from their main Salesforce org seamlessly. What should they do?
"Configure the main Salesforce org as an Authentication Provider."
"Configure the main Salesforce org as the Identity Provider."
"Configure the regional Salesforce orgs as Identity Providers."
"Configure the main Salesforce org as a Service Provider."

100 / 115
A chemical company wants to integrate Salesforce with an on-premise application. To ensure all requests to the on-premise application include a trusted certificate, what should the architect do?
"Use OpenSSL to generate a self-signed certificate and upload it to the on-premise app."
"Configure the company firewall to allow traffic from Salesforce IP ranges."
"Generate a certificate authority-signed certificate in Salesforce and upload it to the on-premise application trust store."
"Upload a third-party certificate from Salesforce into the on-premise server."

101 / 115
SCCS restricts access to Salesforce for its employees using restricted IP ranges. They want to roll out a mobile experience for Salesforce that is accessible from anywhere. What two things are recommended?
(Choose 2)
"Relax the IP restriction with a 2nd factor in the Connected App settings for mobile."
"Remove existing IP ranges for all types of user access."
"Relax the IP restrictions in the Connected App for the Salesforce Mobile App."
"Use a Login Flow to bypass the IP range restriction for the Mobile App."

102 / 115
RC Toys wants to allow customers to log in using Facebook, Google or other social sign-on providers to its Access Management solution built on Salesforce. How do they turn this on, assuming the social sign-on providers support OpenID Connect?
"Configure an authentication provider and registration handler for each social sign-on provider."
"Configure a single sign-on setting and registration handler for each social sign-on provider."
"Configure an authentication provider and JIT handler for each social sign-on provider."
"Configure a single sign-on setting and a JIT handler for each social sign-on provider."

103 / 115
What is one of the roles of an Identity Provider in a Single Sign-On setup using SAML?
"Validate token"
"Create token"
"Consume token"
"Revoke token"

104 / 115
Tim's Tiles wants to allow customers to access a community using Facebook credentials. The first time the customer logs in they should be automatically created in the accounting system. The accounting system has a web service accessible to Salesforce. How should the architect construct this?
"Create a custom application on Heroku that manages the sign-on process from Facebook"