Free and Premium Salesforce Identity-and-Access-Management-Architect Dumps Questions Answers

To provision a partner identity in Salesforce for a B2B collaboration site using SAML SSO, the identity architect should create a user and a related contact. A user record is required to authenticate and authorizethe partner to access Salesforce resources. A contact record is required to associate the partner with an account, which represents the partner’s organization. A contactless user or a person account are not supported for B2B collaboration sites. References: User and Contact Records for Partner Users, Create Partner Users

 Configuring SSO to use the third-party portal as an identity provider is the best option to enable SSO between the portal and Salesforce. The portal can use OAuth as the protocol to authenticate users and redirect them to Salesforce. The other options are either not feasible or not relevant for this use case. References: Single Sign-On for Desktop and Mobile Applications using SAML and OAuth, Single Sign-On with SAML on Force.com

 To integrate the order fulfillment app with the Salesforce API using OAuth 2.0 protocol, the identity architect should use aConnected App and OAuth scopes. A Connected App is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols, such as OAuth 2.0. OAuth scopes are permissions that define the specific data that an external application can access or modify in Salesforce. To use OAuth 2.0 protocol, the identity architect needs to configure a Connected App in Salesforce and assign the appropriate OAuth scopes to it, such as “api” or “full”. References: Connected Apps, OAuth Scopes

  These are the systems that are acting as identity providers (IdPs) in the SSO scenario. An IdP is a trusted provider that enables a customer to use single sign-on (SSO) to access other websites5. In this case, Pingfederate and Salesforce Org 1 are the IdPs that authenticate the users and issue SAML assertions or OAuth tokensto the service providers (SPs). The SPs are the websites that hostapps and rely on the IdPs for authentication5. In this case, Salesforce Org 2, Financial System, and CPQ Systemare the SPs that receive the SAML assertions or OAuth tokens from the IdPs and grant access to the users.

Option A is incorrect because Financial System is not an IdP, but an SP. It does not authenticate the users, but receives SAML assertions from Pingfederate. Option C is incorrect because Salesforce Org 2 is not an IdP, but an SP. It does not authenticate the users, but receives OAuth tokens from Salesforce Org 1.

Activating My Domain allows each org to have a unique domain name that can be branded to the specific business use case2. This can help users identify which org they are logging into and avoid confusion. Implementing SP-Initiated Single Sign-on flows enables users to start from a service provider (such as Salesforce) and be redirected to an identity provider (such as Active Directory) for authentication3. This can also allow deep linking, which means users can access specific resources withinthe service provider after logging in4. These two recommendations can address the complaints of the users who have licenses across multiple orgs.

A is correct because requiring users to provide their RSA token along with their credentials is a form of two-factor authentication. An RSA token is a hardware device thatgenerates a one-time password (OTP) that changes every few seconds. The user needs to enter both their password and the OTP to log in to Salesforce.

D is correct because requiring users to use a biometric reader as well as their password is another form oftwo-factor authentication. A biometric reader is a device that scans a user’s fingerprint, face, iris, or other physical characteristics to verify their identity. The user needs to provide both their password and their biometric data to log in to Salesforce.

B is incorrect because requiring users to supply their email and phone number, which gets validated, is not a form of two-factor authentication. This is a form of identity verification, which is used to confirm that the user owns the email and phone number they provided. However, this does not add an extra layer of protection beyond their password when they log in to Salesforce.

C is incorrect because requiring users to enter a second password after the first authentication is not a form of two-factor authentication. This is a form of single-factor authentication, which only relies on something the user knows (their passwords). This does not increase security against unauthorized account access.

To allow employees to sign in to a custom Benefits web app using their Salesforce credentials, the identity architect should recommend the Identity Only License. The Identity Only License is a license type that enables users to access external applications that are integrated with Salesforce using single sign-on (SSO) or delegated authentication, but not access Salesforce objects or data. The other license types are not relevant for this scenario. References: Identity Only License, User Licenses

 To limit user access to only a subset of service providers per customer type, the identity architect should use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps. Connected apps are frameworks that enable external applications to integrate with Salesforce using APIs and standard protocols, such as OpenID Connect. By setting each of the Connected App access settings to Admin Pre-Approved, the identity architect can control which users can access which connected apps by assigning profiles or permission sets to the connected apps. The other options are not relevant for this scenario. References: Connected Apps, Manage Connected Apps

 Enabling “MFA for User Interface Logins” for the organization is the simplest way to ensure that all user logins include a single MFA prompt. This setting applies to both direct logins and SSO logins, and overrides any other MFA settings at the profile or permission set level. References: Enable MFA for Direct User Logins, Everything You Need to Know About MFA Auto-Enablement and Enforcement

To invalidate an existing Salesforce OAuth token, the external application needs to make a HTTP POST request to the revoke token endpoint, passing the token as a parameter. This will revoke the access token and the refresh token if available. The other options are not relevant for this scenario. References: Revoke OAuth Tokens, OAuth 2.0 Token Revocation

 To populate data for new and existing users in the Salesforce User object custom field when they log in using SSO, the identity architect should implement the Auth.SamlJitHandler interface and create and update methods. The Auth.SamlJitHandler interface is an interface that defines how to handle SAML assertions for Just-in-Time (JIT) provisioning. JIT provisioning is a feature that allows Salesforce to create or update user records on the fly when users log in through an external identity provider. The create and update methods are methods in the Auth.SamlJitHandler interface that define how to create or update users in Salesforce based on the information from the SAML assertion. References: Auth.SamlJitHandler Interface, Just-in-Time Provisioning for SAML and OpenID Connect

Two-way SSL is a method of mutual authentication between two parties using digital certificates. A digital certificate is an electronic document that contains information about the identity of the certificate owner and a public key that can be used to verify their signature. A digital certificate can be either self-signed or CA-signed. A self-signed certificate is created and signed by its owner, while a CA-signed certificate is created by its owner but signed by a trusted Certificate Authority (CA). For setting up two-way SSL between Salesforce and an external system, two valid choices fordigital certificates are:

Use a self-signed certificate for Salesforce and a self-signed certificate for the external system. This option is simple and cost-effective, but requires both parties to trust each other’s self-signed certificates explicitly.

Use a self-signed certificate for Salesforce and a trusted CA-signed certificate for the external system. This option is more secure and reliable, but requires Salesforce to trust the CA that signed the external system’s certificate implicitly.

 To create partners using an external identity provider (IdP) and avoid duplicate accounts with Salesforce, the identity architect should recommend creating a custom page in Experience Cloud to self register partner with Experience Cloud and Ping identity store. Ping is an IdP that supports OpenID Connect protocol, which allows users to sign in with an external identity provider and access Salesforce resources. By creating a custom page in Experience Cloud, the identity architect can use a custom registration handler to link the partner’s Ping identity with their Salesforce identity and prevent duplicate accounts. The custom page can also provide a seamless user experience for the partners. References: OpenID Connect Authentication Providers, Social Sign-On with OpenID Connect, Create a Custom Registration Handler

 The identity provider must correctly preserve the Relay state in order to redirect the user to the specific case record after login with SAML SSO. According to the Salesforce documentation3, “The RelayState parameter is used by SAML to indicate where the user should be redirected after they’ve been authenticated by the identity provider.” Therefore, option C is the correct answer. References: Salesforce Documentation

According to the Salesforce documentation1, OpenID Connect Token Introspection allows all OAuth connected apps to check the current state of an OAuth 2.0 access or refresh token. Theresource server or connected apps send the client app’s client ID and secret to the authorization server, initiating an OAuth authorization flow. As part of this flow, the authorization server validates, or introspects, the client app’s access token. If the access token is current and valid, the client app is granted access.

Configuring an Authentication Provider for LinkedIn Social Media Accounts allows UC to use LinkedIn as an external identity provider for its customer community. This means that customers can use their LinkedIn credentials to log in to the community without storing their credentials in Salesforce. Creating a Custom Apex Registration Handler allows UC to customize how new and existing users are handled when they log in with an external identity provider. This means that UC can control howuser records are created, updated, or matched when customers use their social media credentials to authenticate to the community. These two actions can meetthe requirement of UC to use social media credentials for its customer community. 

The two OAuth flows that support refresh tokens are Web server and User-Agent. According to the Salesforce documentation2, “The webserver authentication flow and user-agent flow both provide a refresh token that can be used to get a new access token.” Therefore, option A and C are the correct answers.

 D is correct because using aself-signed certificate leads to higher maintenance for the trusting party, which is the client or browser that connects to the server. The trusting party needs to add the self-signed certificate to their truststore, which is a repository of trusted certificates, in order to establish a secure connection with the server. Otherwise, the trusting party will see a warning message or an error when accessing the server.

A is incorrect because using a self-signed certificate leads to higher maintenance for the trusted party, not lower. The trusted party needs to maintain multiple self-signed certificates from different servers in their truststore.

B is incorrect because using a self-signed certificate does not make the trusted party act as the trusted CA (Certificate Authority). The trusted CA is the entity that issues and validates certificates for servers. The trusted party only needs to trust the CA’s root certificate, which is usually pre-installed in their truststore.

C is incorrect because using a self-signed certificate leads to higher maintenance for the trusting party, not lower. The trusting party still needs to maintain a trusted CA cert in their truststore, which is the self-signed certificate itself.

The best option for UC to ensure that changes in the Facebook profile are reflected onthe appropriate customer community user is to use the updateUser method on the registration handler class. A registration handler class is an Apex class that implements the Auth.RegistrationHandler interface and defines the logic for creating or updating auser account when a user logs in with an external authentication provider, such as Facebook. The updateUser method is a method in the registration handler class that takes a user ID and a JSON string as parameters and updates the user record with the information from the JSON string. This method can be used to update the user’s profile, email, name, or other attributes based on the changes in the Facebook profile. The other options are not optimal for this scenario. Developing a scheduled job that calls out to Facebook on a nightly basis would introduce a delay in updating the user information and require custom code and API integration. Using information in the signed request that is received from Facebook would only provide limited information about the user, such as name, email, and locale, and not reflect any changes made after the initial login. Using SAML Just-in-Time provisioning between Facebook and Salesforce would require UC to configure Facebook as a SAML identity provider, which is not supportedby Facebook. References: [Create a Registration Handler Class], [Auth.RegistrationHandler Interface], [Facebook Signed Request], [Facebook as SAML Identity Provider]

In a SAML-based SSO scenario, the identity provider (IdP) is the system that performs authentication and passes the user’s identity and authorization level to the service provider (SP), which trusts the IdP and authorizes the user to access the requested resource1. In this case, PingFederate is the IdP that authenticates users for UC and sends SAML assertions to the SPs. The SPs are the systems that rely on PingFederate for authentication and provide access to their services based on the SAML assertions. The SPs in this scenario are Salesforce Org1, Salesforce Org2, Financial System, and CPQ System2. Therefore, the correct answer is B.

The recommended approach for UC to expand the self-registration capabilities such that customers receive a different community experience based on the data they provide during the registration process is to modify the community pages to utilize specific fields on the user and contact records. This approach allows UC to customize the community pages based on the user’s profile, preferences, interests, or other attributes that are stored in the user or contact fields. For example, UC can use conditional visibility rules or audience criteria to display different components or content based on the user’s field values. This approach does not require any code or complex configuration, and it provides a flexible and personalized community experience for different customer segments. The other options are not recommended for this scenario. Creating an after-insert Apex trigger on the user object to assign specific custom permissionswould require UC to write code and manage custom permissions, which could increase maintenance and testing efforts. Creating separate login flows corresponding to the different community user personas would require UC to create multiple login pages and logic, which could increase complexity and confusion. Modifying the existing communities’ registration controller to assign different profiles would require UC to write code and manage multiple profiles, which could increase security and governance risks. References: [Customize Your Community Pages], [Set Component Visibility], [Create Custom Login Flows], [Customize Self-Registration]

OpenID Connect is an authentication protocol that allows a service provider to obtain user attributes in an ID token from an IdP. The other flows areOAuth 2.0 flows that are used for authorization, not authentication. References: Configure an Authentication Provider Using OpenID Connect, Integrate Service Providers as Connected Apps with OpenID Connect

JWTBearer Flow allows the third-party system to authenticate to Salesforce using a digital certificate and a JSON Web Token (JWT) without any user interaction. It also provides a high level of security as it does not require sharing credentials or storing tokens. References: OAuth 2.0 JWT Bearer Token Flow

To allow employees to collaborate in a single Salesforce org, yet authenticate to the appropriate IdP, the identity architect should enable each IdP as a login option in the MyDomain Authentication Service settings. Users will then click on the appropriate IdP button. MyDomain is a feature that allows administrators to customize the Salesforce login URL with a unique domain name. Authentication Service is a setting that allows administrators to enable different authentication options for users, such as social sign-on or single sign-on with an external IdP. By enabling each IdP as a login option in the MyDomain Authentication Service settings, the identity architect can provide a user-friendly and secure way for employees to log in to Salesforce using their preferred IdP. References: MyDomain, Authentication Service

 The most appropriate license types for GS regional leads and the GS capacity planners are:

Customer Community Plus license for GS regional leads. This license type allows external users, such as customers or partners, to access standard Salesforce objects, such as cases and dashboards, and custom objects in a community. This license type also supports role hierarchy, sharing rules, and reports. This license type is suitable for GS regional leads who need to report damage of goods using cases and access dashboards to track regional shipping KPIs.

External Identity license for GS capacity planners. This license type allows external users to access a limited set of standard Salesforce objects, such as contacts and documents, and custom objects in a community. This license type also supports identity features, such as single sign-on (SSO) and social sign-on. This license type is suitable for GS capacity planners who need to access the third-party cloud analytics tool using Salesforce as the identity provider.

The other options are not appropriate license types for this scenario. Customer Community license for GS capacity planners would not allow them to access the third-party cloud analytics tool using SSO, as this license type does not support identity features. Identity license for GS regionalleads would not allow them to access cases and dashboards in the community, as this license type does not support standard Salesforce objects. References: [Customer Community Plus Licenses], [External Identity Licenses], [Customer Community Licenses], [Identity Licenses]

An authentication provider is a configuration that allows users to log in to Salesforce using an external identity provider,such as Facebook, Google, or a custom one. When creating an authentication provider, two options that can be utilized are:

A custom registration handler, which is a class that implements the Auth.RegistrationHandler interface and defines how to create or update users in Salesforce based on the information from the external identity provider.

A custom error URL, which is a URL that users are redirected to when an error occurs during the authentication process. References: Authentication Providers, Create an Authentication Provider

To meet the requirements of using a central cloud-basedIAM service for authentication and user management, the IAM architect should implement Salesforce Sales Cloud as a SAML service provider and enable SCIM for provisioning and deprovisioning of users. SAML is a protocol that allows users to authenticate andauthorize with an external identity provider and access Salesforce resources. By configuring Salesforce as a SAML service provider, the IAM architect can use the central IAM service as an identity provider and enable single sign-on for users. SCIM is a standard that defines how to manage user identities across different systems. By enabling SCIM in Salesforce, the IAM architect can synchronize user data between the central IAM service and Salesforce and automate user provisioning and deprovisioning based onthe changes made in the central IAM service. References: SAML Single Sign-On Settings, SCIM User Provisioning for Connected Apps

D is correct because Salesforce is an independent system that is not part of the SSO setup between the Employee portal and Active Directory. Salesforce does not act as an IdP or an SP for the SSO, nor does it use a connected app to integrate withthe Employee portal. Salesforce only exposes its API to allow the Employee portal to access its ideas feature.

A is incorrect because Salesforce is not a service provider for the SSO. The SSO is between the Employee portal and Active Directory, not between the Employee portal and Salesforce.

B is incorrect because Salesforce is not a connected app for the SSO. A connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect1. The Employee portal does not use any of these protocols to integrate with Salesforce, but only uses its API.

C is incorrect because Salesforce is not an identity provider for the SSO. The IdP is the system that authenticates users and issues tokens or assertions to allow access to other systems. In this scenario, theIdP is Active Directory, not Salesforce.

 To authenticate and authorize Salesforce users with AWS, the identity architect should configure AWS as an OpenID Connect Provider. OpenID Connect is a protocol that allows users to sign in with an external identity provider, such as AWS, and access Salesforce resources. To enable this, the identity architect needs to configure an OpenID Connect Authentication Provider in Salesforce and link it to a connected app. The other options are not relevant for this scenario. References: OpenID Connect Authentication Providers, Social Sign-On with OpenID Connect

The type of single sign-on that UC is using is SP-initiated, which means that the service provider (Salesforce) initiates the SSO process by sending a SAML request to the identity provider (PingFederate) when the user navigates to the My Domain URL3. Therefore, option A is the correct answer. References: SAML SSO with Salesforce as the Service Provider

The StartURL for the connected app is required to specify the landing page for the app. The connected app must also be set as visible in the App Launcher to appear as a tile for users. References: Connected App Basics, Manage Connected Apps

Salesforce Canvas is a tool that allows external applications to be embedded into Salesforce as iframes, which can provide a seamless user experience. App Launcher is a feature that allows users to access connected apps from a single location in Salesforce. To enable single sign-on anduse Salesforce as the identity provider, the external billing application needs to be configured as a connected app and use an OAuth 2.0 or SAML protocol. Identity Connect is not relevant for this scenario, as it is a tool for synchronizing user data between Salesforce and Active Directory. References: Salesforce Canvas Developer Guide, App Launcher, Connected Apps

The web scope should be requested when using the OAuth token to meet this requirement. The web scope allows the user to log in to Salesforce and access the web UI.This is suitable for scenarios where the user is redirected from an external portal to Salesforce and needs to see the relevant pages. Option B is not a good choice because the full scope allows access to all data accessible by the user, including the webUI and the API. This may be unnecessary or insecure for this requirement. Option C is not a good choice because the API scope allows access to the Salesforce API only, not the web UI. This may not meet the requirement of presenting the user with relevantpages. Option D is not a good choice because the visualforce scope allows access to Visualforce pages only, not the entire web UI. This may limit the user’s experience and functionality.

The OAuth 2.0Device Flow is a type of authorization flow that allows users to register an IoT device with limited display input or capabilities, such as a smart TV, a printer, or a smart speaker1. The device flow works as follows1:

The device displays or reads out a verification code and a verification URL to the user.

The user visits the verification URL on another device, such as a smartphone or a laptop, and enters the verification code.

The user logs in to Salesforce and approves the device.

The device polls Salesforce for an access token using the verification code.

Salesforce returns an access token to the device, which can then access Salesforce APIs.

Enabling Two-Factor Authentication (2FA) in Salesforce can mitigate the security risks of users accessing Salesforce froma public Wi-Fi access point or choosing passwords that are the same as their Facebook password. 2FA is an additional layer of protection beyond your password that requires users to verify their identity with another factor, such as a mobile app, a securitykey, or a verification code. This can prevent unauthorized access even if the user’s password is compromised or guessed by a malicious actor. The other options are not directly related to 2FA, but rather to user behavior or password policies.

Identity Connect will not support user provisioning inUC’s current environment. Identity Connectis a tool that synchronizes user data between Active Directory and Salesforce, but it does not work with other identity sources such as a Custom Database5. Therefore, if UC wants to use Identity Connect as an Idp, they will not be able to provision users from their Custom Database to Salesforce.

Options B, C, and D are incorrect because Identity Connect does not have any limitations on the type of SAML flow or the compatibility with UC’s current identity environment. Identity Connect supports both Idp-initiated and SP-initiatedSAML flows6, and it can act as an Idp for any external service provider that supports SAML 2.07.

 To allow agents to access the Canvas appwithout needing to log in to the pricing application, the identity architect should consider two options:

Configure the Canvas app as a connected app and set Admin-approved users as pre-authorized. A connected app is a framework that enables an externalapplication to integrate with Salesforce using APIs and standard protocols. A Canvas app is a type of connected app that allows an external application to be embedded within Salesforce. By setting Admin-approved users as pre-authorized, the identity architect can control which users can access the Canvas app by assigning profiles or permission sets to the connected app.

Enable SAML in the connected app and Security Assertion Markup Language (SAML) Initiation Method as Service Provider Initiated. SAML is aprotocol that allows users to authenticate and authorize with an external identity provider and access Salesforce resources. By enabling SAML in the connected app, the identity architect can use Salesforce as a service provider (SP) and the pricing application as an identity provider (IdP) for single sign-on (SSO). By setting SAML Initiation Method as Service Provider Initiated, the identity architect can initiate the SSO process from Salesforce and send a SAML request to the pricing application. References: Connected Apps, Canvas Apps, SAML Single Sign-On Settings

OAuth 2.0 is an open standard for authorization that allows a third-party application to obtain limited access to a protected resource on behalf of auser. To authorize a third-party service using OAuth 2.0 with the Salesforce Experience Cloud site, the identity architect should do the following steps:

Create a connected app for the third-party service in Salesforce. A connected app is an applicationthat integrates with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect. To create a connected app, you need to provide the basic information, such as the app name, logo URL, contact email, and API name. You also need toenable OAuth and configure the OAuth settings, such as the callback URL, the scopes, and the policies.

Authorize the third-party service by sending authorization requests to the community-url/services/oauth2/authorize/expid_value. This is a special endpoint that allows you to specify an experience ID (expid) as a query parameter in the authorization request. The experience ID is a unique identifier for each experience (community or site) in Salesforce. By using this endpoint, you can dynamically render thelogin page images based on the user’s brand preference selected in the third-party service before authorization.

The best approach to simplify the authentication process and reduce cost and maintenance is to configure UC1 as the Identity Provider to the other four Salesforce orgs and set up JIT user provisioning on all other orgs. This way, users can log in to any of thefive orgs using their UC1 credentials, and their user accounts will be automatically created or updated in the other orgs based on the information from UC11. This eliminates the need to purchase a third-party Identity Provider or manually provision users in advance. The other options are not optimal forthis requirement because:

Purchasing a third-party Identity Provider for all five Salesforce orgs would incur additional cost and maintenance, and would not leverage the existing user base in UC1.

Not setting up JIT user provisioning for other orgs would require manually creating or updating user accounts in each org, which would be time-consuming and error-prone. References: Salesforce as an Identity Provider, Identity Providers and Service Providers, Just-in-Time Provisioning for SAML

The best OAuth flow for this scenario is the web server flow. The web server flow is an OAuth authorization flow that allows a web application, such as UC’s employee portal, to obtain an access token and a refresh token from Salesforce after the user grants permission. The web application can then use the access token to access Salesforce data and features, such as posting ideas, and use the refresh token to obtain a newaccess token when the previous one expires or becomes invalid. This flow is suitable for UC’s scenario because it allows users to be redirected to Salesforce, authenticated, and presented with the relevant pages when they click on some of the links in theemployee portal. This flow also provides a secure and seamless user experience by using a confidential client secret that is stored on the web server and not exposed to the browser.

The other options are not valid OAuth flows for this scenario. The web application flow is not a standard term for OAuth, but it could refer to the user-agent flow, which is an OAuth authorization flow that allows a browser or web-view, such as a mobile app or a desktop app, to obtain an access token from Salesforce by using a script or a pop-up window. This flow is not suitable for UC’s scenario, as it does not use a web server or a client secret, and it does not provide a refresh token. The SAML bearer assertion flow is an OAuth authorization flow that allows an external application to obtain an access token from Salesforce by using a SAML assertion from an identity provider (IdP) that verifies the user’s identity. This flow is not suitable for UC’s scenario, as it does not involve user interaction or redirection to Salesforce.The user-agent flow is an OAuth authorization flow that allows a browser or web-view, such as a mobile app or a desktop app, to obtain an access token from Salesforce by using a script or a pop-up window. This flow is not suitable for UC’s scenario, as itdoes not use a web server or a client secret, and it does not provide a refresh token. References: [OAuth Authorization Flows], [OAuth 2.0 Web Server Flow for Web App Integration], [OAuth 2.0 User-Agent Flow for Desktop Apps], [OAuth 2.0 SAML Bearer Assertion Flow for Server-to-Server Integration]

Allowing password reset using the API and using login flows are two possible ways to enable customers to set their own passwords in Experience Cloud. The other options are notrelevant for this requirement, as they do not address the password issue. References: Allow Password Reset Using the API, Use Login Flows to Allow Users to Reset Passwords in Experience Cloud Sites

To support scalability and reduce maintenance costs for a multinational, multi-brand organization, the architect should recommend assigning each sub-brand a unique Experience ID and using the Experience ID to dynamically brand the login experience. Experience ID is a parameter that can be used to identify different brands or experiences within a single Experience Cloud site (formerly known as Community). Dynamic branding is afeature that allows Experience Cloud sites to display different branding elements, such as logos, colors, or images, based on the Experience ID or other criteria. This solution can provide a consistent and personalized brand experience for each sub-brandwithout creating multiple subdomains or orgs. References: Experience ID, Dynamic Branding for Experience Cloud Sites

B is correct because the user has not configured the Salesforce1 mobile app to use My Domain for login, which is the likely cause of the issue. The My Domain URL is used to redirect theuser to the identity provider’s login page and initiate the SP-Initiated SAML flow. If the user does not configure the Salesforce1 mobile app to use My Domain for login, they will be prompted for Salesforce credentials instead of being shown the IDP loginpage. A is incorrect because the “Redirect to Identity Provider” option has been selected in the My Domain configuration, which is not the cause of the issue. The “Redirect to Identity Provider” option determines whether users are redirected to the identity provider’s login page automatically or after clicking a button. C is incorrect because the “Redirect to Identity Provider” option has not been selected in the SAML configuration, which is not the cause of the issue. The “Redirect to Identity Provider” option determines whether users are redirected to the identity provider’s login page automatically or after clicking a button. D is incorrect because the user has been granted the “Enable Single Sign-On” permission, which is not the cause of the issue. The “Enable Single Sign-On” permission allows users to use SSO with connected apps or external systems. Verified References: [My Domain URL], [SP-Initiated SAML Flow], [Redirect to Identity Provider Option], [Enable Single Sign-On Permission]

 The two issues outside of the Salesforce SSO settings that are most likely contributing to the SSO errors are the clock on the identity provider server being twenty minutes behind Salesforce and the issuer certificate from the identity provider expiring two weeks ago. These issues can cause SAML assertionerrors, which prevent the user from logging in with SSO. A SAML assertion is an XML document that contains information about the user’s identity and attributes, and it is signed by the identity provider and sent to Salesforce as part of the SSO process4. If the clock on the identity provider server is not synchronized with Salesforce, the SAML assertion may be rejected as invalid or expired, as it has a timelimit for validity5. If the issuer certificate from the identityprovider isexpired, the SAML assertion may not be verified by Salesforce, as it relies on the certificate to validate the signature6. The other options are not likelyissues that cause SSO errors. The identity provider being used to SSO into five otherapplications does not affect itsability to SSO into Salesforce, as long as it supports multiple service providers and has a separate configuration for each one7. The default language for the identity provider and Salesforce being different does not affect the SSO process, as it does not impact the SAML assertion or its validation.

The Entity ID is a unique identifier for a service provider or an identity provider in SAML SSO. It is used to differentiate between different service providers or identity providersthat may share the same issuer orlogin URL. In Salesforce, the Entity ID is automatically generated based on the organization ID and can be viewed in the Single Sign-On Settings page1. If youhave a custom domain set up, you can use [customDomain].my.salesforce.comas the Entity ID2. If you want to use the same IdP for two Salesforce orgs, you need to use different Entity IDs for each org, otherwise the IdP will not be able to distinguish them and may send incorrect assertions. You can also use different certificates, issuers, or login URLs for each org, but usingdifferent Entity IDs is the simplest and recommended way3.

 To dynamically update the agent role and permission sets using Active Directory as the corporate identity provider and Salesforce as the CRM for customer care agents, who use SAML based sign-on to login to Salesforce, the identity architect should use two mechanisms:

Use Login Flow in System Context to update role and permission sets. A Login Flow is a custom post-authentication process that can be used to add additional screens or logic after a user logs in to Salesforce. A System Context is a mode that allows a LoginFlow to run as an administrator user with full access to Salesforce data and metadata. By using a Login Flow in System Context, the identity architect can update the agent role and permission sets based on the information from Active Directory or other criteria.

Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets. A SAML JIT handler class is a class that implements the Auth.SamlJitHandler interface and defines how to handle SAML assertions for Just-in-Time (JIT)provisioning. JIT provisioning is a feature that allows Salesforce to create or update user records on the fly when users log in through an external identity provider. By using a SAML JIT handler class run as an admin user, the identity architect can update the agent role and permission sets based on the information from the SAML assertion. References: Login Flows, SAML Just-in-Time Provisioning, Auth.SamlJitHandler Interface

The refresh token is used to obtain a new access token when the previous one expires. To revoke the user session, the logout function should invoke the revocation URL and pass the refresh token as a parameter. This will invalidate both the refresh token and the access token, and prevent the user from accessing Salesforce without logging in again2.

Identity Verification Credits are units that are consumed when Salesforce sends verification messages to users via email or SMS. To use passwordless login, customers need to receive a one-time passcode via email or SMS that they can use to log in to the customer service portal. Therefore, Identity Verification Credits are consumed with each SMS (text message) sent and should be estimated based on the number of login verification challenges for SMS verification users. Email verification does not consume Identity Verification Credits. References: Identity Verification Credits, Passwordless Login

To limit the level of access to the data of the protected resource in a flexible way, the identity architect should create custom scopes and assign them to the connected app. Custom scopes are permissions that define the specific data that an external application can access or modify in Salesforce. Custom scopes can be created using Apex or Metadata API and assigned to a connected app using OAuth 2.0 or SAML protocols. Custom scopes can provide more granular control over data access than standard scopes, which are predefined by Salesforce. References: Custom Scopes, Create and Assign Custom Scopes

Requiring High Assurance sessions and using Google Authenticator are two ways to enhance the security of the connected app.

Option B is correct because requiring High Assurance sessions means that the users must verify their identity using a secondfactor, such as a verification code or biometric scan, before they can access the connected app.

Option D is correct because using Google Authenticator as an additional part of the login process also adds a second factor of authentication, which can begenerated by the Google Authenticator app on the user’s mobile device.

Option A is incorrect because disallowing the use of Single Sign-on for any users of the mobile app does not improve the security of the app, and may create more inconvenience for the users who have to remember multiple credentials.

Option C is incorrect because setting Login IP Ranges to the internal network for all of the app users Profiles does not work for users who are commonly out of the office, as they may need to access the app from different locations.

The AMR field in the Login History shows the authentication methods usedat the IdP level, such as password, MFA, or SSO. Both OIDC and SAML are supported protocols for SSO, but the IdP must implement the AMRattribute and pass it to Salesforce. References: Secure YourUsers’ Identity, Salesforce Multi-Factor Authentication (MFA) and Single Sign-on (SSO)

The underlying mechanisms that the UC Architect must ensure are part of the product are Just-in-Time (JIT) provisioning and deprovisioning. JIT provisioningis a process that creates or updates user accounts in Salesforce when users log in with SAML single sign-on (SSO)6. JIT deprovisioning is a process that disables or deletes user accounts in Salesforce when users are removed from the identity provider (IdP). Both of these processes enable automated provisioning and deprovisioning of users without requiring manual intervention or synchronization. The other options are not valid mechanisms for provisioning and deprovisioning. SOAP API is an application programming interface that allows developers to create, retrieve, update, or delete records in Salesforce. However, SOAP API does not support JIT provisioning ordeprovisioning, and requires custom code to implement. Provisioning API is not a standard term for Salesforce, and there is no such API that supports both provisioning and deprovisioning.

 SAML federation allows partners to log in tomultiple Salesforce orgs with a single identity provider. The partner login can be created for the country of their operation and then federated to other orgs using SAML assertions. References: SAML Single Sign-On Overview, Federated Authentication UsingSAML

The optimal way to implement SSO with Active Directory as the enterprise identity store is to use Salesforce Identity Connect as the identity provider. Salesforce Identity Connect is a software that integrates Microsoft Active Directory with Salesforce and enables single sign-on (SSO) using SAML. It also allows user data synchronization between Active Directory and Salesforce and profile and permission set assignment based on Active Directory group membership. Option A is not a good choice because using Active Directory with reverse proxy as the identity provider may not be supported by Salesforce or may require additional configuration and customization. Option B is not a good choice because using Microsoft Access Control Service as the authentication provider may not be available, as Microsoft has retired this service in 2018. Option C is not a good choice because using Active Directory Federation Service (ADFS) as the identity provider may not allow user data synchronization or profile andpermission set assignment based on Active Directory group membership, unless it is combined with another tool such as Salesforce Identity Connect.

Toenable SP-initiated SSO with Salesforce as the Service Provider, two steps are required in Salesforce:

Option A is correct because configuring SAML SSO settings involves specifying the identity provider details, such as theentity ID, login URL, logout URL, and certificate2. 

Option D is correct because setting up My Domain enables you to use a custom domain name for your Salesforce org and allows you to use SAML as an authentication method3.

Option B is incorrect because creating a connected app is not necessary for SP-initiated SSO using a SAML-compliant IdP. A connected app is used for OAuth-based authentication or OpenID Connect-based authentication4.

Option C is incorrect because configuring delegated authentication is not related to SP-initiated SSO using a SAML-compliant IdP. Delegated authentication is a feature that allows Salesforce todelegate user authentication to an external service, such as LDAP or Active Directory5. References: SAML-based single sign-on: Configuration and Limitations, Configure SAML single sign-on with an identity provider, My Domain, Create a Connected App, Configure Salesforce for Delegated Authentication

 Login History allows administrators to view the login attempts of all users in the org, including the status, source IP, login type, and application. This can help identify and troubleshoot any login errors or issues. References: Login History

 OAuth refresh token flow and OAuth JWT bearer token flow are the recommended best practices for using OAuth flows inthis scenario. These flows are suitable for server-to-server integration scenarios where the client application needs to access Salesforce resources on behalf of a user. The OAuth refresh token flow allows the client application to obtain a long-lived refresh token that can be used to request new access tokens without requiring user interaction. The OAuth JWT bearer token flow allows the client application to use a JSON Web Token (JWT) to assert its identity and request an access token. Both flows providea secure and efficient way to integrate with Salesforce and the reward calculation system. OAuth SAML bearer assertion flow is not a recommended best practice for using OAuth flows in this scenario because it requires the client application to obtain a SAML assertion from an identity provider, which adds an extra layer of complexity and dependency. OAuth username-password flow is not a recommended best practice for using OAuth flows in this scenario because it requires the client application to store the user’s credentials, which poses a security risk and does not support two-factor authentication. References: : [Which OAuth Flow to Use] : [Digging Deeper into OAuth 2.0 on Force.com] : [OAuth 2.0 JWT Bearer Token Flow] : [OAuth 2.0 SAML Bearer Assertion Flow] : [OAuth 2.0 Username-Password Flow]

Customer 360 Identity is a cloud-based identity service that provides a single, trusted identity for customers across all yourdigital properties and applications2. Customer 360 Identity has several benefits that relate to Customer 360, such as3:

Customer 360 Identity enables an organization to build a single login for each of its customers, giving the organization an understanding of the user’s login activity across all its digital properties and applications. This helps to create a unified customer profile and deliver personalized experiences based on user preferences and behaviors3.

Customer 360 Identity supports multiple brands so you can deliver centralized identity services and correlation of user activity, even if it spans multiple corporate brands and user experiences. This helps to maintain brand consistency and loyalty while providing seamless access to your products and services3.

Amazon supports OpenID Connect as an authentication protocol, which allows usersto sign in with their Amazon credentials and access Salesforce resources. To enable this, an identity architect needs to configure an OpenID Connect Authentication Provider for Amazon and link it to a connected app. References: OpenID Connect Authentication Providers, Social Sign-On with OpenID Connect

Custom SAML JIT Provisioning allows Salesforce to dynamically create or update user records in the classified information system based on the SAML assertion sent by Salesforce as the IdP. This way, the staff can access the system only when they have an open “Classified” case, and their access is revoked when they don’t. Option A is incorrect because Salesforce reports are not a reliable way to grant or revoke access to the system, as they are not updated in real time and may not reflect the current status of the cases. Option B is incorrect because Apex triggers can only assign or remove permission sets within Salesforce, not in an external system. Option D is incorrect becausea Common Connected App Handler using Apex is used to customize the behavior of a connected app, not to control access to an external system based on user attributes. References: Custom SAML JIT Provisioning, Create a Custom Connected App Handler

 these are the optimal actions to troubleshoot a SAML error. According to the Salesforce documentation1, you can use the following methods to debug a SAML error:

Use a browser that has an add-on/extension that can inspect SAML. This will allow you to see the SAML request and response messages and identify any issues with the SAML assertion or the SAML response2.

Paste the SAML Assertion Validator in Salesforce. This is a tool that helps you validate the last SAML operation on your organization and shows you any errors or warnings with the SAML assertion or the SAML response1.

Option A is incorrect because the Callback URL is not related to SAML SSO. The Callback URL is used for OAuth SSO, which is a different protocol3. Option D is incorrect because using the browser’s Development tools to view the Salesforce page’s markup will not help you debug a SAML error. The page’s markup doesnot contain any information about the SAML request or response4.

To enable a trusted connection between the login services and Salesforce, UC should enforce mutual authentication between systems using SSL. Mutual authentication is a process in which both parties in a communication verify each other’s identity using certificates7. SSL (Secure Sockets Layer) is a protocol that provides secure communication over the Internet using encryption and certificates8. By using mutual authentication with SSL, UC can ensure that only authorized login services can access Salesforce and vice versa. This can prevent unauthorized access, impersonation, or phishing attacks.

To give customers the ability to login with their Facebook and Twitter credentials, the identity architect should configure a predefined authentication provider for Facebook and a predefined authentication provider for Twitter. Authentication providers are configurations that enable users to authenticate with an external identity provider and access Salesforce resources. Salesforce provides predefined authentication providers for somecommon identity providers, such as Facebook and Twitter, which can be easily configured with minimal customization. Creating a custom external authentication provider is not necessary for this scenario. References: Authentication Providers, Social Sign-Onwith Authentication Providers

User provisioning is a feature that allows Salesforce to create, update, or deactivate user accounts on a third-party system, such as Concur, based on user assignments in Salesforce1. To implementuser provisioning for Concur with an approval process, the identity architect should use the following steps2:

Create a connected app for Concur in Salesforce. A connected app is an application that integrates with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect3. To create a connected app for Concur, you need to provide the basic information, such as the app name, logo URL, contact email, and API name. You also need to enable SAML and configure the SAML settings, such as the entity ID, ACS URL, and subject type4.

Enable User Provisioning for the connected app. This step allows you to configure the user provisioning settings for the connected app, such as theprovisioning API endpoint URL, the client ID and client secret, the mapping of user attributes, and the linkage rules5. You can also choose to require an approval process for user provisioning requests by selecting the Approval Required option6.

Create an approval process for UserProvisioningRequest object associated with the provisioning flow. A UserProvisioningRequest object represents a user provisioning request that is sent to or received from a third-party system7. An approval process specifies the steps necessary for a record to beapproved and whomust approve it at each step8. To create an approval process for UserProvisioningRequest object, you need to define theapproval steps, assignees, actions, criteria, and email alerts9.

The twostatements that are capabilities of Identity Connect are:

It supports both identity-provider-initiated and service-provider-initiated SSO. Identity Connect is a desktop application that integrates Salesforce with Microsoft Active Directory (AD) and enablessingle sign-on (SSO) between the two systems. Identity Connect supports both identity-provider-initiated SSO, which is when the user starts at the AD site and then is redirected to Salesforce with a SAML assertion, and service-provider-initiated SSO, which is when the user starts at the Salesforce site and then is redirected to AD for authentication.

It enables automated user synchronization and deactivation. Identity Connect allows administrators to synchronize user accounts and attributes between AD andSalesforce, either manually or on a scheduled basis. Identity Connect also allows administrators to deactivate user accounts in Salesforce when they are disabled or deleted in AD, which helps maintain security and compliance.

The other options are not capabilities of Identity Connect. Identity Connect does not support synchronization of Salesforce permission set license assignments, as these are not related to AD attributes. Identity Connect does not support multiple orgs connecting to multiple AD servers,as it can only connect one Salesforce org to one AD domain at a time. References: [Identity Connect], [Identity Connect Features], [Identity Connect User Synchronization], [Identity Connect Single Sign-On]

The two role combinations thatare represented by the systems in the scenario are Salesforce as the service provider and Google as the identity provider, and Salesforce as the service provider and Facebook as the identity provider. This means that Salesforce hosts the customer community app and relies onGoogleor Facebook to authenticate the users who log in with those options4. Therefore, option B and D are the correct answers.

OAuth Device Flow is a protocol that allows users to authenticate their devices, such asfitness trackers, smart TVs, or printers, with an external identity provider and access Salesforce resources. The device flow involves displaying a verification code and a URL on the device, which the user can use to log in and authorize the device from another device, such as a smartphone or a computer. References: OAuth Device Flow, OAuth 2.0 Device Flow

The recommended solution for UC to enable a two-factor login process for Salesforce and their existing on-premise applications is to replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce. Salesforce 2FA is a feature that requires users to verify their identity with a second factor, such as a verification code or a mobile app, after entering their username and password. Salesforce 2FA can be enabled for both Salesforce and on-premise applications by using one of the following methods:

Use Salesforce Authenticator, a mobile app that generates verification codes or sends push notifications to users’ devices.

Use a third-party authenticator app, such as Google Authenticator or Microsoft Authenticator, that generates verification codes based on a shared secret key.

Use a verification code sent by email or SMS to users’ registered email address or phone number.

Use a U2F security key, such as YubiKey, that plugs into users’ devices and provides a physical token.

By replacing the custom 2FA system with Salesforce 2FA, UC can benefit from the following advantages:

Improved security and compliance by using a standard and proven 2FA solution that protects against phishing, credential theft, and brute force attacks.

Reduced complexity and cost by eliminating theneed to maintain a custom 2FA system and integrating it with Salesforce.

Enhanced user experience and convenience by providing multiple options for verifying identity and allowing users to remember trusted devices or browsers.

The other options are not recommended solutions for this scenario. Using the custom 2FA system for on-premise applications and native 2FA for Salesforce would create inconsistency and confusion for users who have to use different methods of verification for different applications. Replacing the custom 2FA system with an AppExchange app that supports on-premise applicationsand Salesforce would require UC to find an app that meets their specific needs and pay for its license and maintenance. Using custom login flows to connect to the existing custom 2FA system for use in Salesforce would require UC to write custom code and logic to invoke the custom 2FA system from Salesforce, which could introduce security and performance issues. References: [Two-Factor Authentication], [Salesforce Authenticator], [Third-Party Authenticator Apps], [Verification Code via Email or SMS], [U2F Security Keys], [Custom Login Flows]

Delegated Authentication will continue to work with a .NET service as long as it is wrapped in a web service that Salesforce canconsume1. Delegated Authentication will not work with REST services because it requires a SOAP-based web service23. Therefore, option C and D are the correct answers.

These are the steps required to enable Salesforce as a SAML Identity Provider and use the App Launcher to access external applications. According to the Salesforce documentation1, you need to:

Enable Salesforce as a SAML Identity Provider with My Domain2.

Create aConnected App for each external application that you want to integrate with Salesforce3.

Add each Connected App to the App Launcher with a Start URL that points to the external application1.

Option B is incorrect because setting up an Auth Provider is not necessary for SAML SSO. Auth Providers are used for OAuth SSO, which isa different protocol4. Option D is incorrect because Identity Connect is a tool for synchronizing user data between Active Directory and Salesforce, which is not related to SSO or App Launcher5.

Adding the employee portal’s IP address to the trusted IP range for the connected app is the best way to restrict the connection to Salesforce only to the employee portal server. This will ensure that only requests from the specified IP range will be accepted by Salesforce for that connected app. Option B is not a good choice because using a digital certificate signed by the employee portal server may not be supported by Salesforce for OAuth username-password flow. Option C is not a good choice because adding the employee portal’s IP address to the login IP range on the user profile may not be sufficient, as it will still allow other users with the same profile to log in from that IP range. Option D is not a good choice because using a dedicated profile for the user that the employee portal uses may not be effective, as it will still allow other users with that profile to log in from any IP address. References: [Connected Apps], [OAuth 2.0 Username-Password Flow]

 To enable a trusted connection between the login service and Salesforce, an architect should enforce mutual authentication between systems using SSL. Mutual authentication, also known as two-way SSL or client certificate authentication, is a process in whichboth parties in a communication exchange certificates to verify their identities7. This mechanism ensures that only authorized systems can access each other’s resources and prevents unauthorized access or spoofing attacks8. To use mutual authentication with delegated authentication, you need to do the following steps9:

Generate a self-signed certificate in Salesforce and download it.

Import the certificate into your login service’s truststore.

Configure your login service to require client certificates for incoming requests.

Generate a certificate for your login service and export it.

Import the certificate into Salesforce’s certificate and key management tool.

Enable mutual authentication for your login service’s endpoint URL in Salesforce.