IDENTITY-AND-ACCESS-MANAGEMENT-ARCHITECT Online Practice Questions and Answers

How should an Architect automatically redirect users to the login page of the external Identity provider when using an SP-Initiated SAML flow with Salesforce as a Service Provider?

A. Use visualforce as the landing page for My Domain to redirect users to the Identity Provider login Page.

B. Enable the Redirect to the Identity Provider setting under Authentication Services on the My domain Configuration.

C. Remove the Login page from the list of Authentication Services on the My Domain configuration.

D. Set the Identity Provider as default and enable the Redirect to the Identity Provider setting on the SAML Configuration.

Universal Containers (UC) wants to build a mobile application that twill be making calls to the Salesforce REST API. UC's Salesforce implementation relies heavily on custom objects and custom Apex code. UC does not want its users to have to enter credentials every time they use the app. Which two scope values should an Architect recommend to UC? Choose 2 answers.

A. Custom_permissions

B. Api

C. Refresh_token

D. Full

A global company has built an external application that uses data from its Salesforce org via an OAuth 2.0 authorization flow. Upon logout, the existing Salesforce OAuth token must be invalidated. Which action will accomplish this?

A. Use a HTTP POST to request the refresh token for the current user.

B. Use a HTTP POST to the System for Cross-domain Identity Management (SCIM) endpoint, including the current OAuth token.

C. Use a HTTP POST to make a call to the revoke token endpoint.

D. Enable Single Logout with a secure logout URL.

Northern Trail Outfitters (NTO) has an existing custom business-to-consumer (B2C) website that does NOT support single sign-on standards, such as Security Assertion Markup Language (SAMi) or OAuth. NTO wants to use Salesforce

Identity to register and authenticate new customers on the website.

Which two Salesforce features should an identity architect use in order to provide username/password authentication for the website?

Choose 2 answers

A. Identity Connect

B. Delegated Authentication

C. Connected Apps

D. Embedded Login

Universal Containers (UC) has decided to use Salesforce as an Identity Provider for multiple external applications. UC wants to use the salesforce App Launcher to control the Apps that are available to individual users. Which three steps are required to make this happen?

A. Add each connected App to the App Launcher with a Start URL.

B. Set up an Auth Provider for each External Application.

C. Set up Salesforce as a SAML Idp with My Domain.

D. Set up Identity Connect to Synchronize user data.

E. Create a Connected App for each external application.

Universal containers (UC) has implemented a multi-org strategy and would like to centralize the management of their salesforce user profiles. What should the architect recommend to allow salesforce profiles to be managed from a central system of record?

A. Implement jit provisioning on the SAML IDP that will pass the profile id in each assertion.

B. Create an apex scheduled job in one org that will synchronize the other orgs profile.

C. Implement Delegated Authentication that will update the user profiles as necessary.

D. Implement an Oauthjwt flow to pass the profile credentials between systems.

An Architect has configured a SAML-based SSO integration between Salesforce and an external Identity provider and is ready to test it. When the Architect attempts to log in to Salesforce using SSO, the Architect receives a SAML error. Which two optimal actions should the Architect take to troubleshoot the issue?

A. Ensure the Callback URL is correctly set in the Connected Apps settings.

B. Use a browser that has an add-on/extension that can inspect SAML.

C. Paste the SAML Assertion Validator in Salesforce.

D. Use the browser's Development tools to view the Salesforce page's markup.

Northern Trail Outfitters (NTO) recently purchased Salesforce Identity Connect to streamline user provisioning across Microsoft Active Directory (AD) and Salesforce Sales Cloud.

NTO has asked an identity architect to identify which salesforce security configurations can map to AD permissions.

Which three Salesforce permissions are available to map to AD permissions?

Choose 3 answers

A. Public Groups

B. Field-Level Security

C. Roles

D. Sharing Rules

E. Profiles and Permission Sets

Northern Trail Outfitters (NTO) uses Salesforce Experience Cloud sites (previously known as Customer Community) to provide a digital portal where customers can login using their Google account.

NTO would like to automatically create a case record for first time users logging into Salesforce Experience Cloud.

What should an Identity architect do to fulfill the requirement?

A. Configure an authentication provider for Social Login using Google and a custom registration handler.

B. Implement a Just-in-Time handler class that has logic to create cases upon first login.

C. Create an authentication provider for Social Login using Google and leverage standard registration handler.

D. Implement a login flow with a record create component for Case.

An identity architect is setting up an integration between Salesforce and a third-party system. The third-party system needs to authenticate to Salesforce and then make API calls against the REST API.

One of the requirements is that the solution needs to ensure the third party service providers connected app in Salesforce mini need for end user interaction and maximizes security.

Which OAuth flow should be used to fulfill the requirement?

A. JWT Bearer Flow

B. Web Server Flow

C. User Agent Flow

D. Username-Password Flow