Free Salesforce Identity-and-Access-Management-Designer Exam Dumps Online

Study for the Salesforce Certified Identity and Access Management Designer (SP19) certification begins with Salesforce Identity-and-Access-Management-Designer preparation products, which are designed to deliver the highest quality Identity-and-Access-Management-Designer questions so that you pass the Identity-and-Access-Management-Designer test the first time. Try the free Identity-and-Access-Management-Designer demo right now.

Online Salesforce Identity-and-Access-Management-Designer free dumps demo below:

NEW QUESTION 1
A Salesforce customer is implementing Sales Cloud and a custom pricing application for its call center agents. An enterprise single sign-on solution is used to authenticate and sign in users to all applications. The customer has the following requirements:
1. The development team has decided to use a Canvas app to expose the pricing application to agents.
2. Agents should be able to access the Canvas app without needing to log in to the pricing application.
Which two options should the identity architect consider to provide support for the Canvas app to initiate login for users?
Choose 2 answers

  • A. Select "Enable as a Canvas Personal App" in the connected app settings.
  • B. Enable OAuth settings in the connected app with required OAuth scopes for the pricing application.
  • C. Configure the Canvas app as a connected app and set Admin-approved users as pre-authorized.
  • D. Enable SAML in the connected app and Security Assertion Markup Language (SAML) Initiation Method as Service Provider Initiated.

Answer: CD

NEW QUESTION 2
Universal Containers (UC) wants its users to access Salesforce and other SSO-enabled applications from a custom web page that UC manages. UC wants its users to use the same set of credentials to access each of the applications. What SAML SSO flow should an Architect recommend for UC?

  • A. SP-Initiated with Deep Linking
  • B. SP-Initiated
  • C. IdP-Initiated
  • D. User-Agent

Answer: C

NEW QUESTION 3
Universal Containers (UC) has a Customer Community that uses Facebook for authentication. UC would like to ensure that changes in the Facebook profile are reflected on the appropriate Customer Community user. How can this requirement be met?

  • A. Use the updateUser method on the Registration Handler class.
  • B. Develop a scheduled job that calls out to Facebook on a nightly basis.
  • C. Use information in the signed request that is received from Facebook.
  • D. Use SAML Just-In-Time Provisioning between Facebook and Salesforce.

Answer: A

NEW QUESTION 4
The executive sponsor for an organization has asked if Salesforce supports the ability to embed a login widget into its service providers in order to create a more seamless user experience.
What should be used and considered before recommending it as a solution on the Salesforce Platform?

  • A. OpenID Connect Web Server Flow
  • B. Determine if the service provider is secure enough to store the client secret on.
  • C. Embedded Login
  • D. Identify what level of UI customization will be required to make it match the service provider's look and feel.
  • E. Salesforce REST API
  • F. Ensure that Secure Sockets Layer (SSL) connection for the integration is used.
  • G. Embedded Login
  • H. Consider whether or not it relies on third-party cookies, which can cause browser compatibility issues.

Answer: C

NEW QUESTION 5
Which three are capabilities of SAML-based Federated authentication? Choose 3 answers

  • A. Trust relationships between Identity Provider and Service Provider are required.
  • B. SAML tokens can be in XML or JSON format and can be used interchangeably.
  • C. Web applications with no passwords are more secure and stronger against attacks.
  • D. Access tokens are used to access resources on the server once the user is authenticated.
  • E. Centralized federation provides single point of access, control and auditing.

Answer: ADE

NEW QUESTION 6
A global company's Salesforce Identity Architect is reviewing its Salesforce production org login history and is seeing some intermittent Security Assertion Markup Language (SAML SSO) 'Replay Detected and Assertion Invalid' login errors.
Which two issues would cause these errors? Choose 2 answers

  • A. The subject element is missing from the assertion sent to Salesforce.
  • B. The certificate loaded into SSO configuration does not match the certificate used by the IdP.
  • C. The current time setting of the company's identity provider (IdP) and Salesforce platform is out of sync by more than eight minutes.
  • D. The assertion sent to Salesforce contains an assertion ID previously used.

Answer: AD

NEW QUESTION 7
Universal Containers (UC) wants to integrate a third-party Reward Calculation system with Salesforce to calculate Rewards. Rewards will be calculated on a scheduled basis and updated back into Salesforce. The integration between Salesforce and the Reward Calculation system needs to be secure. Which are two recommended practices for using OAuth flow in this scenario? Choose 2 answers

  • A. OAuth Refresh Token Flow
  • B. OAuth Username-Password Flow
  • C. OAuth SAML Bearer Assertion Flow
  • D. OAuth JWT Bearer Token Flow

Answer: CD

NEW QUESTION 8
A company's external application is protected by Salesforce through OAuth. The identity architect for the project needs to limit the level of access to the data of the protected resource in a flexible way.
What should be done to improve security?

  • A. Select "Admin approved users are pre-authorized" and assign specific profiles.
  • B. Create custom scopes and assign to the connected app.
  • C. Define a permission set that grants access to the app and assign to authorized users.
  • D. Leverage external objects and data classification policies.

Answer: B

NEW QUESTION 9
Universal Containers (UC) is using a custom application that will act as the Identity Provider and will generate SAML assertions used to log in to Salesforce. UC is considering including custom parameters in the SAML assertion. These attributes contain sensitive data and are needed to authenticate the users. The assertions are submitted to Salesforce via a browser form post. The majority of the users will only be able to access Salesforce via UC's corporate network, but a subset of admins and executives would be allowed access from outside the corporate network on their mobile devices. Which two methods should an Architect consider to ensure that the sensitive data cannot be tampered with, nor be accessible to anyone, while in transit?

  • A. Use the Identity Provider's certificate to digitally sign and Salesforce's Certificate to encrypt the payload.
  • B. Use Salesforce's Certificate to digitally sign the SAML Assertion and a Mobile Device Management client on the users' mobile devices.
  • C. Use the Identity Provider's certificate to digitally sign and the Identity Provider's certificate to encrypt the payload.
  • D. Use a custom login flow to retrieve sensitive data using an Apex callout without including the attributes in the assertion.

Answer: AC

NEW QUESTION 10
Universal Containers (UC) has a classified information system that its call centre team uses only when they are working on a case with a record type of "classified". They are only allowed to access the system when they own an open "classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO with Salesforce as the IdP, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying access to the classified information system based on the open "classified" case record criteria?

  • A. Use a custom connected app handler using Apex to dynamically allow access to the system based on whether the staff owns any open "classified" cases.
  • B. Use an Apex trigger on case to dynamically assign permission sets that grant access when a user is assigned with an open "classified" case, and remove it when the case is closed.
  • C. Use custom SAML JIT provisioning to dynamically query the user's open "classified" cases when attempting to access the classified information system.
  • D. Use Salesforce reports to identify users that currently own open "classified" cases and should be granted access to the classified information system.

Answer: A

NEW QUESTION 11
Universal Containers uses an Employee portal for their employees to collaborate. Employees access the portal from their company's internal website via SSO. It is set up to work with Active Directory. What is the role of Active Directory in this scenario?

  • A. Identity store
  • B. Authentication store
  • C. Identity provider
  • D. Service provider

Answer: C

NEW QUESTION 12
IT security at Universal Containers (UC) is concerned about recent phishing scams targeting its users and wants to add additional layers of login protection. What should an Architect recommend to address the issue?

  • A. Use the Salesforce Authenticator mobile app with two-step verification
  • B. Lock sessions to the IP address from which they originated.
  • C. Increase Password complexity requirements in Salesforce.
  • D. Implement Single Sign-on using a corporate Identity store.

Answer: A

NEW QUESTION 13
Universal Containers (UC) is successfully using Delegated Authentication for their Salesforce users. The service supporting Delegated Authentication is written in Java. UC has a new CIO that is requiring all company Web services be RESTful and written in .NET. Which two considerations should the UC Architect provide to the new CIO? Choose 2 answers

  • A. Delegated Authentication will not work with a .NET service.
  • B. Delegated Authentication will continue to work with REST services.
  • C. Delegated Authentication will continue to work with a .NET service.
  • D. Delegated Authentication will not work with REST services.

Answer: CD

NEW QUESTION 14
Universal Containers (UC) has five Salesforce orgs (UC1, UC2, UC3, UC4, UC5). Every user that is in UC2, UC3, UC4, and UC5 is also in UC1, however not all users have access to every org. Universal Containers would like to simplify the authentication process such that all Salesforce users need to remember one set of credentials. UC would like to achieve this with the least impact to cost and maintenance. What approach should an Architect recommend to UC?

  • A. Purchase a third-party Identity Provider for all five Salesforce orgs to use and set up JIT user provisioning on all other orgs.
  • B. Purchase a third-party Identity Provider for all five Salesforce orgs to use, but don't set up JIT user provisioning for other orgs.
  • C. Configure UC1 as the Identity Provider to the other four Salesforce orgs and set up JIT user provisioning on all other orgs.
  • D. Configure UC1 as the Identity Provider to the other four Salesforce orgs, but don't set up JIT user provisioning for other orgs.

Answer: B

NEW QUESTION 15
Universal Containers (UC) has an e-commerce website where customers can buy products, make payments, and manage their accounts. UC decides to build a customer Community on Salesforce and wants to allow the customers to access the community for their accounts without logging in again. UC decides to implement an SP-Initiated SSO using a SAML-based compliant IdP. In this scenario where Salesforce is the service provider, which two activities must be performed in Salesforce to make SP-Initiated SSO work? Choose 2 answers

  • A. Configure SAML SSO settings.
  • B. Configure Delegated Authentication.
  • C. Create a connected app.
  • D. Set up My Domain.

Answer: AD

NEW QUESTION 16
Customer service representatives at Universal Containers (UC) are complaining that whenever they click on links to case records and are asked to log in with SAML SSO, they are being redirected to the Salesforce home tab and not the specific case record. What item should an architect advise the identity team at UC to investigate first?

  • A. My Domain is configured and active within Salesforce.
  • B. The Salesforce SSO settings are using HTTP POST.
  • C. The identity provider is correctly preserving the Relay State.
  • D. The users have the correct Federation ID within Salesforce.

Answer: C

NEW QUESTION 17
How should an Architect force users to authenticate with Two-factor Authentication (2FA) for Salesforce only when not connected to an internal company network?

  • A. Use Custom Login Flows with Apex to detect the user's IP address and prompt for 2FA if needed.
  • B. Add the list of company's network IP addresses to the Login Range list under 2FA Setup.
  • C. Use an Apex Trigger on the UserLogin object to detect the user's IP address and prompt for 2FA if needed.
  • D. Apply the "Two-factor Authentication for User Interface Logins" permission and Login IP Ranges for all Profiles.

Answer: A

NEW QUESTION 18
......
