What information does the 'Relaystate' parameter contain in sp-Initiated Single Sign-on?

. Reference to a URL redirect parameter at the service provider

Reference to a URL redirect parameter at the identity provider.

Reference to the login address URL of the service provider

Reference to the login address URL of the identity Provider.

An administrator created a connected app for a custom web application in Salesforce which needs to be visible as a tile in App Launcher. The tile for the custom web application is missing in the app launcher for all users in Salesforce. The administrator requested assistance from an identity architect to resolve the issue. Which two reasons are the source of the issue? Choose 2 answers

StartURL for the connected app is not set in Connected App settings.

Session Policy is set as “High Assurance Session required” for this connected app.

The connected app is not set in the App menu as “Visible in App Launcher”

OAuth scope does not include “openid”.

Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Access Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee recently was able to login to NTO’s Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory. What should an identity architect recommend to prevent this from happening in the future?

Configure an authentication provider to delegate authentication to the LDAP directory.

Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce As they are disabled in LDAP

Setup an identity provider (IdP) to authenticate users using LDAP, set up single sign-on to Salesforce and disable Login Form authentication

Use a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce

Northern Trail Outfitters (NTO) is planning to implement a community for its customers using Salesforce Experience Cloud. Customers are not able to selfregister. NTO would like to have customers set their own passwords when provided access to the community. Which two recommendations should an identity architect make to fulfill this requirement? Choose 2 answers

Use Login Flows to allow users to reset password in Experience Cloud site.

Allow Password reset using the API to update Experience Cloud site membership.

Enable Welcome emails while configuring the Experience Cloud site.

Add customers as contacts and add them to Experience Cloud site.

Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, who use SAML based sign sign-on to login to Salesforce. The default agent profile does not include the Manage User permission. UC wants to dynamically update the agent role and permission sets. Which two mechanisms are used to provision agents with the appropriate permissions? Choose 2 answers

Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets.

Use Login Flow in System Context to update role and permission sets

Use SAML Just-in-Time (JIT) Handler class run as current user to update role and permission sets.

Use Login Flow in User Context to update role and permission sets.

Northern Trail Outfitters (NTO) has a requirement to ensure all user logins include a single multi-factor Authentication (MFA) prompt. Currently, users are allowed the choice to login with a username and password or Via single sign-on against NTO’s corporate Identity Provider, which includes builtin MFA. Which configuration will meet this requirement?

AB Enable “MFA for User Interface Logins” for your organization from Setup -> Identity Verification.

Create a custom login flow that enforces MFA and assign it to a permission set. Then assign the permission set to all employees

Create and assign a permission set to all employees that includes “MFA for User Interface Logins.”

For all employee profiles, set the Session Level Required at Login to High Assurance and add the corporate identity provider to the High Assurance list for the org’s Session Security Levels

Universal Containers (UC) operates in Asia, Europe and North America regions. There is one Salesforce org for each region. UC is implementing Customer 360 in Salesforce and has procured External Identity and Customer Community licenses in all orgs. Customers of UC use Community to track orders and create inquiries. Customers also tend to move across regions frequently. What should an identity architect recommend to optimize license usage and reduce maintenance overhead?

Contacts are required since Community access needs to be enabled. Maintenance is a necessary overhead that must be handled via data integration.

Merge three orgs into one instance of Salesforce. This will no longer require maintaining three separate copies of the same customer.

Enable Contactless User in all orgs and downgrade users from Experience Cloud license to External Identity license once users have moved out of that region.

Delete contact/ account records and deactivate user if user moves from a specific region; Sync will no longer be required.

Universal Containers would like its customers to register and log in to a portal built on Salesforce Experience Cloud. Customers should be able to use their Facebook or LinkedIn credentials for ease of use. Which three steps should an identity architect take to implement social sign-on? Choose 3 answers

Create authentication providers for both Facebook and LinkedIn.

Check “Facebook” and “LinkedIn” under Login Page Setup.

Update the default registration handlers to create and update users.

Register both Facebook and LinkedIn as connected apps.

Enable “Federated Single Sign-On Using SAML”.

Northern Trail Outfitters would like to use a portal built on Salesforce Experience Cloud for customer self-service. Guests of the portal should be able to selfregister, but be unable to automatically be assigned to a contact record until verified. External Identity licenses have been purchased for the project. After registered guests complete an onboarding process, a flow will create the appropriate account and contact records for the user. Which three steps should an identity architect follow to implement the outlined requirements? Choose 3 answers

Select the “Configurable Self-Reg Page” option under Login & Registration.

Enable “Allow customers and partners to self-register”.

Customize the self-registration Apex handler to create only the user record.

Set up an external login page and call Salesforce APIs for user creation.

Customize the self-registration Apex handler to temporarily associate the user to a shared single contact record.

An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The following are the requirements for the solution: 1. Users should not have to login every time they use the app. 2. The app should be able to make calls to the Salesforce REST API. 3. End users should NOT see the OAuth approval page. How should the identity architect configure the Salesforce connected app to meet the requirements?

Enable the API Scope and Offline Access Scope, upload a certificate so JWT Bearer Flow can be used And then set the connected app access settings to “Admin PreApproved”. Enable the Full Access Scope and then set the connected app access settings to “Admin Pre D. Approved”.

Enable the API Scope and Offline Access Scope on the connected app, and then set the connected

App to access settings to “Admin Pre-Approved”

Enable the API Scope and Offline Access Scope on the connected app, and then set the Connected App access settings to “User may self authorize”.

Universal Containers (UC) is planning to add Wi-Fi enabled GPS tracking devices to its shipping containers so that the GPS coordinates data can be sent from the tracking device to its Salesforce production org via a custom API. The GPS devices have no direct user input or output capabilities. Which OAuth flow should the identity architect recommend to meet the requirement?

OAuth 2.0 Asset Token Flow for Securing Connected Devices

OAuth 2.0 Web Server Flow for Web App Integration

2.0 JWT Bearer Flow for Server-to-Server Integration

Oauth 2.0 Username-Password Flow for Special Scenarios

A financial services company uses Salesforce and has a compliance requirement to track information about devices from which users log in. Also, a Salesforce Security Administrator needs to have the ability to revoke the device from which users log in. What should be used to fulfill this requirement?

Use the Activations feature to meet the compliance requirement to track device information.

Use the Login History object to track information about devices from which users log in.

Use multi-factor authentication (MFA) to meet the compliance requirement to track device informations

Use Login Flows to capture device from which users log in and store device and user information in a custom object.

When designing a multi-branded Customer Identity and Access Management solution on the Salesforce Platform, how should an identity architect ensure a specific brand experience in Salesforce is presented?

The Experience ID, which can be included in OAuth/Open ID flows and Security Assertion Markup Language (SAML) flows as a URL parameter.

The Audience ID, which can be set in a shared cookie.

Add a custom parameter to the service provider’s OAuth/SAML call and implement logic on its login page to apply branding based on the parameters value

Provide a brand picker that the end user can use to select its sub-brand when they arrive on Salesforce

How should an identity architect automate provisioning and deprovisioning of users into Salesforce from an external system?

Run registration handler on incoming OAuth responses.

Use Security Assertion Markup Language Just-in-Time (SAML JIT) on incoming SAML assertions.

Call SOAP API upsert() on User object.

OpenID Connect (OIDC)-userinfo endpoint with a valid access token.

Northern Trail Outfitters manages functional group permissions in a custom security application supported by a relational database and a REST service layer. Group permissions are mapped as permission sets in Salesforce. Which action should an identity architect use to ensure functional group permissions are reflected as permission set assignments?

Use a Login Flow with invocable Apex to callout to the security application and set permission sets.

Use a Login Flow to query SAML attributes and set permission sets.

Use the Apex JIT handler to callout to the security application and set permission sets.

Use the Apex Just-in-Time (JIT) handler to query the Security Assertion Markup Language (SAML) attributes and set permission sets.

Northern Trail Outfitters manages application functional permissions centrally as Active Directory groups. The CRM SuperUser and CRM_Reporting SuperUser groups should respectively give the user the Super User and Reporting Super User permission set in Salesforce. Salesforce is the service provider to a Security Assertion Markup Language (SAML) identity provider. How should an identity architect ensure the Active Directory groups are reflected correctly when a user accesses Salesforce?

Use the Apex Just-in-Time handler to query custom SAML attributes and set permission sets.

Use the Apex Just-in-Time handler to query standard SAML attributes and set permission sets

Use a login flow to query standard SAML attributes and set permission sets.

Use a login flow to query custom SAML attributes and set permission sets

Northern Trail Outfitters want to allow its consumer to self-register on it business-toconsumer (B2C) portal that is built on Experience Cloud. The identity architect has recommended to use Person Accounts. Which three steps need to be configured to enable self-registration using person accounts? Choose 3 answers

Under Login and Registration settings, ensure that the default account field is empty.

Enable access to person and business account record types under Public Access Settings.

Contact Salesforce Support to enable person accounts.

Contact Salesforce Support to enable business accounts

Set organization-wide default sharing for Contact to Public Read Only.

Universal Container’s (UC) identity architect needs to recommend a license type for their new Experience Cloud site that will be used by external partners (delivery providers) for reviewing and updating their accounts, downloading files provided by UC and obtaining scheduled pickup dates from their calendar. UC is using their Salesforce production org as the identity provider for these users and the expected number of individual users is 2.5 million with 13.5 million unique logins per month. Which of the following license types should be used to meet the requirement?

Customer Community plus Login License

Partner Community Login License

An Enterprise is using a Lightweight Directory Access Protocol (LDAP) server as the only point for user authentication with a username/password. Salesforce delegated authentication is configured to integrate Salesforce under single sign-on (SSO). How can end users change their password?

Users can request the Salesforce Admin to reset their password.

Users once logged in, can go to the Change Password screen in Salesforce.

Users can change it on the enterprise LDAP authentication portal.

Users can click on the “Forgot your Password” link on the Salesforce.com login page

Universal Containers wants to secure its Salesforce APIs by using an existing Security Assertion Markup Language (SAML) configuration that supports the company’s single sign-on process to Salesforce. Which Salesforce OAuth authorization flow should be used?

OAuth 2.0 SAML Bearer Assertion Flow

Indentity & Access Managment Set 1

Authored by Joaquín Carmona

Other

1st Grade

Used 9+ times

AI Actions

Add similar questions

Adjust reading levels

Convert to real-world scenario

Translate activity

More...

Content View

Student View

30 questions

Show all answers

MULTIPLE SELECT QUESTION

45 sec • 1 pt

Northern Trail Outfitters (NTO) has an existing business-to-consumer (B2C) website that that does NOT support single sign-on standards, such as Security Assertion Markup Language (SAML) or OAuth. NTO wants to use Salesforce Identity to register and authenticate new customers on the website. Which three Salesforce features should an Identity architect use in order to provide social sign-in capabilities for the website? Choose 3 answers

Delegated Authentication

Connected Apps

Authentication Providers

Embedded Login

Identity Connect

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A technology enterprise is setting up an identity solution with an external vendors wellness application for its employees. The user attributes need to be returned to the wellness application in an ID token. Which authentication mechanism should an identity architect recommend to meet the requirements?

Web Server Flow

OpenID Connect

User Agent Flow

JWT Bearer Token Flow

MULTIPLE SELECT QUESTION

45 sec • 1 pt

Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow. Application users will authenticate using username and password. They should not be forced to approve API access in the mobile app or reauthenticate for 3 months. Which two connected app options need to be configured to fulfill this use case? Choose 2 answers

Set Permitted Users to “Admin approved users are pre-authorized”

Set the Refresh Token Policy to expire refresh token after 3 months

Set the Session Timeout value to 3 months

Set Permitted Users to “All users may self-authorize”

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A company’s external application is protected by Salesforce through OAuth. The identity architect for the project needs to limit the level of access to the data of the protected resource in a flexible way. What should be done to improve security?

Create custom scopes and assign to the connected app.

Define a permission set that grants access to the app and assign to authorized users.

Select “Admin approved users are pre-authorized” and assign specific profiles.

Leverage external objects and data classification policies.

MULTIPLE SELECT QUESTION

45 sec • 1 pt

Northern Trail Outfitters (NTO) uses Salesforce for Sales Opportunity Management. Okta was recently brought in to Just-in-Time (JIT) provision and authenticate NTO users to applications. Salesforce users also use OKta to authorize a Forecasting web application to access Salesforce records on their behalf. Which two roles are being performed by Salesforce? Choose 2 answers

OAuth Resource Server

OAuth Client

SAML Service Provider

SAML Identity Provider

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

An identity architect is setting up an integration between Salesforce and a third-party system. The third-party system needs to be able to authenticate to Salesforce and then make API calls against the REST API. One of the requirements is that the solution needs to ensure the third party service providers connected app in Salesforce minimizes the need for end user interaction and maximizes security. Which OAuth flow should be used to fulfill the requirement?

JWT Bearer Flow

Username-Password Flow

Web Server Flow

User Agent Flow

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A public sector agency is setting up an identity solution for its citizens using a Community built on Experience Cloud and requires the new user registration functionality to capture first name, last name, and phone number. The phone number will be used for identity verification. Which feature should an identity architect recommend to meet the requirements?

Use an external Identity Provider

Create a custom Lightning Web Component

Integrate with social websites (Facebook, LinkedIn, Twitter)

Use Login Discovery

Access all questions and much more by creating a free account

Create resources

Host any resource

Get auto-graded reports

Continue with Google

Continue with Email

Continue with Classlink

Continue with Clever

or continue with

Microsoft

Apple

Others

Already have an account?

Similar Resources on Wayground

25 questions

Yle starter Animals

Quiz

•

1st Grade

25 questions

FFA

Quiz

•

KG - University

25 questions

Religia-Chrzescijanstwo

Quiz

•

KG - University

25 questions

Ice Cream!

Quiz

•

KG - 12th Grade

27 questions

Spoken Sanskrit Quiz

Quiz

•

KG - Professional Dev...

30 questions

Disney Pixar Trivia Game

Quiz

•

KG - 5th Grade

33 questions

Roblox piggy

Quiz

•

KG - Professional Dev...

27 questions

christmas movies

Quiz

•

KG - University

Popular Resources on Wayground

7 questions

History of Valentine's Day

Interactive video

•

4th Grade

15 questions

Fractions on a Number Line

Quiz

•

3rd Grade

20 questions

Equivalent Fractions

Quiz

•

3rd Grade

25 questions

Multiplication Facts

Quiz

•

5th Grade

$fractions$

22 questions

fractions

Quiz

•

3rd Grade

15 questions

Valentine's Day Trivia

Quiz

•

3rd Grade

20 questions

Main Idea and Details

Quiz

•

5th Grade

20 questions

Context Clues

Quiz

•

6th Grade

Discover more resources for Other

12 questions

Presidents' Day

Quiz

•

KG - 5th Grade

20 questions

Telling Time to the Hour and Half hour

Quiz

•

1st Grade

10 questions

Exploring Rosa Parks and Black History Month

Interactive video

•

1st - 5th Grade

6 questions

President's Day

Lesson

•

1st Grade

10 questions

Identifying Physical and Chemical Changes

Interactive video

•

1st - 5th Grade

7 questions

Lunar and Chinese New Year for Kids | Bedtime History

Interactive video

•

1st - 12th Grade

10 questions

Presidents Day

Interactive video

•

1st - 5th Grade

15 questions

Making Inferences

Quiz

•

1st - 3rd Grade