Northern Trail Outfitters (NTO) employees use a custom on-premise helpdesk application to request, approve, notify, and track access granted to various onpremises and cloud applications, including Salesforce. Salesforce is currently used to authenticate users. How should NTO provision Salesforce users as soon as they are approved in the helpdesk application with the approved profiles and permission sets?

Use a login flow to query the helpdesk to validate user status.

Have the helpdesk initiate an IdP-initiated Just-in-Time provisioning Security Assertion Markup Language flow.

Use Salesforce Connect to integrate with the helpdesk application

Build an integration that performs a remote call-in to the Salesforce SOAP or REST API.

Northern Trail Outfitters recently acquired a company. Each company will retain its Identity Provider (IdP). Both companies rely extensively on Salesforce processes that send emails to users to take specific actions in Salesforce. How should the combined companys’ employees collaborate in a single Salesforce org, yet authenticate to the appropriate IdP?

Enable each IdP as a login option in the MyDomain Authentication Service settings. Users will then click on the appropriate IdP button.

Have generated links append a querystring parameter indicating the IdP. The login service will redirect to the appropriate IdP.

Configure unique MyDomains for each company and have generated links use the appropriate MyDomain in the URL.

Have generated links be prefixed with the appropriate IdP URL to invoke an Idp-initiated Security Assertion Markup Language flow when clicked.

A third-party app provider would like to have users provisioned via a service endpoint before users access their app from Salesforce. What should an identity architect recommend to configure the requirement with limited changes to the third-party App?

Use a connected app with user provisioning flow.

Redirect users to the third-party app for registration.

Create Canvas app in Salesforce for third-party app to provision users.

Use Salesforce identity with Security Assertion Markup Language (SAML) for provisioning users.

A global company is using the Salesforce Platform as an Identity Provider and needs to integrate a third-party application with its Experience Cloud customer portal. Which two features should be utilized to provide users with login and identity services for the third-party Application? Choose 2 answers

Use the App Launcher with single sign-on (SSO).

External a Data source with Named Principal identity type.

A service provider (SP) supports both Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). When integrating this SP with Salesforce, which use case is the determining factor when choosing OIDC or SAML?

The SP needs to perform API calls back to Salesforce on behalf of the user after the user logs in to The service provider.

They are equivalent protocols and there is no real reason to choose one over the other.

If the user has a session on Salesforce, you do not want them to be prompted for a username and password when they login to the SP.

OIDC is more secure than SAML and therefore is the obvious choice.

Northern Trail Outfitters (NTO) is launching a new sportswear brand on its existing consumer portal built on Salesforce Experience Cloud. As part of the launch, emails with promotional links will be sent to existing customers to log in and claim a discount. The marketing manager would like the portal dynamically branded so that users will be directed to the brand link they clicked on; otherwise, users will view a recognizable NTO branded page. The campaign is launching quickly, so there is no time to procure any additional licenses. However, the development team is available to apply any required changes to the portal. Which approach should the identity architect recommend?

Implement Experience ID in the code and extend the URLs and endpoints, as required.

Create a full sandbox to replicate the portal site and update the branding accordingly.

Use Heroku to build the new brand site and embedded login to reuse identities.

Configure an additional community site on the same org that is dedicated for the new brand.

Northern Trail Outfitters (NTO) believes a specific user account may have been compromised. NTO inactivated the user account and needs to perform a forensic analysis and identify signals that could indicate a breach has occurred. What should NTO’s first step be in gathering signals that could indicate account compromise?

Download the Login History and evaluate the details of logins performed by the user.

Download the Setup Audit Trail and review all recent activities performed by the user.

Review the User record and evaluate the login and transaction history

Download the Identity Provider Event Log and evaluate the details of activities performed by the User.

Northern Trail Outfitters wants to implement a partner community. Active community users will need to review and accept the community rules, and update key contact information for each community member before their annual partner event. Which approach will meet this requirement?

Create a login flow that conditionally prompts users who have not accepted the new community rules and who have missing or outdated information.

Create a custom landing page and email campaign asking all community members to login and verify their data.

Create tasks for users who need to update their data or accept the new community rules.

Add a banner to the community Home page asking users to update their profile and accept the new community rules.

An insurance company has a connected app in its Salesforce environment that is used to integrate with a Google Workspace (formerly known as G Suite). An identity and access management (IAM) architect has been asked to implement automation to enable users, freeze/suspend users, disable users, and reactivate existing users in Google Workspace upon similar actions in Salesforce. Which solution is recommended to meet this requirement?

Configure User Provisioning for Connected Apps.

Build a custom REST endpoint in Salesforce that Google Workspace can poll against.

Build an Apex trigger on the UserLogin object to make asynchronous callouts to Google APIs.

Update the Security Assertion Markup Language Just-in-Time (SAML JIT) handler in Salesforce for User provisioning and de-provisioning.

The CMO of an advertising company has invited an Identity and Access Management (IAM) specialist to discuss Salesforce out-of-box capabilities for configuring the company’s login and registration experience on Salesforce Experience Cloud. The CMO is looking to brand the login page with the company’s logo, background color, login button color, and dynamic right-frame from an external URL. Which two solutions should the IAM specialist recommend? Choose 2 answers

Use Experience Builder to build branded Reset and Forgot Password pages.

Login & Registration pages can be branded in the Community Administration settings.

Build custom site pages for reset and forgot password features.

Build custom pages for branding requirements in Experience Cloud.

A consumer products company uses Salesforce to maintain consumer information, including orders. The company implemented a portal solution using Salesforce Experience Cloud for its consumers where the consumers can log in using their credentials. The company is considering allowing users to login with their Facebook or LinkedIn credentials. Once enabled, what role will Salesforce play?

Salesforce will be the service provider (SP).

Facebook and LinkedIn will be the SPS.

Salesforce will be the identity provider (Idp)

Facebook and LinkedIn will act as the IdPs and SPs.

A global fitness equipment manufacturer is planning to sell fitness tracking devices and has the following Requirements: 1) Customer purchases the device. 2) Customer registers the device using their mobile app. 3) A case should automatically be created in Salesforce and associated with the customers account in cases where the device registers issues with tracking. Which OAuth flow should be used to meet these requirements?

OAuth 2.0 SAML Bearer Assertion Flow

OAuth 2.0 Username-Password Flow

Universal Containers (UC) has an Experience Cloud site (Customer Community) where customers can authenticate and place orders, view the status of orders, etc. UC allows guest checkout. How can a guest register using data previously collected during order placement?

Enable self-registration and customize a self-registration page to collect only order details to retrieve customer data.

Enable Facebook as an authentication provider and use a registration handler to collect only order details to retrieve customer data.

Use a Connected App Handler Apex Plugin class to collect only order details to retrieve customer data.

Enable Security Assertion Markup Language Sign-On and use a login flow to collect only order details to retrieve customer data.

A global company’s Salesforce Identity Architect is reviewing its Salesforce production org login history and is seeing some intermittent Security Assertion Markup Language (SAML SSO) ‘Replay Detected and Assertion Invalid login errors. Which two issues would cause these errors? Choose 2 answers

The assertion sent to Salesforce contains an assertion ID previously used.

The subject element is missing from the assertion sent to Salesforce.

The certificate loaded into SSO configuration does not match the certificate used by the IdP.

The current time setting of the company’s identity provider (IdP) and Salesforce platform is out of sync by more than eight minutes.

A company wants to provide its employees with a custom mobile app that accesses Salesforce. Users are required to download the internal native IOS mobile app from corporate intranet on their mobile device. The app allows flexibility to access other Non Salesforce internal applications once users authenticate with Salesforce. The apps self-authorize, and users are permitted to use the apps once they have logged into Salesforce. How should an identity architect meet the above requirements with the privately distributed mobile app?

Configure Mobile App settings in connected app and Salesforce as identity provider for non Salesforce internal apps.

Use Salesforce as an identity provider (IdP) to access the mobile app and use the external IdP for other non-Salesforce internal apps.

Use connected app with OAuth and Security Assertion Markup Language (SAML) to access other Non Salesforce internal apps.

Create a new hybrid mobile app and use the connected app with OAuth to authenticate users for Salesforce and non-Salesforce internal apps.

A real estate company wants to provide its customers a digital space to design their interior decoration options. To simplify the registration to gain access to the community site (built in Experience Cloud), the CTO has requested that the IT/Development team provide the option for customers to use their existing social-media credentials to register and access. The IT lead has approached the Salesforce Identity and Access Management (IAM) architect for technical direction on implementing the social sign-on (for Facebook, Twitter, and a new provider that supports standard OpenID Connect (OIDC)). Which two recommendations should the Salesforce IAM architect make to the IT Lead? Choose 2 answers

Apex coding skills are needed for registration handler to create and update users.

Authentication provider configuration is required each social sign-on providers; and enable Authentication providers in community

Use declarative registration handler process builder/flow to create, update users and contacts.

For supporting OIDC it is necessary to enable Security Assertion Markup Language (SAML) with Just-in-Time provisioning (JIT) and OAuth 2.0.

An identity architect’s client has a homegrown identity provider (IdP). Salesforce is used as the service provider (SP). The head of IT is worried that during a SP initiated single signon (SSO), the Security Assertion Markup Language (SAML) request content will be altered. What should the identity architect recommend to make sure that there is additional trust between the SP and the IdP?

Encrypt the SAML Request using certification authority (CA) signed certificate and decrypt on IdP.

Ensure that the Issuer and Assertion Consumer Service (ACS) URL is properly configured between SP and IDP.

Ensure that on the SSO settings page, the “Request Signing Certificate” field has a selfsigned Certificate.

Ensure that there is an HTTPS connection between IDP and SP.

Universal Containers (UC) has a classified information system that its call center team uses only when they are working on a case with a record type "Classified". They are only allowed to access the system when they own an open "Classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO eith Salesforce as the Idp, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "Classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying the access to the classified information system based on the open "classified" case record criteria?

Use a Common Connected App Handler using Apex to dynamically allow access to the system based on whether the staff owns any open "Classified" Cases.

Use Salesforce reports to identify users that currently owns open "Classified" cases and should be granted access to the Classified information system.

Use Apex trigger on case to dynamically assign permission Sets that Grant access when an user is assigned with an open "Classified" case, and remove it when the case is closed.

Use Custom SAML JIT Provisioning to dynamically query the user's open "Classified" cases when attempting to access the classified information system.

Identity & Access Managment Set 2

Authored by Joaquín Carmona

Other

1st Grade

Used 8+ times

AI Actions

Add similar questions

Adjust reading levels

Convert to real-world scenario

Translate activity

More...

Content View

Student View

30 questions

Show all answers

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Northern Trail Outfitters (NTO) uses the Customer 360 Platform implemented on Salesforce Experience Cloud. The development team in charge has learned of a contactless user feature, which can reduce the overhead of managing customers and partners by creating users without contact information. What is the potential impact to the architecture if NTO decides to implement this feature?

Passwordless authentication can not be supported because the mobile phone receiving one-time password (OTP) needs to match the number on the contact record.

If contactless user is upgraded to Community license, the contact record is automatically created And linked to the user record, but not associated with an Account.

Contactless user feature is available only with the External Identity license, which can restrict the Experience Cloud functionality available to the user.

registration handler is needed to correctly assign External Identity or Community license for the newly registered contactless user.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A multinational industrial products manufacturer is planning to implement Salesforce CRM to manage their business. They have the following requirements: 1. They plan to implement Partner communities to provide access to their partner network. 2. They have operations in multiple countries and are planning to implement multiple Salesforce orgs. 3. Some of their partners do business in multiple countries and will need information from multiple Salesforce Communities. 4. They would like to provide a single login for their partners. How should an Identity Architect solution this requirement with limited custom development?

Allow partners to choose the Salesforce org they need information from and use login flows to authenticate access.

Consolidate Partner related information in a single org and provide access through Salesforce community.

Create a partner login for the country of their operation and use SAML federation to provide access To other orgs.

MULTIPLE SELECT QUESTION

45 sec • 1 pt

Universal Containers want users to be able to log in to the Salesforce mobile app with their Active Directory password. Employees are unable to use mobile VPN. Which two options should an identity architect recommend to meet the requirement? Choose 2 answers

Active Directory Password Sync Plugin

Configure Cloud Provider Load Balancer

Salesforce Identity Connect

Salesforce Trigger & Field on Contact Object

MULTIPLE SELECT QUESTION

45 sec • 1 pt

A security architect is rolling out a new multi-factor authentication (MFA) mandate, where all employees must go through a secure authentication process before accessing Salesforce. There are multiple Identity Providers (IdP) in place and the architect is considering how the “Authentication Method Reference” field (AMR) in the Login History can help. Which two considerations should the architect keep in mind? Choose 2 answers

Both OIDC and Security Assertion Markup Language (SAML) are supported but AMR must be Implemented at IdP.

High-assurance sessions must be configured under Session Security Level Policies.

Dependency on what is supported by OpenID Connect (OIDC) implementation at IdP.

AMR field shows the authentication methods used at IdP.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Northern Trail Outfitters (NTO) utilizes a third-party cloud solution for an employee portal. NTO also owns Salesforce Service Cloud and would like employees to be able to login to Salesforce with their third-party portal credentials for a seamless experience. The third-party employee portal only supports OAuth. What should an identity architect recommend to enable single sign-on (SSO) between the portal and Salesforce?

Create a custom external authentication provider.

Add the third-party portal as a connected app.

Configure SSO to use the third party portal as an identity provider.

Configure Salesforce for Delegated Authentication.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Universal Containers allows employees to use a mobile device to access Salesforce for daily operations using a hybrid mobile app. This app uses Mobile software development kits (SDK), leverages refresh token to regenerate access token when required and is distributed as a private app. The chief security officer is rolling out an org wide compliance policy to enforce re-verification of devices if an employee has not logged in from that device in the last week. Which connected app setting should be leveraged to comply with this policy change?

Session Policy – Set timeout value of the connected app to 7 days.

Permitted User – Ask admins to maintain a list of users who are permitted based on last login date.

Refresh Token Policy – Expire the refresh token if it has not been used for 7 days.

Scope Deny refresh_token scope for this connected app

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Northern Trail Outfitters (NTO) wants to improve its engagement with existing customers to boost customer loyalty. To get a better understanding of its customers, NTO establishes a single customer view including their buying behaviors, channel preferences and purchasing history. All of this information exists but is spread across different systems and formats. NTO has decided to use Salesforce as the platform to build a 360 degree view. The company already uses Microsoft Active Directory (AD) to manage its users and company assets. What should an Identity Architect do to provision, deprovision and authenticate users?

Salesforce Identity is not needed since NTO uses Microsoft AD.

Salesforce Identity can be included but NTO will be required to build a custom integration with Microsoft AD.

Salesforce Identity is included in the Salesforce licenses so it does not need to be considered separately.

Salesforce dentity can be included but NTO will require Identity Connect

Access all questions and much more by creating a free account

Create resources

Host any resource

Get auto-graded reports

Continue with Google

Continue with Email

Continue with Classlink

Continue with Clever

or continue with

Microsoft

Apple

Others

Already have an account?

Similar Resources on Wayground

25 questions

Yakuniy nazorat (Moliya)

Quiz

•

1st Grade

25 questions

Trivia For Kids!

Quiz

•

1st - 6th Grade

25 questions

części zdania

Quiz

•

1st - 6th Grade

25 questions

CHAPTERS 6-13 - CHARACTERS, SETTING, AND PLOT

Quiz

•

KG - University

25 questions

General Knowledge

Quiz

•

KG - Professional Dev...

25 questions

Adivina el anime

Quiz

•

1st - 11th Grade

26 questions

T.O. - techniki nawijania włosów na wałki

Quiz

•

1st - 6th Grade

25 questions

ÔN TẬP ANHK-KTMĐPVCB

Quiz

•

1st - 5th Grade

Popular Resources on Wayground

15 questions

Fractions on a Number Line

Quiz

•

3rd Grade

20 questions

Equivalent Fractions

Quiz

•

3rd Grade

25 questions

Multiplication Facts

Quiz

•

5th Grade

29 questions

Alg. 1 Section 5.1 Coordinate Plane

Quiz

•

9th Grade

$fractions$

22 questions

fractions

Quiz

•

3rd Grade

11 questions

FOREST Effective communication

Lesson

•

20 questions

Main Idea and Details

Quiz

•

5th Grade

20 questions

Context Clues

Quiz

•

6th Grade

Discover more resources for Other

20 questions

Telling Time to the Hour and Half hour

Quiz

•

1st Grade

10 questions

Heating / Cooling Matter

Quiz

•

1st Grade

10 questions

Exploring Rosa Parks and Black History Month

Interactive video

•

1st - 5th Grade

20 questions

Place Value

Quiz

•

KG - 3rd Grade

10 questions

Counting Coins

Quiz

•

1st Grade

10 questions

Identifying Points, Lines, Rays, and Angles

Interactive video

•

1st - 5th Grade

5 questions

Heating and Cooling Pre-Assessment

Quiz

•

1st Grade

20 questions

VOWEL TEAMS: AI and AY

Quiz

•

1st Grade