Universal Containers (UC) has decided to build a new, highly sensitive application on the Lightning platform. The security team at UC has decided that they want users to provide a fingerprint in addition to username/password to authenticate to this application.
How can an Architect support fingerprints as a form of identification for Salesforce authentication?
A. Use Custom Login Flows with callouts to a third-party fingerprint scanning application.
B. Use Salesforce Two-factor Authentication with callouts to a third-party fingerprint scanning application.
C. Use Delegated Authentication with callouts to a third-party fingerprint scanning application.
D. Use an AppExchange product that does fingerprint scanning with native Salesforce Identity Confirmation.
Topics covered:
- Identity Management Concepts
- Accepting 3rd Party Identity in Salesforce
- Salesforce as an Identity Provider
- Access Management Best Practices
- Salesforce Identity
- Community (Partner and Customer)
Which three capabilities does SAML-based Federated authentication provide? (Choose three.)
A. Centralized federation provides a single point of access, control and auditing.
B. Access tokens are used to access resources on the server once the user is authenticated.
C. Web applications with no passwords are more secure and stronger against hacks.
D. Trust relationships between Identity Provider and Service Provider are required.
E. SAML tokens can be in XML or JSON format and can be used interchangeably.
Universal Containers (UC) uses middleware to integrate multiple systems with Salesforce. UC has a strict, new requirement that usernames and passwords cannot be stored in any UC system.
How can UC's middleware authenticate to Salesforce while adhering to this requirement?
A. Create a Connected App that supports the Refresh Token OAuth Flow.
B. Create a Connected App that supports the JWT Bearer Token OAuth Flow.
C. Create a Connected App that supports the User-Agent OAuth Flow.
D. Create a Connected App that supports the Web Server OAuth Flow.
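The JWT Bearer Token flow in the question above is the one that needs no stored password: the middleware signs a short-lived assertion with a private key whose certificate is registered on the Connected App, and Salesforce exchanges it for an access token. The following Python is an added example, not code from the page, showing how that assertion and token request are built. The consumer key, username and key material are placeholders; the RS256 signer needs the third-party `cryptography` package, which is imported lazily so the rest of the block runs on the standard library alone.

```python
import base64
import json
import time
from typing import Callable, Dict, Tuple

# Values defined by the Salesforce OAuth 2.0 JWT Bearer Flow documentation.
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
LOGIN_AUDIENCE = "https://login.salesforce.com"  # https://test.salesforce.com for sandboxes
MAX_ASSERTION_LIFETIME = 180  # docs cap exp at roughly three minutes ahead of "now"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_claims(consumer_key: str, username: str, now: int,
                 audience: str = LOGIN_AUDIENCE,
                 lifetime: int = MAX_ASSERTION_LIFETIME) -> Dict[str, object]:
    """iss = Connected App consumer key, sub = the Salesforce username to act as."""
    if not 0 < lifetime <= MAX_ASSERTION_LIFETIME:
        raise ValueError("assertion lifetime must be between 1 and 180 seconds")
    return {"iss": consumer_key, "sub": username, "aud": audience, "exp": now + lifetime}


def encode_jwt(claims: Dict[str, object], sign: Callable[[bytes], bytes]) -> str:
    """header.payload.signature; Salesforce accepts only RS256 for this flow."""
    header = {"alg": "RS256"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = b64url(compact(header)) + "." + b64url(compact(claims))
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))


def rs256_signer(private_key_pem: bytes) -> Callable[[bytes], bytes]:
    """RSASSA-PKCS1-v1_5 / SHA-256 signer for the key whose certificate is on the Connected App.
    Requires the `cryptography` package (assumption: available in the middleware runtime)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def token_request(assertion: str,
                  token_endpoint: str = LOGIN_AUDIENCE + "/services/oauth2/token") -> Tuple[str, Dict[str, str]]:
    """The POST body Salesforce expects: no password, no client secret, only the assertion."""
    return token_endpoint, {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}


def inspect_assertion(token: str) -> Tuple[Dict[str, object], Dict[str, object]]:
    """Decode header and claims WITHOUT verifying the signature (for logging, never for trust)."""
    header_b64, claims_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64))


if __name__ == "__main__":
    # Placeholder consumer key and username; the real ones come from the Connected App and org.
    claims = build_claims("3MVG9_PLACEHOLDER_CONSUMER_KEY", "integration@uc.example", int(time.time()))
    try:
        from cryptography.hazmat.primitives import serialization
        from cryptography.hazmat.primitives.asymmetric import rsa
        throwaway = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        pem = throwaway.private_bytes(serialization.Encoding.PEM,
                                      serialization.PrivateFormat.PKCS8,
                                      serialization.NoEncryption())
        assertion = encode_jwt(claims, rs256_signer(pem))
        print(token_request(assertion))
    except ImportError:
        print("cryptography not installed; unsigned claims:", claims)
```

Note that the only long-lived secret in this design is the private key, which belongs in an HSM or secrets manager, not in a config file; the assertion itself is worthless after `exp`.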
A group of users try to access one of Universal Containers’ Connected Apps and receive the following error message: “Failed: Not approved for access.”
What is the probable cause of this issue?
A. The Salesforce Administrators have revoked the OAuth authorization.
B. The Connected App setting "All users may self-authorize" is enabled.
C. The use of High Assurance sessions is required for the Connected App.
D. The users do NOT have the correct permission set assigned to them.
Universal Containers (UC) is building a custom Innovation platform on their Salesforce instance. The Innovation platform will be written completely in Apex and Visualforce and will use custom objects to store the data. UC would like all users to be able to access the system without having to log in with Salesforce credentials. UC will utilize a third-party IdP using SAML SSO.
What is the recommended Salesforce license type for all of the UC employees?
A. Salesforce Platform license
B. External Identity license
C. Identity license
D. Salesforce license
Universal Containers wants to build a custom mobile app connecting to Salesforce using OAuth, and would like to restrict the types of resources mobile users can access.
What OAuth feature of Salesforce should be used to achieve the goal?
A. Refresh Tokens
B. Scopes
C. Access Tokens
D. Mobile PINs
Universal Containers (UC) is building an integration between Salesforce and a legacy web application using the Canvas framework. The security team for UC has determined that a signed request from Salesforce is not an adequate authentication solution for the third-party app.
Which two options should the Architect consider for authenticating the third-party app using the Canvas framework? (Choose two.)
A. Utilize Authorization Providers to allow the third-party application to authenticate itself against Salesforce as the IdP.
B. Utilize the SAML Single Sign-on flow to allow the third-party to authenticate itself against UC's IdP.
C. Create a registration handler Apex class to allow the third-party application to authenticate itself against Salesforce as the IdP.
D. Utilize the Canvas OAuth flow to allow the third-party application to authenticate itself against Salesforce as the IdP.
Universal Containers (UC) implemented SSO to a third-party system for their Salesforce users to access the App Launcher. UC enabled "User Provisioning” on the Connected App so that changes to user accounts can be synched between Salesforce and the third-party system. However, UC quickly notices that changes to user roles in Salesforce are not getting synched to the third-party system.
What is the probable reason for this behavior?
A. The Approval queue for User Provisioning Requests is unmonitored.
B. User Provisioning for Connected Apps does NOT support role sync.
C. Required operation(s) was NOT mapped in User Provisioning Settings.
D. Salesforce roles have more than three levels in the role hierarchy.
Universal Containers (UC) would like to enable self-registration for their Salesforce Partner Community Users. UC wants to capture some custom data elements from the partner user, and based on these data elements, wants to assign the appropriate Profile and Account values.
Which two actions should the Architect recommend to UC? (Choose two.)
A. Configure Registration for Communities to use a custom Visualforce Page.
B. Configure Registration for Communities to use a custom Apex Controller.
C. Modify the CommunitiesSelfRegController to assign the Profile and Account.
D. Modify the SelfRegistration trigger to assign Profile and Account.
An Architect needs to set up a Facebook Authentication provider as a login option for a Salesforce Customer Community.
What portion of the authentication provider setup associates a Facebook user with a Salesforce user?
A. Apex Registration Handler
B. Federation ID
C. Consumer Key and Consumer Secret
D. User Info Endpoint URL
Universal Containers (UC) has a Customer Community that uses Facebook for authentication. UC would like to ensure that changes in the Facebook profile are reflected on the appropriate Customer Community user.
How can this requirement be met?
A. Develop a scheduled job that calls out to Facebook on a nightly basis.
B. Use the updateUser() method on the Registration Handler class.
C. Use SAML Just-In-Time Provisioning between Facebook and Salesforce.
D. Use information in the Signed Request that is received from Facebook.
Universal Containers has implemented a multi-org strategy and would like to centralize the management of their Salesforce user profiles.
What should the Architect recommend to allow Salesforce profiles to be managed from a central system of record?
A. Implement JIT provisioning on the SAML IdP that will pass the ProfileID in each assertion.
B. Implement Delegated Authentication that will update the user profiles as necessary.
C. Create an Apex scheduled job in one org that will synchronize the other org's profiles.
D. Implement an OAuth JWT flow to pass the profile credentials between systems.
Which two security risks can be mitigated by enabling Two-Factor Authentication in Salesforce? (Choose two.)
A. Users accessing Salesforce from a public Wi-Fi access point.
C. Users leaving laptops unattended and NOT logging out of Salesforce.
D. Users choosing passwords that are the same as their Facebook password.
Universal Containers (UC) has implemented an SP-initiated SAML flow between an external IdP and Salesforce. A user at UC is attempting to log in to the Salesforce mobile app for the first time and is being prompted for Salesforce credentials instead of being shown the IdP login page.
What is the likely cause of the issue?
A. The "Redirect to Identity Provider" option has NOT been selected in the My Domain configuration.
B. The "Redirect to Identity Provider" option has NOT been selected on the SAML configuration.
C. The user has NOT been granted the "Enable Single Sign-on" permission.
D. The user has NOT configured the Salesforce mobile app to use My Domain for login.
Universal Containers (UC) has decided to use Identity Connect as its Identity Provider. UC uses Active Directory (AD) and has a team that is very familiar and comfortable with managing AD groups. UC would like to use AD Groups to help configure Salesforce users.
Which three actions can AD Groups control through Identity Connect? (Choose three.)
A. Public Group Assignment
B. Role Assignment
C. Custom Permissions Assignment
D. Granting Report Folder Access
E. Permission Sets Assignment
How should an Architect force users to authenticate with Two-factor Authentication (2FA) for Salesforce only when NOT connected to an internal company network?
A. Apply the "Two-factor Authentication for User Interface Logins" permission and Login IP Ranges for all Profiles.
B. Add the company's list of network IP addresses to the Login Range list under 2FA Setup.
C. Use Custom Login Flows with Apex to detect the user's IP address and prompt for 2FA if needed.
D. Use an Apex Trigger on the UserLogin object to detect the user's IP address and prompt for 2FA if needed.
The security team at Universal Containers has identified exporting reports as a high-risk action and would like to require users to be logged into Salesforce with their Active Directory (AD) credentials when doing so. For all other uses of Salesforce, users should be allowed to use AD credentials or Salesforce credentials.
What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with Salesforce credentials?
A. Use SAML Federated Authentication and Custom SAML JIT Provisioning to dynamically add or remove a Permission Set that grants the Export Reports permission.
B. Use SAML Federated Authentication, treat SAML Sessions as High Assurance, and raise the session level required for exporting reports.
C. Use SAML Federated Authentication with a Login Flow to dynamically add or remove a Permission Set that grants the Export Reports permission.
D. Use SAML Federated Authentication and block access to reports when accessed through a Standard Assurance session.
What is a role of an Identity Provider in a Single Sign-on setup using SAML?
A. Consume assertion
B. Revoke assertion
C. Validate assertion
D. Create assertion
Universal Containers (UC) has implemented SAML-based Single Sign-on for their Salesforce application. UC is using PingFederate as the Identity Provider. To access Salesforce, users usually navigate to a bookmarked link to the My Domain URL.
What type of Single Sign-on flow is this?
A. IdP-Initiated
B. IdP-Initiated with Deep Linking
C. SP-Initiated
D. Web Server Flow
What item should an Architect consider when designing a Delegated Authentication implementation?
A. The web service should be secured with TLS using Salesforce trusted certificates.
B. The web service should be able to accept one to four input method parameters.
C. The web service should use the Salesforce Federation ID to identify the user.
D. The web service should implement a custom password decryption method.
Universal Containers has built a custom token-based Two-Factor Authentication system for their existing on-premise applications. They are now implementing Salesforce and would like to enable a Two-Factor login process for it, as well.
What is the recommended solution an Architect should consider?
A. Replace the custom 2FA system with an AppExchange App that supports on-premise applications and Salesforce.
B. Use the custom 2FA system for on-premise applications and native 2FA for Salesforce.
C. Replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce.
D. Use Custom Login Flows to connect to the existing custom 2FA system for use in Salesforce.
Which two roles of the systems are involved in an environment where Salesforce users are enabled to access Google Apps from within Salesforce through App Launcher and Connected App setup? (Choose two.)
A. Salesforce is the Service Provider.
B. Salesforce is the Identity Provider.
C. Google is the Identity Provider.
D. Google is the Service Provider.
An Architect has successfully configured SAML-based SSO for Universal Containers. SSO has been working for 3 months when Universal Containers manually adds a batch of new users to Salesforce. The new users receive an error from Salesforce when trying to use SSO. Existing users are still able to successfully use SSO to access Salesforce.
What is the likely cause of this behavior?
A. The new users do NOT have the SSO permission enabled on their profiles.
B. The Federation ID field on the new User records is NOT correctly set.
C. The administrator forgot to reset the new user's Salesforce password.
D. The My Domain capability is NOT enabled on the new user's profile.
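Several of the questions above turn on what the Service Provider does with a SAML assertion after the IdP creates it: check who issued it, check its validity window and audience, and map the Subject NameID to a user's Federation ID. The Python below is an added example, not code from the page or from Salesforce, that walks those SP-side checks over a constructed, unsigned sample assertion. It assumes the XML signature has already been verified against the IdP certificate (ElementTree cannot do that, and production code should parse with defusedxml); the IdP entity ID, SP entity ID, user table and clock-skew tolerance are placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"
CLOCK_SKEW = timedelta(seconds=60)  # assumed tolerance for IdP/SP clock drift


class SamlRejected(Exception):
    """Raised when an assertion fails a check; the message names the failing check."""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z; fractional seconds are dropped."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def map_assertion_to_user(xml_text: str, expected_issuer: str, sp_entity_id: str,
                          now: datetime, users_by_federation_id: Dict[str, str]) -> str:
    """Apply the SP-side checks and return the username whose Federation ID matches the NameID.
    Precondition (not done here): the assertion's XML signature was verified with the IdP cert."""
    root = ET.fromstring(xml_text)
    if root.tag != ASSERTION_TAG:
        raise SamlRejected("not a SAML 2.0 Assertion element")

    # 1. Only the configured IdP may issue assertions for this SP.
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer != expected_issuer:
        raise SamlRejected(f"unexpected issuer {issuer!r}")

    # 2. Validity window, with a small skew allowance in both directions.
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        raise SamlRejected("missing Conditions element")
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + CLOCK_SKEW < parse_saml_time(not_before):
        raise SamlRejected("assertion not yet valid")
    if not_on_or_after and now - CLOCK_SKEW >= parse_saml_time(not_on_or_after):
        raise SamlRejected("assertion expired")

    # 3. The assertion must be addressed to this SP, otherwise one IdP-issued
    #    assertion for another application could be replayed here.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if sp_entity_id not in audiences:
        raise SamlRejected(f"audience {audiences} does not include this SP")

    # 4. Subject NameID is matched against the Federation ID on the user record;
    #    a user created without one (the "new users" symptom in the question above) fails here.
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id:
        raise SamlRejected("missing Subject/NameID")
    user = users_by_federation_id.get(name_id)
    if user is None:
        raise SamlRejected(f"no user with Federation ID {name_id!r}")
    return user


# Constructed sample: a minimal, unsigned SAML 2.0 assertion from a fictional IdP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp.uc.example/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://uc.my.salesforce.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

SAMPLE_IDP = "https://idp.uc.example/saml"          # placeholder IdP entity ID
SAMPLE_SP = "https://uc.my.salesforce.com"          # placeholder SP entity ID (My Domain)
SAMPLE_USERS = {"jdoe": "jdoe@uc.example"}          # constructed Federation ID -> username table
SAMPLE_NOW = datetime(2024, 1, 15, 10, 1, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(map_assertion_to_user(SAMPLE_ASSERTION, SAMPLE_IDP, SAMPLE_SP, SAMPLE_NOW, SAMPLE_USERS))
    try:
        map_assertion_to_user(SAMPLE_ASSERTION, SAMPLE_IDP, SAMPLE_SP, SAMPLE_NOW, {})
    except SamlRejected as err:
        print("rejected:", err)
```

The order matters for troubleshooting: an issuer or audience failure points at configuration on one side, a window failure at clock drift, and a NameID miss at the user record itself.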
How should an Architect automatically redirect users to the login page of the external Identity Provider when using an SP-initiated SAML flow with Salesforce as a Service Provider?
A. Remove the Login Page from the list of Authentication Services on the My Domain configuration.
B. Set the Identity Provider as default and enable the Redirect to the Identity Provider setting on the SAML Configuration.
C. Use Visualforce as the landing page for My Domain to redirect users to the Identity Provider login page.
D. Enable the Redirect to the Identity Provider setting under Authentication Services on the My Domain Configuration.