Northern Trail Outfitters (NTO) wants its customers to use phone numbers to log in to their new digital portal, which was designed and built using Salesforce Experience Cloud. In order to access the portal, the user will need to do the following:
1. Enter a phone number and/or email address
2. Enter a verification code that is to be sent via email or text.
What is the recommended approach to fulfill this requirement?
A. Create a Login Discovery page and provide a Login Discovery Handler Apex class.
B. Create a custom login page with an Apex controller. The controller has logic to send and verify the identity.
C. Create an authentication provider and implement a self-registration handler class.
D. Create a custom login flow that uses an Apex controller to verify the phone numbers with the company's verification service.
Explanation: To allow customers to use phone numbers to log in to their new digital portal, the identity architect should create a Login Discovery page and provide a Login Discovery Handler Apex class. A Login Discovery page is a custom page that allows users to enter their phone number or email address and receive a verification code via email or text. A Login Discovery Handler is a class that implements the Auth.LoginDiscoveryHandler interface and defines how to handle the user input and verification code. This approach can provide a passwordless login experience for the customers. References: Login Discovery, Create a Login Discovery Page
A company's external application is protected by Salesforce through OAuth. The identity architect for the project needs to limit the level of access to the data of the protected resource in a flexible way.
What should be done to improve security?
A. Select "Admin approved users are pre-authorized" and assign specific profiles.
B. Create custom scopes and assign to the connected app.
C. Define a permission set that grants access to the app and assign to authorized users.
D. Leverage external objects and data classification policies.
Explanation: To limit the level of access to the data of the protected resource in a flexible way, the identity architect should create custom scopes and assign them to the connected app. Custom scopes are permissions that define the specific data that an external application can access or modify in Salesforce. Custom scopes can be created using Apex or Metadata API and assigned to a connected app using OAuth 2.0 or SAML protocols.
Custom scopes can provide more granular control over data access than standard scopes, which are predefined by Salesforce. References: Custom Scopes, Create and Assign Custom Scopes
Northern Trail Outfitters wants to implement a partner community. Active community users will need to review and accept the community rules, and update key contact information for each community member before their annual partner event.
Which approach will meet this requirement?
A. Create tasks for users who need to update their data or accept the new community rules.
B. Create a custom landing page and email campaign asking all community members to login and verify their data.
C. Create a login flow that conditionally prompts users who have not accepted the new community rules and who have missing or outdated information.
D. Add a banner to the community Home page asking users to update their profile and accept the new community rules.
An identity architect wants to secure Salesforce APIs using Security Assertion Markup Language (SAML). For security purposes, administrators will need to authorize the applications that will be consuming the APIs.
Which Salesforce OAuth authorization flow should be used?
A. OAuth 2-0 SAML Bearer Assertion Flow
B. OAuth 2.0 JWT Bearer Flow
C. SAML Assertion Flow
D. OAuth 2.0 User-Agent Flow
Explanation: OAuth 2.0 SAML Bearer Assertion Flow is a protocol that allows a client app to obtain an access token from Salesforce by using a SAML assertion instead of an authorization code. The SAML assertion contains information about the client app and the user who wants to access Salesforce APIs. To use this flow, the client app needs to have a connected app configured in Salesforce with the Use Digital Signature option enabled and the “api” OAuth scope assigned. The administrators can authorize the applications that will be consuming the APIs by setting the Permitted Users policy of the connected app to Admin approved users are pre-authorized and assigning profiles or permission sets to the connected app. References: OAuth 2.0 SAML Bearer Assertion Flow, Connected Apps, OAuth Scopes
Universal Containers (UC) is setting up delegated authentication to allow employees to log in using their corporate credentials. UC's security team is concerned about the risks of exposing the corporate login service on the internet and has asked that a reliable trust mechanism be put in place between the login service and Salesforce.
What mechanism should an Architect put in place to enable a trusted connection between the login service and Salesforce?
A. Require the use of Salesforce security tokens on passwords.
B. Enforce mutual authentication between systems using SSL.
C. Include Client Id and Client Secret in the login header callout.
D. Set up a proxy service for the login service in the DMZ.
Explanation: To enable a trusted connection between the login service and Salesforce, an architect should enforce mutual authentication between systems using SSL. Mutual authentication, also known as two-way SSL or client certificate authentication, is a process in which both parties in a communication exchange certificates to verify their
identities7. This mechanism ensures that only authorized systems can access each other’s resources and prevents unauthorized access or spoofing attacks8. To use mutual authentication with delegated authentication, you need to do the following steps9:
Generate a self-signed certificate in Salesforce and download it.
Import the certificate into your login service’s truststore.
Configure your login service to require client certificates for incoming requests. Generate a certificate for your login service and export it.
Import the certificate into Salesforce’s certificate and key management tool. Enable mutual authentication for your login service’s endpoint URL in Salesforce.
Universal Containers (UC) wants to build a custom mobile app for their field reps to create orders in salesforce. After the first time the users log in, they must be able to access salesforce upon opening the mobile app without being prompted to log in again. What Oauth flows should be considered to support this requirement?
A. Web Server flow with a Refresh Token.
B. Mobile Agent flow with a Bearer Token.
C. User Agent flow with a Refresh Token.
D. SAML Assertion flow with a Bearer Token.
Explanation: The OAuth 2.0 user-agent flow and the OAuth 2.0 web server flow are both suitable for building a custom mobile app that can access Salesforce data without prompting the user to log in again1. Both of these flows use a refresh token that can be used to obtain a new access token when the previous one expires2. The user-agent flow uses the Canvas JavaScript SDK to obtain an OAuth token by using the login function in the SDK2. The web server flow redirects the user to the Salesforce OAuth authorization endpoint and then obtains an OAuth access token by making a POST request to the Salesforce OAuth token endpoint2. The mobile agent flow and the SAML assertion flow are not valid OAuth flows for Salesforce3.
Users logging into Salesforce are frequently prompted to verify their identity.
The identity architect is required to provide recommendations so that frequency of prompt verification can be reduced.
What should the identity architect recommend to meet the requirement?
A. Implement 2FA authentication for the Salesforce org.
B. Set trusted IP ranges for the organization.
C. Implement a single sign-on for Salesforce using an external identity provider.
D. Implement multi-factor authentication for the Salesforce org.
Explanation: To reduce the frequency of prompt verification for users logging into Salesforce, the identity architect should recommend setting trusted IP ranges for the organization. Trusted IP ranges are IP addresses that are considered safe for logging in without any additional verification. Users who log in from trusted IP ranges do not need to activate their computer or use a verification code. Trusted IP ranges can improve user convenience and security. References: Trusted IP Ranges, Set Trusted IP Ranges for Your Organization
A technology enterprise is setting up an identity solution with an external vendors wellness application for its employees. The user attributes need to be returned to the wellness application in an ID token.
Which authentication mechanism should an identity architect recommend to meet the requirements?
A. OpenID Connect
B. User Agent Flow
C. JWT Bearer Token Flow
D. Web Server Flow
Explanation: OpenID Connect is an authentication protocol that allows a service provider to obtain user attributes in an ID token from an IdP. The other flows are OAuth 2.0 flows that are used for authorization, not authentication. References: Configure an Authentication Provider Using OpenID Connect, Integrate Service Providers as Connected Apps with OpenID Connect
Universal Containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in Salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two are recommendations to make the UC? Choose 2 answers
A. Disallow the use of Single Sign-on for any users of the mobile app.
B. Require High Assurance sessions in order to use the Connected App.
C. Set Login IP Ranges to the internal network for all of the app users Profiles.
D. Use Google Authenticator as an additional part of the login process
Explanation:
Requiring High Assurance sessions and using Google Authenticator are two ways to enhance the security of the connected app.
Option B is correct because requiring High Assurance sessions means that the
users must verify their identity using a second factor, such as a verification code or biometric scan, before they can access the connected app.
Option D is correct because using Google Authenticator as an additional part of the login process also adds a second factor of authentication, which can be generated by the Google Authenticator app on the user’s mobile device.
Option A is incorrect because disallowing the use of Single Sign-on for any users of the mobile app does not improve the security of the app, and may create more inconvenience for the users who have to remember multiple credentials.
Option C is incorrect because setting Login IP Ranges to the internal network for all of the app users Profiles does not work for users who are commonly out of the office, as they may need to access the app from different locations.
Universal Containers (UC) has implemented SAML-based SSO solution for use with their multi-org Salesforce implementation, utilizing one of the the orgs as the Identity Provider. One user is reporting that they can log in to the Identity Provider org but get a generic SAML error message when accessing the other orgs. Which two considerations should the architect review to troubleshoot the issue? Choose 2 answers
A. The Federation ID must be a valid Salesforce Username
B. The Federation ID must is case sensitive
C. The Federation ID must be in the form of an email address.
D. The Federation ID must be populated on the user record.
Explanation: The Federation ID is a field on the user object that is used to link a Salesforce user with an external identity provider. When using SAML SSO, Salesforce matches the Federation ID value with the NameID element in the SAML assertion to identify the user. To troubleshoot the issue of getting a generic SAML error message when accessing the other orgs, the architect should review the following considerations:
The Federation ID must be case sensitive, which means that the value in the user
record must match exactly with the value in the SAML assertion. For example, if the Federation ID is “John.Doe”, then “john.doe” or “JOHN.DOE” will not work. The Federation ID must be populated on the user record, which means that the user must have a value for this field in each org that they want to access via SSO. If the Federation ID is blank or missing, then Salesforce will not be able to match the user with the SAML assertion.
| Page 10 out of 26 Pages |
| Identity-and-Access-Management-Architect Practice Test Home | Previous |
Copyright © - All Rights Reserved