Universal Containers (UC) has an existing Salesforce org configured for SP-initiated SAML SSO with their IdP. A second Salesforce org is being introduced into the environment, and the IT team would like to ensure they can use the same IdP for the new org. What action should the IT team take while implementing the second org?
A. Use the same SAML Identity location as the first org.
B. Use a different Entity ID than the first org.
C. Use the same request bindings as the first org.
D. Use the Salesforce Username as the SAML Identity Type.
Explanation:
The Entity ID is the unique identifier of a service provider (or identity provider) in SAML SSO. The IdP keys its relying-party configuration (assertion consumer service URL, signing certificate, attribute mapping) on the SP's Entity ID, and the Audience of every assertion it issues names that Entity ID. In Salesforce the Entity ID is set on the Single Sign-On Settings page. The default value is https://saml.salesforce.com; with My Domain enabled you can instead use https://[MyDomain].my.salesforce.com, which is unique to the org. If two orgs register with the same IdP under the same Entity ID, the IdP cannot tell them apart, and an assertion it issues for one org is equally valid for the other. Giving each org a different Entity ID (the My Domain form) is the simplest and recommended way to keep them distinct; the SAML identity location, request bindings and identity type can stay the same as in the first org.
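The following Go program is an added example, not part of the original question bank, showing the service-provider side of the point above: the Audience of the assertion must name the org's own Entity ID, so two orgs with distinct Entity IDs cannot accept each other's assertions, while two orgs left on the shared default accept the same one. The SAML Response, the IdP issuer https://idp.uc.example/saml and the Entity IDs uc-sales.my.salesforce.com and uc-service.my.salesforce.com are constructed for the example; XML signature verification is assumed to have been done on the raw document beforehand and is not shown.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
	"time"
)

// samlResponse is the minimal subset of a SAML 2.0 Response needed for the
// issuer, validity-window and audience checks below. The tags carry no
// namespace so they match the saml:/samlp:-prefixed elements of any IdP.
type samlResponse struct {
	XMLName   xml.Name `xml:"Response"`
	Issuer    string   `xml:"Issuer"`
	Assertion struct {
		NameID     string `xml:"Subject>NameID"`
		Conditions struct {
			NotBefore    string   `xml:"NotBefore,attr"`
			NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
			Audiences    []string `xml:"AudienceRestriction>Audience"`
		} `xml:"Conditions"`
	} `xml:"Assertion"`
}

// SPConfig is what one Salesforce org (the service provider) knows about
// itself and its IdP: the Entity ID from Single Sign-On Settings and the
// Issuer value it expects from the IdP.
type SPConfig struct {
	EntityID      string
	TrustedIssuer string
}

// SampleResponse is a constructed, unsigned SAML Response for illustration.
// The IdP issued it for the org whose Entity ID is uc-sales.my.salesforce.com.
const SampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.uc.example/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.uc.example/saml</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@uc.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://uc-sales.my.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>`

// ResponseForAudience returns the sample response re-targeted at another
// Entity ID, i.e. what the IdP would issue when orgs share one Entity ID.
func ResponseForAudience(entityID string) []byte {
	return []byte(strings.Replace(SampleResponse, "https://uc-sales.my.salesforce.com", entityID, 1))
}

// ValidateAssertion checks issuer, validity window and audience restriction
// and returns the asserted NameID. XML signature verification over the raw
// document is assumed to have already succeeded; it is out of scope here.
func ValidateAssertion(raw []byte, sp SPConfig, now time.Time) (string, error) {
	var resp samlResponse
	if err := xml.Unmarshal(raw, &resp); err != nil {
		return "", fmt.Errorf("malformed response: %w", err)
	}
	if resp.Issuer != sp.TrustedIssuer {
		return "", fmt.Errorf("untrusted issuer %q", resp.Issuer)
	}
	cond := resp.Assertion.Conditions
	notBefore, err1 := time.Parse(time.RFC3339, cond.NotBefore)
	notOnOrAfter, err2 := time.Parse(time.RFC3339, cond.NotOnOrAfter)
	if err1 != nil || err2 != nil {
		return "", errors.New("missing or malformed validity window")
	}
	if now.Before(notBefore) || !now.Before(notOnOrAfter) {
		return "", errors.New("assertion outside its validity window")
	}
	// The Audience must name this org's own Entity ID: an assertion issued
	// for another SP is rejected even though it came from the trusted IdP.
	for _, aud := range cond.Audiences {
		if aud == sp.EntityID {
			return resp.Assertion.NameID, nil
		}
	}
	return "", fmt.Errorf("audience %v does not name this SP (%s)", cond.Audiences, sp.EntityID)
}

func main() {
	now := time.Date(2024, 5, 1, 12, 1, 0, 0, time.UTC)
	idp := "https://idp.uc.example/saml"
	orgA := SPConfig{EntityID: "https://uc-sales.my.salesforce.com", TrustedIssuer: idp}
	orgB := SPConfig{EntityID: "https://uc-service.my.salesforce.com", TrustedIssuer: idp}
	for _, sp := range []SPConfig{orgA, orgB} {
		user, err := ValidateAssertion([]byte(SampleResponse), sp, now)
		fmt.Printf("%s: user=%q err=%v\n", sp.EntityID, user, err)
	}
	// With both orgs left on the default https://saml.salesforce.com Entity ID,
	// the same assertion is accepted by either org.
	shared := SPConfig{EntityID: "https://saml.salesforce.com", TrustedIssuer: idp}
	user, err := ValidateAssertion(ResponseForAudience(shared.EntityID), shared, now)
	fmt.Printf("shared Entity ID: user=%q err=%v\n", user, err)
}
```

Run it and the first org accepts jdoe@uc.example, the second rejects the same response on the audience check, and the shared-Entity-ID case shows the assertion becoming valid for every org that uses the default value.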
Universal Containers (UC) uses an internal system for recruiting and would like to have the candidates' info available in Salesforce automatically when they are selected. UC decides to use OAuth to connect to Salesforce from the recruiting system and would like to do the authentication using digital certificates. Which two OAuth flows should be considered to meet the requirement? Choose 2 answers
A. JWT Bearer Token flow
B. Refresh Token flow
C. SAML Bearer Assertion flow
D. Web Service flow
Explanation:
JWT Bearer Token flow and SAML Bearer Assertion flow are the two OAuth flows that authenticate to Salesforce with a digital certificate rather than a user password. In the JWT Bearer Token flow, the connected app requests an access token by presenting a JSON Web Token signed with the private key whose certificate was uploaded to the connected app. In the SAML Bearer Assertion flow, it presents a SAML assertion signed in the same way. Both are server-to-server flows with no user interaction, which suits a recruiting system that pushes candidate data on its own. The Refresh Token flow presupposes an earlier user-interactive authorization, and "Web Service flow" is not a Salesforce OAuth flow.
Universal Containers (UC) wants its Closed Won opportunities to be synced to a data warehouse in near real time. UC has implemented Outbound Messages to enable near-real-time data sync. UC wants to ensure that communication between Salesforce and the target system is secure. What certificate is sent along with the Outbound Message?
A. The CA-Signed Certificate from the Certificate and Key Management menu.
B. The default Client Certificate from the Develop--> API Menu.
C. The default Client Certificate or a Certificate from Certificate and Key Management menu.
D. The Self-Signed Certificates from the Certificate & Key Management menu.
Explanation:
The certificate sent with an outbound message is the default client certificate or a certificate from the Certificate and Key Management menu (option C). An outbound message is a SOAP message that Salesforce sends to an external endpoint when a workflow rule or approval process fires. Salesforce presents a client certificate on the TLS connection so the endpoint can verify that the message really originates from your org. Which certificate is presented is governed by the API Client Certificate setting in Setup > Certificate and Key Management: by default it is the Default Client Certificate (the one that can also be downloaded from Setup > API), and an administrator can instead select any certificate created or uploaded in Certificate and Key Management, whether self-signed or CA-signed.
Options A and D are each too narrow: the selected certificate does not have to be CA-signed, and it does not have to be self-signed. Option B is too narrow in the other direction, because the default client certificate is only what is used until a different certificate is selected. On the receiving side, the endpoint should require client certificate authentication and trust only the specific certificate (or issuing CA) exported from Salesforce, rather than accepting any client certificate.
References: Outbound Messages; Certificate and Key Management (API Client Certificate); Default Client Certificate; CA-Signed Certificates; Self-Signed Certificates
Universal Containers allows employees to use a mobile device to access Salesforce for daily operations using a hybrid mobile app. This app uses Mobile software development kits (SDK), leverages refresh token to regenerate access token when required and is distributed as a private app.
The chief security officer is rolling out an org-wide compliance policy to enforce re-verification of devices if an employee has not logged in from that device in the last week.
Which connected app setting should be leveraged to comply with this policy change?
A. Scope - Deny refresh_token scope for this connected app.
B. Refresh Token Policy - Expire the refresh token if it has not been used for 7 days.
C. Session Policy - Set timeout value of the connected app to 7 days.
D. Permitted User - Ask admins to maintain a list of users who are permitted based on last login date.
Explanation:
Refresh Token Policy - Expire the refresh token if it has not been used for 7 days is the connected app setting to use. The mobile app keeps a refresh token per device and uses it to obtain new access tokens silently; once the refresh token has expired, the next launch sends the user back through login (including any MFA or device activation), which is exactly the re-verification the policy calls for. Denying the refresh_token scope (A) would force re-authentication at every access-token expiry, not weekly; a session timeout (C) caps the length of one session, not the gap between logins; and a manually maintained list of permitted users (D) is not enforced by the platform. References: Connected App Basics, OAuth 2.0 Refresh Token Flow
Universal Containers (UC) has an Experience Cloud site (Customer Community) where customers can authenticate and place orders, view the status of orders, etc. UC allows guest checkout. How can a guest register using data previously collected during order placement?
A. Enable Security Assertion Markup Language Sign-On and use a login flow to collect only order details to retrieve customer data.
B. Enable Facebook as an authentication provider and use a registration handler to collect only order details to retrieve customer data.
C. Use a Connected App Handler Apex Plugin class to collect only order details to retrieve customer data.
D. Enable self-registration and customize a self-registration page to collect only order details to retrieve customer data.
Explanation:
Self-registration lets guests create their own user accounts for the site. The self-registration page, backed by a custom Apex controller, can be customized to collect only the order details (for example the order number and the email address used at checkout), look up the Contact or Person Account that was created during guest checkout, and create the user against that record instead of a duplicate. Matching on data only the customer would know, and confirming the email address before activating the user, prevents a stranger from claiming someone else's order history.
References: Customize Self-Registration
Universal Containers (UC) plans to use a SAML-based third-party IdP serving both the Salesforce Partner Community and the corporate portal. UC partners will log in to the corporate portal to access protected resources, including links to Salesforce resources. What would be the recommended way to configure the IdP so that seamless access can be achieved in this scenario?
A. Set up the corporate portal as a Connected App in Salesforce and use the Web server OAuth flow.
B. Configure SP-initiated SSO that passes the SAML token upon Salesforce resource access request.
C. Set up the corporate portal as a Connected App in Salesforce and use the User Agent OAuth flow.
D. Configure IdP-initiated SSO that passes the SAML token upon Salesforce resource access request.
Explanation:
The recommended way to achieve seamless access is IdP-initiated SSO that passes the SAML response when a Salesforce resource is requested. The partner logs in to the corporate portal first and then clicks a link to a Salesforce resource; the IdP posts a SAML response containing the user's identity and attributes, with the target resource carried in RelayState, to the community's assertion consumer service URL. Salesforce verifies the signature, issuer and audience, logs the user into the appropriate community and redirects to the resource, so the partner never has to enter credentials a second time. SP-initiated SSO (B) would also work but starts at Salesforce and redirects back to the IdP, which is not the portal-first flow described; the OAuth flows (A, C) are for API access by a connected app, not for browser SSO into a community.
References: SAML SSO with Salesforce as the Service Provider; Set Up Single Sign-On for Your Internal Users (Trailhead); What is IdP-Initiated Single Sign-On? (OneLogin)
An organization has a central cloud-based Identity and Access Management (IAM) Service for authentication and user management, which must be utilized by all applications as follows:
1 - Change of a user status in the central IAM Service triggers provisioning or deprovisioning in the integrated cloud applications.
2 - Security Assertion Markup Language single sign-on (SSO) is used to facilitate access for users authenticated at the identity provider (Central IAM Service).
Which approach should an IAM architect implement on Salesforce Sales Cloud to meet the requirements?
A. Configure Salesforce as a SAML Service Provider, and enable SCIM (System for Cross-Domain Identity Management) for provisioning and deprovisioning of users.
B. Configure Salesforce as a SAML service provider, and enable Just-in-Time (JIT) provisioning and deprovisioning of users.
C. Configure central IAM Service as an authentication provider and extend registration handler to manage provisioning and deprovisioning of users.
D. Deploy Identity Connect component and set up automated provisioning and deprovisioning of users, as well as SAML-based SSO.
Explanation:
To meet the requirements of using a central cloud-based IAM service for authentication and user management, the IAM architect should configure Salesforce Sales Cloud as a SAML service provider and enable SCIM for provisioning and deprovisioning of users. SAML lets users authenticate at the external identity provider and access Salesforce resources; configuring Salesforce as the SAML service provider makes the central IAM service the identity provider and enables single sign-on. SCIM is a standard for managing user identities across systems; with SCIM enabled, the central IAM service pushes creates, updates and deactivations to Salesforce as they happen, so a status change in the IAM service immediately provisions or deprovisions the Salesforce user. JIT provisioning (B) only creates or updates a user at the moment that user logs in through SAML, so it cannot deprovision someone who never logs in again. An authentication provider with a registration handler (C) is for OpenID Connect style providers rather than SAML and has the same login-time limitation. Identity Connect (D) synchronizes with on-premises Active Directory rather than a cloud IAM service.
References: SAML Single Sign-On Settings, SCIM User Provisioning for Connected Apps
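The exchange behind requirement 1, as an added example that is not part of the original question bank: the IAM service deprovisions a user by sending a SCIM 2.0 PatchOp that sets active to false, and the SCIM endpoint applies it only after checking the bearer token. The Go program below plays both sides against an in-process HTTP server; the user store, the bearer token, the user ID 005example and the username are constructed for the example, and the endpoint path follows the form Salesforce documents for its SCIM API. A real integration would call the Salesforce endpoint with the token obtained for the connected app, not this toy store.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// patchOp is the SCIM 2.0 PatchOp message (RFC 7644 section 3.5.2) the IdP
// sends to change a user; deprovisioning is "replace active with false".
type patchOp struct {
	Schemas    []string `json:"schemas"`
	Operations []struct {
		Op    string      `json:"op"`
		Path  string      `json:"path"`
		Value interface{} `json:"value"`
	} `json:"Operations"`
}

// scimUser is the subset of the SCIM User resource tracked here.
type scimUser struct {
	ID       string `json:"id"`
	UserName string `json:"userName"`
	Active   bool   `json:"active"`
}

// UserStore is a constructed stand-in for the Salesforce SCIM endpoint: it
// serves PATCH /services/scim/v2/Users/{id} behind a bearer token.
type UserStore struct {
	mu    sync.Mutex
	token string
	users map[string]*scimUser
}

func NewUserStore(token string) *UserStore {
	return &UserStore{token: token, users: map[string]*scimUser{
		"005example": {ID: "005example", UserName: "jdoe@uc.example", Active: true},
	}}
}

// IsActive reports the stored state so callers can confirm what a PATCH did.
func (s *UserStore) IsActive(id string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.users[id]
	return ok && u.Active
}

func (s *UserStore) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("Authorization") != "Bearer "+s.token {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	const prefix = "/services/scim/v2/Users/"
	if r.Method != http.MethodPatch || !strings.HasPrefix(r.URL.Path, prefix) {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	var op patchOp
	if json.NewDecoder(r.Body).Decode(&op) != nil ||
		len(op.Schemas) != 1 || op.Schemas[0] != "urn:ietf:params:scim:api:messages:2.0:PatchOp" {
		http.Error(w, "bad PatchOp", http.StatusBadRequest)
		return
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.users[strings.TrimPrefix(r.URL.Path, prefix)]
	if !ok {
		http.Error(w, "no such user", http.StatusNotFound)
		return
	}
	for _, o := range op.Operations { // only the deprovisioning operation is supported here
		v, isBool := o.Value.(bool)
		if o.Op != "replace" || o.Path != "active" || !isBool {
			http.Error(w, "unsupported operation", http.StatusBadRequest)
			return
		}
		u.Active = v
	}
	w.Header().Set("Content-Type", "application/scim+json")
	json.NewEncoder(w).Encode(u)
}

// Deprovision is the IdP side: PATCH active=false on the user's SCIM resource.
func Deprovision(baseURL, token, id string) (scimUser, error) {
	body := `{"schemas":["urn:ietf:params:scim:api:messages:2.0:PatchOp"],` +
		`"Operations":[{"op":"replace","path":"active","value":false}]}`
	req, err := http.NewRequest(http.MethodPatch, baseURL+"/services/scim/v2/Users/"+id, strings.NewReader(body))
	if err != nil {
		return scimUser{}, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/scim+json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return scimUser{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return scimUser{}, fmt.Errorf("SCIM PATCH failed: %s", resp.Status)
	}
	var u scimUser
	if err := json.NewDecoder(resp.Body).Decode(&u); err != nil {
		return scimUser{}, err
	}
	return u, nil
}

func main() {
	store := NewUserStore("constructed-bearer-token")
	srv := httptest.NewServer(store)
	defer srv.Close()
	u, err := Deprovision(srv.URL, "constructed-bearer-token", "005example")
	fmt.Printf("after PATCH: %+v err=%v stillActive=%v\n", u, err, store.IsActive("005example"))
}
```

The shape of the message is the point: a status change in the IAM service becomes a PATCH against the user's own resource, authenticated with a bearer token, and the user is deactivated even if they never log in again, which is what JIT provisioning alone cannot do.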
Universal Containers is building a web application that will connect with the Salesforce API using the JWT OAuth flow. Which two settings need to be configured in the connected app to support this requirement? Choose 2 answers
A. The Use Digital Signature option in the connected app.
B. The "web" OAuth scope in the connected app.
C. The "api" OAuth scope in the connected app.
D. The "edair_api" OAuth scope in the connected app.
Explanation:
The JWT bearer flow lets a client app obtain an access token from Salesforce by presenting a signed JSON Web Token instead of an authorization code. The JWT names the connected app (iss is its consumer key), the Salesforce user to act as (sub), the audience (https://login.salesforce.com or https://test.salesforce.com) and a short expiry, and is signed with the private key that matches the certificate uploaded to the connected app. Because there is no user consent step in this flow, the user must already have authorized the app, or the app must be pre-authorized for the user's profile or permission set. Two settings in the connected app support the flow:
The Use Digital Signatures option, which lets you upload the certificate Salesforce uses to verify the signature on the JWT.
The "api" OAuth scope, which allows the connected app to call the Salesforce APIs on behalf of the user. The "web" scope only grants browser access to Visualforce and Lightning pages and does not cover API calls. References: JWT OAuth Flow, Connected Apps, OAuth Scopes
Universal Containers' (UC) identity architect needs to recommend a license type for their new Experience Cloud site that will be used by external partners (delivery providers) for reviewing and updating their accounts, downloading files provided by UC and obtaining scheduled pickup dates from their calendar. UC is using their Salesforce production org as the identity provider for these users, and the expected number of individual users is 2.5 million with 13.5 million unique logins per month. Which of the following license types should be used to meet the requirement?
A. External Apps License
B. Partner Community License
C. Partner Community Login License
D. Customer Community plus Login License
Explanation:
Partner Community Login License is the best option for UC's use case. Delivery providers are partners, so they need the account and contact access that partner licenses grant and customer licenses do not, and a login-based license is charged per login rather than per named user, which suits a very large population of users who each log in only a few times a month. External Apps licenses lack the partner-object access required here, the per-member Partner Community License would be priced for all 2.5 million users whether or not they log in, and Customer Community Plus Login licenses are for customers rather than partners.
References: Experience Cloud User Licenses, Salesforce Experience Cloud Pricing
Universal Containers (UC) wants to integrate a third-party Reward Calculation system with Salesforce to calculate rewards. Rewards will be calculated on a scheduled basis and updated back into Salesforce. The integration between Salesforce and the Reward Calculation System needs to be secure. Which are two recommended practices for using an OAuth flow in this scenario? Choose 2 answers
A. OAuth Refresh Token Flow
B. OAuth Username-Password Flow
C. OAuth SAML Bearer Assertion Flow
D. OAuth JWT Bearer Token Flow
Explanation:
OAuth is an open-standard protocol that allows a client app to access protected resources on a resource server, such as the Salesforce API, by obtaining an access token from an authorization server. OAuth supports several flows, which are different ways of obtaining that access token. For a scheduled, unattended integration between a third-party Reward Calculation system and Salesforce, the two recommended flows are:
OAuth SAML Bearer Assertion Flow, which lets the client app present a SAML assertion issued and signed by a trusted identity provider to request an access token from Salesforce. The client app holds no user password, only the signing key, and the flow reuses the SSO trust already established between Salesforce and the identity provider.
OAuth JWT Bearer Token Flow, which lets the client app present a JSON Web Token signed with its own private key to request an access token from Salesforce. The flow needs no user interaction or consent at run time, and the certificate registered on the connected app is what identifies the client.
The Refresh Token flow (A) requires an initial interactive authorization by a user and long-lived tokens stored by the integration, and the Username-Password flow (B) embeds a user's password in the integration and is discouraged by Salesforce.
References: OAuth 2.0 SAML Bearer Assertion Flow for Server-to-Server Integration; OAuth 2.0 JWT Bearer Token Flow for Server-to-Server Integration
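The JWT bearer flow recurs in three questions on this page (the certificate-based flows for the recruiting system, the Use Digital Signatures and "api" scope settings, and the server-to-server flows for the reward system). The Go program below is an added example, not code from the original question bank or from Salesforce, that builds the assertion as the client would, verifies it the way the token endpoint must (algorithm pinned to RS256, signature against the registered certificate's key, audience, expiry), and produces the form body for the token request. The RSA key is generated in place as a stand-in for the key behind the uploaded certificate; the consumer key CONSUMER_KEY_PLACEHOLDER and the username integration@uc.example are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Claims is the claim set Salesforce expects in a JWT bearer assertion.
type Claims struct {
	Iss string `json:"iss"` // consumer key of the connected app
	Sub string `json:"sub"` // Salesforce username to act as
	Aud string `json:"aud"` // https://login.salesforce.com or https://test.salesforce.com
	Exp int64  `json:"exp"` // Unix time; keep it a few minutes out, Salesforce rejects long-lived assertions
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignAssertion builds the RS256 JWT. The private key is the one whose
// certificate was uploaded to the connected app under Use Digital Signatures.
func SignAssertion(priv *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyAssertion mirrors what the token endpoint has to check. The header is
// read before the signature so that alg=none or an HMAC header is refused
// instead of being interpreted with the RSA public key.
func VerifyAssertion(pub *rsa.PublicKey, token, expectedAud string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed JWT")
	}
	var header struct {
		Alg string `json:"alg"`
	}
	rawHeader, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(rawHeader, &header) != nil || header.Alg != "RS256" {
		return Claims{}, errors.New("header missing or alg is not RS256")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return Claims{}, errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return Claims{}, errors.New("signature does not verify against the registered certificate")
	}
	var c Claims
	rawPayload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(rawPayload, &c) != nil {
		return Claims{}, errors.New("malformed claims")
	}
	if c.Aud != expectedAud {
		return Claims{}, fmt.Errorf("audience %q is not %q", c.Aud, expectedAud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("assertion expired")
	}
	return c, nil
}

// TokenRequestBody is the form body POSTed to <aud>/services/oauth2/token.
func TokenRequestBody(assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")
	v.Set("assertion", assertion)
	return v.Encode()
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the key behind the uploaded certificate
	if err != nil {
		panic(err)
	}
	now := time.Now()
	claims := Claims{Iss: "CONSUMER_KEY_PLACEHOLDER", Sub: "integration@uc.example",
		Aud: "https://login.salesforce.com", Exp: now.Add(3 * time.Minute).Unix()}
	token, err := SignAssertion(priv, claims)
	if err != nil {
		panic(err)
	}
	got, err := VerifyAssertion(&priv.PublicKey, token, "https://login.salesforce.com", now)
	fmt.Printf("verified claims: %+v err=%v\n", got, err)
	fmt.Printf("token request body is %d bytes of application/x-www-form-urlencoded\n", len(TokenRequestBody(token)))
}
```

Two design points carry over to the real integration: the private key never leaves the client, so nothing a user could reuse (no password, no refresh token) is stored in the reward or recruiting system, and every check in VerifyAssertion is one an attacker would otherwise exploit, which is why the audience must be the exact login host and the expiry must be short.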