Identity-and-Access-Management-Architect Exam Questions

Explanation

The OAuth feature of Salesforce that should be used to restrict the types of resources mobile users can access is scopes. Scopes are parameters that specify the level of access that the mobile app requests from Salesforce when it obtains an OAuth token. Scopes can be used to limit the access to certain resources or actions, such as API calls, full access, web access, or refresh token. By configuring scopes in the connected app settings, Universal Containers can control what the mobile app can do with the OAuth token and protect against unauthorized or excessive access.

References: [OAuth Scopes], [Connected Apps], [OAuth Authorization Flows]

Explanation

This is an OAuth authorization flow that allows a webserver application to obtain an access token to access Salesforce resources on behalf of the user1. This flow is suitable for integrating a desktop application with Salesforce, as it does not require the user to enter their credentials in the application, but rather redirects them to the Salesforce login page to authenticate and authorize theapplication2. This way, the integration between the desktop application and Salesforce is seamless and secure. The other options are not optimal for this requirement because:

JWT Bearer Token Flow is an OAuth authorization flow that allows a client application to obtain an access token by sending a signed JSON Web Token (JWT) to Salesforce3. This flow does not involve user interaction, and requires the client application to have a certificate and a private key to sign the JWT. This flow is more suitable for server-to-server integration, not for desktop application integration.

User Agent Flow is an OAuth authorization flow that allows a user-agent-based application (such as a browser or a mobile app) to obtain an access token by redirecting the user to Salesforce and receiving the token in the URL fragment4. This flow is not suitable for desktop application integration, as it requires the application to parse the URL fragment and store the token securely.

Username and Password Flow is an OAuth authorization flow that allows a client application to obtain an access token by sending the user’s username and password to Salesforce5. This flow is not recommended for desktop application integration, as it requires the user to enter their credentials in the application, which is not secure or seamless.

References:

OAuth Authorization Flows, Implement the OAuth 2.0 Web Server Flow, JWT-Based Access Tokens (Beta), User-Agent Flow, Username-Password Flow

Explanation

A 2-Factor Authentication (2FA) solution is a type of multi-factor authentication (MFA) that requires users to provide two verification factors to access a system or application. The verification factors can be something the user knows (e.g., password), something the user has (e.g., phone), or something the user is (e.g., fingerprint). A 2FA solution can help prevent common cyberattacks that rely on stealing or guessing passwords, such as:

Key logging attacks: These are attacks where a malicious program records the keystrokes of a user, including their passwords, and sends them to the attacker. A 2FA solution can prevent this attack by requiring an additional factor that is not typed by the user, such as a verification code sent to their phone or a biometric scan.

Phishing attacks: These are attacks where an attacker sends a fake email or website that looks like it came from a trusted source,and tricks the user into providing their credentials or other sensitive information. A 2FA solution can prevent this attack by requiring an additional factor that is not known by the attacker, such as a verification code generated by an authenticator appor a hardware token.

Dictionary attacks: These are attacks where an attacker tries to guess a user’s password by using a list of common or likely passwords, such as “password” or “123456”. A 2FA solution can prevent this attack by requiring an additional factor that is not based on a password, such as a fingerprint scan or a facial recognition.

A man-in-the-middle attack is when an attacker intercepts and alters the communication between two parties, such as a user and a website. A 2-Factor Authentication solution can help prevent this type of attack by requiring a second factor of authentication thatthe attacker cannot access or spoof, such as a code sent to the user’s phone or a hardware token.

References: 1: What Is Two-Factor Authentication (2FA)? | Microsoft Security 2: What type of attacks does Multi-Factor Authentication prevent?

Explanation

To provision users in Salesforce from Active Directory without doing any initial setup of users in Salesforce, UC can use an app exchange product or Identity Connect. An app exchange product is a third-party application that can synchronize users and groups from Active Directory to Salesforce using a web-based interface1. Identity Connect is a desktop application that can synchronize users and groups from Active Directory to Salesforce using a graphical user interface2. Both solutions can also map Active Directory attributes to Salesforce fields and assign profiles, roles, and permission sets to users12.

References: Active Directory Integration with Salesforce, Identity Connect

Explanation

To allow Salesforce profiles to be managed from a central system of record, the architect should recommend to implement JIT provisioning on the SAML IDP that will pass the profile ID in each assertion. JIT provisioning is a process that creates or updates user accounts on Salesforce based on information sent by an external identity provider (IDP) during SAML authentication. By passing the profile ID in each assertion, the IDP can control which profile is assigned to each user.

Option B is not a good choice because creating an Apex scheduled job in one org that will synchronize the other orgs profile may not be scalable, reliable, or secure.

Option C is not a good choice because implementing Delegated Authentication that will update the user profiles as necessary may not be feasible, as Delegated Authentication only verifies the user’s credentials against an external service, but does not pass any other information to Salesforce.

Option D is not a good choice because implementing an OAuth JWT flow to pass the profile credentials between systems may not be suitable, as OAuth JWTflow is used for server-to-server integration, not for user authentication.

References: Authorize Apps with OAuth, [Identity Management Concepts], [User Authentication]

Explanation

The update User() methodonthe Registration Handler class is used to update the Salesforce user record with information from the Facebook profile, such as name, email, and photo1. This method is invoked every time a user logs in to Salesforce using Facebook credentials2. The other options are not suitable for this requirement because:

SAML Just-In-Time Provisioning is used to create or update users in Salesforce based on SAML assertions from an identity provider3. Facebook does not support SAML as an identity provider. The Signed Request is a parameter that contains information about the user who is logging in to Salesforce via Facebook. It does not contain the user’s profile information, such as name, email, or photo.

A scheduled job that calls out to Facebook on a nightly basis would not reflect the changes in the Facebook profile in real time, as the requirement states. It would also require storing the user’s Facebook access token and making API calls to Facebook,which could be inefficient and insecure. References: Set Up Social Sign-On, Configure a Facebook Authentication Provider, SAML Just-in￾Time Provisioning, [Facebookas a SAML Identity Provider], [Facebook Login for Apps - Signed Request], [Facebook Login for Apps - Access Tokens], [Facebook Graph API - User]

Explanation

The web scope should be requested when using the OAuth token to meet this requirement. The web scope allows the user to log in to Salesforce and access the web UI. This is suitable for scenarios where the user is redirected from an external portal to Salesforce and needs to see the relevant pages. Option B is not a good choice because the full scope allows access to all data accessible by the user, including the web UI and the API.

This may be unnecessary or insecure for this requirement. Option C is not a good choice because the API scope allows access to the Salesforce API only, not the web UI. This may not meet the requirement of presenting the user with relevant pages. Option D is not a good choice because the visual force scope allows access to Visualforce pages only, not the entire web UI. This may limit the user’s experience and functionality.

References: OAuth 2.0 Web Server Authentication Flow, Digging Deeper into OAuth 2.0 on Force.com

Explanation

When integrating a SP that supports both SAML and OIDC with Salesforce, the use case that is the determining factor when choosing OIDC or SAML is whether the SP needs to perform API calls back to Salesforce on behalf of the user after the user logs in to the service provider. OIDC is a protocol that allows users to authorize an external application to access Salesforce resources on their behalf.

OIDC provides an access token that can be used to call Salesforce APIs. SAML is a protocol that allows users to authenticate and authorize with an external identity provider and access Salesforce resources. SAML does not provide an access token, but only a session ID that can be used for web-based access. Therefore, if the SP needs to perform API calls back to Salesforce, OIDC is the preferred choice over SAML. References: OpenID Connect, SAML, Authorize Apps with OAuth

Explanation

A is correct because requiring users to provide their RSA token along with their credentials is a form of two￾factor authentication. An RSA token is a hardware device that generates a one-time password (OTP) that changes every few seconds. The user needs to enter both their password and the OTP to log in to Salesforce.

D is correct because requiring users to use a biometric reader as well as their password is another form oftwo￾factor authentication. A biometric reader is a device that scans a user’s fingerprint, face, iris, or other physical characteristics to verify their identity. The user needs to provide both their password and their biometric data to log in to Salesforce.

B is incorrect because requiring users to supply their email and phone number, which gets validated, is not a form of two-factor authentication. This is a form of identity verification, which is used to confirm that the user owns the email and phone number they provided. However, this does not add an extra layer of protection beyond their password when they log in to Salesforce.

C is incorrect because requiring users to enter a second password after the first authentication is not a form of two-factor authentication. This is a form of single-factor authentication, which only relies on something the user knows (their passwords). This does not increase security against unauthorized account access.

References: 4: Multi-Factor Authentication - Salesforce 5: Salesforce Multi-Factor Authentication 6: Two Factor Authentication - Salesforce India 7: Customer 360 | Increase Productivity - Salesforce UK 8: Secure Salesforce Login Using Two-Factor Authentication and Salesforce …

The two Salesforce license types that UC needs for its employees are Identity and Identity Connect licenses. According to the Salesforce documentation, “Identity licenses let your employees access any app that supports standards-based single sign-on (SSO). Identity Connect licenses let you integrate your Active Directory with Salesforce.” Therefore, option B and D are the correct answers. References: [Identity Licenses]