Top Tips Of Far Out Identity-and-Access-Management-Architect Real Exam

NEW QUESTION 1
Northern Trail Outfitters (NTO) utilizes a third-party cloud solution for an employee portal. NTO also owns Salesforce Service Cloud and would like employees to be able to login to Salesforce with their third-party portal credentials for a seamless experience. The third-party employee portal only supports OAuth.
What should an identity architect recommend to enable single sign-on (SSO) between the portal and Salesforce?

• A. Configure SSO to use the third-party portal as an identity provider.
• B. Create a custom external authentication provider.
• C. Add the third-party portal as a connected app.
• D. Configure Salesforce for Delegated Authentication.

Answer: A

Explanation:
Configuring SSO to use the third-party portal as an identity provider is the best option to enable SSO between the portal and Salesforce. The portal can use OAuth as the protocol to authenticate users and redirect them to Salesforce. The other options are either not feasible or not relevant for this use case. References: Single Sign-On for Desktop and Mobile Applications using SAML and OAuth, Single Sign-On with SAML on Force.com

NEW QUESTION 2
Universal containers (UC) would like to enable SSO between their existing Active Directory infrastructure and salesforce. The it team prefers to manage all users in Active Directory and would like to avoid doing any initial setup of users in salesforce directly, including the correct assignment of profiles, roles and groups. Which two optimal solutions should UC use to provision users in salesforce? Choose 2 answers

• A. Use the salesforce REST API to sync users from active directory to salesforce
• B. Use an app exchange product to sync users from Active Directory to salesforce.
• C. Use Active Directory Federation Services to sync users from active directory to salesforce.
• D. Use Identity connect to sync users from Active Directory to salesforce

Answer: BD

Explanation:
To provision users in Salesforce from Active Directory without doing any initial setup of users in Salesforce, UC can use an app exchange product or Identity Connect. An app exchange product is a third-party application that can synchronize users and groups from Active Directory to Salesforce using a web-based
interface1. Identity Connect is a desktop application that can synchronize users and groups from Active Directory to Salesforce using a graphical user interface2. Both solutions can also map Active Directory attributes to Salesforce fields and assign profiles, roles, and permission sets to users12.
References: Active Directory Integration with Salesforce, Identity Connect

NEW QUESTION 3
A global fitness equipment manufacturer is planning to sell fitness tracking devices and has the following requirements:
1) Customer purchases the device.
2) Customer registers the device using their mobile app.
3) A case should automatically be created in Salesforce and associated with the customer’s account in cases where the device registers issues with tracking.
Which OAuth flow should be used to meet these requirements?

• A. OAuth 2.0 Asset Token Flow
• B. OAuth 2.0 Username-Password Flow
• C. OAuth 2.0 User-Agent Flow
• D. OAuth 2.0 SAML Bearer Assertion Flow

Answer: A

Explanation:
OAuth 2.0 Asset Token Flow is the flow that allows customers to register their devices with Salesforce and get an access token that can be used to create cases. The other flows are not suitable for this use case.
References: OAuth Authorization Flows Trailblazer Community Documentation

NEW QUESTION 4
A division of a Northern Trail Outfitters (NTO) purchased Salesforce. NTO uses a third party identity provider (IdP) to validate user credentials against Its corporate Lightweight Directory Access Protocol (LDAP) directory. NTO wants to help employees remember as passwords as possible.
What should an identity architect recommend?

• A. Setup Salesforce as a Service Provider to the existing IdP.
• B. Setup Salesforce as an IdP to authenticate against the LDAP directory.
• C. Use Salesforce connect to synchronize LDAP passwords to Salesforce.
• D. Setup Salesforce as an Authentication Provider to the existing IdP.

Answer: A

Explanation:
To help employees remember fewer passwords, an identity architect should recommend setting up Salesforce as a service provider (SP) to the existing IdP. A SP is the system that relies on the IdP for authentication and provides access to its services based on the SAML assertions from the IdP. To set up Salesforce as a SP, you need to create a connected app for Salesforce in the IdP, enable SAML and configure the SAML settings, such as the entity ID, ACS URL, and subject type. You also need to enable SSO for your Salesforce org, upload the IdP certificate, and configure the SSO settings, such as the issuer, identity type, and service provider initiated request binding.
References:
[SAML Single Sign-On]
[Set Up Salesforce as a Service Provider]
[Enable Single Sign-On for Your Org]

NEW QUESTION 5
Universal containers (UC) wants to implement a partner community. As part of their implementation, UC would like to modify both the Forgot password and change password experience with custom branding for their partner community users. Which 2 actions should an architect recommend to UC? Choose 2 answers

• A. Build a community builder page for the change password experience and Custom Visualforce page for the Forgot password experience.
• B. Build a custom visualforce page for both the change password and Forgot password experiences.
• C. Build a custom visualforce page for the change password experience and a community builder page for the Forgot password experience.
• D. Build a community builder page for both the change password and Forgot password experiences.

Answer: BC

Explanation:
The two actions that an architect should recommend to UC are to build a custom Visualforce page for both the change password and forgot password experiences and to build a custom Visualforce page for the change password experience and a community builder page for the forgot password experience. A custom Visualforce page is a page that uses Visualforce markup and Apex code to create a custom user interface. A community builder page is a page that uses the Community Builder tool to create a custom user interface with drag-and-drop components. Both types of pages can be used to modify the look and feel of the password management features for partner community users. However, using a custom Visualforce page for both features requires more coding and customization, while using a community builder page for the forgot password feature allows more flexibility and configuration options.
References: [Visualforce Pages], [Community Builder Pages], [Customize Password Management Features]

NEW QUESTION 6
An Architect needs to advise the team that manages the Identity Provider how to differentiate Salesforce from other Service Providers. What SAML SSO setting in Salesforce provides this capability?

• A. Identity Provider Login URL.
• B. Issuer.
• C. Entity Id
• D. SAML Identity Location.

Answer: C

Explanation:
The Entity Id is the SAML SSO setting in Salesforce that provides the capability to differentiate Salesforce from other service providers. The Entity Id is a unique identifier for the service provider that is sent to the identity provider as part of the SSO request4. The identity provider uses the Entity Id to determine which service provider configuration to use and which SAML assertion to send back5. The other options are not valid SAML SSO settings for this purpose. The Identity Provider Login URL is the URL of the identity provider’s SSO service that Salesforce redirects the user to for authentication4. The Issuer is the unique identifier for the identity provider that is sent by the identity provider as part of the SAML response4. The SAML Identity Location is the location of the user’s identity in the SAML assertion, either in the Subject element or in an Attribute element4.
References: Configure SSO with Salesforce as a SAML Service Provider, Set Up Single Sign-On for Your Internal Users

NEW QUESTION 7
Northern Trail Outfitters (NTO) recently purchased Salesforce Identity Connect to streamline user provisioning across Microsoft Active Directory (AD) and Salesforce Sales Cloud.
NTO has asked an identity architect to identify which salesforce security configurations can map to AD permissions.
Which three Salesforce permissions are available to map to AD permissions? Choose 3 answers

• A. Public Groups
• B. Field-Level Security
• C. Roles
• D. Sharing Rules
• E. Profiles and Permission Sets

Answer: ACE

Explanation:
Salesforce Identity Connect can map AD groups to Salesforce public groups, roles, profiles, and permission sets. These permissions control the access and visibility of data and features in Salesforce. References:
Salesforce Identity Connect Implementation Guide

NEW QUESTION 8
Universal Containers (UC) has a Customer Community that uses Facebook for of authentication. UC would like to ensure that changes in the Facebook profile are 65. reflected on the appropriate Customer Community user. How can this requirement be met?

• A. Use SAML Just-In-Time Provisioning between Facebook and Salesforce.
• B. Use information in the Signed Request that is received from Facebook.
• C. Develop a scheduled job that calls out to Facebook on a nightly basis.
• D. Use the update User () method on the Registration Handler class.

Answer: D

Explanation:
The update User() method on the Registration Handler class is used to update the Salesforce user record with information from the Facebook profile, such as name, email, and photo1. This method is invoked every time a user logs in to Salesforce using Facebook credentials2. The other options are not suitable for this requirement because:
SAML Just-In-Time Provisioning is used to create or update users in Salesforce based on SAML assertions from an identity provider3. Facebook does not support SAML as an identity provider.
The Signed Request is a parameter that contains information about the user who is logging in to Salesforce via Facebook. It does not contain the user’s profile information, such as name, email, or photo.
A scheduled job that calls out to Facebook on a nightly basis would not reflect the changes in the Facebook profile in real time, as the requirement states. It would also require storing the user’s Facebook access token and making API calls to Facebook, which could be inefficient and insecure. References: Set Up Social Sign-On, Configure a Facebook Authentication Provider, SAML Just-in-Time Provisioning, [Facebook as a SAML Identity Provider], [Facebook Login for Apps - Signed Request], [Facebook Login for Apps - Access Tokens], [Facebook Graph API - User]

NEW QUESTION 9
Universal Containers (UC) wants its closed Won opportunities to be synced to a Data Warehouse in near real time. UC has implemented Outbound Message to enable near real-time data sync. UC wants to ensure that communication between Salesforce and Target System is Secure. What Certificate is sent along with the Outbound Message?

• A. The CA-Signed Certificate from the Certificate and Key Management menu.
• B. The default Client Certificate from the Develop--> API Menu.
• C. The default Client Certificate or a Certificate from Certificate and Key Management menu.
• D. The Self-Signed Certificates from the Certificate & Key Management menu.

Answer: A

Explanation:
The CA-Signed Certificate from the Certificate and Key Management menu is the certificate that is sent along with the outbound message. An outbound message is a SOAP message that is sent from Salesforce to an external endpoint when a workflow rule or approval process is triggered. To ensure that the communication between Salesforce and the target system is secure, the outbound message can be signed with a certificate that is generated or uploaded in the Certificate and Key Management menu. The certificate must be CA-Signed, which means that it is issued by a trusted certificate authority (CA) that verifies the identity of the sender. The other options are not valid certificates for this purpose. The default client certificate from the Develop–> API Menu is a self-signed certificate that is used for testing purposes only and does not provide adequate security. The default client certificate or a certificate from Certificate and Key Management menu is too vague and does not specify whether the certificate is CA-Signed or self-signed. The self-signed certificates from the Certificate & Key Management menu are certificates that are generated by Salesforce without any verification by a CA, and they are not recommended for production use.
References: [Outbound Messages], [Sign Outbound Messages with a Certificate], [CA-Signed Certificates], [Default Client Certificate], [Self-Signed Certificates]

NEW QUESTION 10
Which three are features of federated Single sign-on solutions? Choose 3 Answers

• A. It establishes trust between Identity Store and Service Provider.
• B. It federates credentials control to authorized applications.
• C. It solves all identity and access management problems.
• D. It improves affiliated applications adoption rates.
• E. It enables quick and easy provisioning and deactivating of users.

Answer: ADE

Explanation:
The three features of federated single sign-on (SSO) solutions are:
It establishes trust between identity store and service provider. Federated SSO is a process that allows users to access multiple applications or systems with one set of credentials by using a common identity provider (IdP) that authenticates the user and issues a security token to the service provider (SP) that grants access. This process requires a trust relationship between the IdP and the SP, which is established by exchanging metadata and certificates.
It improves affiliated applications adoption rates. Federated SSO improves the user experience and satisfaction by reducing the number of login prompts, passwords, and authentication failures that users have to deal with when accessing multiple applications or systems. This can increase the usage and adoption rates of the affiliated applications or systems, as users can access them more easily and conveniently.
It enables quick and easy provisioning and deprovisioning of users. Federated SSO enables centralized management of user accounts and access rights by using the IdP as the source of truth for user identity and attributes. This can simplify and automate the provisioning and deprovisioning of users across multiple applications or systems, as changes made in the IdP can be reflected in the SPs without requiring manual intervention or synchronization.
The other option is not a feature of federated SSO solutions. Federated SSO does not solve all identity and access management problems, as it still faces challenges such as security risks, compatibility issues, governance policies, and user education. References: [Federated Single Sign-On], [Set Up Federated Authentication Using SAML], [Benefits of Single Sign-On], [How Single Sign-On Improves Application Adoption Rates], [User Provisioning for Federated Single Sign-On], [Just-in-Time Provisioning for SAML], [Challenges of Single Sign-On]

NEW QUESTION 11
Which two things should be done to ensure end users can only use single sign-on (SSO) to login in to Salesforce?
Choose 2 answers

• A. Enable My Domain and select "Prevent login from https://login.salesforce.com".
• B. Request Salesforce Support to enable delegated authentication.
• C. Once SSO is enabled, users are only able to login using Salesforce credentials.
• D. Assign user "is Single Sign-on Enabled" permission via profile or permission set.

Answer: AD

Explanation:
To ensure end users can only use single sign-on (SSO) to log in to Salesforce, two things should be done:
Enable My Domain and select “Prevent login from https://login.salesforce.com”. My Domain is a feature that allows administrators to customize the Salesforce login URL with a unique domain name. By preventing login from the standard login URL, administrators can enforce SSO and restrict users from logging in with their Salesforce credentials.
Assign user “is Single Sign-on Enabled” permission via profile or permission set. This permission allows users to log in to Salesforce using SSO. Users who do not have this permission will not be able to access Salesforce even if they have valid Salesforce credentials. References: My Domain, User Permissions for Single Sign-On

NEW QUESTION 12
Universal Containers (UC) operates in Asia, Europe and North America regions. There is one Salesforce org for each region. UC is implementing Customer 360 in Salesforce and has procured External Identity and Customer Community licenses in all orgs.
Customers of UC use Community to track orders and create inquiries. Customers also tend to move across regions frequently.
What should an identity architect recommend to optimize license usage and reduce maintenance overhead?

• A. Merge three orgs into one instance of Salesforc
• B. This will no longer require maintaining three separate copies of the same customer.
• C. Delete contact/ account records and deactivate user if user moves from a specific region; Sync will no longer be required.
• D. Contacts are required since Community access needs to be enable
• E. Maintenance is a necessary overhead that must be handled via data integration.
• F. Enable Contactless User in all orgs and downgrade users from Experience Cloud license to External Identity license once users have moved out of that region.

Answer: D

Explanation:
To optimize license usage and reduce maintenance overhead for customers who use Community to track orders and create inquiries and tend to move across regions frequently, the identity architect should recommend enabling Contactless User in all orgs and downgrade users from Experience Cloud license to External Identity license once users have moved out of that region. Contactless User is a feature that allows users to access Experience Cloud sites without having a contact record associated with them. External Identity is a license type that enables users to access Experience Cloud sites using social sign-on or single sign-on, but not access Salesforce objects or data. By enabling Contactless User and downgrading users from Experience Cloud license to External Identity license, the identity architect can reduce the number of contacts and licenses needed for each region and avoid data duplication and synchronization issues. References: Contactless User, External Identity License, User Licenses

NEW QUESTION 13
Universal Containers (UC) is looking to build a Canvas app and wants to use the corresponding Connected App to control where the app is visible. Which two options are correct in regards to where the app can be made visible under the Connected App setting for the Canvas app? Choose 2 answers

• A. As part of the body of a Salesforce Knowledge article.
• B. In the mobile navigation menu on Salesforce for Android.
• C. The sidebar of a Salesforce Console as a console component.
• D. Included in the Call Control Tool that's part of Open CTI.

Answer: CD

Explanation:
The sidebar of a Salesforce Console as a console component and included in the Call Control Tool that’s part of Open CTI are two options that are correct in regards to where the app can be made visible under the connected app settings for the Canvas app. A Canvas app is an external application that can be embedded within Salesforce using an iframe. A connected app is an application that integrates with Salesforce using APIs and uses OAuth as the authentication protocol. You can control where a Canvas app can be displayed in Salesforce by configuring the locations in the connected app settings. The sidebar of a Salesforce Console as a console component is a valid location for a Canvas app because it allows you to display the app as a collapsible panel on the side of any console app. Included in the Call Control Tool that’s part of Open CTI is a valid location for a Canvas app because it allows you to display the app as part of the softphone panel that integrates with your telephony system. As part of the body of a Salesforce Knowledge article is not a valid location for a Canvas app because it is not supported by the connected app settings. In the mobile navigation menu on Salesforce for Android is not a valid location for a Canvas app because it is not supported by the connected app settings. References: : [Canvas Developer Guide] : [Connected Apps Overview] : [Add or Remove Components from Your Console Apps] : [Open CTI Developer Guide]

NEW QUESTION 14
Universal containers wants salesforce inbound Oauth-enabled integration clients to use SAML-BASED single Sign-on for authentication. What Oauth flow would be recommended in this scenario?

• A. User-Agent Oauth flow
• B. SAML assertion Oauth flow
• C. User-Token Oauth flow
• D. Web server Oauth flow

Answer: B

Explanation:
The SAML assertion OAuth flow allows a connected app to use a SAML assertion to request an OAuth access token to call Salesforce APIs. This flow provides an alternative for orgs that are currently using SAML to access Salesforce and want to access the web services API in the same way3. This flow can be used for inbound OAuth-enabled integration clients that want to use SAML-based single sign-on for authentication.
References: OAuth 2.0 SAML Bearer Assertion Flow for Previously Authorized Apps, Access Data with AP
Integration, Error ‘Invalid assertion’ in OAuth 2.0 SAML Bearer Flow

NEW QUESTION 15
architect is troubleshooting some SAML-based SSO errors during testing. The Architect confirmed that all of the Salesforce SSO settings are correct. Which two issues outside of the Salesforce SSO settings are most likely contributing to the SSO errors the Architect is encountering? Choose 2 Answers

• A. The Identity Provider is also used to SSO into five other applications.
• B. The clock on the Identity Provider server is twenty minutes behind Salesforce.
• C. The Issuer Certificate from the Identity Provider expired two weeks ago.
• D. The default language for the Identity Provider and Salesforce are Different.

Answer: BC

Explanation:
The two issues outside of the Salesforce SSO settings that are most likely contributing to the SSO errors are the clock on the identity provider server being twenty minutes behind Salesforce and the issuer certificate from the identity provider expiring two weeks ago. These issues can cause SAML assertion errors, which prevent the user from logging in with SSO. A SAML assertion is an XML document that contains information about the user’s identity and attributes, and it is signed by the identity provider and sent to Salesforce as part of the SSO process4. If the clock on the identity provider server is not synchronized with Salesforce, the SAML assertion may be rejected as invalid or expired, as it has a time limit for validity5. If the issuer certificate from the identity provider is expired, the SAML assertion may not be verified by Salesforce, as it relies on the certificate to validate the signature6. The other options are not likely issues that cause SSO errors. The identity provider being used to SSO into five other applications does not affect its ability to SSO into Salesforce, as long as it supports multiple service providers and has a separate configuration for each one7. The default language for the identity provider and Salesforce being different does not affect the SSO process, as it does not impact the SAML assertion or its validation.
References: SAML Login Errors, Troubleshoot SAML Assertion Errors, SAML SSO with Salesforce as th Service Provider, Single Sign-On, [How to Troubleshoot a Single Sign-On Error]

NEW QUESTION 16
......