Accepting 3rd party Identity in Salesforce (22%) Flashcards
Universal Containers (UC) wants to implement Delegated Authentication for a certain subset of Salesforce users.
Which three items should UC take into consideration while building the Web service to handle the Delegated Authentication request?
Choose three answers.
A) The web service needs to include Source IP as a method parameter.
B) UC should whitelist all Salesforce IP ranges on their corporate firewall.
C) The return type of the Web service method should be a boolean value.
D) Delegated Authentication is enabled for the System Administrator profile.
E) The web service can be done in either SOAP or REST protocol.
A) The web service needs to include Source IP as a method parameter.
B) UC should whitelist all Salesforce IP ranges on their corporate firewall.
C) The return type of the Web service method should be a boolean value.
How does Identity Connect synchronize Salesforce with Active Directory?
A) It syncs Active Directory users from Salesforce users
B) It syncs Salesforce users from Active Directory
C) It syncs Salesforce users from Active Directory and Active Directory users from Salesforce users
D) It syncs Active Directory users from the company’s central database
B) It syncs Salesforce users from Active Directory
How do you determine which users in AD have access to Salesforce?
A) Use filters
B) Create a base context for each branch of the AD tree that contains possible Salesforce users
C) You can’t. Identity Connect maps every AD user to Salesforce
D) A and B
E) B and C
D) A and B
Why would you use transformation scripts with AD and Identity Connect?
A) To transform the AD username to the Salesforce username
B) To map permissions between Salesforce and AD
C) To populate values on the fly
D) A and B
E) A and C
E) A and C
Which statement is correct?
A) You can map an AD profile to a Salesforce profile only
B) You can map an AD role to a Salesforce role only
C) You can map an AD group to a Salesforce profile, permission set, group, and role
D) You can map an AD group to a Salesforce profile, role, and user
C) You can map an AD group to a Salesforce profile, permission set, group, and role
With Identity Connect, can you sync other attributes than those listed under the Attributes tab?
A) Yes. You can add your own attributes for Identity Connect to sync
B) Yes. You can exclude Salesforce attributes from syncs
C) Yes. You can have Identity Connect retrieve attributes from your Salesforce org
D) A and B
E) B and C
E) B and C
Which of the following is true about setting up Identity Connect with multiple orgs?
A) You can set up Identity Connect to manage all production orgs at once
B) You can set up Identity Connect to centralize user data after an acquisition
C) You can set up Identity Connect with a mix of production and sandbox orgs
A) You can set up Identity Connect to manage all production orgs at once
Which of the following is true about a high-availability configuration of Identity Connect?
A) All configuration changes should be made to your primary Identity Connect instance
B) Identity Connect uses the OrientDB to store configuration data
C) High availability is important if you’re using Identity Connect for authentication
D) A and C
E) B and C
D) A and C
Why install Identity Connect in your DMZ rather than your internal network?
A) To use a global catalog when you have two Active Directories
B) To enable users to log in to your corporate network from a customer site without first accessing a VPN
C) To balance the load
D) To protect users who log in to Salesforce with their AD credentials
B) To enable users to log in to your corporate network from a customer site without first accessing a VPN
What does Identity Connect require for user provisioning?
A) LDAP or LDAPS and HTTPS
B) Active Directory installed on-premises
C) Delete access to Active Directory
D) A and B
E) B and C
D) A and B
What does DMZ stand for?
Demilitarized zone. It is a subnetwork that separates your internal network from other untrusted networks, like the Internet
From an Identity Connect perspective, you can install it in the DMZ instead of installing it behind the firewall.
Describe what Identity Connect is.
It integrates Microsoft Active Directory (AD) with Salesforce.
It is on-premises software that sits behind your firewall and pushes data to Salesforce. It communicates with the AD server over LDAP(S), and it communicates with Salesforce over HTTPS.
You can also use Identity Connect for single sign-on to Salesforce
If you want to disable passwords in Salesforce, what do you need to do?
Contact Salesforce Support to enable Delegated Administration.
Then you can set “Is Single Sign-On Enabled” on the profile of users who won’t have a Salesforce password
In Identity Connect, what is the downside of choosing the Schedule Updates data sync option?
A) It reacts to changes as they occur
B) It makes many more API calls
C) None. You can schedule updates whenever
D) It compares all the data between AD and Salesforce
B) It makes many more API calls
When should you disable Salesforce passwords?
A) Always
B) When Identity Connect is down
C) When you want to keep the Identity Connect login page behind the firewall
D) When you want to require users to use one set of credentials
E) C and D
D) When you want to require users to use one set of credentials
When should Salesforce admins configure Integrated Windows Authentication?
A) When they have time
B) When they have IWA expertise available
C) When they use Identity Connect for user provisioning
D) As soon as possible
B) When they have IWA expertise available
For which 6 common identity providers does Salesforce provide a simple way to set up an authentication provider? (Salesforce manages the third-party app for you, saving you time and effort.)
Facebook, GitHub, Google, LinkedIn, Salesforce and Twitter
If an external authentication provider does not support the OpenID Connect protocol but does support OAuth or another authentication protocol, what does Salesforce provide so that you can create a custom authentication provider?
An abstract Apex Auth.AuthProviderPluginClass.
Suppose you want to set up single sign-on (SSO) using a LinkedIn authentication provider to enable login to Salesforce with LinkedIn credentials. On the Auth. Provider Setup page, which fields should you leave blank to let Salesforce manage these values?
Consumer Key
Consumer Secret
Authorize Endpoint URL
Token Endpoint URL
User Info Endpoint URL
Default Scopes
What are the two RegistrationHandler methods that are used when Salesforce uses an authentication provider (such as Facebook or Janrain) for single sign-on into Salesforce?
createUser (portalId, userData)
updateUser (userId, portalId, userData)
How does My Domain work with single sign-on?
My Domain is required for setting up single sign-on. For inbound single sign-on requests, the subdomain enables deep linking directly to pages in the org. No changes are required for the identity provider.
Please note: if you do not have My Domain enabled, Service Provider-initiated SSO will not work.
What are the 5 process steps that Salesforce uses to authenticate users with delegated authentication SSO?
- When a user tries to log in (or use the API), Salesforce validates the username and checks the user's permissions and access settings.
- If the user has the "Is Single Sign-On Enabled" user permission, Salesforce doesn't validate the password; instead, a web service call is made to the user's org to validate the username and password.
- The web service call passes the username, password and source IP to your web service. The source IP is the address where the login request originated. You must create and deploy an implementation of the web service that Salesforce servers can access.
- Your web service implementation validates the passed information and returns either true or false.
- When the response is true, the login process continues; when it is false, the user gets an error message that the username and password combination is invalid.
When a Salesforce organization is Single Sign On enabled using SAML, the organization plays the role of the Service Provider (SP). What type of certificate is allowed?
A) self-signed
B) root certificate authority (CA)
A) self-signed