Accepting 3rd party Identity in Salesforce (22%) Flashcards

1
Q

Universal Containers (UC) wants to implement Delegated Authentication for a certain subset of Salesforce users.

Which three items should UC take into consideration while building the Web service to handle the Delegated Authentication request?

Choose three answers.

A) The web service needs to include Source IP as a method parameter.

B) UC should whitelist all Salesforce IP ranges on their corporate firewall.

C) The return type of the Web service method should be a boolean value.

D) Delegated Authentication is enabled for the System Administrator profile.

E) The web service can be done in either SOAP or REST protocol

A

A) The web service needs to include Source IP as a method parameter.

B) UC should whitelist all Salesforce IP ranges on their corporate firewall.

C) The return type of the Web service method should be a boolean value.

2
Q

How does Identity Connect synchronize Salesforce with Active Directory?

A) It syncs Active Directory users from Salesforce users

B) It syncs Salesforce users from Active Directory

C) It syncs Salesforce users from Active Directory and Active Directory users from Salesforce users

D) It syncs Active Directory users from the company’s central database

A

B) It syncs Salesforce users from Active Directory

3
Q

How do you determine which users in AD have access to Salesforce?

A) Use filters

B) Create a base context for each branch of the AD tree that contains possible Salesforce users

C) You can’t. Identity Connect maps every AD user to Salesforce

D) A and B

E) B and C

A

D) A and B

4
Q

Why would you use transformation scripts with AD and Identity Connect?

A) To transform the AD username to the Salesforce username

B) To map permissions between Salesforce and AD

C) To populate values on the fly

D) A and B

E) A and C

A

E) A and C

5
Q

Which statement is correct?

A) You can map an AD profile to a Salesforce profile only

B) You can map an AD role to a Salesforce role only

C) You can map an AD group to a Salesforce profile, permission set, group, and role

D) You can map an AD group to a Salesforce profile, role, and user

A

C) You can map an AD group to a Salesforce profile, permission set, group, and role

6
Q

With Identity Connect, can you sync other attributes than those listed under the Attributes tab?

A) Yes. You can add your own attributes for Identity Connect to sync

B) Yes. You can exclude Salesforce attributes from syncs

C) Yes. You can have Identity Connect retrieve attributes from your Salesforce org

D) A and B

E) B and C

A

E) B and C

7
Q

Which of the following is true about setting up Identity Connect with multiple orgs?

A) You can set up Identity Connect to manage all production orgs at once

B) You can set up Identity Connect to centralize user data after an acquisition

C) You can set up Identity Connect with a mix of production and sandbox orgs

A

A) You can set up Identity Connect to manage all production orgs at once

8
Q

Which of the following is true about a high-availability configuration of Identity Connect?

A) All configuration changes should be made to your primary Identity Connect instance

B) Identity Connect uses the OrientDB to store configuration data

C) High availability is important if you’re using Identity Connect for authentication

D) A and C

E) B and C

A

D) A and C

9
Q

Why install Identity Connect in your DMZ rather than your internal network?

A) To use a global catalog when you have two Active Directories

B) To enable users to log in to your corporate network from a customer site without first accessing a VPN

C) To balance the load

D) To protect users who log in to Salesforce with their AD credentials

A

B) To enable users to log in to your corporate network from a customer site without first accessing a VPN

10
Q

What does Identity Connect require for user provisioning?

A) LDAP or LDAPS and HTTPS

B) Active Directory installed on-premises

C) Delete access to Active Directory

D) A and B

E) B and C

A

D) A and B

11
Q

What does DMZ stand for?

A

Demilitarized zone. It is a subnetwork that separates your internal network from other untrusted networks, like the Internet.

From an Identity Connect perspective, you can install it in the DMZ instead of behind the firewall on the internal network.

12
Q

Describe what Identity Connect is?

A

It integrates Microsoft Active Directory (AD) with Salesforce.

It is on-premises software that sits behind your firewall and pushes data to Salesforce. It communicates with the AD server over LDAP(S), and it communicates with Salesforce over HTTPS.

You can also use Identity Connect for single sign-on to Salesforce.

13
Q

If you want to disable passwords in Salesforce, what do you need to do?

A

Contact Salesforce Support to enable Delegated Authentication for the org.

Then enable the “Is Single Sign-On Enabled” user permission on the profile (or permission set) of the users who won’t have a Salesforce password; Salesforce stops validating their password itself and calls your delegated authentication web service instead. Leave the System Administrator profile on Salesforce passwords so admins aren’t locked out if the web service is unavailable.

14
Q

In Identity Connect, what is the downside of choosing the Schedule Updates data sync option?

A) It reacts to changes as they occur

B) It makes many more API calls

C) None. You can schedule updates whenever

D) It compares all the data between AD and Salesforce

A

B) It makes many more API calls

15
Q

When should you disable Salesforce passwords?

A) Always

B) When Identity Connect is down

C) When you want to keep the Identity Connect login page behind the firewall

D) When you want to require users to use one set of credentials

E) C and D

A

D) When you want to require users to use one set of credentials

16
Q

When should Salesforce admins configure Integrated Windows Authentication?

A) When they have time

B) When they have IWA expertise available

C) When they use Identity Connect for user provisioning

D) As soon as possible

A

B) When they have IWA expertise available

17
Q

For which 6 common identity providers does Salesforce provide a simple way to set up an authentication provider? (Salesforce manages the third-party app for you, saving you time and effort.)

A
Facebook, GitHub, Google, LinkedIn, Salesforce and Twitter
18
Q

If an external authentication provider does not support the OpenID Connect protocol but does support OAuth or another authentication protocol, what does Salesforce provide so that you can create a custom authentication provider?

A

The abstract Apex class Auth.AuthProviderPluginClass. You extend it and implement its methods (getCustomMetadataType, initiate, handleCallback, getUserInfo and, for token renewal, refresh) to drive the provider’s login flow, and Salesforce then lists your class as a provider type on the Auth. Providers setup page.

19
Q

Suppose you want to set up single sign-on (SSO) using a LinkedIn authentication provider to enable login to Salesforce with LinkedIn credentials. On the Auth. Provider setup page, which fields should you leave blank to let Salesforce manage these values?

A

Consumer Key

Consumer Secret

Authorize Endpoint URL

Token Endpoint URL

User Info Endpoint URL

Default Scopes

20
Q

What are the two Auth.RegistrationHandler methods that Salesforce calls when an authentication provider (such as Facebook or Janrain) is used for single sign-on into Salesforce?

A

createUser (portalId, userData): called on a user’s first login through the provider; it returns the User record Salesforce should create (Apex signature: User createUser(Id portalId, Auth.UserData data))

updateUser (userId, portalId, userData): called on every later login to update the existing user from the provider’s data (Apex signature: void updateUser(Id userId, Id portalId, Auth.UserData data))

21
Q

How does My Domain work with single sign-on?

A

My Domain is required for setting up single sign-on. For inbound single sign-on requests, the subdomain enables deep linking directly to pages in the org. No changes are required for the identity provider.

Please note: if My Domain is not enabled, service provider-initiated (SP-initiated) SSO will not work.

22
Q

What are the 5 process steps that Salesforce uses to authenticate users with delegated authentication SSO?

A
  1. When a user tries to log in (or use the API), Salesforce validates the username and checks the user’s permissions and access settings.
  2. If the user has the “Is Single Sign-On Enabled” user permission, Salesforce doesn’t validate the password itself. Instead, it makes a web service call to your organization’s delegated authentication web service to validate the username and password.
  3. The call passes the username, password and source IP to your web service. The source IP is the address where the login request originated. You must create and deploy an implementation of the web service that Salesforce servers can reach (expose it over HTTPS only).
  4. Your web service implementation validates the passed information and returns either true or false.
  5. When the response is true, the login process continues; when false, the user gets an error message that the username and password combination is invalid.
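The service side of the exchange in these five steps (and of the three considerations in card 1), as an added Python example; this is not Salesforce’s code and not code from the original flashcards. It parses the SOAP Authenticate call, checks sourceIp against a corporate network, validates the credential with a constant-time comparison, and returns the boolean AuthenticateResult. The SOAP namespace and element names follow Salesforce’s published AuthenticationService.wsdl (check them against the copy you download from your org); the credential store, the allowed network 203.0.113.0/24, the sample request and every function name are constructed for illustration.

```python
"""Minimal handler for a Salesforce Delegated Authentication request.

Added example, not Salesforce's own code. SOAP namespace and element names
follow the published AuthenticationService.wsdl; the credential store,
allowed network, sample request and function names are constructed.
"""
import hashlib
import hmac
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH_NS = "urn:authentication.soap.sforce.com"  # from AuthenticationService.wsdl


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: username -> (salt, PBKDF2-SHA256 hash).
# A real service would verify against AD/LDAP or another identity store.
_SALT = b"constructed-static-salt"  # use a random per-user salt in practice
USERS = {
    "alice@universalcontainers.example": (_SALT, _pbkdf2("correct horse", _SALT)),
}

# Constructed: networks a login may originate from. Salesforce forwards the
# end user's address as sourceIp; this is a corporate-range policy check, not
# proof the call came from Salesforce (enforce that at the firewall/TLS layer).
ALLOWED_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_request(xml_bytes: bytes) -> tuple:
    """Extract (username, password, sourceIp) from the SOAP Authenticate call."""
    root = ET.fromstring(xml_bytes)
    auth = root.find(f".//{{{AUTH_NS}}}Authenticate")
    if auth is None:
        raise ValueError("not an Authenticate request")

    def field(name: str) -> str:
        el = auth.find(f"{{{AUTH_NS}}}{name}")
        return el.text if el is not None and el.text else ""

    return field("username"), field("password"), field("sourceIp")


def authenticate(username: str, password: str, source_ip: str) -> bool:
    """True only if the source IP is allowed AND the credential matches."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # Salesforce always sends an IP; anything else is rejected
    if not any(ip in net for net in ALLOWED_SOURCE_NETS):
        return False
    record = USERS.get(username)
    # Always run the hash so unknown users cost the same time as known ones.
    salt, expected = record if record else (_SALT, b"\x00" * 32)
    candidate = _pbkdf2(password, salt)
    return record is not None and hmac.compare_digest(candidate, expected)


def build_response(authenticated: bool) -> bytes:
    """Serialize the AuthenticateResult Salesforce expects (boolean Authenticated)."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    result = ET.SubElement(body, f"{{{AUTH_NS}}}AuthenticateResult")
    ET.SubElement(result, f"{{{AUTH_NS}}}Authenticated").text = (
        "true" if authenticated else "false"
    )
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def handle_delegated_auth(request_xml: bytes) -> bytes:
    """Whole round trip: parse -> validate -> SOAP response. Never log the password."""
    try:
        username, password, source_ip = parse_request(request_xml)
        ok = authenticate(username, password, source_ip)
    except (ET.ParseError, ValueError):
        ok = False  # malformed input is a failed login, not a server error
    return build_response(ok)


def response_says_authenticated(response_xml: bytes) -> bool:
    """Read the boolean back out of a response (what Salesforce does on its side)."""
    root = ET.fromstring(response_xml)
    el = root.find(f".//{{{AUTH_NS}}}Authenticated")
    return el is not None and el.text == "true"


# Constructed sample request in the shape Salesforce sends to the gateway URL.
SAMPLE_REQUEST = f"""<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:urn="{AUTH_NS}">
  <soapenv:Body>
    <urn:Authenticate>
      <urn:username>alice@universalcontainers.example</urn:username>
      <urn:password>correct horse</urn:password>
      <urn:sourceIp>203.0.113.7</urn:sourceIp>
    </urn:Authenticate>
  </soapenv:Body>
</soapenv:Envelope>""".encode()

if __name__ == "__main__":
    print(handle_delegated_auth(SAMPLE_REQUEST).decode())
```

Run the file to see the SOAP response; in deployment, put handle_delegated_auth behind a TLS-terminated HTTPS endpoint that only Salesforce’s IP ranges can reach, and configure that URL as the Delegated Gateway URL in the org’s Single Sign-On Settings. The password field is treated as opaque and never logged, since the value a user types there may be a one-time token rather than a password.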
23
Q

When a Salesforce organization is Single Sign On enabled using SAML, the organization plays the role of the Service Provider (SP). What type of certificate is allowed?

A) self-signed

B) root certificate authority (CA)

A

A) self-signed