Exam 1 + 2 Flashcards

1
Q

Question

A

Correct Answers

2
Q

Cosmic Electronics uses multiple identity providers (IdP) to authenticate Salesforce users. Users are required to go through Multi-Factor Authentication (MFA) before accessing Salesforce. Which of the following are valid considerations for using the ‘Authentication Method Reference’ (AMR) field in the login history to see which users log in with MFA from a particular identity provider?
Choose 2 answers.
- The AMR field is used to monitor how OpenID Connect providers authenticate users who log in to Salesforce.
- The authentication method is pulled from JSON strings in the token returned by the identity provider.
- The authentication method includes the HTTP method used for the session login.
- The World Wide Web Consortium (W3C) specification can be used as a reference.

A
  • The AMR field is used to monitor how OpenID Connect providers authenticate users who log in to Salesforce.
  • The authentication method is pulled from JSON strings in the token returned by the identity provider.
3
Q

Cosmic Data Solutions uses an Experience Cloud site that allows customers to access information about the company’s services. It would like to authenticate customers using Experience Cloud before they can make a purchase on the company’s main website. Which feature should an identity architect recommend for this requirement?
Choose 1 answer.
- Embedded Login
- Headless Identity APIs
- Self-Registration
- Delegated Authentication

A
  • Embedded Login
4
Q

Cosmic Enterprises utilizes a third-party cloud solution for an employee portal that only supports the OAuth protocol for user authentication. It would like employees to be able to log in to Salesforce with their third-party portal credentials for a seamless user experience. In addition, it is building a custom employee hub application on Amazon Web Services (AWS) that will store users’ credentials. The application users will also need to access Salesforce for certain internal operations. What mechanisms should an identity architect recommend to accept user authentication from the third-party portal and AWS?
Choose 2 answers.
- Configure an OpenID Connect Authentication Provider for AWS.
- Create a custom external authentication provider for the employee portal.
- Create a custom external authentication provider for AWS.
- Configure an OpenID Connect Authentication Provider for the employee portal.

A
  • Configure an OpenID Connect Authentication Provider for AWS.
  • Create a custom external authentication provider for the employee portal.
5
Q

Cosmic Data Solutions has set up SAML Single Sign-On (SSO) for Salesforce users using an external identity provider. A user has reported a ‘Signature Invalid’ error while logging in to Salesforce from the identity provider’s login page. Which of the following statements about this error are true?
Choose 2 answers.
- There is a problem with the SAML assertion issued by the identity provider.
- There is a problem with the SAML configuration in Salesforce.
- The uploaded certificate failed to validate the signature in the assertion.
- The issuer specified in the SAML configuration does not match the issuer in the assertion.

A
  • There is a problem with the SAML configuration in Salesforce.
  • The uploaded certificate failed to validate the signature in the assertion.
6
Q

Cosmic Innovation would like to enable self-registration for its business-to-consumer (B2C) portal that is built on Experience Cloud. Which steps are required to configure self-registration using person accounts for this use case?
Choose 3 answers.
- Enable person accounts in Salesforce Setup.
- Enable access to the person account record type.
- Leave the Account field empty on the Login & Registration page.
- Enable self-registration in Salesforce Setup.
- Set organization-wide sharing for contact records to Public Read/Write.

A
  • Enable person accounts in Salesforce Setup.
  • Enable access to the person account record type.
  • Leave the Account field empty on the Login & Registration page.
7
Q

Cosmic Financial Services needs to audit and verify user login activity using an out-of-the-box Salesforce feature to meet certain compliance requirements. Specifically, the company needs to monitor login attempts, track user authentication methods, and identify suspicious behavior or unauthorized access. Which feature should an identity architect recommend for this use case?
Choose 1 answer.
- Login History
- Custom Login Flow
- Event Monitoring
- Activations

A
  • Login History
8
Q

Cosmic Whole Foods is building an Experience Cloud site for its customers and considering purchasing External Identity licenses. Which of the following are the advantages of assigning an External Identity license to a user?
Choose 2 answers.
- The license provides access to several standard objects, such as Account, Contact, and Asset.
- The license allows a customer to access multiple apps with a single set of credentials.
- The license provides access to 100 custom objects and offers additional data storage.
- The license allows a customer to create and view cases in an Experience Cloud site.

A
  • The license provides access to several standard objects, such as Account, Contact, and Asset.
  • The license allows a customer to access multiple apps with a single set of credentials.
9
Q

A Salesforce development team at Cosmic Supermarket is building a business-to-business (B2B) collaboration site for the company’s platinum partners. Partners will authenticate with an existing identity provider using SAML Single Sign-On (SSO). Delegated Administration will allow the partner companies to administer their users’ access. What should an architect recommend to provision partner identities for this requirement?
Choose 1 answer.
- Create a user and a related contact record.
- Create only a user record.
- Create only a contact record.
- Create a person account.

A
  • Create a user and a related contact record.
10
Q

Cosmic Service Solutions has enabled My Domain and integrated Salesforce with an external identity provider. The company wants to ensure users can only use Single Sign-On (SSO) to log in to Salesforce. Which steps should an architect recommend to meet this requirement?
Choose 3 answers.
- Select “Prevent login from https://login.salesforce.com” on the My Domain page in Salesforce Setup.
- Assign the “Is Single Sign-On Enabled” permission to users who should use Single Sign-On to log in.
- Select “Disable login with Salesforce credentials” on the Single Sign-On Settings page in Salesforce Setup.
- Set up delegated authentication using a custom web service and a Lightweight Directory Access Protocol (LDAP).
- Enable the “Single Sign-On (SSO) Only” policy on the My Domain page in Salesforce Setup.

A
  • Select “Prevent login from https://login.salesforce.com” on the My Domain page in Salesforce Setup.
  • Assign the “Is Single Sign-On Enabled” permission to users who should use Single Sign-On to log in.
  • Select “Disable login with Salesforce credentials” on the Single Sign-On Settings page in Salesforce Setup.
11
Q

A Salesforce administrator is setting up SAML Single Sign-On (SSO) using an external identity provider. However, the login history shows intermittent ‘Replay Detected’ and ‘Assertion Invalid’ login errors during testing. Which of the following issues are most likely causing these errors?
Choose 2 answers.
- The <Subject> element is missing from the SAML assertion.
- Salesforce detected an assertion ID that was previously used.
- The <Subject> in the configuration doesn't match the <Subject> in the assertion.
- The uploaded certificate failed to validate the signature in the assertion.

A
  • The <Subject> element is missing from the SAML assertion.
  • Salesforce detected an assertion ID that was previously used.
12
Q

Cosmic Harmony is a digital music services provider that uses Active Directory (AD) as its corporate identity provider and Salesforce as its CRM. When a new employee logs in to Salesforce using SAML Single Sign-On (SSO), it would like to automatically create a new user record in Salesforce, assigning them to a profile that maps to their Active Directory department. Which method in the SAML JIT handler class should be used to meet this requirement?
Choose 1 answer.
- createUser
- updateUser
- insertUser
- upsertUser

A
  • createUser
13
Q

Cosmic Digital Solutions has an existing web application that is used for HR management. Users should be able to access the application from Salesforce without re-authentication. If required, the IT team can add new JavaScript code and/or libraries to the application. Which of the following should an identity architect recommend for this requirement?
Choose 1 answer.
- Canvas App and Signed Requests
- Connected App and OAuth 2.0 User-Agent Flow
- Custom Lightning Web Component
- Authentication Provider and App Launcher

A
  • Canvas App and Signed Requests
14
Q

A Salesforce administrator has been assigned to set up SAML Single Sign-On (SSO) using an external identity provider. The administrator has configured the SAML settings for SSO in Salesforce but needs assistance with Just-In-Time (JIT) provisioning of users. Users must be provisioned in Salesforce based on various custom fields defined on the User object. What should an identity architect recommend to configure JIT provisioning for this requirement?
Choose 3 answers.
- Enable user provisioning in the Single Sign-On (SSO) setting.
- Select the User Provisioning Type.
- Create a custom SAML JIT handler.
- Set up standard JIT provisioning.
- Create a connected app for the identity provider.

A
  • Enable user provisioning in the Single Sign-On (SSO) setting.
  • Select the User Provisioning Type.
  • Create a custom SAML JIT handler.
15
Q

Cosmic Electronics is building an Experience Cloud site for its partners and would like to enable self-registration for the site. The self-registration form should capture custom data elements from partner users. Based on the data provided by a partner, the partner should be assigned to an appropriate profile, and field values should be auto-populated on the partner account. Also, users should receive a different site experience based on the data provided during self-registration. What should the company’s Salesforce architect recommend to meet these requirements?
Choose 2 answers.
- Build a custom Visualforce page for self-registration and modify the CommunitiesSelfRegController to assign the profile and account field values.
- Use the Configurable Self-Reg Page for self-registration and create an Apex controller to assign the profile and account field values.
- Create page variations for site pages using specific Contact and User fields for dynamic site experiences.
- Create multiple site pages for different user profiles to implement dynamic site experiences.

A
  • Build a custom Visualforce page for self-registration and modify the CommunitiesSelfRegController to assign the profile and account field values.
  • Create page variations for site pages using specific Contact and User fields for dynamic site experiences.
16
Q

Cosmic Data Solutions (NDS) uses a SAML-based identity provider (IdP) to authenticate employees to multiple enterprise systems, such as an ERP system. The IdP authenticates them against a Lightweight Directory Access Protocol (LDAP) directory. Only a small percentage of employees require access to Salesforce. The company wants to ensure new employees have immediate access to Salesforce using the existing IdP. Which of the following should an identity architect recommend for this requirement?
Choose 1 answer.
- Just-In-Time (JIT) Provisioning
- Registration Handler
- Identity Connect
- SCIM (System for Cross-Domain Identity Management)

A
  • Just-In-Time (JIT) Provisioning
17
Q

A developer at Cosmic Electronics is building a custom web service that will allow secure access to product data stored in Salesforce. The web service will use a connected app and the OAuth 2.0 web server flow. Which of the following represents the correct sequence of steps in the OAuth flow?
Choose 1 answer.
- The web service requests an authorization code, the user authenticates and authorizes access, Salesforce grants an authorization code, the web service requests an access token, and Salesforce grants an access token.
- The web service requests an authorization code, Salesforce grants an authorization code, the web service requests an access token, the user authenticates and authorizes access, and Salesforce grants an access token.
- The web service requests an access token, the user authenticates and authorizes access, Salesforce grants an access token, the web service requests an authorization code, and Salesforce grants an authorization code.
- The web service requests an access token, Salesforce grants an access token, the web service requests an authorization code, the user authenticates and authorizes access, and Salesforce grants an authorization code.

A
  • The web service requests an authorization code, the user authenticates and authorizes access, Salesforce grants an authorization code, the web service requests an access token, and Salesforce grants an access token.
18
Q

Cosmic Software Solutions wants to use Salesforce as the identity provider for certain external applications, such as a project management tool. The Technology Director would like to use the App Launcher in Salesforce to control the applications available to individual users. What steps should an identity architect recommend to meet this requirement?
Choose 3 answers.
- Create a connected app for each external application.
- Specify the Start URL in each connected app to add it to the App Launcher.
- Set up Salesforce as a SAML identity provider (IdP).
- Create an authentication provider for each external application.
- Set up delegated authentication for the external applications.

A
  • Create a connected app for each external application.
  • Specify the Start URL in each connected app to add it to the App Launcher.
  • Set up Salesforce as a SAML identity provider (IdP).
19
Q

Cosmic Electronics employees use a custom helpdesk application to request and track access to various enterprise systems and cloud applications, including Salesforce. The company wants to provision Salesforce users as soon as they are approved in the helpdesk application. A new user should be automatically assigned to the appropriate profile, role, and permission sets. What solution should an identity architect recommend to meet this requirement?
Choose 1 answer.
- Build an integration based on SCIM (System for Cross-Domain Identity Management) and Salesforce REST API.
- Create a custom login flow that retrieves user information from the helpdesk application.
- Set up Salesforce Connect to integrate the user data in the helpdesk application with Salesforce.
- Configure JIT (Just-In-Time) Provisioning to automatically provision users.

A
  • Build an integration based on SCIM (System for Cross-Domain Identity Management) and Salesforce REST API.
20
Q

Cosmic Solutions is a multinational company with more than 30 sub-brands. It is building an Experience Cloud site for its customers. The brand experience must be different for each sub-brand, and each of these branded experiences must utilize a unique login experience, depending on which sub-brand a customer is logging into. What recommendations should an identity architect provide for implementing dynamic branding features for the site’s login process?
Choose 2 answers.
- To dynamically brand the login experience, each sub-brand must be assigned a unique Experience ID (expid).
- The login implementation must set the login URL according to the value of the Experience ID.
- The Experience ID should be specified as a placeholder parameter in Experience Builder settings.
- The expid query parameter can be set programmatically with the setExpId method of the System.Site class.

A
  • To dynamically brand the login experience, each sub-brand must be assigned a unique Experience ID (expid).
  • The login implementation must set the login URL according to the value of the Experience ID.
21
Q

Cosmic Footwear has built an Experience Cloud site for customers and partners. It is implementing a mobile-first Consumer Identity and Access Management (CIAM) solution for external users. The solution requires only user authentication. The user’s email or mobile phone number should be supported as a username. Which licenses should an identity architect recommend to meet this requirement?
Choose 1 answer.
- External Identity and Identity Only
- External Identity and Identity Verification Credits
- Identity Only and Identity Connect
- Identity Only and Identity Verification Credits

A
  • External Identity and Identity Verification Credits
22
Q

Cosmic Emporium is a major furniture manufacturer in the United States. The company is building a digital space using Experience Cloud to allow its B2B customers to design custom products. It would like to simplify the login process by allowing customers to use their social media credentials to register and access the digital space. It wants to implement social sign-on for Facebook, Twitter, Amazon, and a social media service that supports only the OAuth protocol. What recommendations should the company’s Salesforce architect make for this requirement?
Choose 3 answers.
- An OpenID Connect authentication provider should be configured for Amazon.
- A custom authentication provider should be created for the service that supports only the OAuth protocol.
- Apex coding skills are required for custom registration handlers to create and update users automatically.
- A declarative registration handler process can be implemented using a flow to create and update users and contacts.
- Authentication providers should be defined for each social media provider on the Login & Registration page of the Administration workspace.

A
  • An OpenID Connect authentication provider should be configured for Amazon.
  • A custom authentication provider should be created for the service that supports only the OAuth protocol.
  • Apex coding skills are required for custom registration handlers to create and update users automatically.
23
Q

Cosmic Data Solutions uses a SAML-based Lightweight Directory Access Protocol (LDAP) directory for user management. When a company’s employee is terminated, they are first disabled in the LDAP directory. Requests for user deactivations are then sent to various applications and systems. However, a terminated employee who was recently disabled in the LDAP directory was able to log in to Salesforce two days after termination. What should an architect recommend to prevent this from happening in the future?
Choose 2 answers.
- Configure an authentication provider for the LDAP directory.
- Define a SAML Single Sign-On Setting for the LDAP directory in Salesforce.
- Disable Login Form authentication on the My Domain page in Setup.
- Define a custom login flow that executes a callout during login.

A
  • Define a SAML Single Sign-On Setting for the LDAP directory in Salesforce.
  • Disable Login Form authentication on the My Domain page in Setup.
24
Q

Cosmic Electronics has set up an Experience Cloud site that allows customers to access order data. The company would like to enable them to log in with their Facebook or LinkedIn credentials. What should an identity architect recommend for this requirement?
Choose 1 answer.
- Set up Salesforce as a service provider by configuring predefined authentication providers for Facebook and LinkedIn.
- Configure Facebook and LinkedIn as service providers and set up Salesforce as the identity provider.
- Configure Facebook and LinkedIn as both identity and service providers.
- Set up Facebook and LinkedIn as service providers and Active Directory (AD) as the identity provider.

A
  • Set up Salesforce as a service provider by configuring predefined authentication providers for Facebook and LinkedIn.
25
Q

Cosmic Solutions has integrated Google Workspace with Salesforce by defining a connected app. It would like to implement automation to enable, disable, freeze, suspend, and reactivate existing users in Google Workspace based on similar actions in Salesforce. Users should be automatically provisioned via a service endpoint before they can access Google Workspace tools from Salesforce. What should be recommended to meet this requirement?
Choose 1 answer.
- Configure User Provisioning for the connected app.
- Create a SAML JIT (Just-In-Time) handler class.
- Define an Apex trigger on the UserLogin object.
- Use Apex callouts to perform the required actions.

A
  • Configure User Provisioning for the connected app.