Salesforce as an Identity Provider (23%)

Question 1

What are the 5 OAuth token types?

Answer 1

• Authorization code
• Initial access token
• Access token
• Refresh token
• ID token

Question 2

Select which token type the description is for:

The authorization server creates this short-lived token and passes it to the client application via the browser. The client application then sends this token to the authorization server

A) Authorization code

B) Initial access token

C) Access token

D) Refresh token

E) ID token

Answer 2

A) Authorization code

Question 3

Select which token type the description is for:

This token is generated after configuring an OAuth 2.0 connected app. Salesforce requires this token to authenticate the dynamic client registration request

A) Authorization code

B) Initial access token

C) Access token

D) Refresh token

E) ID token

Answer 3

B) Initial access token

Question 4

Select which token type the description is for:

The client uses this token to make authenticated requests on behalf of the end user. It has a longer lifetime (usually minutes or hours). When it expires, attempts to use it fail and the app must obtain a new token.

A) Authorization code

B) Initial access token

C) Access token

D) Refresh token

E) ID token

Answer 4

C) Access token

Question 5

Select which token type the description is for:

This token can have an indefinite lifetime, persisting for an admin-configured interval or until explicitly revoked. The client application can store the token. For this reason, the app must protect a this token against unauthorized access.

A) Authorization code

B) Initial access token

C) Access token

D) Refresh token

E) ID token

Answer 5

D) Refresh token

Question 6

Select which token type the description is for:

OpenID Connect, an authentication layer on top of OAuth 2.0, defines this token as a signed data structure. The data structure contains authenticated user attributes, including a unique identifier for the user. It also contains the time when the token was issued, and an identifier for the requesting client. This token is encoded as a JSON web token (JWT).

A) Authorization code

B) Initial access token

C) Access token

D) Refresh token

E) ID token

Answer 6

E) ID token

Question 7

Name the 8 Authentication Flows

Answer 7

• Web Server
• User-Agent
• JWT Bearer Token Flow
• Device Authentication Flow
• Asset Token Flow
• SAML Bearer Assertion Flow
• SAML Assertion Flow
• Username and Password

Question 8

Which authentication flow should be used for the following use case?

Apps hosted on a secure server. A critical aspect of this flow is the protection of the client secret. It uses an OAuth 2.0 authorization code grant type

A) Web Server

B) User-Agent

C) JWT Bearer Token Flow

D) Device Authentication Flow

E) Asset Token Flow

F) SAML Bearer Assertion Flow

G) SAML Assertion Flow

H) Username and Password

Answer 8

A) Web Server

Question 9

Which authentication flow should be used for the following use case?

Users can authorize a desktop or mobile application to access data using an external or embedded browser for authentication. These apps often use a scripting language, such as JavaScript, running within the browser. This flow uses the OAuth2.0 implicit grant type

A) Web Server

B) User-Agent

C) JWT Bearer Token Flow

D) Device Authentication Flow

E) Asset Token Flow

F) SAML Bearer Assertion Flow

G) SAML Assertion Flow

H) Username and Password

Answer 9

B) User-Agent

Question 10

Which authentication flow should be used for the following use case?

Server-to-server API integration. The flow uses a certificate to sign the request and doesn’t require explicit user interaction

A) Web Server

B) User-Agent

C) JWT Bearer Token Flow

D) Device Authentication Flow

E) Asset Token Flow

F) SAML Bearer Assertion Flow

G) SAML Assertion Flow

H) Username and Password

Answer 10

C) JWT Bearer Token Flow

Question 11

Which authentication flow should be used for the following use case?

Command-line apps or applications that run on devices with limited input and display capabilities, such as TVs, application and other IOT devices, can use this flow.

A) Web Server

B) User-Agent

C) JWT Bearer Token Flow

D) Device Authentication Flow

E) Asset Token Flow

F) SAML Bearer Assertion Flow

G) SAML Assertion Flow

H) Username and Password

Answer 11

D) Device Authentication Flow

Question 12

Which authentication flow should be used for the following use case?

Client applications use this flow to request a token from Salesforce for connected devices.

A) Web Server

B) User-Agent

C) JWT Bearer Token Flow

D) Device Authentication Flow

E) Asset Token Flow

F) SAML Bearer Assertion Flow

G) SAML Assertion Flow

H) Username and Password

Answer 12

E) Asset Token Flow

Question 13

Which authentication flow should be used for the following use case?

An app can reuse an existing authorization.

A) Web Server

B) User-Agent

C) JWT Bearer Token Flow

D) Device Authentication Flow

E) Asset Token Flow

F) SAML Bearer Assertion Flow

G) SAML Assertion Flow

H) Username and Password

Answer 13

F) SAML Bearer Assertion Flow

Question 14

Which authentication flow should be used for the following use case?

An alternate flow for orgs to access Salesforce in a specific way and also want to access the web services API in the same way.

A) Web Server

B) User-Agent

C) JWT Bearer Token Flow

D) Device Authentication Flow

E) Asset Token Flow

F) SAML Bearer Assertion Flow

G) SAML Assertion Flow

H) Username and Password

Answer 14

G) SAML Assertion Flow

Question 15

Which authentication flow should be used for the following use case?

Used primarily for testing when a user is not present at app startup, or with highly privileged apps.

A) Web Server

B) User-Agent

C) JWT Bearer Token Flow

D) Device Authentication Flow

E) Asset Token Flow

F) SAML Bearer Assertion Flow

G) SAML Assertion Flow

H) Username and Password

Answer 15

H) Username and Password

Question 16

What is the Identity URL?

Answer 16

It is a RESTful API that you can use to query user information, including the username, email address, and org ID. It also returns endpoints that the client can talk to, such as photos for profiles and accessible API endpoints

The URL is returned in the id scope parameter

Question 17

Which flow does not require a connected app to be created?

A) Web Server

B) User-Agent

C) JWT Bearer Token Flow

D) Device Authentication Flow

E) Asset Token Flow

F) SAML Bearer Assertion Flow

G) SAML Assertion Flow

Answer 17

G) SAML Assertion Flow

Question 18

What are the 7 steps for the OAuth 1.0.A Authentication Flow?

Answer 18

1. The consumer requests an access token. Salesforce verifies the request and returns a request token.
2. The consumer redirects the user to Salesforce, where the user is prompted to log in.
3. Salesforce authorizes the user.
4. After the user is authorized, the consumer requests an access token.
5. Salesforce verifies the request and grants the token.
6. After the token is granted, the consumer accesses the data either through the app or through the Lightning Platform Web Services API.
7. Salesforce verifies the request and allows access to the data.

Question 19

What are the 6 steps for the OAuth 2.0 SAML Bearer Assertion Flow?

Answer 19

1. The developer creates a connected app and registers an X509 Certificate. This certificate corresponds to the private key of the app. When the connected app is saved, a consumer key (OAuth client_id) is generated and assigned to the app.
2. The developer writes an app that generates a SAML assertion and signs it with the private key.
3. The SAML Bearer assertion is posted to the token endpoint https://login.salesforce.com/services/oauth2/token, https://test.salesforce.com/services/oauth2/token, or https://your_community_URL/services/oauth2/token (if implementing for a community).
4. The token endpoint validates the signature using the certificate registered by the developer.
5. The token endpoint validates the audience, issuer, subject, and validity of the assertion.
6. Assuming that the assertion is valid and that the user or admin authorized the app previously, Salesforce issues an access token.

Question 20

What are the 6 general steps for the OAuth 2.0 JWT bearer token flow?

Answer 20

1. The developer creates a connected app or uses an existing one, and registers an X509 Certificate for the app. The certificate corresponds to the private key of the app. When the connected app is saved, the consumer key (OAuth client_id) and consumer secret are generated and assigned to the app.
2. The developer writes an app that generates a JWT. The JWT is signed with the X509 Certificate’s private key, and the connected app uses the certificate to verify the signature.
3. The JWT is posted to the token endpoint, https://login.salesforce.com/services/oauth2/token, or if implementing for a community, https://community.force.com/customers/services/oauth2/token.
4. The token endpoint validates the signature using the certificate registered by the developer.
5. The token endpoint validates the JWT’s audience (aud), issuer (iss), validity (exp), and subject (sub).
6. Assuming that the JWT is valid and that the user or admin authorized the app previously, Salesforce issues an access token.

Question 21

What are the two steps for the refresh token authentication flow?

Answer 21

1. The consumer uses the existing refresh token to request a new access token.
2. After the request is verified, Salesforce sends a response to the client.

Question 22

What are the 5 steps for the OAuth 2.0 Web Server Authentication Flow?

Answer 22

1. The web server redirects the user to Salesforce, which authenticates and authorizes the server to access the data on the user’s behalf.
2. After the user approves access, the web server receives a callback with an authorization code.
3. The web server passes back the authorization code to get a token response.
4. After validating the authorization code, Salesforce passes back a token response. If there’s no error, the token response includes an access code and additional information.
5. After the token is granted, the web server accesses the user’s data.

Question 23

What are the two steps for the OAuth2.0 Username-Password Flow (and what are two important facts you need to know about this flow?

Answer 23

1. The consumer uses the user’s username and password to request an access token (session ID.)
2. After the request is verified, Salesforce sends a response to the client.

Facts:
1. This OAuth authentication flow passes the user’s credentials back and forth. Use this authentication flow only when necessary. No refresh token is issued

2. Salesforce communities don’t support the OAuth 2.0 username-password authentication flow

Question 24

In the OAuth 2.0 User-Agent Flow the access token is encoded into the redirection URL, so it can be exposed to the user and other apps residing on the device. If you’re using Javascript to authenticate, what should you call to remove the callback from the browser’s history?

Answer 24

window.location.replace();

Question 25

What are the 3 steps in the OAuth2.0 User-Agent Flow?

Answer 25

1. The client app directs the user to Salesforce to authenticate and authorize the app.
2. The user approves access for this authentication flow.
3. The app receives the callback from Salesforce.

Question 26

What are the 7 steps in the OAuth2.0 Device Authentication Flow?

Answer 26

1. The device requests authorization from Salesforce.
2. Salesforce verifies the request and returns the following: human-readable user code, verification URL, device code, and minimum polling interval (in seconds).
3. The device displays the user code and instructs the user to enter it at the specified verification URL.
4. On a separate device that has more developed input capabilities, such as a desktop computer or smartphone, the user opens a browser.
   - The user navigates to the verification URL and is prompted to enter the user code.
   - If the code is valid, the user is prompted to log in if not already logged in.
   - After successful login, the user is prompted to allow the device to access Salesforce data.
5. After displaying the user code and verification URL, the device starts polling the token endpoint for authorization. Polling frequency can’t exceed the minimum polling interval. The device continues polling until the user has allowed (or been denied) access, or until the user code has expired.
6. If allowed, the authorization server returns to the device an access token, a refresh token if requested, and other information.
7. After the access token is granted, the device can use it in API requests to access data on the user’s behalf. The device uses a refresh token to get a new access token if the access token becomes invalid.

Question 27

What are the 5 general OAuth 2.0 Asset Token Flow steps?

Answer 27

1. Create a new connected app or use an existing one that has asset tokens enabled and required settings configured.
2. Get an access token so that you can request an asset token.
3. Create your asset token request.
   - Create your actor token payload JWT.
   - Understand how Salesforce attempts to register a new or existing Asset using information from the actor token.
   - Create your actor token JWT.
4. Post your asset token request to the token endpoint.
5. If the asset token JWT is valid, Salesforce issues your asset token in an access token response and publishes an asset token event.

Question 28

What are the 4 steps for the OAuth 2.0 SAML Assertion Flow?

Answer 28

1. Configure SAML for your org. SAML version 2.0 is required.
2. Exchange a SAML assertion for an access token.
3. Salesforce sends the response.
4. Use a JSON parser to process the response and extract the access_token.

Question 29

Which of the following flows isn’t supported for communities? (Choose 2)

A) Web Server

B) User-Agent

C) JWT Bearer Token Flow

D) Device Authentication Flow

E) Asset Token Flow

F) SAML Bearer Assertion Flow

G) SAML Assertion Flow

H) Username and Password

Answer 29

G) SAML Assertion Flow

H) Username and Password

Question 30

What is the scope parameter in OAuth 2.0?

Answer 30

The scope parameter fine-tunes the permissions associated with the tokens that you’re requesting. Scope is a subset of values that you specified when defining the connected app.

Question 31

Name the 9 Scope parameter values in OAuth 2.0

Answer 31

• api
• chatter_api
• custom_permissions
• full
• id
• openid
• refresh_token
• visualforce
• web

Question 32

What is the description for the api scope parameter in OAuth 2.0

Answer 32

Allows access to the current, logged-in user’s account using APIs, such as REST API and Bulk API. This value also includes chatter_api, which allows access to Chatter REST API resources.

Question 33

What is the description for the chatter_api scope parameter in OAuth 2.0

Answer 33

Allows access to Chatter REST API resources only.

Question 34

What is the description for the custom_permissions scope parameter in OAuth 2.0

Answer 34

Allows access to the custom permissions in an organization associated with the connected app, and shows whether the current user has each permission enabled.

Question 35

What is the description for the full scope parameter in OAuth 2.0

Answer 35

Allows access to all data accessible by the logged-in user, and encompasses all other scopes. full does not return a refresh token. You must explicitly request the refresh_token scope to get a refresh token.

Question 36

What is the description for the id scope parameter in OAuth 2.0

Answer 36

Allows access to the identity URL service. You can request profile, email, address, or phone, individually to get the same result as using id; they are all synonymous.

Question 37

What is the description for the openid scope parameter in OAuth 2.0

Answer 37

Allows access to the current, logged in user’s unique identifier for OpenID Connect apps.

Use the openid scope in the OAuth 2.0 user-agent flow and the OAuth 2.0 web server authentication flow to receive a signed ID token conforming to the OpenID Connect specifications in addition to the access token.

Question 38

What is the description for the refresh_token scope parameter in OAuth 2.0

Answer 38

Allows a refresh token to be returned when you are eligible to receive one. Then the app can interact with the user’s data while the user is offline, and is synonymous with requesting offline_access.

Question 39

What is the description for the visualforce scope parameter in OAuth 2.0

Answer 39

Allows access to customer-created Visualforce pages. Doesn’t allow access to standard Salesforce UIs.

Question 40

What is the description for the web scope parameter in OAuth 2.0

Answer 40

Allows the ability to use the access_token on the web, and includes visualforce, allowing access to customer-created Visualforce pages.

Question 41

Which three attributes can be used to represent the identity of the user when Salesforce is acting as a Service Provider in a SAML configuration?

Choose three answers.

A) Salesforce User ID.

B) Salesforce Username.

C) Federation ID.

D) User Email Address.

E) User Full Name.

Answer 41

A) Salesforce User ID.

B) Salesforce Username.

C) Federation ID.

Question 42

Universal Containers (UC) has multiple Salesforce orgs and would like to use a single Identity Provider to access all of their orgs.

How should UC’s Architect enable this behaviour?

Choose one answer.

A) Ensure that users have the same Alias value in their user records in all of UC’s Salesforce orgs.

B) Ensure the same username is allowed in multiple orgs by contacting Salesforce Support.

C) Ensure that users have the same Email Address in their user records in all of UC’s Salesforce orgs.

D) Ensure that users have the same Federation ID value in their User records in all of UC’s Salesforce orgs.

Answer 42

D) Ensure that users have the same Federation ID value in their User records in all of UC’s Salesforce orgs.

Question 43

Universal Containers uses middleware to integrate multiple systems with Salesforce. UC has a strict, new requirement that usernames and passwords cannot be stored in any UC system. How can UC’s middleware authenticate to Salesforce while adhering to this requirement?

A) Create a Connected App that supports the JWT Bearer Token OAuth Flow.

B) Create a Connected App that supports the Refresh Token OAuth Flow.

C) Create a Connected App that supports the Web Server OAuth Flow.

D) Create a Connected App that supports the User-Agent OAuth Flow.

Answer 43

A) Create a Connected App that supports the JWT Bearer Token OAuth Flow.

Why? JWT Bearer Token OAuth Flow is the scenario that best supports this requirement

Question 44

Universal containers (UC) wants to integrate a Web application with Salesforce. The UC team has implemented the Oauth web-server authentication flow for authentication process. Which two considerations should an architect point out to UC?

Choose two answers.

A) The web application should be hosted on a secure server.

B) The web server must be able to protect consumer privacy.

C) The flow involves passing the user credentials back and forth.

D) The flow will not provide an Oauth refresh token back to the server.

Answer 44

A) The web application should be hosted on a secure server.

B) The web server must be able to protect consumer privacy.

Question 45

Universal Containers (UC) has a mobile application that it wants to deploy to all of its Salesforce users, including customer Community users. UC would like to minimize the administration overhead.

Which two items should an architect recommend?

Choose two answers.

A) Enable the “Refresh Tokens is valid until revoked” setting in the Connected App.

B) Enable the “All users may self-authorize” setting in the Connected App.

C) Enable the “Enforce IP restrictions” settings in the Connected App.

D) Enable the “High Assurance session required” setting in the Connected App.

Answer 45

A) Enable the “Refresh Tokens is valid until revoked” setting in the Connected App.

B) Enable the “All users may self-authorize” setting in the Connected App.

Question 46

What does JWT stand for and what does it consist out of?

Answer 46

JSON Web Token

It consist of three parts separated by dots:

• Header
• Payload
• Signature

ex: xxxxx.yyyyy.zzzzz

Question 47

What are the two authentication methods that can be used for canvas apps?

Answer 47

• Signed request (default method)

- OAuth 2.0

Question 48

What are the two OAuth 2.0 authorization flow options for canvas apps?

Answer 48

• Web Server OAuth Authentication Flow

- User-Agent OAuth Authentication Flow

Question 49

Scenario: UC has set up a photo-sharing web site as the resource server and a print service, which as a client application, has both a desktop client as well as a web-based application client through a third-party hosted web site.

What needs to be configured on the Salesforce org in order for the external application to integrate with Salesforce APIs? Is this configuration for outbound/inbound or bi-directional scenario?

Answer 49

• A connected app needs to be configured in the Salesforce org
• A connected app is only for an inbound scenario from an external application into Salesforce

Question 50

Scenario: UC has set up a photo-sharing web site as the resource server and a print service, which as a client application, has both a desktop client as well as a web-based application client through a third-party hosted web site.

UC wants to provide read-only access to some subset of photos for only a limited amount of time, after which the authorization becomes invalid.

How do we ensure access is only given for a limited period of time for the application?

Answer 50

Configure the Refresh Token Policy setting under the OAuth Policy for the Connected App

Question 51

Scenario: UC has set up a photo-sharing web site as the resource server and a print service, which as a client application, has both a desktop client as well as a web-based application client through a third-party hosted web site.

UC wants to provide read-only access to some subset of photos for only a limited amount of time, after which the authorization becomes invalid.

How do we allow Universal Containers to revoke access if they decide they no longer wish the client to have access?

Answer 51

Use the Revoke action on the user row in the Connected Apps Usage page to revoke access to the valid token. Any third party with the device will now need to authenticate again in order to get access with a new access/refresh token

Question 52

Scenario: UC has set up a photo-sharing web site as the resource server and a print service, which as a client application, has both a desktop client as well as a web-based application client through a third-party hosted web site.

Access between the client applications and the resource server should be seamless.

Do we need to pass and store user credentials on the client application to achieve the seamless access requirement?

Answer 52

No. Both the OAuth Web Server Flow and User Server Flow provide access to the application through the use and exchange of tokens. No user credentials are stored on the client application

Question 53

Scenario: UC has set up a photo-sharing web site as the resource server and a print service, which as a client application, has both a desktop client as well as a web-based application client through a third-party hosted web site.

Access between the client applications and the resource server should be seamless.

Can we use SAML only for single sign-on scenarios for the desktop client application in Salesforce? If not, why?

Answer 53

No. SAML is a browser-based protocol and requires a browser to facilitate the exchange of SAML tokens in order for the authentication to take place.

Question 54

Why is the My Domain configuration required for an SP Initiated SAML Flow when you want seamless access across two Salesforce orgs?

Answer 54

By configuring a My domain, admins enable the Force.com platform to recognize the org for which unauthenticated requests are intended, and perform customized behavior, such as redirecting to their Identity Provider through the retrieval of the Single Sign-On settings configuration of the Service Provider org.

This would not have been possible if the login was done through a URL at login.salesforce.com as the application will only know which org you are trying to log in to only after the authentication happens.

Question 55

How do you simulate an IDP-initiated flow in the configuration setup when you want seamless access across two Salesforce orgs?

Answer 55

From the IdP Salesforce org, click on a link to a resource that is hosted in the SP Provider Salesforce org. The user should not be prompted for any login to the SP Provider org

Question 56

How do you simulate an SP initiated flow in the configuration setup when you want seamless access across two Salesforce orgs?

Answer 56

Access the SP Salesforce org through its MyDomain URL. If there is no valid authentication session, the browser will redirect the user to the IdP to enter their credentials for authentication

Question 57

What is the role of the browser in the flow when you want seamless access across two Salesforce orgs?

Answer 57

The browser is used to facilitate the exchange of SAML tokens between the SP and the IdP

Question 58

How do we ensure that the browser knows how to redirect to the original requested resource when you want seamless access across two Salesforce orgs?

Answer 58

This is achieved through the use of the RelayState parameter, which is passed via the browser as part of the SAML token exchange

Question 59

What are the 5 parameters for an OAuth access token request?

Answer 59

• Code
• Grant_type
• Client_id
• Client_Secret
• Redirect_uri

ex: https://login.salesforce.com/services/oauth2/token?code=<code>&amp;grant_type=&amp;client_id=&amp;client_secret=&amp;redirect_uri=';
</code>

Question 60

True or false: OAuth 2.0 APIs enable a user to work in one app but see the data from another

A) True

B) False

Answer 60

A) True

Question 61

You’re creating a connected app that allows a Smart TV to display a customer’s movie order history. Which OAuth 2.0 authentication flow would you use for the connected app?

A) OAuth 2.0 web server authorization code flow

B) OAuth 2.0 device authentication flow

C) OAuth 2.0 JSON Web Token Exchange (JWT) bearer flow

D) OAuth 2.0 user-agent flow

Answer 61

B) OAuth 2.0 device authentication flow

Question 62

True or false: You can integrate identity providers with Salesforce using connected apps

A) True

B) False

Answer 62

B) False

Question 63

How is OpenID Connect different from SAML?

A) You can’t use OpenID connect to enable SSO between two services

B) You can only use OpenID Connect to enable SSO between two services

C) OpenID Connect is built for today’s API economy because it adds an authentication layour on top of OAuth 2.0

D) B and C

Answer 63

C) OpenID Connect is built for today’s API economy because it adds an authentication layour on top of OAuth 2.0

Question 64

True or false: Dynamic client registration enables resource servers to dynamically create client apps as connected apps

Answer 64

True

Question 65

What role does your Salesforce org play in providing authorization for external API gateways?

A) My Salesforce org requests the creation of client apps as connected apps from the external API gateway

B) My Salesforce org hosts the protected data

C) My Salesforce org is the OAuth authorization server that protects resources hosted on an external API gateway

D) My Salesforce org asks the external API gateway to authenticate a client app

Answer 65

C) My Salesforce org is the OAuth authorization server that protects resources hosted on an external API gateway

Question 66

When enabling Salesforce as an identity provider, what type of certificate is required?

Answer 66

A Salesforce certificate and key pair that’s signed by an external certificate authority (CA-Signed) or self-signed.

Question 67

Describe what the Canvas App User Flow - Signed Request is

Answer 67

It is the default authorization method for canvas apps. The signed request authorization flow varies depending on whether the canvas app’s Permitted Users field is set to “Admin approved users are pre-authorized” or “All users my self-authorize”

Question 68

Describe what the Canvas App User Flow -OAuth is?

Answer 68

Canvas supports OAuth 2.0 for authorization. When using OAuth, you have two options:
- Web Server OAuth Authentication Flow

• User-Agent OAuth Authentication Flow

Question 69

Which two flows uses digital signatures?

A) Web Server

B) User-Agent

C) JWT Bearer Token Flow

D) Device Authentication Flow

E) Asset Token Flow

F) SAML Bearer Assertion Flow

G) SAML Assertion Flow

H) Username and Password

Answer 69

C) JWT Bearer Token Flow

F) SAML Bearer Assertion Flow

Question 70

What is one of the most secure OAuth Scope settings?

A) api

B) chatter_api

C) custom_permissions

D) full

E) id

F) openid

G) refresh_token

H) visualforce

I) web

Answer 70

C) custom_permissions

Question 71

When sending outbound messages, delegated authentication requests or Apex callouts to secure/SSL endpoints, the Salesforce org will require which type of license?

A) self-signed

B) root certificate authority (CA)

Answer 71

B) root certificate authority (CA)

Salesforce acts as the client, and the target host acts as the server