DumpsCafe Salesforce-Identity-and-Access-Management-Architect Exam Dumps



Web: www.dumpscafe.com

Email: support@dumpscafe.com

IMPORTANT NOTICE

Feedback

We have developed a quality product and state-of-the-art service to protect our customers' interests. If you have any suggestions, please feel free to contact us at feedback@dumpscafe.com

Support

If you have any questions about our product, please contact us at support@dumpscafe.com and provide the following items: the exam code, a screenshot of the question, and your login id/email. Our technical experts will provide support within 24 hours.

Copyright

The product of each order has its own encryption code, so you should use it independently. Any unauthorized changes will inflict legal punishment. We reserve the right of final explanation for this statement.

Question #:1

A technology enterprise is planning to implement single sign-on login for users. When users log in to the Salesforce User object custom field, data should be populated for new and existing users.

Which two steps should an identity architect recommend?

Choose 2 answers

A. Implement Auth.SamlJitHandler Interface.

B. Create and update methods.

C. Implement RegistrationHandler Interface.

D. Implement SessionManagement Class.

Answer: A B

Explanation

To populate data for new and existing users in the Salesforce User object custom field when they log in using SSO, the identity architect should implement the Auth.SamlJitHandler interface and create and update methods. The Auth.SamlJitHandler interface is an interface that defines how to handle SAML assertions for Just-in-Time (JIT) provisioning. JIT provisioning is a feature that allows Salesforce to create or update user records on the fly when users log in through an external identity provider. The create and update methods are methods in the Auth.SamlJitHandler interface that define how to create or update users in Salesforce based on the information from the SAML assertion. References: Auth.SamlJitHandler Interface, Just-in-Time Provisioning for SAML and OpenID Connect

Question #:2

Universal Containers (UC) has implemented a multi-org architecture in their company. Many users have licences across multiple orgs, and they are complaining about remembering which org and credentials are tied to which business process.

Which two recommendations should the Architect make to address the complaints?

Choose 2 answers

A. Activate My Domain to brand each org to the specific business use case.

B. Implement SP-Initiated Single Sign-on flows to allow deep linking.

C. Implement IdP-Initiated Single Sign-on flows to allow deep linking.

D. Implement Delegated Authentication from each org to the LDAP provider.

Answer: A B

Explanation

Activating My Domain allows each org to have a unique domain name that can be branded to the specific business use case. This can help users identify which org they are logging into and avoid confusion. Implementing SP-Initiated Single Sign-on flows enables users to start from a service provider (such as Salesforce) and be redirected to an identity provider (such as Active Directory) for authentication. This can also allow deep linking, which means users can access specific resources within the service provider after logging in. These two recommendations can address the complaints of the users who have licenses across multiple orgs.

Question #:3

Universal Containers (UC) has a Customer Community that uses Facebook for authentication. UC would like to ensure that changes in the Facebook profile are reflected on the appropriate Customer Community user. How can this requirement be met?

A. Use SAML Just-In-Time Provisioning between Facebook and Salesforce.

B. Use information in the Signed Request that is received from Facebook.

C. Develop a scheduled job that calls out to Facebook on a nightly basis.

D. Use the updateUser() method on the Registration Handler class.

Answer: D

Explanation

The updateUser() method on the Registration Handler class is used to update the Salesforce user record with information from the Facebook profile, such as name, email, and photo. This method is invoked every time a user logs in to Salesforce using Facebook credentials. The other options are not suitable for this requirement because:

SAML Just-In-Time Provisioning is used to create or update users in Salesforce based on SAML assertions from an identity provider. Facebook does not support SAML as an identity provider.

The Signed Request is a parameter that contains information about the user who is logging in to Salesforce via Facebook. It does not contain the user's profile information, such as name, email, or photo.

A scheduled job that calls out to Facebook on a nightly basis would not reflect the changes in the Facebook profile in real time, as the requirement states. It would also require storing the user's Facebook access token and making API calls to Facebook, which could be inefficient and insecure.

References: Set Up Social Sign-On, Configure a Facebook Authentication Provider, SAML Just-in-Time Provisioning, [Facebook as a SAML Identity Provider], [Facebook Login for Apps - Signed Request], [Facebook Login for Apps - Access Tokens], [Facebook Graph API - User]

Question #:4

Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Access Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee recently was able to log in to NTO's Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory.

What should an identity architect recommend to prevent this from happening in the future?

A. Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP.

B. Configure an authentication provider to delegate authentication to the LDAP directory.

C. Use a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce.

D. Set up an identity provider (IdP) to authenticate users using LDAP, set up single sign-on to Salesforce and disable Login Form authentication.

Answer: B

Explanation

Login History allows administrators to view the login attempts of all users in the org, including the status, source IP, login type, and application. This can help identify and troubleshoot any login errors or issues. References: Login History

Question #:5

Universal Containers (UC) is both a Salesforce and Google Apps customer. The UC IT team would like to manage the users for both systems in a single place to reduce administrative burden.

Which two optimal ways can the IT team provision users and allow Single Sign-on between Salesforce and Google Apps?

Choose 2 answers

A. Build a custom app running on Heroku as the Identity Provider that can sync user information between Salesforce and Google Apps.

B. Use a third-party product as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.

C. Use Identity Connect as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.

D. Use Salesforce as the Identity Provider and Google Apps as a Service Provider and configure User Provisioning for Connected Apps.

Answer: B D

Explanation

B is correct because a third-party product can act as an Identity Provider (IdP) for both Salesforce and Google Apps and manage the user provisioning from a single place [1][2]. This reduces the administrative burden and provides a consistent user experience.

D is correct because Salesforce can act as an IdP and Google Apps can act as a Service Provider (SP) and they can use SAML or OpenID Connect for Single Sign-on (SSO) [3][4]. Salesforce also supports User Provisioning for Connected Apps, which allows the creation, update, and deactivation of users in Google Apps based on changes in Salesforce.

A is incorrect because building a custom app on Heroku as an IdP is not an optimal way to provision users and allow SSO. It would require more development and maintenance effort than using a third-party product or Salesforce as an IdP.

C is incorrect because Identity Connect is a tool that synchronizes users between Active Directory and Salesforce. It does not support Google Apps as a target system for user provisioning or SSO.

References: 1: Architect Journey: Identity and Access Management Trailmix - Trailhead; 2: Free Salesforce Identity-and-Access-Management-Architect Questions …; 3: [Single Sign-On Implementation Guide Developer Documentation]; 4: [Social Single Sign-On with OpenID Connect Salesforce Developer YouTube]; [Authorize Apps with OAuth Trailblazer Community Documentation]; Identity Connect Implementation Guide Developer Documentation

Question #:6

Universal Containers (UC) wants to integrate a third-party Reward Calculation system with Salesforce to calculate Rewards. Rewards will be calculated on a scheduled basis and updated back into Salesforce. The integration between Salesforce and the Reward Calculation System needs to be secure.

Which are two recommended practices for using OAuth flow in this scenario?

Choose 2 answers

A. OAuth Refresh Token Flow

B. OAuth Username-Password Flow

C. OAuth SAML Bearer Assertion Flow

D. OAuth JWT Bearer Token Flow

Answer: C D

Explanation

OAuth is an open-standard protocol that allows a client app to access protected resources on a resource server, such as the Salesforce API, by obtaining an access token from an authorization server. OAuth supports different types of flows, which are ways of obtaining an access token. For integrating a third-party Reward Calculation system with Salesforce securely, two recommended practices for using OAuth flow are:

OAuth SAML Bearer Assertion Flow, which allows the client app to use a SAML assertion issued by a trusted identity provider to request an access token from Salesforce. This flow does not require the client app to store any credentials or secrets, and leverages the existing SSO infrastructure between Salesforce and the identity provider.

OAuth JWT Bearer Token Flow, which allows the client app to use a JSON Web Token (JWT) signed by a private key to request an access token from Salesforce. This flow does not require any user interaction or consent, and uses a certificate to verify the identity of the client app.

Verified References: [OAuth 2.0 SAML Bearer Assertion Flow for Server-to-Server Integration], [OAuth 2.0 JWT Bearer Token Flow for Server-to-Server Integration]

Question #:7

Universal Containers is considering using Delegated Authentication as the sole means of authenticating Salesforce users. A Salesforce Architect has been brought in to assist with the implementation.

What two risks should the Architect point out?

Choose 2 answers

A. Delegated Authentication is enabled or disabled for the entire Salesforce org.

B. UC will be required to develop and support a custom SOAP web service.

C. Salesforce users will be locked out of Salesforce if the web service goes down.

D. The web service must reside on a public cloud service, such as Heroku.

Answer: B C

Explanation

The two risks that the architect should point out for using delegated authentication as the sole means of authenticating Salesforce users are:

UC will be required to develop and support a custom SOAP web service. Delegated authentication is a feature that allows Salesforce to delegate the authentication process to an external service by making a SOAP callout to a web service that verifies the user’s credentials. This feature requires UC to develop and support a custom SOAP web service that can accept and validate the user’s username and password, and return a boolean value to indicate whether the authentication is successful or not. This could increase complexity and cost for UC, as they need to write custom code and maintain the web service.

Salesforce users will be locked out of Salesforce if the web service goes down. Delegated authentication relies on the availability and performance of the external web service that handles the authentication requests from Salesforce. If the web service goes down or becomes slow, Salesforce users will not be able to log in or access Salesforce, as they will receive an error message or a timeout response. This could cause disruption and frustration for UC’s business operations and user satisfaction.

The other options are not valid risks for using delegated authentication. Delegated authentication can be enabled or disabled for individual users or groups of users by using permission sets or profiles, not for the entire Salesforce org. The web service does not need to reside on a public cloud service, such as Heroku, as it can be hosted on any platform that supports SOAP services and can communicate with Salesforce.

References: [Delegated Authentication], [Enable 'Delegated Authentication'], [Troubleshoot Delegated Authentication]

Question #:8

Universal Containers (UC) is planning to add Wi-Fi enabled GPS tracking devices to its shipping containers so that the GPS coordinates data can be sent from the tracking device to its Salesforce production org via a custom API. The GPS devices have no direct user input or output capabilities.

Which OAuth flow should the identity architect recommend to meet the requirement?

A. OAuth 2.0 Asset Token Flow for Securing Connected Devices

B. OAuth 2.0 Username-Password Flow for Special Scenarios

C. OAuth 2.0 Web Server Flow for Web App Integration

D. OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration

Answer: A

Explanation

OAuth 2.0 Asset Token Flow is the flow that allows connected devices to request an asset token from Salesforce. The device obtains an access token and an actor token, and uses them to create an asset token. This flow enables efficient token exchange and automatic linking of devices to Service Cloud Asset records. References: OAuth 2.0 Asset Token Flow for Securing Connected Devices, OAuth Authorization Flows

Question #:9

Universal Containers (UC) has Active Directory (AD) as their enterprise identity store and would like to use it for Salesforce user authentication. UC expects to synchronize user data between Salesforce and AD and assign the appropriate Profile and Permission Sets based on AD group membership.

What would be the optimal way to implement SSO?

A. Use Active Directory with Reverse Proxy as the Identity Provider.

B. Use Microsoft Access Control Service as the Authentication Provider.

C. Use Active Directory Federation Service (ADFS) as the Identity Provider.

D. Use Salesforce Identity Connect as the Identity Provider.

Answer: D

Explanation

The optimal way to implement SSO with Active Directory as the enterprise identity store is to use Salesforce Identity Connect as the identity provider. Salesforce Identity Connect is software that integrates Microsoft Active Directory with Salesforce and enables single sign-on (SSO) using SAML. It also allows user data synchronization between Active Directory and Salesforce and profile and permission set assignment based on Active Directory group membership. Option A is not a good choice because using Active Directory with a reverse proxy as the identity provider may not be supported by Salesforce or may require additional configuration and customization. Option B is not a good choice because using Microsoft Access Control Service as the authentication provider may not be available, as Microsoft retired this service in 2018. Option C is not a good choice because using Active Directory Federation Service (ADFS) as the identity provider may not allow user data synchronization or profile and permission set assignment based on Active Directory group membership, unless it is combined with another tool such as Salesforce Identity Connect.

References: Salesforce Identity Connect Implementation Guide, Single Sign-On Implementation Guide

Question #:10

Universal Containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a Connected App in Salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app.

Which two recommendations should be made to UC?

Choose 2 answers

A. Disallow the use of single sign-on for any users of the mobile app.

B. Require high assurance sessions in order to use the Connected App.

C. Use Google Authenticator as an additional part of the login process.

D. Set login IP ranges to the internal network for all of the app users' profiles.

Answer: B C

Explanation

High assurance sessions are sessions that require a stronger level of identity verification, such as two-factor authentication or SAML assertions [1]. Google Authenticator is an app that generates verification codes on your mobile device that you can use as a second factor of authentication [2]. These measures can help prevent unauthorized access to the connected app by ensuring that the user is who they claim to be and that they have access to their mobile device. Disallowing the use of single sign-on (SSO) for the mobile app is not a recommendation because SSO can provide a seamless and secure user experience across multiple applications [3]. Setting login IP ranges to the internal network for the app users' profiles is not a recommendation because it can limit the mobility and flexibility of the users who are commonly out of the office.

References: 1: Session Security Levels; 2: Google Authenticator; 3: Connected Apps; [Restrict Login Access by IP Address]

About dumpscafe.com

dumpscafe.com was founded in 2007. We provide latest & high quality IT / Business Certification Training Exam Questions, Study Guides, Practice Tests.

We help you pass any IT / Business Certification Exams with 100% Pass Guaranteed or Full Refund. Especially Cisco, CompTIA, Citrix, EMC, HP, Oracle, VMware, Juniper, Check Point, LPI, Nortel, EXIN and so on.

View list of all certification exams: All vendors

We prepare state-of-the art practice tests for certification exams. You can reach us at any of the email addresses listed below.

Sales: sales@dumpscafe.com

Feedback: feedback@dumpscafe.com

Support: support@dumpscafe.com

If you have any problems with IT certification or our products, write to us and we will get back to you within 24 hours.
