Rahul Bose
Quiz by , created more than 1 year ago

Information Technology Quiz on SF IAMD Part 1, created by Rahul Bose on 10/07/2019.

1406
2
0
Created by a deleted user over 6 years ago
Rahul Bose
Copied by Rahul Bose over 5 years ago
Close

SF IAMD Part 1

Question 1 of 65

1

Universal Containers (UC) wants to build a few applications that leverage the Salesforce REST API. UC has asked its Architect to describe how the API calls will be authenticated to a specific user.

Which two mechanisms can the Architect provide? Choose 2 Answers

Select one or more of the following:

  • Authentication Token

  • Session ID

  • Refresh Token

  • Access Token

Explanation

Question 2 of 65

1

Universal Containers (UC) has implemented SSO Pingfederate uses SAML while Salesforce Org 1 uses OAuth 2.0. Users usually start their day by first attempting to log into Salesforce Org 2 and then later in the day, they will log into either the Financial System or CPQ system depending upon their job position.

Which two systems are acting as Identity Providers? Select 2 answers

Select one or more of the following:

  • Financial System

  • Pingfederate

  • Salesforce Org 2

  • Salesforce Org 1

Explanation

Question 3 of 65

1

Universal Containers (UC) built an integration for their employees to post, view, and vote for ideas in Salesforce from an internal Company portal. When ideas are posted in Salesforce, links to the ideas are created in the company portal pages as part of the integration process. The Company portal connects to Salesforce using OAuth. Everything is working fine, except when users click on links to existing ideas, they are always taken to the Ideas home page rather than the specific idea, after authorization.

Which OAuth URL parameter can be used to retain the original requested page so that a user can be redirected correctly after OAuth authorization?

Select one of the following:

  • redirect_uri

  • state

  • scope

  • callback_uri

Explanation

Question 4 of 65

1

Universal Containers (UC) is building an integration between Salesforce and a legacy web applications using the canvas framework. The security for UC has determined that a signed request from Salesforce is not an adequate authentication solution for the Third-Party app.

Which two options should the Architect consider for authenticating the third-party app using the canvas framework? Choose 2 Answers

Select one or more of the following:

  • Utilize the SAML Single Sign-on flow to allow the third-party to authenticate itself against UC's IdP.

  • Utilize Authorization Providers to allow the third-party appliction to authenticate itself against Salesforce as the Idp.

  • Utilize Canvas OAuth flow to allow the third-party appliction to authenticate itself against Salesforce as the Idp.

  • Create a registration handler Apex class to allow the third-party app to authenticate itself against Salesforce as Idp.

Explanation

Question 5 of 65

1

Universal Containers (UC) has decided to build a new, highly sensitive application on the Force.com platform. The security team at UC has decided that they want users to provide a fingerprint in addition to username/password to authenticate to this application.

How can an Architect support fingerprints as a form of identification for Salesforce authentication?

Select one of the following:

  • Use Salesforce Two-factor authentication with callouts to a third-party fingerprint scanning application.

  • Use an AppExchange product that does fingerprint scanning with native Salesforce Identity Confirmation.

  • Use delegated Authentication with callouts to a third-party fingerprint scanning application.

  • Use custom login flows with callouts to a third-party fingerprint scanning application.

Explanation

Question 6 of 65

1

Universal Containers (UC) wants to build a custom mobile app for their field reps to create orders in salesforce. After the first time the users log in, they must be able to access salesforce upon opening the mobile app without being prompted to log in again.

What Oauth flows should be considered to support this requirement?

Select one of the following:

  • Web Server flow with a Refresh Token.

  • Mobile Agent flow with a Bearer Token.

  • User Agent flow with a Refresh Token.

  • SAML Assertion flow with a Bearer Token.

Explanation

Question 7 of 65

1

What item should an Architect consider when designing a Delegated Authentication implementation?

Select one of the following:

  • The Web service should be secured with TLS using Salesforce trusted certificates.

  • The Web service should be able to accept one to four input method parameters.

  • The web service should use the Salesforce Federation ID to identify the user.

  • The Web service should implement a custom password decryption method.

Explanation

Question 8 of 65

1

Universal Containers (UC) has decided to use Salesforce as an Identity Provider for multiple external applications. UC wants to use the salesforce App Launcher to control the Apps that are available to individual users.

Which three steps are required to make this happen? Select 3 answers

Select one or more of the following:

  • Add each connected App to the App Launcher with a Start URL.

  • Set up an Auth Provider for each External Application.

  • Set up Salesforce as a SAML Idp with My Domain.

  • Set up Identity Connect to synchronize user data.

  • Create a Connected App for each external application.

Explanation

Question 9 of 65

1

An Architect has configured a SAML-based SSO integration between Salesforce and an external Identity provider and is ready to test it. When the Architect attempts to log in to Salesforce using SSO, the Architect receives a SAML error.

Which two optimal actions should the Architect take to troubleshoot the issue? Select 2 answers

Select one or more of the following:

  • Ensure the Callback URL is correctly set in the Connected Apps settings.

  • Use a browser that has an add-on/extension that can inspect SAML.

  • Paste the SAML Assertion Validator in Salesforce.

  • Use the browser's Development tools to view the Salesforce page's markup.

Explanation

Question 10 of 65

1

Universal Containers (UC) has a classified information system that its call center team uses only when they are working on a case with a record type "Classified". They are only allowed to access the system when they own an open "Classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO eith Salesforce as the Idp, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "Classified" case record when they try to access the system using SSO.

What is the recommended solution for automatically allowing or denying the access to the classified information system based on the open "classified" case record criteria?

Select one of the following:

  • Use Salesforce reports to identify users that currently owns open "Classified" cases and should be granted access to the classified information system.

  • Use Apex trigger on case to dynamically assign permission Sets that Grant access when an user is assigned with an open "Classified" case, and remove it when the case is closed.

  • Use Custom SAML JIT Provisioning to dynamically query the user's open "Classified" cases when attempting to access the classified information system.

  • Use a Common Connected App Handler using Apex to dynamically allow access to the system based on whether the staff owns any open "Classified" Cases.

Explanation

Question 11 of 65

1

Universal Containers (UC) is implementing Salesforce and would like to establish SAML SSO for its users to log in. UC stores its corporate user identities in a Custom Database. The UC IT Manager has heard good things about Salesforce Identity Connect as an Idp, and would like to understand what limitations they may face if they decided to use Identity Connect in their current environment.
What limitation should an Architect inform the IT Manager about?

Select one of the following:

  • Identity Connect will not support user provisioning in UC's current environment.

  • Identity Connect will only support Idp-initiated SAML flows in UC's current environment.

  • Identity Connect will only support SP-initiated SAML flows in UC's current environment.

  • Identity connect is not compatible with UC's current identity environment.

Explanation

Question 12 of 65

1

A group of users try to access one of Universal Containers' Connected Apps and receive the following error message: "Failed: Not approved for access.
" What is the most likely cause of this issue?

Select one of the following:

  • The Connected App settings "All users may self-authorize" is enabled.

  • The Salesforce Administrators have revoked the OAuth authorization.

  • The Users do not have the correct permission set assigned to them.

  • The User of High Assurance sessions are required for the Connected App.

Explanation

Question 13 of 65

1

Universal Containers (UC) has decided to implement a federated single Sign-on solution using a thirdparty Idp. In reviewing the third-party products, they would like to ensure the product supports the automated provisioning and deprovisioning of users.

What are the underlining mechanisms that the Architect must ensure are part of product?

Select one of the following:

  • SOAP API for provisioning; Just-in-Time (JIT) for Deprovisioning.

  • Just-In-time (JIT) for Provisioning; SOAP API for Deprovisioning.

  • Provisioning API for both Provisioning and Deprovisioning.

  • Just-in-Time (JIT) for both Provisioning and Deprovisioning.

Explanation

Question 14 of 65

1

Universal Containers (UC) would like to enable SAML based SSO for a Salesforce Partner Community. UC has an existing LDAP identity store and a third-party portal. They would like to use the existing portal as the primary site these users access, but also want to allow seamless access to the partner community.

What SSO flow should an Architect recommend?

Select one of the following:

  • Idp-Initiated

  • Web Server.

  • SP-Initiated.

  • User- Agent

Explanation

Question 15 of 65

1

Universal Containers (UC) has an existing Salesforce org configured for SP-Initiated SAML SSO with their Idp. A second Salesforce org is being introduced into the environment and the IT team would like to ensure they can use the same Idp for new org.

What action should the IT team take while implementing the second org?

Select one of the following:

  • Use the same SAML Identity location as the first org.

  • Use a different Entity ID than the first org.

  • Use the same request bindings as the first org.

  • Use the Salesforce Username as the SAML Identity Type.

Explanation

Question 16 of 65

1

An architect is troubleshooting some SAML-based SSO errors during testing. The Architect confirmed that all of the Salesforce SSO settings are correct.

Which two issues outside of the Salesforce SSO settings are most likely contributing to the SSO errors the Architect is encountering? Choose 2 Answers

Select one or more of the following:

  • The Identity Provider is also used to SSO into five other applications.

  • The clock on the Identity Provider server is twenty minutes behind Salesforce.

  • The Issuer Certificate from the Identity Provider expired two weeks ago.

  • The default language for the Identity Provider and Salesforce are Different.

Explanation

Question 17 of 65

1

Universal Containers (UC) has a Desktop application to collect leads for marketing campaigns. UC wants to extend this application to integrate with Salesforce to create leads. Integration between the desktop application and salesforce should be seamless.

What Authorization flow should the Architect recommend?

Select one of the following:

  • JWT Bearer Token flow

  • Web Server Authentication Flow

  • User Agent Flow

  • Username and Password Flow

Explanation

Question 18 of 65

1

An Architect needs to advise the team that manages the Identity Provider how to differentiate Salesforce from other Service Providers.

What SAML SSO setting in Salesforce provides this capability?

Select one of the following:

  • Identity Provider Login URL

  • Issuer

  • Entity Id

  • SAML Identity Location.

Explanation

Question 19 of 65

1

Universal Containers (UC) wants its closed Won opportunities to be synced to a Data Warehouse in near real time. UC has implemented Outbound Message to enable near real-time data sync. UC wants to ensure that communication between SF & Target System is Secure.

What Certificate is sent along with the Outbound Message?

Select one of the following:

  • The CA-Signed Certificate from the Certificate and Key Management menu.

  • The default Client Certificate from the Develop--> API Menu

  • The default Client Certificate or a Certificate from Certificate and Key Management menu.

  • The Self-Signed Certificates from the Certificate & Key Management menu.

Explanation

Question 20 of 65

1

Which three are features of federated Single sign-on solutions? Choose 3 Answers

Select one or more of the following:

  • It establishes trust between Identity Store and Service Provider.

  • It federates credentials control to authorized applications.

  • It solves all identity and access management problems.

  • It improves affiliated applications adoption rates.

  • It enables quick and easy provisioning and deactivating of users.

Explanation

Question 21 of 65

1

Universal Containers (UC) has an existing e-commerce platform and is implementing a new customer community. They do not want to force customers to register on both applications due to concern over the customer's experience. It is expected that 25% of the e-commerce customers will utilize the customer community. The e-commerce platform is capable of generating SAML responses and has an existing REST-ful API capable of managing users.
How should UC create the identities of its e-commerce users with the customer community?

Select one of the following:

  • Use SAML JIT in the Customer Community to create users when a user tries to login to the community from the e-commerce site.

  • Use the e-commerce REST API to create users when a user self-register on the customer community and use SAML to allow SSO.

  • Use a nightly batch ETL job to sync users between the Customer Community and the e-commerce platform and use SAML to allow SSO.

  • Use the standard Salesforce API to create users in the Community When a User is created in the eCommerce platform and use SAML to allow SSO.

Explanation

Question 22 of 65

1

How should an Architect automatically redirect users to the login page of the external Identity provider when using an SP-Initiated SAML flow with Salesforce as a Service Provider?

Select one of the following:

  • Use visualforce as the landing page for My Domain to redirect users to the Identity Provider login Page.

  • Enable the Redirect to the Identity Provider setting under Authentication Services on the My domain Configuration.

  • Remove the Login page from the list of Authentication Services on the My Domain configuration.

  • Set the Identity Provider as default and enable the Redirect to the Identity Provider setting on the SAML config.

Explanation

Question 23 of 65

1

Universal Containers (UC) has an existing Customer Community. UC wants to expand the selfregistration capabilities such that customers receive a different community experience based on the data they provide during the registration process.

What is the recommended approach an Architect Should recommend to UC?

Select one of the following:

  • Create an After Insert Apex trigger on the user object to assign specific custom permissions.

  • Create separate login flows corresponding to the different community user personas.

  • Modify the Community pages to utilize specific fields on the User and Contact records.

  • Modify the existing Communities registration controller to assign different profiles.

Explanation

Question 24 of 65

1

Universal Containers (UC) has a Customer Community that uses Facebook for Authentication. UC would like to ensure that Changes in the Facebook profile are reflected on the appropriate Customer Community user.

How can this requirement be met?

Select one of the following:

  • Use the updateUser method on the registration Handler Class.

  • Develop a scheduled job that calls out to Facebook on a nightly basis.

  • Use information in the signed Request that is received from facebook.

  • Use SAML Just-In-Time Provisioning between Facebook and Salesforce

Explanation

Question 25 of 65

1

What are three capabilities of Delegated Authentication? Choose 3 answers

Select one or more of the following:

  • It can be assigned by Custom Permissions.

  • It can connect to SOAP services.

  • It can be assigned by Permission Sets.

  • It can be assigned by Profiles.

  • It can connect to REST services.

Explanation

Question 26 of 65

1

Universal Containers (UC) has an e-commerce website where customers can buy products, make payments and manage their accounts. UC decides to build a Customer Community on Salesforce and wants to allow the customers to access the community from their accounts without logging in again. UC decides to implement an SP-initiated SSO using a SAML-compliant Idp. In this scenario where Salesforce is the Service Provider,

which two activities must be performed in Salesforce to make SP-initiated SSO work? Choose 2 answers

Select one or more of the following:

  • Configure SAML SSO settings.

  • Create a Connected App.

  • Configure Delegated Authentication.

  • Set up My Domain.

Explanation

Question 27 of 65

1

In an SP-Initiated SAML SSO setup where the user tries to access a resource on the Service Provider,

What HTTP param should be used when submitting a SAML Request to the Idp to ensure the user is returned to the intended resource after authentication?

Select one of the following:

  • RedirectURL

  • RelayState

  • DisplayState

  • StartURL

Explanation

Question 28 of 65

1

Universal Containers (UC) is building a customer community and will allow customers to authenticate using Facebook credentials. The First time the user authenticating using facebook, UC would like a customer account created automatically in their Accounting system. The accounting system has a web service accessible to Salesforce for the creation of accounts.

How can the Architect meet these requirements?

Select one of the following:

  • Create a custom application on Heroku that manages the sign-on process from Facebook.

  • Use JIT Provisioning to automatically create the account in the accounting system.

  • Add an Apex callout in the registration handler of the authorization provider.

  • Use OAuth JWT flow to pass the data from Salesforce to the Accounting System

Explanation

Question 29 of 65

1

Universal Containers (UC) has multiple Salesforce Orgs and would like to use a single Identity Provider to access all of their orgs.

How should UC's Architect enable this behavior?

Select one of the following:

  • Ensure that users have the same Alias value in their user records in all of UC's Salesforce orgs.

  • Ensure the same username is allowed in multiple orgs by contacting Salesforce Support.

  • Ensure that users have the same Federation ID value in their User records in all of UC's Salesforce orgs

  • Ensure that users have the same Email Value in their user records in all of UC's Salesforce orgs.

Explanation

Question 30 of 65

1

Universal Containers (UC) would like its community users to be able to register and log in with Linkedin or Facebook Credentials. UC wants users to clearly see Facebook & Linkedin Icons when they register and login.

What are the two recommended actions UC can take to achieve this Functionality? Choose 2 answers

Select one or more of the following:

  • Enable Facebook and Linkedin as Login options in the login section of the Community configuration.

  • Create custom Registration Handlers to link Linkedin and facebook accounts to user records.

  • Store the Linkedin or Facebook user IDs in the Federation ID field on the Salesforce User record.

  • Create custom buttons for Facebook and inkedin using JAVAscript/CSS on a custom Visualforce page.

Explanation

Question 31 of 65

1

Universal Containers (UC) has built a custom token-based Two-factor authentication (2FA) system for their existing on-premise applications. They are now implementing Salesforce and would like to enable a Two-factor login process for it, as well.

What is the recommended solution as Architect should consider?

Select one of the following:

  • Use the custom 2FA system for on-premise applications and native 2FA for Salesforce.

  • Replace the custom 2FA system with an AppExchange App that supports on premise application and salesforce.

  • Use Custom Login Flows to connect to the existing custom 2FA system for use in Salesforce.

  • Replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce.

Explanation

Question 32 of 65

1

Which two statements are capable of Identity Connect? Choose 2 answers

Select one or more of the following:

  • Synchronization of Salesforce Permission Set license assignments.

  • Supports both Identity-Provider-Initiated and Service-Provider-Initiated SSO.

  • Support multiple orgs connecting to multiple Active Directory servers.

  • Automated user synchronization and de-activation.

Explanation

Question 33 of 65

1

Universal Containers (UC) employees have Salesforce access from restricted IP ranges only, to protect against unauthorized access. UC wants to roll out the Salesforce1 mobile app and make it accessible from any location.

Which two options should an Architect recommend? Choose 2 answers

Select one or more of the following:

  • Relax the IP restriction with a second factor in the Connect App settings for Salesforce1 mobile app.

  • Remove existing restrictions on IP ranges for all types of user access.

  • Relax the IP restrictions in the Connect App settings for the Salesforce1 mobile app.

  • Use Login Flow to bypass IP range restriction for the mobile app.

Explanation

Question 34 of 65

1

Universal Containers (UC) uses Global Shipping (GS) as one of their shipping vendors. Regional leads of GS need access to UC's Salesforce instance for reporting damage of goods using Cases. The regional leads also need access to dashboards to keep track of regional shipping KPIs. UC internally uses a thirdparty cloud analytics tool for capacity planning and UC decided to provide access to this tool to a subset of GS employees. In addition to regional leads, the GS capacity planning team would benefit from access to this tool. To access the analytics tool, UC IT has set up Salesforce as the Identity provider for internal users and would like to follow the same approach for the GS users as well.

What are the most appropriate license types for GS regional Leads and the GS Capacity Planners?

Select one of the following:

  • Customer Community Plus license for GS Regional Leads and External Identity for GS Capacity Planners.

  • Customer Community Plus license for GS Regional Leads and Customer Community license for GS Capacity Planners.

  • Identity License for GS Regional Leads and External Identity license for GS capacity Planners.

  • Customer Community license for GS Regional Leads and Identity license for GS Capacity Planners.

Explanation

Question 35 of 65

1

Universal Containers is considering using Delegated Authentication as the sole means of Authenticating of Salesforce users. A Salesforce Architect has been brought in to assist with the implementation.

What two risks should the Architect point out? Choose 2 answers

Select one or more of the following:

  • Delegated Authentication is enabled or disabled for the entire Salesforce org.

  • UC will be required to develop and support a custom SOAP web service.

  • Salesforce users will be locked out of Salesforce if the web service goes down.

  • The web service must reside on a public cloud service, such as Heroku.

Explanation

Question 36 of 65

1

Universal Containers (UC) has implemented SAML-based single Sign-on for their Salesforce application and is planning to provide access to Salesforce on mobile devices using the Salesforce1 mobile app. UC wants to ensure that Single Sign-on is used for accessing the Salesforce1 mobile App.

Which two recommendations should the Architect make? Choose 2 Answers

Select one or more of the following:

  • Configure the Embedded Web Browser to use My Domain URL

  • Configure the Salesforce1 App to use the MY Domain URL.

  • Use the existing SAML-SSO flow along with User Agent Flow.

  • Use the existing SAML SSO flow along with Web Server Flow.

Explanation

Question 37 of 65

1

Universal Containers (UC) has implemented SAML-based SSO solution for use with their multi-org Salesforce implementation, utilizing one of the the orgs as the Identity Provider. One user is reporting that they can log in to the Identity Provider org but get a generic SAML error message when accessing the other orgs.

Which two considerations should the architect review to troubleshoot the issue? Choose 2 answers

Select one or more of the following:

  • The Federation ID must be a valid Salesforce Username

  • The Federation ID must is case sensitive

  • The Federation ID must be in the form of an email address.

  • The Federation ID must be populated on the user record.

Explanation

Question 38 of 65

1

Universal Containers (UC) wants to integrate a third-party Reward Calculation system with Salesforce to calculate Rewards. Rewards will be calculated on a schedule basis and update back into Salesforce. The integration between Salesforce and the Reward Calculation System needs to be secure.

Which are two recommended practices for using OAuth flow in this scenario. Choose 2 answers

Select one or more of the following:

  • OAuth Refresh Token FLow

  • OAuth Username-Password Flow

  • OAuth SAML Bearer Assertion FLow

  • OAuth JWT Bearer Token Flow

Explanation

Question 39 of 65

1

Universal Containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in Salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app.

Which two are recommendations to make the UC? Choose 2 answers

Select one or more of the following:

  • Disallow the use of Single Sign-on for any users of the mobile app

  • Require High Assurance sessions in order to use the Connected App.

  • Set Login IP Ranges to the internal network for all of the app users Profiles.

  • Use Google Authenticator as an additional part of the login process

Explanation

Question 40 of 65

1

Which two are valid choices for digital certificates when setting up two-way SSL between Salesforce and an external system? Choose 2 answers

Select one or more of the following:

  • Use a trusted CA-signed certificate for salesforce and a trusted CA-signed cert for the external system

  • Use a trusted CA-signed certificate for salesforce and a self-signed cert for the external system

  • Use a self-signed certificate for salesforce and a self-signed cert for the external system

  • Use a self-signed certificate for salesforce and a trusted CA-signed cert for the external system

Explanation

Question 41 of 65

1

Sales users at Universal containers use salesforce for Opportunity management. Marketing uses a thirdparty application called Nest for Lead nurturing that is accessed using username/password. The VP of sales wants to open up access to nest for all sales uses to provide them access to lead history and would like SSO for better adoption.
Salesforce is already setup for SSO and uses Delegated Authentication. Nest can accept username/Password or SAML-based Authentication. IT teams have received multiple password-related issues for nest and have decided to set up SSO access for Nest for marketing users as well. The CIO does not want to invest in a new IDP solution and is considering using Salesforce for this purpose.
Which are appropriate license type choices for sales and marketing users, giving salesforce is using Delegated Authentication? Choose 2 answers

Select one or more of the following:

  • Salesforce license for sales users and Identity license for Marketing users

  • Salesforce license for sales users and External Identity license for Marketing users

  • Identity license for sales users and Identity connect license for Marketing users

  • Salesforce license for sales users and platform license for marketing users.

Explanation

Question 42 of 65

1

Universal containers wants to build a custom mobile app connecting to salesforce using Oauth, and would like to restrict the types of resources mobile users can access.

What Oauth feature of Salesforce should be used to achieve the goal?

Select one of the following:

  • Access Tokens

  • Refresh Tokens

  • Mobile PINS

  • Scopes

Explanation

Question 43 of 65

1

Universal containers (UC) is building a mobile application that will make calls to the salesforce REST API. Additionally, UC would like to provide the optimal experience for its mobile users.

Which two OAuth scopes should UC configure in the connected App? Choose 2 answers

Select one or more of the following:

  • Refresh Tokens

  • full

  • Web

  • API

Explanation

Question 44 of 65

1

Universal container plans to develop a custom mobile app for the sales team that will use salesforce for authentication and access management. The mobile app access needs to be restricted to only the sales team.

What would be the recommended solution to grant mobile app access to sales users?

Select one of the following:

  • Use a custom attribute on the user object to control access to the mobile app

  • Use connected apps Oauth policies to restrict mobile app access to authorized users.

  • Use the permission set license to assign the mobile app permission to sales users

  • Add a new identity provider to authenticate and authorize mobile users.

Explanation

Question 45 of 65

1

Universal containers (UC) has a mobile application that it wants to deploy to all of its salesforce users, including customer Community users.
UC would like to minimize the administration overhead, which two items should an architect recommend? Choose 2 answers

Select one or more of the following:

  • Enable the "Refresh Tokens is valid until revoked" setting in the Connected App.

  • Enable the "Enforce Ip restrictions" settings in the connected App.

  • Enable the "All users may self-authorize" setting in the Connected App.

  • Enable the "High Assurance session required" setting in the Connected App.

Explanation

Question 46 of 65

1

The security team at Universal Containers (UC) has identified exporting reports as a high-risk action and would like to require users to be logged into Salesforce with their Active Directory (AD) credentials when doing so. For all other users of Salesforce, users should be allowed to use AD Credentials or Salesforce credentials.
What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with Salesforce credentials?

Select one of the following:

  • Use SAML Federated Authentication and block access to reports when accessed through a Standard Assurance session.

  • Use SAML Federated Authentication and Custom SAML JIT Provisioning to dynamically and or remove a permission set that grants the Export Reports Permission.

  • Use SAML federated Authentication, treat SAML Sessions as High Assurance, and raise the session level required for exporting reports.

  • Use SAML federated Authentication with a Login Flow to dynamically add or remove a Permission Set that grants the Export Reports Permission.

Explanation

Question 47 of 65

1

How should an Architect force users to authenticate with Two-factor Authentication (2FA) for Salesforce only when not connected to an internal company network?

Select one of the following:

  • Add the company's list of network IP addresses to the Login Range list under 2FA Setup.

  • Use Custom Login Flows with Apex to detect the user's IP address and prompt for 2FA in needed.

  • Apply the "Two-factor Authentication for User Interfae Logins" permission and Login IP Ranges for all Profiles.

  • Use an Apex Trigger on the UserLogin object to detect the user's IP address and prompt for 2FA if needed.

Explanation

Question 48 of 65

1

Universal Containers (UC) wants its users to access Salesforce and other SSO-enabled applications from a custom web page that UC magnets. UC wants its users to use the same set of credentials to access each of the applications.

What SAML SSO flow should an Architect recommend for UC?

Select one of the following:

  • SP-Initiated with Deep Linking

  • SP-Initiated

  • IdP-Initiated

  • User-Agent

Explanation

Question 49 of 65

1

Universal Containers (UC) uses a home-grown Employee portal for their employees to collaborate. UC decides to use Salesforce Ideas to allow employees to post Ideas from the Employee portal. When users click on some of the links in the Employee portal, the users should be redirected to Salesforce, authenticated, and presented with the relevant pages.
What OAuth flow is best suited for this scenario?

Select one of the following:

  • Web Application flow

  • SAML Bearer Assertion flow

  • User-Agent flow

  • Web Server flow

Explanation

Question 50 of 65

1

Universal Containers (UC) is planning to deploy a custom mobile app that will allow users to get esignatures from its customers on their mobile devices. The mobile app connects to Salesforce to upload the e-signature as a file attachment and uses OAuth protocol for both authentication and authorization.

What is the most recommended and secure OAuth scope setting that an Architect should recommend?

Select one of the following:

  • ID

  • Web

  • API

  • custom_permissions

Explanation

Question 51 of 65

1

IT security at Unversal Containers (UC) us concerned about recent phishing scams targeting its users and wants to add additional layers of login protection.

What should an Architect recommend to address the issue?

Select one of the following:

  • Use the Salesforce Authenticator mobile app with two-step verification

  • Lock sessions to the IP address from which they originated.

  • Increase Password complexity requirements in Salesforce.

  • Implement Single Sign-on using a corporate Identity store.

Explanation

Question 52 of 65

1

Universal Containers (UC) has an existing web application that it would like to access from Salesforce without requiring users to re-authenticate. The web application is owned UC and the UC team that is responsible for it is willing to add new javascript code and/or libraries to the application.

What implementation should an Architect recommend to UC?

Select one of the following:

  • Create a Canvas app and use Signed Requests to authenticate the users.

  • Rewrite the web application as a set of Visualforce pages and Apex code.

  • Configure the web application as an item in the Salesforce App Launcher.

  • Add the web application as a ConnectedApp using OAuth User-Agent flow.

Explanation

Question 53 of 65

1

Universal containers wants to implement SAML SSO for their internal salesforce users using a third-party IDP. After some evaluation, UC decides not to set up my domain for their salesforce.org.

How does that decision impact their SSO implementation?

Select one of the following:

  • Neither sp - nor IDP - initiated SSO will work

  • Either sp - or IDP - initiated SSO will work

  • IDP - initiated SSO will not work

  • Sp-Initiated SSO will not work

Explanation

Question 54 of 65

1

Universal containers wants salesforce inbound Oauth-enabled integration clients to use SAML-BASED single Sign-on for authentication.

What Oauth flow would be recommended in this scenario?

Select one of the following:

  • User-Agent Oauth flow

  • SAML assertion Oauth flow

  • User-Token Oauth flow

  • Web server Oauth flow

Explanation

Question 55 of 65

1

Universal containers (UC) would like to enable SSO between their existing Active Directory infrastructure and salesforce. The IT team prefers to manage all users in Active Directory and would like to avoid doing any initial setup of users in salesforce directly, including the correct assignment of profiles, roles and groups.

Which two optimal solutions should UC use to provision users in salesforce? Choose 2 answers

Select one or more of the following:

  • Use the salesforce REST API to sync users from active directory to salesforce

  • Use an app exchange product to sync users from Active Directory to salesforce.

  • Use Active Directory Federation Services to sync users from active directory to salesforce.

  • Use Identity connect to sync users from Active Directory to salesforce

Explanation

Question 56 of 65

1

Which two roles of the systems are involved in an environment where salesforce users are enabled to access Google Apps from within salesforce through App launcher and connected App set up? Choose 2 answers

Select one or more of the following:

  • Google is the identity provider

  • Salesforce is the identity provider

  • Google is the service provider

  • Salesforce is the service provider

Explanation

Question 57 of 65

1

Universal containers (UC) is setting up Delegated Authentication to allow employees to log in using their corporate credentials. UC's security team is concerned about the risk of exposing the corporate login service on the Internet and has asked that a reliable trust mechanism be put in place between the login service and salesforce.

What mechanism should an architect put in place to enable a trusted connection between the login services and salesforce?

Select one of the following:

  • Include client ID and client secret in the login header callout.

  • Set up a proxy server for the login service in the DMZ.

  • Require the use of Salesforce security Tokens on password.

  • Enforce mutual Authentication between systems using SSL.

Explanation

Question 58 of 65

1

Universal containers (UC) has a mobile application that calls the salesforce REST API. In order to prevent users from having to enter their credentials everytime they use the app, UC has enabled the use of refresh Tokens as part of the salesforce connected App and updated their mobile app to take advantage of the refresh token. Even after enabling the refresh token, Users are still complaining that they have to enter their credentials once a day.

What is the most likely cause of the issue?

Select one of the following:

  • The Oauth authorizations are being revoked by a nightly batch job.

  • The refresh token expiration policy is set incorrectly in salesforce

  • The app is requesting too many access Tokens in a 24-hour period

  • The users forget to check the box to remember their credentials.

Explanation

Question 59 of 65

1

What information does the 'Relaystate' parameter contain in sp-Initiated Single Sign-on?

Select one of the following:

  • Reference to a URL redirect parameter at the identity provider.

  • Reference to a URL redirect parameter at the service provider.

  • Reference to the login address URL of the service provider.

  • Reference to the login address URL of the identity Provider.

Explanation

Question 60 of 65

1

Universal containers (UC) wants users to authenticate into their salesforce org using credentials stored in a custom identity store. UC does not want to purchase or use a third-party Identity provider. Additionally, UC is extremely wary of social media and does not consider it to be trust worthy.

Which two options should an architect recommend to UC? Choose 2 answers

Select one or more of the following:

  • Use a professional social media such as LinkedIn as an Authentication provider

  • Build a custom web page that uses the identity store and calls frontdoor.jsp

  • Build a custom Web service that is supported by Delegated Authentication.

  • Implement the Openid protocol and configure an Authentication provider

Explanation

Question 61 of 65

1

Universal containers uses an Employee portal for their employees to collaborate. Employees access the portal from their company's internal website via SSO. It is set up to work with Active Directory.

What is the role of Active Directory in this scenario?

Select one of the following:

  • Identity store

  • Authentication store

  • Identity provider

  • Service provider

Explanation

Question 62 of 65

1

Universal containers (UC) uses a legacy Employee portal for their employees to collaborate and post their ideas. UC decides to use salesforce ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to push ideas posted on the Employee portal to salesforce through API. UC decides to use an API user using Oauth Username - password flow for the connection.

How can the connection to salesforce be restricted only to the employee portal server?

Select one of the following:

  • Add the Employee portals IP address to the Trusted IP range for the connected App

  • Use a digital certificate signed by the employee portal Server

  • Add the employee portals IP address to the login IP range on the user profile.

  • Use a dedicated profile for the user the Employee portal uses.

Explanation

Question 63 of 65

1

Universal containers (UC) wants to implement a partner community. As part of their implementation, UC would like to modify both the Forgot password and change password experience with custom branding for their partner community users.

Which 2 actions should an architect recommend to UC? Choose 2 answers

Select one or more of the following:

  • Build a community builder page for the change password experience and Custom Visualforce page for the Forgot password experience.

  • Build a custom visualforce page for both the change password and Forgot password experiences.

  • Build a custom visualforce page for the change password experience and a community builder page for the Forgot password experience.

  • Build a community builder page for both the change password and Forgot password experiences.

Explanation

Question 64 of 65

1

Universal containers (UC) has implemented SAML SSO to enable seamless access across multiple applications. UC has regional salesforce orgs and wants its users to be able to access them from their main Salesforce org seamless.

Which action should an architect recommend?

Select one of the following:

  • Configure the main salesforce org as an Authentication provider.

  • Configure the main salesforce org as the Identity provider.

  • Configure the regional salesforce orgs as Identity Providers.

  • Configure the main Salesforce org as a service provider.

Explanation

Question 65 of 65

1

Which three types of attacks would a 2-Factor Authentication solution help garden against? choose 3 answer

Select one or more of the following:

  • Key logging attacks

  • Network perimeter attacks

  • Phishing attacks

  • Dictionary attacks

  • Man-in-the-middle attacks

Explanation