Identity-and-Access-Management-Architect Sample Questions Answers

 these are the optimal actions to troubleshoot a SAML error. According to the Salesforce documentation1, you can use the following methods to debug a SAML error:

Use a browser that has an add-on/extension that can inspect SAML. This will allow you to see the SAML request and response messages and identify any issues with the SAML assertion or the SAML response2.

Paste the SAML Assertion Validator in Salesforce. This is a tool that helps you validate the last SAML operation on your organization and shows you any errors or warnings with the SAML assertion or the SAML response1.

Option A is incorrect because the Callback URL is not related to SAML SSO. The Callback URL is used for OAuth SSO, which is a different protocol3. Option D is incorrect because using the browser’s Development tools to view the Salesforce page’s markup will not help you debug a SAML error. The page’s markup doesnot contain any information about the SAML request or response4.

The best option for UC’s architect to enable the behavior of using a single identity provider to access all of their Salesforce orgs is to ensure that users have the same Federation ID value in their user records in all of UC’s Salesforce orgs. The Federation ID is a field on the user object that stores a unique identifier for each user that is consistent across multiple systems. The Federation ID is used by Salesforce to match the user with the SAML assertion that is sent by the identity provider during the single sign-on (SSO) process. By ensuring that users have the same Federation ID value in all of their Salesforce orgs, UC can enable users to log in with the same identity provider and credentials across multiple orgs. The other options are not valid ways to enable this behavior. Ensuring that users have the same email value in their user records in all of UC’s Salesforce orgs does not guarantee that they can log in with SSO, as email is not used as a unique identifier by Salesforce. Ensuring the same username is allowed in multiple orgs by contacting Salesforce support is not possible, as username must be unique across all Salesforce orgs. Ensuring that users have the same alias value in their user records in all of UC’s Salesforce orgs does not affect the SSO process, as alias is not used as a unique identifier by Salesforce. References: [Federation ID], [SAML SSOwith Salesforce as the Service Provider], [Username], [Alias]

To allow employees to sign in to a custom Benefits web app using their Salesforce credentials, the identity architect should recommend the Identity Only License. The Identity Only License is a license type that enables users to access external applications that are integrated with Salesforce using single sign-on (SSO) or delegated authentication, but not access Salesforce objects or data. The other license types are not relevant for this scenario. References: Identity Only License, User Licenses

The type of single sign-on that UC is using is SP-initiated, which means that the service provider (Salesforce) initiates the SSO process by sending a SAML request to the identity provider (PingFederate) when the user navigates to the My Domain URL3. Therefore, option A is the correct answer. References: SAML SSO with Salesforce as the Service Provider

My Domain is a feature that allows you to personalize your Salesforce org with a subdomain within the Salesforcedomain. For example, instead of using a generic URL like https://na30.salesforce.com, you can use a custom URL like https://somethingReallycool.my.salesforce.com10. My Domain should be enabled in Salesforce as a prerequisite for the following reasons:

My Domain lets you work in multiple Salesforce orgs in the samebrowser. Without My Domain, you can only log in to one org at a time in the same browser.

My Domain lets you set up single sign-on (SSO) with third-party identity providers (IdPs). SSO is an authentication method that allows users to access multiple applications with one login and one set of credentials. With My Domain and SSO, users can log in to Salesforce using their corporate credentials or social accounts.

My Domain lets you customize your login page with your brand. You can add your logo, background image, right-frame content, and authentication service buttons to your login page.

 Configuring an authentication provider to delegate authentication to the LDAP directory ensures that users can only log in to Salesforce if they are active in the LDAP directory. Thisprevents terminated employees from accessing Salesforce with their old credentials. References: Authentication Providers, Delegated Authentication Single Sign-On

To help employees remember fewer passwords, an identity architect should recommend setting up Salesforce as a service provider (SP) to the existing IdP. A SP is the system that relies on the IdP for authentication and provides access to its services based on the SAML assertions from the IdP. Toset up Salesforce as a SP, you need to create a connected app for Salesforce in the IdP, enable SAML and configure the SAML settings, such as the entity ID, ACS URL, and subject type. You also need to enable SSO for your Salesforce org, upload the IdP certificate, and configure the SSO settings, such as the issuer, identity type, and service provider initiated request binding.

 Experience Builder and Community Administration settings are the tools that allow branding the login and registration pages in Experience Cloud. Custom pages are not necessary for this use case. References: Architect Journey: Identity and Access Management Trailmix - Trailhead

 Configuring SSO to use the third-party portal as an identity provider is the best option to enable SSO between the portal and Salesforce. The portal can use OAuth as the protocol to authenticate users and redirect them to Salesforce. The other options are either not feasible or not relevant for this use case. References: Single Sign-On for Desktop and Mobile Applications using SAML and OAuth, Single Sign-On with SAML on Force.com

Theweb server flow is used for web applications when server-side code needs to interact with APIs. This flow implements the OAuth 2.0 authorization code grant type, which allows the web app to obtain an access token and a refresh token from Salesforce after theuser grants permission1. The web app can then use the access token to call the Salesforce APIs and use the refresh token to obtain a new access token when the previous one expires2. The other options are not valid scenarios for using the web server flow. The webserver flow is not used for server-side components when page needs to be rendered, as this does not involve API calls. The web server flow is not used for mobile applications and testing legacy integrations, as these scenarios are better suited for other OAuthflows, such as theuser-agent flow or the password flow3. The web server flow is not used for verifying access protected resources, as this is a general purpose of OAuth, not a specific scenario for the web server flow. References: OAuth 2.0 Web Server Flow for Web AppIntegration, Mastering Salesforce Canvas Apps, OAuth Authorization Flows

The best option for UC to ensure that changes in the Facebook profile are reflected onthe appropriate customer community user is to use the updateUser method on the registration handler class. A registration handler class is an Apex class that implements the Auth.RegistrationHandler interface and defines the logic for creating or updating auser account when a user logs in with an external authentication provider, such as Facebook. The updateUser method is a method in the registration handler class that takes a user ID and a JSON string as parameters and updates the user record with the information from the JSON string. This method can be used to update the user’s profile, email, name, or other attributes based on the changes in the Facebook profile. The other options are not optimal for this scenario. Developing a scheduled job that calls out to Facebook on a nightly basis would introduce a delay in updating the user information and require custom code and API integration. Using information in the signed request that is received from Facebook would only provide limited information about the user, such as name, email, and locale, and not reflect any changes made after the initial login. Using SAML Just-in-Time provisioning between Facebook and Salesforce would require UC to configure Facebook as a SAML identity provider, which is not supportedby Facebook. References: [Create a Registration Handler Class], [Auth.RegistrationHandler Interface], [Facebook Signed Request], [Facebook as SAML Identity Provider]

 The sidebar of a Salesforce Console as a console component and included in the Call Control Tool that’s part of Open CTI are two options that are correct in regards to where the app can be made visible under the connected app settings for the Canvas app. A Canvas app is an external application that can be embedded within Salesforce using an iframe. A connected app is an application that integrates with Salesforceusing APIs and uses OAuth as the authentication protocol. You can control where a Canvas app can be displayed in Salesforce by configuring the locations in the connected app settings. The sidebar of a Salesforce Console as a console component is a valid location for a Canvas app because it allows you to display the app as a collapsible panel on the side of any console app. Included in the Call Control Tool that’s part of Open CTI is a valid location for a Canvas app because it allows you to display the appas part of the softphone panel that integrates with your telephony system. As part of the body of a Salesforce Knowledge article is not a valid location for a Canvas app because it is not supported by the connected app settings. In the mobile navigation menu on Salesforce for Android is not a valid location for a Canvas app because it is not supported by the connected app settings. References: : [Canvas Developer Guide] : [Connected Apps Overview] : [Add or Remove Components from Your Console Apps] : [OpenCTI Developer Guide]

Adding the employee portal’s IP address to the trusted IP range for the connected app is the best way to restrict the connection to Salesforce only to the employee portal server. This will ensure that only requests from the specified IP range will be accepted by Salesforce for that connected app. Option B is not a good choice because using a digital certificate signed by the employee portal server may not be supported by Salesforce for OAuth username-password flow. Option C is not a good choice because adding the employee portal’s IP address to the login IP range on the user profile may not be sufficient, as it will still allow other users with the same profile to log in from that IP range. Option D is not a good choice because using a dedicated profile for the user that the employee portal uses may not be effective, as it will still allow other users with that profile to log in from any IP address. References: [Connected Apps], [OAuth 2.0 Username-Password Flow]

To allowcustomers to use phone numbers to log in to their new digital portal, the identity architect should create a Login Discovery page and provide a Login Discovery Handler Apex class. A Login Discovery page is a custom page that allows users to enter their phone number or email address and receive a verification code via email or text. A Login Discovery Handler is a class that implements the Auth.LoginDiscoveryHandler interface and defines how to handle the user input and verification code. This approach can provide a passwordless login experience for the customers. References: Login Discovery, Create a Login Discovery Page

The web service that is used for delegated authentication should be secured with TLS using Salesforce trusted certificates4. This ensures that the communication between Salesforce and the external authentication method is encrypted and authenticated. The other options are not relevant for designing a delegated authentication implementation. The web service does not need to accept one to four inputmethod parameters, as it can accept any number ofparameters as long as they are wrapped in a SOAP envelope5. The web service does not need to use the Salesforce Federation ID to identify the user, as it can use any identifier that is unique and consistent across systems6. The web service does not need to implement acustom password decryption method, as it can use any encryption or hashing algorithm that is supported by both systems7. References: Delegated Authentication, Enable ‘Delegated Authentication’, Delegated Authentication Flow in Salesforce, FAQs for Delegated Authentication

 Refresh Token Policy - Expire the refresh token if it has not been used for 7 days is the connected app setting that should be leveraged to comply with the policy change. This setting ensures that users have to re-verify their devices if they have not loggedin from that device in the last week. The other settings are either not relevant or not effective for this scenario. References: Connected App Basics, OAuth 2.0 Refresh Token Flow

Self-registration allows guests to create their own user accounts and access the community. The self-registration page can be customized to collect order details and use them to retrieve customer data from the org. References: Customize Self-Registration

Amazon supports OpenID Connect as an authentication protocol, which allows usersto sign in with their Amazon credentials and access Salesforce resources. To enable this, an identity architect needs to configure an OpenID Connect Authentication Provider for Amazon and link it to a connected app. References: OpenID Connect Authentication Providers, Social Sign-On with OpenID Connect

The recommended approach for UC to expand the self-registration capabilities such that customers receive a different community experience based on the data they provide during the registration process is to modify the community pages to utilize specific fields on the user and contact records. This approach allows UC to customize the community pages based on the user’s profile, preferences, interests, or other attributes that are stored in the user or contact fields. For example, UC can use conditional visibility rules or audience criteria to display different components or content based on the user’s field values. This approach does not require any code or complex configuration, and it provides a flexible and personalized community experience for different customer segments. The other options are not recommended for this scenario. Creating an after-insert Apex trigger on the user object to assign specific custom permissionswould require UC to write code and manage custom permissions, which could increase maintenance and testing efforts. Creating separate login flows corresponding to the different community user personas would require UC to create multiple login pages and logic, which could increase complexity and confusion. Modifying the existing communities’ registration controller to assign different profiles would require UC to write code and manage multiple profiles, which could increase security and governance risks. References: [Customize Your Community Pages], [Set Component Visibility], [Create Custom Login Flows], [Customize Self-Registration]

User provisioning is a feature that allows Salesforce to create, update, or deactivate user accounts on a third-party system, such as Concur, based on user assignments in Salesforce1. To implementuser provisioning for Concur with an approval process, the identity architect should use the following steps2:

Create a connected app for Concur in Salesforce. A connected app is an application that integrates with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect3. To create a connected app for Concur, you need to provide the basic information, such as the app name, logo URL, contact email, and API name. You also need to enable SAML and configure the SAML settings, such as the entity ID, ACS URL, and subject type4.

Enable User Provisioning for the connected app. This step allows you to configure the user provisioning settings for the connected app, such as theprovisioning API endpoint URL, the client ID and client secret, the mapping of user attributes, and the linkage rules5. You can also choose to require an approval process for user provisioning requests by selecting the Approval Required option6.

Create an approval process for UserProvisioningRequest object associated with the provisioning flow. A UserProvisioningRequest object represents a user provisioning request that is sent to or received from a third-party system7. An approval process specifies the steps necessary for a record to beapproved and whomust approve it at each step8. To create an approval process for UserProvisioningRequest object, you need to define theapproval steps, assignees, actions, criteria, and email alerts9.

The recommended solution to grant mobile app access to sales users is to use connected apps OAuth policies to restrict mobile app access to authorized users. A connected app is a configuration in Salesforce that allows an external application, such as a mobile app, to connect to Salesforce using OAuth. OAuth is a protocol that allows the mobile app to obtain an access token from Salesforce after the user grants permission. The access token can then be used by the mobile app to access Salesforce data and features. OAuth policies are settings that control how users can access a connected app, such as who can use the app, how long the access token is valid, and what level of access the app requests. By configuring OAuth policies in the connected app settings, Universal Containers can restrict the mobile app access to only the sales team and protect against unauthorized or excessive access.

Using the App Launcher with SSO and using a connected app are two features that can be utilized to provide users with login and identity services for the third-party application. The App Launcher allows users to access multiple apps from one location with SSO. The connected app allows users to authorize access to the third-party application using OAuth 2.0. The other options are either not relevant or not applicable for this use case. References: App Launcher, Connected Apps

Multi-factor authentication (MFA) is a security feature that requires users to verify their identity with two or more factors when they log in to Salesforce4. Salesforcesupports several types of authentication and verification methods that meet the criteria for secure MFA, such as5:

Username and password + security key: A security key is a physical device that plugs into a USB port or connects wirelessly to your computeror mobile device. It generates a unique code that you use to verify your identity when you log in to Salesforce5.

Third-party single sign-on with Mobile Authenticator app: Single sign-on (SSO) is an authentication method that allows users to access multiple applications with one login and one set of credentials. A mobile authenticator app is an app that generates temporary codes or sends push notifications that you use to verify your identity when you log in to Salesforce via SSO5.

Lightning Login: Lightning Login is an authentication method that allows users to log in to Salesforce without entering a password. Instead, users scan a QR code with their mobile device or click an email link that they receive when they try to log in. Then they use their fingerprint, face ID, or PIN to verifytheir identity on their mobile device5.

 To have all of its user’s access Salesforce using the ADFS, the multinational company should implement Identity Connect to provide single sign-on to Salesforce and federate across multiple ADFS systems. Identity Connect is a tool that synchronizes user data between Microsoft Active Directory and Salesforce. It allowssingle sign-on and federation between multiple Active Directory domains and a single Salesforce org. Identity Connect can also handle user provisioning and deprovisioning based on the changes made in Active Directory. The other options are not recommended for this scenario, as they either require additional applications, do not support federation, or do not provide a seamless user experience. References: Identity Connect Implementation Guide, Identity Connect Overview

 Active Directory Password Sync Plugin allows usersto log in to Salesforce with their Active Directory password without using a VPN. Salesforce Identity Connect synchronizes users and groups between Active Directory and Salesforce and enables single sign-on. References: Active Directory Password Sync Plugin, Salesforce Identity Connect

The twostatements that are capabilities of Identity Connect are:

It supports both identity-provider-initiated and service-provider-initiated SSO. Identity Connect is a desktop application that integrates Salesforce with Microsoft Active Directory (AD) and enablessingle sign-on (SSO) between the two systems. Identity Connect supports both identity-provider-initiated SSO, which is when the user starts at the AD site and then is redirected to Salesforce with a SAML assertion, and service-provider-initiated SSO, which is when the user starts at the Salesforce site and then is redirected to AD for authentication.

It enables automated user synchronization and deactivation. Identity Connect allows administrators to synchronize user accounts and attributes between AD andSalesforce, either manually or on a scheduled basis. Identity Connect also allows administrators to deactivate user accounts in Salesforce when they are disabled or deleted in AD, which helps maintain security and compliance.

The other options are not capabilities of Identity Connect. Identity Connect does not support synchronization of Salesforce permission set license assignments, as these are not related to AD attributes. Identity Connect does not support multiple orgs connecting to multiple AD servers,as it can only connect one Salesforce org to one AD domain at a time. References: [Identity Connect], [Identity Connect Features], [Identity Connect User Synchronization], [Identity Connect Single Sign-On]

The appropriate license type choices for sales and marketing users, given that Salesforce is using delegated authentication, are:

Salesforce license for sales users. This license type allows internalusers, such as employees, to access standard and custom Salesforce objects and features, such as opportunities and reports. This license type also supports delegated authentication, which is a feature that allows Salesforce to delegate the authentication process to an external service by making a SOAP callout to a web service that verifies the user’s credentials. This license type is suitable for sales users who use Salesforce for opportunity management and need to log in with delegated authentication.

Platform license for marketing users. This license type allows internal users to access custom Salesforce objects and features, such as custom apps and tabs. This license type also supports delegated authentication and single sign-on (SSO), which are featuresthat allow users to log in with an external identity provider (IdP) or service provider (SP). This license type is suitable for marketing users who use a third-party application called Nest for lead nurturing and need to log in with SSO using Salesforce asthe IdP or SP.

The other options are not appropriate license types for this scenario. Identity license for sales or marketing users would not allow them to access standard or custom Salesforce objects and features, as this license type only supports identity features, such as SSO and social sign-on. External Identity license for marketing users would not allow them to access custom Salesforce objects and features, as this license type is designed for external users, such as customers or partners, who access a limited set of standard and custom objects in a community. Identity Connect license for marketing users is not a valid license type, as Identity Connect is a desktop application that integrates Salesforce with Microsoft Active Directory (AD) and enables SSO between the two systems. References: [Salesforce Licenses], [Delegated Authentication], [Platform Licenses], [Single Sign-On], [External Identity Licenses], [Identity Connect]

 To set up SSO for a selected group of users to access external applications from Salesforce through App Launcher, UC must complete the following steps in Salesforce:

Associate user profiles with theconnected apps. A connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect3. To access a connected app, usersmust have the appropriate permissions assigned to them, either through their profile or a permission set4. UC can associate user profiles with the connected apps to control which users can access which apps.

Complete My Domain and identity provider setup. My Domain isa feature that lets UC create a custom domain name for their Salesforce org. It is required for setting up SSO with external identity providers. An identity provider is a trusted system that authenticates users for other service providers. UC must set up an identity provider that supports SSO protocols such as SAML or OpenID Connect and configure it to communicate with Salesforce.

Create connected apps for the external applications. UC must create connected apps for each external application that they wantto access from Salesforce through App Launcher. A connected app defines the attributes of the external application, such as its name, logo, description, and callback URL4. It also specifies the SSO protocol and settings thatare used to authenticate users and grant access tokens4.

The CA-Signed Certificate from the Certificate and Key Management menu is the certificate that is sent along with the outbound message. An outbound message is a SOAP message that is sent from Salesforce to an external endpoint when a workflow rule or approval process is triggered. To ensure that the communication between Salesforce and the target system is secure, the outbound message can be signed with a certificate that is generated or uploaded in the Certificate and Key Management menu. The certificate must be CA-Signed, which means that it is issued by a trusted certificate authority (CA) that verifies the identity of the sender. The other options are not valid certificates for this purpose. The default client certificate from the Develop–> API Menu is a self-signed certificate that is used for testing purposes only and does not provide adequate security. The default client certificate or a certificate from Certificate and Key Management menu is too vague anddoes not specify whether the certificate is CA-Signed or self-signed. The self-signed certificates from the Certificate & Key Management menu are certificates that are generated by Salesforce without any verification by a CA, and they are not recommended for production use.

Just-in-time provisioning is a feature thatallows Salesforce to create user accounts automatically when users log in for the first time via an external identity provider. This way, UC can avoid creating user records manually or synchronizing them with another system. On-the-fly provisioning is nota valid term in Salesforce. Salesforce APIs can be used to create users programmatically, but they are not related to SSO. Identity Connect is a tool that can sync users between Salesforce and Active Directory, but it is not required for SSO. References: Certification - Identity and Access Management Architect - Trailhead, [Just-in-Time Provisioning for SAML and OpenID Connect]

This is an OAuth authorization flow that allows a webserver application to obtain an access token to access Salesforce resources on behalf ofthe user1. This flow is suitable for integrating adesktop application with Salesforce, as it does not require the user to enter their credentials in the application, but rather redirects them to the Salesforce login page to authenticate and authorize theapplication2. This way, theintegration between the desktop application and Salesforce is seamless and secure. The other options are not optimal for this requirement because:

JWT Bearer Token Flow is an OAuth authorization flow that allows a client application to obtain an access token by sending a signed JSON Web Token (JWT) to Salesforce3. This flow does not involve user interaction, and requires the client application to have a certificate and a private key to sign the JWT. This flow is more suitable for server-to-server integration, not for desktop application integration.

User Agent Flow is an OAuth authorization flow that allows a user-agent-based application (such as a browser or a mobile app) to obtain an access token by redirecting the user to Salesforce and receiving the token in the URL fragment4. This flow is not suitable for desktop application integration, as it requires the application to parse the URLfragment and store the token securely.

Username and Password Flow is an OAuth authorization flow that allows a client application to obtain an access token by sending the user’s username and password to Salesforce5. This flow is not recommended for desktop application integration, as itrequires the user to enter their credentials in the application, which is not secure or seamless. References: OAuth Authorization Flows, Implement the OAuth 2.0 Web Server Flow, JWT-Based Access Tokens (Beta), User-Agent Flow, Username-Password Flow

 JWT Bearer Flow is an OAuth 2.0 flow that allows a client app to obtain an access token without user interaction. It requires a certificate to sign the JWT and the API and Offline Access scopes to access the Salesforce REST API and refresh the token. The connected app must also be pre-approved by the admin to avoid the OAuth approval page. References: OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration, Authorize an Org Using the JWT Flow

User Provisioning for Connected Apps allows Salesforce to create, update, and deactivate users in an external service such as Google Workspace based on user and permission set assignments in Salesforce. References: User Provisioning for Connected Apps

To limit the level of access to the data of the protected resource in a flexible way, the identity architect should create custom scopes and assign them to the connected app. Custom scopes are permissions that define the specific data that an external application can access or modify in Salesforce. Custom scopes can be created using Apex or Metadata API and assigned to a connected app using OAuth 2.0 or SAML protocols. Custom scopes can provide more granular control over data access than standard scopes, which are predefined by Salesforce. References: Custom Scopes, Create and Assign Custom Scopes

 To enable a trusted connection between the login service and Salesforce, an architect should enforce mutual authentication between systems using SSL. Mutual authentication, also known as two-way SSL or client certificate authentication, is a process in whichboth parties in a communication exchange certificates to verify their identities7. This mechanism ensures that only authorized systems can access each other’s resources and prevents unauthorized access or spoofing attacks8. To use mutual authentication with delegated authentication, you need to do the following steps9:

Generate a self-signed certificate in Salesforce and download it.

Import the certificate into your login service’s truststore.

Configure your login service to require client certificates for incoming requests.

Generate a certificate for your login service and export it.

Import the certificate into Salesforce’s certificate and key management tool.

Enable mutual authentication for your login service’s endpoint URL in Salesforce.

 Enabling “MFA for User Interface Logins” for the organization is the simplest way to ensure that all user logins include a single MFA prompt. This setting applies to both direct logins and SSO logins, and overrides any other MFA settings at the profile or permission set level. References: Enable MFA for Direct User Logins, Everything You Need to Know About MFA Auto-Enablement and Enforcement

 Enabling My Domain in the context of a SAML SSO configuration enables resource deep linking and SSO from Salesforce1 mobile app. Resource deep linking allows users to access specificrecords or pages after logging in with SSO5. SSO from Salesforce1 mobile app requires using the My Domain URL as the login server4. Enabling My Domain does not affect the app launcher or login forensics features. Therefore, option A and C are the correct answers. References: Salesforce Mobile Application Single Sign-On overview, SAML SSO with Salesforce as the Service Provider, Single Sign-On, Considerations for setting up My Domain and SSO

Dynamic branding is a feature that allows Experience Cloud sites to display differentbranding elements, such as logos, colors, or images, based on the user’s profile or preferences. To use dynamic branding, the community must be built with the Customer Account Portal template, which supports this feature. An experience ID (expid) or placeholder parameter must be used in the URL to represent the brand and trigger the dynamic branding logic.

Just-in-Time (JIT) provisioning is a feature that allows Salesforce to create or update user records on the fly when users log in through an external identity provider. This eliminates the need for manual or batch user provisioning in Salesforce. References: Just-in-Time Provisioning for SAML and OpenID Connect, Identity 101: Design Patterns for Access Management

B is correct because the user has not configured the Salesforce1 mobile app to use My Domain for login, which is the likely cause of the issue. The My Domain URL is used to redirect theuser to the identity provider’s login page and initiate the SP-Initiated SAML flow. If the user does not configure the Salesforce1 mobile app to use My Domain for login, they will be prompted for Salesforce credentials instead of being shown the IDP loginpage. A is incorrect because the “Redirect to Identity Provider” option has been selected in the My Domain configuration, which is not the cause of the issue. The “Redirect to Identity Provider” option determines whether users are redirected to the identity provider’s login page automatically or after clicking a button. C is incorrect because the “Redirect to Identity Provider” option has not been selected in the SAML configuration, which is not the cause of the issue. The “Redirect to Identity Provider” option determines whether users are redirected to the identity provider’s login page automatically or after clicking a button. D is incorrect because the user has been granted the “Enable Single Sign-On” permission, which is not the cause of the issue. The “Enable Single Sign-On” permission allows users to use SSO with connected apps or external systems. Verified References: [My Domain URL], [SP-Initiated SAML Flow], [Redirect to Identity Provider Option], [Enable Single Sign-On Permission]

 Salesforce Identity Connect can map AD groups to Salesforce public groups, roles, profiles, and permission sets. These permissions control the access and visibility of data and features in Salesforce. References: Salesforce Identity Connect Implementation Guide

Allowing password reset using the API and using login flows are two possible ways to enable customers to set their own passwords in Experience Cloud. The other options are notrelevant for this requirement, as they do not address the password issue. References: Allow Password Reset Using the API, Use Login Flows to Allow Users to Reset Passwords in Experience Cloud Sites

To reduce the frequency of prompt verification for users logging into Salesforce, the identity architect should recommend setting trusted IP ranges for the organization. Trusted IP ranges are IP addresses that are considered safe for logging in without any additional verification. Users who log in from trusted IP ranges do not need to activate their computer or use a verification code. Trusted IP ranges can improve user convenience and security. References: Trusted IP Ranges, Set Trusted IP Ranges for Your Organization

To generate sensor information in Salesforce, the architect should recommend OAuth 2.0 Asset Token Flow. OAuth 2.0 Asset Token Flow is a protocol that allows devices, such as sensors, to obtain an access token from Salesforce by using a certificate instead of an authorization code. The access token can be used to access Salesforce APIs and send datato Salesforce. OAuth 2.0 Asset Token Flow is designed for devices that do not have a user interface or a web browser. References: OAuth 2.0 Asset Token Flow, Authorize Apps with OAuth

The ‘Relaystate’ parameter is an HTTP parameter that can be included as part of the SAML request and SAML response. In an SP-initiated sign-in flow, the SP can set the RelayState parameter in the SAML request with additional information about the request,such as the URL of the resource that the user is trying to access. The IDP should just relay it back in the SAML response without any modification or inspection. Therefore, the ‘Relaystate’ parameter contains a reference to a URL redirect parameter at theservice provider123. References: 1: single sign on - What isexactly RelayState parameter used in SSO (Ex. SAML)? - Stack Overflow 2: java - How to send current URL as relay state while sending authentication request to IDP - Stack Overflow 3: Understanding SAML | Okta Developer

OAuth 2.0 SAML Bearer Assertion Flow allows a client application to use a SAML assertion to request an access token from Salesforce. This flow can leverage theexisting SAML configuration for single sign-on and secure the Salesforce APIs. References: OAuth 2.0 SAML Bearer Assertion Flow

Two-way SSL is a method of mutual authentication between two parties using digital certificates. A digital certificate is an electronic document that contains information about the identity of the certificate owner and a public key that can be used to verify their signature. A digital certificate can be either self-signed or CA-signed. A self-signed certificate is created and signed by its owner, while a CA-signed certificate is created by its owner but signed by a trusted Certificate Authority (CA). For setting up two-way SSL between Salesforce and an external system, two valid choices fordigital certificates are:

Use a self-signed certificate for Salesforce and a self-signed certificate for the external system. This option is simple and cost-effective, but requires both parties to trust each other’s self-signed certificates explicitly.

Use a self-signed certificate for Salesforce and a trusted CA-signed certificate for the external system. This option is more secure and reliable, but requires Salesforce to trust the CA that signed the external system’s certificate implicitly.

Partner Community Login License is the best option for UC’s use case, as it allows external partners to access Experience Cloud sites and Salesforce data with a pay-per-login model. The other license types are either too expensive or not suitable for partner users. References: Experience Cloud User Licenses, Salesforce Experience Cloud Pricing

The OAuth 2.0Device Flow is a type of authorization flow that allows users to register an IoT device with limited display input or capabilities, such as a smart TV, a printer, or a smart speaker1. The device flow works as follows1:

The device displays or reads out a verification code and a verification URL to the user.

The user visits the verification URL on another device, such as a smartphone or a laptop, and enters the verification code.

The user logs in to Salesforce and approves the device.

The device polls Salesforce for an access token using the verification code.

Salesforce returns an access token to the device, which can then access Salesforce APIs.

To enable self-registration using person accounts for consumers on a B2C portal built on Experience Cloud, the identity architect should configure three steps:

Enable access to person and business account record types under Public Access Settings. Public Access Settings are settings that control the access level and permissions for guest users onExperience Cloud sites. By enabling access to person and business account record types, the identity architect can allow guest users to create person accounts or business accounts when they self-register on the portal.

Under Login and Registration settings, ensure that the default account field is empty. Login and Registration settings are settings that control the login and registration options for Experience Cloud sites. By ensuring that the default account field is empty, the identity architect can prevent guest users from being associated with a default account when they self-register on the portal.

Contact Salesforce Support to enable person accounts. Person accounts are a type of account that combines an individual consumer with an account record. Person accounts are not enabled by default in Salesforce orgs and require contacting Salesforce Support to enable them. References: Public Access Settings, Login and Registration Settings, Person Accounts

To use SAML SSO for accessing the Salesforce1 mobile app, the architect should recommend configuring the embedded web browser to use the My Domain URL and configuring the Salesforce1 app to use the My Domain URL4. Using the My Domain URL allows Salesforce to identify the identityprovider and initiate the SSO process5. Using the existing SAML SSO flow along with user agent flow or web server flow is not necessary because SalesforceMobile Applications only work with service provider initiated setups46. Therefore, option B and D are the correct answers.

The refresh token is used to obtain a new access token when the previous one expires. To revoke the user session, the logout function should invoke the revocation URL and pass the refresh token as a parameter. This will invalidate both the refresh token and the access token, and prevent the user from accessing Salesforce without logging in again2.

The first thing that the architect at UC should investigate is the refresh token policy defined in the Salesforce connected app. A refresh token is a credential that allows an application to obtain new access tokens without requiring the user to re-authenticate. The refresh token policy determines how long a refresh token is valid and under what conditions it can be revoked. If the refresh token policy is set to expire after a certain period of time or after a change in IP address or device ID, then the users may have to re-authenticate after using the app for a while or from a different location or device. Option B is not a good choice because validating that the users are checking the box to remember their passwords may not be relevant, as the app uses SSO with a third-party identity provider and does not rely on Salesforce credentials. Option C is not a good choice because verifying that the callback URL is correctly pointing to the new URI scheme may not be necessary, as the callback URL is used for redirecting the user back to the app after authentication, but it does not affect how long the user can stay authenticated. Option D is not a good choice because confirming that the access token’s time-to-live policyhas been set appropriately may not be effective, as the access token’s time-to-live policy determines how long an access token is valid before it needs to be refreshed by a refresh token, but it does not affect how long a refresh token is valid or when itcan be revoked. References: [Connected Apps Developer Guide], [Digging Deeper into OAuth 2.0 on Force.com]

Salesforce acts as an OAuth client when it uses Okta to authorize a Forecasting web application to access Salesforce records on behalf of the user. Salesforce acts as a SAML service provider when it accepts SAML assertions from Okta to authenticateNTO users. References: OAuth 2.0 Web Server Authentication Flow, SAML Single Sign-On Overview

Identity Connect will not support user provisioning inUC’s current environment. Identity Connectis a tool that synchronizes user data between Active Directory and Salesforce, but it does not work with other identity sources such as a Custom Database5. Therefore, if UC wants to use Identity Connect as an Idp, they will not be able to provision users from their Custom Database to Salesforce.

Options B, C, and D are incorrect because Identity Connect does not have any limitations on the type of SAML flow or the compatibility with UC’s current identity environment. Identity Connect supports both Idp-initiated and SP-initiatedSAML flows6, and it can act as an Idp for any external service provider that supports SAML 2.07.

 Authentication provider configuration and Apex coding skills are two recommendations that the Salesforce IAM architect should make to the IT Lead. Authentication providers are used to configure social sign-on providers, such as Facebook, Twitter, and any OpenID Connect compliant provider. Apex coding skills are needed for registration handlers, which are custom classes that create and update users based on social sign-on data. References: Authentication Providers, Registration Handlers

 The identity provider must correctly preserve the Relay state in order to redirect the user to the specific case record after login with SAML SSO. According to the Salesforce documentation3, “The RelayState parameter is used by SAML to indicate where the user should be redirected after they’ve been authenticated by the identity provider.” Therefore, option C is the correct answer. References: Salesforce Documentation

To allow customers to login using Facebook, Google, and other social sign-on providers, the identity architect should configure an authentication provider and a registration handler for each social sign-on provider. Authentication providersare configurations that enable users to authenticate with an external identity provider and access Salesforce resources. OpenID Connect is a protocol that allows users to sign in with an external identity provider, such as Facebook or Google, and access Salesforce resources. To enable this, the identity architect needs to configure an OpenID Connect Authentication Provider in Salesforce and link it to aconnected app. A registration handler is a class that implements the Auth.RegistrationHandler interface and defines how to create or update users in Salesforce based on the information from the external identity provider. The registration handler can also be used to link the user’s social identity with their Salesforce identity and prevent duplicate accounts.References: OpenID Connect Authentication Providers, Social Sign-On with OpenID Connect, Create a Custom Registration Handler

The Entity Id is the SAML SSO setting in Salesforce that provides the capability to differentiate Salesforce from other service providers. The Entity Id is a unique identifier for the service provider that is sent to the identity provider as part of the SSO request4. The identity provider uses the Entity Id to determine which service provider configuration to use and which SAML assertion to sendback5. The other options are not valid SAML SSO settings for this purpose. The Identity Provider Login URL is the URL of the identity provider’s SSOservice that Salesforce redirects the user to for authentication4. The Issuer is the unique identifier for the identity provider that is sent by the identity provider as part of the SAML response4. The SAMLIdentity Location is the location of the user’s identity inthe SAML assertion, either in the Subject element or in an Attribute element4.

The action that an architect should recommend to UC is to configure the main Salesforce org as the identity provider. An identity provider is an application that authenticates users and provides information about them to service providers. A service provider is an application that provides a service to users and relies on an identity provider for authentication. SAML (Security AssertionMarkup Language) is an XML-based standard that allows identity providers and service providers to exchange authentication and authorization data. SSO (Single Sign-On) is a feature that allows users to access multiple applications with one login. In this scenario, the main Salesforce org is the identity provider that authenticates users using SAML and provides information about them to the regional Salesforce orgs. The regional Salesforce orgs are the service providers that provide services to users and relyon the main Salesforce org for authentication. This way, users can access the regional Salesforce orgs from the main Salesforce org seamlessly using SSO.

 Identity Connect is a Salesforce product that integrates Microsoft Active Directory with Salesforce user records. It allows provisioning, deprovisioning, and authentication of users based on AD data.The other options are either incorrect or irrelevant for this use case. References: Get to Know Identity Connect, Identity Connect

The JWT Bearer Token flow is an OAuth flow in which an external app (also called client or consumer app) sends a signedJSON string to Salesforce called JWT to obtain an access token. The access token can then be used by the external app to read & write data in Salesforce1. This flow does not require storing credentials, client secret or refresh tokens, as theJWT is self-contained and includes information about the app and the user2. The other flows require either user interaction (Web Server flow and User Agent flow) or storing credentials (Username-Password flow)3.

Delegated authentication is a feature that allows Salesforce to delegate the authentication process to an external web service. The web service needs to include the source IP address of the user as a method parameter, so that Salesforce can pass it along with the username and password. UC should whitelist all Salesforce IP ranges on their corporate firewall, so that the web service can accept requests from Salesforce. The return type of the web service methodshould be a Boolean value, indicating whether the authentication was successful or not. The web service can be written using either SOAP or REST protocol, but this is not a consideration for UC while building the web service. Delegated authentication is not enabled for the system administrator profile, but it can be enabled for other profiles or permission sets. References: Certification - Identity and AccessManagement Architect - Trailhead, [Delegated Authentication Single Sign-On], [Implementing Single Sign-On Across Multiple Organizations]

The Salesforce Authenticator mobile app adds an extra layer of security for online accounts with two-factor authentication. It allowsusers to respond to push notifications or use location services to verify their logins and other account activity1. This can help prevent phishing scams and unauthorized access. References: Salesforce Authenticator, Salesforce Authenticator: Mobile App Security Features, Salesforce Authenticator

 B is correct because a third-party product can act as an Identity Provider (IdP) for both Salesforce and Google Apps and manage the user provisioning from a single place12. This reduces the administrative burden and provides a consistent user experience.

D is correct because Salesforce can act as an IdP and Google Apps can act as a Service Provider (SP) and they can use SAML or OpenID Connect for Single Sign-on (SSO)34. Salesforce also supports User Provisioning for Connected Apps, which allows the creation, update, and deactivation of users in Google Apps based on changes in Salesforce.

A is incorrect because building a custom app on Heroku as an IdP is not an optimal way to provision users and allow SSO. It would require more development and maintenanceeffort than using a third-party product or Salesforce as an IdP.

C is incorrect because Identity Connect is a tool that synchronizes users between Active Directory and Salesforce. It does not support Google Apps as a target system for user provisioning orSSO.

To allow customers to log in to the communitywith any of their social identities, such as Facebook, Google, or Twitter, the identity architect needs to use authentication providers for social sign-on. Authentication providers are configurations that enable users to authenticate with an external identity provider and access Salesforce resources. To ensure that Salesforce has only one user per customer, regardless of how many social identities they have, the identity architect needs to use the custom registration handler to link social identities to Salesforce identities. The custom registration handler is a class that implements the Auth.RegistrationHandler interface and defines how to create or update users in Salesforce based on the information from the external identity provider. The custom registration handler can also be used to insert or update personal details of the customers when they log in to Salesforce using their social identity. References: Authentication Providers, Social Sign-On with Authentication Providers, Create a Custom Registration Handler

A is correct because creating a connected app that supports the JWT Bearer Token OAuth Flow allows the middleware to authenticate to Salesforce without storing usernames and passwords.The JWT Bearer Token OAuth Flow uses a certificate and a private key to sign a JSON Web Token (JWT) that contains information about the user identity andrequested access. The middleware sends the JWTto Salesforce, which verifies it using the certificate and grants an access token2.

B is incorrect because creatinga connected app that supports the Refresh Token OAuth Flow requires storing usernames and passwords in the middleware. The Refresh Token OAuth Flow uses a username-password authentication flow to obtain an access token and a refresh token. The middleware can use the refresh token to obtain new access tokens without user interaction, but it still needs to store the username and password for the initial authentication3.

C is incorrect because creating a connected app that supports the Web Server OAuth Flow requires user interaction to authenticate to Salesforce. The Web Server OAuth Flow redirects the user to a Salesforce login page, where they enter their credentials and grant access to the middleware. The middleware then receives an authorization code that it can exchange for an access token and a refresh token4.

D is incorrect because creating a connected app that supports the User-Agent OAuth Flow also requires user interaction to authenticate to Salesforce. The User-Agent OAuth Flow is similar to the Web Server OAuth Flow, except that it does not return a refresh token. The middleware can only use the access token until it expires5.

The JWT Bearer Token flowis an OAuth flow in which an external app (also called client or consumer app) sends a signed JSON string to Salesforce called JWT to obtain an access token. The access token canthen be used by the external app to read and write data in Salesforce1. This flow is suitable for UC’s scenario because it allows seamless integration between the desktop application and Salesforce without requiring user interaction or login credentials2. The other options are not valid authorization flows for this scenario. The Web Server Authentication Flow and the User Agent Flow both require user interaction and redirection to the Salesforce OAuthauthorization endpoint, which is not seamless3. The Username and Password Flow requires the external app to store the user’s login credentials, which is not secure or recommended3.

The Federation ID is a field on the user object that is used to link a Salesforce user with an external identity provider. When using SAML SSO, Salesforce matches the Federation ID value with the NameID element in the SAML assertion to identify the user. To troubleshoot the issue of getting a generic SAML error message when accessing the other orgs, the architect should review the following considerations:

The Federation ID must be case sensitive, which means that the value in the user record must match exactly with the value in the SAML assertion. For example, if the Federation ID is “John.Doe”, then “john.doe” or “JOHN.DOE” will not work.

The Federation ID must be populated on the user record, which means that the user must have a value for this field in each org that they want to access via SSO. If the Federation ID is blank or missing, then Salesforce will not be able to match the user with the SAML assertion.