Salesforce identity and access management architect practice test

Universal Containers (UC) wants to implement SAML SSO for their internal of Salesforce users using a
third-party IdP. After some evaluation, UC decides NOT to 65« set up My Domain for their Salesforce
org. How does that decision impact their SSO implementation?

• A. IdP-initiated SSO will NOT work.
• B. Neither SP- nor IdP-initiated SSO will work.
• C. Either SP- or IdP-initiated SSO will work.
• D. SP-initiated SSO will NOT work

Which two capabilities does My Domain enable in the context of a SAML SSO configuration? Choose
2 answers

• A. App Launcher
• B. Resource deep linking
• C. SSO from Salesforce Mobile App
• D. Login Forensics

Universal Containers wants to implement SAML SSO for their internal Salesforce users using a third-
party IdP. After some evaluation, UC decides not to set up My Domain for their Salesforce org. How
does that decision impact their SSO implementation?

• A. SP-initiated SSO will not work.
• B. Neither SP- nor IdP-initiated SSO will work.
• C. Either SP- or IdP-initiated SSO will work.
• D. IdP-initiated SSO will not work.

Universal Containers (UC) has a desktop application to collect leads for marketing campaigns. UC
wants to extend this application to integrate with Salesforce to create leads. Integration between the
desktop application and Salesforce should be seamless. What Authorization flow should the
Architect recommend?

• A. JWT Bearer Token Flow
• B. Web Server Authentication Flow
• C. User Agent Flow
• D. Username and Password Flow

which three are features of federated Single Sign-on solutions? Choose 3 answers

• A. It federates credentials control to authorized applications.
• B. It establishes trust between Identity store and service provider.
• C. It solves all identity and access management problems.
• D. It improves affiliated applications adoption rates.
• E. It enables quick and easy provisioning and deactivating of users.

Universal containers (UC) has built a custom based Two-factor Authentication (2fa) system for their
existing on-premise applications. Thru are now implementing salesforce and would like to enable a
Two-factor login process for it, as well. What is the recommended solution an architect should
consider?

• A. Replace the custom 2fa system with salesforce 2fa for on-premise application and salesforce.
• B. Use the custom 2fa system for on-premise applications and native 2fa for salesforce.
• C. Replace the custom 2fa system with an app exchange app that supports on-premise applications and salesforce.
• D. Use custom login flows to connect to the existing custom 2fa system for use in salesforce.

Universal containers (UC) has a custom, internal-only, mobile billing application for users who are
commonly out of the office. The app is configured as a connected App in salesforce. Due to the
nature of this app, UC would like to take the appropriate measures to properly secure access to the
app. Which two are recommendations to make the UC? Choose 2 answers

• A. Disallow the use of single Sign-on for any users of the mobile app.
• B. Require high assurance sessions in order to use the connected App
• C. Use Google Authenticator as an additional part of the logical processes.
• D. Set login IP ranges to the internal network for all of the app users profiles.

Universal Containers (UC) wants its closed Won opportunities to be synced to a Data warehouse in
near real time. UC has implemented Outbound Message to enable near real-time data sync. UC
wants to ensure that communication between Salesforce and Target System is secure. What
certificate is sent along with the Outbound Message?

• A. The Self-signed Certificates from the Certificate & Key Management menu.
• B. The default client Certificate from the Develop--> API menu.
• C. The default client Certificate or the Certificate and Key Management menu.
• D. The CA-signed Certificate from the Certificate and Key Management Menu.

An architect needs to advise the team that manages the identity provider how to differentiate
salesforce from other service providers. What SAML SSO setting in salesforce provides this
capability?

• A. Entity id
• B. Issuer
• C. Identity provider login URL
• D. SAML identity location

The security team at Universal containers(UC) has identified exporting reports as a high-risk action
and would like to require users to be logged into salesforce with their active directory (AD)
credentials when doing so. For all other uses of Salesforce, Users should be allowed to use AD
credentials or salesforce credentials. What solution should be recommended to prevent exporting
reports except when logged in using AD credentials while maintaining the ability to view reports
when logged in with salesforce credentials?

• A. Use SAML Federated Authentication and Custom SAML jit provisioning to dynamically add or remove a permission set that grants the Export Reports permission.
• B. Use SAML Federated Authentication, treat SAML sessions as high assurance, and raise the session level required for exporting reports.
• C. Use SAML Federated Authentication and block access to reports when accesses through a standard assurance session.
• D. Use SAML Federated Authentication with a login flow to dynamically add or remove a permission set that grants the export reports permission.