NEW QUESTION 1
Universal Containers (UC) has a strict requirement to authenticate users to Salesforce using their mainframe credentials. The mainframe user store cannot be accessed from a SAML provider. UC would also like to have users in Salesforce created on the fly if they provide accurate mainframe credentials.
How can the Architect meet these requirements?

• A. Use a Salesforce Login Flow to call out to a web service and create the user on the fly.
• B. Use the SOAP API to create the user when created on the mainframe; implement Delegated Authentication.
• C. Implement Just-In-Time Provisioning on the mainframe to create the user on the fly.
• D. Implement OAuth User-Agent Flow on the mainframe; use a Registration Handler to create the user on the fly.

Answer: C

NEW QUESTION 2
Which two security risks can be mitigated by enabling Two-Factor Authentication (2FA) in Salesforce? Choose 2 answers

• A. Users leaving laptops unattended and not logging out of Salesforce.
• B. Users accessing Salesforce from a public Wi-Fi access point.
• C. Users choosing passwords that are the same as their Facebook password.
• D. Users creating simple-to-guess password reset questions.

Answer: BC

NEW QUESTION 3
Northern Trail Outfitters (NTO) has an existing custom business-to-consumer (B2C) website that does NOT support single sign-on standards, such as Security Assertion Markup Language (SAMi) or OAuth. NTO wants to use Salesforce Identity to register and authenticate new customers on the website.
Which two Salesforce features should an identity architect use in order to provide username/password authentication for the website?
Choose 2 answers

• A. Identity Connect
• B. Delegated Authentication
• C. Connected Apps
• D. Embedded Login

Answer: BD

NEW QUESTION 4
customer service representatives at Universal containers (UC) are complaining that whenever they click on links to case records and are asked to login with SAML SSO, they are being redirected to the salesforce home tab and not the specific case record. What item should an architect advise the identity team at UC to investigate first?

• A. My domain is configured and active within salesforce.
• B. The salesforce SSO settings are using http post
• C. The identity provider is correctly preserving the Relay state
• D. The users have the correct Federation ID within salesforce.

Answer: C

NEW QUESTION 5
Universal Containers (UC) has a Customer Community that uses Facebook for of authentication. UC would like to ensure that changes in the Facebook profile are 65. reflected on the appropriate Customer Community user. How can this requirement be met?

• A. Use SAML Just-In-Time Provisioning between Facebook and Salesforce.
• B. Use information in the Signed Request that is received from Facebook.
• C. Develop a scheduled job that calls out to Facebook on a nightly basis.
• D. Use the updateUser() method on the Registration Handler class.

Answer: D

NEW QUESTION 6
Universal containers (UC) is setting up Delegated Authentication to allow employees to log in using their corporate credentials. UC's security team is concerned about the risk of exposing the corporate login service on the Internet and has asked that a reliable trust mechanism be put in place between the login service and salesforce. What mechanism should an architect put in place to enable a trusted connection between the login services and salesforce?

• A. Include client ID and client secret in the login header callout.
• B. Set up a proxy server for the login service in the DMZ.
• C. Require the use of Salesforce security Tokens on password.
• D. Enforce mutual Authentication between systems using SSL.

Answer: C

NEW QUESTION 7
Universal Containers (UC) built an integration for their employees to post, view, and vote for ideas in Salesforce from an internal Company portal. When ideas are posted in Salesforce, links to the ideas are created in the company portal pages as part of the integration process. The Company portal connects to Salesforce using OAuth. Everything is working fine, except when users click on links to existing ideas, they are always taken to the Ideas home page rather than the specific idea, after authorization. Which OAuth URL parameter can be used to retain the original requested page so that a user can be redirected correctly after OAuth authorization?

• A. Redirect_uri
• B. State
• C. Scope
• D. Callback_uri

Answer: A

NEW QUESTION 8
Universal Containers is implementing a new Experience Cloud site and the identity architect wants to use dynamic branding features as of the login process.
Which two options should the identity architect recommend to support dynamic branding for the site? Choose 2 answers

• A. To use dynamic branding, the community must be built with the Visuaiforce + Salesforce Tabs template.
• B. To use dynamic branding, the community must be built with the Customer Account Portal template.
• C. An experience ID (expid) or placeholder parameter must be used in the URL to represent the brand.
• D. An external content management system (CMS) must be used for dynamic branding on Experience Cloud sites.

Answer: BC

NEW QUESTION 9
Northern Trail Outfitters (NTO) uses the Customer 360 Platform implemented on Salesforce Experience Cloud. The development team in charge has learned of a contactless user feature, which can reduce the overhead of managing customers and partners by creating users without contact information.
What is the potential impact to the architecture if NTO decides to implement this feature?

• A. Custom registration handler is needed to correctly assign External Identity or Community license for the newly registered contactless user.
• B. If contactless user is upgraded to Community license, the contact record is automatically created and linked to the user record, but not associated with an Account.
• C. Contactless user feature is available only with the External Identity license, which can restrict the Experience Cloudfunctionality available to the user.
• D. Passwordless authentication can not be supported because the mobile phone receiving one-time password (OTP) needs tomatch the number on the contact record.

Answer: C

NEW QUESTION 10
Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for NTO to give its customers the ability to login with their Amazon credentials.
What should an identity architect recommend to meet these requirements?

• A. Configure a predefined authentication provider for Amazon.
• B. Create a custom external authentication provider for Amazon.
• C. Configure an OpenID Connect Authentication Provider for Amazon.
• D. Configure Amazon as a connected app.

Answer: C

NEW QUESTION 11
Universal Containers (UC) wants to build a mobile application that twill be making calls to the Salesforce REST API. UC's Salesforce implementation relies heavily on custom objects and custom Apex code. UC does not want its users to have to enter credentials every time they use the app. Which two scope values should an Architect recommend to UC? Choose 2 answers.

• A. Custom_permissions
• B. Api
• C. Refresh_token
• D. Full

Answer: BC

NEW QUESTION 12
Which three are features of federated Single sign-on solutions? Choose 3 Answers

• A. It establishes trust between Identity Store and Service Provider.
• B. It federates credentials control to authorized applications.
• C. It solves all identity and access management problems.
• D. It improves affiliated applications adoption rates.
• E. It enables quick and easy provisioning and deactivating of users.

Answer: ADE

NEW QUESTION 13
Universal Containers (UC) uses middleware to integrate multiple systems with Salesforce. UC has a strict, new requirement that usernames and passwords cannot be stored in any UC system. How can UC’s middleware authenticate to Salesforce while adhering to this requirement?

• A. Create a Connected App that supports the JWT Bearer Token OAuth Flow.
• B. Create a Connected App that supports the Refresh Token OAuth Flow
• C. Create a Connected App that supports the Web Server OAuth Flow.
• D. Create a Connected App that supports the User-Agent OAuth Flow.

Answer: A

NEW QUESTION 14
After a recent audit, universal containers was advised to implement Two-factor Authentication for all of their critical systems, including salesforce. Which two actions should UC consider to meet this requirement? Choose 2 answers

• A. Require users to provide their RSA token along with their credentials.
• B. Require users to supply their email and phone number, which gets validated.
• C. Require users to enter a second password after the first Authentication
• D. Require users to use a biometric reader as well as their password

Answer: AD

NEW QUESTION 15
Universal containers wants to implement SAML SSO for their internal salesforce users using a third-party IDP. After some evaluation, UC decides not to set up my domain for their salesforce.org. How does that decision impact their SSO implementation?

• A. Neithersp - nor IDP - initiated SSO will work
• B. Either sp - or IDP - initiated SSO will work
• C. IDP - initiated SSO will not work
• D. Sp-Initiated SSO will not work

Answer: D

NEW QUESTION 16
Universal Containers (UC) currently uses Salesforce Sales Cloud and an external billing application. Both Salesforce and the billing application are accessed several times a day to manage customers. UC would like to configure single sign-on and leverage Salesforce as the identity provider. Additionally, UC would like the billing application to be accessible from Salesforce. A redirect is acceptable.
Which two Salesforce tools should an identity architect recommend to satisfy the requirements? Choose 2 answers

• A. salesforce Canvas
• B. Identity Connect
• C. Connected Apps
• D. App Launcher

Answer: AD

NEW QUESTION 17
......