NEW QUESTION 1
Universal containers uses an Employee portal for their employees to collaborate. employees access the portal from their company's internal website via SSO. It is set up to work with Active Directory. What is the role of Active Directory in this scenario?

• A. Identity store
• B. Authentication store
• C. Identity provider
• D. Service provider

Answer: C

NEW QUESTION 2
Universal containers (UC) does my domain enable in the context of a SAML SSO configuration? Choose 2 answers

• A. Resource deep linking
• B. App launcher
• C. SSO from salesforce1 mobile app.
• D. Login forensics

Answer: AC

NEW QUESTION 3
A multinational company is looking to rollout Salesforce globally. The company has a Microsoft Active Directory Federation Services (ADFS) implementation for the Americas, Europe and APAC. The company plans to have a single org and they would like to have all of its users access Salesforce using the ADFS . The company would like to limit its investments and prefer not to procure additional applications to satisfy the requirements.

What is recommended to ensure these requirements are met ?

• A. Use connected apps for each ADFS implementation and implement Salesforce site to authenticate users across the ADFS system applicable to their geo.
• B. Implement Identity Connect to provide single sign-on to Salesforce and federated across multiple ADFS systems.
• C. Add a central identity system that federates between the ADFS systems and integrate with Salesforce for single sign-on.
• D. Configure Each ADFS system under single sign-on settings and allow users to choose the system to authenticate during sign on to Salesforce

Answer: B

NEW QUESTION 4
Containers (UC) uses an internal system for recruiting and would like to have the candidates' info available in the Salesforce automatically when they are selected. UC decides to use OAuth to connect to Salesforce from the recruiting system and would like to do the authentication using digital certificates. Which two OAuth flows should be considered to meet the requirement? Choose 2 answers

• A. JWT Bearer Token flow
• B. Refresh Token flow
• C. SAML Bearer Assertion flow
• D. Web Service flow

Answer: AC

NEW QUESTION 5
Universal Containers (UC) wants its closed Won opportunities to be synced to a Data Warehouse in near real time. UC has implemented Outbound Message to enable near real-time data sync. UC wants to ensure that communication between Salesforce and Target System is Secure. What Certificate is sent along with the Outbound Message?

• A. The CA-Signed Certificate from the Certificate and Key Management menu.
• B. The default Client Certificate from the Develop--> API Menu.
• C. The default Client Certificate or a Certificate from Certificate and Key Management menu.
• D. The Self-Signed Certificates from the Certificate & Key Management menu.

Answer: B

NEW QUESTION 6
Which two things should be done to ensure end users can only use single sign-on (SSO) to login in to Salesforce?
Choose 2 answers

• A. Enable My Domain and select "Prevent login from https://login.salesforce.com".
• B. Request Salesforce Support to enable delegated authentication.
• C. Once SSO is enabled, users are only able to login using Salesforce credentials.
• D. Assign user "is Single Sign-on Enabled" permission via profile or permission set.

Answer: AD

NEW QUESTION 7
Universal Containers (UC) has decided to replace the homegrown customer portal with Salesforce Experience Cloud. UC will continue to use its third-party single sign-on (SSO) solution that stores all of its customer and partner credentials.
The first time a customer logs in to the Experience Cloud site through SSO, a user record needs to be created automatically.
Which solution should an identity architect recommend in order to automatically provision users in Salesforce upon login?

• A. Just-in-Time (JIT) provisioning
• B. Custom middleware and web services
• C. Custom login flow and Apex handler
• D. Third-party AppExchange solution

Answer: A

NEW QUESTION 8
Universal containers (UC) has implemented SAML -based single Sign-on for their salesforce application. UC is using pingfederate as the Identity provider. To access salesforce, Users usually navigate to a bookmarked link to my domain URL. What type of single Sign-on is this?

• A. Sp-Initiated
• B. IDP-initiated with deep linking
• C. IDP-initiated
• D. Web server flow.

Answer: A

NEW QUESTION 9
Universal Containers (UC) would like to enable self-registration for their Salesforce Partner Community Users. UC wants to capture some custom data elements from the partner user, and based on these data elements, wants to assign the appropriate Profile and Account values.
Which two actions should the Architect recommend to UC1 Choose 2 answers

• A. Configure Registration for Communities to use a custom Visualforce Page.
• B. Modify the SelfRegistration trigger to assign Profile and Account.
• C. Modify the CommunitiesSelfRegController to assign the Profile and Account.
• D. Configure Registration for Communities to use a custom Apex Controller.

Answer: AC

NEW QUESTION 10
A group of users try to access one of Universal Containers' Connected Apps and receive the following error message: " Failed: Not approved for access." What is the most likely cause of this issue?

• A. The Connected App settings "All users may self-authorize" is enabled.
• B. The Salesforce Administrators have revoked the OAuth authorization.
• C. The Users do not have the correct permission set assigned to them.
• D. The User of High Assurance sessions are required for the Connected App.

Answer: C

NEW QUESTION 11
Which three different attributes can be used to identify the user in a SAML 65> assertion when Salesforce is acting as a Service Provider? Choose 3 answers

• A. Federation ID
• B. Salesforce User ID
• C. User Full Name
• D. User Email Address
• E. Salesforce Username

Answer: ACD

NEW QUESTION 12
A company's external application is protected by Salesforce through OAuth. The identity architect for the project needs to limit the level of access to the data of the protected resource in a flexible way.
What should be done to improve security?

• A. Select "Admin approved users are pre-authonzed" and assign specific profiles.
• B. Create custom scopes and assign to the connected app.
• C. Define a permission set that grants access to the app and assign to authorized users.
• D. Leverage external objects and data classification policies.

Answer: B

NEW QUESTION 13
Northern Trail Outfitters would like to automatically create new employee users in Salesforce with an appropriate profile that maps to its Active Directory Department.
How should an identity architect implement this requirement?

• A. Use the createUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.
• B. Use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.
• C. Use a login flow to collect Security Assertion Markup Language attributes and assign the appropriate profile during Just-In-Time (JIT) provisioning.
• D. Make a callout during the login flow to query department from Active Directory to assign the appropriate profile.

Answer: B

NEW QUESTION 14
Universal Containers (UC) wants to implement SAML SSO for their internal of Salesforce users using a third-party IdP. After some evaluation, UC decides NOT to 65« set up My Domain for their Salesforce org. How does that decision impact their SSO implementation?

• A. IdP-initiated SSO will NOT work.
• B. Neither SP- nor IdP-initiated SSO will work.
• C. Either SP- or IdP-initiated SSO will work.
• D. SP-initiated SSO will NOT work

Answer: B

NEW QUESTION 15
Which two capabilities does My Domain enable in the context of a SAML SSO configuration? Choose 2 answers

• A. App Launcher
• B. Resource deep linking
• C. SSO from Salesforce Mobile App
• D. Login Forensics

Answer: BC

NEW QUESTION 16
A client is planning to rollout multi-factor authentication (MFA) to its internal employees and wants to understand which authentication and verification methods meet the Salesforce criteria for secure authentication.
Which three functions meet the Salesforce criteria for secure mfa? Choose 3 answers

• A. username and password + SMS passcode
• B. Username and password + secunty key
• C. Third-party single sign-on with Mobile Authenticator app
• D. Certificate-based Authentication
• E. Lightning Login

Answer: BCE

NEW QUESTION 17
......