Identity-and-Access-Management-Architect Exam Dumps - Salesforce Identity-and-Access-Management-Architect Questions and Answers

A Canvas app is a web application that can be embedded within Salesforce and access Salesforce data using the signed request authentication method. This method allows the Canvas app to receive a signed request that contains the context and OAuth token when it is loaded. The Canvas app can use the SDK to request a new or refreshed signed request on demand2. This way, the users do not need to re-authenticate when accessing the web application from Salesforce. References: Requesting a Signed Request, SAML SingleSign-On for Canvas Apps, Mastering Salesforce Canvas Apps

Using the App Launcher with SSO and using a connected app are two features that can be utilized to provide users with login and identity services for the third-party application. The App Launcher allows users to access multiple apps from one location with SSO. The connected app allows users to authorize access to the third-party application using OAuth 2.0. The other options are either not relevant or not applicable for this use case. References: App Launcher, Connected Apps

The optimal way to implement SSO with Active Directory as the enterprise identity store is to use Salesforce Identity Connect as the identity provider. Salesforce Identity Connect is a software that integrates Microsoft Active Directory with Salesforce and enables single sign-on (SSO) using SAML. It also allows user data synchronization between Active Directory and Salesforce and profile and permission set assignment based on Active Directory group membership. Option A is not a good choice because using Active Directory with reverse proxy as the identity provider may not be supported by Salesforce or may require additional configuration and customization. Option B is not a good choice because using Microsoft Access Control Service as the authentication provider may not be available, as Microsoft has retired this service in 2018. Option C is not a good choice because using Active Directory Federation Service (ADFS) as the identity provider may not allow user data synchronization or profile andpermission set assignment based on Active Directory group membership, unless it is combined with another tool such as Salesforce Identity Connect.

To give customers the ability to login with their Facebook and Twitter credentials, the identity architect should configure a predefined authentication provider for Facebook and a predefined authentication provider for Twitter. Authentication providers are configurations that enable users to authenticate with an external identity provider and access Salesforce resources. Salesforce provides predefined authentication providers for somecommon identity providers, such as Facebook and Twitter, which can be easily configured with minimal customization. Creating a custom external authentication provider is not necessary for this scenario. References: Authentication Providers, Social Sign-Onwith Authentication Providers

The underlying mechanisms that the UC Architect must ensure are part of the product are Just-in-Time (JIT) provisioning and deprovisioning. JIT provisioningis a process that creates or updates user accounts in Salesforce when users log in with SAML single sign-on (SSO)6. JIT deprovisioning is a process that disables or deletes user accounts in Salesforce when users are removed from the identity provider (IdP). Both of these processes enable automated provisioning and deprovisioning of users without requiring manual intervention or synchronization. The other options are not valid mechanisms for provisioning and deprovisioning. SOAP API is an application programming interface that allows developers to create, retrieve, update, or delete records in Salesforce. However, SOAP API does not support JIT provisioning ordeprovisioning, and requires custom code to implement. Provisioning API is not a standard term for Salesforce, and there is no such API that supports both provisioning and deprovisioning.

 To limit user access to only a subset of service providers per customer type, the identity architect should use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps. Connected apps are frameworks that enable external applications to integrate with Salesforce using APIs and standard protocols, such as OpenID Connect. By setting each of the Connected App access settings to Admin Pre-Approved, the identity architect can control which users can access which connected apps by assigning profiles or permission sets to the connected apps. The other options are not relevant for this scenario. References: Connected Apps, Manage Connected Apps

The three differentattributes that can be used to identify the user in a SAML assertion when Salesforce is acting as a Service Provider are Federation ID, User Email Address, and Salesforce Username. According to the Salesforce documentation, “Salesforce supports three attributes for identifying users in a SAML assertion: Federation ID, User Email Address, and Salesforce Username.” Therefore, option A, D, and E are the correct answers.

The recommended solution to grant mobile app access to sales users is to use connected apps OAuth policies to restrict mobile app access to authorized users. A connected app is a configuration in Salesforce that allows an external application, such as a mobile app, to connect to Salesforce using OAuth. OAuth is a protocol that allows the mobile app to obtain an access token from Salesforce after the user grants permission. The access token can then be used by the mobile app to access Salesforce data and features. OAuth policies are settings that control how users can access a connected app, such as who can use the app, how long the access token is valid, and what level of access the app requests. By configuring OAuth policies in the connected app settings, Universal Containers can restrict the mobile app access to only the sales team and protect against unauthorized or excessive access.

Requiring High Assurance sessions and using Google Authenticator are two ways to enhance the security of the connected app.

Option B is correct because requiring High Assurance sessions means that the users must verify their identity using a secondfactor, such as a verification code or biometric scan, before they can access the connected app.

Option D is correct because using Google Authenticator as an additional part of the login process also adds a second factor of authentication, which can begenerated by the Google Authenticator app on the user’s mobile device.

Option A is incorrect because disallowing the use of Single Sign-on for any users of the mobile app does not improve the security of the app, and may create more inconvenience for the users who have to remember multiple credentials.

Option C is incorrect because setting Login IP Ranges to the internal network for all of the app users Profiles does not work for users who are commonly out of the office, as they may need to access the app from different locations.

 To authenticate and authorize Salesforce users with AWS, the identity architect should configure AWS as an OpenID Connect Provider. OpenID Connect is a protocol that allows users to sign in with an external identity provider, such as AWS, and access Salesforce resources. To enable this, the identity architect needs to configure an OpenID Connect Authentication Provider in Salesforce and link it to a connected app. The other options are not relevant for this scenario. References: OpenID Connect Authentication Providers, Social Sign-On with OpenID Connect