Question 1

An Architect has configured a SAML-based SSO integration between Salesforce and an external Identity provider and is ready to test it. When the Architect attempts to log in to Salesforce using SSO, the Architect receives a SAML error. Which two optimal actions should the Architect take to troubleshoot the issue?

Options :

A : Ensure the Callback URL is correctly set in the Connected Apps settings.

B : Use a browser that has an add-on/extension that can inspect SAML.

C : Paste the SAML Assertion Validator in Salesforce.

D : Use the browser-s Development tools to view the Salesforce page-s markup.

Answer: B,C

Question 2

Northern Trail Outfitters would like to automatically create new employee users in Salesforce with an

appropriate profile that maps to its Active Directory Department.

How should an identity architect implement this requirement?

Options :

A :

Use the createUser method in the Just-in-Time (JIT) provisioning registration handler to assign the

appropriate profile.

B :

Use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign the

appropriate profile.

C :

Use a login flow to collect Security Assertion Markup Language attributes and assign the appropriate

profile during Just-In-Time

(JIT) provisioning.

D :

Make a callout during the login flow to query department from Active Directory to assign the

appropriate profile.

Answer: B

Question 3

Universal Containers (UC) is implementing Salesforce and would like to establish SAML SSO for its users to

log in. UC stores its corporate user identities in a Custom Database. The UC IT Manager has heard good

things about Salesforce Identity Connect as an Idp, and would like to understand what limitations they may

face if they decided to use Identity Connect in their current environment. What limitation Should an Architect

inform the IT Manager about?

Options :

A :

Identity Connect will not support user provisioning in UC-s current environment.

B :

Identity Connect will only support Idp-initiated SAML flows in UC-s current environment.

C :

Identity Connect will only support SP-initiated SAML flows in UC-s current environment.

D : Identity connect is not compatible with UC-s current identity environment.

Answer: A

Question 4

Identity-and-Access-Management-Architect-page101-image4

An organization has a central cloud-based Identity and Access Management (IAM) Service for authentication

and user management, which must be utilized by all applications as follows:

1 - Change of a user status in the central IAM Service triggers provisioning or deprovisioining in the

integrated cloud applications.

2 - Security Assertion Markup Language single sign-on (SSO) is used to facilitate access for users

authenticated at identity provider (Central IAM Service).

Which approach should an IAM architect implement on Salesforce Sales Cloud to meet the requirements?

Options :

A :

A Configure Salesforce as a SAML Service Provider, and enable SCIM (System for Cross-Domain

Identity Management) for provisioning and deprovisioning of users.

B :

Configure Salesforce as a SAML service provider, and enable Just-in Time (JIT) provisioning and

deprovisioning of users

C :

Configure central IAM Service as an authentication provider and extend registration handler to manage

provisioning and deprovisioning of users.

D :

Deploy Identity Connect component and set up automated provisioning and deprovisioning of users, as

well as SAML-based SSO.

Answer: A

Question 5

Universal containers (UC) wants to integrate a Web application with salesforce. The UC team has

implemented the Oauth web-server Authentication flow for authentication process. Which two considerations

should an architect point out to UC? Choose 2 answers

Options :

A : The web application should be hosted on a secure server.

B : The web server must be able to protect consumer privacy

C : The flow involves passing the user credentials back and forth.

D : The flow will not provide an Oauth refresh token back to the server.

Answer: A,B