Question 1

Universal Containers (UC) wants to implement SAML SSO for their internal of Salesforce users using a third-party IdP. After some evaluation, UC decides NOT to 65« set up My Domain for their Salesforce org. How does that decision impact their SSO implementation?

Options :

A : IdP-initiated SSO will NOT work.

B : Neither SP- nor IdP-initiated SSO will work.

C : Either SP- or IdP-initiated SSO will work.

D : SP-initiated SSO will NOT work

Answer: B

Question 2

Universal Containers (UC) has an existing e-commerce platform and is implementing a new customer community. They do not want to force customers to register on both applications due to concern over the customers experience. It is expected that 25% of the e-commerce customers will utilize the customer community . The e-commerce platform is capable of generating SAML responses and has an existing REST-ful API capable of managing users. How should UC create the identities of its e-commerce users with the customer community?

Options :

A : Use SAML JIT in the Customer Community to create users when a user tries to login to the community from the e-commerce site.

B : Use the e-commerce REST API to create users when a user self-register on the customer community and use SAML to allow SSO.

C : Use a nightly batch ETL job to sync users between the Customer Community and the e-commerce platform and use SAML to allow SSO.

D : Use the standard Salesforce API to create users in the Community When a User is Created in the e-Commerce platform and use SAML to allow SSO.

Answer: A

Question 3

Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the

OAuth 2.0 user-agent flow. Application users will authenticate using username and password. They should not

be forced to approve API access in the mobile app or reauthenticate for 3 months.

Which two connected app options need to be configured to fulfill this use case?

Choose 2 answers

Options :

A : Set Permitted Users to "Admin approved users are pre-authorized".

B : Set Permitted Users to "All users may self-authorize".

C : Set the Session Timeout value to 3 months.

D : Set the Refresh Token Policy to expire refresh token after 3 months.

Answer: B,D

Question 4

Universal containers (UC) is building a mobile application that will make calls to the salesforce REST API.

Additionally UC would like to provide the optimal experience for its mobile users. Which two OAuth scopes

should UC configure in the connected App? Choose 2 answers

Options :

A :

Refresh token

B : API

C : full

D : Web

Answer: A,B

Question 5

Identity-and-Access-Management-Architect-page101-image4

An organization has a central cloud-based Identity and Access Management (IAM) Service for authentication

and user management, which must be utilized by all applications as follows:

1 - Change of a user status in the central IAM Service triggers provisioning or deprovisioining in the

integrated cloud applications.

2 - Security Assertion Markup Language single sign-on (SSO) is used to facilitate access for users

authenticated at identity provider (Central IAM Service).

Which approach should an IAM architect implement on Salesforce Sales Cloud to meet the requirements?

Options :

A :

A Configure Salesforce as a SAML Service Provider, and enable SCIM (System for Cross-Domain

Identity Management) for provisioning and deprovisioning of users.

B :

Configure Salesforce as a SAML service provider, and enable Just-in Time (JIT) provisioning and

deprovisioning of users

C :

Configure central IAM Service as an authentication provider and extend registration handler to manage

provisioning and deprovisioning of users.

D :

Deploy Identity Connect component and set up automated provisioning and deprovisioning of users, as

well as SAML-based SSO.

Answer: A