Identity-and-Access-Management-Architect Free Practice Test

How should an identity architect automate provisioning and deprovisioning of users into Salesforce from an external system?

1. A. Call SOAP API upsertQ on user object.
2. B. Use Security Assertion Markup Language Just-in-Time (SAML JIT) on incoming SAML assertions.
3. C. Run registration handler on incoming OAuth responses.
4. D. Call OpenID Connect (OIDC)-userinfo endpoint with a valid access token.

Correct Answer: C
To automate provisioning and deprovisioning of users into Salesforce from an external system, the identity architect should run a registration handler on incoming OAuth responses. A registration handler is a class that implements the Auth.RegistrationHandler interface and defines how to create or update users in Salesforce based on the information from an external identity provider. OAuth is a protocol that allows users to authorize an external application to access Salesforce resources on their behalf. By running a registration handler on incoming OAuth responses, the identity architect can automate user provisioning and deprovisioning based on the OAuth attributes. References: Registration Handler, Authorize Apps with OAuth

Universal Containers (UC) currently uses Salesforce Sales Cloud and an external billing application. Both Salesforce and the billing application are accessed several times a day to manage customers. UC would like to configure single sign-on and leverage Salesforce as the identity provider. Additionally, UC would like the billing application to be accessible from Salesforce. A redirect is acceptable.
Which two Salesforce tools should an identity architect recommend to satisfy the requirements? Choose 2 answers

1. A. salesforce Canvas
2. B. Identity Connect
3. C. Connected Apps
4. D. App Launcher

Correct Answer: AD
Salesforce Canvas is a tool that allows external applications to be embedded into Salesforce as iframes, which can provide a seamless user experience. App Launcher is a feature that allows users to access connected apps from a single location in Salesforce. To enable single sign-on and use Salesforce as the identity provider, the external billing application needs to be configured as a connected app and use an OAuth 2.0 or SAML protocol. Identity Connect is not relevant for this scenario, as it is a tool for synchronizing user data between Salesforce and Active Directory. References: Salesforce Canvas Developer Guide, App Launcher, Connect Apps

A university is planning to set up an identity solution for its alumni. A third-party identity provider will be used for single sign-on Salesforce will be the system of records. Users are getting error messages when logging in.
Which Salesforce feature should be used to debug the issue?

1. A. Apex Exception Email
2. B. View Setup Audit Trail
3. C. Debug Logs
4. D. Login History

Correct Answer: D

Universal Containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in Salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two are recommendations to make the UC? Choose 2 answers

1. A. Disallow the use of Single Sign-on for any users of the mobile app.
2. B. Require High Assurance sessions in order to use the Connected App.
3. C. Set Login IP Ranges to the internal network for all of the app users Profiles.
4. D. Use Google Authenticator as an additional part of the login process

Correct Answer: BD
Requiring High Assurance sessions and using Google Authenticator are two ways to enhance the security of the connected app.
Option B is correct because requiring High Assurance sessions means that the users must verify their identity using a second factor, such as a verification code or biometric scan, before they can access the
connected app.
Option D is correct because using Google Authenticator as an additional part of the login process also adds a second factor of authentication, which can be generated by the Google Authenticator app on the user’s mobile device.
Option A is incorrect because disallowing the use of Single Sign-on for any users of the mobile app does not improve the security of the app, and may create more inconvenience for the users who have to remember multiple credentials.
Option C is incorrect because setting Login IP Ranges to the internal network for all of the app users Profiles does not work for users who are commonly out of the office, as they may need to access the app from different locations.
References: [High Assurance Sessions], [Google Authenticator], [Single Sign-On], [Login IP Ranges]

An insurance company has a connected app in its Salesforce environment that is used to integrate with a Google Workspace (formerly knot as G Suite).
An identity and access management (IAM) architect has been asked to implement automation to enable users, freeze/suspend users, disable users, and reactivate existing users in Google Workspace upon similar actions in Salesforce.
Which solution is recommended to meet this requirement?

1. A. Configure user Provisioning for Connected Apps.
2. B. Update the Security Assertion Markup Language Just-in-Time (SAML JIT) handler in Salesforce for user provisioning and de-provisioning.
3. C. Build a custom REST endpoint in Salesforce that Google Workspace can poll against.
4. D. Build an Apex trigger on the userlogin object to make asynchronous callouts to Google APIs.

Correct Answer: A
User Provisioning for Connected Apps allows Salesforce to create, update, and deactivate users in an external service such as Google Workspace based on user and permission set assignments in Salesforce. References: User Provisioning for Connected Apps