Identity-and-Access-Management-Architect Free Practice Test

Universal Containers would like its customers to register and log in to a portal built on Salesforce Experience Cloud. Customers should be able to use their Facebook or Linkedln credentials for ease of use.
Which three steps should an identity architect take to implement social sign-on? Choose 3 answers

1. A. Register both Facebook and Linkedln as connected apps.
2. B. Create authentication providers for both Facebook and Linkedln.
3. C. Check "Facebook" and "Linkedln" under Login Page Setup.
4. D. Enable "Federated Single Sign-On Using SAML".
5. E. Update the default registration handlers to create and update users.

Correct Answer: BCE
To implement social sign-on for customers to register and log in to a portal built on Salesforce Experience Cloud using their Facebook or LinkedIn credentials, the identity architect should take three steps:
Create authentication providers for both Facebook and LinkedIn. Authentication providers are configurations that enable users to authenticate with an external identity provider and access Salesforce resources. Salesforce provides predefined authentication providers for some common identity providers, such as Facebook and LinkedIn, which can be easily configured with minimal customization.
Check “Facebook” and “LinkedIn” under Login Page Setup. Login Page Setup is a setting that allows administrators to customize the login page for Experience Cloud sites. By checking “Facebook” and “LinkedIn”, the identity architect can enable social sign-on buttons for these identity providers on the login page.
Update the default registration handlers to create and update users. Registration handlers are classes that implement the Auth.RegistrationHandler interface and define how to create or update users in Salesforce based on the information from the external identity provider. The identity architect can update the default registration handlers to link the user’s social identity with their Salesforce identity and prevent duplicate accounts. References: Authentication Providers, Social Sign-On with Authentication Providers, Login Page Setup, Create a Custom Registration Handler

A manufacturer wants to provide registration for an Internet of Things (IoT) device with limited display input or capabilities.
Which Salesforce OAuth authorization flow should be used?

1. A. OAuth 2.0 JWT Bearer How
2. B. OAuth 2.0 Device Flow
3. C. OAuth 2.0 User-Agent Flow
4. D. OAuth 2.0 Asset Token Flow

Correct Answer: B
The OAuth 2.0 Device Flow is a type of authorization flow that allows users to register an IoT device with limited display input or capabilities, such as a smart TV, a printer, or a smart speaker1. The device flow works as follows1:
The device displays or reads out a verification code and a verification URL to the user.
The user visits the verification URL on another device, such as a smartphone or a laptop, and enters the verification code.
The user logs in to Salesforce and approves the device.
The device polls Salesforce for an access token using the verification code.
Salesforce returns an access token to the device, which can then access Salesforce APIs.
References:
OAuth 2.0 Device Flow

Universal Containers (UC) uses Active Directory (AD) as their identity store for employees and must continue to do so for network access. UC is undergoing a major transformation program and moving all of their enterprise applications to cloud platforms including Salesforce, Workday, and SAP HANA. UC needs to implement an SSO solution for accessing all of the third-party cloud applications and the CIO is inclined to use Salesforce for all of their identity and access management needs.
Which two Salesforce license types does UC need for its employees' Choose 2 answers

1. A. Company Community and Identity licenses
2. B. Identity and Identity Connect licenses
3. C. Chatter Only and Identity licenses
4. D. Salesforce and Identity Connect licenses

Correct Answer: BD
The two Salesforce license types that UC needs for its employees are Identity and Identity Connect licenses. According to the Salesforce documentation, “Identity licenses let your employees access any app that supports standards-based single sign-on (SSO). Identity Connect licenses let you integrate your Active Directory with Salesforce.” Therefore, option B and D are the correct answers. References: [Identity Licenses]

Universal Containers (UC) wants to integrate a third-party Reward Calculation system with Salesforce to calculate Rewards. Rewards will be calculated on a schedule basis and update back into Salesforce. The integration between Salesforce and the Reward Calculation System needs to be secure. Which are two recommended practices for using OAuth flow in this scenario. choose 2 answers

1. A. OAuth Refresh Token FLow
2. B. OAuth Username-Password Flow
3. C. OAuth SAML Bearer Assertion FLow
4. D. OAuth JWT Bearer Token FLow

Correct Answer: CD
OAuth is an open-standard protocol that allows a client app to access protected resources on a resource server, such as Salesforce API, by obtaining an access token from an authorization server. OAuth supports different types of flows, which are ways of obtaining an access token. For integrating a third-party Reward Calculation system with Salesforce securely, two recommended practices for using OAuth flow are:
OAuth SAML Bearer Assertion Flow, which allows the client app to use a SAML assertion issued by a trusted identity provider to request an access token from Salesforce. This flow does not require the client app to store any credentials or secrets, and leverages the existing SSO infrastructure between Salesforce and the identity provider.
OAuth JWT Bearer Token Flow, which allows the client app to use a JSON Web Token (JWT) signed by a private key to request an access token from Salesforce. This flow does not require any user interaction or consent, and uses a certificate to verify the identity of the client app.
Verified References: [OAuth 2.0 SAML Bearer Assertion Flow for Server-to-Server Integration], [OAuth 2.0 JWT Bearer Token Flow for Server-to-Server Integration]

A global company's Salesforce Identity Architect is reviewing its Salesforce production org login history and is seeing some intermittent Security Assertion Markup Language (SAML SSO) 'Replay Detected and Assertion Invalid' login errors.
Which two issues would cause these errors?
Choose 2 answers

1. A. The subject element is missing from the assertion sent to salesforce.
2. B. The certificate loaded into SSO configuration does not match the certificate used by the IdP.
3. C. The current time setting of the company's identity provider (IdP) and Salesforce platform is out of sync by more than eight minutes.
4. D. The assertion sent to 5alesforce contains an assertion ID previously used.

Correct Answer: CD
A SAML SSO ‘Replay Detected and Assertion Invalid’ error occurs when Salesforce detects that the same assertion has been used more than once within the validity period. This can happen if the assertion ID is reused by the IdP or if the assertion is resent by the user. Another possible cause is that the time settings of the IdP and Salesforce are not synchronized, which can result in an assertion being valid for a shorter or longer period than expected. References: SAML Single Sign-On Settings, Troubleshoot SAML Single Sign-On