Identity-and-Access-Management-Architect Questions Bank

 B is correct because a third-party product can act as an Identity Provider (IdP) for both Salesforce and Google Apps and manage the user provisioning from a single place12. This reduces the administrative burden and provides a consistent user experience.

D is correct because Salesforce can act as an IdP and Google Apps can act as a Service Provider (SP) and they can use SAML or OpenID Connect for Single Sign-on (SSO)34. Salesforce also supports User Provisioning for Connected Apps, which allows the creation, update, and deactivation of users in Google Apps based on changes in Salesforce.

A is incorrect because building a custom app on Heroku as an IdP is not an optimal way to provision users and allow SSO. It would require more development and maintenance effort than using a third-party product or Salesforce as an IdP.

C is incorrect because Identity Connect is a tool that synchronizes users between Active Directory and Salesforce. It does not support Google Apps as a target system for user provisioning or SSO.

References: 1: Architect Journey: Identity and Access Management Trailmix - Trailhead 2: Free Salesforce Identity-and-Access-Management-Architect Questions … 3: [Single Sign-On Implementation Guide Developer Documentation] 4: [Social Single Sign-On with OpenID Connect Salesforce Developer YouTube] : [Authorize Apps with OAuth Trailblazer Community Documentation] : Identity Connect Implementation Guide Developer Documentation

The HTTP parameter that should be used when submitting a SAML request to the IdP to ensure the user is returned to the intended resource after authentication is RelayState. RelayState is an optional parameter that can be used to preserve some state information across the SSO process. For example, RelayState can be used to specify the URL of the resource that the user originally requested on the SP before being redirected to the IdP for authentication. After the IdP validates the user’s identity and sends back a SAML response, it also sends back the RelayState parameter with the same value as it received from the SP. The SP then uses the RelayState value to redirect the user to the intended resource after validating the SAML response. The other options are not valid HTTP parameters for this purpose. RedirectURL, DisplayState, and StartURL are not standard SAML parameters and they are not supported by Salesforce as SP or IdP. References: [SAML SSO Flows], [RelayState Parameter]

OAuth 2.0 SAML Bearer Assertion Flow is a protocol that allows a client app to obtain an access token from Salesforce by using a SAML assertion instead of an authorization code. The SAML assertion contains information about the client app and the user who wants to access Salesforce APIs. To use this flow, the client app needs to have a connected app configured in Salesforce with the Use Digital Signature option enabled and the “api” OAuth scope assigned. The administrators can authorize the applications that will be consuming the APIs by setting the Permitted Users policy of the connected app to Admin approved users are pre-authorized and assigning profiles or permission sets to the connected app. References: OAuth 2.0 SAML Bearer Assertion Flow, Connected Apps, OAuth Scopes

The two OAuth flows that support refresh tokens are Web server and User-Agent. According to the Salesforce documentation2, “The web server authentication flow and user-agent flow both provide a refresh token that can be used to get a new access token.” Therefore, option A and C are the correct answers.

References: Salesforce Documentation