Identity and Access Management Designer Changed Identity-and-Access-Management-Architect Questions

The best solution to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with Salesforce credentials is to use SAML federated authentication, treat SAML sessions as high assurance, and raise the session level required for exporting reports. SAML federated authentication is a process that allows users to log in to Salesforce with an external identity provider (IdP), such as AD, that authenticates the user and issues a security token to Salesforce. By treating SAML sessions as high assurance, Salesforce assigns a higher level of trust and security to the sessions that are established by SAML federated authentication. By raising the session level required for exporting reports, Salesforce requires users to have a high assurance session before they can export reports. This solution ensures that only users who log in with AD credentials can export reports, while users who log in with Salesforce credentials can still view reports but not export them.

The other options are not valid solutions for this scenario. Using SAML federated authentication and blocking access to reports when accessed through a standard assurance session would prevent users who log in with Salesforce credentials from viewing reports at all, which is not the desired outcome. Using SAML federated authentication and custom SAML JIT provisioning to dynamically add or remove a permission set that grants the export reports permission would require UC to write custom code and logic to implement the JIT provisioning and manage the permission set, which could increase complexity and cost. Using SAML federated authentication with a login flow to dynamically add or remove a permission set that grants the export reports permission would also require UC to write custom code and logic to implement the login flow and manage the permission set, which could introduce errors and performance issues. References: [SAML Single Sign-On], [Session Security Levels], [Set Session Security Levels for Your Org], [Just-in-Time Provisioning for SAML], [Login Flows]

 To limit user access to only a subset of service providers per customer type, the identity architect should use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps. Connected apps are frameworks that enable external applications to integrate with Salesforce using APIs and standard protocols, such as OpenID Connect. By setting each of the Connected App access settings to Admin Pre-Approved, the identity architect can control which users can access which connected apps by assigning profiles or permission sets to the connected apps. The other options are not relevant for this scenario. References: Connected Apps, Manage Connected Apps

The SAML SSO flow that an architect should recommend for UC is IdP-initiated. IdP-initiated SSO is a process that allows users to start at the IdP site, such as UC’s custom web page, and then be redirected to Salesforce or other SPs with a SAML assertion that contains information about the user’s identity and attributes. This flow enables UC to provide a single point of entry for its users to access multiple applications with the same credentials, as they do not need to enter their username and password again for each application. This flow also simplifies the configuration and maintenance of SSO, as UC does not need to create or manage deep links or URLs for each application.

The other options are not valid SAML SSO flows for this scenario. SP-initiated with deep linking is a process that allows users to start at a specific resource on the SP site, such as a report or dashboard, and then be redirected to the IdP for authentication and back to the resource with a SAML assertion. This flow is not suitable for UC’s scenario, as they want their users to start at their custom web page, not at a specific resource on Salesforce or other SPs. SP-initiated is a process that allows users to start at the SP site, such as Salesforce or other applications, and then be redirected to the IdP for authentication and back to the SP site with a SAML assertion. This flow is not suitable for UC’s scenario, as they want their users to start at their custom web page, not at each application separately. User-agent is not a standard term for SAML SSO, but it could refer to user-agent flow, which is an OAuth authorization flow that allows users to obtain an access token from Salesforce by using a browser or web-view. This flow is not suitable for UC’s scenario, as it does not use SAML or IdP for authentication. References: [SAML Single Sign-On], [IdP-Initiated Login], [SP-Initiated Login], [Deep Linking], [OAuth User-Agent Flow]

 The most appropriate license types for GS regional leads and the GS capacity planners are:

• Customer Community Plus license for GS regional leads. This license type allows external users, such as customers or partners, to access standard Salesforce objects, such as cases and dashboards, and custom objects in a community. This license type also supports role hierarchy, sharing rules, and reports. This license type is suitable for GS regional leads who need to report damage of goods using cases and access dashboards to track regional shipping KPIs.
• External Identity license for GS capacity planners. This license type allows external users to access a limited set of standard Salesforce objects, such as contacts and documents, and custom objects in a community. This license type also supports identity features, such as single sign-on (SSO) and social sign-on. This license type is suitable for GS capacity planners who need to access the third-party cloud analytics tool using Salesforce as the identity provider.

The other options are not appropriate license types for this scenario. Customer Community license for GS capacity planners would not allow them to access the third-party cloud analytics tool using SSO, as this license type does not support identity features. Identity license for GS regional leads would not allow them to access cases and dashboards in the community, as this license type does not support standard Salesforce objects. References: [Customer Community Plus Licenses], [External Identity Licenses], [Customer Community Licenses], [Identity Licenses]