Identity-and-Access-Management-Architect Exam Dumps - Salesforce Identity and Access Management Designer Questions and Answers

Salesforce acts as an OAuth client when it uses Okta to authorize a Forecasting web application to access Salesforce records on behalf of the user. Salesforce acts as a SAML service provider when it accepts SAML assertions from Okta to authenticate NTO users. References: OAuth 2.0 Web Server Authentication Flow, SAML Single Sign-On Overview

The default client certificate or the certificate from the Certificate and Key Management menu is sent along with the outbound message. When sending outbound messages, Salesforce will present the CA-signed or self-signed certificate configured under Setup | Security Controls | Certificate and Key Management | API Client Certificate1. The default client certificate is a self-signed certificate that Salesforce generates for you when you enable outbound messages2. You can also create your own self-signed or CA-signed certificates and upload them to the Certificate and Key Management menu3. The certificate from the Develop | API menu is not used for outbound messages, but for SOAP API clients that need to authenticate with Salesforce4. References: 1: Know more about all the SSL certificates that are supported by Salesforce 2: Setting Up Outbound Messaging 3: Create a Self-Signed Certificate 4: [Generate or Regenerate a Client Certificate]

To meet the requirements of using a central cloud-based IAM service for authentication and user management, the IAM architect should implement Salesforce Sales Cloud as a SAML service provider and enable SCIM for provisioning and deprovisioning of users. SAML is a protocol that allows users to authenticate and authorize with an external identity provider and access Salesforce resources. By configuring Salesforce as a SAML service provider, the IAM architect can use the central IAM service as an identity provider and enable single sign-on for users. SCIM is a standard that defines how to manage user identities across different systems. By enabling SCIM in Salesforce, the IAM architect can synchronize user data between the central IAM service and Salesforce and automate user provisioning and deprovisioning based on the changes made in the central IAM service. References: SAML Single Sign-On Settings, SCIM User Provisioning for Connected Apps

The CA-Signed Certificate from the Certificate and Key Management menu is the certificate that is sent along with the outbound message. An outbound message is a SOAP message that is sent from Salesforce to an external endpoint when a workflow rule or approval process is triggered. To ensure that the communication between Salesforce and the target system is secure, the outbound message can be signed with a certificate that is generated or uploaded in the Certificate and Key Management menu. The certificate must be CA-Signed, which means that it is issued by a trusted certificate authority (CA) that verifies the identity of the sender. The other options are not valid certificates for this purpose. The default client certificate from the Develop–> API Menu is a self-signed certificate that is used for testing purposes only and does not provide adequate security. The default client certificate or a certificate from Certificate and Key Management menu is too vague and does not specify whether the certificate is CA-Signed or self-signed. The self-signed certificates from the Certificate & Key Management menu are certificates that are generated by Salesforce without any verification by a CA, and they are not recommended for production use.

References: [Outbound Messages], [Sign Outbound Messages with a Certificate], [CA-Signed Certificates], [Default Client Certificate], [Self-Signed Certificates]

To track login data and highlight or curb fraudulent activity, the identity architect should use Login Forensics. Login Forensics is a tool that analyzes login history data and provides insights into user login patterns, such as average number of logins, login outliers, login anomalies, and login risk scores. Login Forensics can help identify suspicious or malicious login attempts and take preventive actions. References: Login Forensics, Login Forensics Implementation Guide

 To allow users to login with their Facebook or LinkedIn credentials, Salesforce will play the role of a service provider (SP). A SP is an entity that relies on an identity provider (IdP) to authenticate and authorize users. In this scenario, Facebook and LinkedIn are the IdPs, and Salesforce is the SP. The SP receives a token from the IdP and uses it to access Salesforce resources. The other options are not correct for this scenario. References: Service Provider, Social Sign-On with Authentication Providers

OpenID Connect is an authentication protocol that allows a service provider to obtain user attributes in an ID token from an IdP. The other flows are OAuth 2.0 flows that are used for authorization, not authentication. References: Configure an Authentication Provider Using OpenID Connect, Integrate Service Providers as Connected Apps with OpenID Connect

The OAuth 2.0 Device Flow is a type of authorization flow that allows users to register an IoT device with limited display input or capabilities, such as a smart TV, a printer, or a smart speaker1. The device flow works as follows1:

• The device displays or reads out a verification code and a verification URL to the user.
• The user visits the verification URL on another device, such as a smartphone or a laptop, and enters the verification code.
• The user logs in to Salesforce and approves the device.
• The device polls Salesforce for an access token using the verification code.
• Salesforce returns an access token to the device, which can then access Salesforce APIs.

References:

• OAuth 2.0 Device Flow

 To integrate the order fulfillment app with the Salesforce API using OAuth 2.0 protocol, the identity architect should use a Connected App and OAuth scopes. A Connected App is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols, such as OAuth 2.0. OAuth scopes are permissions that define the specific data that an external application can access or modify in Salesforce. To use OAuth 2.0 protocol, the identity architect needs to configure a Connected App in Salesforce and assign the appropriate OAuth scopes to it, such as “api” or “full”. References: Connected Apps, OAuth Scopes

 B is correct because a third-party product can act as an Identity Provider (IdP) for both Salesforce and Google Apps and manage the user provisioning from a single place12. This reduces the administrative burden and provides a consistent user experience.

D is correct because Salesforce can act as an IdP and Google Apps can act as a Service Provider (SP) and they can use SAML or OpenID Connect for Single Sign-on (SSO)34. Salesforce also supports User Provisioning for Connected Apps, which allows the creation, update, and deactivation of users in Google Apps based on changes in Salesforce.

A is incorrect because building a custom app on Heroku as an IdP is not an optimal way to provision users and allow SSO. It would require more development and maintenance effort than using a third-party product or Salesforce as an IdP.

C is incorrect because Identity Connect is a tool that synchronizes users between Active Directory and Salesforce. It does not support Google Apps as a target system for user provisioning or SSO.

References: 1: Architect Journey: Identity and Access Management Trailmix - Trailhead 2: Free Salesforce Identity-and-Access-Management-Architect Questions … 3: [Single Sign-On Implementation Guide Developer Documentation] 4: [Social Single Sign-On with OpenID Connect Salesforce Developer YouTube] : [Authorize Apps with OAuth Trailblazer Community Documentation] : Identity Connect Implementation Guide Developer Documentation