Free Salesforce Identity-and-Access-Management-Architect Practice Exam with Questions & Answers | Set: 6

According to the Salesforce documentation1, OpenID Connect Token Introspection allows all OAuth connected apps to check the current state of an OAuth 2.0 access or refresh token. Theresource server or connected apps send the client app’s client ID and secret to the authorization server, initiating an OAuth authorization flow. As part of this flow, the authorization server validates, or introspects, the client app’s access token. If the access token is current and valid, the client app is granted access.

To meet the requirements of using a central cloud-basedIAM service for authentication and user management, the IAM architect should implement Salesforce Sales Cloud as a SAML service provider and enable SCIM for provisioning and deprovisioning of users. SAML is a protocol that allows users to authenticate andauthorize with an external identity provider and access Salesforce resources. By configuring Salesforce as a SAML service provider, the IAM architect can use the central IAM service as an identity provider and enable single sign-on for users. SCIM is a standard that defines how to manage user identities across different systems. By enabling SCIM in Salesforce, the IAM architect can synchronize user data between the central IAM service and Salesforce and automate user provisioning and deprovisioning based onthe changes made in the central IAM service. References: SAML Single Sign-On Settings, SCIM User Provisioning for Connected Apps

To invalidate an existing Salesforce OAuth token, the external application needs to make a HTTP POST request to the revoke token endpoint, passing the token as a parameter. This will revoke the access token and the refresh token if available. The other options are not relevant for this scenario. References: Revoke OAuth Tokens, OAuth 2.0 Token Revocation

Building an integration that performs a remote call-in to theSalesforce SOAP or REST API is the best way to provision Salesforce users as soon as they are approved in the helpdesk application. The API allows creating and updating user records with the approved profiles and permission sets. The other options are either not suitable or not sufficient for this use case. References: User SOAP API Developer Guide, User REST API Developer Guide

To have users provisioned via a service endpoint before users access their app from Salesforce, the identity architect should recommend using a connected app with user provisioning flow. A connected app is a framework thatenables an external application to integrate with Salesforce using APIs and standard protocols. A user provisioning flow is a custom post-authentication process that can be used to create or update users in the external application using a service endpoint when users access the connected app from Salesforce. This approach can provide automatic user provisioning with limited changes to the third-party app. References: Connected Apps, User Provisioning for Connected Apps

 D is correct because External Identity license is designed forcustomers who need to log in to Salesforce using external authentication providers, such as Facebook and Google. External Identity license also supports App Launcher, which allows customers to access other applications from Salesforce using OAuth or OpenIDConnect .

A is incorrect because Customer Community license is designed for customers who need to access data and records in Salesforce, such as cases, accounts, and contacts. Customer Community license does not support App Launcher or external authentication providers.

B is incorrect because Identity license is designed for employees who need to access multiple applications from Salesforce using SSO and App Launcher. Identity license does not support external authentication providers or customer data access.

C is incorrect because Customer Community Plus license is designed for customers who need to access data and records in Salesforce, as well as collaborate with other customers and partners. Customer Community Plus license does not support App Launcheror external authentication providers.

  These are the systems that are acting as identity providers (IdPs) in the SSO scenario. An IdP is a trusted provider that enables a customer to use single sign-on (SSO) to access other websites5. In this case, Pingfederate and Salesforce Org 1 are the IdPs that authenticate the users and issue SAML assertions or OAuth tokensto the service providers (SPs). The SPs are the websites that hostapps and rely on the IdPs for authentication5. In this case, Salesforce Org 2, Financial System, and CPQ Systemare the SPs that receive the SAML assertions or OAuth tokens from the IdPs and grant access to the users.

Option A is incorrect because Financial System is not an IdP, but an SP. It does not authenticate the users, but receives SAML assertions from Pingfederate. Option C is incorrect because Salesforce Org 2 is not an IdP, but an SP. It does not authenticate the users, but receives OAuth tokens from Salesforce Org 1.

 To allow agents to access the Canvas appwithout needing to log in to the pricing application, the identity architect should consider two options:

Configure the Canvas app as a connected app and set Admin-approved users as pre-authorized. A connected app is a framework that enables an externalapplication to integrate with Salesforce using APIs and standard protocols. A Canvas app is a type of connected app that allows an external application to be embedded within Salesforce. By setting Admin-approved users as pre-authorized, the identity architect can control which users can access the Canvas app by assigning profiles or permission sets to the connected app.

Enable SAML in the connected app and Security Assertion Markup Language (SAML) Initiation Method as Service Provider Initiated. SAML is aprotocol that allows users to authenticate and authorize with an external identity provider and access Salesforce resources. By enabling SAML in the connected app, the identity architect can use Salesforce as a service provider (SP) and the pricing application as an identity provider (IdP) for single sign-on (SSO). By setting SAML Initiation Method as Service Provider Initiated, the identity architect can initiate the SSO process from Salesforce and send a SAML request to the pricing application. References: Connected Apps, Canvas Apps, SAML Single Sign-On Settings

 To integrate the order fulfillment app with the Salesforce API using OAuth 2.0 protocol, the identity architect should use aConnected App and OAuth scopes. A Connected App is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols, such as OAuth 2.0. OAuth scopes are permissions that define the specific data that an external application can access or modify in Salesforce. To use OAuth 2.0 protocol, the identity architect needs to configure a Connected App in Salesforce and assign the appropriate OAuth scopes to it, such as “api” or “full”. References: Connected Apps, OAuth Scopes

To allowcustomers to use phone numbers to log in to their new digital portal, the identity architect should create a Login Discovery page and provide a Login Discovery Handler Apex class. A Login Discovery page is a custom page that allows users to enter their phone number or email address and receive a verification code via email or text. A Login Discovery Handler is a class that implements the Auth.LoginDiscoveryHandler interface and defines how to handle the user input and verification code. This approach can provide a passwordless login experience for the customers. References: Login Discovery, Create a Login Discovery Page