NEW QUESTION 1
Universal Containers (UC) has a mobile application for its employees that uses data from Salesforce as well as uses Salesforce for Authentication purposes. UC wants its mobile users to only enter their credentials the first time they run the app. The application has been live for a little over 6 months, and all of the users who were part of the initial launch are complaining that they have to re-authenticate. UC has also recently changed the URI Scheme associated with the mobile app. What should the Architect at UC first investigate?Universal Containers (UC) has a mobile application for its employees that uses data from Salesforce as well as uses Salesforce for Authentication purposes. UC wants its mobile users to only enter their credentials the first time they run the app. The application has been live for a little over 6 months, and all of the users who were part of the initial launch are complaining that they have to re-authenticate. UC has also recently changed the URI Scheme associated with the mobile app. What should the Architect at UC first investigate?

• A. Check the Refresh Token policy defined in the Salesforce Connected App.
• B. Validate that the users are checking the box to remember their passwords.
• C. Verify that the Callback URL is correctly pointing to the new URI Scheme.
• D. Confirm that the access Token's Time-To-Live policy has been set appropriately.

Answer: A

NEW QUESTION 2
Universal Containers (UC) has decided to replace the homegrown customer portal with Salesforce Experience Cloud. UC will continue to use its third-party single sign-on (SSO) solution that stores all of its customer and partner credentials.
The first time a customer logs in to the Experience Cloud site through SSO, a user record needs to be created automatically.
Which solution should an identity architect recommend in order to automatically provision users in Salesforce upon login?

• A. Just-in-Time (JIT) provisioning
• B. Custom middleware and web services
• C. Custom login flow and Apex handler
• D. Third-party AppExchange solution

Answer: A

NEW QUESTION 3
A global company has built an external application that uses data from its Salesforce org via an OAuth 2.0 authorization flow. Upon logout, the existing Salesforce OAuth token must be invalidated.
Which action will accomplish this?

• A. Use a HTTP POST to request the refresh token for the current user.
• B. Use a HTTP POST to the System for Cross-domain Identity Management (SCIM) endpoint, including the current OAuth token.
• C. Use a HTTP POST to make a call to the revoke token endpoint.
• D. Enable Single Logout with a secure logout URL.

Answer: C

NEW QUESTION 4
Northern Trail Outfitters (NTO) uses a Security Assertion Markup Language (SAML)-based Identity Provider (idP) to authenticate employees to all systems. The IdP authenticates users against a Lightweight Directory Access Protocol (LDAP) directory and has access to user information. NTO wants to minimize Salesforce license usage since only a small percentage of users need Salesforce.
What is recommended to ensure new employees have immediate access to Salesforce using their current IdP?

• A. Install Salesforce Identity Connect to automatically provision new users in Salesforce the first time they attempt to login.
• B. Build an integration that queries LDAP periodically and creates new active users in Salesforce.
• C. Configure Just-in-Time provisioning using SAML attributes to create new Salesforce users as necessary when a new user attempts to login to Salesforce.
• D. Build an integration that queries LDAP and creates new inactive users in Salesforce and use a login flow to activate the user atfirst login.

Answer: C

NEW QUESTION 5
Universal Containers (UC) is building an integration between Salesforce and a legacy web applications using the canvas framework. The security for UC has determined that a signed request from Salesforce is not an adequate authentication solution for the Third-Party app. Which two options should the Architect consider for authenticating the third-party app using the canvas framework? Choose 2 Answers

• A. Utilize the SAML Single Sign-on flow to allow the third-party to authenticate itself against UC's IdP.
• B. Utilize Authorization Providers to allow the third-party appliction to authenticate itself againstSalesforce as the Idp.
• C. Utilize Canvas OAuth flow to allow the third-party appliction to authenticate itself against Salesforce as the Idp.
• D. Create a registration handler Apex class to allow the third-party appliction to authenticate itself against Salesforce as the Idp.

Answer: AC

NEW QUESTION 6
Universal containers (UC) has implemented ansp-Initiated SAML flow between an external IDP and salesforce. A user at UC is attempting to login to salesforce1 for the first time and is being prompted for salesforce credentials instead of being shown the IDP login page. What is the likely cause of the issue?

• A. The "Redirect to Identity Provider" option has been selected in the my domain configuration.
• B. The user has not configured the salesforce1 mobile app to use my domain for login
• C. The "Redirect to identity provider" option has not been selected the SAML configuration.
• D. The user has not been granted the "Enable single Sign-on" permission

Answer: B

NEW QUESTION 7
Universal Containers (UC) has built a custom token-based Two-factor authentication (2FA) system for their existing on-premise applications. They are now implementing Salesforce and would like to enable a
Two-factor login process for it, as well. What is the recommended solution as Architect should consider?

• A. Use the custom 2FA system for on-premise applications and native 2FA for Salesforce.
• B. Replace the custom 2FA system with an AppExchange App that supports on premise application and salesforce.
• C. Use Custom Login Flows to connect to the existing custom 2FA system for use in Salesforce.
• D. Replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce.

Answer: D

NEW QUESTION 8
Universal Containers is implementing a new Experience Cloud site and the identity architect wants to use dynamic branding features as of the login process.
Which two options should the identity architect recommend to support dynamic branding for the site? Choose 2 answers

• A. To use dynamic branding, the community must be built with the Visuaiforce + Salesforce Tabs template.
• B. To use dynamic branding, the community must be built with the Customer Account Portal template.
• C. An experience ID (expid) or placeholder parameter must be used in the URL to represent the brand.
• D. An external content management system (CMS) must be used for dynamic branding on Experience Cloud sites.

Answer: BC

NEW QUESTION 9
Universal containers(UC) wants to integrate a third-party reward calculation system with salesforce to calculate rewards. Rewards will be calculated on a schedule basis and update back into salesforce. The integration between Salesforce and the reward calculation system needs to be secure. Which are the recommended best practices for using Oauth flows in this scenario? Choose 2 answers

• A. Oauth refresh token flow
• B. Oauth SAML bearer assertion flow
• C. Oauthjwt bearer token flow
• D. Oauth Username-password flow

Answer: BC

NEW QUESTION 10
A manufacturer wants to provide registration for an Internet of Things (IoT) device with limited display input or capabilities.
Which Salesforce OAuth authorization flow should be used?

• A. OAuth 2.0 JWT Bearer How
• B. OAuth 2.0 Device Flow
• C. OAuth 2.0 User-Agent Flow
• D. OAuth 2.0 Asset Token Flow

Answer: B

NEW QUESTION 11
Universal Containers (UC) is building a customer community and will allow customers to authenticate using Facebook credentials. The First time the user authenticating using facebook, UC would like a customer account created automatically in their Accounting system. The accounting system has a web service accessible to Salesforce for the creation of accounts. How can the Architect meet these requirements?

• A. Create a custom application on Heroku that manages the sign-on process from Facebook.
• B. Use JIT Provisioning to automatically create the account in the accounting system.
• C. Add an Apex callout in the registration handler of the authorization provider.
• D. Use OAuth JWT flow to pass the data from Salesforce to the Accounting System.

Answer: C

NEW QUESTION 12
An Identity and Access Management (IAM) architect is tasked with unifying multiple B2C Commerce sites and an Experience Cloud community with a single identity. The solution needs to support more than 1,000 logins per minute.
What should the IAM do to fulfill this requirement?

• A. Configure both the community and the commerce sites as OAuth2 RPs (relying party) with an external identity provider.
• B. Configure community as a Security Assertion Markup Language (SAML) identity provider and enable Just-in-Time Provisioning to B2C Commerce.
• C. Create a default account for capturing all ecommerce contacts registered on the community because personAccount is not supported for this case.
• D. Confirm performance considerations with Salesforce Customer Support due to high peaks.

Answer: D

NEW QUESTION 13
Universal Containers (UC) has decided to use Salesforce as an Identity Provider for multiple external applications. UC wants to use the salesforce App Launcher to control the Apps that are available to individual users. Which three steps are required to make this happen?

• A. Add each connected App to the App Launcher with a Start URL.
• B. Set up an Auth Provider for each External Application.
• C. Set up Salesforce as a SAML Idp with My Domain.
• D. Set up Identity Connect to Synchronize user data.
• E. Create a Connected App for each external application.

Answer: ACE

NEW QUESTION 14
Universal Containers (UC) is using a custom application that will act as the Identity Provider and will generate SAML assertions used to log in to Salesforce. UC is considering including custom parameters in the SAML assertion. These attributes contain sensitive data and are needed to authenticate the users. The assertions are submitted to salesforce via a browser form post. The majority of the users will only be able to access Salesforce via UC's corporate network, but a subset of admins and executives would be allowed access from outside the corporate network on their mobile devices. Which two methods should an Architect consider to ensure that the sensitive data cannot be tampered with, nor accessible to anyone while in transit?

• A. Use the Identity Provider's certificate to digitally sign and Salesforce's Certificate to encrypt the payload.
• B. Use Salesforce's Certificate to digitally sign the SAML Assertion and a Mobile Device Management client on the users' mobile devices.
• C. Use the Identity provider's certificate to digitally Sign and the Identity provider's certificate to encrypt the payload.
• D. Use a custom login flow to retrieve sensitive data using an Apex callout without including the attributes in the assertion.

Answer: AC

NEW QUESTION 15
Universal Containers (UC) is planning to deploy a custom mobile app that will allow users to get e-signatures from its customers on their mobile devices. The mobile app connects to Salesforce to upload the e-signature as a file attachment and uses OAuth protocol for both authentication and authorization. What is the most recommended and secure OAuth scope setting that an Architect should recommend?

• A. Id
• B. Web
• C. Api
• D. Custom_permissions

Answer: D

NEW QUESTION 16
......