
Northern Trail Outfitters recently acquired a company. Each company will retain its Identity Provider (IdP). Both companies rely
extensively on Salesforce processes that send emails to users to take specific actions in Salesforce. How should the combined
company's employees collaborate in a single Salesforce org, yet authenticate to the appropriate IdP?

A. Have generated links be prefixed with the appropriate IdP URL to invoke an IdP-initiated Security Assertion Markup
Language flow when clicked.
B. Have generated links append a querystring parameter indicating the IdP. The login service will redirect to the appropriate
IdP.
C. Configure unique MyDomains for each company and have generated links use the appropriate MyDomain in the URL.
D. Enable each IdP as a login option in the MyDomain Authentication Service settings. Users will then click on the appropriate
IdP button.

D
Universal Containers is creating a web application that will be secured by Salesforce Identity using the OAuth 2.0 Web Server
Flow (this flow uses the OAuth 2.0 authorization code grant type). Which three OAuth concepts apply to this flow? Choose 3
answers

A. Client Secret
B. Scopes
C. Access Token
D. Authentication Token
E. Verification URL

A, B, C
Northern Trail Outfitters manages functional group permissions in a custom security application supported by a relational
database and a REST service layer. Group permissions are mapped as permission sets in Salesforce. Which action should an
identity architect use to ensure functional group permissions are reflected as permission set assignments?

A. Use the Apex Just-in-Time (JIT) handler to query the Security Assertion Markup Language (SAML) attributes and set
permission sets.
B. Use a Login Flow to query SAML attributes and set permission sets.
C. Use a Login Flow with invocable Apex to callout to the security application and set permission sets
D. Use the Apex JIT handler to callout the security application and set permission sets.

C
Universal Containers allows employees to use a mobile device to access Salesforce for daily operations using a hybrid mobile
app. This app uses the Mobile software development kit (SDK), leverages refresh tokens to regenerate access tokens when
required, and is distributed as a private app. The chief security officer is rolling out an org-wide compliance policy to enforce
re-verification of devices if an employee has not logged in from that device in the last week. Which connected app setting should
be leveraged to comply with this policy change?

A. Refresh Token Policy - Expire the refresh token if it has not been used for 7 days.
B. Session Policy - Set timeout value of the connected app to 7 days.
C. Permitted User - Ask admins to maintain a list of users who are permitted based on last login date.
D. Scope - Deny the refresh_token scope for this connected app.

A
Northern Trail Outfitters (NTO) has an existing business-to-consumer (B2C) website that does not support single sign-on
standards, such as Security Assertion Markup Language (SAML) or OAuth. NTO wants to use Salesforce Identity to register and
authenticate new customers on the website. Which three Salesforce features should an Identity architect use in order to
provide social sign-in capabilities for the website? Choose 3 answers

A. Authentication Providers
B. Connected Apps
C. Delegated Authentication
D. Embedded Login
E. Identity Connect

C,D,E
An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The
following are the requirements for the solution:
1. Users should not have to login every time they use the app.
2. The app should be able to make calls to the Salesforce REST API.
3. End users should NOT see the OAuth approval page.
How should the identity architect configure the Salesforce connected app to meet the requirements?

A. Enable the API Scope and Offline Access Scope, upload a certificate so JWT Bearer Flow can be used, and then set the
connected app access settings to "Admin Pre Approved".
B. Enable the API Scope and Offline Access Scope on the connected app, and then set the connected app access settings to
"Admin Pre-Approved".
C. Enable the API Scope and Offline Access Scope on the connected app, and then set the Connected App access settings to
"User may self authorize".
D. Enable the Full Access Scope and then set the connected app access settings to "Admin Pre Approved".

C
A global fitness equipment manufacturer is planning to sell fitness tracking devices and has the following Requirements:
1) Customer purchases the device.
2) Customer registers the device using their mobile app.
3) A case should automatically be created in Salesforce and associated with the customer's account in cases where the device
registers issues with tracking.
Which OAuth flow should be used to meet these requirements?

A. OAuth 2.0 Asset Token Flow
B. OAuth 2.0 Username-Password Flow
C. OAuth 2.0 SAML Bearer Assertion Flow
D. OAuth 2.0 User-Agent Flow

A
A technology enterprise is setting up an identity solution with an external vendor's wellness application for its employees. The
user attributes need to be returned to the wellness application in an ID token.
Which authentication mechanism should an identity architect recommend to meet the requirements?

A. JWT Bearer Token Flow
B. OpenID Connect
C. User Agent Flow
D. Web Server Flow

D
A consumer products company uses Salesforce to maintain consumer information, including orders. The company
implemented a portal solution using Salesforce Experience Cloud for its consumers where the consumers can log in using their
credentials. The company is considering allowing users to login with their Facebook or LinkedIn credentials. Once enabled,
what role will Salesforce play?

A. Salesforce will be the service provider (SP).
B. Salesforce will be the identity provider (IdP).
C. Facebook and LinkedIn will be the SPs.
D. Facebook and LinkedIn will act as the IdPs and SPs.

A
Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight
Directory Access Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user
deactivations. A terminated employee recently was able to login to NTO's Salesforce instance 24 hours after termination, even
though the user was disabled in the corporate LDAP directory. What should an identity architect recommend to prevent this
from happening in the future?

A. Configure an authentication provider to delegate authentication to the LDAP directory.
B. Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in
LDAP.
C. Use a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce.
D. Set up an identity provider (IdP) to authenticate users using LDAP, set up single sign-on to Salesforce and disable Login
Form authentication.

A
A multinational industrial products manufacturer is planning to implement Salesforce CRM to manage their business. They have
the following requirements:
1. They plan to implement Partner communities to provide access to their partner network
2. They have operations in multiple countries and are planning to implement multiple Salesforce orgs.
3. Some of their partners do business in multiple countries and will need information from multiple Salesforce Communities.
4. They would like to provide a single login for their partners.
How should an Identity Architect solve this requirement with limited custom development?

A. Consolidate Partner related information in a single org and provide access through Salesforce community.
B. Create a partner login for the country of their operation and use SAML federation to provide access to other orgs
C. Register partners in one org and access information from other orgs using APIs.
D. Allow partners to choose the Salesforce org they need information from and use login flows to authenticate access.

B
Northern Trail Outfitters wants to allow its consumers to self-register on its business-to-consumer (B2C) portal that is built on
Experience Cloud. The identity architect has recommended using Person Accounts. Which three steps need to be configured
to enable self-registration using person accounts? Choose 3 answers

A. Contact Salesforce Support to enable business accounts
B. Enable access to person and business account record types under Public Access Settings.
C. Contact Salesforce Support to enable person accounts.
D. Set organization-wide default sharing for Contact to Public Read Only
E. Under Login and Registration settings, ensure that the default account field is empty.

B,C,E
Northern Trail Outfitters (NTO) is launching a new sportswear brand on its existing consumer portal built on Salesforce
Experience Cloud. As part of the launch, emails with promotional links will be sent to existing customers to log in and claim a
discount. The marketing manager would like the portal dynamically branded so that users will be directed to the brand link
they clicked on; otherwise, users will view a recognizable NTO branded page. The campaign is launching quickly, so there is no
time to procure any additional licenses. However, the development team is available to apply any required changes to the
portal. Which approach should the identity architect recommend?

A. Use Heroku to build the new brand site and embedded login to reuse identities.
B. Configure an additional community site on the same org that is dedicated for the new brand.
C. Create a full sandbox to replicate the portal site and update the branding accordingly.
D. Implement Experience ID in the code and extend the URLs and endpoints, as required

D
How should an identity architect automate provisioning and deprovisioning of users into Salesforce from an external system?

A. Call SOAP API upsert() on User object.
B. Run registration handler on incoming OAuth responses.
C. OpenID Connect (OIDC)-userinfo endpoint with a valid access token.
D. Use Security Assertion Markup Language Just-in-Time (SAML JIT) on incoming SAML assertions.

B
Universal Containers would like its customers to register and log in to a portal built on Salesforce Experience Cloud.
Customers should be able to use their Facebook or LinkedIn credentials for ease of use. Which three steps should an identity
architect take to implement social sign-on? Choose 3 answers

A. Enable "Federated Single Sign-On Using SAML".
B. Create authentication providers for both Facebook and LinkedIn.
C. Update the default registration handlers to create and update users.
D. Check "Facebook" and "LinkedIn" under Login Page Setup.
E. Register both Facebook and LinkedIn as connected apps.

B,C,D
A company's external application is protected by Salesforce through OAuth. The identity architect for the project needs to limit
the level of access to the data of the protected resource in a flexible way. What should be done to improve security?

A. Define a permission set that grants access to the app and assign to authorized users.
B. Select "Admin approved users are pre-authorized" and assign specific profiles.
C. Leverage external objects and data classification policies.
D. Create custom scopes and assign to the connected app

D
When designing a multi-branded Customer Identity and Access Management solution on the Salesforce Platform, how should
an identity architect ensure a specific brand experience in Salesforce is presented?

A. Add a custom parameter to the service provider's OAuth/SAML call and implement logic on its login page to apply
branding based on the parameter's value.
B. The Audience ID, which can be set in a shared cookie.
C. Provide a brand picker that the end user can use to select its sub-brand when they arrive on Salesforce.
D. The Experience ID, which can be included in OAuth/OpenID flows and Security Assertion Markup Language (SAML) flows
as a URL parameter.

D
The CMO of an advertising company has invited an Identity and Access Management (IAM) specialist to discuss Salesforce
out-of-box capabilities for configuring the company's login and registration experience on Salesforce Experience Cloud. The
CMO is looking to brand the login page with the company's logo, background color, login button color, and dynamic
right-frame from an external URL. Which two solutions should the IAM specialist recommend? Choose 2 answers

A. Build custom pages for branding requirements in Experience Cloud.
B. Use Experience Builder to build branded Reset and Forgot Password pages.
C. Login & Registration pages can be branded in the Community Administration settings.
D. Build custom site pages for reset and forgot password features.

B,C
Northern Trail Outfitters (NTO) believes a specific user account may have been compromised. NTO inactivated the user
account and needs to perform a forensic analysis and identify signals that could indicate a breach has occurred. What should
NTO's first step be in gathering signals that could indicate account compromise?

A. Download the Login History and evaluate the details of logins performed by the user.
B. Download the Setup Audit Trail and review all recent activities performed by the user.
C. Download the Identity Provider Event Log and evaluate the details of activities performed by the User
D. Review the User record and evaluate the login and transaction history.

A
Universal Containers (UC) has built a custom time tracking app for its employees. UC wants to leverage Salesforce Identity to
control access to the custom app. At a minimum, which Salesforce license is required to support this requirement?

A. Identity Verification
B. Identity Only
C. Identity Connect
D. External Identity

B
A university is planning to set up an identity solution for its alumni. A third-party identity provider will be used for single sign-on
and Salesforce will be the system of record. Users are getting error messages when logging in. Which Salesforce feature
should be used to debug the issue?

A. Apex Exception Email
B. Debug Logs
C. Login History
D. View Setup Audit Trail

C
Universal Containers (UC) is using its production org as the identity provider for a new Experience Cloud site and the identity
architect is deciding which login experience to use for the site. Which two page types are valid login page types for the site?
Choose 2 answers

A. Embedded Login Page
B. Experience Builder Page
C. Lightning Experience Page
D. Login Discovery Page

A, D
Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer
care agents, who use SAML-based single sign-on to log in to Salesforce. The default agent profile does not include the Manage
Users permission. UC wants to dynamically update the agent role and permission sets. Which two mechanisms are used to
provision agents with the appropriate permissions? Choose 2 answers

A. Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets.
B. Use SAML Just-in-Time (JIT) Handler class run as current user to update role and permission sets.
C. Use Login Flow in System Context to update role and permission sets.
D. Use Login Flow in User Context to update role and permission sets.

A,C
A web service is developed that allows secure access to customer order status on the Salesforce Platform. The service
connects to Salesforce through a connected app with the web server flow. The following are the required actions for the
authorization flow:
1. User authenticates and authorizes access
2. Request an access token
3. Salesforce grants an access token
4. Request an authorization code
5. Salesforce grants an authorization code
What is the correct sequence for the authorization flow?
A. 4, 5, 2, 3, 1
B. 2, 1, 3, 4, 5
C. 1, 4, 5, 2, 3
D. 4, 1, 5, 2, 3

A
A security architect is rolling out a new multi-factor authentication (MFA) mandate, where all employees must go through a
secure authentication process before accessing Salesforce. There are multiple Identity Providers (IdP) in place and the
architect is considering how the "Authentication Method Reference" field (AMR) in the Login History can help. Which two
considerations should the architect keep in mind? Choose 2 answers

A. Dependency on what is supported by the OpenID Connect (OIDC) implementation at the IdP.
B. High-assurance sessions must be configured under Session Security Level Policies.
C. The AMR field shows the authentication methods used at the IdP.
D. Both OIDC and Security Assertion Markup Language (SAML) are supported, but AMR must be implemented at the IdP.

C,D
A third-party app provider would like to have users provisioned via a service endpoint before users access their app from
Salesforce. What should an identity architect recommend to configure the requirement with limited changes to the third-party
app?

A. Use a connected app with user provisioning flow
B. Redirect users to the third-party app for registration.
C. Use Salesforce identity with Security Assertion Markup Language (SAML) for provisioning users
D. Create Canvas app in Salesforce for third-party app to provision users.

A
A global company is using the Salesforce Platform as an Identity Provider and needs to integrate a third-party application with
its Experience Cloud customer portal. Which two features should be utilized to provide users with login and identity services
for the third-party application? Choose 2 answers

A. Use a connected app.
B. External Data Source with Named Principal identity type.
C. Use Delegated Authentication.
D. Use the App Launcher with single sign-on (SSO).

A, D
Universal Containers wants to secure its Salesforce APIs by using an existing Security Assertion Markup Language (SAML)
configuration that supports the company's single sign-on process to Salesforce. Which Salesforce OAuth authorization flow
should be used?

A. OAuth 2.0 User-Agent Flow
B. SAML Assertion Flow
C. OAuth 2.0 JWT Bearer Flow
D. OAuth 2.0 SAML Bearer Assertion Flow

D
Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent
flow. Application users will authenticate using username and password. They should not be forced to approve API access in the
mobile app or reauthenticate for 3 months. Which two connected app options need to be configured to fulfill this use case?
Choose 2 answers

A. Set the Session Timeout value to 3 months
B. Set Permitted Users to "Admin approved users are pre-authorized".
C. Set Permitted Users to "All users may self-authorize".
D. Set the Refresh Token Policy to expire refresh token after 3 months.

C,D
An identity architect is setting up an integration between Salesforce and a third-party system. The third-party system needs to
be able to authenticate to Salesforce and then make API calls against the REST API. One of the requirements is that the solution
needs to ensure the third-party service provider's connected app in Salesforce minimizes the need for end user interaction and
maximizes security. Which OAuth flow should be used to fulfill the requirement?

A. User Agent Flow
B. Username-Password Flow
C. JWT Bearer Flow
D. Web Server Flow

C
Universal Containers (UC) wants to provide single sign-on (SSO) for a business-to-consumer (B2C) application using
Salesforce Identity. Which Salesforce license should UC utilize to implement this use case?

A. Identity Only
B. Partner Community
C. Salesforce Platform
D. External Identity

D
A company wants to provide its employees with a custom mobile app that accesses Salesforce. Users are required to
download the internal native iOS mobile app from the corporate intranet on their mobile device. The app allows flexibility to
access other non-Salesforce internal applications once users authenticate with Salesforce. The apps self-authorize, and users
are permitted to use the apps once they have logged into Salesforce.
How should an identity architect meet the above requirements with the privately distributed mobile app?

A. Use Salesforce as an identity provider (IdP) to access the mobile app and use the external IdP for other non-Salesforce
internal apps.
B. Configure Mobile App settings in connected app and Salesforce as identity provider for non Salesforce internal apps.
C. Create a new hybrid mobile app and use the connected app with OAuth to authenticate users for Salesforce and
non-Salesforce internal apps
D. Use connected app with OAuth and Security Assertion Markup Language (SAML) to access other non-Salesforce internal
apps

B
A financial enterprise is planning to set up a user authentication mechanism to log in to the Salesforce system. Due to
regulatory requirements, the CIO of the company wants user administration, including passwords and authentication requests,
to be managed by an external system that is only accessible via a SOAP web service.
Which authentication mechanism should an identity architect recommend to meet the requirements?

A. Delegated Authentication
B. Just-in-Time Provisioning
C. OAuth Web-Server Flow
D. Identity Connect

A
Universal Containers wants users to be able to log in to the Salesforce mobile app with their Active Directory password.
Employees are unable to use mobile VPN. Which two options should an identity architect recommend to meet the
requirement? Choose 2 answers

A. Salesforce Identity Connect
B. Configure Cloud Provider Load Balancer
C. Active Directory Password Sync Plugin
D. Salesforce Trigger & Field on Contact Object

A, C
Universal Containers (UC) has an Experience Cloud site (Customer Community) where customers can authenticate and place
orders, view the status of orders, etc. UC allows guest checkout. How can a guest register using data previously collected
during order placement?

A. Use a Connected App Handler Apex Plugin class to collect only order details to retrieve customer data
B. Enable Security Assertion Markup Language Sign-On and use a login flow to collect only order details to retrieve customer
data
C. Enable self-registration and customize a self-registration page to collect only order details to retrieve customer data.
D. Enable Facebook as an authentication provider and use a registration handler to collect only order details to retrieve
customer data

C
Northern Trail Outfitters (NTO) wants to improve its engagement with existing customers to boost customer loyalty. To get a
better understanding of its customers, NTO establishes a single customer view including their buying behaviors, channel
preferences and purchasing history. All of this information exists but is spread across different systems and formats. NTO has
decided to use Salesforce as the platform to build a 360 degree view. The company already uses Microsoft Active Directory
(AD) to manage its users and company assets. What should an Identity Architect do to provision, deprovision and authenticate
users?

A. Salesforce Identity is included in the Salesforce licenses so it does not need to be considered separately
B. Salesforce identity can be included but NTO will require Identity Connect
C. Salesforce Identity is not needed since NTO uses Microsoft AD.
D. Salesforce Identity can be included but NTO will be required to build a custom integration with Microsoft AD.

B
A financial services company uses Salesforce and has a compliance requirement to track information about devices from which
users log in. Also, a Salesforce Security Administrator needs to have the ability to revoke the device from which users log in.
What should be used to fulfill this requirement?

A. Use Login Flows to capture device from which users log in and store device and user information in a custom object.
B. Use multi-factor authentication (MFA) to meet the compliance requirement to track device information
C. Use the Activations feature to meet the compliance requirement to track device information.
D. Use the Login History object to track information about devices from which users log in.

C
An insurance company has a connected app in its Salesforce environment that is used to integrate with Google Workspace
(formerly known as G Suite). An identity and access management (IAM) architect has been asked to implement automation to
enable users, freeze/suspend users, disable users, and reactivate existing users in Google Workspace upon similar actions in
Salesforce. Which solution is recommended to meet this requirement?

A. Build a custom REST endpoint in Salesforce that Google Workspace can poll against.
B. Configure User Provisioning for Connected Apps.
C. Build an Apex trigger on the User Login object to make asynchronous callouts to Google APIs.
D. Update the Security Assertion Markup Language Just-in-Time (SAML JIT) handler in Salesforce for user provisioning and
de-provisioning

B
A service provider (SP) supports both Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). When
integrating this SP with Salesforce, which use case is the determining factor when choosing OIDC or SAML?

A. They are equivalent protocols and there is no real reason to choose one over the other.
B. If the user has a session on Salesforce, you do not want them to be prompted for a username and password when they login
to the SP.
C. The SP needs to perform API calls back to Salesforce on behalf of the user after the user logs in to the service provider.
D. OpenID Connect (OIDC) is more secure than SAML and therefore is the obvious choice.

C
How should an identity architect automate provisioning and deprovisioning of users into Salesforce from an external system?

A. Call SOAP API upsert() on User object.
B. OpenID Connect (OIDC)-userinfo endpoint with a valid access token.
C. Run registration handler on incoming OAuth responses.
D. Use Security Assertion Markup Language Just-in-Time (SAML JIT) on incoming SAML assertions.

C
Northern Trail Outfitters (NTO) uses the Customer 360 Platform implemented on Salesforce Experience Cloud. The
development team in charge has learned of a contactless user feature, which can reduce the overhead of managing customers
and partners by creating users without contact information. What is the potential impact to the architecture if NTO decides to
implement this feature?

A. If a contactless user is upgraded to a Community license, the contact record is automatically created and linked to the user
record, but not associated with an Account.
B. Contactless user feature is available only with the External Identity license, which can restrict the Experience Cloud
functionality available to the user.
C. Registration handler is needed to correctly assign External Identity or
Community license for the newly registered contactless user.
D. Passwordless authentication cannot be supported because the mobile phone receiving the one-time password (OTP) needs to
match the number on the contact record

B
A public sector agency is setting up an identity solution for its citizens using a Community built on Experience Cloud and
requires the new user registration functionality to capture first name, last name, and phone number. The phone number will be
used for identity verification. Which feature should an identity architect recommend to meet the requirements?

A. Integrate with social websites (Facebook, LinkedIn, Twitter)
B. Create a custom Lightning Web Component
C. Use Login Discovery
D. Use an external Identity Provider

C
Northern Trail Outfitters (NTO) has a requirement to ensure all user logins include a single multi-factor authentication (MFA)
prompt. Currently, users are allowed the choice to log in with a username and password or via single sign-on against NTO's
corporate Identity Provider, which includes built-in MFA. Which configuration will meet this requirement?

A. Create and assign a permission set to all employees that includes "MFA for User Interface Logins."
B. Create a custom login flow that enforces MFA and assign it to a permission set. Then assign the permission set to all
employees.
C. For all employee profiles, set the Session Level Required at Login to High Assurance and add the corporate identity
provider to the High Assurance list for the org's Session Security Levels.
D. Enable "MFA for User Interface Logins" for your organization from Setup -> Identity Verification.

D
Universal Containers (UC) is planning to add Wi-Fi enabled GPS tracking devices to its shipping containers so that the GPS
coordinates data can be sent from the tracking device to its Salesforce production org via a custom API. The GPS devices have
no direct user input or output capabilities. Which OAuth flow should the identity architect recommend to meet the
requirement?

A. OAuth 2.0 Asset Token Flow for Securing Connected Devices
B. OAuth 2.0 Username-Password Flow for Special Scenarios
C. OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration
D. OAuth 2.0 Web Server Flow for Web App Integration

A
Northern Trail Outfitters manages application functional permissions centrally as Active Directory groups. The CRM SuperUser
and CRM_Reporting SuperUser groups should respectively give the user the Super User and Reporting Super User permission
set in Salesforce. Salesforce is the service provider to a Security Assertion Markup Language (SAML) identity provider. How
should an identity architect ensure the Active Directory groups are reflected correctly when a user accesses Salesforce?

A. Use a login flow to query custom SAML attributes and set permission sets
B. Use the Apex Just-in-Time handler to query custom SAML attributes and set permission sets.
C. Use a login flow to query standard SAML attributes and set permission sets.
D. Use the Apex Just-in-Time handler to query standard SAML attributes and set permission sets.

B
Northern Trail Outfitters would like to use a portal built on Salesforce Experience Cloud for customer self-service. Guests of
the portal should be able to self-register, but be unable to automatically be assigned to a contact record, until verified.
External Identity licenses have been purchased for the project. After registered guests complete an onboarding process, a
flow will create the appropriate account and contact records for the user. Which three steps should an identity architect follow
to implement the outlined requirements? Choose 3 answers

A. Enable "Allow customers and partners to self-register".
B. Customize the self-registration Apex handler to create only the user record.
C. Set up an external login page and call Salesforce APIs for user creation
D. Select the "Configurable Self-Reg Page" option under Login & Registration.
E. Customize the self-registration Apex handler to temporarily associate the user to a shared single contact record.

A, B, D
A real estate company wants to provide its customers a digital space to design their interior decoration options. To simplify the
registration to gain access to the community site (built in Experience Cloud), the CTO has requested that the IT/Development
team provide the option for customers to use their existing social-media credentials to register and access. The IT lead has
approached the Salesforce Identity and Access Management (IAM) architect for technical direction on implementing the social
sign-on (for Facebook, Twitter, and a new provider that supports standard OpenID Connect (OIDC)). Which two
recommendations should the Salesforce IAM architect make to the IT Lead? Choose 2 answers

A. Authentication provider configuration is required for each social sign-on provider, and authentication providers must be
enabled in the community.
B. Apex coding skills are needed for registration handler to create and update users.
C. For supporting OIDC it is necessary to enable Security Assertion Markup Language (SAML) with Just-in-Time provisioning
(JIT) and OAuth 2.0.
D. Use declarative registration handler process builder/flow to create, update users and contacts.

A, B
Universal Containers (UC) operates in Asia, Europe and North America regions. There is one Salesforce org for each region.
UC is implementing Customer 360 in Salesforce and has procured External Identity and Customer Community licenses in all
orgs. Customers of UC use Community to track orders and create inquiries. Customers also tend to move across regions
frequently. What should an identity architect recommend to optimize license usage and reduce maintenance overhead?

A. Enable Contactless User in all orgs and downgrade users from Experience Cloud license to External Identity license once
users have moved out of that region.
B. Merge three orgs into one instance of Salesforce. This will no longer require maintaining three separate copies of the same
customer.
C. Delete contact/account records and deactivate the user if the user moves from a specific region.
D. Contacts are required since Community access needs to be enabled. Maintenance is a necessary overhead that must be
handled via data integration.

D
Northern Trail Outfitters (NTO) recently purchased Salesforce Identity Connect to streamline user provisioning across
Microsoft Active Directory (AD) and Salesforce Sales Cloud. NTO has asked an identity architect to identify which Salesforce
security configurations can map to AD permissions. Which three Salesforce permissions are available to map to AD
permissions? Choose 3 answers

A. Roles
B. Field-Level Security
C. Profiles and Permission Sets
D. Public Groups
E. Sharing Rules

A, C, D
Northern Trail Outfitters (NTO) utilizes a third-party cloud solution for an employee portal. NTO also owns Salesforce Service
Cloud and would like employees to be able to log in to Salesforce with their third-party portal credentials for a seamless
experience. The third-party employee portal only supports OAuth. What should an identity architect recommend to enable
single sign-on (SSO) between the portal and Salesforce?

A. Configure SSO to use the third-party portal as an identity provider.
B. Add the third-party portal as a connected app.
C. Configure Salesforce for Delegated Authentication.
D. Create a custom external authentication provider.

A
Northern Trail Outfitters (NTO) is planning to implement a community for its customers using Salesforce Experience Cloud.
Customers are not able to self-register. NTO would like to have customers set their own passwords when provided access to
the community. Which two recommendations should an identity architect make to fulfill this requirement? Choose 2 answers

A. Add customers as contacts and add them to the Experience Cloud site.
B. Allow password reset using the API to update Experience Cloud site membership.
C. Use Login Flows to allow users to reset their password in the Experience Cloud site.
D. Enable Welcome emails while configuring the Experience Cloud site.

B,C
Universal Containers' (UC) identity architect needs to recommend a license type for their new Experience Cloud site that will
be used by external partners (delivery providers) for reviewing and updating their accounts, downloading files provided by UC
and obtaining scheduled pickup dates from their calendar. UC is using their Salesforce production org as the identity provider
for these users and the expected number of individual users is 2.5 million with 13.5 million unique logins per month. Which of
the following license types should be used to meet the requirement?

A. Partner Community License
B. Customer Community Plus Login License
C. External Apps License
D. Partner Community Login License

B
A global company's Salesforce Identity Architect is reviewing its Salesforce production org login history and is seeing some
intermittent Security Assertion Markup Language single sign-on (SAML SSO) 'Replay Detected' and 'Assertion Invalid' login
errors. Which two issues would cause these errors? Choose 2 answers

A. The subject element is missing from the assertion sent to Salesforce.
B. The current time setting of the company's identity provider (IdP) and Salesforce platform is out of sync by more than eight
minutes.
C. The certificate loaded into the SSO configuration does not match the certificate used by the IdP.
D. The assertion sent to Salesforce contains an assertion ID previously used.

AD
An identity architect's client has a homegrown identity provider (IdP). Salesforce is used as the service provider (SP). The head
of IT is worried that during an SP-initiated single sign-on (SSO), the Security Assertion Markup Language (SAML) request
content will be altered. What should the identity architect recommend to make sure that there is additional trust between the
SP and the IdP?

A. Ensure that on the SSO settings page, the "Request Signing Certificate" field has a self-signed certificate.
B. Encrypt the SAML request using a certification authority (CA)-signed certificate and decrypt it on the IdP.
C. Ensure that the Issuer and Assertion Consumer Service (ACS) URL are properly configured between the SP and IdP.
D. Ensure that there is an HTTPS connection between the IdP and SP.

B
An Enterprise is using a Lightweight Directory Access Protocol (LDAP) server as the only point for user authentication with a
username/password. Salesforce delegated authentication is configured to integrate Salesforce under single sign-on (SSO).
How can end users change their password?

A. Users can request the Salesforce Admin to reset their password.
B. Users, once logged in, can go to the Change Password screen in Salesforce.
C. Users can change it on the enterprise LDAP authentication portal.
D. Users can click on the "Forgot your Password" link on the Salesforce.com login page.

A
An administrator created a connected app for a custom web application in Salesforce which needs to be visible as a tile in App
Launcher. The tile for the custom web application is missing in the app launcher for all users in Salesforce. The administrator
requested assistance from an identity architect to resolve the issue. Which two reasons are the source of the issue?

A. Session Policy is set as "High Assurance Session required" for this connected app.
B. StartURL for the connected app is not set in Connected App settings.
C. The connected app is not set in the App menu as "Visible in App Launcher".
D. Auth scope does not include "openid".

B, C
The CMO of an advertising company has invited an Identity and Access Management (IAM) specialist to discuss Salesforce
out-of-box capabilities for configuring the company's login and registration experience on Salesforce Experience Cloud. The
CMO is looking to brand the login page with the company's logo, background color, login button color, and a dynamic
right-frame from an external URL. Which two solutions should the IAM specialist recommend? Choose 2 answers

A. Build custom site pages for reset and forgot password features.
B. Login & Registration pages can be branded in the Community Administration settings.
C. Use Experience Builder to build branded Reset and Forgot Password pages.
D. Build custom pages for branding requirements in Experience Cloud.

B,C
Northern Trail Outfitters (NTO) uses Salesforce for Sales Opportunity Management. Okta was recently brought in to
Just-in-Time (JIT) provision and authenticate NTO users to applications. Salesforce users also use Okta to authorize a
Forecasting web application to access Salesforce records on their behalf. Which two roles are being performed by Salesforce?
Choose 2 answers

A. SAML Service Provider
B. OAuth Client
C. OAuth Resource Server
D. SAML Identity Provider

A, B
Northern Trail Outfitters (NTO) employees use a custom on-premises helpdesk application to request, approve, notify, and track
access granted to various on-premises and cloud applications, including Salesforce. Salesforce is currently used to
authenticate users. How should NTO provision Salesforce users as soon as they are approved in the helpdesk application with
the approved profiles and permission sets?

A. Have the helpdesk initiate an IdP-initiated Just-in-Time provisioning Security Assertion Markup Language flow.
B. Build an integration that performs a remote call-in to the Salesforce SOAP or REST API.
C. Use Salesforce Connect to integrate with the helpdesk application
D. Use a login flow to query the helpdesk to validate user status

D
Northern Trail Outfitters wants to implement a partner community. Active community users will need to review and accept the
community rules, and update key contact information for each community member before their annual partner event. Which
approach will meet this requirement?

A. Create a login flow that conditionally prompts users who have not accepted the new community rules and who have missing
or outdated information.
B. Create tasks for users who need to update their data or accept the new community rules.
C. Add a banner to the community Home page asking users to update their profile and accept the new community rules.
D. Create a custom landing page and email campaign asking all community members to log in and verify their data.

A
A company with 15,000 employees is using Salesforce and would like to take the necessary steps to highlight or curb
fraudulent activity. Which tool should be used to track login data, such as the average number of logins, who logged in more
than the average number of times and who logged in during non-business hours?

A. Login History
B. Login Report
C. Login Inspector
D. Login Forensics

A
An identity architect wants to secure Salesforce APIs using Security Assertion Markup Language (SAML). For security purposes,
administrators will need to authorize the applications that will be consuming the APIs. Which Salesforce OAuth authorization
flow should be used?

A. OAuth 2.0 User-Agent Flow
B. OAuth 2.0 SAML Bearer Assertion Flow
C. OAuth 2.0 JWT Bearer Flow
D. SAML Assertion Flow

D
A large consumer company is planning to create a community and will require login through the customer's social identity. The
following requirements must be met:
1. The customer should be able to log in with any of their social identities; however, Salesforce should only have one user per
customer.
2. Once the customer has been identified with a social identity, they should not be required to authorize Salesforce.
3. The customer's personal details from the social sign-on need to be captured when the customer logs into Salesforce using
their social identity.
4. If the customer modifies their personal details in the social site, the changes should be updated in Salesforce.
Which two options allow the Identity Architect to fulfill the requirements? Choose 2 answers

A. Redirect the user to a custom page that allows the user to select an existing social identity for login.
B. Use the custom registration handler to link social identities to Salesforce identities.
C. Use Login Flows to call an authentication registration handler to provision the user before logging the user into the
community.
D. Use authentication providers for social sign-on and use the custom registration handler to insert or update personal details.

B,D
Northern Trail Outfitters (NTO) leverages Microsoft Active Directory (AD) for management of employee usernames, passwords,
permissions, and asset access. NTO also owns a third-party single sign-on (SSO) solution. The third-party SSO solution is
used for all corporate applications, including Salesforce. NTO has asked an architect to explore Salesforce Identity Connect
for automatic provisioning and deprovisioning of users in Salesforce. What role does Identity Connect play in the outlined
requirements?

A. Identity Provider
B. User Management
C. Single Sign-On
D. Service Provider

B
Universal Containers (UC) is using a Salesforce Experience Cloud site for its container wholesale business. The identity architect
wants to use an authentication provider for the new site. Which two options should be utilized in creating an authentication
provider? Choose 2 answers

A. A custom registration handler can be set.
B. A custom error URL can be set.
C. The default authentication provider certificate can be set.
D. The default login user can be set.

A,B
Northern Trail Outfitters (NTO) is planning to roll out a partner portal for its distributors using Experience Cloud. NTO would
like to use an external identity provider (IdP) and for partners to register for access to the portal. Each partner should be
allowed to register only once to avoid duplicate accounts with Salesforce. What should an identity architect recommend to
create partners?

A. Create a custom web page in the Portal and create users in the IdP and Experience Cloud using published APIs.
B. Allow partners to register through the IdP and create partner users in Salesforce through an API
C. On successful creation of Partners using Self Registration page in Experience Cloud, create identity in Ping
D. Create a custom page in Experience Cloud to self register partner with Experience Cloud and Ping identity store

D
Northern Trail Outfitters (NTO) has a number of employees who do NOT need access to Salesforce objects. The employees
should sign in to a custom Benefits web app using their Salesforce credentials. Which license should the identity architect
recommend to fulfill this requirement?

A. Identity Verification Credits Add-On License
B. Identity Connect License
C. Identity Only License
D. External Identity License

C
A manufacturer wants to provide registration for an Internet of Things (IoT) device with limited display input or capabilities.
Which Salesforce OAuth authorization flow should be used?

A. OAuth 2.0 Asset Token Flow
B. OAuth 2.0 Device Flow
C. OAuth 2.0 User-Agent Flow
D. OAuth 2.0 JWT Bearer Flow

B
Universal Containers (UC) wants its Closed Won Opportunities to be synced to a data warehouse in near real time. UC has
implemented Outbound Messages to enable near real-time data sync. UC wants to ensure that communication between
Salesforce and the target system is secure. What certificate is sent along with the Outbound Message?

A. The self-signed certificate from the Certificate & Key Management menu.
B. The default client certificate from the Develop -> API menu.
C. The default client certificate or the Certificate and Key Management menu.
D. The CA-signed certificate from the Certificate and Key Management menu.

B
Universal Containers (UC) is rolling out a new Customer Identity and Access Management Solution that will be built on top of its
existing Salesforce instance. Several service providers have been set up and integrated with Salesforce using OpenID Connect
to allow for a seamless single sign-on experience. UC has a requirement to limit user access to only a subset of service
providers per customer type. Which two steps should be done on the platform to satisfy the requirement? Choose 2 answers

A. Set each of the Connected App access settings to Admin Pre-Approved.
B. Assign the connected app to the customer community, and enable the user's profile in the Community settings.
C. Use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps.
D. Manage which connected apps a user has access to by assigning authentication providers to the user's profile.

AC
Northern Trail Outfitters (NTO) has an existing custom business-to-consumer (B2C) website that does NOT support
single sign-on standards, such as Security Assertion Markup Language (SAML) or OAuth. NTO wants to use Salesforce Identity
to register and authenticate new customers on the website. Which two Salesforce features should an identity architect use in
order to provide username/password authentication for the website? Choose 2 answers

A. Identity Connect
B. Embedded Login
C. Delegated Authentication
D. Connected Apps

B,C
Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent
flow (this flow uses the OAuth 2.0 implicit grant type). Which three OAuth concepts apply to this flow? Choose 3 answers

A. Client ID
B. Refresh Token
C. Authorization Code
D. Verification Code
E. Scopes

A,B,D
Universal Containers (UC) currently uses Salesforce Sales Cloud and an external billing application. Both Salesforce and the
billing application are accessed several times a day to manage customers. UC would like to configure single sign-on and
leverage Salesforce as the identity provider. Additionally, UC would like the billing application to be accessible from
Salesforce. A redirect is acceptable. Which two Salesforce tools should an identity architect recommend to satisfy the
requirements? Choose 2 answers

A. Connected Apps
B. App Launcher
C. Salesforce Canvas
D. Identity Connect

B,C
Northern Trail Outfitters (NTO) uses Salesforce Experience Cloud sites (previously known as Customer Community) to provide
a digital portal where customers can log in using their Google account. NTO would like to automatically create a case record
for first-time users logging into Salesforce Experience Cloud. What should an identity architect do to fulfill the requirement?

A. Implement a Just-in-Time handler class that has logic to create cases upon first login
B. Create an authentication provider for Social Login using Google and leverage standard registration handler
C. Implement a login flow with a record create component for Case
D. Configure an authentication provider for Social Login using Google and a custom registration handler

C
Users logging into Salesforce are frequently prompted to verify their identity. The identity architect is required to provide
recommendations so that the frequency of verification prompts can be reduced. What should the identity architect recommend
to meet the requirement?

A. Set trusted IP ranges for the organization.
B. Implement multi-factor authentication for the Salesforce org.
C. Implement 2FA authentication for the Salesforce org.
D. Implement single sign-on for Salesforce using an external identity provider.

A
A leading fitness tracker company is getting ready to launch a customer community. The company wants its customers to log in
to the community and connect their fitness device to their profile. Customers should be able to obtain exercise details and
fitness recommendations in the community. What should be used to satisfy this requirement?

A. OAuth Device Flow
B. Single Sign-On Settings
C. Named Credentials
D. Login Flows

A
Universal Containers is using OpenID Connect to enable a connection from their new mobile app to its production Salesforce
org. What should be done to enable the retrieval of the access token status for the OpenID Connect connection?

A. Create a custom OAuth scope
B. Query using the OpenID Connect discovery endpoint
C. Leverage OpenID Connect Token Introspection
D. Enable cross-origin resource sharing (CORS) for the /services/oauth2/token endpoint

C
Northern Trail Outfitters (NTO) is planning to build a new customer service portal and wants to use passwordless login,
allowing customers to log in with a one-time passcode sent to them via email or SMS. How should the quantity of required
Identity Verification Credits be estimated?

A. Identity Verification Credits are consumed with each verification sent and should be estimated based on the number of
logins that will incur a verification challenge
B. Identity Verification Credits are a direct add-on license based on the number of existing member-based or login-based
Community licenses
C. Identity Verification Credits are consumed with each SMS (text message) sent and should be estimated based on the
number of login verification challenges for SMS verification users
D. Each community comes with 10,000 Identity Verification Credits per month and only customers with more than 10,000 logins
a month should estimate additional SMS verifications needed

C
Universal Containers (UC) uses Salesforce for its customer service agents. UC has a proprietary system for order tracking which
supports Security Assertion Markup Language (SAML) based single sign-on. The VP of customer service wants to ensure that
only active Salesforce users are able to access the order tracking system, which is only visible within Salesforce. What should
be done to fulfill the requirement? Choose 2 answers

A. Set up Order Tracking as a Canvas app in Salesforce to POST an IdP-initiated SAML assertion.
B. Set up Salesforce as an identity provider (IdP) for Order Tracking.
C. Customize Order Tracking to initiate a REST call to validate users in Salesforce after login.
D. Set up the corporate identity store as an identity provider (IdP) for Order Tracking.

A,B
A company's external application is protected by Salesforce through OAuth. The identity architect for the project needs to limit
the level of access to the data of the protected resource in a flexible way. What should be done to improve security?

A. Define a permission set that grants access to the app and assign to authorized users
B. Create custom scopes and assign to the connected app.
C. Leverage external objects and data classification policies.
D. Select "Admin approved users are pre-authorized" and assign specific profiles

B
An identity architect works for a multinational, multi-brand organization. As they work with the organization to understand its
customer Identity and Access Management requirements, the identity architect learns that the brand experience is different for
each of the customer's sub-brands, and each of these branded experiences must be carried through the login experience
depending on which sub-brand the user is logging into. Which solution should the architect recommend to support scalability
and reduce maintenance costs, if the organization has more than 150 sub-brands?

A. Create a community subdomain for each sub-brand and customize the look and feel of the Login page for each community
subdomain to match the brand.
B. Create a separate Salesforce org for each sub-brand so that each sub-brand has complete control over the user experience.
C. Assign each sub-brand a unique Experience ID and use the Experience ID to dynamically brand the login experience
D. Use Audiences to customize the login experience for each sub-brand and pass an audience ID to the community during the
OAuth and Security Assertion Markup Language (SAML) flows

C
An identity architect has been asked to recommend a solution that allows administrators to configure personalized alert
messages to users before they land on the Experience Cloud site (formerly known as Community) homepage. What is
recommended to fulfill this requirement with the least amount of customization?

A. Build a Lightning Web Component (LWC) for a homepage that shows custom alerts
B. Create custom metadata that stores user alerts and use a LWC to display alerts
C. Customize the registration handler Apex class to create a routing logic navigating to different home pages based on the
user profile
D. Use Login Flows to add a screen that shows personalized alerts

D
Northern Trail Outfitters would like to automatically create new employee users in Salesforce with an appropriate profile that
maps to its Active Directory Department. How should an identity architect implement this requirement?

A. Make a callout during the login flow to query department from Active Directory to assign the appropriate profile.
B. Use a login flow to collect Security Assertion Markup Language attributes and assign the appropriate profile during
Just-in-Time (JIT) provisioning.
C. Use the createUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.
D. Use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.

D
How should an identity architect automate provisioning and deprovisioning of users into Salesforce from an external system?

A. Call SOAP API upsert() on the User object
B. Use Security Assertion Markup Language Just-in-Time (SAML JIT) on incoming SAML assertions
C. Run a registration handler on incoming OAuth responses
D. Call the OpenID Connect (OIDC) userinfo endpoint with a valid access token

C
Universal Containers (UC) is rolling out its new Customer Identity and Access Management Solution built on top of its existing
Salesforce instance. UC wants to allow customers to log in using Facebook, Google, and other social sign-on providers. How
should this functionality be enabled for UC, assuming all social sign-on providers support OpenID Connect?

A. Configure an authentication provider and a Just-In-Time (JIT) handler for each social sign-on provider
B. Configure a single sign-on setting and a JIT handler for each social sign-on provider
C. Configure a single sign-on setting and a registration handler for each social sign-on provider.
D. Configure an authentication provider and a registration handler for each social sign-on provider

D
A third-party app provider would like to have users provisioned via a service endpoint before users access their app from
Salesforce. What should an identity architect recommend to configure the requirement with limited changes to the third-party
app?

A. Use a connected app with a user provisioning flow
B. Create a Canvas app in Salesforce for the third-party app to provision users
C. Redirect users to the third-party app for registration
D. Use Salesforce Identity with Security Assertion Markup Language (SAML) for provisioning users

A
Northern Trail Outfitters (NTO) uses a Security Assertion Markup Language (SAML)-based Identity Provider (IdP) to
authenticate employees to all systems. The IdP authenticates users against a Lightweight Directory Access Protocol (LDAP)
directory and has access to user information. NTO wants to minimize Salesforce license usage since only a small percentage of
users need Salesforce. What is recommended to ensure new employees have immediate access to Salesforce using their
current IdP?

A. Build an integration that queries LDAP and creates new inactive users in Salesforce, and use a login flow to activate the user
at first login.
B. Install Salesforce Identity Connect to automatically provision new users in Salesforce the first time they attempt to log in.
C. Configure Just-in-Time provisioning using SAML attributes to create new Salesforce users as necessary when a new user
attempts to log in to Salesforce.
D. Build an integration that queries LDAP periodically and creates new active users in Salesforce.

C
Northern Trail Outfitters (NTO) wants its customers to use phone numbers to log in to their new digital portal, which was
designed and built using Salesforce Experience Cloud. In order to access the portal, the user will need to do the following:
1. Enter a phone number and/or email address
2. Enter a verification code that is to be sent via email or text.
What is the recommended approach to fulfill this requirement?

A. Create a Login Discovery page and provide a Login Discovery Handler Apex class
B. Create a custom login flow that uses an Apex controller to verify the phone numbers with the company's verification service
C. Create a custom login page with an Apex controller. The controller has logic to send and verify the identity
D. Create an Authentication provider and implement a self-registration handler class

A
Universal Containers is building a web application that will connect with the Salesforce API using the JWT OAuth Flow. Which
two settings need to be configured in the connected app to support this requirement? Choose 2 answers

A. The "eclair_api" OAuth scope in the connected app.
B. The "api" OAuth scope in the connected app.
C. The Use Digital Signature option in the connected app.
D. The "web" OAuth scope in the connected app.

B,C
A Salesforce customer is implementing Sales Cloud and a custom pricing application for its call center agents. An enterprise
single sign-on solution is used to authenticate and sign in users to all applications. The customer has the following
requirements:
1. The development team has decided to use a Canvas app to expose the pricing application to agents.
2. Agents should be able to access the Canvas app without needing to log in to the pricing application.
Which two options should the identity architect consider to provide support for the Canvas app to initiate login for users?
Choose 2 answers

A. Configure the Canvas app as a connected app and set Admin-approved users as preauthorized
B. Enable SAML in the connected app and Security Assertion Markup Language (SAML) Initiation Method as Service Provider
Initiated
C. Enable OAuth settings in the connected app with required OAuth scopes for the pricing application.
D. Select "Enable as a Canvas Personal App" in the connected app settings

A,B
A global fitness equipment manufacturer uses Salesforce to manage its sales cycle. The manufacturer has a custom order
fulfillment app that needs to request order data from Salesforce. The order fulfillment app needs to integrate with the
Salesforce API using OAuth 2.0 protocol. What should an identity architect use to fulfill this requirement?

A. Connected App and OAuth Scopes
B. Canvas App Integration
C. OAuth Tokens
D. Authentication Providers

A
Northern Trail Outfitters (NTO) is setting up Salesforce to authenticate users with an external identity provider. The NTO
Salesforce Administrator is having trouble getting things set up. What should an identity architect use to show which part of the
login assertion is failing?

A. Connected App Manager
B. Security Assertion Markup Language Validator
C. Identity Provider Metadata download
D. SAML Metadata file importer

B
A financial services company uses Salesforce and has a compliance requirement to track information about devices from which
users log in. Also, a Salesforce Security Administrator needs to have the ability to revoke the device from which users log in.
What should be used to fulfill this requirement?

A. Use multi-factor authentication (MFA) to meet the compliance requirement to track device information.
B. Use Login Flows to capture device from which users log in and store device and user information in a custom object.
C. Use the Login History object to track information about devices from which users log in.
D. Use the Activations feature to meet the compliance requirement to track device information.

D
Universal Containers (UC) is building a custom employee hub application on Amazon Web Services (AWS) and would like to
store their users' credentials there. Users will also need access to Salesforce for internal operations. UC has tasked an identity
architect with evaluating different solutions for authentication and authorization between AWS and Salesforce. How should an
identity architect configure AWS to authenticate and authorize Salesforce users?

A. Develop a custom Auth server in AWS.
B. Configure the custom employee app as a connected app.
C. Create a custom external authentication provider.
D. Configure AWS as an OpenID Connect Provider.

D
An Identity and Access Management (IAM) architect is tasked with unifying multiple B2C Commerce sites and an Experience
Cloud community with a single identity. The solution needs to support more than 1,000 logins per minute. What should the IAM
architect do to fulfill this requirement?

A. Confirm performance considerations with Salesforce Customer Support due to high peaks.
B. Create a default account for capturing all ecommerce contacts registered on the community because Person Account is not
supported for this case.
C. Configure both the community and the commerce sites as OAuth2 RPs (relying parties) with an external identity provider.
D. Configure the community as a Security Assertion Markup Language (SAML) identity provider and enable Just-in-Time
Provisioning to B2C Commerce.

A
An identity architect is implementing a mobile-first Consumer Identity and Access Management (CIAM) solution for external
users. User authentication is the only requirement. The user's email or mobile phone number should be supported as a
username. Which two licenses are needed to meet this requirement? Choose 2 answers

A. Email Verification Credits
B. Identity Connect Licenses
C. External Identity Licenses
D. SMS Verification Credits

C
A farming enterprise offers smart farming technology to its farmer customers, which includes a variety of sensors for livestock
tracking, pest monitoring, climate monitoring, etc. They plan to store all the data in Salesforce. They would also like to ensure
timely maintenance of the installed sensors. They have engaged a Salesforce Architect to propose an appropriate way to
generate sensor information in Salesforce. Which OAuth flow should the architect recommend?

A. OAuth 2.0 SAML Bearer Assertion Flow
B. OAuth 2.0 JWT Bearer Token Flow
C. OAuth 2.0 Device Authentication Flow
D. OAuth 2.0 Asset Token Flow

D
Universal Containers (UC) uses Salesforce as a CRM and identity provider (IdP) for its Sales Team to seamlessly log in to
internal portals. The IT team at UC is now evaluating Salesforce to act as an IdP for its remaining employees. Which Salesforce
license is required to fulfill this requirement?

A. Identity Only
B. Identity Verification
C. Identity Connect
D. External Identity

A
Universal Containers (UC) is considering a Customer 360 initiative to gain a single source of truth for its customer data
across disparate systems and services. UC wants to understand the primary benefits of Customer 360 Identity and how it
contributes to a successful Customer 360 Truth project. What are two key benefits of Customer 360 Identity as it relates to
Customer 360? Choose 2 answers

A. Customer 360 Identity automatically integrates with Customer 360 Data Manager and Customer 360 Audiences to
seamlessly populate all user data
B. Customer 360 Identity supports multiple brands so you can deliver centralized identity services and correlation of user
activity, even if it spans multiple corporate brands and user experiences
C. Customer 360 Identity enables an organization to build a single login for each of its customers, giving the organization an
understanding of the user's login activity across all its digital properties and applications
D. Customer 360 Identity not only provides a unified sign up and sign in experience, but also tracks anonymous user activity
prior to signing up so organizations can understand user activity before and after the users identify themselves

B,C
A client is planning to rollout multi-factor authentication (MFA) to its internal employees and wants to understand which
authentication and verification methods meet the Salesforce criteria for secure authentication. Which three functions meet the
Salesforce criteria for secure MFA? Choose 3 answers

A. Username and password + SMS passcode
B. Third-party single sign-on with Mobile Authenticator app
C. Certificate-based Authentication
D. Lightning Login
E. Username and password + security key

B,D,E
Universal Containers uses Salesforce as an identity provider and Concur as the Employee Expense management system. The
HR director wants to ensure Concur accounts for employees are created only after the appropriate approval in the Salesforce
org. Which three steps should the identity architect use to implement this requirement? Choose 3 answers

A. Create a connected app for Concur in Salesforce
B. Create an approval process for User object associated with the provisioning flow
C. Enable User Provisioning for the connected app
D. Create an approval process for User Provisioning Request object associated with the provisioning flow
E. Create an approval process for a custom object associated with the provisioning flow

A,C,D
Which two things should be done to ensure end users can only use single sign-on (SSO) to log in to Salesforce? Choose 2
answers

A. Request Salesforce Support to enable delegated authentication
B. Enable My Domain and select "Prevent login from https://login.salesforce.com"
C. Assign user "Is Single Sign-On Enabled" permission via profile or permission set
D. Once SSO is enabled, users are only able to login using Salesforce credentials

B,C
A division of Northern Trail Outfitters (NTO) purchased Salesforce. NTO uses a third-party Identity Provider (IdP) to validate
user credentials against its corporate Lightweight Directory Access Protocol (LDAP) directory. NTO wants to help employees
remember as few passwords as possible. What should an identity architect recommend?

A. Set up Salesforce as an IdP to authenticate against the LDAP directory
B. Set up Salesforce as a Service Provider to the existing IdP
C. Use Salesforce Connect to synchronize LDAP passwords to Salesforce
D. Set up Salesforce as an Authentication Provider to the existing IdP

B
Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is
important for NTO to give its customers the ability to log in with their Amazon credentials. What should an identity architect
recommend to meet these requirements?

A. Configure Amazon as a connected app.
B. Configure an OpenID Connect Authentication Provider for Amazon.
C. Configure a predefined authentication provider for Amazon.
D. Create a custom external authentication provider for Amazon

B
Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is
important for NTO to give its customers the ability to log in with their Facebook and Twitter credentials. Which two actions
should an identity architect recommend to meet these requirements? Choose 2 answers

A. Create a custom external authentication provider for Twitter
B. Configure a predefined authentication provider for Twitter
C. Create a custom external authentication provider for Facebook
D. Configure a predefined authentication provider for Facebook

B,D
Universal Containers (UC) has decided to replace the homegrown customer portal with Salesforce Experience Cloud. UC will
continue to use its third-party single sign-on (SSO) solution that stores all of its customer and partner credentials. The first time
a customer logs in to the Experience Cloud site through SSO, a user record needs to be created automatically. Which solution
should an identity architect recommend in order to automatically provision users in Salesforce upon login?

A. Custom middleware and web services
B. Just-in-Time (JIT) provisioning
C. Third-party AppExchange solution
D. Custom login flow and Apex handler

B
A global company has built an external application that uses data from its Salesforce org via an OAuth 2.0 authorization flow.
Upon logout, the existing Salesforce OAuth token must be invalidated. Which action will accomplish this?

A. Enable Single Logout with a secure logout URL
B. Use an HTTP POST to the System for Cross-domain Identity Management (SCIM) endpoint, including the current OAuth token
C. Use an HTTP POST to make a call to the revoke token endpoint
D. Use an HTTP POST to request the refresh token for the current user

C
A technology enterprise is planning to implement Single Sign-On login for users. When users log in, custom field data on the
Salesforce User object should be populated for new and existing users. Which two steps should an identity architect
recommend? Choose 2 answers

A. Implement Session Management Class
B. Implement RegistrationHandler Interface
C. Create and update methods
D. Implement Auth.SamlJitHandler Interface

C,D
An Identity and Access Management (IAM) Architect is recommending Identity Connect to integrate Microsoft Active Directory
(AD) with Salesforce for user provisioning, deprovisioning and single sign-on (SSO). Which feature of Identity Connect is
applicable for this scenario?

A. Identity Connect can be deployed as a managed package on Salesforce org, leveraging High Availability of Salesforce
Platform out-of-the-box
B. When Identity Connect is in place, if a user is deprovisioned in an on-premises AD, the user's Salesforce session is revoked
immediately
C. When configured, Identity Connect acts as an identity provider to both Active Directory and Salesforce, thus providing SSO
as a default feature
D. If the number of provisioned users exceeds Salesforce license allowances, Identity Connect will start disabling the existing
Salesforce users in First-in, First-out (FIFO) fashion

B
Universal Containers wants to allow its customers to log in to its Experience Cloud via a third-party authentication provider that
supports only the OAuth protocol. What should an identity architect do to fulfill this requirement?

A. Create a custom external authentication provider.
B. Contact Salesforce Support and enable delegated single sign-on.
C. Configure an OpenID Connect authentication provider.
D. Use certificate-based authentication.

A
Northern Trail Outfitters (NTO) uses the Customer 360 Platform implemented on Salesforce Experience Cloud. The
development team in charge has learned of a contactless user feature, which can reduce the overhead of managing customers
and partners by creating users without contact information. What is the potential impact to the architecture if NTO decides to
implement this feature?

A. Contactless user feature is available only with the External Identity license, which can restrict the Experience Cloud
functionality available to the user
B. Custom registration handler is needed to correctly assign External Identity or Community license for the newly registered
contactless user
C. Passwordless authentication cannot be supported because the mobile phone receiving the one-time password (OTP) needs to
match the number on the contact record
D. If a contactless user is upgraded to a Community license, the contact record is automatically created and linked to the user
record, but not associated with an Account

A
Universal Containers has multiple Salesforce instances where users receive emails from different instances. Users should be
logged into the correct Salesforce instance authenticated by their IdP when clicking on an email link to a Salesforce record.
What should be enabled in Salesforce as a prerequisite?

A. Identity Provider
B. External Identity
C. Multi-Factor Authentication
D. My Domain

D
The executive sponsor for an organization has asked if Salesforce supports the ability to embed a login widget into its service
providers in order to create a more seamless user experience. What should be used and considered before recommending it
as a solution on the Salesforce Platform?

A. Salesforce REST APIs. Ensure that Secure Sockets Layer (SSL) connection for the integration is used
B. OpenID Connect Web Server Flow. Determine if the service provider is secure enough to store the client secret on
C. Embedded Login. Identify what level of UI customization will be required to make it match the service provider's look and
feel
D. Embedded Login. Consider whether or not it relies on third-party cookies, which can cause browser compatibility issues

D
Universal Containers is implementing a new Experience Cloud site and the identity architect wants to use dynamic branding
features as part of the login process. Which two options should the identity architect recommend to support dynamic branding
for the site?

A. To use dynamic branding, the community must be built with the Customer Account Portal template
B. An experience ID (expid) or placeholder parameter must be used in the URL to represent the brand.
C. An external content management system (CMS) must be used for dynamic branding on Experience Cloud sites
D. To use dynamic branding, the community must be built with the Visualforce + Salesforce Tabs template

B
Universal Containers is implementing Salesforce Identity to broker authentication from its enterprise single sign-on (SSO)
solution through Salesforce to third-party applications using SAML. What role does Salesforce Identity play in its relationship
with the enterprise SSO system?

A. Client Application
B. Identity Provider (IDP)
C. Resource Server
D. Service Provider (SP)

D
Northern Trail Outfitters is implementing a business-to-business (B2B) collaboration site using Salesforce Experience Cloud.
The partners will authenticate with an existing identity provider and the solution will utilize Security Assertion Markup
Language (SAML) to provide single sign-on to Salesforce. Delegated administration will be used in the Experience Cloud site
to allow the partners to administer their users' access. How should a partner identity be provisioned in Salesforce for this
solution?

A. Create a person account
B. Create only a contact
C. Create a user and a related contact
D. Create a contactless user

C
The CIO of Universal Containers (UC) wants to start taking advantage of the refresh token capability for the UC applications that
utilize OAuth 2.0. UC has enlisted an architect to analyze all of the applications that use OAuth flows to see where refresh tokens
can be applied. Which two OAuth flows should the architect consider in their evaluation? Choose 2 answers

A. Web server
B. JWT bearer token
C. User-Agent
D. Username-password

A,C
Universal Containers uses an Employee portal for its employees to collaborate. Employees access the portal from their
company's internal website via SSO. It is set up to work with Active Directory. What is the role of Active Directory in this
scenario?

A. Identity store
B. Authentication store
C. Identity provider
D. Service provider

C
Universal Containers (UC) has decided to use Identity Connect as its identity provider. UC uses Active Directory (AD) and has a
team that is very familiar and comfortable with managing AD groups. UC would like to use AD groups to help configure
Salesforce users. Which three actions can AD groups control through Identity Connect? Choose 3 answers

A. Public Group Assignment
B. Granting report folder access
C. Role Assignment
D. Custom permission assignment
E. Permission sets assignment

A,C,E
An architect has successfully configured SAML-based SSO for Universal Containers. SSO has been working for 3 months when
Universal Containers manually adds a batch of new users to Salesforce. The new users receive an error from Salesforce when
trying to use SSO. Existing users are still able to successfully use SSO to access Salesforce. What is the probable cause of this
behavior?

A. The administrator forgot to reset the new users' Salesforce passwords.
B. The Federation ID field on the new user records is not correctly set.
C. The My Domain capability is not enabled on the new users' profiles.
D. The new users do not have the SSO permission enabled on their profiles.

B
Universal Containers (UC) is planning to deploy a custom mobile app that will allow users to get e-signatures from its
customers on their mobile devices.
The mobile app connects to Salesforce to upload the e-signatures as the file attachment and uses OAuth protocol for both
authentication and authorization.
What is the most recommended and secure OAuth scope setting that an Architect should recommend?

A. ID
B. Web
C. Api
D. Custom_permission

D
Universal Containers (UC) has implemented SAML-based Single Sign-On for its Salesforce application and is planning to
provide access to Salesforce on mobile devices using the Salesforce1 mobile app. UC wants to ensure that SSO is used for
accessing the Salesforce1 mobile app. Which two recommendations should an architect make? Choose 2 answers

A. Configure the Embedded Web Browser to use the My Domain URL
B. Configure the Salesforce1 mobile app
C. Use the existing SAML-SSO flow along with the User-Agent flow
D. Use the existing SAML-SSO flow along with the Web Server flow

B,C
Universal Containers (UC) is building a custom Innovation platform on a Salesforce instance. The Innovation platform will be written
completely in Apex and Visualforce and will use custom objects to store the data. UC would like all users to be able to access
the system without having to log in with Salesforce credentials. UC will utilize a third-party IdP using SAML SSO. What is the optimal
Salesforce license type for all of the UC employees?

A. Identity license
B. Salesforce
C. External Identity
D. Salesforce Platform

D
The CIO of Universal Containers (UC) wants to start taking advantage of the refresh token capability for the UC applications
that utilize OAuth 2.0. UC has enlisted an architect to analyze all of the applications that use OAuth flows to see where refresh tokens can
be applied. Which OAuth flows should an architect consider in their evaluation? Choose 2 answers

A. Web Server
B. JWT bearer token
C. User Agent
D. Username-Password

A,C
Which item should an identity architect consider when designing a Delegated Authentication implementation?

A. The web server should be secured with TLS using Salesforce trusted certificates
B. The web service should be able to accept one to four input method parameters.
C. The web service should use the Salesforce Federation ID to identify the users
D. The web service should implement a custom password decryption method

A
Which two are valid choices for digital certificates when setting up two-way SSL between Salesforce and an external system?
Choose 2 answers

A. Use a trusted CA-signed certificate for Salesforce and a trusted CA-signed certificate for the external system
B. Use a trusted CA-signed certificate for Salesforce and a self-signed certificate for the external system
C. Use a self-signed certificate for Salesforce and a self-signed certificate for the external system
D. Use a self-signed certificate for Salesforce and a CA-signed certificate for the external system

C,D