Identity-and-Access-Management-Designer Exam Questions - Online Test



Exam Code: Identity-and-Access-Management-Designer (Practice Exam Latest Test Questions VCE PDF)
Exam Name: Salesforce Certified Identity and Access Management Designer (SP19)
Certification Provider: Salesforce

Check Identity-and-Access-Management-Designer free dumps before getting the full version:

NEW QUESTION 1
Universal Containers (UC) is setting up delegated authentication to allow employees to log in using their corporate credentials. UC's security team is concerned about the risks of exposing the corporate login service on the internet and has asked that a reliable trust mechanism be put in place between the login service and Salesforce.
What mechanism should an Architect put in place to enable a trusted connection between the login service and Salesforce?

  • A. Require the use of Salesforce security tokens on passwords.
  • B. Enforce mutual authentication between systems using SSL.
  • C. Include Client Id and Client Secret in the login header callout.
  • D. Set up a proxy service for the login service in the DMZ.

Answer: A

NEW QUESTION 2
An Identity architect works for a multinational, multi-brand organization. As they work with the organization to understand their Customer Identity and Access Management requirements, the identity architect learns that the brand experience is different for each of the customer's sub-brands and each of these branded experiences must be carried through the login experience depending on which sub-brand the user is logging into.
Which solution should the architect recommend to support scalability and reduce maintenance costs, if the organization has more than 150 sub-brands?

  • A. Assign each sub-brand a unique Experience ID and use the Experience ID to dynamically brand the login experience.
  • B. Use Audiences to customize the login experience for each sub-brand and pass an audience ID to the community during the OAuth and Security Assertion Markup Language (SAML) flows.
  • C. Create a community subdomain for each sub-brand and customize the look and feel of the Login page for each community subdomain to match the brand.
  • D. Create a separate Salesforce org for each sub-brand so that each sub-brand has complete control over the user experience.

Answer: A

NEW QUESTION 3
Universal Containers (UC) has implemented a multi-org architecture in their company. Many users have licences across multiple orgs, and they are complaining about remembering which org and credentials are tied to which business process. Which two recommendations should the Architect make to address the complaints? Choose 2 answers

  • A. Activate My Domain to Brand each org to the specific business use case.
  • B. Implement SP-Initiated Single Sign-on flows to allow deep linking.
  • C. Implement IdP-Initiated Single Sign-on flows to allow deep linking.
  • D. Implement Delegated Authentication from each org to the LDAP provider.

Answer: AB

NEW QUESTION 4
Universal Containers (UC) wants to build a mobile application that will be making calls to the Salesforce REST API. UC's Salesforce implementation relies heavily on custom objects and custom Apex code. UC does not want its users to have to enter credentials every time they use the app. Which two scope values should an Architect recommend to UC? Choose 2 answers.

  • A. Custom_permissions
  • B. Api
  • C. Refresh_token
  • D. Full

Answer: BC

NEW QUESTION 5
Universal Containers (UC) wants users to authenticate into their Salesforce org using credentials stored in a custom identity store. UC does not want to purchase or use a third-party Identity provider. Additionally, UC is extremely wary of social media and does not consider it to be trustworthy. Which two options should an architect recommend to UC? Choose 2 answers

  • A. Use a professional social media such as LinkedIn as an Authentication provider
  • B. Build a custom web page that uses the identity store and calls frontdoor.jsp
  • C. Build a custom Web service that is supported by Delegated Authentication.
  • D. Implement the OpenID protocol and configure an Authentication provider

Answer: CD

NEW QUESTION 6
Northern Trail Outfitters (NTO) uses the Customer 360 Platform implemented on Salesforce Experience Cloud. The development team in charge has learned of a contactless user feature, which can reduce the overhead of managing customers and partners by creating users without contact information.
What is the potential impact to the architecture if NTO decides to implement this feature?

  • A. Custom registration handler is needed to correctly assign External Identity or Community license for the newly registered contactless user.
  • B. If contactless user is upgraded to Community license, the contact record is automatically created and linked to the user record, but not associated with an Account.
  • C. Contactless user feature is available only with the External Identity license, which can restrict the Experience Cloud functionality available to the user.
  • D. Passwordless authentication cannot be supported because the mobile phone receiving one-time password (OTP) needs to match the number on the contact record.

Answer: C

NEW QUESTION 7
Universal Containers (UC) uses a home-grown Employee portal for their employees to collaborate. UC decides to use Salesforce Ideas to allow employees to post Ideas from the Employee portal. When users click on some of the links in the Employee portal, the users should be redirected to Salesforce, authenticated, and presented with the relevant pages. What OAuth flow is best suited for this scenario?

  • A. Web Application flow
  • B. SAML Bearer Assertion flow
  • C. User-Agent flow
  • D. Web Server flow

Answer: D

NEW QUESTION 8
Universal Containers (UC) has built a custom token-based Two-factor authentication (2FA) system for their existing on-premise applications. They are now implementing Salesforce and would like to enable a Two-factor login process for it, as well. What is the recommended solution an Architect should consider?

  • A. Use the custom 2FA system for on-premise applications and native 2FA for Salesforce.
  • B. Replace the custom 2FA system with an AppExchange App that supports on-premise application and Salesforce.
  • C. Use Custom Login Flows to connect to the existing custom 2FA system for use in Salesforce.
  • D. Replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce.

Answer: D

NEW QUESTION 9
Which two capabilities does My Domain enable in the context of a SAML SSO configuration? Choose 2 answers

  • A. App Launcher
  • B. Resource deep linking
  • C. SSO from Salesforce Mobile App
  • D. Login Forensics

Answer: BC

NEW QUESTION 10
A client is planning to roll out multi-factor authentication (MFA) to its internal employees and wants to understand which authentication and verification methods meet the Salesforce criteria for secure authentication.
Which three functions meet the Salesforce criteria for secure MFA? Choose 3 answers

  • A. Username and password + SMS passcode
  • B. Username and password + security key
  • C. Third-party single sign-on with Mobile Authenticator app
  • D. Certificate-based Authentication
  • E. Lightning Login

Answer: BCE

NEW QUESTION 11
Universal Containers (UC) has decided to use Identity Connect as its identity provider. UC uses Active Directory (AD) and has a team that is very familiar and comfortable with managing AD groups. UC would like to use AD groups to help configure Salesforce users. Which three actions can AD groups control through Identity Connect? Choose 3 answers

  • A. Public Group Assignment
  • B. Granting report folder access
  • C. Role Assignment
  • D. Custom permission assignment
  • E. Permission sets assignment

Answer: ACE

NEW QUESTION 12
An identity architect wants to secure Salesforce APIs using Security Assertion Markup Language (SAML). For security purposes, administrators will need to authorize the applications that will be consuming the APIs.
Which Salesforce OAuth authorization flow should be used?

  • A. OAuth 2.0 SAML Bearer Assertion Flow
  • B. OAuth 2.0 JWT Bearer Flow
  • C. SAML Assertion Flow
  • D. OAuth 2.0 User-Agent Flow

Answer: C

NEW QUESTION 13
Northern Trail Outfitters (NTO) wants its customers to use phone numbers to log in to their new digital portal, which was designed and built using Salesforce Experience Cloud. In order to access the portal, the user will need to do the following:
1. Enter a phone number and/or email address
2. Enter a verification code that is to be sent via email or text.
What is the recommended approach to fulfill this requirement?

  • A. Create a Login Discovery page and provide a Login Discovery Handler Apex class.
  • B. Create a custom login page with an Apex controller. The controller has logic to send and verify the identity.
  • D. Create an Authentication provider and implement a self-registration handler class.
  • E. Create a custom login flow that uses an Apex controller to verify the phone numbers with the company's verification service.

Answer: D

NEW QUESTION 14
Universal Containers (UC) has implemented an SP-Initiated SAML flow between an external IdP and Salesforce. A user at UC is attempting to log in to Salesforce1 for the first time and is being prompted for Salesforce credentials instead of being shown the IdP login page. What is the likely cause of the issue?

  • A. The "Redirect to Identity Provider" option has been selected in the My Domain configuration.
  • B. The user has not configured the Salesforce1 mobile app to use My Domain for login
  • C. The "Redirect to Identity Provider" option has not been selected in the SAML configuration.
  • D. The user has not been granted the "Enable Single Sign-on" permission

Answer: B

NEW QUESTION 15
Universal Containers (UC) has a Customer Community that uses Facebook for Authentication. UC would like to ensure that changes in the Facebook profile are reflected on the appropriate Customer Community user. How can this requirement be met?

  • A. Use the updateUser method on the registration Handler Class.
  • B. Develop a scheduled job that calls out to Facebook on a nightly basis.
  • C. Use information in the signed Request that is received from Facebook.
  • D. Use SAML Just-In-Time Provisioning between Facebook and Salesforce.

Answer: A

NEW QUESTION 16
Universal Containers built a custom mobile app for their field reps to create orders in Salesforce. OAuth is used for authenticating mobile users. The app is built in such a way that when a user session expires after initial login, a new access token is obtained automatically without forcing the user to log in again. While that improved the field reps' productivity, UC realized that they need a "logout" feature.
What should the logout function perform in this scenario, where user sessions are refreshed automatically?

  • A. Invoke the revocation URL and pass the refresh token.
  • B. Clear out the client Id to stop auto session refresh.
  • C. Invoke the revocation URL and pass the access token.
  • D. Clear out all the tokens to stop auto session refresh.

Answer: A

NEW QUESTION 17
Universal Containers (UC) has a Desktop application to collect leads for marketing campaigns. UC wants to extend this application to integrate with Salesforce to create leads. Integration between the desktop application and Salesforce should be seamless. What Authorization flow should the Architect recommend?

  • A. JWT Bearer Token flow
  • B. Web Server Authentication Flow
  • C. User Agent Flow
  • D. Username and Password Flow

Answer: C

NEW QUESTION 18
Universal Containers (UC) wants to integrate a third-party reward calculation system with Salesforce to calculate rewards. Rewards will be calculated on a scheduled basis and updated back into Salesforce. The integration between Salesforce and the reward calculation system needs to be secure. Which are the recommended best practices for using OAuth flows in this scenario? Choose 2 answers

  • A. OAuth refresh token flow
  • B. OAuth SAML bearer assertion flow
  • C. OAuth JWT bearer token flow
  • D. OAuth Username-password flow

Answer: BC

NEW QUESTION 19
A web service is developed that allows secure access to customer order status on the Salesforce Platform. The service connects to Salesforce through a connected app with the web server flow. The following are the required actions for the authorization flow:
1. User Authenticates and Authorizes Access
2. Request an Access Token
3. Salesforce Grants an Access Token
4. Request an Authorization Code
5. Salesforce Grants Authorization Code
What is the correct sequence for the authorization flow?

  • A. 1, 4, 5, 2, 3
  • B. 4, 1, 5, 2, 3
  • C. 2, 1, 3, 4, 5
  • D. 4, 5, 2, 3, 1

Answer: D

NEW QUESTION 20
After a recent audit, Universal Containers (UC) was advised to implement Two-factor Authentication for all of their critical systems, including Salesforce. Which two actions should UC consider to meet this requirement? Choose 2 answers

  • A. Require users to provide their RSA token along with their credentials.
  • B. Require users to supply their email and phone number, which gets validated.
  • C. Require users to enter a second password after the first Authentication
  • D. Require users to use a biometric reader as well as their password

Answer: AD
