Question 1

In a typical SSL setup involving a trusted party and trusting party, what consideration should an Architect take into account when using digital certificates?

Accepted Answer

D is correct because using a self-signed certificate leads to higher maintenance for the trusting party, which is the client or browser that connects to the server. The
trusting party needs to add the self-signed certificate to their truststore, which is a repository of trusted certificates, in order to establish a secure connection with
the server. Otherwise, the trusting party will see a warning message or an error when accessing the server.
A is incorrect because using a self-signed certificate leads to higher maintenance for the trusted party, not lower. The trusted party needs to maintain multiple selfsigned certificates from different servers in their truststore.
B is incorrect because using a self-signed certificate does not make the trusted party act as the trusted CA (Certificate Authority). The trusted CA is the entity that
issues and validates certificates for servers. The trusted party only needs to trust the CA’s root certificate, which is usually pre-installed in their truststore.
C is incorrect because using a self-signed certificate leads to higher maintenance for the trusting party, not lower. The trusting party still needs to maintain a
trusted CA cert in their truststore, which is the self-signed certificate itself.
References: 1: SSL Certificate Installation Instructions & Tutorials - DigiCert 2: How To Install an SSL Certificate from a Commercial … - DigitalOcean 3: Setup SSL
CSR Creation and SSL Certificate Installatio
- DigiCert

Question 2

A pharmaceutical company has an on-premise application (see illustration) that it wants to integrate with Salesforce.
The IT director wants to ensure that requests must include a certificate with a trusted certificate chain to access the company's on-premise application endpoint.
What should an Identity architect do to meet this requirement?

Accepted Answer

To ensure that requests must include a certificate with a trusted certificate chain to access the company’s
on-premise application endpoint, the identity architect should generate a certificate authority-signed certificate in Salesforce and upload it to the on-premise
application Truststore. A certificate authority-signed certificate is a certificate that is issued by a trusted third-party entity, such as VeriSign or Thawte, that verifies
the identity and authenticity of the certificate holder. A Truststore is a repository that stores trusted certificates and public keys. By generating a certificate authoritysigned certificate in Salesforce and uploading it to the on-premise application Truststore, the identity architect can enable mutual authentication and secure
communication between Salesforce and the on-premise application. The other options are not recommended for this scenario, as they either do not provide a
trusted certificate chain, do not enable mutual authentication, or do not secure the communication. References: Create Certificate Authority-Signed Certificates,
Mutual Authentication

From SurePassExam
https://www.surepassexam.com/Identity-and-Access-Management-Architect-exam-dumps.html (246 New Questions)

Question 3

Universal containers (UC) is setting up Delegated Authentication to allow employees to log in using their corporate credentials. UC's security team is concerned
about the risk of exposing the corporate login service on the Internet and has asked that a reliable trust mechanism be put in place between the login service and
salesforce. What mechanism should an architect put in place to enable a trusted connection between the login services and salesforce?

Accepted Answer

To enable a trusted connection between the login services and Salesforce, UC should enforce mutual authentication between systems using SSL. Mutual
authentication is a process in which both parties in a communication verify each other’s identity using certificates7. SSL (Secure Sockets Layer) is a protocol that
provides secure communication over the Internet using encryption and certificates8. By using mutual authentication with SSL, UC can ensure that only authorized
login services can access Salesforce and vice versa. This can prevent unauthorized access, impersonation, or phishing attacks.
References: Mutual Authentication, SSL (Secure Sockets Layer)

Question 4

Universal Containers (UC) is building an authenticated Customer Community for its customers. UC does not want customer credentials stored in Salesforce and is
confident its customers would be willing to use their social media credentials to authenticate to the community. Which two actions should an Architect recommend
UC to take?

Accepted Answer

Configuring an Authentication Provider for LinkedIn Social Media Accounts allows UC to use LinkedIn as an external identity provider for its customer community.
This means that customers can use their LinkedIn credentials to log in to the community without storing their credentials in Salesforce. Creating a Custom Apex
Registration Handler allows UC to customize how new and existing users are handled when they log in with an external identity provider. This means that UC can
control how user records are created, updated, or matched when customers use their social media credentials to authenticate to the community. These two actions
can meet the requirement of UC to use social media credentials for its customer community.

Question 5

Universal Containers is considering using Delegated Authentication as the sole means of Authenticating of Salesforce users. A Salesforce Architect has been
brought in to assist with the implementation. What two risks Should the Architect point out? Choose 2 answers

Accepted Answer

The two risks that the architect should point out for using delegated authentication as the sole means of authenticating Salesforce users are:
 UC will be required to develop and support a custom SOAP web service. Delegated authentication is a feature that allows Salesforce to delegate the
authentication process to an external service by making a SOAP callout to a web service that verifies the user’s credentials. This feature requires UC to develop
and support a custom SOAP web service that can accept and validate the user’s username and password, and return a boolean value to indicate whether the
authentication is successful or not. This could increase complexity and cost for UC, as they need to write custom code and maintain the web service.
 Salesforce users will be locked out of Salesforce if the web service goes down. Delegated authentication relies on the availability and performance of the
external web service that handles the authentication requests from Salesforce. If the web service goes down or becomes slow, Salesforce users will not be able to
log in or access Salesforce, as they will receive an error message or a timeout response. This could cause disruption and frustration for UC’s business operations
and user satisfaction.
The other options are not valid risks for using delegated authentication. Delegated authentication can be enabled or disabled for individual users or groups of users
by using permission sets or profiles, not for the entire Salesforce org. The web service does not need to reside on a public cloud service, such as Heroku, as it can
be hosted on any platform that supports SOAP services and can communicate with Salesforce. References: [Delegated Authentication], [Enable ‘Delegated
Authentication’], [Troubleshoot Delegated Authentication]

Question 6

Universal Containers (UC) wants to integrate a third-party Reward Calculation system with Salesforce to calculate Rewards. Rewards will be calculated on a
schedule basis and update back into Salesforce. The integration between Salesforce and the Reward Calculation System needs to be secure. Which are two
recommended practices for using OAuth flow in this scenario. choose 2 answers

Accepted Answer

OAuth is an open-standard protocol that allows a client app to access protected resources on a resource server, such as Salesforce API, by obtaining an access
token from an authorization server. OAuth supports different types of flows, which are ways of obtaining an access token. For integrating a third-party Reward

From SurePassExam
https://www.surepassexam.com/Identity-and-Access-Management-Architect-exam-dumps.html (246 New Questions)
Calculation system with Salesforce securely, two recommended practices for using OAuth flow are:
 OAuth SAML Bearer Assertion Flow, which allows the client app to use a SAML assertion issued by a trusted identity provider to request an access token from
Salesforce. This flow does not require the client app to store any credentials or secrets, and leverages the existing SSO infrastructure between Salesforce and the
identity provider.
 OAuth JWT Bearer Token Flow, which allows the client app to use a JSON Web Token (JWT) signed by a private key to request an access token from
Salesforce. This flow does not require any user interaction or consent, and uses a certificate to verify the identity of the client app.
Verified References: [OAuth 2.0 SAML Bearer Assertion Flow for Server-to-Server Integration], [OAuth 2.0 JWT Bearer Token Flow for Server-to-Server
Integration]

Question 7

Northern Trail Outfitters (NTO) uses Salesforce for Sales Opportunity Management. Okta was recently brought in to Just-in-Time (JIT) provision and authenticate
NTO users to applications. Salesforce users also use Okta to authorize a Forecasting web application to access Salesforce records on their behalf.
Which two roles are being performed by Salesforce? Choose 2 answers

Accepted Answer

Salesforce acts as an OAuth client when it uses Okta to authorize a Forecasting web application to access
Salesforce records on behalf of the user. Salesforce acts as a SAML service provider when it accepts SAML assertions from Okta to authenticate NTO users.
References: OAuth 2.0 Web Server Authentication
Flow, SAML Single Sign-On Overview

Question 8

Universal Containers (UC) has a desktop application to collect leads for marketing campaigns. UC wants to extend this application to integrate with Salesforce to
create leads. Integration between the desktop application and Salesforce should be seamless. What Authorization flow should the Architect recommend?

Accepted Answer

This is an OAuth authorization flow that allows a web server application to obtain an access token to access Salesforce resources on behalf of the user1. This flow
is suitable for integrating a desktop application with Salesforce, as it does not require the user to enter their credentials in the application, but rather redirects them
to the Salesforce login page to authenticate and authorize the application2. This way, the integration between the desktop application and Salesforce is seamless
and secure. The other options are not optimal for this requirement because:
 JWT Bearer Token Flow is an OAuth authorization flow that allows a client application to obtain an access token by sending a signed JSON Web Token (JWT)
to Salesforce3. This flow does not involve user interaction, and requires the client application to have a certificate and a private key to sign the JWT. This flow is
more suitable for server-to-server integration, not for desktop application integration.
 User Agent Flow is an OAuth authorization flow that allows a user-agent-based application (such as a browser or a mobile app) to obtain an access token by
redirecting the user to Salesforce and receiving the token in the URL fragment4. This flow is not suitable for desktop application integration, as it requires the
application to parse the URL fragment and store the token securely.
 Username and Password Flow is an OAuth authorization flow that allows a client application to obtain an access token by sending the user’s username and
password to Salesforce5. This flow is not recommended for desktop application integration, as it requires the user to enter their credentials in the application,
which is not secure or seamless. References: OAuth Authorization Flows, Implement the OAuth 2.0 Web Server Flow, JWT-Based Access Tokens (Beta), UserAgent Flow, Username-Pass Flow

Question 9

Which two considerations should be made when implementing Delegated Authentication? Choose 2 answers

Accepted Answer

Delegated authentication is a feature that allows Salesforce to delegate the authentication process to an external service of your choice1. When implementing
delegated authentication, you should consider the following aspects2:
 The authentication web service can include custom attributes, such as user roles or permissions, in the response to Salesforce. These attributes can be used
to update user records or trigger workflows in Salesforce2.
 Delegated authentication can be used to authenticate API clients and mobile apps that use the SOAP API or REST API login() methods. However, it does not
support OAuth 2.0 flows or other authentication methods2.
 Delegated authentication does not require trusted IP ranges at the User Profile level. However, you can use them to restrict access to Salesforce from specific
IP addresses or ranges2.
 Salesforce servers receive but do not validate a user’s credentials. Instead, they pass the credentials to the external authentication service, which validates
them and returns a response to Salesforce2.

From SurePassExam
https://www.surepassexam.com/Identity-and-Access-Management-Architect-exam-dumps.html (246 New Questions)
 Just-in-time provisioning can be configured for new users who log in with delegated authentication. Thi
feature allows Salesforce to create or update user accounts based on the information provided by the external authentication service3.
References:
 Delegated Authentication
 Delegated Authentication Single Sign-On
 Just-in-Time Provisioning for Delegated Authentication

Question 10

Universal containers (UC) has implemented SAML SSO to enable seamless access across multiple applications. UC has regional salesforce orgs and wants it's
users to be able to access them from their main Salesforce org seamless. Which action should an architect recommend?

Accepted Answer

The action that an architect should recommend to UC is to configure the main Salesforce org as the identity provider. An identity provider is an application that
authenticates users and provides information about them to service providers. A service provider is an application that provides a service to users and relies on an
identity provider for authentication. SAML (Security Assertion Markup Language) is an XML-based standard that allows identity providers and service providers to
exchange authentication and authorization data. SSO (Single Sign-On) is a feature that allows users to access multiple applications with one login. In this scenario,
the main Salesforce org is the identity provider that authenticates users using SAML and provides information about them to the regional Salesforce orgs. The
regional Salesforce orgs are the service providers that provide services to users and rely on the main Salesforce org for authentication. This way, users can
access the regional Salesforce orgs from the main Salesforce org seamlessly using SSO.
References: [Identity Provider Overview], [SAML Single Sign-On Overview], [Single Sign-On Overview], [Salesforce as an Identity Provider]