Identity-and-Access-Management-Architect Exam Dumps - Salesforce Certified Platform Identity and Access Management Architect (Plat-Arch-203)

These are the mechanisms that the Salesforce REST API uses for authentication. According to the Salesforce documentation1, the REST API requires an access token obtained by authentication. The access token is a session credential that represents the authorization of a specific application to access specific parts of a user’s data2. The access token is valid for a limited time and can be refreshed using a refresh token. A refresh token is a credential that represents the authorization of an application to refresh an expired access token2.

Option A is incorrectbecause an authentication token is not used by the Salesforce REST API. An authentication token is an email security feature that appends a uniquestring of characters to your password when you log in from an unrecognized device or IP address3. Option B is incorrect because a session ID is not used by the Salesforce REST API. A session ID is a unique identifier fora user’s session that can be used for SOAP API calls4.

To optimize license usage and reduce maintenance overhead for customers who use Community to track orders and create inquiries and tend to move across regions frequently, the identity architect should recommend enabling Contactless User in all orgs and downgrade users from Experience Cloud license to External Identity license once users havemoved out of that region. Contactless User is a feature that allows users to access Experience Cloud sites without having a contact record associated with them. External Identity is a license type that enables users to access Experience Cloud sites usingsocial sign-on or single sign-on, but not access Salesforce objects or data. By enabling Contactless User and downgrading users from Experience Cloud license to External Identity license, the identity architect can reduce the number of contacts and licenses needed for each region and avoid data duplication and synchronization issues. References: Contactless User, External Identity License, User Licenses

To track information about devices from which users log in and revoke the device access, the identity architect should use the Activations feature. Activations are records that store information about the devices and browsers that users use to access Salesforce. Administrators can view, manage, and revoke activations for users from the Setup menu. Activations can help monitor and control user access from different devices. References: Activations, Manage Activations for Your Users

Enabling “Allow customers and partners to self-register” allows guests to create their own user accounts in the portal. Selecting the “Configurable Self-Reg Page” option allows the administratorto customize the self-registration page to capture the required fields. Customizing the self-registration Apex handler to create only the user record prevents the automatic creation of a contact record until verification. References: Enable Self-Registration, Customize Self-Registration

The Entity ID is the SAML SSO setting inSalesforce that provides the capability to differentiate Salesforce from other service providers. The Entity ID is a unique identifier for the service provider that is sent in the SAML request and response messages1. The identity provider uses the Entity ID to determine which service provider is requesting or receiving authentication information2. You can customize the Entity ID for your Salesforce org or Experience Cloud site in the SAML Single Sign-On Settings page3. References: 1: SAML SSO Flows 2: Federated Authentication Using SAML to Log in to Salesforce Org 3: Step 2: Create a SAML Single Sign-On Setting in Salesforce

The two capabilities of an identity provider that the architect should detail to help strengthen the business case are that the identity provider can authenticate multiple applications and that the identity provider can centralize enterprise password policy. These capabilities can provide benefits such as reducing login friction, improving user experience, enhancing security, and simplifying administration. Option B is not a good choice because the identity provider can authenticate multiple social media accounts may not be relevant for UC’s business case, as it does not specify how UC will use social media for its identity management. Option C is not a good choice because the identity provider can store credentials for multiple applications may not be desirable or secure for UC’s business case, as it may imply that theidentity provider is using password vaulting or federation rather than single sign-on (SSO) or identity federation. References: Identity Management Concepts, [Single Sign-On Implementation Guide]

Just-in-Time (JIT) provisioning is a feature that allows Salesforce to create or update user records on the fly when users log in through an external identity provider. This eliminates the need for manual or batch user provisioning in Salesforce. References: Just-in-Time Provisioning for SAML and OpenID Connect, Identity 101: Design Patterns for Access Management

To implement social sign-on for customers to register and log in to a portal built on Salesforce Experience Cloud using their Facebook or LinkedIn credentials, the identity architect should take three steps:

Create authentication providers for both Facebook and LinkedIn. Authentication providers are configurations that enable users to authenticatewith an external identity provider and access Salesforce resources. Salesforce provides predefined authentication providers for some common identity providers, such as Facebook and LinkedIn, which can be easily configured with minimal customization.

Check“Facebook” and “LinkedIn” under Login Page Setup. Login Page Setup is a setting that allows administrators to customize the login page for Experience Cloud sites. By checking “Facebook” and “LinkedIn”, the identity architect can enable social sign-on buttons for these identity providers on the login page.

Update the default registration handlers to create and update users. Registration handlers are classes that implement the Auth.RegistrationHandler interface and define how to create or update users in Salesforce based on the information from the external identity provider. The identity architect can update the default registration handlers to link the user’s social identity with their Salesforce identity and prevent duplicate accounts. References: Authentication Providers, Social Sign-On with Authentication Providers, Login Page Setup, Create a Custom Registration Handler