Identity-and-Access-Management-Architect Exam Dumps - Salesforce Certified Identity andAccess Management Architect (SP25)

Two-way SSL is a method of mutual authentication between two parties using digital certificates. A digital certificate is an electronic document that contains information about the identity of the certificate owner and a public key that can be used to verify their signature. A digital certificate can be either self-signed or CA-signed. A self-signed certificate is created and signed by its owner, while a CA-signed certificate is created by its owner but signed by a trusted Certificate Authority (CA). For setting up two-way SSL between Salesforce and an external system, two valid choices fordigital certificates are:

Use a self-signed certificate for Salesforce and a self-signed certificate for the external system. This option is simple and cost-effective, but requires both parties to trust each other’s self-signed certificates explicitly.

Use a self-signed certificate for Salesforce and a trusted CA-signed certificate for the external system. This option is more secure and reliable, but requires Salesforce to trust the CA that signed the external system’s certificate implicitly.

  These are the systems that are acting as identity providers (IdPs) in the SSO scenario. An IdP is a trusted provider that enables a customer to use single sign-on (SSO) to access other websites5. In this case, Pingfederate and Salesforce Org 1 are the IdPs that authenticate the users and issue SAML assertions or OAuth tokensto the service providers (SPs). The SPs are the websites that hostapps and rely on the IdPs for authentication5. In this case, Salesforce Org 2, Financial System, and CPQ Systemare the SPs that receive the SAML assertions or OAuth tokens from the IdPs and grant access to the users.

Option A is incorrect because Financial System is not an IdP, but an SP. It does not authenticate the users, but receives SAML assertions from Pingfederate. Option C is incorrect because Salesforce Org 2 is not an IdP, but an SP. It does not authenticate the users, but receives OAuth tokens from Salesforce Org 1.

 Identity Connect is a tool that synchronizes user data between Microsoft Active Directory and Salesforce. It allows user provisioning, deprovisioning, and single sign-on (SSO) between multiple Active Directory domains and a single Salesforce org. Oneof the features of Identity Connect is that it can revoke the user’s Salesforce session immediately when the user is deprovisioned in an on-premise Active Directory. This can enhance security and compliance by preventing unauthorized access to Salesforceresources. References: Identity Connect Implementation Guide, Identity Connect Overview

The refresh token is used to obtain a new access token when the previous one expires. To revoke the user session, the logout function should invoke the revocation URL and pass the refresh token as a parameter. This will invalidate both the refresh token and the access token, and prevent the user from accessing Salesforce without logging in again2.

The recommended solution to grant mobile app access to sales users is to use connected apps OAuth policies to restrict mobile app access to authorized users. A connected app is a configuration in Salesforce that allows an external application, such as a mobile app, to connect to Salesforce using OAuth. OAuth is a protocol that allows the mobile app to obtain an access token from Salesforce after the user grants permission. The access token can then be used by the mobile app to access Salesforce data and features. OAuth policies are settings that control how users can access a connected app, such as who can use the app, how long the access token is valid, and what level of access the app requests. By configuring OAuth policies in the connected app settings, Universal Containers can restrict the mobile app access to only the sales team and protect against unauthorized or excessive access.

If the third-party authentication provider supports only the OAuth protocol and not OpenID Connect,then an identity architect needs to create a custom external authentication provider for it. A custom external authentication provider is a configuration that allows users to log in to Salesforce using an external identity provider that is not predefined by Salesforce. It requires implementing the Auth.AuthProviderPlugin interface and defining the OAuth endpoints and parameters.

My Domain is a feature that allows you to personalize your Salesforce org with a subdomain within the Salesforcedomain. For example, instead of using a generic URL like https://na30.salesforce.com, you can use a custom URL like https://somethingReallycool.my.salesforce.com10. My Domain should be enabled in Salesforce as a prerequisite for the following reasons:

My Domain lets you work in multiple Salesforce orgs in the samebrowser. Without My Domain, you can only log in to one org at a time in the same browser.

My Domain lets you set up single sign-on (SSO) with third-party identity providers (IdPs). SSO is an authentication method that allows users to access multiple applications with one login and one set of credentials. With My Domain and SSO, users can log in to Salesforce using their corporate credentials or social accounts.

My Domain lets you customize your login page with your brand. You can add your logo, background image, right-frame content, and authentication service buttons to your login page.

Enabling “Allow customers and partners to self-register” allows guests to create their own user accounts in the portal. Selecting the “Configurable Self-Reg Page” option allows the administratorto customize the self-registration page to capture the required fields. Customizing the self-registration Apex handler to create only the user record prevents the automatic creation of a contact record until verification. References: Enable Self-Registration, Customize Self-Registration