Salesforce Identity-and-Access-Management-Architect - Salesforce Certified Platform Identity and Access Management Architect (Plat-Arch-203)

A is correct because SAML-based Federated authentication requires trust relationships between the IdP and the SP. The IdP issues a SAML assertion that contains information about the user’s identity and attributes. The SP validates the assertion and grants access to the user.

C is correct because web applications that use SAML-based Federatedauthentication do not require passwords for users to log in. Instead, they rely on the IdP to authenticate the users and provide a secure token. This eliminates the risk of password breaches and phishing attacks.

E is correct because centralized federationprovides a single point of access, control, and auditing for web applications that use SAML-based Federated authentication. Users can access multiple applications with one login, administrators can manage user access from one place, and auditors can monitor user activity across applications.

B is incorrect because SAML tokens are always in XML format. They cannot be used interchangeably with JSON tokens, which are used by OAuth or OpenID Connect protocols.

D is incorrect because access tokens are not usedby SAML-based Federated authentication. Access tokens are used by OAuth or OpenID Connect protocols to access resources on the server once the user is authenticated.

 TheOAuth feature of Salesforce that should be used to restrict the types of resources mobile users can access is scopes. Scopes are parameters that specify the level of access that the mobile app requests from Salesforce when it obtains an OAuth token. Scopescan be used to limit the access to certain resources or actions, such as API calls, full access, web access, or refresh token. By configuring scopes in the connected app settings, Universal Containers can control what the mobile app can do with the OAuthtoken and protect against unauthorized or excessive access.

These are the mechanisms that the Salesforce REST API uses for authentication. According to the Salesforce documentation1, the REST API requires an access token obtained by authentication. The access token is a session credential that represents the authorization of a specific application to access specific parts of a user’s data2. The access token is valid for a limited time and can be refreshed using a refresh token. A refresh token is a credential that represents the authorization of an application to refresh an expired access token2.

Option A is incorrectbecause an authentication token is not used by the Salesforce REST API. An authentication token is an email security feature that appends a uniquestring of characters to your password when you log in from an unrecognized device or IP address3. Option B is incorrect because a session ID is not used by the Salesforce REST API. A session ID is a unique identifier fora user’s session that can be used for SOAP API calls4.

In an environment where Salesforce users are enabled to access Google Apps from within Salesforce through App Launcher and Connected App setup, Google is the service provider and Salesforce is the identity provider. A service provider is an application that provides a service to users and relies on an identity provider for authentication3. A connected app is a service provider that integrates an application with Salesforce using APIs4. An identity provider is an application that authenticates users and provides information about them to service providers3. The App Launcher is a feature that allows users to access Salesforce, connected, and on-premises apps from one location5. In this scenario, Google Apps are connected apps that provide services to Salesforce users, such as Gmail, Google Drive, and GoogleCalendar. Salesforce isthe identity provider that authenticates users and allows them to access Google Apps with their Salesforce credentials using single sign-on (SSO)6.

The best option for UC to meet the requirements is to add an Apex callout in the registration handler of the authorization provider. An authorization provider is a configuration in Salesforce that allows usersto log in with an external authentication provider, such as Facebook. A registration handler is an Apex class that implements the Auth.RegistrationHandler interface and defines the logic for creating or updating a user account when a user logs in with anexternal authentication provider. An Apex callout is a method that invokes an external web service from Apex code. By adding an Apex callout in the registration handler, UC can create a customer account in their accounting system by calling the web servicethat is accessible to Salesforce. This option enables UC to automate the account creation process and integrate with their existing accounting system. The other options are not optimal for this scenario. Creating a custom application on Heroku that manages the sign-on process from Facebook would require UC to develop and maintain a separate application and infrastructure, which could increase complexity and cost. Using JIT provisioning to automatically create the account in the accounting system would require UC to configure Facebook as a SAML identity provider, which is not supported by Facebook. Using OAuth JWT flow to pass the data from Salesforce to the accounting system would require UC to obtain anOAuth token from the accounting system and use it tomake API calls, which could introduce security and performance issues. References: [Authorization Providers], [Create a Registration Handler Class], [Auth.RegistrationHandler Interface], [Apex Callouts], [Facebook as SAML Identity Provider], [OAuth 2.0 JWTBearer Flow for Server-to-Server Integration]

To ensure that requests must include a certificate with a trusted certificate chain to access the company’s on-premise application endpoint, the identity architect should generate a certificate authority-signed certificate in Salesforce and upload it to the on-premise application Truststore. A certificate authority-signed certificate is a certificate that is issued by a trusted third-party entity, such as VeriSign or Thawte, that verifies the identity and authenticity of the certificate holder. A Truststore is a repository that stores trusted certificates and public keys. By generating a certificate authority-signed certificate in Salesforce and uploading it to the on-premise application Truststore, the identity architect can enable mutual authentication and secure communication between Salesforce and the on-premise application. The other options are not recommended for this scenario, as they either donot provide a trusted certificate chain, do not enable mutual authentication, or do not secure the communication. References: Create Certificate Authority-Signed Certificates, Mutual Authentication

To fulfill the use case of creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agentflow, where users will authenticate using username and password and not be forced to approve API access or reauthenticate for 3 months, the identity architect should configure two connected app options:

Set Permitted Users to “All users may self-authorize”. Permitted Users is a setting that controls how users can access a connected app. By setting it to “All users may self-authorize”, the identity architect can allow users to access the connected app without requiring administrator approval or API access confirmation.

Set the Refresh Token Policy to expire refresh token after 3 months. Refresh Token Policy is a setting that controls how long a refresh token can be used to obtain a new access token without requiring user authentication. By setting it toexpire refresh token after 3 months, the identity architect can allow users to access the connected app for 3 months without reauthenticating, as long as they use the app at least once every 90 days. References: Connected Apps, OAuth 2.0 User-Agent Flow

 The two recommended actions UC can take to achieve the functionality of allowing community users to register and log in with LinkedIn or Facebook credentials are:

Enable Facebook and LinkedIn as login options in the login section of the community configuration. This action allows UC to configure Facebook and LinkedIn as authorization providers in Salesforce, which are external services that authenticate users and provide information about their identity and attributes. Byenabling these login options in the community configuration, UC can display Facebook and LinkedIn icons on the community login page and allow users to log in with their existing credentials from these services.

Create custom registration handlers to linkLinkedIn and Facebook accounts to user records. This action allows UC to create Apex classes that implement the Auth.RegistrationHandler interface and define the logic for creating or updating user accounts in Salesforce when users log in with LinkedIn orFacebook. By creating custom registration handlers, UC can map the information from the authorization providers to the user fields in Salesforce, such as name, email, profile, or contact.

The other options are not recommended actions for this scenario. Storing the LinkedIn or Facebook user IDs in the Federation ID field on the Salesforce user record is not necessary or sufficient for enabling SSO with these services, as the Federation ID is used for SAML-based SSO, not OAuth-based SSO. Creating custom buttons for Facebook and LinkedIn using JavaScript/CSS on a custom Visualforce page is not advisable, as it would require custom code and UI development, which could increase complexity and maintenance efforts. Moreover, it would not leverage the built-in functionality of authorization providers and registration handlers that Salesforce provides. References: [Authorization Providers], [Enable Social Sign-On for Your Community], [Create a Registration Handler Class], [Auth.RegistrationHandler Interface], [Federation ID]

The best approach to simplify the authentication process and reduce cost and maintenance is to configure UC1 as the Identity Provider to the other four Salesforce orgs and set up JIT user provisioning on all other orgs. This way, users can log in to any of thefive orgs using their UC1 credentials, and their user accounts will be automatically created or updated in the other orgs based on the information from UC11. This eliminates the need to purchase a third-party Identity Provider or manually provision users in advance. The other options are not optimal forthis requirement because:

Purchasing a third-party Identity Provider for all five Salesforce orgs would incur additional cost and maintenance, and would not leverage the existing user base in UC1.

Not setting up JIT user provisioning for other orgs would require manually creating or updating user accounts in each org, which would be time-consuming and error-prone. References: Salesforce as an Identity Provider, Identity Providers and Service Providers, Just-in-Time Provisioning for SAML

To optimize license usage and reduce maintenance overhead for customers who use Community to track orders and create inquiries and tend to move across regions frequently, the identity architect should recommend enabling Contactless User in all orgs and downgrade users from Experience Cloud license to External Identity license once users havemoved out of that region. Contactless User is a feature that allows users to access Experience Cloud sites without having a contact record associated with them. External Identity is a license type that enables users to access Experience Cloud sites usingsocial sign-on or single sign-on, but not access Salesforce objects or data. By enabling Contactless User and downgrading users from Experience Cloud license to External Identity license, the identity architect can reduce the number of contacts and licenses needed for each region and avoid data duplication and synchronization issues. References: Contactless User, External Identity License, User Licenses