Question 6 of 60
Universal Containers (UC) has decided to use Identity Connect as its Identity Provider. UC uses Active Directory (AD) and has a team that is very familiar and comfortable with managing AD groups. UC would like to use AD Groups to help configure Salesforce users.
Which three actions can AD Groups control through Identity Connect? (Choose three.)
    Correct Answer: A, B, E

    Identity Connect manages Salesforce users by synchronizing with Active Directory (AD) groups. AD groups can be mapped to Public Group Assignment, Role Assignment, and Permission Sets Assignment, so these are the three actions that AD Groups can control through Identity Connect.

Question 7 of 60
The CIO of Universal Containers (UC) wants to start taking advantage of the refresh token capability for the UC applications that utilize OAuth 2.0. UC has enlisted an Architect to analyze all of the applications that use OAuth flows to see where refresh tokens can be applied.
Which two OAuth flows should the Architect consider in their evaluation? (Choose two.)
    Correct Answer: B, D

    The Web Server and User-Agent OAuth flows both allow for the use of refresh tokens. The Web Server flow is designed for server-side applications and provides long-lived access by obtaining a refresh token, which can be used to get a new access token without user intervention. The User-Agent flow, typically used for single-page or mobile applications, also supports the issuance of a refresh token to maintain the user session without repeated logins. The JWT Bearer Token flow does not utilize refresh tokens, as it directly uses JWTs for authentication, and the Username-Password flow is deprecated and should be avoided.

Question 8 of 60
An Architect needs to advise the team that manages the Identity Provider how to differentiate Salesforce from other Service Providers.
What SAML SSO setting in Salesforce provides this capability?
    Correct Answer: C

    To differentiate Salesforce from other Service Providers in a SAML SSO setting, the Entity Id is used. The Entity Id uniquely identifies the Service Provider, which in this case is Salesforce. This identification is essential for managing multiple Service Providers within the Identity Provider.

Question 9 of 60
Universal Containers (UC) uses middleware to integrate multiple systems with Salesforce. UC has a strict, new requirement that usernames and passwords cannot be stored in any UC system.
How can UC's middleware authenticate to Salesforce while adhering to this requirement?
    Correct Answer: B

    To meet the requirement that usernames and passwords cannot be stored, UC should use the JWT Bearer Token OAuth Flow. This flow allows systems to authenticate without needing to store or send user credentials. Instead, it uses a digitally signed JSON Web Token (JWT) that authenticates the identity of the system making the request.

Question 10 of 60
Customer Service Representatives at Universal Containers (UC) are complaining that whenever they click on links to case records and are asked to log in with SAML SSO, they are being redirected to the Salesforce Home tab and not the specific case record.
What item should an Architect advise the identity team at UC to investigate first?
    Correct Answer: D

    When Customer Service Representatives are redirected to the Salesforce Home tab instead of the specific case record after logging in with SAML SSO, the issue likely lies with the handling of the RelayState parameter. RelayState is used in SAML SSO to maintain the state of the user's session, including the URL they were trying to access before being redirected to the Identity Provider. If the Identity Provider does not preserve the RelayState, users land on a default location such as the Home tab rather than the intended record, so ensuring that the Identity Provider correctly preserves the RelayState is crucial in this scenario.