Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, who use SAML based sign sign-on to login to Salesforce. The default agent profile does not include the Manage User permission. UC wants to dynamically update the agent role and permission sets.
Which two mechanisms are used to provision agents with the appropriate permissions?
Choose 2 answers

• A.Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets.
• B.Use SAML Just-m-Time (JIT) Handler class run as current user to update role and permission sets.
• C.Use Login Flow in User Context to update role and permission sets.
• D.Use Login Flow in System Context to update role and permission sets.

Comment: *

Name: *

Email: *

Verification: *

Universal containers (UC) has a classified information system that it's call centre team uses only when they are working on a case with a record type of "classified". They are only allowed to access the system when they own an open "classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO with salesforce as the IDP, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying access to the classified information system based on the open "classified" case record criteria?

• A.Use salesforce reports to identify users that currently owns open "classified" cases and should be granted access to the classified information system.
• B.Use a custom connected App handler using apex to dynamically allow access to the system based on whether the staff owns any open "classified" cases.
• C.Use custom SAML jit provisioning to dynamically query the user's open "classified" cases when attempting to access the classified information system
• D.Use apex trigger on case to dynamically assign permission sets that grant access when a user is assigned with an open "classified" case, and remove it when the case is closed.

Comment: *

Name: *

Email: *

Verification: *

Universal Containers (UC) is implementing Salesforce and would like to establish SAML SSO for its users to log in. UC stores its corporate user identities in a Custom Database. The UC IT Manager has heard good things about Salesforce Identity Connect as an Idp, and would like to understand what limitations they may face if they decided to use Identity Connect in their current environment. What limitation Should an Architect inform the IT Manager about?

• A.Identity Connect will only support Idp-initiated SAML flows in UC's current environment.
• B.Identity Connect will only support SP-initiated SAML flows in UC's current environment.
• C.Identity connect is not compatible with UC's current identity environment.
• D.Identity Connect will not support user provisioning in UC's current environment.

Comment: *

Name: *

Email: *

Verification: *

Universal containers (UC) would like to enable SSO between their existing Active Directory infrastructure and salesforce. The it team prefers to manage all users in Active Directory and would like to avoid doing any initial setup of users in salesforce directly, including the correct assignment of profiles, roles and groups. Which two optimal solutions should UC use to provision users in salesforce? Choose 2 answers

• A.Use Active Directory Federation Services to sync users from active directory to salesforce.
• B.Use an app exchange product to sync users from Active Directory to salesforce.
• C.Use the salesforce REST API to sync users from active directory to salesforce
• D.Use Identity connect to sync users from Active Directory to salesforce

Comment: *

Name: *

Email: *

Verification: *

Universal containers (UC) uses a legacy Employee portal for their employees to collaborate and post their ideas. UC decides to use salesforce ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to push ideas posted on the Employee portal to salesforce through API. UC decides to use an API user using Oauth Username - password flow for the connection. How can the connection to salesforce be restricted only to the employee portal server?

• A.Use a digital certificate signed by the employee portal Server.
• B.Add the employee portals IP address to the login IP range on the user profile.
• C.Use a dedicated profile for the user the Employee portal uses.
• D.Add the Employee portals IP address to the Trusted IP range for the connected App

Comment: *

Name: *

Email: *

Verification: *