Sample Questions and Answers
How can Salesforce admins customize the login experience when integrating with external IdPs?
A) Use My Domain with custom login pages and branding, and configure SSO settings.
B) Disable My Domain.
C) Use default Salesforce login only.
D) Remove user profiles.
Answer: A
Explanation: My Domain enables custom branding and login flows.
What is a potential limitation of using Username-Password OAuth flow?
A) It requires storing user credentials in the client, which is less secure.
B) It supports MFA natively.
C) It cannot generate access tokens.
D) It is recommended for mobile apps.
Answer: A
Explanation: Storing passwords in clients poses security risks.
What must be included in the SAML assertion for Just-in-Time provisioning to work correctly?
A) User attributes such as username, email, and profile mapping fields.
B) Only the user’s password.
C) The OAuth token.
D) Refresh token.
Answer: A
Explanation: Required user attributes must be present for user creation or update.
How can Salesforce Identity Connect simplify user provisioning?
A) It automates user creation, updates, and deactivation by syncing from AD to Salesforce.
B) It requires manual user provisioning.
C) It disables external authentication.
D) It only manages passwords.
Answer: A
Explanation: Identity Connect automates lifecycle management via synchronization.
When architecting Salesforce Identity for an enterprise, what is a key benefit of using an external Identity Provider (IdP) instead of Salesforce as the IdP?
A) Centralized user authentication and single source of truth across multiple apps.
B) Eliminates the need for user provisioning.
C) Salesforce cannot act as an IdP.
D) Salesforce disables MFA with external IdP.
Answer: A
Explanation: Using an external IdP centralizes authentication and management across systems.
Which Salesforce feature allows administrators to delegate user authentication to a third-party web service via SOAP?
A) Delegated Authentication
B) Just-in-Time Provisioning
C) OAuth Authorization Code Flow
D) Identity Connect
Answer: A
Explanation: Delegated Authentication calls an external SOAP service to validate credentials.
How does the OpenID Connect protocol differ from plain OAuth 2.0 in Salesforce authentication scenarios?
A) OpenID Connect adds an identity layer that returns user info claims; OAuth is authorization only.
B) OAuth supports user identity info; OpenID Connect does not.
C) OpenID Connect is legacy, replaced by OAuth.
D) They are identical protocols.
Answer: A
Explanation: OpenID Connect builds on OAuth 2.0, adding identity claims in ID tokens.
What Salesforce object or feature tracks the external identity provider used for a federated user?
A) Federation ID field on the user record.
B) Permission Set
C) Profile
D) OAuth Client
Answer: A
Explanation: Federation ID maps Salesforce user records to external identities.
You want to allow external partners to log into your Salesforce org using their corporate credentials without creating individual Salesforce users. Which Salesforce feature supports this?
A) External Identity with Partner Communities and SSO integration.
B) Delegated Authentication.
C) Password policies.
D) Salesforce internal login only.
Answer: A
Explanation: External Identity plus Communities enables external users via SSO without full user licenses.
How can you prevent phishing attacks in Salesforce SSO scenarios?
A) Use signed SAML assertions with certificates and validate issuer URLs.
B) Disable MFA.
C) Use anonymous login URLs.
D) Allow all IP ranges.
Answer: A
Explanation: Signed assertions and issuer validation protect against tampering.
When designing OAuth scopes for a connected app, what is the risk of granting the “full” scope unnecessarily?
A) It grants broad access to all APIs and user data, increasing risk if compromised.
B) It limits user access too much.
C) It disables token refresh.
D) It prevents users from logging in.
Answer: A
Explanation: Broad scopes increase attack surface and risk data exposure.
What is the primary function of the Salesforce “Auth Provider” setup?
A) It configures Salesforce to authenticate users via external OAuth providers like Google or Facebook.
B) It manages user profiles.
C) It resets passwords.
D) It stores login hours.
Answer: A
Explanation: Auth Provider enables social or external OAuth logins.
How do you configure Salesforce to accept SAML responses only from trusted Identity Providers?
A) Upload and configure the IdP certificate in Salesforce SSO settings.
B) Disable SSO.
C) Use a connected app without certificates.
D) Use username-password login only.
Answer: A
Explanation: Salesforce verifies SAML signatures using the configured IdP certificate.
Which Salesforce setting helps mitigate session hijacking risks for connected apps?
A) Enforce IP restrictions and refresh token policies in connected app settings.
B) Disable sessions.
C) Allow unlimited concurrent logins.
D) Store passwords in cookies.
Answer: A
Explanation: IP restrictions and token expiration reduce session hijacking.
What is the use of the “Subject Confirmation” element in a SAML assertion?
A) To confirm how the identity assertion is bound to the user, e.g., via bearer token.
B) To provide user’s email.
C) To encrypt the assertion.
D) To specify the encryption algorithm.
Answer: A
Explanation: It defines how the assertion can be confirmed or validated by the SP.
What are key advantages of using Salesforce Identity Connect with Active Directory?
A) Automated user provisioning, attribute synchronization, and password sync.
B) Password resets only.
C) No user sync is supported.
D) It replaces SSO.
Answer: A
Explanation: Identity Connect syncs users, attributes, and passwords from AD to Salesforce.
What best practice should be followed for securing the private key used in SAML assertion signing?
A) Store the private key securely with restricted access and rotate regularly.
B) Share it with all admins.
C) Use the same key for multiple environments indefinitely.
D) Embed it in public URLs.
Answer: A
Explanation: Secure key management protects signature integrity and security.
How can Salesforce enforce multi-factor authentication (MFA) for users authenticating via SAML SSO?
A) The external IdP must enforce MFA before sending the SAML assertion.
B) Salesforce enforces MFA regardless of IdP.
C) MFA is not supported with SAML.
D) MFA is enforced via password policies.
Answer: A
Explanation: Salesforce trusts the IdP’s authentication, so MFA must be handled there.
When integrating Salesforce with multiple Identity Providers, how does Salesforce distinguish between them?
A) By using unique SAML issuer URLs and My Domain configurations for each IdP.
B) It does not support multiple IdPs.
C) By user profile names.
D) By connected app names.
Answer: A
Explanation: Unique issuer URLs and domain setups enable multi-IdP configurations.
What is the effect of enabling “Require Secret for Web Server Flow” in a connected app?
A) The OAuth client secret is required for token exchange in Authorization Code flow.
B) Disables token refresh.
C) Requires password for every API call.
D) Removes all security.
Answer: A
Explanation: Client secret enhances security by requiring client authentication during token exchange.
How does Just-in-Time provisioning handle attribute updates when a user logs in via SAML?
A) Salesforce updates user attributes based on the SAML assertion mapping each login.
B) Attributes are never updated after user creation.
C) Only the password is updated.
D) JIT does not update users.
Answer: A
Explanation: JIT updates user fields dynamically from assertion attributes on login.
What is the role of the “Error URL” in Salesforce SSO settings?
A) It redirects users to a custom page when SSO authentication fails.
B) It stores the password reset link.
C) It defines login hours.
D) It disables login.
Answer: A
Explanation: Custom error URLs improve user experience on login failure.
What is a key consideration when designing connected apps for mobile devices?
A) Use OAuth flows that do not expose client secrets, like PKCE.
B) Use username-password flow exclusively.
C) Allow unlimited access tokens.
D) Disable token expiration.
Answer: A
Explanation: PKCE secures public clients like mobile apps without client secrets.
Which Salesforce feature allows delegated administration of user identity and access management without granting full system admin permissions?
A) Delegated Authentication Admin permission and delegated groups.
B) Profile assignment.
C) Full System Administrator profile.
D) Password policies.
Answer: A
Explanation: Delegated Admins can manage authentication settings securely.
How do you audit and monitor user authentications via SAML in Salesforce?
A) Use Login History and Event Monitoring logs filtered by SAML events.
B) Audit is not possible.
C) Use password reset logs only.
D) Monitor user permissions.
Answer: A
Explanation: Salesforce logs SAML login events in Login History and Event Monitoring.
When a user authenticates via OpenID Connect in Salesforce, which token contains user identity claims?
A) ID Token (JWT)
B) Access Token
C) Refresh Token
D) Session ID
Answer: A
Explanation: The ID Token contains user info like email and name claims.
Which of the following is true about Salesforce OAuth “JWT Bearer Token Flow”?
A) It allows server-to-server integration without user interaction by exchanging a signed JWT.
B) It requires user password.
C) It is deprecated.
D) It only works for mobile apps.
Answer: A
Explanation: JWT Bearer flow enables headless OAuth with signed assertions.
What is the significance of the “Relay State” parameter in the SAML SSO login flow?
A) It carries the URL or context the user requested before authentication.
B) It contains the user’s password.
C) It encrypts the assertion.
D) It disables session timeout.
Answer: A
Explanation: Relay State preserves user navigation context post-authentication.
In Salesforce Identity Connect, what happens when an AD user is disabled?
A) The corresponding Salesforce user is deactivated or frozen based on sync settings.
B) Nothing happens automatically.
C) The Salesforce user is deleted.
D) Passwords are reset.
Answer: A
Explanation: Identity Connect sync can deactivate Salesforce users when AD accounts are disabled.
What is the purpose of the “Force Logout on Session Timeout” setting in connected apps?
A) It forces users to log in again after session timeout, enhancing security.
B) It extends session timeout indefinitely.
C) It disables session timeout.
D) It only works for delegated authentication.
Answer: A
Explanation: Enforcing logout prevents token reuse after inactivity.
What is a critical design consideration when implementing Single Logout (SLO) in Salesforce?
A) Coordinating logout across all federated services to prevent stale sessions.
B) Disabling logout functionality.
C) It only works for internal users.
D) It disables MFA.
Answer: A
Explanation: SLO requires careful coordination to end sessions across IdP and SPs.
How does Salesforce secure OAuth tokens at rest?
A) Tokens are encrypted in Salesforce’s secure database storage.
B) Tokens are stored as plain text.
C) Tokens are stored in cookies.
D) Tokens are not stored.
Answer: A
Explanation: Salesforce encrypts tokens to prevent unauthorized access.
When designing a multi-org Salesforce Identity solution, what approach helps unify user access and provisioning?
A) Use Salesforce Identity with My Domain and External Identity licenses connected via Identity Connect or SCIM.
B) Manage each org separately without integration.
C) Use separate usernames per org.
D) Avoid SSO.
Answer: A
Explanation: Salesforce Identity supports centralized user management across orgs.
What Salesforce technology supports SCIM (System for Cross-domain Identity Management) for user provisioning?
A) Identity Connect and some third-party apps support SCIM APIs.
B) Delegated Authentication.
C) SAML only.
D) OAuth Client.
Answer: A
Explanation: SCIM automates user provisioning/de-provisioning with supported connectors.