Salesforce Updated Identity-and-Access-Management-Architect Exam Questions and Answers by marcel

 To enable a trusted connection between the login service and Salesforce, an architect should enforce mutual authentication between systems using SSL. Mutual authentication, also known as two-way SSL or client certificate authentication, is a process in whichboth parties in a communication exchange certificates to verify their identities7. This mechanism ensures that only authorized systems can access each other’s resources and prevents unauthorized access or spoofing attacks8. To use mutual authentication with delegated authentication, you need to do the following steps9:

Generate a self-signed certificate in Salesforce and download it.

Import the certificate into your login service’s truststore.

Configure your login service to require client certificates for incoming requests.

Generate a certificate for your login service and export it.

Import the certificate into Salesforce’s certificate and key management tool.

Enable mutual authentication for your login service’s endpoint URL in Salesforce.

 Enabling “MFA for User Interface Logins” for the organization is the simplest way to ensure that all user logins include a single MFA prompt. This setting applies to both direct logins and SSO logins, and overrides any other MFA settings at the profile or permission set level. References: Enable MFA for Direct User Logins, Everything You Need to Know About MFA Auto-Enablement and Enforcement

JWT OAuth Flow is a protocol that allows a client app to obtain an access token from Salesforce by using a JSON Web Token (JWT)instead of an authorization code. The JWT contains information about the client app and the user who wants to access Salesforce. To use this flow, the client app needs to have a connected app configured in Salesforce. The connected app is a framework thatenables an external application to integrate with Salesforce using APIs and standard protocols. To support JWT OAuth Flow, two settings need to be configured in the connected app:

The Use Digital Signature option, which enables the connected app to verifythe signature of the JWT using a certificate.

The “api” OAuth scope, which allows the connected app to access Salesforce APIs on behalf of the user. References: JWT OAuth Flow, Connected Apps, OAuth Scopes

Delegated authentication is a feature that allows Salesforce to delegate the authentication process to an external service of your choice1. When implementing delegated authentication, you shouldconsider the following aspects2:

The authentication web service can include custom attributes, such as user roles or permissions, in the response to Salesforce. These attributes can be used to update user records or trigger workflows in Salesforce2.

Delegated authentication can be used to authenticate API clients and mobile apps that use the SOAP API or REST API login() methods. However,it does not support OAuth 2.0 flows or other authentication methods2.

Delegated authentication does not require trusted IP ranges at the User Profile level. However, you can use them to restrict access to Salesforce from specific IP addresses orranges2.

Salesforce servers receive but do not validate a user’s credentials. Instead, they pass the credentials to the external authentication service, which validates them and returns a response to Salesforce2.

Just-in-time provisioning can be configured for new users who log in with delegated authentication. This feature allows Salesforce to create or update user accounts based on the information provided bythe external authentication service3.