Salesforce Exam Identity-and-Access-Management-Architect Topic 2 Question 42 Discussion

Actual exam question for Salesforce's Salesforce Certified Identity and Access Management Architect exam

Question #: 42
Topic #: 2

[All Salesforce Certified Identity and Access Management Architect Questions]

Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Act Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee recently was able to login to NTO's Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory.

What should an identity architect recommend to prevent this from happening in the future?

ACreate a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP.

BConfigure an authentication provider to delegate authentication to the LDAP directory.

Cuse a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce.

DSetup an identity provider (IdP) to authenticate users using LDAP, set up single sign-on to Salesforce and disable Login Form authentication.

Show Suggested Answer

Suggested Answer: B

by Tarra at Jul 02, 2024, 10:00 PM

Limited Time Offer

25%

Off

Get Premium Identity-and-Access-Management-Architect Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Annmarie

27 days ago

Option B is a solid choice. Delegating authentication to the LDAP directory is a common and reliable approach.

upvoted 0 times

...

Vallie

1 months ago

Ha! This reminds me of the time my uncle got fired and still managed to log into the company server for a whole week. Good times.

upvoted 0 times

...

Chun

1 months ago

I like Option C. Making a callout to LDAP before authentication is a good way to verify the user's status before letting them in.

upvoted 0 times

Yuonne

12 days ago

Definitely, verifying the user's status before authentication is key to preventing unauthorized access.

upvoted 0 times

...

Edward

24 days ago

I agree, using a login flow to check with LDAP before allowing access seems like a solid plan.

upvoted 0 times

...

Gayla

26 days ago

Option C sounds like a good solution to prevent this from happening again.

upvoted 0 times

...

Ulysses

1 months ago

Option D is interesting, but it might be overkill for this scenario. Do we really need to set up an entire identity provider just for this?

upvoted 0 times

Alline

21 days ago

Option D is interesting, but it might be overkill for this scenario. Do we really need to set up an entire identity provider just for this?

upvoted 0 times

...

Leigha

25 days ago

A) Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP.

upvoted 0 times

...

Gladys

2 months ago

I think using a login flow to make a callout to the LDAP directory is the most secure option.

upvoted 0 times

...

Leota

2 months ago

I'm not sure, I think option D could also work well.

upvoted 0 times

...

Marshall

2 months ago

Option A seems like the most straightforward solution. It ensures that the user is deactivated in all systems as soon as they are terminated.

upvoted 0 times

Hyman

5 days ago

D) Setting up an identity provider (IdP) to authenticate users using LDAP and enabling single sign-on to Salesforce seems like a comprehensive solution.

upvoted 0 times

...