
Salesforce Exam Identity and Access Management Architect Topic 2 Question 42 Discussion

Actual exam question for Salesforce's Identity and Access Management Architect exam
Question #: 42
Topic #: 2

Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Access Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee was recently able to log in to NTO's Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory.

What should an identity architect recommend to prevent this from happening in the future?

Suggested Answer: B

Contribute your Thoughts:

Annmarie
4 months ago
Option B is a solid choice. Delegating authentication to the LDAP directory is a common and reliable approach.
upvoted 0 times
Nelida
3 months ago
It's important to have a secure off-boarding process in place to protect sensitive data.
upvoted 0 times
...
Omega
3 months ago
That sounds like a good solution to prevent unauthorized access to company systems.
upvoted 0 times
...
Allene
3 months ago
I agree, it would help ensure that terminated employees can't access Salesforce after being disabled in LDAP.
upvoted 0 times
...
Carole
4 months ago
Option B is a solid choice. Delegating authentication to the LDAP directory is a common and reliable approach.
upvoted 0 times
...
...
Vallie
5 months ago
Ha! This reminds me of the time my uncle got fired and still managed to log into the company server for a whole week. Good times.
upvoted 0 times
...
Chun
5 months ago
I like Option C. Making a callout to LDAP before authentication is a good way to verify the user's status before letting them in.
upvoted 0 times
Ming
3 months ago
Definitely, it's important to verify the user's status before granting access to sensitive systems.
upvoted 0 times
...
Jacqueline
3 months ago
I agree, it adds an extra layer of security by checking the user's status before allowing access.
upvoted 0 times
...
Laurena
3 months ago
Option C sounds like a good solution to prevent this from happening again.
upvoted 0 times
...
Yuonne
4 months ago
Definitely, verifying the user's status before authentication is key to preventing unauthorized access.
upvoted 0 times
...
Edward
4 months ago
I agree, using a login flow to check with LDAP before allowing access seems like a solid plan.
upvoted 0 times
...
Gayla
4 months ago
Option C sounds like a good solution to prevent this from happening again.
upvoted 0 times
...
...
Ulysses
5 months ago
Option D is interesting, but it might be overkill for this scenario. Do we really need to set up an entire identity provider just for this?
upvoted 0 times
Alline
4 months ago
Option D is interesting, but it might be overkill for this scenario. Do we really need to set up an entire identity provider just for this?
upvoted 0 times
...
Leigha
4 months ago
A) Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP.
upvoted 0 times
...
...
Gladys
5 months ago
I think using a login flow to make a callout to the LDAP directory is the most secure option.
upvoted 0 times
...
Leota
5 months ago
I'm not sure, I think option D could also work well.
upvoted 0 times
...
Marshall
5 months ago
Option A seems like the most straightforward solution. It ensures that the user is deactivated in all systems as soon as they are terminated.
upvoted 0 times
Hyman
4 months ago
D) Setting up an identity provider (IdP) to authenticate users using LDAP and enabling single sign-on to Salesforce seems like a comprehensive solution.
upvoted 0 times
...
Yen
4 months ago
C) I think using a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce could be a good additional step.
upvoted 0 times
...
Christene
4 months ago
B) But wouldn't configuring an authentication provider to delegate authentication to the LDAP directory also help prevent this issue?
upvoted 0 times
...
Demetra
5 months ago
I agree, having a Just-in-Time provisioning registration handler would definitely help prevent this issue from happening again.
upvoted 0 times
...
Vi
5 months ago
A) Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP.
upvoted 0 times
...
Nickolas
5 months ago
Option A seems like the most straightforward solution. It ensures that the user is deactivated in all systems as soon as they are terminated.
upvoted 0 times
...
...
Anthony
5 months ago
I agree with Curt, Just-in-Time provisioning sounds like the way to go.
upvoted 0 times
...
Curt
5 months ago
I think option A is the best solution.
upvoted 0 times
...
