Welcome to Pass4Success

Salesforce Exam Identity and Access Management Architect Topic 2 Question 46 Discussion

Actual exam question for Salesforce's Identity and Access Management Architect exam
Question #: 46
Topic #: 2

Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Access Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee recently was able to log in to NTO's Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory.

What should an identity architect recommend to prevent this from happening in the future?

Suggested Answer: B

Contribute your Thoughts:

Latrice
1 month ago
Haha, looks like the terminated employee found a loophole! Option A is the way to go - close that gap before anyone else tries to slip through.
upvoted 0 times
Lemuel
1 month ago
Option C with a login flow to check LDAP seems like a good compromise. It verifies the user's status before letting them in without needing a full IdP setup.
upvoted 0 times
Lawanda
8 days ago
Option C with a login flow to check LDAP seems like a good compromise.
upvoted 0 times
Twila
2 months ago
I'd go with Option D. Setting up an identity provider and using LDAP authentication is a more robust and secure long-term solution. Single sign-on is the way to go!
upvoted 0 times
Thurman
1 month ago
I agree, setting up an identity provider with LDAP authentication is a good long-term solution for security.
upvoted 0 times
Felice
1 month ago
Using an identity provider for authentication and setting up single sign-on seems like the most secure option.
upvoted 0 times
Yan
1 month ago
Option D sounds like the best solution. Single sign-on would definitely help prevent this issue.
upvoted 0 times
Pedro
2 months ago
I see your point, Javier. But I think option C could also work. Making a callout to the LDAP directory before authenticating the user seems like a good extra layer of security.
upvoted 0 times
Javier
2 months ago
I disagree, I believe option D is more secure. Setting up an identity provider with single sign-on to Salesforce would prevent unauthorized access.
upvoted 0 times
Frederica
3 months ago
Option A seems like the most straightforward solution to sync user deactivation between LDAP and Salesforce. It's a Just-in-Time fix that could prevent this issue from happening again.
upvoted 0 times
Alona
2 months ago
Option A seems like the most straightforward solution to sync user deactivation between LDAP and Salesforce. It's a Just-in-Time fix that could prevent this issue from happening again.
upvoted 0 times
Darell
2 months ago
A) Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP.
upvoted 0 times
Oretha
3 months ago
I think option A is the best choice. It ensures users are deactivated in Salesforce as soon as they are disabled in LDAP.
upvoted 0 times