Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Salesforce Exam Identity and Access Management Architect Topic 7 Question 35 Discussion

Actual exam question for Salesforce's Identity and Access Management Architect exam
Question #: 35
Topic #: 7
[All Identity and Access Management Architect Questions]

Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Act Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee recently was able to login to NTO's Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory.

What should an identity architect recommend to prevent this from happening in the future?

Show Suggested Answer Hide Answer
Suggested Answer: B

by Glen at Apr 10, 2024, 05:57 AM

Limited Time Offer

25%

Off

Get Premium Identity and Access Management Architect Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Anna
8 months ago
I wonder if the terminated employee was able to login because they had a crystal ball that told them when they'd be disabled in LDAP. Spooky!
upvoted 0 times
...
Izetta
8 months ago
Just-in-time provisioning, eh? Sounds like someone's been watching too many sci-fi movies!
upvoted 0 times
Brynn
7 months ago
C) use a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce.
upvoted 0 times
...
Hyman
8 months ago
A) Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP.
upvoted 0 times
...
...
Luann
8 months ago
I'm leaning towards option C. Making a direct callout to LDAP before authentication is a nice way to verify the user's status.
upvoted 0 times
...
Darnell
8 months ago
Option D looks good to me. Delegating authentication to the LDAP directory and setting up SSO seems like a more comprehensive approach.
upvoted 0 times
Melodie
8 months ago
It's important to have a secure authentication process in place to avoid any security breaches.
upvoted 0 times
...
Mammie
8 months ago
I agree, having a single sign-on setup would definitely help prevent unauthorized access.
upvoted 0 times
...
Shakira
8 months ago
Option D looks good to me. Delegating authentication to the LDAP directory and setting up SSO seems like a more comprehensive approach.
upvoted 0 times
...
...
Karrie
9 months ago
That's a good point. Option C could help in preventing such incidents in the future.
upvoted 0 times
...
Karl
10 months ago
Hmm, I think option A is the way to go. Automating the deactivation process across systems seems like the most robust solution.
upvoted 0 times
...
Craig
10 months ago
I believe option C would be more efficient, as it involves making a callout to the LDAP directory before authenticating the user.
upvoted 0 times
...
Augustine
10 months ago
But wouldn't option A also ensure users are deactivated in Salesforce as soon as they are disabled in LDAP?
upvoted 0 times
...
Karrie
10 months ago
I think we should go with option D.
upvoted 0 times
...
Donette
11 months ago
Jokes aside, I think option B is the simplest solution. Delegating authentication to the LDAP directory seems like the most straightforward way to ensure user deactivation is in sync.
upvoted 0 times
Emogene
9 months ago
Using a login flow with Option C might be more secure.
upvoted 0 times
...
Karl
9 months ago
I think Option A could also work if implemented correctly.
upvoted 0 times
...
Suzan
10 months ago
Option B sounds like the way to go.
upvoted 0 times
...
...
Xochitl
11 months ago
Haha, imagine if the terminated employee tried to log in and the system was like, 'Sorry, your LDAP card has been declined. Try again never!'
upvoted 0 times
...
Jina
11 months ago
Hmm, I'm not too sure about that. Doesn't that mean we need to maintain two separate authentication systems? Feels like a lot of overhead.
upvoted 0 times
...
Filiberto
11 months ago
Hold up, option C with the login flow sounds good too. We can make a callout to LDAP and check the user's status before they even get to the Salesforce login page.
upvoted 0 times
...
Jess
11 months ago
Yeah, definitely a security concern we need to address. I'm leaning towards option D, setting up an identity provider to handle the LDAP authentication. That way, we can have a more centralized control over user access.
upvoted 0 times
...
Edna
11 months ago
Woah, this question is a tricky one! It's like a puzzle we need to solve to prevent that terminated employee from logging in again.
upvoted 0 times
...

Save Cancel