Salesforce Exam Identity and Access Management Architect Topic 7 Question 35 Discussion

Actual exam question for Salesforce's Identity and Access Management Architect exam
Question #: 35
Topic #: 7

Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Access Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee was recently able to log in to NTO's Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory.

What should an identity architect recommend to prevent this from happening in the future?

Suggested Answer: B

Contribute your Thoughts:

Anna
6 months ago
I wonder if the terminated employee was able to log in because they had a crystal ball that told them when they'd be disabled in LDAP. Spooky!
upvoted 0 times
...
Izetta
6 months ago
Just-in-time provisioning, eh? Sounds like someone's been watching too many sci-fi movies!
upvoted 0 times
Brynn
5 months ago
C) use a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce.
upvoted 0 times
...
Hyman
5 months ago
A) Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP.
upvoted 0 times
...
...
Luann
6 months ago
I'm leaning towards option C. Making a direct callout to LDAP before authentication is a nice way to verify the user's status.
upvoted 0 times
...
Darnell
6 months ago
Option D looks good to me. Delegating authentication to the LDAP directory and setting up SSO seems like a more comprehensive approach.
upvoted 0 times
Melodie
5 months ago
It's important to have a secure authentication process in place to avoid any security breaches.
upvoted 0 times
...
Mammie
5 months ago
I agree, having a single sign-on setup would definitely help prevent unauthorized access.
upvoted 0 times
...
Shakira
6 months ago
Option D looks good to me. Delegating authentication to the LDAP directory and setting up SSO seems like a more comprehensive approach.
upvoted 0 times
...
...
Karrie
7 months ago
That's a good point. Option C could help in preventing such incidents in the future.
upvoted 0 times
...
Karl
7 months ago
Hmm, I think option A is the way to go. Automating the deactivation process across systems seems like the most robust solution.
upvoted 0 times
...
Craig
7 months ago
I believe option C would be more efficient, as it involves making a callout to the LDAP directory before authenticating the user.
upvoted 0 times
...
Augustine
7 months ago
But wouldn't option A also ensure users are deactivated in Salesforce as soon as they are disabled in LDAP?
upvoted 0 times
...
Karrie
7 months ago
I think we should go with option D.
upvoted 0 times
...
Donette
8 months ago
Jokes aside, I think option B is the simplest solution. Delegating authentication to the LDAP directory seems like the most straightforward way to ensure user deactivation is in sync.
upvoted 0 times
Emogene
7 months ago
Using a login flow with Option C might be more secure.
upvoted 0 times
...
Karl
7 months ago
I think Option A could also work if implemented correctly.
upvoted 0 times
...
Suzan
7 months ago
Option B sounds like the way to go.
upvoted 0 times
...
...
Xochitl
8 months ago
Haha, imagine if the terminated employee tried to log in and the system was like, 'Sorry, your LDAP card has been declined. Try again never!'
upvoted 0 times
...
Jina
8 months ago
Hmm, I'm not too sure about that. Doesn't that mean we need to maintain two separate authentication systems? Feels like a lot of overhead.
upvoted 0 times
...
Filiberto
8 months ago
Hold up, option C with the login flow sounds good too. We can make a callout to LDAP and check the user's status before they even get to the Salesforce login page.
upvoted 0 times
...
Jess
8 months ago
Yeah, definitely a security concern we need to address. I'm leaning towards option D, setting up an identity provider to handle the LDAP authentication. That way, we can have a more centralized control over user access.
upvoted 0 times
...
Edna
8 months ago
Woah, this question is a tricky one! It's like a puzzle we need to solve to prevent that terminated employee from logging in again.
upvoted 0 times
...
