How should an Architect automatically redirect users to the login page of the external Identity Provider when using an SP-initiated SAML flow with Salesforce as a Service Provider?
Correct Answer: C
Explanation:
In an SP-initiated SAML SSO flow in Salesforce, when a user tries to access Salesforce (Service Provider), the system must automatically redirect the user to the external Identity Provider for authentication. This behavior is enabled through the My Domain authentication configuration, specifically by turning on the “Redirect to the Identity Provider” setting under Authentication Services. This ensures that instead of showing the Salesforce login page, users are seamlessly redirected to the IdP login page. Option A is incorrect because Visualforce pages are not required for SSO routing. Option C is incorrect because removing the login page does not control IdP redirection behavior. Option D is incorrect because marking an IdP as default is not what triggers automatic redirection in SP-initiated flows.
Question 3
Universal Containers (UC) has a classified information system that its call center team uses only when they are working on a case with a record type "Classified". They are only allowed to access the system when they own an open "Classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO with Salesforce as the IdP, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "Classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying access to the classified information system based on the open "Classified" case record criteria?
Correct Answer: D
Explanation:
C is correct because Custom SAML Just-In-Time (JIT) provisioning allows Salesforce (as the Identity Provider) to make real-time decisions during the SSO login process by evaluating user attributes and business logic at authentication time. In this scenario, it can dynamically check whether the user currently owns an open “Classified” case and then include that logic in the SAML assertion to either grant or deny access to the external system immediately during login, which makes it the only option capable of enforcing access based on live record data at the moment of authentication.