How Many Questions Of Identity-and-Access-Management-Architect Test Questions

NEW QUESTION 1
Universal containers (UC) uses a home-grown employee portal for their employees to collaborate. UC decides to use salesforce ideas to allow the employees to post ideas from the employee portal. When clicking some links in the employee portal, the users should be redirected to salesforce, authenticated, and presented with relevant pages. What scope should be requested when using the Oauth token to meet this requirement?

• A. Web
• B. Full
• C. API
• D. Visualforce

Answer: A

Explanation:
The web scope should be requested when using the OAuth token to meet this requirement. The web scope
allows the user to log in to Salesforce and access the web UI. This is suitable for scenarios where the user is redirected from an external portal to Salesforce and needs to see the relevant pages. Option B is not a good choice because the full scope allows access to all data accessible by the user, including the web UI and the API. This may be unnecessary or insecure for this requirement. Option C is not a good choice because the API scope allows access to the Salesforce API only, not the web UI. This may not meet the requirement of presenting the user with relevant pages. Option D is not a good choice because the visualforce scope allows access to Visualforce pages only, not the entire web UI. This may limit the user’s experience and functionality.
References: OAuth 2.0 Web Server Authentication Flow, Digging Deeper into OAuth 2.0 on Force.com

NEW QUESTION 2
An Architect has configured a SAML-based SSO integration between Salesforce and an external Identity provider and is ready to test it. When the Architect attempts to log in to Salesforce using SSO, the Architect receives a SAML error. Which two optimal actions should the Architect take to troubleshoot the issue?

• A. Ensure the Callback URL is correctly set in the Connected Apps settings.
• B. Use a browser that has an add-on/extension that can inspect SAML.
• C. Paste the SAML Assertion Validator in Salesforce.
• D. Use the browser's Development tools to view the Salesforce page's markup.

Answer: BC

Explanation:
these are the optimal actions to troubleshoot a SAML error. According to the Salesforce documentation1, yo can use the following methods to debug a SAML error:
Use a browser that has an add-on/extension that can inspect SAML. This will allow you to see the SAML request and response messages and identify any issues with the SAML assertion or the SAML response2.
Paste the SAML Assertion Validator in Salesforce. This is a tool that helps you validate the last SAML operation on your organization and shows you any errors or warnings with the SAML assertion or the SAML response1.
Option A is incorrect because the Callback URL is not related to SAML SSO. The Callback URL is used for OAuth SSO, which is a different protocol3. Option D is incorrect because using the browser’s Development tools to view the Salesforce page’s markup will not help you debug a SAML error. The page’s markup does not contain any information about the SAML request or response4.
References: 1: SAML Login Errors - Salesforce 2: How to Troubleshoot a Single Sign-On Error | Salesfo Ben 3: Identity Providers and Service Providers - Salesforce 4: Single Sign-On - Salesforce

NEW QUESTION 3
Universal containers (UC) built a customer Community for customers to buy products, review orders, and manage their accounts. UC has provided three different options for customers to log in to the customer Community: salesforce, Google, and Facebook. Which two role combinations are represented by the systems in the scenario? Choose 2 answers

• A. Google is the service provider and Facebook is the identity provider
• B. Salesforce is the service provider and Google is the identity provider
• C. Facebook is the service provider and salesforce is the identity provider
• D. Salesforce is the service provider and Facebook is the identity provider

Answer: BD

Explanation:
The two role combinations that are represented by the systems in the scenario are Salesforce as the service provider and Google as the identity provider, and Salesforce as the service provider and Facebook as the identity provider. This means that Salesforce hosts the customer community app and relies on Google or Facebook to authenticate the users who log in with those options4. Therefore, option B and D are the correct answers.
References: Salesforce as Service Provider and Identity Provider for SSO

NEW QUESTION 4
Universal Containers (UC) employees have Salesforce access from restricted IP ranges only, to protect against unauthorized access. UC wants to roll out the Salesforce1 mobile app and make it accessible from any location. Which two options should an Architect recommend? Choose 2 answers

• A. Relax the IP restriction with a second factor in the Connect App settings for Salesforce1 mobile app.
• B. Remove existing restrictions on IP ranges for all types of user access.
• C. Relax the IP restrictions in the Connect App settings for the Salesforce1 mobile app.
• D. Use Login Flow to bypass IP range restriction for the mobile app.

Answer: AC

Explanation:
The two options that an architect should recommend for UC to roll out the Salesforce1 mobile app and make it accessible from any location are:
Relax the IP restriction with a second factor in the Connected App settings for Salesforce1 mobile app.
This option allows UC to enable two-factor authentication (2FA) for the Salesforce1 mobile app, which requires users to verify their identity with a second factor, such as a verification code or a mobile app, after entering their username and password. By enabling 2FA in the Connected App settings, UC can relax the IP restriction for the Salesforce1 mobile app, as users can access it from any location as long as they provide the second factor.
Relax the IP restrictions in the Connected App settings for the Salesforce1 mobile app. This option allows UC to disable or modify the IP restriction for the Salesforce1 mobile app in the Connected App settings, which control how users can access a connected app, such as Salesforce1. By relaxing the IP restrictions, UC can allow users to access the Salesforce1 mobile app from any location without requiring 2FA.
The other options are not recommended for this scenario. Removing existing restrictions on IP ranges for all types of user access would compromise security and compliance, as it would expose Salesforce to unauthorized access from any location. Using Login Flow to bypass IP range restriction for the mobile app would require custom code and logic, which could introduce complexity and errors. References: [Connected Apps], [Two-Factor Authentication], [Require a Second Factor of Authentication for Connected Apps], [IP Restrictions for Connected Apps], [Login Flows]

NEW QUESTION 5
Universal containers(UC) has decided to build a new, highly sensitive application on Force.com platform. The security team at UC has decided that they want users to provide a fingerprint in addition to username/Password to authenticate to this application. How can an architect support fingerprint as a form of identification for salesforce Authentication?

• A. Use salesforce Two-factor Authentication with callouts to a third-party fingerprint scanning application.
• B. Use Delegated Authentication with callouts to a third-party fingerprint scanning application.
• C. Use an AppExchange product that does fingerprint scanning with native salesforce identity confirmation.
• D. Use custom login flows with callouts to a third-party fingerprint scanning application.

Answer: D

Explanation:
D is correct because using custom login flows with callouts to a third-party fingerprint scanning application allows UC to support fingerprints as a form of identification for Salesforce authentication. Custom login flows allow UC to implement custom logic and UI elements for authentication, such as calling an external web service that performs fingerprint scanning and verification. A is incorrect because using Salesforce two-factor authentication with callouts to a third-party fingerprint scanning application does not support fingerprints as a form of identification for Salesforce authentication. Salesforce two-factor authentication requires users to enter a verification code or use an app like Salesforce Authenticator, not a fingerprint. B is incorrect because using delegated authentication with callouts to a third-party fingerprint scanning application does not support fingerprints as a form of identification for Salesforce authentication. Delegated authentication requires users to enter their username and password, not a fingerprint. C is incorrect because using an AppExchange product that does fingerprint scanning with native Salesforce identity confirmation does not support fingerprints as a form of identification for Salesforce authentication. AppExchange products are third-party applications that integrate with Salesforce, not native Salesforce features. Verified References: [Custom Login Flows],
[Two-Factor Authentication], [Delegated Authentication], [AppExchange]

NEW QUESTION 6
A group of users try to access one of Universal Containers' Connected Apps and receive the following error message: " Failed: Not approved for access." What is the most likely cause of this issue?

• A. The Connected App settings "All users may self-authorize" is enabled.
• B. The Salesforce Administrators have revoked the OAuth authorization.
• C. The Users do not have the correct permission set assigned to them.
• D. The User of High Assurance sessions are required for the Connected App.

Answer: C

Explanation:
The underlying mechanisms that the UC Architect must ensure are part of the product are Just-in-Time (JIT) provisioning and deprovisioning. JIT provisioning is a process that creates or updates user accounts in Salesforce when users log in with SAML single sign-on (SSO)6. JIT deprovisioning is a process that disables or deletes user accounts in Salesforce when users are removed from the identity provider (IdP). Both of these processes enable automated provisioning and deprovisioning of users without requiring manual intervention or synchronization. The other options are not valid mechanisms for provisioning and deprovisioning. SOAP API is an application programming interface that allows developers to create, retrieve, update, or delete records in Salesforce. However, SOAP API does not support JIT provisioning or deprovisioning, and requires custom code to implement. Provisioning API is not a standard term for Salesforce, and there is no such API that supports both provisioning and deprovisioning.
References: Just-in-Time Provisioning for SAML, [Just-in-Time Deprovisioning], [SOAP API Developer

NEW QUESTION 7
Universal Containers built a custom mobile app for their field reps to create orders in Salesforce. OAuth is used for authenticating mobile users. The app is built in such a way that when a user session expires after Initial login, a new access token is obtained automatically without forcing the user to log in again. While that improved the field reps' productivity, UC realized that they need a "logout" feature.
What should the logout function perform in this scenario, where user sessions are refreshed automatically?

• A. Invoke the revocation URL and pass the refresh token.
• B. Clear out the client Id to stop auto session refresh.
• C. Invoke the revocation URL and pass the access token.
• D. Clear out all the tokens to stop auto session refresh.

Answer: A

Explanation:
The refresh token is used to obtain a new access token when the previous one expires. To revoke the user session, the logout function should invoke the revocation URL and pass the refresh token as a parameter. This will invalidate both the refresh token and the access token, and prevent the user from accessing Salesforce without logging in again2.
References:
Certification Exam Guide
Revoke OAuth Tokens

NEW QUESTION 8
Universal containers (UC) has a mobile application that calls the salesforce REST API. In order to prevent users from having to enter their credentials everytime they use the app, UC has enabled the use of refresh Tokens as part of the salesforce connected App and updated their mobile app to take advantage of the refresh token. Even after enabling the refresh token, Users are still complaining that they have to enter their credentials once a day. What is the most likely cause of the issue?

• A. The Oauth authorizations are being revoked by a nightly batch job.
• B. The refresh token expiration policy is set incorrectly in salesforce
• C. The app is requesting too many access Tokens in a 24-hour period
• D. The users forget to check the box to remember their credentials.

Answer: B

Explanation:
The most likely cause of the issue is that the refresh token expiration policy is set incorrectly in Salesforce. A refresh token is a credential that allows a connected app to obtain a new access token when the previous one expires1. The refresh token expiration policy determines how long a refresh token is valid for2. If the policy is set to a short duration, such as 24 hours, the users have to enter their credentials once a day to get a new refresh token. To prevent this, the policy should be set to a longer duration, such as “Refresh token is valid until revoked” or "Refresh token expires after 90 days of inactivity"2.
References: OAuth 2.0 Refresh Token Flow, Manage OAuth Access Policies for a Connected App

NEW QUESTION 9
A farming enterprise offers smart farming technology to its farmer customers, which includes a variety of sensors for livestock tracking, pest monitoring, climate monitoring etc. They plan to store all the data in Salesforce. They would also like to ensure timely maintenance of the Installed sensors. They have engaged a salesforce Architect to propose an appropriate way to generate sensor Information In Salesforce.
Which OAuth flow should the architect recommend?

• A. OAuth 2.0 Asset Token Flow
• B. OAuth 2.0 Device Authentication Row
• C. OAuth 2.0 JWT Bearer Token Flow
• D. OAuth 2.0 SAML Bearer Assertion Flow

Answer: A

Explanation:
To generate sensor information in Salesforce, the architect should recommend OAuth 2.0 Asset Token Flow. OAuth 2.0 Asset Token Flow is a protocol that allows devices, such as sensors, to obtain an access token from Salesforce by using a certificate instead of an authorization code. The access token can be used to access Salesforce APIs and send data to Salesforce. OAuth 2.0 Asset Token Flow is designed for devices that do not have a user interface or a web browser. References: OAuth 2.0 Asset Token Flow, Authorize Apps with OAuth

NEW QUESTION 10
Under which scenario Web Server flow will be used?

• A. Used for web applications when server-side code needs to interact with APIS.
• B. Used for server-side components when page needs to be rendered.
• C. Used for mobile applications and testing legacy Integrations.
• D. Used for verifying Access protected resources.

Answer: A

Explanation:
The web server flow is used for web applications when server-side code needs to interact with APIs. This flow implements the OAuth 2.0 authorization code grant type, which allows the web app to obtain an access token and a refresh token from Salesforce after the user grants permission1. The web app can then use the access token to call the Salesforce APIs and use the refresh token to obtain a new access token when the previous one expires2. The other options are not valid scenarios for using the web server flow. The web server flow is not used for server-side components when page needs to be rendered, as this does not involve API calls. The web server flow is not used for mobile applications and testing legacy integrations, as these scenarios are better suited for other OAuth flows, such as the user-agent flow or the password flow3. The web server flow is not used for verifying access protected resources, as this is a general purpose of OAuth, not a specific scenario for the web server flow. References: OAuth 2.0 Web Server Flow for Web App Integration, Mastering Salesforc Canvas Apps, OAuth Authorization Flows

NEW QUESTION 11
Northern Trail Outfitters (NTO) recently purchased Salesforce Identity Connect to streamline user provisioning across Microsoft Active Directory (AD) and Salesforce Sales Cloud.
NTO has asked an identity architect to identify which salesforce security configurations can map to AD permissions.
Which three Salesforce permissions are available to map to AD permissions? Choose 3 answers

• A. Public Groups
• B. Field-Level Security
• C. Roles
• D. Sharing Rules
• E. Profiles and Permission Sets

Answer: ACE

Explanation:
Salesforce Identity Connect can map AD groups to Salesforce public groups, roles, profiles, and permission sets. These permissions control the access and visibility of data and features in Salesforce. References:
Salesforce Identity Connect Implementation Guide

NEW QUESTION 12
Northern Trail Outfitters (NTO) is planning to roll out a partner portal for its distributors using Experience Cloud. NTO would like to use an external identity provider (idP) and for partners to register for access to the portal. Each partner should be allowed to register only once to avoid duplicate accounts with Salesforce.
What should a identity architect recommend to create partners?

• A. On successful creation of Partners using Self Registration page in Experience Cloud, create identity in Ping.
• B. Create a custom page m Experience Cloud to self register partner with Experience Cloud and Ping identity store.
• C. Create a custom web page in the Portal and create users in the IdP and Experience Cloud using published APIs.
• D. Allow partners to register through the IdP and create partner users in Salesforce through an API.

Answer: B

Explanation:
To create partners using an external identity provider (IdP) and avoid duplicate accounts with Salesforce, the identity architect should recommend creating a custom page in Experience Cloud to self register partner with Experience Cloud and Ping identity store. Ping is an IdP that supports OpenID Connect protocol, which allows users to sign in with an external identity provider and access Salesforce resources. By creating a custom page in Experience Cloud, the identity architect can use a custom registration handler to link the partner’s Ping identity with their Salesforce identity and prevent duplicate accounts. The custom page can also provide a seamless user experience for the partners. References: OpenID Connect Authentication Providers, Social Sign-On with OpenID Connect, Create a Custom Registration Handler

NEW QUESTION 13
A large consumer company is planning to create a community and will requ.re login through the customers social identity. The following requirements must be met:
* 1. The customer should be able to login with any of their social identities, however salesforce should only have one user per customer.
* 2. Once the customer has been identified with a social identity, they should not be required to authonze Salesforce.
* 3. The customers personal details from the social sign on need to be captured when the customer logs into Salesforce using their social Identity.
* 3. If the customer modifies their personal details in the social site, the changes should be updated in Salesforce.
Which two options allow the Identity Architect to fulfill the requirements? Choose 2 answers

• A. Use Login Flows to call an authentication registration handler to provision the user before logging the user into the community.
• B. Use authentication providers for social sign-on and use the custom registration handler to insert or update personal details.
• C. Redirect the user to a custom page that allows the user to select an existing social identity for login.
• D. Use the custom registration handler to link social identities to Salesforce identities.

Answer: BD

Explanation:
To allow customers to log in to the community with any of their social identities, such as Facebook, Google, or Twitter, the identity architect needs to use authentication providers for social sign-on. Authentication providers are configurations that enable users to authenticate with an external identity provider and access Salesforce resources. To ensure that Salesforce has only one user per customer, regardless of how many social identities they have, the identity architect needs to use the custom registration handler to link social identities to Salesforce identities. The custom registration handler is a class that implements the Auth.RegistrationHandler interface and defines how to create or update users in Salesforce based on the information from the external identity provider. The custom registration handler can also be used to insert or update personal details of the customers when they log in to Salesforce using their social identity.
References: Authentication Providers, Social Sign-On with Authentication Providers, Create a Custom Registration Handler

NEW QUESTION 14
What are three capabilities of Delegated Authentication? Choose 3 answers

• A. It can be assigned by Custom Permissions.
• B. It can connect to SOAP services.
• C. It can be assigned by Permission Sets.
• D. It can be assigned by Profiles.
• E. It can connect to REST services.

Answer: BCE

Explanation:
The three capabilities of delegated authentication are:
It can connect to SOAP services. Delegated authentication is a feature that allows Salesforce to delegate the authentication process to an external service by making a SOAP callout to a web service that verifies the user’s credentials. This feature enables Salesforce to integrate with existing identity stores or authentication methods that support SOAP services.
It can be assigned by permission sets. Permission sets are collections of settings and permissions that give users access to various tools and functions in Salesforce. Permission sets can be used to assign delegated authentication to users by enabling the “Is Single Sign-on Enabled” permission. This permission allows users to log in with delegated authentication instead of their Salesforce username and password.
It can connect to REST services. REST services are web services that use HTTP methods to access or manipulate resources on a server. REST services can be used for delegated authentication by creating a custom login page that makes a REST callout to an external service that verifies the user’s credentials. This approach requires custom code and configuration, but it provides more flexibility and control over the authentication process.
The other options are not capabilities of delegated authentication. Delegated authentication cannot be assigned by custom permissions or profiles. Custom permissions are settings that can be used in Apex code or validation rules to check whether a user has access to a custom feature or functionality. Custom permissions cannot be used to enable delegated authentication for users. Profiles are collections of settings and permissions that determine what users can do in Salesforce. Profiles cannot be used to enable delegated authentication for users, as this feature is controlled by permission sets. References: [Delegated Authentication], [Permission Sets], [Enable ‘Delegated Authentication’], [REST Services], [Custom Login Page for Delegated Authentication], [Custom Permissions], [Profiles]

NEW QUESTION 15
Universal Containers (UC) wants to use Salesforce for sales orders and a legacy of system for order fulfillment. The legacy system must update the status of orders in 65* Salesforce in real time as they are fulfilled. UC decides to use OAuth for connecting the legacy system to Salesforce. What OAuth flow should be considered that doesn't require storing credentials, client secret or refresh tokens?

• A. Web Server flow
• B. JWT Bearer Token flow
• C. Username-Password flow
• D. User Agent flow

Answer: B

Explanation:
The JWT Bearer Token flow is an OAuth flow in which an external app (also called client or consumer app) sends a signed JSON string to Salesforce called JWT to obtain an access token. The access token can then be used by the external app to read & write data in Salesforce1. This flow does not require storing credentials, client secret or refresh tokens, as the JWT is self-contained and includes information about the app and the user2. The other flows require either user interaction (Web Server flow and User Agent flow) or storing credentials (Username-Password flow)3.
References: Salesforce OAuth : JWT Bearer Flow, Accessing Salesforce with JWT OAuth Flow, OAuth Authorization Flows - Salesforce

NEW QUESTION 16
Universal Containers (UC) has built a custom token-based Two-factor authentication (2FA) system for their existing on-premise applications. They are now implementing Salesforce and would like to enable a
Two-factor login process for it, as well. What is the recommended solution as Architect should consider?

• A. Use the custom 2FA system for on-premise applications and native 2FA for Salesforce.
• B. Replace the custom 2FA system with an AppExchange App that supports on premise application and salesforce.
• C. Use Custom Login Flows to connect to the existing custom 2FA system for use in Salesforce.
• D. Replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce.

Answer: D

Explanation:
The recommended solution for UC to enable a two-factor login process for Salesforce and their existing
on-premise applications is to replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce. Salesforce 2FA is a feature that requires users to verify their identity with a second factor, such as a verification code or a mobile app, after entering their username and password. Salesforce 2FA can be enabled for both Salesforce and on-premise applications by using one of the following methods:
Use Salesforce Authenticator, a mobile app that generates verification codes or sends push notifications to users’ devices.
Use a third-party authenticator app, such as Google Authenticator or Microsoft Authenticator, that generates verification codes based on a shared secret key.
Use a verification code sent by email or SMS to users’ registered email address or phone number.
Use a U2F security key, such as YubiKey, that plugs into users’ devices and provides a physical token. By replacing the custom 2FA system with Salesforce 2FA, UC can benefit from the following advantages:
Improved security and compliance by using a standard and proven 2FA solution that protects against
phishing, credential theft, and brute force attacks.
Reduced complexity and cost by eliminating the need to maintain a custom 2FA system and integrating it with Salesforce.
Enhanced user experience and convenience by providing multiple options for verifying identity and allowing users to remember trusted devices or browsers.
The other options are not recommended solutions for this scenario. Using the custom 2FA system for
on-premise applications and native 2FA for Salesforce would create inconsistency and confusion for users who have to use different methods of verification for different applications. Replacing the custom 2FA system with an AppExchange app that supports on-premise applications and Salesforce would require UC to find an app that meets their specific needs and pay for its license and maintenance. Using custom login flows to connect to the existing custom 2FA system for use in Salesforce would require UC to write custom code and logic to invoke the custom 2FA system from Salesforce, which could introduce security and performance issues. References: [Two-Factor Authentication], [Salesforce Authenticator], [Third-Party Authenticator Apps], [Verification Code via Email or SMS], [U2F Security Keys], [Custom Login Flows]

NEW QUESTION 17
Universal containers (UC) has implemented SAML SSO to enable seamless access across multiple applications. UC has regional salesforce orgs and wants it's users to be able to access them from their main Salesforce org seamless. Which action should an architect recommend?

• A. Configure the main salesforce org as an authentication provider.
• B. Configure the main salesforce org as the Identity provider.
• C. Configure the regional salesforce orgs as Identity Providers.
• D. Configure the main Salesforce org as a service provider.

Answer: B

Explanation:
The action that an architect should recommend to UC is to configure the main Salesforce org as the identity provider. An identity provider is an application that authenticates users and provides information about them to service providers. A service provider is an application that provides a service to users and relies on an identity provider for authentication. SAML (Security Assertion Markup Language) is an XML-based standard that allows identity providers and service providers to exchange authentication and authorization data. SSO (Single Sign-On) is a feature that allows users to access multiple applications with one login. In this scenario, the main Salesforce org is the identity provider that authenticates users using SAML and provides information about them to the regional Salesforce orgs. The regional Salesforce orgs are the service providers that provide services to users and rely on the main Salesforce org for authentication. This way, users can access the regional Salesforce orgs from the main Salesforce org seamlessly using SSO.
References: [Identity Provider Overview], [SAML Single Sign-On Overview], [Single Sign-On Overview], [Salesforce as an Identity Provider]

NEW QUESTION 18
The CMO of an advertising company has invited an Identity and Access Management (IAM) specialist to discuss Salesforce out-of-box capabilities for configuring the company*s login and registration experience on Salesforce Experience Cloud.
The CMO is looking to brand the login page with the company's logo, background color, login button color, and dynamic right-frame from an external URL.
Which two solutions should the IAM specialist recommend? Choose 2 answers

• A. Use Experience Builder to build branded Reset and Forgot Password pages.
• B. Build custom pages for branding requirements in Experience Cloud.
• C. Build custom site pages for reset and forgot password features.
• D. Login & Registration pages can be branded in the Community Administration settings.

Answer: AD

Explanation:
Experience Builder and Community Administration settings are the tools that allow branding the login and registration pages in Experience Cloud. Custom pages are not necessary for this use case.
References: Architect Journey: Identity and Access Management Trailmix - Trailhead

NEW QUESTION 19
Universal Containers (UC) has implemented a multi-org architecture in their company. Many users have licences across multiple orgs, and they are complaining about remembering which org and credentials are tied to which business process. Which two recommendations should the Architect make to address the Complaints? Choose 2 answers

• A. Activate My Domain to Brand each org to the specific business use case.
• B. Implement SP-Initiated Single Sign-on flows to allow deep linking.
• C. Implement IdP-Initiated Single Sign-on flows to allow deep linking.
• D. Implement Delegated Authentication from each org to the LDAP provider.

Answer: AB

Explanation:
Activating My Domain allows each org to have a unique domain name that can be branded to the specific business use case2. This can help users identify which org they are logging into and avoid confusion. Implementing SP-Initiated Single Sign-on flows enables users to start from a service provider (such as Salesforce) and be redirected to an identity provider (such as Active Directory) for authentication3. This can also allow deep linking, which means users can access specific resources within the service provider after logging in4. These two recommendations can address the complaints of the users who have licenses across multiple orgs.

NEW QUESTION 20
......