Salesforce Certified Identity and Access Management Designer — Question 33

The security team at Universal Containers has identified exporting reports as a high-risk action and would like to require users to be logged into Salesforce with their Active Directory (AD) credentials when doing so. For all other uses of Salesforce, users should be allowed to use AD credentials or Salesforce credentials.
What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with Salesforce credentials?

Answer options

• A. Use SAML Federated Authentication and Custom SAML JIT Provisioning to dynamically add or remove a Permission Set that grants the Export Reports permission.
• B. Use SAML Federated Authentication, treat SAML Sessions as High Assurance, and raise the session level required for exporting reports.
• C. Use SAML Federated Authentication with a Login Flow to dynamically add or remove a Permission Set that grants the Export Reports permission.
• D. Use SAML Federated Authentication and block access to reports when accessed through a Standard Assurance session.

Correct answer: B

Explanation

The correct answer, B, is appropriate because it ensures that only sessions classified as High Assurance, which requires AD credentials, are allowed to export reports. The other options either do not adequately enforce the security requirement for exporting reports (A and C) or do not allow report viewing with Salesforce credentials (D).