Explanation
D is correct because using a self-signed certificate leads to higher maintenance for the trusting party, which is the client or browser that connects to the server. The trusting party needs to add the self-signed certificate to their truststore, which is a repository of trusted certificates, in order to establish a secure connection with the server. Otherwise, the trusting party will see a warning message or an error when accessing the server.
A is incorrect because using a self-signed certificate leads to higher maintenance for the trusted party, not lower. The trusted party needs to maintain multiple self-signed certificates from different servers in their truststore.
B is incorrect because using a self-signed certificate does not make the trusted party act as the trusted CA (Certificate Authority). The trusted CA is the entity that issues and validates certificates for servers. The trusted party only needs to trust the CA's root certificate, which is usually pre-installed in their truststore.
C is incorrect because using a self-signed certificate leads to higher maintenance for the trusting party, not lower. The trusting party still needs to maintain a trusted CA cert in their truststore, which is the self-signed certificate itself.
References: 1: SSL Certificate Installation Instructions & Tutorials - DigiCert 2: How To Install an SSL Certificate from a Commercial ... - DigitalOcean 3: Setup SSL CSR Creation and SSL Certificate Installation
- DigiCert

Explanation
The type of single sign-on that UC is using is SP-initiated, which means that the service provider (Salesforce) initiates the SSO process by sending a SAML request to the identity provider (PingFederate) when the user navigates to the My Domain URL3. Therefore, option A is the correct answer. References: SAML SSO with Salesforce as the Service Provider

Explanation
To enable a trusted connection between the login service and Salesforce, an architect should enforce mutual authentication between systems using SSL. Mutual authentication, also known as two-way SSL or client certificate authentication, is a process in which both parties in a communication exchange certificates to verify their identities7. This mechanism ensures that only authorized systems can access each other's resources and prevents unauthorized access or spoofing attacks8. To use mutual authentication with delegated authentication, you need to do the following steps9:
Generate a self-signed certificate in Salesforce and download it.
Import the certificate into your login service's truststore.
Configure your login service to require client certificates for incoming requests.
Generate a certificate for your login service and export it.
Import the certificate into Salesforce's certificate and key management tool.
Enable mutual authentication for your login service's endpoint URL in Salesforce.
References:
Mutual Authentication
Mutual Authentication Overview
Set Up Mutual Authentication

Explanation
High assurance sessions are sessions that require a stronger level of identity verification, such as two-factor authentication or SAML assertions1. Google Authenticator is an app that generates verification codes on your mobile device that you can use as a second factor of authentication2. These measures can help prevent unauthorized access to the connected app by ensuring that the user is who they claim to be and that they have access to their mobile device. Disallowing the use of single sign-on (SSO) for the mobile app is not a recommendation because SSO can provide a seamless and secure user experience across multiple applications3. Setting login IP ranges to the internal network for the app users profiles is not a recommendation because it can limit the mobility and flexibility of the users who are commonly out of the office. References: 1: Session Security Levels 2: Google Authenticator 3: Connected Apps : [Restrict Login Access by IP Address]

Explanation
Using the App Launcher with SSO and using a connected app are two features that can be utilized to provide users with login and identity services for the third-party application. The App Launcher allows users to access multiple apps from one location with SSO. The connected app allows users to authorize access to the third-party application using OAuth 2.0. The other options are either not relevant or not applicable for this use case. References: App Launcher, Connected Apps