Which security feature must be in place for a Canvas app?

A canvas app must be registered as a connected app to ensure proper authentication and authorization for users accessing the app. This registration process involves defining key settings such as OAuth configuration, which enables secure communication between Salesforce and the external application. By being registered as a connected app, the canvas app can leverage Salesforce's security model, providing mechanisms for single sign-on, access control, and other critical security features necessary for maintaining compliance with organization security policies.

Inadequate security measures, as suggested by other options, are not applicable since canvas apps require established protocols to protect data and user information. For instance, operating without any security measures would expose significant risks, including unauthorized access and data breaches. Additionally, shared credentials are not mandatory—a practice that would undermine security by allowing multiple users to access the app using the same credentials, thus eliminating accountability. Lastly, limiting canvas app access solely to admin users does not support the intended use of these applications, which is often broader and designed to be accessible to a wider range of users based on defined permissions and roles.