
Identity-and-Access-Management-Architect Questions and Answers

Question # 6

Universal Containers (UC) uses Global Shipping (GS) as one of their shipping vendors. Regional leads of GS need access to UC's Salesforce instance for reporting damage of goods using Cases. The regional leads also need access to dashboards to keep track of regional shipping KPIs. UC internally uses a third-party cloud analytics tool for capacity planning, and UC has decided to provide access to this tool to a subset of GS employees. In addition to the regional leads, the GS capacity planning team would benefit from access to this tool. To access the analytics tool, UC IT has set up Salesforce as the Identity Provider for internal users and would like to follow the same approach for the GS users as well. What are the most appropriate license types for the GS Regional Leads and the GS Capacity Planners? Choose 2 answers

A.

Customer Community Plus license for GS Regional Leads and External Identity license for GS Capacity Planners.

B.

Customer Community Plus license for GS Regional Leads and Customer Community license for GS Capacity Planners.

C.

Identity license for GS Regional Leads and External Identity license for GS Capacity Planners.

D.

Customer Community license for GS Regional Leads and Identity license for GS Capacity Planners.

Question # 7

Universal Containers (UC) has an e-commerce website where customers can buy products, make payments, and manage their accounts. UC decides to build a Customer Community on Salesforce and wants to allow customers to access the community for their accounts without logging in again. UC decides to implement SP-initiated SSO using a SAML-compliant IdP. In this scenario, where Salesforce is the Service Provider, which two activities must be performed in Salesforce to make SP-initiated SSO work? Choose 2 answers

A.

Configure SAML SSO settings.

B.

Configure Delegated Authentication.

C.

Create a Connected App.

D.

Set up My Domain.

Question # 8

An architect has successfully configured SAML-based SSO for Universal Containers. SSO has been working for 3 months when Universal Containers manually adds a batch of new users to Salesforce. The new users receive an error from Salesforce when trying to use SSO. Existing users are still able to successfully use SSO to access Salesforce. What is the probable cause of this behaviour?

A.

The administrator forgot to reset the new users' Salesforce passwords.

B.

The Federation ID field on the new user records is not correctly set.

C.

The My Domain capability is not enabled on the new users' profile.

D.

The new users do not have the SSO permission enabled on their profiles.

Question # 9

Universal Containers (UC) is setting up Delegated Authentication to allow employees to log in using their corporate credentials. UC's security team is concerned about the risk of exposing the corporate login service on the Internet and has asked that a reliable trust mechanism be put in place between the login service and Salesforce. What mechanism should an architect put in place to enable a trusted connection between the login service and Salesforce?

A.

Include client ID and client secret in the login header callout.

B.

Set up a proxy server for the login service in the DMZ.

C.

Require the use of Salesforce security tokens on passwords.

D.

Enforce mutual authentication between systems using SSL.

Question # 10

An architect needs to set up a Facebook Authentication Provider as a login option for a Salesforce Customer Community. What portion of the Authentication Provider setup associates a Facebook user with a Salesforce user?

A.

Consumer key and consumer secret

B.

Federation ID

C.

User info endpoint URL

D.

Apex registration handler

Question # 11

Universal Containers wants to implement SAML SSO for their internal Salesforce users using a third-party IdP. After some evaluation, UC decides not to set up My Domain for their Salesforce org. How does that decision impact their SSO implementation?

A.

SP-initiated SSO will not work.

B.

Neither SP- nor IdP-initiated SSO will work.

C.

Either SP- or IdP-initiated SSO will work.

D.

IdP-initiated SSO will not work.

Question # 12

Universal Containers (UC) has implemented a multi-org architecture in their company. Many users have licences across multiple orgs, and they are complaining about remembering which org and credentials are tied to which business process. Which two recommendations should the Architect make to address the complaints? Choose 2 answers

A.

Activate My Domain to brand each org to the specific business use case.

B.

Implement SP-Initiated Single Sign-on flows to allow deep linking.

C.

Implement IdP-Initiated Single Sign-on flows to allow deep linking.

D.

Implement Delegated Authentication from each org to the LDAP provider.

Question # 13

Universal Containers (UC) has implemented a SAML-based SSO solution for use with their multi-org Salesforce implementation, utilizing one of the orgs as the Identity Provider. One user is reporting that they can log in to the Identity Provider org but get a generic SAML error message when accessing the other orgs. Which two considerations should the architect review to troubleshoot the issue? Choose 2 answers

A.

The Federation ID must be a valid Salesforce Username.

B.

The Federation ID is case sensitive.

C.

The Federation ID must be in the form of an email address.

D.

The Federation ID must be populated on the user record.

Question # 14

Universal Containers (UC) wants its Closed Won opportunities to be synced to a data warehouse in near real time. UC has implemented an Outbound Message to enable near-real-time data sync. UC wants to ensure that communication between Salesforce and the target system is secure. What certificate is sent along with the Outbound Message?

A.

The self-signed certificate from the Certificate and Key Management menu.

B.

The default client certificate from the Develop > API menu.

C.

The default client certificate or the Certificate and Key Management menu.

D.

The CA-signed certificate from the Certificate and Key Management menu.

Question # 15

A global fitness equipment manufacturer is planning to sell fitness tracking devices and has the following requirements:

1) Customer purchases the device.

2) Customer registers the device using their mobile app.

3) A case should automatically be created in Salesforce and associated with the customer's account in cases where the device reports issues with tracking.

Which OAuth flow should be used to meet these requirements?

A.

OAuth 2.0 Asset Token Flow

B.

OAuth 2.0 Username-Password Flow

C.

OAuth 2.0 User-Agent Flow

D.

OAuth 2.0 SAML Bearer Assertion Flow

Question # 16

The security team at Universal Containers (UC) has identified exporting reports as a high-risk action and would like to require users to be logged into Salesforce with their Active Directory (AD) credentials when doing so. For all other uses of Salesforce, users should be allowed to use AD credentials or Salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials, while maintaining the ability to view reports when logged in with Salesforce credentials?

A.

Use SAML Federated Authentication and custom SAML JIT provisioning to dynamically add or remove a permission set that grants the Export Reports permission.

B.

Use SAML Federated Authentication, treat SAML sessions as high assurance, and raise the session level required for exporting reports.

C.

Use SAML Federated Authentication and block access to reports when accessed through a standard assurance session.

D.

Use SAML Federated Authentication with a login flow to dynamically add or remove a permission set that grants the Export Reports permission.

Question # 17

Which two considerations should be made when implementing Delegated Authentication?

Choose 2 answers

A.

The authentication web service can include custom attributes.

B.

It can be used to authenticate API clients and mobile apps.

C.

It requires trusted IP ranges at the User Profile level.

D.

Salesforce servers receive but do not validate a user’s credentials.

E.

Just-in-time Provisioning can be configured for new users.

Question # 18

A global company's Salesforce Identity Architect is reviewing its Salesforce production org login history and is seeing some intermittent Security Assertion Markup Language (SAML) SSO 'Replay Detected' and 'Assertion Invalid' login errors.

Which two issues would cause these errors?

Choose 2 answers

A.

The Subject element is missing from the assertion sent to Salesforce.

B.

The certificate loaded into the SSO configuration does not match the certificate used by the IdP.

C.

The current time setting of the company's identity provider (IdP) and Salesforce platform is out of sync by more than eight minutes.

D.

The assertion sent to Salesforce contains an assertion ID that was previously used.
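
Added example (not part of the original page): a minimal Service-Provider-side check that reproduces the three assertion-level conditions behind the errors in Question 18, namely a reused assertion ID, a missing Subject, and an IdP clock that is out of step with the SP by more than the allowed skew. Certificate mismatch (option B) fails signature verification, which a real SP performs before any of this and which is not shown here. The sample assertions are constructed for the example and are unsigned; the eight-minute tolerance is taken from the question text and is treated as an assumption, not as a verified Salesforce setting.

```python
"""Added example: SAML assertion replay and validity window checks."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_SKEW = timedelta(minutes=8)  # assumed tolerance, taken from the question text
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # simplification: real assertions may carry fractional seconds


class ReplayCache:
    """Remembers assertion IDs until they can no longer be valid; a second arrival is a replay."""

    def __init__(self):
        self._seen = {}  # assertion ID -> NotOnOrAfter

    def check_and_store(self, assertion_id, not_on_or_after, now):
        # Forget IDs whose validity window (plus skew) has closed; they cannot be replayed anyway.
        self._seen = {k: v for k, v in self._seen.items() if v + MAX_SKEW > now}
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = not_on_or_after
        return True


def _parse_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, cache, now):
    """Return (ok, reason) for one assertion, mirroring the SP's error classes."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return False, "Assertion Invalid: no Assertion element"
    if assertion.find("saml:Subject", NS) is None:
        return False, "Assertion Invalid: missing Subject"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "Assertion Invalid: missing Conditions"
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    # IdP clock ahead of ours: the assertion is not yet valid even after allowing for skew.
    if now + MAX_SKEW < not_before:
        return False, "Assertion Invalid: not yet valid (IdP clock ahead)"
    # IdP clock behind ours: the short validity window already closed.
    if now - MAX_SKEW >= not_on_or_after:
        return False, "Assertion Invalid: expired (IdP clock behind)"
    assertion_id = assertion.get("ID")
    if not assertion_id:
        return False, "Assertion Invalid: missing ID"
    if not cache.check_and_store(assertion_id, not_on_or_after, now):
        return False, "Replay Detected: assertion ID already used"
    return True, "ok"


def make_assertion(assertion_id, issued, subject=True, validity=timedelta(minutes=5)):
    """Constructed, unsigned sample assertion in the shape an IdP would send."""
    subj = ("<saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>"
            if subject else "")
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="{assertion_id}" '
            f'IssueInstant="{issued.strftime(TIME_FMT)}" Version="2.0">'
            f"<saml:Issuer>https://idp.example.com</saml:Issuer>{subj}"
            f'<saml:Conditions NotBefore="{issued.strftime(TIME_FMT)}" '
            f'NotOnOrAfter="{(issued + validity).strftime(TIME_FMT)}"/>'
            f"</saml:Assertion>")


def demo():
    """Run the five scenarios from the question against one replay cache."""
    now = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    cache = ReplayCache()
    good = make_assertion("_a1", now)
    return {
        "first": validate_assertion(good, cache, now),
        "replay": validate_assertion(good, cache, now + timedelta(seconds=30)),
        "no_subject": validate_assertion(make_assertion("_a2", now, subject=False), cache, now),
        "clock_ahead": validate_assertion(make_assertion("_a3", now + timedelta(minutes=10)), cache, now),
        "clock_behind": validate_assertion(make_assertion("_a4", now - timedelta(minutes=15)), cache, now),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:12s} {'PASS' if ok else 'FAIL'}: {reason}")
```

The replay cache only needs to hold IDs for the assertion's own validity window plus the skew allowance, which is why the IdP should keep that window short; a cache keyed on IDs alone, with no expiry, would grow without bound.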

Question # 19

Universal Containers (UC) has built a custom time tracking app for its employees. UC wants to leverage Salesforce Identity to control access to the custom app.

At a minimum, which Salesforce license is required to support this requirement?

A.

Identity Verification

B.

Identity Connect

C.

Identity Only

D.

External Identity

Question # 20

Universal Containers (UC) wants to implement Delegated Authentication for a certain subset of Salesforce users. Which three items should UC take into consideration while building the web service to handle the Delegated Authentication request? Choose 3 answers

A.

The web service needs to include the source IP as a method parameter.

B.

UC should whitelist all Salesforce IP ranges on their corporate firewall.

C.

The web service can be written using either the SOAP or the REST protocol.

D.

Delegated Authentication is enabled for the system administrator profile.

E.

The return type of the web service method should be a Boolean value.
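
Added example (not part of the original page) of the web service side of Delegated Authentication, covering the mechanics touched on in Questions 9, 17 and 20: Salesforce posts a SOAP Authenticate message carrying the username, the password the user typed and the user's source IP, expects a Boolean Authenticated element back, and never validates the password itself. The namespace and element names are those this example assumes from Salesforce's published AuthenticationService WSDL (check them against the copy downloaded from your org); the user store, the source-IP policy and the sample message are constructed for the example. Transport hardening, such as mutual TLS and restricting inbound callers to Salesforce's IP ranges, sits in front of this handler and is not shown.

```python
"""Added example: handler for the Delegated Authentication SOAP request."""
import hashlib
import hmac
import ipaddress
import os
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Assumed from the published AuthenticationService WSDL; verify against your org's copy.
AUTH_NS = "urn:authentication.soap.sforce.com"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"soap": SOAP_NS, "auth": AUTH_NS}


def _hash(password, salt):
    """PBKDF2-SHA256 so the corporate store never holds a plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, hash).
_SALT = os.urandom(16)
USER_STORE = {"jdoe@example.com": (_SALT, _hash("correct horse battery staple", _SALT))}

# Constructed policy: the sourceIp Salesforce forwards is the END USER's address,
# not Salesforce's. Here only users on the corporate range may use delegated login.
ALLOWED_USER_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def verify_credentials(username, password):
    entry = USER_STORE.get(username)
    if entry is None:
        _hash(password, b"\x00" * 16)  # same cost for unknown users: no timing oracle
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash(password, salt), expected)


def source_ip_allowed(source_ip):
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_USER_NETS)


def build_response(authenticated):
    """SOAP body with the single Boolean Salesforce acts on."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
            f'<AuthenticateResult xmlns="{AUTH_NS}">'
            f'<Authenticated>{"true" if authenticated else "false"}</Authenticated>'
            f"</AuthenticateResult></soapenv:Body></soapenv:Envelope>")


def handle_authenticate(soap_request):
    """Parse the Authenticate request; return (authenticated, response_xml)."""
    root = ET.fromstring(soap_request)
    req = root.find(".//auth:Authenticate", NS)
    if req is None:
        return False, build_response(False)
    username = req.findtext("auth:username", default="", namespaces=NS)
    password = req.findtext("auth:password", default="", namespaces=NS)
    source_ip = req.findtext("auth:sourceIp", default="", namespaces=NS)
    ok = source_ip_allowed(source_ip) and verify_credentials(username, password)
    return ok, build_response(ok)


def sample_request(username, password, source_ip):
    """Constructed Authenticate message in the shape Salesforce sends."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
            f'<Authenticate xmlns="{AUTH_NS}"><username>{escape(username)}</username>'
            f"<password>{escape(password)}</password><sourceIp>{escape(source_ip)}</sourceIp>"
            f"</Authenticate></soapenv:Body></soapenv:Envelope>")


if __name__ == "__main__":
    ok, body = handle_authenticate(
        sample_request("jdoe@example.com", "correct horse battery staple", "203.0.113.10"))
    print(ok, body)
```

Because Salesforce hands the cleartext password to this endpoint on every login, the endpoint is the piece worth protecting: terminate TLS with client-certificate authentication so only Salesforce can reach it, and log the sourceIp it receives rather than the connecting address, which will always be Salesforce's.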

Question # 21

The CMO of an advertising company has invited an Identity and Access Management (IAM) specialist to discuss Salesforce out-of-the-box capabilities for configuring the company's login and registration experience on Salesforce Experience Cloud.

The CMO is looking to brand the login page with the company's logo, background color, login button color, and dynamic right-frame from an external URL.

Which two solutions should the IAM specialist recommend?

Choose 2 answers

A.

Use Experience Builder to build branded Reset and Forgot Password pages.

B.

Build custom pages for branding requirements in Experience Cloud.

C.

Build custom site pages for reset and forgot password features.

D.

Login & Registration pages can be branded in the Community Administration settings.

Question # 22

A public sector agency is setting up an identity solution for its citizens using a Community built on Experience Cloud and requires the new user registration functionality to capture first name, last name, and phone number. The phone number will be used for identity verification.

Which feature should an identity architect recommend to meet the requirements?

A.

Integrate with social websites (Facebook, LinkedIn, Twitter).

B.

Use an external Identity Provider

C.

Create a custom Lightning Web Component

D.

Use Login Discovery

Question # 23

A multinational industrial products manufacturer is planning to implement Salesforce CRM to manage their business. They have the following requirements:

1. They plan to implement Partner Communities to provide access to their partner network.

2. They have operations in multiple countries and are planning to implement multiple Salesforce orgs.

3. Some of their partners do business in multiple countries and will need information from multiple Salesforce communities.

4. They would like to provide a single login for their partners.

How should an Identity Architect solve this requirement with limited custom development?

A.

Create a partner login for the country of their operation and use SAML federation to provide access to other orgs.

B.

Consolidate Partner related information in a single org and provide access through Salesforce community.

C.

Allow partners to choose the Salesforce org they need information from and use login flows to authenticate access.

D.

Register partners in one org and access information from other orgs using APIs.

Question # 24

In which scenario would the Web Server flow be used?

A.

Used for web applications when server-side code needs to interact with APIs.

B.

Used for server-side components when page needs to be rendered.

C.

Used for mobile applications and testing legacy Integrations.

D.

Used for verifying access to protected resources.

Question # 25

Universal Containers (UC) uses middleware to integrate multiple systems with Salesforce. UC has a strict new requirement that usernames and passwords cannot be stored in any UC system. How can UC's middleware authenticate to Salesforce while adhering to this requirement?

A.

Create a Connected App that supports the JWT Bearer Token OAuth Flow.

B.

Create a Connected App that supports the Refresh Token OAuth Flow.

C.

Create a Connected App that supports the Web Server OAuth Flow.

D.

Create a Connected App that supports the User-Agent OAuth Flow.

Question # 26

An identity architect's client has a homegrown identity provider (IdP). Salesforce is used as the service provider (SP). The head of IT is worried that during an SP-initiated single sign-on (SSO), the Security Assertion Markup Language (SAML) request content will be altered.

What should the identity architect recommend to make sure that there is additional trust between the SP and the IdP?

A.

Ensure that there is an HTTPS connection between IDP and SP.

B.

Ensure that on the SSO settings page, the "Request Signing Certificate" field has a self-signed certificate.

C.

Ensure that the Issuer and Assertion Consumer Service (ACS) URL are properly configured between SP and IdP.

D.

Encrypt the SAML Request using a certificate authority (CA) signed certificate and decrypt it on the IdP.

Question # 27

Universal Containers (UC) has a strict requirement to authenticate users to Salesforce using their mainframe credentials. The mainframe user store cannot be accessed from a SAML provider. UC would also like to have users in Salesforce created on the fly if they provide accurate mainframe credentials.

How can the Architect meet these requirements?

A.

Use a Salesforce Login Flow to call out to a web service and create the user on the fly.

B.

Use the SOAP API to create the user when created on the mainframe; implement Delegated Authentication.

C.

Implement Just-In-Time Provisioning on the mainframe to create the user on the fly.

D.

Implement OAuth User-Agent Flow on the mainframe; use a Registration Handler to create the user on the fly.

Question # 28

Which three are features of federated Single Sign-on solutions? Choose 3 answers

A.

It establishes trust between Identity Store and Service Provider.

B.

It federates credentials control to authorized applications.

C.

It solves all identity and access management problems.

D.

It improves affiliated applications adoption rates.

E.

It enables quick and easy provisioning and deactivating of users.

Question # 29

Universal Containers (UC) employees have Salesforce access from restricted IP ranges only, to protect against unauthorised access. UC wants to roll out the Salesforce1 mobile app and make it accessible from any location. Which two options should an architect recommend? Choose 2 answers

A.

Relax the IP restriction in the Connected App settings for the Salesforce1 mobile app.

B.

Use a login flow to bypass the IP range restriction for the mobile app.

C.

Relax the IP restriction with a second factor in the Connected App settings for the Salesforce1 mobile app.

D.

Remove existing restrictions on IP ranges for all types of user access.

Question # 30

A company with 15,000 employees is using Salesforce and would like to take the necessary steps to highlight or curb fraudulent activity.

Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours?

A.

Login Forensics

B.

Login Report

C.

Login Inspector

D.

Login History

Question # 31

Universal Containers (UC) is setting up their Customer Community self-registration process. They are uncomfortable with the idea of assigning new users to a default account record. What will happen when customers self-register in the community?

A.

The self-registration process will produce an error to the user.

B.

The self-registration page will ask the user to select an account.

C.

The self-registration process will create a Person Account record.

D.

The self-registration page will create a new account record.

Question # 32

Northern Trail Outfitters (NTO) uses Salesforce Experience Cloud sites (previously known as Customer Community) to provide a digital portal where customers can log in using their Google account.

NTO would like to automatically create a case record for first time users logging into Salesforce Experience Cloud.

What should an Identity architect do to fulfill the requirement?

A.

Configure an authentication provider for Social Login using Google and a custom registration handler.

B.

Implement a Just-in-Time handler class that has logic to create cases upon first login.

C.

Create an authentication provider for Social Login using Google and leverage standard registration handler.

D.

Implement a login flow with a record create component for Case.

Question # 33

Universal Containers is using OpenID Connect to enable a connection from their new mobile app to its production Salesforce org.

What should be done to enable the retrieval of the access token status for the OpenID Connect connection?

A.

Query using the OpenID Connect discovery endpoint.

B.

Leverage OpenID Connect Token Introspection.

C.

Create a custom OAuth scope.

D.

Enable cross-origin resource sharing (CORS) for the /services/oauth2/token endpoint.

Question # 34

A company wants to provide its employees with a custom mobile app that accesses Salesforce. Users are required to download the internal native iOS mobile app from the corporate intranet onto their mobile device. The app allows flexibility to access other non-Salesforce internal applications once users authenticate with Salesforce. The apps self-authorize, and users are permitted to use the apps once they have logged into Salesforce.

How should an identity architect meet the above requirements with the privately distributed mobile app?

A.

Use a Connected App with OAuth and Security Assertion Markup Language (SAML) to access other non-Salesforce internal apps.

B.

Configure Mobile App settings in the Connected App and Salesforce as identity provider for non-Salesforce internal apps.

C.

Use Salesforce as an identity provider (IdP) to access the mobile app and use the external IdP for other non-Salesforce internal apps.

D.

Create a new hybrid mobile app and use the Connected App with OAuth to authenticate users for Salesforce and non-Salesforce internal apps.

Question # 35

Universal Containers (UC) wants its users to access Salesforce and other SSO-enabled applications from a custom web page that UC maintains. UC wants its users to use the same set of credentials to access each of the applications. What SAML SSO flow should an Architect recommend for UC?

A.

SP-Initiated with Deep Linking

B.

SP-Initiated

C.

IdP-Initiated

D.

User-Agent

Question # 36

Universal Containers (UC) is both a Salesforce and a Google Apps customer. The UC IT team would like to manage the users for both systems in a single place to reduce administrative burden. Which two optimal ways can the IT team provision users and allow Single Sign-on between Salesforce and Google Apps? Choose 2 answers

A.

Build a custom app running on Heroku as the Identity Provider that can sync user information between Salesforce and Google Apps.

B.

Use a third-party product as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.

C.

Use Identity Connect as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.

D.

Use Salesforce as the Identity Provider and Google Apps as a Service Provider and configure User Provisioning for Connected Apps.
