Weekend Sale Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

Salesforce Identity-and-Access-Management-Architect Salesforce Certified Identity andAccess Management Architect (SP25) Exam Practice Test

Page: 1 / 24
Total 243 questions

Salesforce Certified Identity andAccess Management Architect (SP25) Questions and Answers

Question 1

Universal Containers (UC) wants to integrate a third-party Reward Calculation system with Salesforce to calculate Rewards. Rewards will be calculated on a schedule basis and update back into Salesforce. The integration between Salesforce and the Reward Calculation System needs to be secure. Which are two recommended practices for using OAuth flow in this scenario. choose 2 answers

Options:

A.

OAuth Refresh Token FLow

B.

OAuth Username-Password Flow

C.

OAuth SAML Bearer Assertion FLow

D.

OAuth JWT Bearer Token FLow

Question 2

Universal Containers (UC) has implemented SAML-based SSO solution for use with their multi-org Salesforce implementation, utilizing one ofthe the orgs as the Identity Provider. One user is reporting that they can log in to the Identity Provider org but get a generic SAML error message when accessing the other orgs. Which two considerations should the architect review to troubleshoot the issue? Choose 2 answers

Options:

A.

The Federation ID must be a valid Salesforce Username

B.

The Federation ID must is case sensitive

C.

The Federation ID must be in the form of an email address.

D.

The Federation ID must be populated on the user record.

Question 3

Universal containers (UC) would like to enable SSO between their existing Active Directory infrastructure and salesforce. The it team prefers to manage all users in Active Directory and would like to avoid doing any initial setup of users in salesforce directly,including the correct assignment of profiles, roles and groups. Which two optimal solutions should UC use to provision users in salesforce? Choose 2 answers

Options:

A.

Use the salesforce REST API to sync users from active directory to salesforce

B.

Use an app exchange product to sync users from Active Directory to salesforce.

C.

Use Active Directory Federation Services to sync users from active directory to salesforce.

D.

Use Identity connect to sync users from Active Directory to salesforce

Question 4

Universal containers (UC) has a classifiedinformation system that it's call centre team uses only when they are working on a case with a record type of "classified". They are only allowed to access the system when they own an open "classified" case, and their access to the system is removed at allother times. They would like to implement SAML SSO with salesforce as the IDP, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying access to the classified information system based on the open "classified" case record criteria?

Options:

A.

Use a custom connected App handler using apex to dynamically allow access to the system based on whether the staff owns any open "classified" cases.

B.

Use apex trigger on case to dynamically assign permission sets that grant access when a user is assigned with an open "classified" case, and remove it when the case is closed.

C.

Use custom SAML jit provisioning to dynamically query the user's open "classified" cases when attempting to access the classified information system

D.

Use salesforce reports to identify users that currently owns open "classified" cases and should be granted access to the classified information system.

Question 5

UESTION NO: 154

Universal Containers (UC) wants to provide single sign-on (SSO) for a business-to-consumer (B2C) application using Salesforce Identity.

Which Salesforce license should UC utilize to implement this use case?

Options:

A.

Identity Only

B.

Salesforce Platform

C.

External Identity

D.

Partner Community

Question 6

Universal Containers (UC) has implemented a multi-org architecture in their company. Many users have licences across multiple orgs, and they are complaining about remembering which org and credentials are tied to which business process. Which two recommendations should the Architect make to address the Complaints? Choose 2 answers

Options:

A.

Activate My Domain to Brand each org to the specific business use case.

B.

Implement SP-Initiated Single Sign-on flows to allow deep linking.

C.

ImplementIdP-Initiated Single Sign-on flows to allow deep linking.

D.

Implement Delegated Authentication from each org to the LDAP provider.

Question 7

Which three are capabilities of SAML-based Federated authentication? Choose 3 answers

Options:

A.

Trust relationships between Identity Provider and Service Provider are required.

B.

SAML tokens can be in XML or JSON format and can be used interchangeably.

C.

Web applications with no passwords are more secure and stronger against attacks.

D.

Access tokens areused to access resources on the server once the user is authenticated.

E.

Centralized federation provides single point of access, control and auditing.

Question 8

Universal Containers (UC) uses Salesforce to allow customers to keep track of the order status. The customers can log in to Salesforce using external authentication providers, such as Facebook and Google. UC is also leveraging the App Launcher to let customers access an of platform application for generating shipping labels. The labelgenerator application uses OAuth to provide users access. What license type should an Architect recommend for the customers?

Options:

A.

Customer Community license

B.

Identity license

C.

Customer Community Plus license

D.

External Identity license

Question 9

Containers (UC) uses an internal system for recruiting and would like to have thecandidates' info available in the Salesforce automatically when they are selected. UC decides to use OAuth to connect to Salesforce from the recruiting system and would like to do the authentication using digital certificates. Which two OAuth flows shouldbe considered to meet the requirement? Choose 2 answers

Options:

A.

JWT Bearer Token flow

B.

Refresh Token flow

C.

SAML Bearer Assertion flow

D.

Web Service flow

Question 10

Universal containers uses an Employee portal for their employees to collaborate. employees access the portal from their company's internal website via SSO. It is set up to work with Active Directory. What is the role of Active Directory in this scenario?

Options:

A.

Identity store

B.

Authentication store

C.

Identity provider

D.

Service provider

Question 11

Universal containers (UC) has built a custom based Two-factorAuthentication (2fa) system for their existing on-premise applications. Thru are now implementing salesforce and would like to enable a Two-factor login process for it, as well. What is the recommended solution an architect should consider?

Options:

A.

Replace thecustom 2fa system with salesforce 2fa for on-premise application and salesforce.

B.

Use the custom 2fa system for on-premise applications and native 2fa for salesforce.

C.

Replace the custom 2fa system with an app exchange app that supports on-premise applications and salesforce.

D.

Use custom login flows to connect to the existing custom 2fa system for use in salesforce.

Question 12

Universal Containers (UC) employees have Salesforce access from restricted IP ranges only, to protect against unauthorized access. UC wants to roll out the Salesforce1 mobile app and make it accessible from any location. Which two options should an Architect recommend? Choose 2 answers

Options:

A.

Relax the IP restriction with a second factor in the Connect App settings for Salesforce1 mobile app.

B.

Remove existing restrictions on IP ranges for all types of user access.

C.

Relax the IP restrictions in the Connect App settings for the Salesforce1 mobile app.

D.

Use Login Flow to bypass IP range restriction for the mobile app.

Question 13

Universal containers (UC) have a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properlysecure access to the app. Which two are recommendations to make the UC? Choose 2 answers

Options:

A.

Disallow the use of single Sign-on for any users of the mobile app.

B.

Require high assurance sessions in order to use the connected App

C.

Use Google Authenticator as an additional part of the logical processes.

D.

Set login IP ranges to the internal network for all of the app users profiles.

Question 14

Which tool should be used to track login data, such as the average number of logins, who logged in more thanthe average number of times and who logged in during non-business hours?

Options:

A.

Login Inspector

B.

Login History

C.

Login Report

D.

Login Forensics

Question 15

Universal Containers (UC) rollingout a new Customer Identity and Access Management Solution will be built on top of their existing Salesforce instance.

Several service providers have been setup and integrated with Salesforce using OpenlD Connect to allow for a seamless single sign-on experience. UC has a requirement to limit user access to only a subset of service providers per customer type.

Which two steps should be done on the platform to satisfy the requirement?

Choose 2 answers

Options:

A.

Manage which connected apps a user has access to byassigning authentication providers to the user’s profile.

B.

Assign the connected app to the customer community, and enable the users profile in the Community settings.

C.

Use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps.

D.

Set each of the Connected App access settings to Admin Pre-Approved.

Question 16

Universal Containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured asa connected App in Salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two are recommendations to make the UC? Choose 2 answers

Options:

A.

Disallow the use of Single Sign-on for anyusers of the mobile app.

B.

Require High Assurance sessions in order to use the Connected App.

C.

Set Login IP Ranges to the internal network for all of the app users Profiles.

D.

Use Google Authenticator as an additional part of the login process

Question 17

Universal Containers (UC) uses Salesforce for its customer service agents. UC has a proprietary system for order tracking which supports Security Assertion Markup Language (SAML) based single sign-on. The VP of customer service wants to ensure only active Salesforce users should be able to access the order tracking system which is only visible within Salesforce.

What should be done to fulfill the requirement?

Choose 2 answers

Options:

A.

Setup Salesforce as an identity provider (IdP) for order Tracking.

B.

Set up the Corporate Identity store as an identity provider (IdP) for Order Tracking,

C.

Customize Order Tracking to initiate a REST call to validate users in Salesforce after login.

D.

Setup Order Tracking as a Canvas app in Salesforce to POST IdPinitiated SAML assertion.

Question 18

Which two capabilities does My Domain enable in the context of a SAML SSOconfiguration? Choose 2 answers

Options:

A.

App Launcher

B.

Resource deep linking

C.

SSO from Salesforce Mobile App

D.

Login Forensics

Question 19

Universal Containers (UC) currently uses Salesforce Sales Cloud and an external billing application. Both Salesforce andthe billing application are accessed several times a day to manage customers. UC would like to configure single sign-on and leverageSalesforce as the identity provider. Additionally, UC would like the billing application to be accessible from Salesforce.A redirect is acceptable.

Which two Salesforce tools should an identity architect recommend to satisfy the requirements?

Choose 2 answers

Options:

A.

salesforce Canvas

B.

Identity Connect

C.

Connected Apps

D.

App Launcher

Question 20

What item should an Architect consider when designing a Delegated Authentication implementation?

Options:

A.

The Web service should be secured with TLS using Salesforce trusted certificates.

B.

The Web service should be able to accept one to four input method parameters.

C.

The web service should use the Salesforce Federation ID toidentify the user.

D.

The Web service should implement a custom password decryption method.

Question 21

A real estate company wants to provide its customers a digital space to design their interior decoration options. To simplify the registration to gain access to the communitysite (built in Experience Cloud), the CTO has requested that the IT/Development team provide the option for customers to use their existing social-media credentials to register and access.

The IT lead has approached the Salesforce Identity and Access Management (IAM) architect for technical direction on implementing the social sign-on (for Facebook, Twitter, and a new provider that supports standard OpenID Connect (OIDC)).

Which two recommendations should the Salesforce IAM architect make to the IT Lead?

Choose 2 answers

Options:

A.

Use declarative registration handler process builder/flow to create, update users and contacts.

B.

Authentication provider configuration is required each social sign-on providers; and enable Authentication providers incommunity.

C.

For supporting OIDC it is necessary to enable Security Assertion Markup Language (SAML) with Just-in-Time provisioning (JIT) and OAuth 2.0.

D.

Apex coding skills are needed for registration handler to create and update users.

Question 22

Which three types of attacks would a 2-Factor Authentication solution help garden against?

Options:

A.

Key logging attacks

B.

Network perimeter attacks

C.

Phishing attacks

D.

Dictionary attacks

E.

Man-in-the-middle attacks

Question 23

N NO: 161

An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The following are the requirements for the solution:

1. Users should not have to login every time they use the app.

2. The app should be able to make calls to the Salesforce REST API.

3. End users should NOT see the OAuth approval page.

How should the identity architect configure the Salesforce connected app to meet the requirements?

Options:

A.

Enable the API Scope and Offline Access Scope, upload a certificate so JWT Bearer Flow can be used and then set the connected app access settings to "Admin Pre-Approved".

B.

Enable the API Scope and Offline Access Scope on the connected app, and then set the connected app to access settings to 'Admin Pre-Approved".

C.

Enable the Full Access Scope and then set the connected app access settings to "Admin Pre-Approved".

D.

Enable the API Scope and Offline Access Scope on the connected app, and then set the Connected App access settings to "User may self authorize".

Question 24

Universal containers (UC) would like to enable self - registration for their salesforce partner community users. UC wants to capture some custom data elements from the partner user,and based on these data elements, wants to assign the appropriate profile and account values. Which two actions should the architect recommend to UC? Choose 2 answers

Options:

A.

Modify the communitiesselfregcontroller to assign the profile and account.

B.

Modify the selfregistration trigger to assign profile and account.

C.

Configure registration for communities to use a custom visualforce page.

D.

Configure registration for communities to use a custom apex controller.

Question 25

Universal Containers is using OpenID Connect to enable a connection from their new mobile app to its production Salesforce org.

What should be done to enable the retrieval of the access token status for the OpenID Connect connection?

Options:

A.

Query using OpenIDConnect discovery endpoint.

B.

A Leverage OpenID Connect Token Introspection.

C.

Create a custom OAuth scope.

D.

Enable cross-origin resource sharing (CORS) for the /services/oauth2/token endpoint.

Question 26

A global company has built an external application that uses data from its Salesforce org via an OAuth 2.0 authorization flow. Upon logout, the existing Salesforce OAuth token must be invalidated.

Which action will accomplish this?

Options:

A.

Use a HTTP POST to request the refresh token for the current user.

B.

Use a HTTP POST to the System for Cross-domain Identity Management (SCIM) endpoint, including the current OAuth token.

C.

Use a HTTP POST to make a call to the revoke token endpoint.

D.

Enable Single Logout with a secure logout URL.

Question 27

A global company's Salesforce Identity Architect is reviewing its Salesforce production org login history and is seeing some intermittent Security Assertion Markup Language (SAML SSO) 'Replay Detected and Assertion Invalid' login errors.

Which two issues would cause these errors?

Choose 2 answers

Options:

A.

The subject element ismissing from the assertion sent to salesforce.

B.

The certificate loaded into SSO configuration does not match the certificate used by the IdP.

C.

The current time setting of the company's identity provider (IdP) and Salesforce platform is out of sync by more than eight minutes.

D.

The assertion sent to 5alesforce contains an assertion ID previously used.

Question 28

Universal containers (UC) has a mobile application that calls the salesforce REST API. In order to prevent users from having to enter their credentials everytime they use the app, UC has enabled the use of refresh Tokens as part of the salesforce connected App and updated their mobile app to take advantage of the refresh token. Even after enabling the refresh token, Users are still complaining that they have to enter their credentials once a day. What is the most likely cause of the issue?

Options:

A.

The Oauth authorizations are being revoked by a nightly batch job.

B.

The refresh token expiration policy is set incorrectly in salesforce

C.

The app is requesting too many access Tokens in a 24-hour period

D.

The users forget to check the box to remember their credentials.

Question 29

Users logging into Salesforce are frequently prompted to verify their identity.

The identity architect is required to provide recommendations so that frequency of prompt verification can be reduced.

What should the identity architect recommend to meet the requirement?

Options:

A.

Implement 2FA authentication for the Salesforce org.

B.

Set trusted IP ranges for the organization.

C.

Implement a single sign-on for Salesforce using an externalidentity provider.

D.

Implement multi-factor authentication for the Salesforce org.

Question 30

A web service is developed that allows secure access to customer order status on the Salesforce Platform. The service connects to Salesforce through a connected app with the web server flow. The following are the required actions for the authorization flow:

1. User Authenticates and Authorizes Access

2. Request an Access Token

3. Salesforce Grantsan Access Token

4. Request an Authorization Code

5. Salesforce Grants Authorization Code

What is the correct sequence for the authorization flow?

Options:

A.

1, 4, 5, 2, 3

B.

4, 1, 5, 2, 3

C.

2, 1, 3, 4, 5

D.

4,5,2, 3, 1

Question 31

Universal Containers (UC) has decided to replace the homegrown customer portalwith Salesforce Experience Cloud. UC will continue to use its third-party single sign-on (SSO) solution that stores all of its customer and partner credentials.

The first time a customer logs in to the Experience Cloud site through SSO, a user record needsto be created automatically.

Which solution should an identity architect recommend in order to automatically provision users in Salesforce upon login?

Options:

A.

Just-in-Time (JIT) provisioning

B.

Custom middleware and web services

C.

Custom login flow and Apex handler

D.

Third-party AppExchange solution

Question 32

A global fitness equipment manufacturer is planning to sell fitness tracking devices and has the following requirements:

1) Customer purchases the device.

2) Customer registers the device using their mobile app.

3) A case should automatically be createdin Salesforce and associated with the customer’s account in cases where the device registers issues with tracking.

Which OAuth flow should be used to meet these requirements?

Options:

A.

OAuth 2.0 Asset Token Flow

B.

OAuth 2.0 Username-Password Flow

C.

OAuth 2.0User-Agent Flow

D.

OAuth 2.0 SAML Bearer Assertion Flow

Question 33

How should an Architect automatically redirect users to the login page of the external Identity provider when using an SP-Initiated SAML flow with Salesforce as a Service Provider?

Options:

A.

Use visualforce as the landing page for My Domain to redirect users to the Identity Provider login Page.

B.

Enable the Redirect to the Identity Provider setting under Authentication Services on the My domain Configuration.

C.

Remove the Login page from the list of Authentication Services on the My Domain configuration.

D.

Set the Identity Provider as default and enable the Redirect to the Identity Provider setting on the SAML Configuration.

Question 34

Northern Trail Outfitters mar ages functional group permissions in a custom security application supported by a relational database and a REST service layer. Group permissions are mapped as permission sets in Salesforce.

Which action should an identity architect use to ensure functional group permissionsare reflected as permission set assignments?

Options:

A.

Use a Login Flow to query SAML attributes and set permission sets.

B.

Use a Login Flow with invocable Apex to callout to the security application and set permission sets.

C.

Use the Apex Just-in-Time (JIT) handler to query the Security Assertion markup Language (SAML) attributes and set permission sets.

D.

Use the Apex JIT handler to callout to the security application and set permission sets

Question 35

An identity architect wants to secure Salesforce APIs using Security Assertion Markup Language (SAML). For security purposes, administrators will need to authorize the applications that will be consuming the APIs.

Which Salesforce OAuth authorization flow should be used?

Options:

A.

OAuth 2-0 SAML Bearer Assertion Flow

B.

OAuth 2.0 JWT Bearer Flow

C.

SAML Assertion Flow

D.

OAuth 2.0 User-Agent Flow

Question 36

A financial services company uses Salesforce and has a compliance requirement to track information about devices from whichusers log in. Also, a Salesforce Security Administrator needs to have the ability to revoke the device from which users log in.

What should be used to fulfill this requirement?

Options:

A.

Use multi-factor authentication (MFA) to meet the compliance requirement totrack device information.

B.

Use the Activations feature to meet the compliance requirement to track device information.

C.

Use the Login History object to track information about devices from which users log in.

D.

Use Login Flows to capture device fromwhich users log in and store device and user information in a custom object.

Question 37

Universal containers (UC) has an e-commerce website while customers can buy products, make payments, and manage their accounts. UC decides to build a customer Community on Salesforce and wants to allow the customers to access the community for their accounts without logging in again. UC decides to implement ansp-Initiated SSO using a SAML-BASED complaint IDP. In this scenario where salesforce is the service provider, which two activities must be performed in salesforce to make sp-Initiated SSO work? Choose 2 answers

Options:

A.

Configure SAML SSO settings.

B.

Configure Delegated Authentication

C.

Create a connected App

D.

Set up my domain

Question 38

Northern Trail Outfitters (NTO) is planning to roll out a partner portal for its distributors using Experience Cloud. NTO would like to use an externalidentity provider (idP) and for partners to register for access to the portal. Each partner should be allowed to register only once to avoid duplicate accounts with Salesforce.

What should a identity architect recommend to create partners?

Options:

A.

On successful creation of Partners using Self Registration page in Experience Cloud, create identity in Ping.

B.

Create a custom page m Experience Cloud to self register partner with Experience Cloud and Ping identity store.

C.

Create a custom web page in the Portal and create users in the IdP and Experience Cloud using published APIs.

D.

Allow partners to register through the IdP and create partner users in Salesforce through an API.

Question 39

Universal Containers is budding a web application that will connect with the Salesforce API using JWT OAuth Flow.

Which two settings need to be configured in the connect app to support this requirement?

Choose 2 answers

Options:

A.

The Use Digital Signature option in the connected app.

B.

The "web" OAuth scope in theconnected app,

C.

The "api" OAuth scope in the connected app.

D.

The "edair_api" OAuth scope m the connected app.

Question 40

Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for to give its customers the ability to login with their Facebook and Twitter credentials.

Which two actions should an identity architect recommend to meet these requirements?

Choose 2 answers

Options:

A.

Create a custom external authentication provider for Facebook.

B.

Configure a predefined authentication provider for Facebook.

C.

Create a custom external authentication provider for Twitter.

D.

Configure a predefined authentication provider for Twitter.

Question 41

Which twosecurity risks can be mitigated by enabling Two-Factor Authentication (2FA) in Salesforce? Choose 2 answers

Options:

A.

Users leaving laptops unattended and not logging out of Salesforce.

B.

Users accessing Salesforce from a public Wi-Fi access point.

C.

Users choosing passwords that are the same as their Facebook password.

D.

Users creating simple-to-guess password reset questions.

Question 42

Universal Containers (UC) built an integration for their employees to post, view, and vote for ideas in Salesforce from an internal Company portal. When ideas are posted in Salesforce, links to the ideas are created in the company portal pages as part of the integration process. The Company portal connects to Salesforce using OAuth. Everything is working fine, except when users click on links to existing ideas, they are always taken to the Ideas home page rather than the specific idea, after authorization.Which OAuth URL parameter can be used to retain the original requested page so that a user can be redirected correctly after OAuth authorization?

Options:

A.

Redirect_uri

B.

State

C.

Scope

D.

Callback_uri

Question 43

Universal Containers (UC) is building a customer community and will allow customers to authenticate using Facebook credentials. The First time the user authenticating using Facebook, UC would like acustomer account created automatically in their accounting system. The accounting system has a web service accessible to Salesforce for the creation of accounts. How can the Architect meet these requirements?

Options:

A.

Create a custom application on Heroku that manages the sign-on process from Facebook.

B.

Use JIT Provisioning to automatically create the account in the accounting system.

C.

Add an Apex callout in the registration handler of the authorization provider.

D.

Use OAuth JWT flow to pass the data fromSalesforce to the Accounting System.

Question 44

An identity architect is implementing a mobile-first Consumer Identity Access Management (CIAM) for external users. User authentication is the only requirement. The users email or mobile phone number should be supported as a username.

Which two licenses are needed to meet this requirement?

Choose 2 answers

Options:

A.

External Identity Licenses

B.

Identity Connect Licenses

C.

Email Verification Credits

D.

SMS verification Credits

Question 45

Universal Containers (UC) is building a custom Innovation platform on their Salesforce instance. The Innovation platform willbe written completely in Apex and Visualforce and will use custom objects to store the Data. UC would like all users to be able to access the system without having to log in with Salesforce credentials. UC will utilize a third-party idp using SAML SSO. What is the optimal Salesforce licence type for all of the UC employees?

Options:

A.

Identity Licence.

B.

Salesforce Licence.

C.

External Identity Licence.

D.

Salesforce Platform Licence.

Question 46

Universal Containers (UC) is building an authenticated Customer Community for its customers. UC does not want customer credentialsstored in Salesforce and is confident its customers would be willing to use their social media credentials to authenticate to the community. Which two actions should an Architect recommend UC to take?

Options:

A.

Use Delegated Authentication to call the Twitter login API to authenticate users.

B.

Configure an Authentication Provider for LinkedIn Social Media Accounts.

C.

Create a Custom Apex Registration Handler to handle new and existing users.

D.

Configure SSO Settings For Facebook to serve as a SAML Identity Provider.

Question 47

Universal Containers (UC) plans to use a SAML-based third-party IdP serving both of the Salesforce Partner Community and the corporate portal. UC partners will log in 65* to the corporate portal to access protected resources, including links to Salesforce resources. What would be the recommended way to configure the IdP so that seamless access can be achieved in this scenario?

Options:

A.

Set up the corporate portal as a ConnectedApp in Salesforce and use the Web server OAuth flow.

B.

Configure SP-initiated SSO that passes the SAML token upon Salesforce resource access request.

C.

Set up the corporate portal as a Connected App in Salesforce and use the User Agent OAuth flow.

D.

Configure IdP-initiated SSO that passes the SAML token upon Salesforce resource access request.

Question 48

Under which scenario Web Server flow will be used?

Options:

A.

Used for web applications when server-side code needs to interact with APIS.

B.

Used for server-side components when page needs to be rendered.

C.

Used for mobile applications and testing legacy Integrations.

D.

Used for verifying Access protected resources.

Question 49

Universal Containers (UC) is building a custom employee hut) application on Amazon Web Services (AWS) and would like to store their users' credentials there. Users will also need access to Salesforce for internal operations. UC has tasked an identity architect with evaluating Afferent solutions for authentication and authorization between AWS and Salesforce.

How should an identity architect configure AWS to authenticate and authorize Salesforce users?

Options:

A.

Configure the custom employee app as a connected app.

B.

Configure AWS as an OpenID Connect Provider.

C.

Create a custom external authentication provider.

D.

Develop a customAuth server in AWS.

Question 50

Universal containers (UC) does my domain enable in the context of a SAML SSO configuration? Choose 2 answers

Options:

A.

Resource deep linking

B.

App launcher

C.

SSO from salesforce1 mobile app.

D.

Login forensics

Question 51

Universal Containerswants to implement Single Sign-on for a Salesforce org using an external Identity Provider and corporate identity store.

What type of authentication flow is required to support deep linking'

Options:

A.

Web Server OAuth SSO flow

B.

Service-Provider-Initiated SSO

C.

C. Identity-Provider-initiated SSO

D.

StartURL on Identity Provider

Question 52

Universal Containers allows employees to use a mobile device to access Salesforce for daily operations using a hybrid mobile app. This app uses Mobile software development kits (SDK), leverages refresh token to regenerate access token when required and is distributed as a private app.

The chief security officer is rolling out an org wide compliance policy to enforcere-verification of devices if an employee has not logged in from that device in the last week.

Which connected app setting should be leveraged to comply with this policy change?

Options:

A.

Scope - Deny refresh_token scope for this connected app.

B.

Refresh Token Policy - Expire the refresh token if it has not been used for 7 days.

C.

Session Policy - Set timeout value of the connected app to 7 days.

D.

Permitted User - Ask admins to maintain a list of users who are permitted based on last login date.

Question 53

Northern Trail Outfitters recently acquired a company. Each company will retain its Identity Provider (IdP). Both companies rely extensively on Salesforce processes that send emails to users to take specific actions in Salesforce.

How should the combined companys' employees collaborate in a single Salesforce org, yet authenticate to the appropriate IdP?

Options:

A.

Configure unique MyDomains for each company and have generated links use the appropriate MyDomam in the URL.

B.

Have generated links append a querystnng parameter indicating the IdP. The login service will redirect to the appropriate IdP.

C.

Have generated links be prefixed with the appropriate IdP URL to invoke an IdP-initiated Security Assertion Markup Language flow when clicked.

D.

Enable each IdP as a login option in the MyDomain Authentication Service settings. Users will then click onthe appropriate IdP button.

Question 54

Universal Containers (UC) uses Salesforce as a CRM and identity provider (IdP) for their Sales Team to seamlessly login to intemaJ portals. The IT team at UC is now evaluating Salesforce to act as an IdP for its remaining employees.

Which Salesforce license is required to fulfill this requirement?

Options:

A.

External Identity

B.

IdentityVerification

C.

Identity Connect

D.

Identity Only

Question 55

An architect needs to advise the team that manages the identity provider howto differentiate salesforce from other service providers. What SAML SSO setting in salesforce provides this capability?

Options:

A.

Entity id

B.

Issuer

C.

Identity provider login URL

D.

SAML identity location

Question 56

Which three different attributes can be used to identify the user in a SAML 65> assertion when Salesforce is acting as a Service Provider? Choose 3 answers

Options:

A.

Federation ID

B.

Salesforce User ID

C.

User Full Name

D.

User Email Address

E.

Salesforce Username

Question 57

Universal containers (UC) has implemented a multi-org strategy and would like to centralize the management of their salesforce user profiles. What should the architect recommend to allow salesforce profiles to be managed from a central system of record?

Options:

A.

Implement jit provisioning on the SAML IDP that will pass the profile id in each assertion.

B.

Create an apex scheduled job in one org that will synchronize the other orgsprofile.

C.

Implement Delegated Authentication that will update the user profiles as necessary.

D.

Implement an Oauthjwt flow to pass the profile credentials between systems.

Question 58

Universal Containers (UC) has built a custom token-based Two-factor authentication (2FA) system for their existing on-premise applications. They are now implementingSalesforce and would like to enable a Two-factor login processfor it, as well. What is the recommended solution as Architect should consider?

Options:

A.

Use the custom 2FA system for on-premise applications and native 2FA for Salesforce.

B.

Replace the custom 2FA system with an AppExchange App that supports on premise application and salesforce.

C.

Use Custom Login Flows to connect to the existing custom 2FA system for use in Salesforce.

D.

Replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce.

Question 59

Universal containers (UC) has implemented SAML -based single Sign-on for their salesforce application. UC is using PingFederate as the Identity provider. To access salesforce, Users usually navigate to a bookmarked link to my domain URL. What type of single Sign-on is this?

Options:

A.

Sp-Initiated

B.

IDP-initiated with deep linking

C.

IDP-initiated

D.

Web server flow.

Question 60

A manufacturer wants to provide registration for an Internet of Things (IoT) device with limited display input or capabilities.

WhichSalesforce OAuth authorization flow should be used?

Options:

A.

OAuth 2.0 JWT Bearer How

B.

OAuth 2.0 Device Flow

C.

OAuth 2.0 User-Agent Flow

D.

OAuth 2.0 Asset Token Flow

Question 61

Universal containers(UC) has decided to build a new, highly sensitive application on Force.com platform. The security team at UC has decided that they want users toprovide a fingerprint in addition to username/Password to authenticate to this application.How can an architect support fingerprint as a form of identification for salesforce Authentication?

Options:

A.

Use salesforce Two-factor Authentication with callouts to a third-party fingerprint scanning application.

B.

Use Delegated Authentication with callouts to a third-party fingerprint scanning application.

C.

Use an AppExchange product that does fingerprint scanning with native salesforce identity confirmation.

D.

Use custom login flows with callouts to a third-party fingerprint scanning application.

Question 62

An Identity and Access Management (IAM) Architect is recommending Identity Connect to integrate Microsoft Active Directory (AD) with Salesforce for user provisioning, deprovisioning and single sign-on (SSO).

Which feature of Identity Connect is applicable for this scenario?

Options:

A.

When Identity Connect is in place, if a user is deprovisioned in an on-premise AD, the user's Salesforce session Is revoked Immediately.

B.

If the number of provisioned users exceeds Salesforce license allowances, identity Connect will start disabling the existingSalesforce users in First-in, First-out (FIFO) fashion.

C.

Identity Connect can be deployed as amanaged package on salesforce org, leveraging High Availability of Salesforce Platform out-of-the-box.

D.

When configured, Identity Connect acts as an identity provider to both Active Directory and Salesforce, thus providing SSO as a default feature.

Question 63

Universal containers (UC) built a customer Community for customers to buy products, review orders, and manage their accounts. UC has provided three different options for customers to log in to the customer Community: salesforce, Google, and Facebook. Which two role combinations are represented by the systems in the scenario? Choose 2 answers

Options:

A.

Google is the service provider and Facebook is the identity provider

B.

Salesforceis the service provider and Google is the identity provider

C.

Facebook is the service provider and salesforce is the identity provider

D.

Salesforce is the service provider and Facebook is the identity provider

Question 64

A technology enterprise is setting up an identity solution with an external vendors wellness application for its employees. The user attributes need to be returned to the wellness application in an ID token.

Which authentication mechanism should an identity architect recommend to meet therequirements?

Options:

A.

OpenID Connect

B.

User Agent Flow

C.

JWT Bearer Token Flow

D.

Web Server Flow

Question 65

A security architect is rolling out a new multi-factor authentication (MFA) mandate, where all employees must go through a secure authentication process before accessing Salesforce. There are multiple Identity Providers (IdP) in place and the architect is considering how the "Authentication Method Reference" field (AMR) in the Login History can help.

Which two considerations should the architect keep in mind?

Choose 2 answers

Options:

A.

AMR field shows the authentication methods used at IdP.

B.

Both OIDC and Security Assertion Markup Language (SAML) are supported but AMR must be implemented at IdP.

C.

High-assurance sessions must be configured under Session Security Level Policies.

D.

Dependency on what is supported by OpenID Connect (OIDC) implementation at IdP.

Question 66

An Identity architect works for a multinational, multi-brand organization. As they work with the organization to understand their Customer Identity and Access Management requirements, the identity architect learns that the brand experience is different for each of the customer's sub-brands and each of these branded experiences must be carried through the login experience depending on which sub-brand the user is logging into.

Which solution should the architect recommend to support scalability and reduce maintenance costs, if the organization has more than 150sub-brands?

Options:

A.

Assign each sub-brand a unique Experience ID and use the Experience ID to dynamically brand the login experience.

B.

Use Audiences to customize the login experience for each sub-brand and pass an audience ID to the community during the OAuthand Security Assertion Markup Language (SAML) flows.

C.

Create a community subdomain for each sub-brand and customize the look and feel of the Login page for each community subdomain to match the brand.

D.

Create a separate Salesforce org for each sub-brand so that each sub-brand has complete control over the user experience.

Question 67

A technology enterprise is planning to implement single sign-on login for users. When users log in to the Salesforce User object custom field, data should be populated fornew and existing users.

Which two steps should an identity architect recommend?

Choose 2 answers

Options:

A.

Implement Auth.SamlJitHandler Interface.

B.

Create and update methods.

C.

Implement RegistrationHandler Interface.

D.

Implement SesslonManagement Class.

Question 68

Universal Containers (UC) is setting up delegated authentication to allow employees to log in using their corporate credentials. UC's security team is concerned about the risks of exposing the corporate login service on the internet and has asked that a reliable trust mechanism be put in place between the login service and Salesforce.

What mechanism should an Architect put in place to enable a trusted connection between the login service and Salesforce?

Options:

A.

Require the use of Salesforce security tokens on passwords.

B.

Enforce mutual authentication between systems using SSL.

C.

Include Client Id andClient Secret in the login header callout.

D.

Set up a proxy service for the login service in the DMZ.

Question 69

Universal containers(UC) wants to integrate a third-party reward calculation system with salesforce to calculate rewards. Rewards will be calculated on a schedule basis and update back into salesforce. The integration between Salesforce and the reward calculation system needs to be secure. Which are the recommended best practices for using Oauth flows in this scenario? Choose 2 answers

Options:

A.

Oauth refresh token flow

B.

Oauth SAML bearer assertion flow

C.

Oauthjwt bearer token flow

D.

Oauth Username-password flow

Question 70

Universal containers (UC) is setting up Delegated Authentication to allow employees to log in using their corporate credentials. UC's security team is concerned about the risk of exposing the corporate login service on the Internet and has asked that a reliable trust mechanism be put in place between the loginservice and salesforce. What mechanism should an architect put in place to enable a trusted connection between the login services and salesforce?

Options:

A.

Include client ID and client secret in the login header callout.

B.

Set up a proxy server for the login service in the DMZ.

C.

Require the use of Salesforce security Tokens on password.

D.

Enforce mutual Authentication between systems using SSL.

Question 71

Universal Containers (UC) has an e-commerce website where customers can buy products, make payments, and manage their accounts. UC decides tobuild a Customer Community on Salesforce and wants to allow the customers to access the community from their accounts without logging in again. UC decides to implement an SP-initiated SSO using a SAML-compliant Idp. In this scenario where Salesforce is theService Provider, which two activities must be performed in Salesforce to make SP-initiated SSO work? Choose 2 answers

Options:

A.

Configure SAML SSO settings.

B.

Create a Connected App.

C.

Configure Delegated Authentication.

D.

Set up My Domain.

Question 72

ON NO: 126

Universal containers (UC) is successfully using Delegated Authentication for their salesforce users. The service supporting Delegated Authentication is written in Java. UC has a new CIO that is requiring all company Web services be RESR-ful andwritten in. NET. Which two considerations should the UC Architect provide to the new CIO? Choose 2 answers

Options:

A.

Delegated Authentication will not work with a.net service.

B.

Delegated Authentication will continue to work with rest services.

C.

Delegated Authentication will continue to work with a.net service.

D.

Delegated Authentication will not work with rest services.

Page: 1 / 24
Total 243 questions