New Year Biggest Discount Flat 70% Offer - Ends in 0d 00h 00m 00s - Coupon code: 70diswrap

DumpsWrap Logo

Salesforce Identity-and-Access-Management-Architect Dumps

Page: 1 / 24
Total 243 questions
Get Identity-and-Access-Management-Architect Full Access Download Identity-and-Access-Management-Architect PDF

Salesforce Certified Identity andAccess Management Architect (SU24) Questions and Answers

Question 1

Universal Containers wants to implement Single Sign-on for a Salesforce org using an external Identity Provider and corporate identity store.

What type of authentication flow is required to support deep linking'

Options:

A.

Web Server OAuth SSO flow

B.

Service-Provider-Initiated SSO

C.

Identity-Provider-initiated SSO

D.

StartURL on Identity Provider

Question 2

A financial services company uses Salesforce and has a compliance requirement to track information about devices from which users log in. Also, a Salesforce Security Administrator needs to have the ability to revoke the device from which users log in.

What should be used to fulfill this requirement?

Options:

A.

Use multi-factor authentication (MFA) to meet the compliance requirement to track device information.

B.

Use the Activations feature to meet the compliance requirement to track device information.

C.

Use the Login History object to track information about devices from which users log in.

D.

Use Login Flows to capture device from which users log in and store device and user information in a custom object.

Question 3

Universal containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two are recommendations to make the UC? Choose 2 answers

Options:

A.

Disallow the use of single Sign-on for any users of the mobile app.

B.

Require high assurance sessions in order to use the connected App

C.

Use Google Authenticator as an additional part of the logical processes.

D.

Set login IP ranges to the internal network for all of the app users profiles.

Question 4

A service provider (SP) supports both Security Assertion Markup Language (SAML) and OpenID Connect (OIDC).

When integrating this SP with Salesforce, which use case is the determining factor when choosing OIDC or SAML?

Options:

A.

OIDC is more secure than SAML and therefore is the obvious choice.

B.

The SP needs to perform API calls back to Salesforce on behalf of the user after the user logs in to the service provider.

C.

If the user has a session on Salesforce, you do not want them to be prompted for a username and password when they login to the SP.

D.

They are equivalent protocols and there is no real reason to choose one over the other.

Question 5

Universal Containers wants to secure its Salesforce APIs by using an existing Security Assertion Markup Language (SAML) configuration supports the company's single sign-on process to Salesforce,

Which Salesforce OAuth authorization flow should be used?

Options:

A.

OAuth 2.0 SAML Bearer Assertion Flow

B.

A SAML Assertion Row

C.

OAuth 2.0 User-Agent Flow

D.

OAuth 2.0 JWT Bearer Flow

Question 6

Northern Trail Outfitters (NTO) is setting up Salesforce to authenticate users with an external identity provider. The NTO Salesforce Administrator is having trouble getting things setup.

What should an identity architect use to show which part of the login assertion is fading?

Options:

A.

SAML Metadata file importer

B.

Identity Provider Metadata download

C.

Connected App Manager

D.

Security Assertion Markup Language Validator

Question 7

Universal Containers (UC) has built a custom time tracking app for its employee. UC wants to leverage Salesforce Identity to control access to the custom app.

At a minimum, which Salesforce license is required to support this requirement?

Options:

A.

Identity Verification

B.

Identity Connect

C.

Identity Only

D.

External Identity

Question 8

Universal containers (UC) has an e-commerce website while customers can buy products, make payments, and manage their accounts. UC decides to build a customer Community on Salesforce and wants to allow the customers to access the community for their accounts without logging in again. UC decides to implement ansp-Initiated SSO using a SAML-BASED complaint IDP. In this scenario where salesforce is the service provider, which two activities must be performed in salesforce to make sp-Initiated SSO work? Choose 2 answers

Options:

A.

Configure SAML SSO settings.

B.

Configure Delegated Authentication

C.

Create a connected App

D.

Set up my domain

Question 9

Universal Containers (UC) plans to use a SAML-based third-party IdP serving both of the Salesforce Partner Community and the corporate portal. UC partners will log in 65* to the corporate portal to access protected resources, including links to Salesforce resources. What would be the recommended way to configure the IdP so that seamless access can be achieved in this scenario?

Options:

A.

Set up the corporate portal as a Connected App in Salesforce and use the Web server OAuth flow.

B.

Configure SP-initiated SSO that passes the SAML token upon Salesforce resource access request.

C.

Set up the corporate portal as a Connected App in Salesforce and use the User Agent OAuth flow.

D.

Configure IdP-initiated SSO that passes the SAML token upon Salesforce resource access request.

Question 10

Universal Containers (UC) has a Desktop application to collect leads for marketing campaigns. UC wants to extend this application to integrate with Salesforce to create leads. Integration between the desktop application and salesforce should be seamless. What Authorization flow should the Architect recommend?

Options:

A.

JWT Bearer Token flow

B.

Web Server Authentication Flow

C.

User Agent Flow

D.

Username and Password Flow

Question 11

Universal containers (UC) wants to integrate a Web application with salesforce. The UC team has implemented the Oauth web-server Authentication flow for authentication process. Which two considerations should an architect point out to UC? Choose 2 answers

Options:

A.

The web application should be hosted on a secure server.

B.

The web server must be able to protect consumer privacy

C.

The flow involves passing the user credentials back and forth.

D.

The flow will not provide an Oauth refresh token back to the server.

Question 12

Northern Trail Outfitters wants to implement a partner community. Active community users will need to review and accept the community rules, and update key contact information for each community member before their annual partner event.

Which approach will meet this requirement?

Options:

A.

Create tasks for users who need to update their data or accept the new community rules.

B.

Create a custom landing page and email campaign asking all community members to login and verify their data.

C.

Create a login flow that conditionally prompts users who have not accepted the new community rules and who have missing or outdated information.

D.

Add a banner to the community Home page asking users to update their profile and accept the new community rules.

Question 13

Universal Containers (UC) wants to build a few applications that leverage the Salesforce REST API. UC has asked its Architect to describe how the API calls will be authenticated to a specific user. Which two mechanisms can the Architect provide? Choose 2 Answers

Options:

A.

Authentication Token

B.

Session ID

C.

Refresh Token

D.

Access Token

Question 14

A Salesforce customer is implementing Sales Cloud and a custom pricing application for its call center agents. An Enterprise single sign-on solution is used to authenticate and sign-in users to all applications. The customer has the following requirements:

1. The development team has decided to use a Canvas app to expose the pricing application to agents.

2. Agents should be able to access the Canvas app without needing to log in to the pricing application.

Which two options should the identity architect consider to provide support for the Canvas app to initiate login for users?

Choose 2 answers

Options:

A.

Select "Enable as a Canvas Personal App" in the connected app settings.

B.

Enable OAuth settings in the connected app with required OAuth scopes for the pricing application.

C.

Configure the Canvas app as a connected app and set Admin-approved users as pre-authorized.

D.

Enable SAML in the connected app and Security Assertion Markup Language (SAML) Initiation Method as Service Provider Initiated.

Question 15

A real estate company wants to provide its customers a digital space to design their interior decoration options. To simplify the registration to gain access to the community site (built in Experience Cloud), the CTO has requested that the IT/Development team provide the option for customers to use their existing social-media credentials to register and access.

The IT lead has approached the Salesforce Identity and Access Management (IAM) architect for technical direction on implementing the social sign-on (for Facebook, Twitter, and a new provider that supports standard OpenID Connect (OIDC)).

Which two recommendations should the Salesforce IAM architect make to the IT Lead?

Choose 2 answers

Options:

A.

Use declarative registration handler process builder/flow to create, update users and contacts.

B.

Authentication provider configuration is required each social sign-on providers; and enable Authentication providers in

community.

C.

For supporting OIDC it is necessary to enable Security Assertion Markup Language (SAML) with Just-in-Time provisioning (JIT) and OAuth 2.0.

D.

Apex coding skills are needed for registration handler to create and update users.

Question 16

Universal containers (UC) would like to enable SAML-BASED SSO for a salesforce partner community. UC has an existing ldap identity store and a third-party portal. They would like to use the existing portal as the primary site these users access, but also want to allow seamless access to the partner community. What SSO flow should an architect recommend?

Options:

A.

User-Agent

B.

IDP-initiated

C.

Sp-Initiated

D.

Web server

Question 17

Universal containers (UC) wants to implement Delegated Authentication for a certain subset of Salesforce users. Which three items should UC take into consideration while building the Web service to handle the Delegated Authentication request? Choose 3 answers

Options:

A.

The web service needs to include Source IP as a method parameter.

B.

UC should whitelist all salesforce ip ranges on their corporate firewall.

C.

The web service can be written using either the soap or rest protocol.

D.

Delegated Authentication is enabled for the system administrator profile.

E.

The return type of the Web service method should be a Boolean value

Question 18

A farming enterprise offers smart farming technology to its farmer customers, which includes a variety of sensors for livestock tracking, pest monitoring, climate monitoring etc. They plan to store all the data in Salesforce. They would also like to ensure timely maintenance of the Installed sensors. They have engaged a salesforce Architect to propose an appropriate way to generate sensor Information In Salesforce.

Which OAuth flow should the architect recommend?

Options:

A.

OAuth 2.0 Asset Token Flow

B.

OAuth 2.0 Device Authentication Row

C.

OAuth 2.0 JWT Bearer Token Flow

D.

OAuth 2.0 SAML Bearer Assertion Flow

Question 19

Refer to the exhibit.

as

Outfitters (NTO) is using Experience Cloud as an Identity for its application on Heroku. The application on Heroku should be able to handle two brands, Northern Trail Shoes and Northern Trail Shirts.

A user should select either of the two brands in Heroku before logging into the community. The app then performs Authorization using OAuth2.0 with the Salesforce Experience Cloud site.

NTO wants to make sure it renders login page images dynamically based on the user's brand preference selected in Heroku before Authorization.

what should an identity architect do to fulfill the above requirements?

Options:

A.

For each brand create different communities and redirect users to the appropriate community using a custom Login controller written in Apex.

B.

Create multiple login screens using Experience Builder and use Login Flows at runtime to route to different login screens.

C.

Authorize third-party service by sending authorization requests to the community-url/services/oauth2/authorize/cookie_value.

D.

Authorize third-party service by sending authorization requests to the community-url/services/oauth2/authonze/expid_value.

Question 20

Universal Containers (UC) has implemented SSO according to the diagram below. uses SAML while Salesforce Org 1 uses OAuth 2.0. Users usually start their day by first attempting to log into Salesforce Org 2 and then later in the day, they will log into either the Financial System or CPQ system depending upon their job position. Which two systems are acting as Identity Providers?

Options:

A.

Financial System

B.

Pingfederate

C.

Salesforce Org 2

D.

Salesforce Org 1

Question 21

Northern Trail Outfitters would like to automatically create new employee users in Salesforce with an appropriate profile that maps to its Active Directory Department.

How should an identity architect implement this requirement?

Options:

A.

Use the createUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.

B.

Use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.

C.

Use a login flow to collect Security Assertion Markup Language attributes and assign the appropriate profile during Just-In-Time

(JIT) provisioning.

D.

Make a callout during the login flow to query department from Active Directory to assign the appropriate profile.

Question 22

Northern Trail Outfitters manages application functional permissions centrally as Active Directory groups. The CRM_Superllser and CRM_Reportmg_SuperUser groups should respectively give the user the SuperUser and Reportmg_SuperUser permission set in Salesforce. Salesforce is the service provider to a Security Assertion Markup Language (SAML) identity provider.

Mow should an identity architect ensure the Active Directory groups are reflected correctly when a user accesses Salesforce?

Options:

A.

Use the Apex Just-in-Time handler to query standard SAML attributes and set permission sets.

B.

Use the Apex Just-in-Time handler to query custom SAML attributes and set permission sets.

C.

Use a login flow to query custom SAML attributes and set permission sets.

D.

Use a login flow to query standard SAML attributes and set permission sets.

Question 23

Universal containers (UC) has a classified information system that it's call centre team uses only when they are working on a case with a record type of "classified". They are only allowed to access the system when they own an open "classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO with salesforce as the IDP, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying access to the classified information system based on the open "classified" case record criteria?

Options:

A.

Use a custom connected App handler using apex to dynamically allow access to the system based on whether the staff owns any open "classified" cases.

B.

Use apex trigger on case to dynamically assign permission sets that grant access when a user is assigned with an open "classified" case, and remove it when the case is closed.

C.

Use custom SAML jit provisioning to dynamically query the user's open "classified" cases when attempting to access the classified information system

D.

Use salesforce reports to identify users that currently owns open "classified" cases and should be granted access to the classified information system.

Question 24

Universal containers(UC) has implemented SAML-BASED single Sign-on for their salesforce application and is planning to provide access to salesforce on mobile devices using the salesforce1 mobile app. UC wants to ensure that single Sign-on is used for accessing the salesforce1 mobile app. Which two recommendations should the architect make? Choose 2 answers

Options:

A.

Use the existing SAML SSO flow along with user agent flow.

B.

Configure the embedded Web browser to use my domain URL.

C.

Use the existing SAML SSO flow along with Web server flow

D.

Configure the salesforce1 app to use the my domain URL

Question 25

Universal Containers is considering using Delegated Authentication as the sole means of Authenticating of Salesforce users. A Salesforce Architect has been brought in to assist with the implementation. What two risks Should the Architect point out? Choose 2 answers

Options:

A.

Delegated Authentication is enabled or disabled for the entire Salesforce org.

B.

UC will be required to develop and support a custom SOAP web service.

C.

Salesforce users will be locked out of Salesforce if the web service goes down.

D.

The web service must reside on a public cloud service, such as Heroku.

Question 26

Universal Containers wants to allow its customers to log in to its Experience Cloud via a third party authentication provider that supports only the OAuth protocol.

What should an identity architect do to fulfill this requirement?

Options:

A.

Contact Salesforce Support and enable delegate single sign-on.

B.

Create a custom external authentication provider.

C.

Use certificate-based authentication.

D.

Configure OpenID Connect authentication provider.

Question 27

An identity architect wants to secure Salesforce APIs using Security Assertion Markup Language (SAML). For secunty purposes, administrators will need to authorize the applications that will be consuming the APIs.

Which Salesforce OAuth authorization flow should be used?

Options:

A.

OAuth 2-0 SAML Bearer Assertion Flow

B.

OAuth 2.0 JWT Bearer Flow

C.

SAML Assertion Flow

D.

OAuth 2.0 User-Agent Flow

Question 28

Universal containers (UC) uses an internal company portal for their employees to collaborate. UC decides to use salesforce ideas and provide the ability for employees to post ideas from the company portal. They use SAML-BASED SSO to get into the company portal and would like to leverage it to access salesforce. Most of the users don't exist in salesforce and they would like the user records created in salesforce communities the first time they try to access salesforce. What recommendation should an architect make to meet this requirement?

Options:

A.

Use on-the-fly provisioning

B.

Use just-in-time provisioning

C.

Use salesforce APIs to create users on the fly

D.

Use Identity connect to sync users

Question 29

What are three capabilities of Delegated Authentication? Choose 3 answers

Options:

A.

It can be assigned by Custom Permissions.

B.

It can connect to SOAP services.

C.

It can be assigned by Permission Sets.

D.

It can be assigned by Profiles.

E.

It can connect to REST services.

Question 30

Under which scenario Web Server flow will be used?

Options:

A.

Used for web applications when server-side code needs to interact with APIS.

B.

Used for server-side components when page needs to be rendered.

C.

Used for mobile applications and testing legacy Integrations.

D.

Used for verifying Access protected resources.

Question 31

A company wants to provide its employees with a custom mobile app that accesses Salesforce. Users are required to download the internal native IOS mobile app from corporate intranet on their mobile device. The app allows flexibility to access other Non Salesforce internal applications once users authenticate with Salesforce. The apps self-authorize, and users are permitted to use the apps once they have logged into Salesforce.

How should an identity architect meet the above requirements with the privately distributed mobile app?

Options:

A.

Use connected app with OAuth and Security Assertion Markup Language (SAML) to access other Non Salesforce internal apps.

B.

Configure Mobile App settings in connected app and Salesforce as identity provider for non-Salesforce internal apps.

C.

Use Salesforce as an identity provider (IdP) to access the mobile app and use the external IdP for other non-Salesforce internal apps.

D.

Create a new hybrid mobile app and use the connected app with OAuth to authenticate users for Salesforce and non-Salesforce internal apps.

Question 32

Universal Containers (UC) is rolling out its new Customer Identity and Access Management Solution built on top of its existing Salesforce instance. UC wants to allow customers to login using Facebook, Google, and other social sign-on providers.

How should this functionality be enabled for UC, assuming ail social sign-on providers support OpenID Connect?

Options:

A.

Configure an authentication provider and a registration handler for each social sign-on provider.

B.

Configure a single sign-on setting and a registration handler for each social sign-on provider.

C.

Configure an authentication provider and a Just-In-Time (JIT) handler for each social sign-on provider.

D.

Configure a single sign-on setting and a JIT handler for each social sign-on provider.

Question 33

Universal containers wants salesforce inbound Oauth-enabled integration clients to use SAML-BASED single Sign-on for authentication. What Oauth flow would be recommended in this scenario?

Options:

A.

User-Agent Oauth flow

B.

SAML assertion Oauth flow

C.

User-Token Oauth flow

D.

Web server Oauth flow

Question 34

Northern Trail Outfitters (NTO) is planning to build a new customer service portal and wants to use passwordless login, allowing customers to login with a one-time passcode sent to them via email or SMS.

How should the quantity of required Identity Verification Credits be estimated?

Options:

A.

Each community comes with 10,000 Identity Verification Credits per month and only customers with more than 10,000 logins a month should estimate additional SMS verifications needed.

B.

Identity Verification Credits are consumed with each SMS (text message) sent and should be estimated based on the number of login verification challenges for SMS verification users.

C.

Identity Verification Credits are consumed with each verification sent and should be estimated based on the number of logins

that will incur a verification challenge.

D.

Identity Verification Credits are a direct add-on license based on the number of existing member-based or login-based Community licenses.

Question 35

Universal Containers (UC) has implemented SAML-based SSO solution for use with their multi-org Salesforce implementation, utilizing one of the the orgs as the Identity Provider. One user is reporting that they can log in to the Identity Provider org but get a generic SAML error message when accessing the other orgs. Which two considerations should the architect review to troubleshoot the issue? Choose 2 answers

Options:

A.

The Federation ID must be a valid Salesforce Username

B.

The Federation ID must is case sensitive

C.

The Federation ID must be in the form of an email address.

D.

The Federation ID must be populated on the user record.

Question 36

An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The following are the requirements for the solution:

1. Users should not have to login every time they use the app.

2. The app should be able to make calls to the Salesforce REST API.

3. End users should NOT see the OAuth approval page.

How should the identity architect configure the Salesforce connected app to meet the requirements?

Options:

A.

Enable the API Scope and Offline Access Scope, upload a certificate so JWT Bearer Flow can be used and then set the connected app access settings to "Admin Pre-Approved".

B.

Enable the API Scope and Offline Access Scope on the connected app, and then set the connected app to access settings to 'Admin Pre-Approved".

C.

Enable the Full Access Scope and then set the connected app access settings to "Admin Pre-Approved".

D.

Enable the API Scope and Offline Access Scope on the connected app, and then set the Connected App access settings to "User may self authorize".

Question 37

Universal containers(UC) wants to integrate a third-party reward calculation system with salesforce to calculate rewards. Rewards will be calculated on a schedule basis and update back into salesforce. The integration between Salesforce and the reward calculation system needs to be secure. Which are the recommended best practices for using Oauth flows in this scenario? Choose 2 answers

Options:

A.

Oauth refresh token flow

B.

Oauth SAML bearer assertion flow

C.

Oauthjwt bearer token flow

D.

Oauth Username-password flow

Load More Identity-and-Access-Management-Architect Questions
Page: 1 / 24
Total 243 questions
Get Identity-and-Access-Management-Architect Full Access Download Identity-and-Access-Management-Architect PDF