Summer Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: netbudy65

Identity-and-Access-Management-Architect Salesforce Certified Identity and Access Management Architect (SP23) Questions and Answers

Questions 4

Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Act Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee recently was able to login to NTO's Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory.

What should an identity architect recommend to prevent this from happening in the future?

Options:

A.

Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP.

B.

Configure an authentication provider to delegate authentication to the LDAP directory.

C.

use a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce.

D.

Setup an identity provider (IdP) to authenticate users using LDAP, set up single sign-on to Salesforce and disable Login Form authentication.

Buy Now
Questions 5

An identity architect has been asked to recommend a solution that allows administrators to configure personalized alert messages to users before they land on the Experience Cloud site (formerly known as Community) homepage.

What is recommended to fulfill this requirement with the least amount of customization?

Options:

A.

Customize the registration handler Apex class to create a routing logic navigating to different home pages based on the user profile.

B.

Use Login Flows to add a screen that shows personalized alerts.

C.

Build a Lightning web Component (LWC) for a homepage that shows custom alerts.

D.

Create custom metadata that stores user alerts and use a LWC to display alerts.

Buy Now
Questions 6

Universal Containers (UC) has a classified information system that its call center team uses only when they are working on a case with a record type "Classified". They are only allowed to access the system when they own an open "Classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO eith Salesforce as the Idp, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "Classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying the access to the classified information system based on the open "classified" case record criteria?

Options:

A.

Use Salesforce reports to identify users that currently owns open "Classified" cases and should be granted access to the Classified information system.

B.

Use Apex trigger on case to dynamically assign permission Sets that Grant access when an user is assigned with an open "Classified" case, and remove it when the case is closed.

C.

Use Custom SAML JIT Provisioning to dynamically query the user's open "Classified" cases when attempting to access the classified information system.

D.

Use a Common Connected App Handler using Apex to dynamically allow access to the system based on whether the staff owns any open "Classified" Cases.

Buy Now
Questions 7

Universal Containers (UC) is building an authenticated Customer Community for its customers. UC does not want customer credentials stored in Salesforce and is confident its customers would be willing to use their social media credentials to authenticate to the community. Which two actions should an Architect recommend UC to take?

Options:

A.

Use Delegated Authentication to call the Twitter login API to authenticate users.

B.

Configure an Authentication Provider for LinkedIn Social Media Accounts.

C.

Create a Custom Apex Registration Handler to handle new and existing users.

D.

Configure SSO Settings For Facebook to serve as a SAML Identity Provider.

Buy Now
Questions 8

Northern Trail Outfitters (NTO) is planning to build a new customer service portal and wants to use passwordless login, allowing customers to login with a one-time passcode sent to them via email or SMS.

How should the quantity of required Identity Verification Credits be estimated?

Options:

A.

Each community comes with 10,000 Identity Verification Credits per month and only customers with more than 10,000 logins a month should estimate additional SMS verifications needed.

B.

Identity Verification Credits are consumed with each SMS (text message) sent and should be estimated based on the number of login verification challenges for SMS verification users.

C.

Identity Verification Credits are consumed with each verification sent and should be estimated based on the number of logins

that will incur a verification challenge.

D.

Identity Verification Credits are a direct add-on license based on the number of existing member-based or login-based Community licenses.

Buy Now
Questions 9

Universal containers (UC) has built a custom based Two-factor Authentication (2fa) system for their existing on-premise applications. Thru are now implementing salesforce and would like to enable a Two-factor login process for it, as well. What is the recommended solution an architect should consider?

Options:

A.

Replace the custom 2fa system with salesforce 2fa for on-premise application and salesforce.

B.

Use the custom 2fa system for on-premise applications and native 2fa for salesforce.

C.

Replace the custom 2fa system with an app exchange app that supports on-premise applications and salesforce.

D.

Use custom login flows to connect to the existing custom 2fa system for use in salesforce.

Buy Now
Questions 10

Universal Containers (UC) wants to build a mobile application that twill be making calls to the Salesforce REST API. UC's Salesforce implementation relies heavily on custom objects and custom Apex code. UC does not want its users to have to enter credentials every time they use the app. Which two scope values should an Architect recommend to UC? Choose 2 answers.

Options:

A.

Custom_permissions

B.

Api

C.

Refresh_token

D.

Full

Buy Now
Questions 11

Which two capabilities does My Domain enable in the context of a SAML SSO configuration? Choose 2 answers

Options:

A.

App Launcher

B.

Resource deep linking

C.

SSO from Salesforce Mobile App

D.

Login Forensics

Buy Now
Questions 12

Universal Containers (UC) rolling out a new Customer Identity and Access Management Solution will be built on top of their existing Salesforce instance.

Several service providers have been setup and integrated with Salesforce using OpenlD Connect to allow for a seamless single sign-on experience. UC has a requirement to limit user access to only a subset of service providers per customer type.

Which two steps should be done on the platform to satisfy the requirement?

Choose 2 answers

Options:

A.

Manage which connected apps a user has access to by assigning authentication providers to the users profile.

B.

Assign the connected app to the customer community, and enable the users profile in the Community settings.

C.

Use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps.

D.

Set each of the Connected App access settings to Admin Pre-Approved.

Buy Now
Questions 13

An administrator created a connected app for a custom wet) application in Salesforce which needs to be visible as a tile in App Launcher The tile for the custom web application is missing in the app launcher for all users in Salesforce. The administrator requested assistance from an identity architect to resolve the issue.

Which two reasons are the source of the issue?

Choose 2 answers

StartURL for the connected app is not set in Connected App settings.

B. OAuth scope does not include "openid*.

C. Session Policy is set as 'High Assurance Session required' for this connected app.

D. The connected app is not set in the App menu as 'Visible in App Launcher".

Options:

Buy Now
Questions 14

A security architect is rolling out a new multi-factor authentication (MFA) mandate, where all employees must go through a secure authentication process before accessing Salesforce. There are multiple Identity Providers (IdP) in place and the architect is considering how the "Authentication Method Reference" field (AMR) in the Login History can help.

Which two considerations should the architect keep in mind?

Choose 2 answers

Options:

A.

AMR field shows the authentication methods used at IdP.

B.

Both OIDC and Security Assertion Markup Language (SAML) are supported but AMR must be implemented at IdP.

C.

High-assurance sessions must be configured under Session Security Level Policies.

D.

Dependency on what is supported by OpenID Connect (OIDC) implementation at IdP.

Buy Now
Questions 15

A global fitness equipment manufacturer is planning to sell fitness tracking devices and has the following requirements:

1) Customer purchases the device.

2) Customer registers the device using their mobile app.

3) A case should automatically be created in Salesforce and associated with the customers account in cases where the device registers issues with tracking.

Which OAuth flow should be used to meet these requirements?

Options:

A.

OAuth 2.0 Asset Token Flow

B.

OAuth 2.0 Username-Password Flow

C.

OAuth 2.0 User-Agent Flow

D.

OAuth 2.0 SAML Bearer Assertion Flow

Buy Now
Questions 16

universal container plans to develop a custom mobile app for the sales team that will use salesforce for authentication and access management. The mobile app access needs to be restricted to only the sales team. What would be the recommended solution to grant mobile app access to sales users?

Options:

A.

Use a custom attribute on the user object to control access to the mobile app

B.

Use connected apps Oauth policies to restrict mobile app access to authorized users.

C.

Use the permission set license to assign the mobile app permission to sales users

D.

Add a new identity provider to authenticate and authorize mobile users.

Buy Now
Questions 17

Universal containers wants salesforce inbound Oauth-enabled integration clients to use SAML-BASED single Sign-on for authentication. What Oauth flow would be recommended in this scenario?

Options:

A.

User-Agent Oauth flow

B.

SAML assertion Oauth flow

C.

User-Token Oauth flow

D.

Web server Oauth flow

Buy Now
Questions 18

Universal containers (UC) is successfully using Delegated Authentication for their salesforce users. The service supporting Delegated Authentication is written in Java. UC has a new CIO that is requiring all company Web services be RESR-ful and written in . NET. Which two considerations should the UC Architect provide to the new CIO? Choose 2 answers

Options:

A.

Delegated Authentication will not work with a.net service.

B.

Delegated Authentication will continue to work with rest services.

C.

Delegated Authentication will continue to work with a.net service.

D.

Delegated Authentication will not work with rest services.

Buy Now
Questions 19

Refer to the exhibit.

Outfitters (NTO) is using Experience Cloud as an Identity for its application on Heroku. The application on Heroku should be able to handle two brands, Northern Trail Shoes and Northern Trail Shirts.

A user should select either of the two brands in Heroku before logging into the community. The app then performs Authorization using OAuth2.0 with the Salesforce Experience Cloud site.

NTO wants to make sure it renders login page images dynamically based on the user's brand preference selected in Heroku before Authorization.

what should an identity architect do to fulfill the above requirements?

Options:

A.

For each brand create different communities and redirect users to the appropriate community using a custom Login controller written in Apex.

B.

Create multiple login screens using Experience Builder and use Login Flows at runtime to route to different login screens.

C.

Authorize third-party service by sending authorization requests to the community-url/services/oauth2/authorize/cookie_value.

D.

Authorize third-party service by sending authorization requests to the community-url/services/oauth2/authonze/expid_value.

Buy Now
Questions 20

Universal containers (UC) is setting up their customer Community self-registration process. They are uncomfortable with the idea of assigning new users to a default account record. What will happen when customers self-register in the community?

Options:

A.

The self-registration process will produce an error to the user.

B.

The self-registration page will ask user to select an account.

C.

The self-registration process will create a person Account record.

D.

The self-registration page will create a new account record.

Buy Now
Questions 21

Universal Containers (UC) is setting up delegated authentication to allow employees to log in using their corporate credentials. UC's security team is concerned about the risks of exposing the corporate login service on the internet and has asked that a reliable trust mechanism be put in place between the login service and Salesforce.

What mechanism should an Architect put in place to enable a trusted connection between the login service and Salesforce?

Options:

A.

Require the use of Salesforce security tokens on passwords.

B.

Enforce mutual authentication between systems using SSL.

C.

Include Client Id and Client Secret in the login header callout.

D.

Set up a proxy service for the login service in the DMZ.

Buy Now
Questions 22

Universal containers (UC) is setting up Delegated Authentication to allow employees to log in using their corporate credentials. UC's security team is concerned about the risk of exposing the corporate login service on the Internet and has asked that a reliable trust mechanism be put in place between the login service and salesforce. What mechanism should an architect put in place to enable a trusted connection between the login services and salesforce?

Options:

A.

Include client ID and client secret in the login header callout.

B.

Set up a proxy server for the login service in the DMZ.

C.

Require the use of Salesforce security Tokens on password.

D.

Enforce mutual Authentication between systems using SSL.

Buy Now
Questions 23

Universal Container's (UC) is using Salesforce Experience Cloud site for its container wholesale business. The identity architect wants to an authentication provider for the new site.

Which two options should be utilized in creating an authentication provider?

Choose 2 answers

Options:

A.

A custom registration handier can be set.

B.

A custom error URL can be set.

C.

The default login user can be set.

D.

The default authentication provider certificate can be set.

Buy Now
Questions 24

architect is troubleshooting some SAML-based SSO errors during testing. The Architect confirmed that all of the Salesforce SSO settings are correct. Which two issues outside of the Salesforce SSO settings are most likely contributing to the SSO errors the Architect is encountering? Choose 2 Answers

Options:

A.

The Identity Provider is also used to SSO into five other applications.

B.

The clock on the Identity Provider server is twenty minutes behind Salesforce.

C.

The Issuer Certificate from the Identity Provider expired two weeks ago.

D.

The default language for the Identity Provider and Salesforce are Different.

Buy Now
Questions 25

Which two roles of the systems are involved in an environment where salesforce users are enabled to access Google Apps from within salesforce through App launcher and connected App set up? Choose 2 answers

Options:

A.

Google is the identity provider

B.

Salesforce is the identity provider

C.

Google is the service provider

D.

Salesforce is the service provider

Buy Now
Questions 26

Northern Trail Outfitters would like to use a portal built on Salesforce Experience Cloud for customer self-service. Guests of the portal be able to self-register, but be unable to automatically be assigned to a contact record until verified. External Identity licenses have bee purchased for the project.

After registered guests complete an onboarding process, a flow will create the appropriate account and contact records for the user.

Which three steps should an identity architect follow to implement the outlined requirements?

Choose 3 answers

Options:

A.

Enable "Allow customers and partners to self-register".

B.

Select the "Configurable Self-Reg Page" option under Login & Registration.

C.

Set jp an external login page and call Salesforce APIs for user creation.

D.

Customize the self-registration Apex handler to temporarily associate the user to a shared single contact record.

E.

Customize me self-registration Apex handler to create only the user record.

Buy Now
Questions 27

Northern Trail Outfitters (NTO) recently purchased Salesforce Identity Connect to streamline user provisioning across Microsoft Active Directory (AD) and Salesforce Sales Cloud.

NTO has asked an identity architect to identify which salesforce security configurations can map to AD permissions.

Which three Salesforce permissions are available to map to AD permissions?

Choose 3 answers

Options:

A.

Public Groups

B.

Field-Level Security

C.

Roles

D.

Sharing Rules

E.

Profiles and Permission Sets

Buy Now
Questions 28

Universal Containers (UC) wants to implement SAML SSO for their internal of Salesforce users using a third-party IdP. After some evaluation, UC decides NOT to 65« set up My Domain for their Salesforce org. How does that decision impact their SSO implementation?

Options:

A.

IdP-initiated SSO will NOT work.

B.

Neither SP- nor IdP-initiated SSO will work.

C.

Either SP- or IdP-initiated SSO will work.

D.

SP-initiated SSO will NOT work

Buy Now
Questions 29

A company's external application is protected by Salesforce through OAuth. The identity architect for the project needs to limit the level of access to the data of the protected resource in a flexible way.

What should be done to improve security?

Options:

A.

Select "Admin approved users are pre-authonzed" and assign specific profiles.

B.

Create custom scopes and assign to the connected app.

C.

Define a permission set that grants access to the app and assign to authorized users.

D.

Leverage external objects and data classification policies.

Buy Now
Questions 30

Universal Containers (UC) uses Global Shipping (GS) as one of their shipping vendors. Regional leads of GS need access to UC's Salesforce instance for reporting damage of goods using Cases. The regional leads also need access to dashboards to keep track of regional shipping KPIs. UC internally uses a third-party cloud analytics tool for capacity planning and UC decided to provide access to this tool to a subset of GS employees. In addition to regional leads, the GS capacity planning team would benefit from access to this tool. To access the analytics tool, UC IT has set up Salesforce as the Identity provider for Internal users and would like to follow the same approach for the GS users as well. What are the most appropriate license types for GS Tregional Leads and the GS Capacity Planners? Choose 2 Answers

Options:

A.

Customer Community Plus license for GS Regional Leads and External Identity for GS Capacity Planners.

B.

Customer Community Plus license for GS Regional Leads and Customer Community license for GS Capacity Planners.

C.

Identity Licence for GS Regional Leads and External Identity license for GS capacity Planners.

D.

Customer Community license for GS Regional Leads and Identity license for GS Capacity Planners.

Buy Now
Questions 31

Northern Trail Outfitters (NTO) has a requirement to ensure all user logins include a single multi-factor authentication (MFA) prompt. Currently, users are allowed the choice to login with a username and password or via single sign-on against NTO's corporate Identity Provider, which includes built-in MFA.

Which configuration will meet this requirement?

Options:

A.

Create and assign a permission set to all employees that includes "MFA for User Interface Logins."

B.

Create a custom login flow that enforces MFA and assign it to a permission set. Then assign the permission set to all employees.

C.

Enable "MFA for User Interface Logins" for your organization from Setup -> Identity Verification.

D.

For all employee profiles, set the Session Level Required at Login to High Assurance and add the corporate identity provider to the High Assurance list for the org's Session Security Levels.

Buy Now
Questions 32

Universal Containers (UC) uses a home-grown Employee portal for their employees to collaborate. UC decides to use Salesforce Ideas to allow employees to post Ideas from the Employee portal. When users click on some of the links in the Employee portal, the users should be redirected to Salesforce, authenticated, and presented with the relevant pages. What OAuth flow is best suited for this scenario?

Options:

A.

Web Application flow

B.

SAML Bearer Assertion flow

C.

User-Agent flow

D.

Web Server flow

Buy Now
Questions 33

Universal containers wants to build a custom mobile app connecting to salesforce using Oauth, and would like to restrict the types of resources mobile users can access. What Oauth feature of Salesforce should be used to achieve the goal?

Options:

A.

Access Tokens

B.

Mobile pins

C.

Refresh Tokens

D.

Scopes

Buy Now
Questions 34

An identity architect wants to secure Salesforce APIs using Security Assertion Markup Language (SAML). For secunty purposes, administrators will need to authorize the applications that will be consuming the APIs.

Which Salesforce OAuth authorization flow should be used?

Options:

A.

OAuth 2-0 SAML Bearer Assertion Flow

B.

OAuth 2.0 JWT Bearer Flow

C.

SAML Assertion Flow

D.

OAuth 2.0 User-Agent Flow

Buy Now
Questions 35

Universal Containers (UC) has five Salesforce orgs (UC1, UC2, UC3, UC4, UC5). of Every user that is in UC2, UC3, UC4, and UC5 is also in UC1, however not all users 65* have access to every org. Universal Containers would like to simplify the authentication process such that all Salesforce users need to remember one set of credentials. UC would like to achieve this with the least impact to cost and maintenance. What approach should an Architect recommend to UC?

Options:

A.

Purchase a third-party Identity Provider for all five Salesforce orgs to use and set up JIT user provisioning on all other orgs.

B.

Purchase a third-party Identity Provider for all five Salesforce orgs to use, but don't set up JIT user provisioning for other orgs.

C.

Configure UC1 as the Identity Provider to the other four Salesforce orgs and set up JIT user provisioning on all other orgs.

D.

Configure UC1 as the Identity Provider to the other four Salesforce orgs, but don't set up JIT user provisioning for other orgs.

Buy Now
Questions 36

Universal containers (UC) is concerned that having a self-registration page will provide a means for "bots" or unintended audiences to create user records, thereby consuming licences and adding dirty data. Which two actions should UC take to prevent unauthorised form submissions during the self-registration process? Choose 2 answers

Options:

A.

Use open-ended security questions and complex password requirements

B.

Primarily use lookup and picklist fields on the self registration page.

C.

Require a captcha at the end of the self-registration process.

D.

Use hidden fields populated via java script events in the self-registration page.

Buy Now
Questions 37

Universal containers (UC) would like to enable self - registration for their salesforce partner community users. UC wants to capture some custom data elements from the partner user, and based on these data elements, wants to assign the appropriate profile and account values. Which two actions should the architect recommend to UC? Choose 2 answers

Options:

A.

Modify the communitiesselfregcontroller to assign the profile and account.

B.

Modify the selfregistration trigger to assign profile and account.

C.

Configure registration for communities to use a custom visualforce page.

D.

Configure registration for communities to use a custom apex controller.

Buy Now
Exam Name: Salesforce Certified Identity and Access Management Architect (SP23)
Last Update: May 24, 2024
Questions: 245

PDF + Testing Engine

$140

Testing Engine

$105

PDF (Q&A)

$90