11.11 Special 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Free and Premium Salesforce Identity-and-Access-Management-Architect Dumps Questions Answers

Salesforce Certified Identity andAccess Management Architect (SU24) Questions and Answers

Question 1

Universal containers wants to build a custom mobile app connecting to salesforce using Oauth, and would like to restrict the types of resources mobile users can access. What Oauth feature of Salesforce should be used to achieve the goal?

Options:

A.

Access Tokens

B.

Mobile pins

C.

Refresh Tokens

D.

Scopes

Buy Now
Question 2

Universal Container's (UC) is using Salesforce Experience Cloud site for its container wholesale business. The identity architect wants to an authentication provider for the new site.

Which two options should be utilized in creating an authentication provider?

Choose 2 answers

Options:

A.

A custom registration handier can be set.

B.

A custom error URL can be set.

C.

The default login user can be set.

D.

The default authentication provider certificate can be set.

Question 3

Universal Containers uses Salesforce as an identity provider and Concur as the Employee Expense management system. The HR director wants to ensure Concur accounts for employees are created only after the appropnate approval in the Salesforce org.

Which three steps should the identity architect use to implement this requirement?

Choose 3 answers

Options:

A.

Create an approval process for a custom object associated with the provisioning flow.

B.

Create a connected app for Concur in Salesforce.

C.

Enable User Provisioning for the connected app.

D.

Create an approval process for user object associated with the provisioning flow.

E.

Create an approval process for UserProvisionlngRequest object associated with the provisioning flow.

Question 4

Uwversal Containers (UC) is building a custom employee hut) application on Amazon Web Services (AWS) and would like to store their users' credentials there. Users will also need access to Salesforce for internal operations. UC has tasked an identity architect with evaluating Afferent solutions for authentication and authorization between AWS and Salesforce.

How should an identity architect configure AWS to authenticate and authorize Salesforce users?

Options:

A.

Configure the custom employee app as a connected app.

B.

Configure AWS as an OpenID Connect Provider.

C.

Create a custom external authentication provider.

D.

Develop a custom Auth server in AWS.

Question 5

Universal containers (UC) is setting up their customer Community self-registration process. They are uncomfortable with the idea of assigning new users to a default account record. What will happen when customers self-register in the community?

Options:

A.

The self-registration process will produce an error to the user.

B.

The self-registration page will ask user to select an account.

C.

The self-registration process will create a person Account record.

D.

The self-registration page will create a new account record.

Question 6

Northern Trail Outfitters (NTO) uses Salesforce Experience Cloud sites (previously known as Customer Community) to provide a digital portal where customers can login using their Google account.

NTO would like to automatically create a case record for first time users logging into Salesforce Experience Cloud.

What should an Identity architect do to fulfill the requirement?

Options:

A.

Configure an authentication provider for Social Login using Google and a custom registration handler.

B.

Implement a Just-in-Time handler class that has logic to create cases upon first login.

C.

Create an authentication provider for Social Login using Google and leverage standard registration handler.

D.

Implement a login flow with a record create component for Case.

Question 7

The security team at Universal containers(UC) has identified exporting reports as a high-risk action and would like to require users to be logged into salesforce with their active directory (AD) credentials when doing so. For all other uses of Salesforce, Users should be allowed to use AD credentials or salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with salesforce credentials?

Options:

A.

Use SAML Federated Authentication and Custom SAML jit provisioning to dynamically add or remove a permission set that grants the Export Reports permission.

B.

Use SAML Federated Authentication, treat SAML sessions as high assurance, and raise the session level required for exporting reports.

C.

Use SAML Federated Authentication and block access to reports when accesses through a standard assurance session.

D.

Use SAML Federated Authentication with a login flow to dynamically add or remove a permission set that grants the export reports permission.

Question 8

An identity architect's client has a homegrown identity provider (IdP). Salesforce is used as the service provider (SP). The head of IT is worried that during a SP initiated single sign-on (SSO), the Security Assertion Markup Language (SAML) request content will be altered.

What should the identity architect recommend to make sure that there is additional trust between the SP and the IdP?

Options:

A.

Ensure that there is an HTTPS connection between IDP and SP.

B.

Ensure that on the SSO settings page, the "Request Signing Certificate" field has a self-signed certificate.

C.

Ensure that the Issuer and Assertion Consumer service (ACS) URL is property configured between SP and IDP.

D.

Encrypt the SAML Request using certification authority (CA) signed certificate and decrypt on IdP.

Question 9

Universal Containers (UC) is building a custom Innovation platform on their Salesforce instance. The Innovation platform will be written completely in Apex and Visualforce and will use custom objects to store the Data. UC would like all users to be able to access the system without having to log in with Salesforce credentials. UC will utilize a third-party idp using SAML SSO. What is the optimal Salesforce licence type for all of the UC employees?

Options:

A.

Identity Licence.

B.

Salesforce Licence.

C.

External Identity Licence.

D.

Salesforce Platform Licence.

Question 10

Universal containers wants to implement single Sign-on for a salesforce org using an external identity provider and corporate identity store. What type of Authentication flow is required to support deep linking?

Options:

A.

Web server Oauth SSO flow.

B.

Identity-provider-initiated SSO

C.

Service-provider-initiated SSO

D.

Start URL on identity provider

Question 11

Universal Containers (UC) is planning to add Wi-Fi enabled GPS tracking devices to its shipping containers so that the GPS coordinates data can be sent from the tracking device to its Salesforce production org via a custom API. The GPS devices have no direct user input or output capabilities.

Which OAuth flow should the identity architect recommend to meet the requirement?

Options:

A.

OAuth 2.0 Asset Token Flow for Securing Connected Devices

B.

OAuth 2.0 Username-Password Flow for Special Scenarios

C.

OAuth 2.0 Web Server Flow for Web App Integration

D.

OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration

Question 12

The CIO of universal containers(UC) wants to start taking advantage of the refresh token capability for the UC applications that utilize Oauth 2.0. UC has listed an architect to analyze all of the applications that use Oauth flows to. See where refresh Tokens can be applied. Which two OAuth flows should the architect consider in their evaluation? Choose 2 answers

Options:

A.

Web server

B.

Jwt bearer token

C.

User-Agent

D.

Username-password

Question 13

Northern Trail Outfitters (NTO) is planning to build a new customer service portal and wants to use passwordless login, allowing customers to login with a one-time passcode sent to them via email or SMS.

How should the quantity of required Identity Verification Credits be estimated?

Options:

A.

Each community comes with 10,000 Identity Verification Credits per month and only customers with more than 10,000 logins a month should estimate additional SMS verifications needed.

B.

Identity Verification Credits are consumed with each SMS (text message) sent and should be estimated based on the number of login verification challenges for SMS verification users.

C.

Identity Verification Credits are consumed with each verification sent and should be estimated based on the number of logins

that will incur a verification challenge.

D.

Identity Verification Credits are a direct add-on license based on the number of existing member-based or login-based Community licenses.

Question 14

Universal containers (UC) has implemented SAML -based single Sign-on for their salesforce application. UC is using pingfederate as the Identity provider. To access salesforce, Users usually navigate to a bookmarked link to my domain URL. What type of single Sign-on is this?

Options:

A.

Sp-Initiated

B.

IDP-initiated with deep linking

C.

IDP-initiated

D.

Web server flow.

Question 15

Universal Containers (UC) has an Experience Cloud site (Customer Community) where customers can authenticate and place orders, view the status of orders, etc. UC allows guest checkout.

Mow can a guest register using data previously collected during order placement?

Options:

A.

Enable Security Assertion Markup Language Sign-On and use a login flow to collect only order details to retrieve customer data.

B.

Enable Facebook as an authentication provider and use a registration handler to collect only order details to retrieve customer data.

C.

Use a Connected App Handler Apex Plugin class to collect only order details to retrieve customer data.

D.

Enable self-registration and customize a self-registration page to collect only order details to retrieve customer data.

Question 16

Universal Containers (UC) is looking to purchase a third-party application as an Identity Provider. UC is looking to develop a business case for the purchase in general and has enlisted an Architect for advice. Which two capabilities of an Identity Provider should the Architect detail to help strengthen the business case? Choose 2 answers

Options:

A.

The Identity Provider can authenticate multiple applications.

B.

The Identity Provider can authenticate multiple social media accounts.

C.

The Identity provider can store credentials for multiple applications.

D.

The Identity Provider can centralize enterprise password policy.

Question 17

Universal Containers (UC) would like its community users to be able to register and log in with Linkedin or Facebook Credentials. UC wants users to clearly see Facebook &Linkedin Icons when they register and login. What are the two recommended actions UC can take to achieve this Functionality? Choose 2 answers

Options:

A.

Enable Facebook and Linkedin as Login options in the login section of the Community configuration.

B.

Create custom Registration Handlers to link Linkedin and facebook accounts to user records.

C.

Store the Linkedin or Facebook user IDs in the Federation ID field on the Salesforce User record.

D.

Create custom buttons for Facebook and inkedin using JAVAscript/CSS on a custom Visualforce page.

Question 18

An Identity and Access Management (IAM) Architect is recommending Identity Connect to integrate Microsoft Active Directory (AD) with Salesforce for user provisioning, deprovisioning and single sign-on (SSO).

Which feature of Identity Connect is applicable for this scenano?

Options:

A.

When Identity Connect is in place, if a user is deprovisioned in an on-premise AD, the user's Salesforce session Is revoked Immediately.

B.

If the number of provisioned users exceeds Salesforce licence allowances, identity Connect will start disabling the existing

Salesforce users in First-in, First-out (FIFO) fashion.

C.

Identity Connect can be deployed as a managed package on salesforce org, leveraging High Availability of Salesforce Platform out-of-the-box.

D.

When configured, Identity Connect acts as an identity provider to both Active Directory and Salesforce, thus providing SSO as a default feature.

Question 19

Universal containers(UC) has implemented SAML-BASED single Sign-on for their salesforce application and is planning to provide access to salesforce on mobile devices using the salesforce1 mobile app. UC wants to ensure that single Sign-on is used for accessing the salesforce1 mobile app. Which two recommendations should the architect make? Choose 2 answers

Options:

A.

Use the existing SAML SSO flow along with user agent flow.

B.

Configure the embedded Web browser to use my domain URL.

C.

Use the existing SAML SSO flow along with Web server flow

D.

Configure the salesforce1 app to use the my domain URL

Question 20

Universal Containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in Salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two are recommendations to make the UC? Choose 2 answers

Options:

A.

Disallow the use of Single Sign-on for any users of the mobile app.

B.

Require High Assurance sessions in order to use the Connected App.

C.

Set Login IP Ranges to the internal network for all of the app users Profiles.

D.

Use Google Authenticator as an additional part of the login process

Question 21

Universal Containers (UC) has built a custom token-based Two-factor authentication (2FA) system for their existing on-premise applications. They are now implementing Salesforce and would like to enable a Two-factor login process for it, as well. What is the recommended solution as Architect should consider?

Options:

A.

Use the custom 2FA system for on-premise applications and native 2FA for Salesforce.

B.

Replace the custom 2FA system with an AppExchange App that supports on premise application and salesforce.

C.

Use Custom Login Flows to connect to the existing custom 2FA system for use in Salesforce.

D.

Replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce.

Question 22

Universal Containers want users to be able to log in to the Salesforce mobile app with their Active Directory password. Employees are unable to use mobile VPN.

Which two options should an identity architect recommend to meet the requirement?

Choose 2 answers

Options:

A.

Active Directory Password Sync Plugin

B.

Configure Cloud Provider Load Balancer

C.

Salesforce Trigger & Field on Contact Object

D.

Salesforce Identity Connect

Question 23

How should an Architect force users to authenticate with Two-factor Authentication (2FA) for Salesforce only when not connected to an internal company network?

Options:

A.

Use Custom Login Flows with Apex to detect the user's IP address and prompt for 2FA if needed.

B.

Add the list of company's network IP addresses to the Login Range list under 2FA Setup.

C.

Use an Apex Trigger on the UserLogin object to detect the user's IP address and prompt for 2FA if needed.

D.

Apply the "Two-factor Authentication for User Interface Logins" permission and Login IP Ranges for all Profiles.

Question 24

Universal Containers (UC) has a Customer Community that uses Facebook for Authentication. UC would like to ensure that Changes in the Facebook profile are reflected on the appropriate Customer Community user: How can this requirement be met?

Options:

A.

Use the updateUser method on the registration Handler Class.

B.

Develop a scheduled job that calls out to Facebook on a nightly basis.

C.

Use information in the signed Request that is received from facebook.

D.

Use SAML Just-In-Time Provisioning between Facebook and Salesforce.

Question 25

Universal containers (UC) has implemented SAML SSO to enable seamless access across multiple applications. UC has regional salesforce orgs and wants it's users to be able to access them from their main Salesforce org seamless. Which action should an architect recommend?

Options:

A.

Configure the main salesforce org as an Authentication provider.

B.

Configure the main salesforce org as the Identity provider.

C.

Configure the regional salesforce orgs as Identity Providers.

D.

Configure the main Salesforce org as a service provider.

Question 26

Universal Containers (UC) has implemented SAML-based Single Sign-On to provide seamless access to its Salesforce Orgs, financial system, and CPQ system. Below is the SSO implementation landscape.

What role combination is represented by the systems in this scenario''

Options:

A.

Financial System and CPQ System are the only Service Providers.

B.

Salesforce Org1 and Salesforce Org2 are the only Service Providers.

C.

Salesforce Org1 and Salesforce Org2 are acting as Identity Providers.

D.

Salesforce Org1 and PingFederate are acting as Identity Providers.

Question 27

A technology enterprise is planning to implement single sign-on login for users. When users log in to the Salesforce User object custom field, data should be populated for new and existing users.

Which two steps should an identity architect recommend?

Choose 2 answers

Options:

A.

Implement Auth.SamlJitHandler Interface.

B.

Create and update methods.

C.

Implement RegistrationHandler Interface.

D.

Implement SesslonManagement Class.

Question 28

A global company's Salesforce Identity Architect is reviewing its Salesforce production org login history and is seeing some intermittent Security Assertion Markup Language (SAML SSO) 'Replay Detected and Assertion Invalid' login errors.

Which two issues would cause these errors?

Choose 2 answers

Options:

A.

The subject element is missing from the assertion sent to salesforce.

B.

The certificate loaded into SSO configuration does not match the certificate used by the IdP.

C.

The current time setting of the company's identity provider (IdP) and Salesforce platform is out of sync by more than eight minutes.

D.

The assertion sent to 5alesforce contains an assertion ID previously used.

Question 29

Universal Containers (UC) would like to enable self-registration for their Salesforce Partner Community Users. UC wants to capture some custom data elements from the partner user, and based on these data elements, wants to assign the appropriate Profile and Account values.

Which two actions should the Architect recommend to UC1

Choose 2 answers

Options:

A.

Configure Registration for Communities to use a custom Visualforce Page.

B.

Modify the SelfRegistration trigger to assign Profile and Account.

C.

Modify the CommunitiesSelfRegController to assign the Profile and Account.

D.

Configure Registration for Communities to use a custom Apex Controller.

Question 30

Universal Containers (UC) has built a custom time tracking app for its employee. UC wants to leverage Salesforce Identity to control access to the custom app.

At a minimum, which Salesforce license is required to support this requirement?

Options:

A.

Identity Verification

B.

Identity Connect

C.

Identity Only

D.

External Identity

Question 31

Northern Trail Outfitters (NTO) leverages Microsoft Active Directory (AD) for management of employee usernames, passwords, permissions, and asset access. NTO also owns a third-party single sign-on (SSO) solution. The third-party party SSO solution is used for all corporate applications, including Salesforce.

NTO has asked an architect to explore Salesforce Identity Connect for automatic provisioning and deprovisiorung of users in Salesforce.

What role does identity Connect play in the outlined requirements?

Options:

A.

Service Provider

B.

Single Sign-On

C.

Identity Provider

D.

User Management

Question 32

An organization has a central cloud-based Identity and Access Management (IAM) Service for authentication and user management, which must be utilized by all applications as follows:

1 - Change of a user status in the central IAM Service triggers provisioning or deprovisioining in the integrated cloud applications.

2 - Security Assertion Markup Language single sign-on (SSO) is used to facilitate access for users authenticated at identity provider (Central IAM Service).

Which approach should an IAM architect implement on Salesforce Sales Cloud to meet the requirements?

Options:

A.

A Configure Salesforce as a SAML Service Provider, and enable SCIM (System for Cross-Domain Identity Management) for provisioning and deprovisioning of users.

B.

Configure Salesforce as a SAML service provider, and enable Just-in Time (JIT) provisioning and deprovisioning of users.

C.

Configure central IAM Service as an authentication provider and extend registration handler to manage provisioning and deprovisioning of users.

D.

Deploy Identity Connect component and set up automated provisioning and deprovisioning of users, as well as SAML-based SSO.

Question 33

Northern Trail Outfitters (NTO) employees use a custom on-premise helpdesk application to request, approve, notify, and track access granted to various on-premises and cloud applications, including Salesforce. Salesforce is currently used to authenticate users.

How should NTO provision Salesforce users as soon as they are approved in the helpdesk application with the approved profiles and permission sets?

Options:

A.

Build an integration that performs a remote call-in to the Salesforce SOAP or REST API.

B.

Use a login flow to query the helpdesk to validate user status.

C.

Have the helpdesk initiate an IdP-initiated Just-m-Time provisioning Security Assertion Markup Language flow.

D.

Use Salesforce Connect to integrate with the helpdesk application.

Question 34

A farming enterprise offers smart farming technology to its farmer customers, which includes a variety of sensors for livestock tracking, pest monitoring, climate monitoring etc. They plan to store all the data in Salesforce. They would also like to ensure timely maintenance of the Installed sensors. They have engaged a salesforce Architect to propose an appropriate way to generate sensor Information In Salesforce.

Which OAuth flow should the architect recommend?

Options:

A.

OAuth 2.0 Asset Token Flow

B.

OAuth 2.0 Device Authentication Row

C.

OAuth 2.0 JWT Bearer Token Flow

D.

OAuth 2.0 SAML Bearer Assertion Flow

Question 35

Universal Containers is using OpenID Connect to enable a connection from their new mobile app to its production Salesforce org.

What should be done to enable the retrieval of the access token status for the OpenID Connect connection?

Options:

A.

Query using OpenID Connect discovery endpoint.

B.

A Leverage OpenID Connect Token Introspection.

C.

Create a custom OAuth scope.

D.

Enable cross-origin resource sharing (CORS) for the /services/oauth2/token endpoint.

Question 36

Universal containers (UC) has built a custom based Two-factor Authentication (2fa) system for their existing on-premise applications. Thru are now implementing salesforce and would like to enable a Two-factor login process for it, as well. What is the recommended solution an architect should consider?

Options:

A.

Replace the custom 2fa system with salesforce 2fa for on-premise application and salesforce.

B.

Use the custom 2fa system for on-premise applications and native 2fa for salesforce.

C.

Replace the custom 2fa system with an app exchange app that supports on-premise applications and salesforce.

D.

Use custom login flows to connect to the existing custom 2fa system for use in salesforce.

Question 37

Containers (UC) has decided to implement a federated single Sign-on solution using a third-party Idp. In reviewing the third-party products, they would like to ensure the product supports the automated provisioning and deprovisioning of users. What are the underlining mechanisms that the UC Architect must ensure are part of the product?

Options:

A.

SOAP API for provisioning; Just-in-Time (JIT) for Deprovisioning.

B.

Just-In-time (JIT) for Provisioning; SOAP API for Deprovisioning.

C.

Provisioning API for both Provisioning and Deprovisioning.

D.

Just-in-Time (JIT) for both Provisioning and Deprovisioning.