Top Tips Of Up To The Minute Identity-and-Access-Management-Designer Practice
NEW QUESTION 1
Universal Containers (UC) would like to enable SSO between their existing Active Directory infrastructure and Salesforce. The IT team prefers to manage all users in Active Directory and would like to avoid doing any initial setup of users in Salesforce directly, including the correct assignment of profiles, roles and groups. Which two optimal solutions should UC use to provision users in Salesforce? Choose 2 answers
- A. Use the Salesforce REST API to sync users from Active Directory to Salesforce.
- B. Use an AppExchange product to sync users from Active Directory to Salesforce.
- C. Use Active Directory Federation Services to sync users from Active Directory to Salesforce.
- D. Use Identity Connect to sync users from Active Directory to Salesforce.
Answer: BD
NEW QUESTION 2
Universal Containers (UC) has multiple Salesforce orgs and would like to use a single identity provider to access all of their orgs. How should UC's architect enable this behavior?
- A. Ensure that users have the same email value in their user records in all of UC's Salesforce orgs.
- B. Ensure the same username is allowed in multiple orgs by contacting Salesforce support.
- C. Ensure that users have the same Federation ID value in their user records in all of UC's Salesforce orgs.
- D. Ensure that users have the same alias value in their user records in all of UC's Salesforce orgs.
Answer: C
NEW QUESTION 3
Universal Containers (UC) wants its Closed Won opportunities to be synced to a data warehouse in near real time. UC has implemented Outbound Message to enable near real-time data sync. UC wants to ensure that communication between Salesforce and the target system is secure. What certificate is sent along with the Outbound Message?
- A. The Self-signed Certificates from the Certificate & Key Management menu.
- B. The default client Certificate from the Develop --> API menu.
- C. The default client Certificate or the Certificate and Key Management menu.
- D. The CA-signed Certificate from the Certificate and Key Management Menu.
Answer: B
NEW QUESTION 4
What are three capabilities of Delegated Authentication? Choose 3 answers
- A. It can be assigned by Custom Permissions.
- B. It can connect to SOAP services.
- C. It can be assigned by Permission Sets.
- D. It can be assigned by Profiles.
- E. It can connect to REST services.
Answer: BCE
NEW QUESTION 5
Universal Containers (UC) uses Salesforce for its customer service agents. UC has a proprietary system for order tracking which supports Security Assertion Markup Language (SAML) based single sign-on. The VP of customer service wants to ensure that only active Salesforce users can access the order tracking system, which is only visible within Salesforce.
What should be done to fulfill the requirement? Choose 2 answers
- A. Set up Salesforce as an identity provider (IdP) for Order Tracking.
- B. Set up the Corporate Identity store as an identity provider (IdP) for Order Tracking.
- C. Customize Order Tracking to initiate a REST call to validate users in Salesforce after login.
- D. Set up Order Tracking as a Canvas app in Salesforce to POST IdP initiated SAML assertion.
Answer: AB
NEW QUESTION 6
Universal Containers (UC) uses Salesforce to allow customers to keep track of their order status. The customers can log in to Salesforce using external authentication providers, such as Facebook and Google. UC is also leveraging the App Launcher to let customers access an off-platform application for generating shipping labels. The label generator application uses OAuth to provide users access. What license type should an Architect recommend for the customers?
- A. Customer Community license
- B. Identity license
- C. Customer Community Plus license
- D. External Identity license
Answer: B
NEW QUESTION 7
An identity architect wants to secure Salesforce APIs using Security Assertion Markup Language (SAML). For security purposes, administrators will need to authorize the applications that will be consuming the APIs.
Which Salesforce OAuth authorization flow should be used?
- A. OAuth 2.0 SAML Bearer Assertion Flow
- B. OAuth 2.0 JWT Bearer Flow
- C. SAML Assertion Flow
- D. OAuth 2.0 User-Agent Flow
Answer: C
NEW QUESTION 8
Universal Containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a Connected App in Salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two recommendations should be made to UC? Choose 2 answers
- A. Disallow the use of Single Sign-on for any users of the mobile app.
- B. Require High Assurance sessions in order to use the Connected App.
- C. Set Login IP Ranges to the internal network for all of the app users Profiles.
- D. Use Google Authenticator as an additional part of the login process
Answer: BD
NEW QUESTION 9
The security team at Universal Containers (UC) has identified exporting reports as a high-risk action and would like to require users to be logged in to Salesforce with their Active Directory (AD) credentials when doing so. For all other uses of Salesforce, users should be allowed to use AD credentials or Salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials, while maintaining the ability to view reports when logged in with Salesforce credentials?
- A. Use SAML Federated Authentication and Custom SAML JIT provisioning to dynamically add or remove a permission set that grants the Export Reports permission.
- B. Use SAML Federated Authentication, treat SAML sessions as high assurance, and raise the session level required for exporting reports.
- C. Use SAML Federated Authentication and block access to reports when accessed through a standard assurance session.
- D. Use SAML Federated Authentication with a login flow to dynamically add or remove a permission set that grants the Export Reports permission.
Answer: C
NEW QUESTION 10
Universal Containers (UC) wants to implement Delegated Authentication for a certain subset of Salesforce users. Which three items should UC take into consideration while building the Web service to handle the Delegated Authentication request? Choose 3 answers
- A. The web service needs to include Source IP as a method parameter.
- B. UC should whitelist all Salesforce IP ranges on their corporate firewall.
- C. The web service can be written using either the SOAP or REST protocol.
- D. Delegated Authentication is enabled for the system administrator profile.
- E. The return type of the Web service method should be a Boolean value.
Answer: ABE
NEW QUESTION 11
Northern Trail Outfitters (NTO) is planning to roll out a partner portal for its distributors using Experience Cloud. NTO would like to use an external identity provider (IdP) and for partners to register for access to the portal. Each partner should be allowed to register only once to avoid duplicate accounts with Salesforce.
What should an identity architect recommend to create partners?
- A. On successful creation of Partners using Self Registration page in Experience Cloud, create identity in Ping.
- B. Create a custom page in Experience Cloud to self register partner with Experience Cloud and Ping identity store.
- C. Create a custom web page in the Portal and create users in the IdP and Experience Cloud using published APIs.
- D. Allow partners to register through the IdP and create partner users in Salesforce through an API.
Answer: B
NEW QUESTION 12
What information does the 'RelayState' parameter contain in SP-initiated Single Sign-on?
- A. Reference to a URL redirect parameter at the identity provider.
- B. Reference to a URL redirect parameter at the service provider.
- C. Reference to the login address URL of the service provider.
- D. Reference to the login address URL of the identity provider.
Answer: B
NEW QUESTION 13
Universal Containers (UC) uses Salesforce as a CRM and identity provider (IdP) for their Sales Team to seamlessly log in to internal portals. The IT team at UC is now evaluating Salesforce to act as an IdP for its remaining employees.
Which Salesforce license is required to fulfill this requirement?
- A. External Identity
- B. Identity Verification
- C. Identity Connect
- D. Identity Only
Answer: D
NEW QUESTION 14
A company's external application is protected by Salesforce through OAuth. The identity architect for the project needs to limit the level of access to the data of the protected resource in a flexible way.
What should be done to improve security?
- A. Select "Admin approved users are pre-authorized" and assign specific profiles.
- B. Create custom scopes and assign to the connected app.
- C. Define a permission set that grants access to the app and assign to authorized users.
- D. Leverage external objects and data classification policies.
Answer: B
NEW QUESTION 15
A Salesforce customer is implementing Sales Cloud and a custom pricing application for its call center agents. An Enterprise single sign-on solution is used to authenticate and sign-in users to all applications. The customer has the following requirements:
1. The development team has decided to use a Canvas app to expose the pricing application to agents.
2. Agents should be able to access the Canvas app without needing to log in to the pricing application.
Which two options should the identity architect consider to provide support for the Canvas app to initiate login for users?
Choose 2 answers
- A. Select "Enable as a Canvas Personal App" in the connected app settings.
- B. Enable OAuth settings in the connected app with required OAuth scopes for the pricing application.
- C. Configure the Canvas app as a connected app and set Admin-approved users as pre-authorized.
- D. Enable SAML in the connected app and Security Assertion Markup Language (SAML) Initiation Method as Service Provider Initiated.
Answer: CD
NEW QUESTION 16
Universal Containers (UC) is looking to purchase a third-party application as an Identity Provider. UC is looking to develop a business case for the purchase in general and has enlisted an Architect for advice. Which two capabilities of an Identity Provider should the Architect detail to help strengthen the business case? Choose 2 answers
- A. The Identity Provider can authenticate multiple applications.
- B. The Identity Provider can authenticate multiple social media accounts.
- C. The Identity provider can store credentials for multiple applications.
- D. The Identity Provider can centralize enterprise password policy.
Answer: AD
NEW QUESTION 17
Universal Containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a Connected App in Salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two recommendations should be made to UC? Choose 2 answers
- A. Disallow the use of Single Sign-on for any users of the mobile app.
- B. Require High Assurance sessions in order to use the Connected App.
- C. Use Google Authenticator as an additional part of the logical processes.
- D. Set login IP ranges to the internal network for all of the app users profiles.
Answer: BC