All About High Quality Identity-and-Access-Management-Designer Preparation Labs

NEW QUESTION 1
An architect needs to advise the team that manages the identity provider how to differentiate salesforce from other service providers. What SAML SSO setting in salesforce provides this capability?

• A. Entity id
• B. Issuer
• C. Identity provider login URL
• D. SAML identity location

Answer: A

NEW QUESTION 2
Universal Containers (UC) is building an integration between Salesforce and a legacy web applications using the canvas framework. The security for UC has determined that a signed request from Salesforce is not an adequate authentication solution for the Third-Party app. Which two options should the Architect consider for authenticating the third-party app using the canvas framework? Choose 2 Answers

• A. Utilize the SAML Single Sign-on flow to allow the third-party to authenticate itself against UC's IdP.
• B. Utilize Authorization Providers to allow the third-party appliction to authenticate itself againstSalesforce as the Idp.
• C. Utilize Canvas OAuth flow to allow the third-party appliction to authenticate itself against Salesforce as the Idp.
• D. Create a registration handler Apex class to allow the third-party appliction to authenticate itself against Salesforce as the Idp.

Answer: AC

NEW QUESTION 3
Universal containers(UC) wants to integrate a third-party reward calculation system with salesforce to calculate rewards. Rewards will be calculated on a schedule basis and update back into salesforce. The integration between Salesforce and the reward calculation system needs to be secure. Which are the recommended best practices for using Oauth flows in this scenario? Choose 2 answers

• A. Oauth refresh token flow
• B. Oauth SAML bearer assertion flow
• C. Oauthjwt bearer token flow
• D. Oauth Username-password flow

Answer: BC

NEW QUESTION 4
Universal containers (UC) has implemented ansp-Initiated SAML flow between an external IDP and salesforce. A user at UC is attempting to login to salesforce1 for the first time and is being prompted for salesforce credentials instead of being shown the IDP login page. What is the likely cause of the issue?

• A. The "Redirect to Identity Provider" option has been selected in the my domain configuration.
• B. The user has not configured the salesforce1 mobile app to use my domain for login
• C. The "Redirect to identity provider" option has not been selected the SAML configuration.
• D. The user has not been granted the "Enable single Sign-on" permission

Answer: B

NEW QUESTION 5
A global company has built an external application that uses data from its Salesforce org via an OAuth 2.0 authorization flow. Upon logout, the existing Salesforce OAuth token must be invalidated.
Which action will accomplish this?

• A. Use a HTTP POST to request the refresh token for the current user.
• B. Use a HTTP POST to the System for Cross-domain Identity Management (SCIM) endpoint, including the current OAuth token.
• C. Use a HTTP POST to make a call to the revoke token endpoint.
• D. Enable Single Logout with a secure logout URL.

Answer: C

NEW QUESTION 6
Universal Containers (UC) has five Salesforce orgs (UC1, UC2, UC3, UC4, UC5). of Every user that is in UC2, UC3, UC4, and UC5 is also in UC1, however not all users 65* have access to every org. Universal Containers would like to simplify the authentication process such that all Salesforce users need to remember one set of credentials. UC would like to achieve this with the least impact to cost and maintenance. What approach should an Architect recommend to UC?

• A. Purchase a third-party Identity Provider for all five Salesforce orgs to use and set up JIT user provisioning on all other orgs.
• B. Purchase a third-party Identity Provider for all five Salesforce orgs to use, but don't set up JIT user provisioning for other orgs.
• C. Configure UC1 as the Identity Provider to the other four Salesforce orgs and set up JIT user provisioning on all other orgs.
• D. Configure UC1 as the Identity Provider to the other four Salesforce orgs, but don't set up JIT user provisioning for other orgs.

Answer: B

NEW QUESTION 7
Universal Containers wants to allow its customers to log in to its Experience Cloud via a third party authentication provider that supports only the OAuth protocol.
What should an identity architect do to fulfill this requirement?

• A. Contact Salesforce Support and enable delegate single sign-on.
• B. Create a custom external authentication provider.
• C. Use certificate-based authentication.
• D. Configure OpenID Connect authentication provider.

Answer: B

NEW QUESTION 8
Northern Trail Outfitters (NTO) is setting up Salesforce to authenticate users with an external identity provider. The NTO Salesforce Administrator is having trouble getting things setup.
What should an identity architect use to show which part of the login assertion is fading?

• A. SAML Metadata file importer
• B. Identity Provider Metadata download
• C. Connected App Manager
• D. Security Assertion Markup Language Validator

Answer: D

NEW QUESTION 9
Containers (UC) uses a legacy Employee portal for their employees to collaborate. Employees access the portal from their company’s internal website via SSO. It is set up to work with SiteMinder and Active Directory. The Employee portal has features to support posing ideas. UC decides to use Salesforce Ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to integrate Employee portal ideas with Salesforce idea through the API. What is the role of Salesforce in the context of SSO, based on this scenario?

• A. Service Provider, because Salesforce is the application for managing ideas.
• B. Connected App, because Salesforce is connected with Employee portal via API.
• C. Identity Provider, because the API calls are authenticated by Salesforce.
• D. An independent system, because Salesforce is not part of the SSO setup.

Answer: D

NEW QUESTION 10
Universal Containers (UC) has an existing web application that it would like to access from Salesforce without requiring users to re-authenticate. The web application is owned UC and the UC team that is responsible for it is willing to add new javascript code and/or libraries to the application. What implementation should an Architect recommend to UC?

• A. Create a Canvas app and use Signed Requests to authenticate the users.
• B. Rewrite the web application as a set of Visualforce pages and Apex code.
• C. Configure the web application as an item in the Salesforce App Launcher.
• D. Add the web application as a ConnectedApp using OAuth User-Agent flow.

Answer: A

NEW QUESTION 11
Universal Container's (UC) is using Salesforce Experience Cloud site for its container wholesale business. The identity architect wants to an authentication provider for the new site.
Which two options should be utilized in creating an authentication provider? Choose 2 answers

• A. A custom registration handier can be set.
• B. A custom error URL can be set.
• C. The default login user can be set.
• D. The default authentication provider certificate can be set.

Answer: AB

NEW QUESTION 12
Universal Containers (UC) plans to use a SAML-based third-party IdP serving both of the Salesforce Partner Community and the corporate portal. UC partners will log in 65* to the corporate portal to access protected resources, including links to Salesforce resources. What would be the recommended way to configure the IdP so that seamless access can be achieved in this scenario?

• A. Set up the corporate portal as a Connected App in Salesforce and use the Web server OAuth flow.
• B. Configure SP-initiated SSO that passes the SAML token upon Salesforce resource access request.
• C. Set up the corporate portal as a Connected App in Salesforce and use the User Agent OAuth flow.
• D. Configure IdP-initiated SSO that passes the SAML token upon Salesforce resource access request.

Answer: D

NEW QUESTION 13
customer service representatives at Universal containers (UC) are complaining that whenever they click on links to case records and are asked to login with SAML SSO, they are being redirected to the salesforce home tab and not the specific case record. What item should an architect advise the identity team at UC to investigate first?

• A. My domain is configured and active within salesforce.
• B. The salesforce SSO settings are using http post
• C. The identity provider is correctly preserving the Relay state
• D. The users have the correct Federation ID within salesforce.

Answer: C

NEW QUESTION 14
Universal Containers (UC) wants to implement SAML SSO for their internal of Salesforce users using a third-party IdP. After some evaluation, UC decides NOT to 65« set up My Domain for their Salesforce org. How does that decision impact their SSO implementation?

• A. IdP-initiated SSO will NOT work.
• B. Neither SP- nor IdP-initiated SSO will work.
• C. Either SP- or IdP-initiated SSO will work.
• D. SP-initiated SSO will NOT work

Answer: B

NEW QUESTION 15
Northern Trail Outfitters is implementing a busmess-to-business (B2B) collaboration site using Salesforce Experience Cloud. The partners will authenticate with an existing identity provider and the solution will utilize Security Assertion Markup Language (SAML) to provide single sign-on to Salesforce. Delegated administration will be used in the Expenence Cloud site to allow the partners to administer their users' access.
How should a partner identity be provisioned in Salesforce for this solution?

• A. Create only a contact.
• B. Create a contactless user.
• C. Create a user and a related contact.
• D. Create a person account.

Answer: C

NEW QUESTION 16
Universal Containers (UC) wants its closed Won opportunities to be synced to a Data Warehouse in near real time. UC has implemented Outbound Message to enable near real-time data sync. UC wants to ensure that communication between Salesforce and Target System is Secure. What Certificate is sent along with the Outbound Message?

• A. The CA-Signed Certificate from the Certificate and Key Management menu.
• B. The default Client Certificate from the Develop--> API Menu.
• C. The default Client Certificate or a Certificate from Certificate and Key Management menu.
• D. The Self-Signed Certificates from the Certificate & Key Management menu.

Answer: B

NEW QUESTION 17
After a recent audit, universal containers was advised to implement Two-factor Authentication for all of their critical systems, including salesforce. Which two actions should UC consider to meet this requirement? Choose 2 answers

• A. Require users to provide their RSA token along with their credentials.
• B. Require users to supply their email and phone number, which gets validated.
• C. Require users to enter a second password after the first Authentication
• D. Require users to use a biometric reader as well as their password

Answer: AD

NEW QUESTION 18
......