Exam Details

  • Exam Code: IDENTITY-AND-ACCESS-MANAGEMENT-ARCHITECT
  • Exam Name: Salesforce Certified Identity and Access Management Architect
  • Certification: Salesforce Certifications
  • Vendor: Salesforce
  • Total Questions: 247 Q&As
  • Last Updated: Mar 27, 2025

Salesforce Salesforce Certifications IDENTITY-AND-ACCESS-MANAGEMENT-ARCHITECT Questions & Answers

  • Question 31:

    Universal Containers (UC) is building a customer community and will allow customers to authenticate using Facebook credentials. The first time a user authenticates using Facebook, UC would like a customer account created automatically in their accounting system. The accounting system has a web service accessible to Salesforce for the creation of accounts.

    How can the Architect meet these requirements?

    A. Create a custom application on Heroku that manages the sign-on process from Facebook.

    B. Use JIT Provisioning to automatically create the account in the accounting system.

    C. Add an Apex callout in the registration handler of the authorization provider.

    D. Use OAuth JWT flow to pass the data from Salesforce to the Accounting System.

  • Question 32:

    An identity architect wants to secure Salesforce APIs using Security Assertion Markup Language (SAML). For security purposes, administrators will need to authorize the applications that will be consuming the APIs. Which Salesforce OAuth authorization flow should be used?

    A. OAuth 2.0 SAML Bearer Assertion Flow

    B. OAuth 2.0 JWT Bearer Flow

    C. SAML Assertion Flow

    D. OAuth 2.0 User-Agent Flow

  • Question 33:

    Universal Containers (UC) implemented SSO to a third-party system for their Salesforce users to access the App Launcher. UC enabled "User Provisioning" on the Connected App so that changes to user accounts can be synched between Salesforce and the third-party system. However, UC quickly notices that changes to user roles in Salesforce are not getting synched to the third-party system.

    What is the most likely reason for this behaviour?

    A. User Provisioning for Connected Apps does not support role sync.

    B. Required operation(s) was not mapped in User Provisioning Settings.

    C. The Approval queue for User Provisioning Requests is unmonitored.

    D. Salesforce roles have more than three levels in the role hierarchy.

  • Question 34:

    Northern Trail Outfitters (NTO) wants its customers to use phone numbers to log in to their new digital portal, which was designed and built using Salesforce Experience Cloud. In order to access the portal, the user will need to do the following:

    1. Enter a phone number and/or email address

    2. Enter a verification code that is to be sent via email or text.

    What is the recommended approach to fulfill this requirement?

    A. Create a Login Discovery page and provide a Login Discovery Handler Apex class.

    B. Create a custom login page with an Apex controller. The controller has logic to send and verify the identity.

    C. Create an Authentication provider and implement a self-registration handler class.

    D. Create a custom login flow that uses an Apex controller to verify the phone numbers with the company's verification service.

  • Question 35:

    A multinational company is looking to roll out Salesforce globally. The company has a Microsoft Active Directory Federation Services (ADFS) implementation for the Americas, Europe and APAC. The company plans to have a single org and would like all of its users to access Salesforce using ADFS. The company would like to limit its investments and prefers not to procure additional applications to satisfy the requirements.

    What is recommended to ensure these requirements are met?

    A. Use connected apps for each ADFS implementation and implement Salesforce site to authenticate users across the ADFS system applicable to their geo.

    B. Implement Identity Connect to provide single sign-on to Salesforce and federated across multiple ADFS systems.

    C. Add a central identity system that federates between the ADFS systems and integrate with Salesforce for single sign-on.

    D. Configure each ADFS system under single sign-on settings and allow users to choose the system to authenticate during sign on to Salesforce.

  • Question 36:

    Sales users at Universal Containers use Salesforce for Opportunity management. Marketing uses a third-party application called Nest for Lead nurturing that is accessed using username/password. The VP of Sales wants to open up access to Nest for all sales users to provide them access to lead history and would like SSO for better adoption. Salesforce is already set up for SSO and uses Delegated Authentication. Nest can accept username/password or SAML-based authentication. IT teams have received multiple password-related issues for Nest and have decided to set up SSO access for Nest for Marketing users as well. The CIO does not want to invest in a new IDP solution and is considering using Salesforce for this purpose.

    Which are appropriate license type choices for sales and marketing users, given that Salesforce is using Delegated Authentication? Choose 2 answers

    A. Salesforce license for sales users and Identity license for Marketing users

    B. Salesforce license for sales users and External Identity license for Marketing users

    C. Identity license for sales users and Identity Connect license for Marketing users

    D. Salesforce license for sales users and platform license for Marketing users.

  • Question 37:

    A service provider (SP) supports both Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). When integrating this SP with Salesforce, which use case is the determining factor when choosing OIDC or SAML?

    A. OIDC is more secure than SAML and therefore is the obvious choice.

    B. The SP needs to perform API calls back to Salesforce on behalf of the user after the user logs in to the service provider.

    C. If the user has a session on Salesforce, you do not want them to be prompted for a username and password when they log in to the SP.

    D. They are equivalent protocols and there is no real reason to choose one over the other.

  • Question 38:

    Northern Trail Outfitters (NTO) recently purchased Salesforce Identity Connect to streamline user provisioning across Microsoft Active Directory (AD) and Salesforce Sales Cloud.

    NTO has asked an identity architect to identify which Salesforce security configurations can map to AD permissions.

    Which three Salesforce permissions are available to map to AD permissions?

    Choose 3 answers

    A. Public Groups

    B. Field-Level Security

    C. Roles

    D. Sharing Rules

    E. Profiles and Permission Sets

  • Question 39:

    Universal Containers wants to secure its Salesforce APIs by using an existing Security Assertion Markup Language (SAML) configuration that supports the company's single sign-on process to Salesforce. Which Salesforce OAuth authorization flow should be used?

    A. OAuth 2.0 SAML Bearer Assertion Flow

    B. SAML Assertion Flow

    C. OAuth 2.0 User-Agent Flow

    D. OAuth 2.0 JWT Bearer Flow

  • Question 40:

    Northern Trail Outfitters would like to automatically create new employee users in Salesforce with an appropriate profile that maps to its Active Directory Department. How should an identity architect implement this requirement?

    A. Use the createUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.

    B. Use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.

    C. Use a login flow to collect Security Assertion Markup Language attributes and assign the appropriate profile during Just-In-Time (JIT) provisioning.

    D. Make a callout during the login flow to query department from Active Directory to assign the appropriate profile.
