
IDENTITY-AND-ACCESS-MANAGEMENT-ARCHITECT Online Practice Questions and Answers

Questions 4

Which two are valid choices for digital certificates when setting up two-way SSL between Salesforce and an external system? Choose 2 answers

A. Use a trusted CA-signed certificate for Salesforce and a trusted CA-signed cert for the external system

B. Use a trusted CA-signed certificate for Salesforce and a self-signed cert for the external system

C. Use a self-signed certificate for Salesforce and a self-signed cert for the external system

D. Use a self-signed certificate for Salesforce and a trusted CA-signed cert for the external system

Questions 5

Universal Containers has multiple Salesforce instances where users receive emails from different instances. Users should be logged into the correct Salesforce instance authenticated by their IdP when clicking on an email link to a Salesforce record. What should be enabled in Salesforce as a prerequisite?

A. My Domain

B. External Identity

C. Identity Provider

D. Multi-Factor Authentication

Questions 6

Which two statements describe capabilities of Identity Connect? Choose 2 answers

A. Synchronization of Salesforce Permission Set License Assignments.

B. Supports both Identity-Provider-Initiated and Service-Provider-Initiated SSO.

C. Supports multiple orgs connecting to multiple Active Directory servers.

D. Automated user synchronization and de-activation.

Questions 7

Universal Containers built a custom mobile app for their field reps to create orders in Salesforce. OAuth is used for authenticating mobile users. The app is built in such a way that when a user session expires after initial login, a new access token is obtained automatically without forcing the user to log in again. While that improved the field reps' productivity, UC realized that they need a "logout" feature.

What should the logout function perform in this scenario, where user sessions are refreshed automatically?

A. Invoke the revocation URL and pass the refresh token.

B. Clear out the client Id to stop auto session refresh.

C. Invoke the revocation URL and pass the access token.

D. Clear out all the tokens to stop auto session refresh.

Questions 8

How should an Architect force users to authenticate with Two-factor Authentication (2FA) for Salesforce only when not connected to an internal company network?

A. Use Custom Login Flows with Apex to detect the user's IP address and prompt for 2FA if needed.

B. Add the list of company's network IP addresses to the Login Range list under 2FA Setup.

C. Use an Apex Trigger on the UserLogin object to detect the user's IP address and prompt for 2FA if needed.

D. Apply the "Two-factor Authentication for User Interface Logins" permission and Login IP Ranges for all Profiles.

Questions 9

Customer service representatives at Universal Containers (UC) are complaining that whenever they click on links to case records and are asked to log in with SAML SSO, they are being redirected to the Salesforce home tab and not the specific case record. What item should an architect advise the identity team at UC to investigate first?

A. My Domain is configured and active within Salesforce.

B. The Salesforce SSO settings are using HTTP POST.

C. The identity provider is correctly preserving the RelayState.

D. The users have the correct Federation ID within Salesforce.

Questions 10

Universal Containers (UC) has implemented SAML-based single sign-on for their Salesforce application. UC is using PingFederate as the identity provider. To access Salesforce, users usually navigate to a bookmarked link to the My Domain URL. What type of single sign-on is this?

A. SP-initiated

B. IdP-initiated with deep linking

C. IdP-initiated

D. Web server flow.

Questions 11

Northern Trail Outfitters would like to use a portal built on Salesforce Experience Cloud for customer self-service. Guests of the portal should be able to self-register, but should not be automatically assigned to a contact record until verified.

External Identity licenses have been purchased for the project.

After registered guests complete an onboarding process, a flow will create the appropriate account and contact records for the user.

Which three steps should an identity architect follow to implement the outlined requirements?

Choose 3 answers

A. Enable "Allow customers and partners to self-register".

B. Select the "Configurable Self-Reg Page" option under Login and Registration.

C. Set up an external login page and call Salesforce APIs for user creation.

D. Customize the self-registration Apex handler to temporarily associate the user to a shared single contact record.

E. Customize the self-registration Apex handler to create only the user record.

Questions 12

A division of Northern Trail Outfitters (NTO) purchased Salesforce. NTO uses a third-party identity provider (IdP) to validate user credentials against its corporate Lightweight Directory Access Protocol (LDAP) directory. NTO wants to help employees remember as few passwords as possible.

What should an identity architect recommend?

A. Set up Salesforce as a Service Provider to the existing IdP.

B. Set up Salesforce as an IdP to authenticate against the LDAP directory.

C. Use Salesforce Connect to synchronize LDAP passwords to Salesforce.

D. Set up Salesforce as an Authentication Provider to the existing IdP.

Questions 13

Universal Containers (UC) is considering a Customer 360 initiative to gain a single source of the truth for its customer data across disparate systems and services. UC wants to understand the primary benefits of Customer 360 Identity and how it contributes to a successful Customer 360 Truth project.

What are two key benefits of Customer 360 Identity as it relates to Customer 360?

Choose 2 answers

A. Customer 360 Identity automatically integrates with Customer 360 Data Manager and Customer 360 Audiences to seamlessly populate all user data.

B. Customer 360 Identity enables an organization to build a single login for each of its customers, giving the organization an understanding of the user's login activity across all its digital properties and applications.

C. Customer 360 Identity supports multiple brands so you can deliver centralized identity services and correlation of user activity, even if it spans multiple corporate brands and user experiences.

D. Customer 360 Identity not only provides a unified sign up and sign in experience, but also tracks anonymous user activity prior to signing up so organizations can understand user activity before and after the users identify themselves.

Questions 14

Universal Containers (UC) is using a custom application that will act as the Identity Provider and will generate SAML assertions used to log in to Salesforce. UC is considering including custom parameters in the SAML assertion. These attributes contain sensitive data and are needed to authenticate the users. The assertions are submitted to Salesforce via a browser form post. The majority of the users will only be able to access Salesforce via UC's corporate network, but a subset of admins and executives would be allowed access from outside the corporate network on their mobile devices. Which two methods should an Architect consider to ensure that the sensitive data cannot be tampered with or accessed by anyone while in transit?

A. Use the Identity Provider's certificate to digitally sign and Salesforce's Certificate to encrypt the payload.

B. Use Salesforce's Certificate to digitally sign the SAML Assertion and a Mobile Device Management client on the users' mobile devices.

C. Use the Identity Provider's certificate to digitally sign and the Identity Provider's certificate to encrypt the payload.

D. Use a custom login flow to retrieve sensitive data using an Apex callout without including the attributes in the assertion.

Questions 15

Which three are features of federated single sign-on solutions? Choose 3 answers

A. It establishes trust between Identity Store and Service Provider.

B. It federates credentials control to authorized applications.

C. It solves all identity and access management problems.

D. It improves affiliated applications adoption rates.

E. It enables quick and easy provisioning and deactivating of users.

Questions 16

Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow. Application users will authenticate using username and password. They should not be forced to approve API access in the mobile app or reauthenticate for 3 months.

Which two connected app options need to be configured to fulfill this use case?

Choose 2 answers

A. Set Permitted Users to "Admin approved users are pre-authorized".

B. Set Permitted Users to "All users may self-authorize".

C. Set the Session Timeout value to 3 months.

D. Set the Refresh Token Policy to expire refresh token after 3 months.

Questions 17

A financial services company uses Salesforce and has a compliance requirement to track information about devices from which users log in. Also, a Salesforce Security Administrator needs to have the ability to revoke the device from which users log in.

What should be used to fulfill this requirement?

A. Use multi-factor authentication (MFA) to meet the compliance requirement to track device information.

B. Use the Activations feature to meet the compliance requirement to track device information.

C. Use the Login History object to track information about devices from which users log in.

D. Use Login Flows to capture the device from which users log in and store device and user information in a custom object.

Questions 18

Universal Containers (UC) uses Salesforce to allow customers to keep track of the order status. The customers can log in to Salesforce using external authentication providers, such as Facebook and Google. UC is also leveraging the App Launcher to let customers access an off-platform application for generating shipping labels. The label generator application uses OAuth to provide users access. What license type should an Architect recommend for the customers?

A. Customer Community license

B. Identity license

C. Customer Community Plus license

D. External Identity license

Exam Name: Salesforce Certified Identity and Access Management Architect
Last Update: Apr 23, 2024
Questions: 247 Q&As
