Feb 20, 2024 Newest Identity-and-Access-Management-Architect Exam Dumps – Achieve Success in Actual Identity-and-Access-Management-Architect Exam [Q14-Q33]

Share

Feb 20, 2024 Newest Identity-and-Access-Management-Architect Exam Dumps – Achieve Success in Actual Identity-and-Access-Management-Architect Exam

Updated Salesforce Identity-and-Access-Management-Architect Dumps – Check Free Identity-and-Access-Management-Architect Exam Dumps (2024)

NEW QUESTION # 14
Universal Containers (UC) plans to use a SAML-based third-party IdP serving both of the Salesforce Partner Community and the corporate portal. UC partners will log in 65* to the corporate portal to access protected resources, including links to Salesforce resources. What would be the recommended way to configure the IdP so that seamless access can be achieved in this scenario?

  • A. Configure IdP-initiated SSO that passes the SAML token upon Salesforce resource access request.
  • B. Set up the corporate portal as a Connected App in Salesforce and use the Web server OAuth flow.
  • C. Configure SP-initiated SSO that passes the SAML token upon Salesforce resource access request.
  • D. Set up the corporate portal as a Connected App in Salesforce and use the User Agent OAuth flow.

Answer: A


NEW QUESTION # 15
After a recent audit, universal containers was advised to implement Two-factor Authentication for all of their critical systems, including salesforce. Which two actions should UC consider to meet this requirement?
Choose 2 answers

  • A. Require users to provide their RSA token along with their credentials.
  • B. Require users to use a biometric reader as well as their password
  • C. Require users to enter a second password after the first Authentication
  • D. Require users to supply their email and phone number, which gets validated.

Answer: A,B

Explanation:
Explanation
A is correct because requiring users to provide their RSA token along with their credentials is a form of two-factor authentication. An RSA token is a hardware device that generates a one-time password (OTP) that changes every few seconds. The user needs to enter both their password and the OTP to log in to Salesforce.
D is correct because requiring users to use a biometric reader as well as their password is another form of two-factor authentication. A biometric reader is a device that scans a user's fingerprint, face, iris, or other physical characteristics to verify their identity. The user needs to provide both their password and their biometric data to log in to Salesforce.
B is incorrect because requiring users to supply their email and phone number, which gets validated, is not a form of two-factor authentication. This is a form of identity verification, which is used to confirm that the user owns the email and phone number they provided. However, this does not add an extra layer of protection beyond their password when they log in to Salesforce.
C is incorrect because requiring users to enter a second password after the first authentication is not a form of two-factor authentication. This is a form of single-factor authentication, which only relies on something the user knows (their passwords). This does not increase security against unauthorized account access.
References: 4: Multi-Factor Authentication - Salesforce 5: Salesforce Multi-Factor Authentication 6: Two Factor Authentication - Salesforce India 7: Customer 360 | Increase Productivity - Salesforce UK 8: Secure Salesforce Login Using Two-Factor Authentication and Salesforce ...


NEW QUESTION # 16
Northern Trail Outfitters (NTO) is planning to implement a community for its customers using Salesforce Experience Cloud . Customers are not able to self-register. NTO would like to have customers set their own passwords when provided access to the community.
Which two recommendations should an identity architect make to fulfill this requirement?
Choose 2 answers

  • A. Use Login Flows to allow users to reset password in Experience Cloud site.
  • B. Enable Welcome emails while configuring the Experience Cloud site.
  • C. Add customers as contacts and add them to Experience Cloud site.
  • D. Allow Password reset using the API to update Experience Cloud site membership.

Answer: A,D


NEW QUESTION # 17
What is one of the roles of an Identity Provider in a Single Sign-on setup using SAML?

  • A. Revoke token
  • B. Create token
  • C. Consume token
  • D. Validate token

Answer: B

Explanation:
Explanation
Creating a token is one of the roles of an Identity Provider in a Single Sign-on setup using SAML. SAML is a standard protocol that allows users to access multiple applications with a single login. In SAML, an Identity Provider (IdP) is a system that authenticates users and issues a security token that contains information about the user's identity and permissions. A Service Provider (SP) is a system that consumes the token and grants access to the user based on the token's attributes. The other options are not roles of an IdP, but rather functions of the SAML protocol or the SP.


NEW QUESTION # 18
Universal Containers is considering using Delegated Authentication as the sole means of Authenticating of Salesforce users. A Salesforce Architect has been brought in to assist with the implementation. What two risks Should the Architect point out? Choose 2 answers

  • A. The web service must reside on a public cloud service, such as Heroku.
  • B. Delegated Authentication is enabled or disabled for the entire Salesforce org.
  • C. Salesforce users will be locked out of Salesforce if the web service goes down.
  • D. UC will be required to develop and support a custom SOAP web service.

Answer: C,D

Explanation:
Explanation
The two risks that the architect should point out for using delegated authentication as the sole means of authenticating Salesforce users are:
UC will be required to develop and support a custom SOAP web service. Delegated authentication is a feature that allows Salesforce to delegate the authentication process to an external service by making a SOAP callout to a web service that verifies the user's credentials. This feature requires UC to develop and support a custom SOAP web service that can accept and validate the user's username and password, and return a boolean value to indicate whether the authentication is successful or not. This could increase complexity and cost for UC, as they need to write custom code and maintain the web service.
Salesforce users will be locked out of Salesforce if the web service goes down. Delegated authentication relies on the availability and performance of the external web service that handles the authentication requests from Salesforce. If the web service goes down or becomes slow, Salesforce users will not be able to log in or access Salesforce, as they will receive an error message or a timeout response. This could cause disruption and frustration for UC's business operations and user satisfaction.
The other options are not valid risks for using delegated authentication. Delegated authentication can be enabled or disabled for individual users or groups of users by using permission sets or profiles, not for the entire Salesforce org. The web service does not need to reside on a public cloud service, such as Heroku, as it can be hosted on any platform that supports SOAP services and can communicate with Salesforce. References:
[Delegated Authentication], [Enable 'Delegated Authentication'], [Troubleshoot Delegated Authentication]


NEW QUESTION # 19
Which two things should be done to ensure end users can only use single sign-on (SSO) to login in to Salesforce?
Choose 2 answers

  • A. Assign user "is Single Sign-on Enabled" permission via profile or permission set.
  • B. Once SSO is enabled, users are only able to login using Salesforce credentials.
  • C. Enable My Domain and select "Prevent login from https://login.salesforce.com".
  • D. Request Salesforce Support to enable delegated authentication.

Answer: A,C


NEW QUESTION # 20
Northern Trail Outfitters mar ages functional group permissions in a custom security application supported by a relational database and a REST service layer. Group permissions are mapped as permission sets in Salesforce.
Which action should an identity architect use to ensure functional group permissions are reflected as permission set assignments?

  • A. Use the Apex Just-in-Time (JIT) handler to query the Security Assertion markup Language (SAML) attributes and set permission sets.
  • B. Use a Login Flow with invocable Apex to callout to the security application and set permission sets.
  • C. Use the Apex JIT handler to callout to the security application and set permission sets
  • D. Use a Login Flow to query SAML attributes and set permission sets.

Answer: B

Explanation:
Explanation
Using a Login Flow with invocable Apex to callout to the security application and set permission sets allows the identity architect to dynamically assign or remove permission sets based on the functional group permissions in the custom security application. This ensures that the permission set assignments are consistent with the group permissions. References: Login Flows, Invocable Apex


NEW QUESTION # 21
Universal Containers (UC) is implementing Salesforce and would like to establish SAML SSO for its users to log in. UC stores its corporate user identities in a Custom Database. The UC IT Manager has heard good things about Salesforce Identity Connect as an Idp, and would like to understand what limitations they may face if they decided to use Identity Connect in their current environment. What limitation Should an Architect inform the IT Manager about?

  • A. Identity Connect will not support user provisioning in UC's current environment.
  • B. Identity Connect will only support Idp-initiated SAML flows in UC's current environment.
  • C. Identity connect is not compatible with UC's current identity environment.
  • D. Identity Connect will only support SP-initiated SAML flows in UC's current environment.

Answer: A


NEW QUESTION # 22
Universal containers (UC) has a mobile application that calls the salesforce REST API. In order to prevent users from having to enter their credentials everytime they use the app, UC has enabled the use of refresh Tokens as part of the salesforce connected App and updated their mobile app to take advantage of the refresh token. Even after enabling the refresh token, Users are still complaining that they have to enter their credentials once a day. What is the most likely cause of the issue?

  • A. The app is requesting too many access Tokens in a 24-hour period
  • B. The users forget to check the box to remember their credentials.
  • C. The Oauth authorizations are being revoked by a nightly batch job.
  • D. The refresh token expiration policy is set incorrectly in salesforce

Answer: D

Explanation:
Explanation
The most likely cause of the issue is that the refresh token expiration policy is set incorrectly in Salesforce. A refresh token is a credential that allows a connected app to obtain a new access token when the previous one expires1. The refresh token expiration policy determines how long a refresh token is valid for2. If the policy is set to a short duration, such as 24 hours, the users have to enter their credentials once a day to get a new refresh token. To prevent this, the policy should be set to a longer duration, such as "Refresh token is valid until revoked" or "Refresh token expires after 90 days of inactivity"2.
References: OAuth 2.0 Refresh Token Flow, Manage OAuth Access Policies for a Connected App


NEW QUESTION # 23
The CIO of universal containers(UC) wants to start taking advantage of the refresh token capability for the UC applications that utilize Oauth 2.0. UC has listed an architect to analyze all of the applications that use Oauth flows to. See where refresh Tokens can be applied. Which two OAuth flows should the architect consider in their evaluation? Choose 2 answers

  • A. User-Agent
  • B. Jwt bearer token
  • C. Web server
  • D. Username-password

Answer: A,C

Explanation:
Explanation
The two OAuth flows that support refresh tokens are Web server and User-Agent. According to the Salesforce documentation2, "The web server authentication flow and user-agent flow both provide a refresh token that can be used to get a new access token." Therefore, option A and C are the correct answers.
References: Salesforce Documentation


NEW QUESTION # 24
Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for to give its customers the ability to login with their Facebook and Twitter credentials.
Which two actions should an identity architect recommend to meet these requirements?
Choose 2 answers

  • A. Configure a predefined authentication provider for Twitter.
  • B. Create a custom external authentication provider for Facebook.
  • C. Configure a predefined authentication provider for Facebook.
  • D. Create a custom external authentication provider for Twitter.

Answer: A,C

Explanation:
Explanation
To give customers the ability to login with their Facebook and Twitter credentials, the identity architect should configure a predefined authentication provider for Facebook and a predefined authentication provider for Twitter. Authentication providers are configurations that enable users to authenticate with an external identity provider and access Salesforce resources. Salesforce provides predefined authentication providers for some common identity providers, such as Facebook and Twitter, which can be easily configured with minimal customization. Creating a custom external authentication provider is not necessary for this scenario.
References: Authentication Providers, Social Sign-On with Authentication Providers


NEW QUESTION # 25
Northern Trail Outfitters want to allow its consumer to self-register on it business-to-consumer (B2C) portal that is built on Experience Cloud. The identity architect has recommended to use Person Accounts.
Which three steps need to be configured to enable self-registration using person accounts?
Choose 3 answers

  • A. Contact Salesforce Support to enable person accounts.
  • B. Enable access to person and business account record types under Public Access Settings.
  • C. Set organization-wide default sharing for Contact to Public Read Only.
  • D. Under Login and Registration settings, ensure that the default account field is empty.
  • E. Contact Salesforce Support to enable business accounts.

Answer: A,B,D


NEW QUESTION # 26
Universal Containers (UC) has implemented SAML-based Single Sign-On to provide seamless access to its Salesforce Orgs, financial system, and CPQ system. Below is the SSO implementation landscape.

What role combination is represented by the systems in this scenario''

  • A. Financial System and CPQ System are the only Service Providers.
  • B. Salesforce Org1 and Salesforce Org2 are acting as Identity Providers.
  • C. Salesforce Org1 and Salesforce Org2 are the only Service Providers.
  • D. Salesforce Org1 and PingFederate are acting as Identity Providers.

Answer: D


NEW QUESTION # 27
Universal Containers is creating a web application that will be secured by Salesforce Identity using the OAuth
2.0 Web Server Flow uses the OAuth 2.0 authorization code grant type).
Which three OAuth concepts apply to this flow?
Choose 3 answers

  • A. Scopes
  • B. Access Token
  • C. Client Secret
  • D. Verification URL

Answer: A,B,C

Explanation:
Explanation
The OAuth 2.0 Web Server Flow requires the client secret to authenticate the web application to Salesforce.
The access token is used to access the Salesforce resources on behalf of the user. The scopes define the permissions and access levels for the web application. References: OAuth 2.0 Web Server Authentication Flow, Digging Deeper into OAuth 2.0 on Force.com


NEW QUESTION # 28
Universal Containers (UC) is implementing Salesforce and would like to establish SAML SSO for its users to log in. UC stores its corporate user identities in a Custom Database. The UC IT Manager has heard good things about Salesforce Identity Connect as an Idp, and would like to understand what limitations they may face if they decided to use Identity Connect in their current environment. What limitation Should an Architect inform the IT Manager about?

  • A. Identity Connect will not support user provisioning in UC's current environment.
  • B. Identity Connect will only support Idp-initiated SAML flows in UC's current environment.
  • C. Identity connect is not compatible with UC's current identity environment.
  • D. Identity Connect will only support SP-initiated SAML flows in UC's current environment.

Answer: A

Explanation:
Explanation
Identity Connect will not support user provisioning in UC's current environment. Identity Connect is a tool that synchronizes user data between Active Directory and Salesforce, but it does not work with other identity sources such as a Custom Database5. Therefore, if UC wants to use Identity Connect as an Idp, they will not be able to provision users from their Custom Database to Salesforce.
Options B, C, and D are incorrect because Identity Connect does not have any limitations on the type of SAML flow or the compatibility with UC's current identity environment. Identity Connect supports both Idp-initiated and SP-initiated SAML flows6, and it can act as an Idp for any external service provider that supports SAML 2.07.
References: 5: Identity Connect - Salesforce 6: SAML SSO Flows - Salesforce 7: Salesforce Connect:
Integration, Benefits, and Limitations


NEW QUESTION # 29
which three are features of federated Single Sign-on solutions? Choose 3 answers

  • A. It solves all identity and access management problems.
  • B. It federates credentials control to authorized applications.
  • C. It improves affiliated applications adoption rates.
  • D. It establishes trust between Identity store and service provider.
  • E. It enables quick and easy provisioning and deactivating of users.

Answer: B,C,D

Explanation:
Explanation
It federates credentials control to authorized applications. This means that users can access multiple applications across different domains or organizations using one set of credentials, without having to share their passwords with each application1. The applications rely on a trusted identity provider (IdP) to authenticate the users and grant them access.
It establishes trust between Identity store and service provider. This means that the IdP and the service provider (SP) have a mutual agreement to exchange identity information using standard protocols, such as SAML, OpenID Connect, or OAuth2. The IdP and the SP also share metadata and certificates to ensure secure communication and verification.
It improves affiliated applications adoption rates. This means that users are more likely to use applications that are connected to their existing identity provider, as they do not have to create or remember multiple passwords3. This also reduces the friction and frustration of logging in to different applications, and enhances the user experience.
The other options are not features of federated single sign-on solutions because:
It solves all identity and access management problems. This is false, as federated single sign-on solutions only address the authentication aspect of identity and access management, not the authorization, provisioning, governance, or auditing aspects. Federated single sign-on solutions also have some challenges, such as complexity, interoperability, and security risks.
It enables quick and easy provisioning and deactivating of users. This is not necessarily true, as federated single sign-on solutions do not automatically create or delete user accounts in the service provider applications. Users still need to be provisioned and deprovisioned manually or through other mechanisms, such as just-in-time provisioning or SCIM.
References: Federated Identity Management vs. Single Sign-On: What's the Difference?, What is single sign-on?, Single Sign-On (SSO) Solution, [Identity Management vs. Access Management: What's the Difference?], [Federated Identity Management Challenges], [Just-in-Time Provisioning for SAML], [SCIM User Provisioning]


NEW QUESTION # 30
Which two are valid choices for digital certificates when setting up two-way SSL between Salesforce and an external system. Choose 2 answers

  • A. Use a self-signed certificate for salesforce and a trusted CA-signed cert for the external system
  • B. Use a self-signed certificate for salesforce and a self-signed cert for the external system
  • C. Use a trusted CA-signed certificate for salesforce and a trusted CA-signed cert for the external system
  • D. Use a trusted CA-signed certificate for salesforce and a self-signed cert for the external system

Answer: A,B

Explanation:
Explanation
Two-way SSL is a method of mutual authentication between two parties using digital certificates. A digital certificate is an electronic document that contains information about the identity of the certificate owner and a public key that can be used to verify their signature. A digital certificate can be either self-signed or CA-signed. A self-signed certificate is created and signed by its owner, while a CA-signed certificate is created by its owner but signed by a trusted Certificate Authority (CA). For setting up two-way SSL between Salesforce and an external system, two valid choices for digital certificates are:
Use a self-signed certificate for Salesforce and a self-signed certificate for the external system. This option is simple and cost-effective, but requires both parties to trust each other's self-signed certificates explicitly.
Use a self-signed certificate for Salesforce and a trusted CA-signed certificate for the external system.
This option is more secure and reliable, but requires Salesforce to trust the CA that signed the external system's certificate implicitly.
References: Know more about all the SSL certificates that are supported by Salesforce, two way ssl. How to?


NEW QUESTION # 31
Universal containers (UC) has an e-commerce website while customers can buy products, make payments, and manage their accounts. UC decides to build a customer Community on Salesforce and wants to allow the customers to access the community for their accounts without logging in again. UC decides to implement ansp-Initiated SSO using a SAML-BASED complaint IDP. In this scenario where salesforce is the service provider, which two activities must be performed in salesforce to make sp-Initiated SSO work? Choose 2 answers

  • A. Create a connected App
  • B. Configure SAML SSO settings.
  • C. Configure Delegated Authentication
  • D. Set up my domain

Answer: B,D


NEW QUESTION # 32
Universal Containers (UC) is building an authenticated Customer Community for its customers. UC does not want customer credentials stored in Salesforce and is confident its customers would be willing to use their social media credentials to authenticate to the community. Which two actions should an Architect recommend UC to take?

  • A. Use Delegated Authentication to call the Twitter login API to authenticate users.
  • B. Create a Custom Apex Registration Handler to handle new and existing users.
  • C. Configure an Authentication Provider for LinkedIn Social Media Accounts.
  • D. Configure SSO Settings For Facebook to serve as a SAML Identity Provider.

Answer: B,C


NEW QUESTION # 33
......

Actual Identity-and-Access-Management-Architect Exam Recently Updated Questions with Free Demo: https://www.examtorrent.com/Identity-and-Access-Management-Architect-valid-vce-dumps.html

Valid Identity-and-Access-Management-Architect exam with Salesforce Real Exam Questions: https://drive.google.com/open?id=1T6dgSzwp5k9ph3uEMIykhwbPffVXKVIe