Latest Sep 03, 2024 Real Identity-and-Access-Management-Architect Exam Dumps Questions Valid Identity-and-Access-Management-Architect Dumps PDF [Q117-Q134]

Share

Latest Sep 03, 2024 Real Identity-and-Access-Management-Architect Exam Dumps Questions Valid Identity-and-Access-Management-Architect Dumps PDF

Salesforce Identity-and-Access-Management-Architect Exam Dumps - PDF Questions and Testing Engine

NEW QUESTION # 117
Universal containers (UC) would like to enable self - registration for their salesforce partner community users.
UC wants to capture some custom data elements from the partner user, and based on these data elements, wants to assign the appropriate profile and account values. Which two actions should the architect recommend to UC? Choose 2 answers

  • A. Modify the selfregistration trigger to assign profile and account.
  • B. Configure registration for communities to use a custom visualforce page.
  • C. Configure registration for communities to use a custom apex controller.
  • D. Modify the communitiesselfregcontroller to assign the profile and account.

Answer: B,D

Explanation:
Explanation
To enable self-registration for their Salesforce partner community users, UC should modify the communities' self-registration controller to assign the profile and account based on the custom data elements from the partner user1. UC should also configure registration for communities to use a custom Visualforce page to capture the custom data elements from the partner user2. Therefore, option A and C are the correct answers.
References: Salesforce Partner Community, Partner Community Registration Guide


NEW QUESTION # 118
Universal Containers wants to implement Single Sign-on for a Salesforce org using an external Identity Provider and corporate identity store.
What type of authentication flow is required to support deep linking'

  • A. Service-Provider-Initiated SSO
  • B. Web Server OAuth SSO flow
  • C. StartURL on Identity Provider
  • D. Identity-Provider-initiated SSO

Answer: A

Explanation:
Explanation
Single sign-on (SSO) is an authentication method that enables users to access multiple applications with one login and one set of credentials4. There are two types of SSO flows that can be used with Salesforce as the service provider (SP) and an external identity provider (IdP)5:
Service-provider-initiated SSO: The user requests a resource from the SP, such as a Salesforce URL.
The SP redirects the user to the IdP for authentication. The IdP authenticates the user and sends a SAML response to the SP. The SP validates the SAML response and grants access to the user5. This type of SSO flow supports deep linking, which means that the user can access a specific page within Salesforce without logging in again6.
Identity-provider-initiated SSO: The user logs in to the IdP and selects an app from a list of available apps. The IdP sends a SAML response to the SP. The SP validates the SAML response and grants access to the user5. This type of SSO flow does not support deep linking, which means that the user can only access the default landing page of Salesforce6.
References:
Single Sign-On
SAML SSO Flows
Deep Linking


NEW QUESTION # 119
Northern Trail Outfitters (NTO) uses the Customer 360 Platform implemented on Salesforce Experience Cloud. The development team in charge has learned of a contactless user feature, which can reduce the overhead of managing customers and partners by creating users without contact information.
What is the potential impact to the architecture if NTO decides to implement this feature?

  • A. Passwordless authentication cannot be supported because the mobile phone receiving one-time password (OTP) needs to match the number on the contact record.
  • B. Contactless user feature is available only with the External Identity license, which can restrict the Experience Cloud functionality available to the user.
  • C. If contactless user is upgraded to Community license, the contact record is automatically created and linked to the user record, but not associated with an Account.
  • D. Custom registration handler is needed to correctly assign External Identity or Community license for the newly registered contactless user.

Answer: C

Explanation:
Explanation
According to the Salesforce documentation3, contactless user feature allows creating users without contact information, such as email address or phone number. This reduces the overhead of managing customers and partners who don't need or want to provide their contact information. However, if a contactless user is upgraded to a Community license, a contact record is automatically created and linked to the user record, but not associated with an account. This can impact the architecture of NTO's Customer 360 Platform, as they may need to associate contacts with accounts for reporting or other purposes.


NEW QUESTION # 120
Universal Containers (UC) has built a custom time tracking app for its employee. UC wants to leverage Salesforce Identity to control access to the custom app.
At a minimum, which Salesforce license is required to support this requirement?

  • A. External Identity
  • B. Identity Connect
  • C. Identity Only
  • D. Identity Verification

Answer: C


NEW QUESTION # 121
A global company's Salesforce Identity Architect is reviewing its Salesforce production org login history and is seeing some intermittent Security Assertion Markup Language (SAML SSO) 'Replay Detected and Assertion Invalid' login errors.
Which two issues would cause these errors?
Choose 2 answers

  • A. The subject element is missing from the assertion sent to salesforce.
  • B. The assertion sent to 5alesforce contains an assertion ID previously used.
  • C. The certificate loaded into SSO configuration does not match the certificate used by the IdP.
  • D. The current time setting of the company's identity provider (IdP) and Salesforce platform is out of sync by more than eight minutes.

Answer: B,D

Explanation:
Explanation
A SAML SSO 'Replay Detected and Assertion Invalid' error occurs when Salesforce detects that the same assertion has been used more than once within the validity period. This can happen if the assertion ID is reused by the IdP or if the assertion is resent by the user. Another possible cause is that the time settings of the IdP and Salesforce are not synchronized, which can result in an assertion being valid for a shorter or longer period than expected. References: SAML Single Sign-On Settings, Troubleshoot SAML Single Sign-On


NEW QUESTION # 122
Universal containers (UC) wants to integrate a Web application with salesforce. The UC team has implemented the Oauth web-server Authentication flow for authentication process. Which two considerations should an architect point out to UC? Choose 2 answers

  • A. The web application should be hosted on a secure server.
  • B. The flow involves passing the user credentials back and forth.
  • C. The web server must be able to protect consumer privacy
  • D. The flow will not provide an Oauth refresh token back to the server.

Answer: A,C

Explanation:
Explanation
The web application should be hosted on a secure server and the web server must be able to protect consumer privacy are two considerations that an architect should point out to UC. To integrate an external web app with the Salesforce API, UC can use the OAuth 2.0 web server flow, which implements the OAuth 2.0 authorization code grant type4. With this flow, the server hosting the web app must be able to protect the connected app's identity, defined by the client ID and client secret4. The web application should be hosted on a secure server to ensure that the communication between the web app and Salesforce is encrypted and protected from unauthorized access or tampering6. The web server must be able to protect consumer privacy to comply with data protection laws and regulations, such as GDPR or CCPA . The web server should implement best practices for storing and handling user data, such as encryption, hashing, salting, and anonymization. The flow involves passing the user credentials back and forth is not a correct consideration, as the web server flow does not require the user credentials to be passed between the web app and Salesforce. Instead, it uses an authorization code that is exchanged for an access token and a refresh token4. The flow will not provide an OAuth refresh token back to the server is also not a correct consideration, as the web server flow does provide a refresh token that can be used to obtain new access tokens without user interaction4. References: OAuth 2.0 Web Server Flow for Web App Integration, Secure Your Web Application, [General Data Protection Regulation (GDPR)], [California Consumer Privacy Act (CCPA)],
[Data Protection Best Practices]


NEW QUESTION # 123
Universal Containers (UC) uses Salesforce as a CRM and identity provider (IdP) for their Sales Team to seamlessly login to intemaJ portals. The IT team at UC is now evaluating Salesforce to act as an IdP for its remaining employees.
Which Salesforce license is required to fulfill this requirement?

  • A. External Identity
  • B. Identity Connect
  • C. Identity Only
  • D. Identity Verification

Answer: C


NEW QUESTION # 124
Universal Containers (UC) wants to provide single sign-on (SSO) for a business-to-consumer (B2C) application using Salesforce Identity.
Which Salesforce license should UC utilize to implement this use case?

  • A. Salesforce Platform
  • B. External Identity
  • C. Identity Only
  • D. Partner Community

Answer: B


NEW QUESTION # 125
Universal containers (UC) wants users to authenticate into their salesforce org using credentials stored in a custom identity store. UC does not want to purchase or use a third-party Identity provider. Additionally, UC is extremely wary of social media and does not consider it to be trust worthy. Which two options should an architect recommend to UC? Choose 2 answers

  • A. Build a custom Web service that is supported by Delegated Authentication.
  • B. Implement the Openid protocol and configure an authentication provider
  • C. Use a professional social media such as LinkedIn as an Authentication provider
  • D. Build a custom web page that uses the identity store and calls frontdoor.jsp

Answer: A,B

Explanation:
Explanation
The two options that an architect should recommend to UC are to build a custom web service that is supported by delegated authentication and to implement the OpenID protocol and configure an authentication provider. Delegated authentication is a feature that allows Salesforce to delegate user authentication to an external service instead of using Salesforce credentials3. A custom web service can be built to use the credentials stored in the custom identity store and validate them against Salesforce using SOAP or REST API3. OpenID is an open standard protocol that allows users to authenticate with various web services using an existing account4. An authentication provider can be configured in Salesforce to use OpenID and connect with the custom identity store5.
References: Delegated Authentication, OpenID, Authentication Providers


NEW QUESTION # 126
A large consumer company is planning to create a community and will requ.re login through the customers social identity. The following requirements must be met:
1. The customer should be able to login with any of their social identities, however salesforce should only have one user per customer.
2. Once the customer has been identified with a social identity, they should not be required to authonze Salesforce.
3. The customers personal details from the social sign on need to be captured when the customer logs into Salesforce using their social Identity.
3. If the customer modifies their personal details in the social site, the changes should be updated in Salesforce
.
Which two options allow the Identity Architect to fulfill the requirements?
Choose 2 answers

  • A. Use Login Flows to call an authentication registration handler to provision the user before logging the user into the community.
  • B. Use the custom registration handler to link social identities to Salesforce identities.
  • C. Use authentication providers for social sign-on and use the custom registration handler to insert or update personal details.
  • D. Redirect the user to a custom page that allows the user to select an existing social identity for login.

Answer: B,C


NEW QUESTION # 127
In an SP-Initiated SAML SSO setup where the user tries to access a resource on the Service Provider, What HTTP param should be used when submitting a SAML Request to the Idp to ensure the user is returned to the intended resourse after authentication?

  • A. RelayState
  • B. StartURL
  • C. DisplayState
  • D. RedirectURL

Answer: A


NEW QUESTION # 128
Universal Containers (UC) has a classified information system that its call center team uses only when they are working on a case with a record type "Classified". They are only allowed to access the system when they own an open "Classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO eith Salesforce as the Idp, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "Classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying the access to the classified information system based on the open "classified" case record criteria?

  • A. Use Salesforce reports to identify users that currently owns open "Classified" cases and should be granted access to the Classified information system.
  • B. Use Custom SAML JIT Provisioning to dynamically query the user's open "Classified" cases when attempting to access the classified information system.
  • C. Use Apex trigger on case to dynamically assign permission Sets that Grant access when an user is assigned with an open "Classified" case, and remove it when the case is closed.
  • D. Use a Common Connected App Handler using Apex to dynamically allow access to the system based on whether the staff owns any open "Classified" Cases.

Answer: D


NEW QUESTION # 129
Universal Containers (UC) operates in Asia, Europe and North America regions. There is one Salesforce org for each region. UC is implementing Customer 360 in Salesforce and has procured External Identity and Customer Community licenses in all orgs.
Customers of UC use Community to track orders and create inquiries. Customers also tend to move across regions frequently.
What should an identity architect recommend to optimize license usage and reduce maintenance overhead?

  • A. Enable Contactless User in all orgs and downgrade users from Experience Cloud license to External Identity license once users have moved out of that region.
  • B. Delete contact/ account records and deactivate user if user moves from a specific region; Sync will no longer be required.
  • C. Contacts are required since Community access needs to be enabled. Maintenance is a necessary overhead that must be handled via data integration.
  • D. Merge three orgs into one instance of Salesforce. This will no longer require maintaining three separate copies of the same customer.

Answer: A

Explanation:
Explanation
To optimize license usage and reduce maintenance overhead for customers who use Community to track orders and create inquiries and tend to move across regions frequently, the identity architect should recommend enabling Contactless User in all orgs and downgrade users from Experience Cloud license to External Identity license once users have moved out of that region. Contactless User is a feature that allows users to access Experience Cloud sites without having a contact record associated with them. External Identity is a license type that enables users to access Experience Cloud sites using social sign-on or single sign-on, but not access Salesforce objects or data. By enabling Contactless User and downgrading users from Experience Cloud license to External Identity license, the identity architect can reduce the number of contacts and licenses needed for each region and avoid data duplication and synchronization issues. References: Contactless User, External Identity License, User Licenses


NEW QUESTION # 130
Which two things should be done to ensure end users can only use single sign-on (SSO) to login in to Salesforce?
Choose 2 answers

  • A. Enable My Domain and select "Prevent login from https://login.salesforce.com".
  • B. Once SSO is enabled, users are only able to login using Salesforce credentials.
  • C. Request Salesforce Support to enable delegated authentication.
  • D. Assign user "is Single Sign-on Enabled" permission via profile or permission set.

Answer: A,D


NEW QUESTION # 131
Universal Containers (UC) is both a Salesforce and Google Apps customer. The UC IT team would like to manage the users for both systems in a single place to reduce administrative burden. Which two optimal ways can the IT team provision users and allow Single Sign-on between Salesforce and Google Apps ? Choose 2 answers

  • A. Build a custom app running on Heroku as the Identity Provider that can sync user information between Salesforce and Google Apps.
  • B. Use a third-party product as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.
  • C. Use Salesforce as the Identity Provider and Google Apps as a Service Provider and configure User Provisioning for Connected Apps.
  • D. Use Identity Connect as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.

Answer: B,C

Explanation:
Explanation
B is correct because a third-party product can act as an Identity Provider (IdP) for both Salesforce and Google Apps and manage the user provisioning from a single place12. This reduces the administrative burden and provides a consistent user experience.
D is correct because Salesforce can act as an IdP and Google Apps can act as a Service Provider (SP) and they can use SAML or OpenID Connect for Single Sign-on (SSO)34. Salesforce also supports User Provisioning for Connected Apps, which allows the creation, update, and deactivation of users in Google Apps based on changes in Salesforce.
A is incorrect because building a custom app on Heroku as an IdP is not an optimal way to provision users and allow SSO. It would require more development and maintenance effort than using a third-party product or Salesforce as an IdP.
C is incorrect because Identity Connect is a tool that synchronizes users between Active Directory and Salesforce. It does not support Google Apps as a target system for user provisioning or SSO.
References: 1: Architect Journey: Identity and Access Management Trailmix - Trailhead 2: Free Salesforce Identity-and-Access-Management-Architect Questions ... 3: [Single Sign-On Implementation Guide Developer Documentation] 4: [Social Single Sign-On with OpenID Connect Salesforce Developer YouTube] :
[Authorize Apps with OAuth Trailblazer Community Documentation] : Identity Connect Implementation Guide Developer Documentation


NEW QUESTION # 132
A global fitness equipment manufacturer uses Salesforce to manage its sales cycle. The manufacturer has a custom order fulfillment app that needs to request order data from Salesforce. The order fulfillment app needs to integrate with the Salesforce API using OAuth 2.0 protocol.
What should an identity architect use to fulfill this requirement?

  • A. Connected App and OAuth scopes
  • B. OAuth Tokens
  • C. Canvas App Integration
  • D. Authentication Providers

Answer: A

Explanation:
Explanation
To integrate the order fulfillment app with the Salesforce API using OAuth 2.0 protocol, the identity architect should use a Connected App and OAuth scopes. A Connected App is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols, such as OAuth 2.0. OAuth scopes are permissions that define the specific data that an external application can access or modify in Salesforce. To use OAuth 2.0 protocol, the identity architect needs to configure a Connected App in Salesforce and assign the appropriate OAuth scopes to it, such as "api" or "full". References: Connected Apps, OAuth Scopes


NEW QUESTION # 133
Containers (UC) uses a legacy Employee portal for their employees to collaborate. Employees access the portal from their company's internal website via SSO. It is set up to work with SiteMinder and Active Directory. The Employee portal has features to support posing ideas. UC decides to use Salesforce Ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to integrate Employee portal ideas with Salesforce idea through the API. What is the role of Salesforce in the context of SSO, based on this scenario?

  • A. Identity Provider, because the API calls are authenticated by Salesforce.
  • B. Connected App, because Salesforce is connected with Employee portal via API.
  • C. An independent system, because Salesforce is not part of the SSO setup.
  • D. Service Provider, because Salesforce is the application for managing ideas.

Answer: C


NEW QUESTION # 134
......

Reliable Identity and Access Management Designer Identity-and-Access-Management-Architect Dumps PDF Sep 03, 2024 Recently Updated Questions: https://www.examtorrent.com/Identity-and-Access-Management-Architect-valid-vce-dumps.html

Latest Identity-and-Access-Management-Architect Exam Dumps for Pass Guaranteed: https://drive.google.com/open?id=1ILd76fcTF3Vs1TvdpxmQG4YKBkoJVdip