Spring Sale - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 65percent

Welcome To DumpsPedia
  1. Home
  2. Salesforce
  3. Identity and Access Management Designer
  4. Identity-and-Access-Management-Designer
  5. Salesforce Certified Identity and Access Management Architect (WI23) Questions and Answers

Identity-and-Access-Management-Designer Sample Questions Answers

Questions 4

Northern Trail Outfitters would like to automatically create new employee users in Salesforce with an appropriate profile that maps to its Active Directory Department.

How should an identity architect implement this requirement?

Options:

A.

Use the createUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.

B.

Use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.

C.

Use a login flow to collect Security Assertion Markup Language attributes and assign the appropriate profile during Just-In-Time

(JIT) provisioning.

D.

Make a callout during the login flow to query department from Active Directory to assign the appropriate profile.

Buy Now
Questions 5

An architect needs to advise the team that manages the identity provider how to differentiate salesforce from other service providers. What SAML SSO setting in salesforce provides this capability?

Options:

A.

Entity id

B.

Issuer

C.

Identity provider login URL

D.

SAML identity location

Buy Now
Questions 6

Universal containers (UC) has a classified information system that it's call centre team uses only when they are working on a case with a record type of "classified". They are only allowed to access the system when they own an open "classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO with salesforce as the IDP, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying access to the classified information system based on the open "classified" case record criteria?

Options:

A.

Use a custom connected App handler using apex to dynamically allow access to the system based on whether the staff owns any open "classified" cases.

B.

Use apex trigger on case to dynamically assign permission sets that grant access when a user is assigned with an open "classified" case, and remove it when the case is closed.

C.

Use custom SAML jit provisioning to dynamically query the user's open "classified" cases when attempting to access the classified information system

D.

Use salesforce reports to identify users that currently owns open "classified" cases and should be granted access to the classified information system.

Buy Now
Questions 7

Universal Containers (UC) is setting up delegated authentication to allow employees to log in using their corporate credentials. UC's security team is concerned about the risks of exposing the corporate login service on the internet and has asked that a reliable trust mechanism be put in place between the login service and Salesforce.

What mechanism should an Architect put in place to enable a trusted connection between the login service and Salesforce?

Options:

A.

Require the use of Salesforce security tokens on passwords.

B.

Enforce mutual authentication between systems using SSL.

C.

Include Client Id and Client Secret in the login header callout.

D.

Set up a proxy service for the login service in the DMZ.

Buy Now
Questions 8

Universal Containers wants to implement Single Sign-on for a Salesforce org using an external Identity Provider and corporate identity store.

What type of authentication flow is required to support deep linking'

Options:

A.

Web Server OAuth SSO flow

B.

Service-Provider-Initiated SSO

C.

Identity-Provider-initiated SSO

D.

StartURL on Identity Provider

Buy Now
Questions 9

Northern Trail Outfitters (NTO) uses Salesforce for Sales Opportunity Management. Okta was recently brought in to Just-in-Time (JIT) provision and authenticate NTO users to applications. Salesforce users also use Okta to authorize a Forecasting web application to access Salesforce records on their behalf.

Which two roles are being performed by Salesforce?

Choose 2 answers

Options:

A.

SAML Identity Provider

B.

OAuth Client

C.

OAuth Resource Server

D.

SAML Service Provider

Buy Now
Questions 10

Universal Containers (UC) has built a custom time tracking app for its employee. UC wants to leverage Salesforce Identity to control access to the custom app.

At a minimum, which Salesforce license is required to support this requirement?

Options:

A.

Identity Verification

B.

Identity Connect

C.

Identity Only

D.

External Identity

Buy Now
Questions 11

A client is planning to rollout multi-factor authentication (MFA) to its internal employees and wants to understand which authentication and verification methods meet the Salesforce criteria for secure authentication.

Which three functions meet the Salesforce criteria for secure mfa?

Choose 3 answers

Options:

A.

username and password + SMS passcode

B.

Username and password + secunty key

C.

Third-party single sign-on with Mobile Authenticator app

D.

Certificate-based Authentication

E.

Lightning Login

Buy Now
Questions 12

Which three types of attacks would a 2-Factor Authentication solution help garden against?

Options:

A.

Key logging attacks

B.

Network perimeter attacks

C.

Phishing attacks

D.

Dictionary attacks

E.

Man-in-the-middle attacks

Buy Now
Questions 13

Universal Containers (UC) has a Customer Community that uses Facebook for of authentication. UC would like to ensure that changes in the Facebook profile are 65. reflected on the appropriate Customer Community user. How can this requirement be met?

Options:

A.

Use SAML Just-In-Time Provisioning between Facebook and Salesforce.

B.

Use information in the Signed Request that is received from Facebook.

C.

Develop a scheduled job that calls out to Facebook on a nightly basis.

D.

Use the updateUser() method on the Registration Handler class.

Buy Now
Questions 14

An architect needs to set up a Facebook Authentication provider as login option for a salesforce customer Community. What portion of the authentication provider setup associates a Facebook user with a salesforce user?

Options:

A.

Consumer key and consumer secret

B.

Federation ID

C.

User info endpoint URL

D.

Apex registration handler

Buy Now
Questions 15

Universal Containers wants to allow its customers to log in to its Experience Cloud via a third party authentication provider that supports only the OAuth protocol.

What should an identity architect do to fulfill this requirement?

Options:

A.

Contact Salesforce Support and enable delegate single sign-on.

B.

Create a custom external authentication provider.

C.

Use certificate-based authentication.

D.

Configure OpenID Connect authentication provider.

Buy Now
Questions 16

Universal Containers (UC) implemented SSO to a third-party system for their Salesforce users to access the App Launcher. UC enabled “User Provisioning” on the Connected App so that changes to user accounts can be synched between Salesforce and the third party system. However, UC quickly notices that changes to user roles in Salesforce are not getting synched to the third-party system. What is the most likely reason for this behaviour?

Options:

A.

User Provisioning for Connected Apps does not support role sync.

B.

Required operation(s) was not mapped in User Provisioning Settings.

C.

The Approval queue for User Provisioning Requests is unmonitored.

D.

Salesforce roles have more than three levels in the role hierarchy.

Buy Now
Questions 17

A pharmaceutical company has an on-premise application (see illustration) that it wants to integrate with Salesforce.

The IT director wants to ensure that requests must include a certificate with a trusted certificate chain to access the company's on-premise application endpoint.

What should an Identity architect do to meet this requirement?

Options:

A.

Use open SSL to generate a Self-signed Certificate and upload it to the on-premise app.

B.

Configure the company firewall to allow traffic from Salesforce IP ranges.

C.

Generate a certificate authority-signed certificate in Salesforce and uploading it to the on-premise application Truststore.

D.

Upload a third-party certificate from Salesforce into the on-premise server.

Buy Now
Questions 18

A company with 15,000 employees is using Salesforce and would like to take the necessary steps to highlight or curb fraudulent activity.

Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours?

Options:

A.

Login Forensics

B.

Login Report

C.

Login Inspector

D.

Login History

Buy Now
Questions 19

An Architect has configured a SAML-based SSO integration between Salesforce and an external Identity provider and is ready to test it. When the Architect attempts to log in to Salesforce using SSO, the Architect receives a SAML error. Which two optimal actions should the Architect take to troubleshoot the issue?

Options:

A.

Ensure the Callback URL is correctly set in the Connected Apps settings.

B.

Use a browser that has an add-on/extension that can inspect SAML.

C.

Paste the SAML Assertion Validator in Salesforce.

D.

Use the browser's Development tools to view the Salesforce page's markup.

Buy Now
Questions 20

Universal Containers (UC) is both a Salesforce and Google Apps customer. The UC IT team would like to manage the users for both systems in a single place to reduce administrative burden. Which two optimal ways can the IT team provision users and allow Single Sign-on between Salesforce and Google Apps ? Choose 2 answers

Options:

A.

Build a custom app running on Heroku as the Identity Provider that can sync user information between Salesforce and Google Apps.

B.

Use a third-party product as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.

C.

Use Identity Connect as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.

D.

Use Salesforce as the Identity Provider and Google Apps as a Service Provider and configure User Provisioning for Connected Apps.

Buy Now
Questions 21

Northern Trail Outfitters would like to use a portal built on Salesforce Experience Cloud for customer self-service. Guests of the portal be able to self-register, but be unable to automatically be assigned to a contact record until verified. External Identity licenses have bee purchased for the project.

After registered guests complete an onboarding process, a flow will create the appropriate account and contact records for the user.

Which three steps should an identity architect follow to implement the outlined requirements?

Choose 3 answers

Options:

A.

Enable "Allow customers and partners to self-register".

B.

Select the "Configurable Self-Reg Page" option under Login & Registration.

C.

Set jp an external login page and call Salesforce APIs for user creation.

D.

Customize the self-registration Apex handler to temporarily associate the user to a shared single contact record.

E.

Customize me self-registration Apex handler to create only the user record.

Buy Now
Questions 22

A security architect is rolling out a new multi-factor authentication (MFA) mandate, where all employees must go through a secure authentication process before accessing Salesforce. There are multiple Identity Providers (IdP) in place and the architect is considering how the "Authentication Method Reference" field (AMR) in the Login History can help.

Which two considerations should the architect keep in mind?

Choose 2 answers

Options:

A.

AMR field shows the authentication methods used at IdP.

B.

Both OIDC and Security Assertion Markup Language (SAML) are supported but AMR must be implemented at IdP.

C.

High-assurance sessions must be configured under Session Security Level Policies.

D.

Dependency on what is supported by OpenID Connect (OIDC) implementation at IdP.

Buy Now
Questions 23

Universal Containers (UC) is using its production org as the identity provider for a new Experience Cloud site and the identity architect is deciding which login experience to use for the site.

Which two page types are valid login page types for the site?

Choose 2 answers

Options:

A.

Experience Builder Page

B.

lightning Experience Page

C.

Login Discovery Page

D.

Embedded Login Page

Buy Now
Questions 24

Universal Containers (UC) wants to provide single sign-on (SSO) for a business-to-consumer (B2C) application using Salesforce Identity.

Which Salesforce license should UC utilize to implement this use case?

Options:

A.

Identity Only

B.

Salesforce Platform

C.

External Identity

D.

Partner Community

Buy Now
Questions 25

Northern Trail Outfitters (NTO) employees use a custom on-premise helpdesk application to request, approve, notify, and track access granted to various on-premises and cloud applications, including Salesforce. Salesforce is currently used to authenticate users.

How should NTO provision Salesforce users as soon as they are approved in the helpdesk application with the approved profiles and permission sets?

Options:

A.

Build an integration that performs a remote call-in to the Salesforce SOAP or REST API.

B.

Use a login flow to query the helpdesk to validate user status.

C.

Have the helpdesk initiate an IdP-initiated Just-m-Time provisioning Security Assertion Markup Language flow.

D.

Use Salesforce Connect to integrate with the helpdesk application.

Buy Now
Questions 26

Universal Containers (UC) uses middleware to integrate multiple systems with Salesforce. UC has a strict, new requirement that usernames and passwords cannot be stored in any UC system. How can UC’s middleware authenticate to Salesforce while adhering to this requirement?

Options:

A.

Create a Connected App that supports the JWT Bearer Token OAuth Flow.

B.

Create a Connected App that supports the Refresh Token OAuth Flow

C.

Create a Connected App that supports the Web Server OAuth Flow.

D.

Create a Connected App that supports the User-Agent OAuth Flow.

Buy Now
Questions 27

Universal Containers (UC) is using a custom application that will act as the Identity Provider and will generate SAML assertions used to log in to Salesforce. UC is considering including custom parameters in the SAML assertion. These attributes contain sensitive data and are needed to authenticate the users. The assertions are submitted to salesforce via a browser form post. The majority of the users will only be able to access Salesforce via UC's corporate network, but a subset of admins and executives would be allowed access from outside the corporate network on their mobile devices. Which two methods should an Architect consider to ensure that the sensitive data cannot be tampered with, nor accessible to anyone while in transit?

Options:

A.

Use the Identity Provider's certificate to digitally sign and Salesforce's Certificate to encrypt the payload.

B.

Use Salesforce's Certificate to digitally sign the SAML Assertion and a Mobile Device Management client on the users' mobile devices.

C.

Use the Identity provider's certificate to digitally Sign and the Identity provider's certificate to encrypt the payload.

D.

Use a custom login flow to retrieve sensitive data using an Apex callout without including the attributes in the assertion.

Buy Now
Questions 28

Containers (UC) uses an internal system for recruiting and would like to have the candidates' info available in the Salesforce automatically when they are selected. UC decides to use OAuth to connect to Salesforce from the recruiting system and would like to do the authentication using digital certificates. Which two OAuth flows should be considered to meet the requirement? Choose 2 answers

Options:

A.

JWT Bearer Token flow

B.

Refresh Token flow

C.

SAML Bearer Assertion flow

D.

Web Service flow

Buy Now
Questions 29

Universal Containers (UC) has implemented SSO according to the diagram below. uses SAML while Salesforce Org 1 uses OAuth 2.0. Users usually start their day by first attempting to log into Salesforce Org 2 and then later in the day, they will log into either the Financial System or CPQ system depending upon their job position. Which two systems are acting as Identity Providers?

Options:

A.

Financial System

B.

Pingfederate

C.

Salesforce Org 2

D.

Salesforce Org 1

Buy Now
Questions 30

Universal Containers wants to implement SAML SSO for their internal Salesforce users using a third-party IdP. After some evaluation, UC decides not to set up My Domain for their Salesforce org. How does that decision impact their SSO implementation?

Options:

A.

SP-initiated SSO will not work.

B.

Neither SP- nor IdP-initiated SSO will work.

C.

Either SP- or IdP-initiated SSO will work.

D.

IdP-initiated SSO will not work.

Buy Now
Questions 31

How should an Architect force users to authenticate with Two-factor Authentication (2FA) for Salesforce only when not connected to an internal company network?

Options:

A.

Use Custom Login Flows with Apex to detect the user's IP address and prompt for 2FA if needed.

B.

Add the list of company's network IP addresses to the Login Range list under 2FA Setup.

C.

Use an Apex Trigger on the UserLogin object to detect the user's IP address and prompt for 2FA if needed.

D.

Apply the "Two-factor Authentication for User Interface Logins" permission and Login IP Ranges for all Profiles.

Buy Now
Questions 32

A multinational company is looking to rollout Salesforce globally. The company has a Microsoft Active Directory Federation Services (ADFS) implementation for the Americas, Europe and APAC. The company plans to have a single org and they would like to have all of its users access Salesforce using the ADFS . The company would like to limit its investments and prefer not to procure additional applications to satisfy the requirements.

What is recommended to ensure these requirements are met ?

Options:

A.

Use connected apps for each ADFS implementation and implement Salesforce site to authenticate users across the ADFS system applicable to their geo.

B.

Implement Identity Connect to provide single sign-on to Salesforce and federated across multiple ADFS systems.

C.

Add a central identity system that federates between the ADFS systems and integrate with Salesforce for single sign-on.

D.

Configure Each ADFS system under single sign-on settings and allow users to choose the system to authenticate during sign on to Salesforce-

Buy Now
Questions 33

What information does the 'Relaystate' parameter contain in sp-Initiated Single Sign-on?

Options:

A.

Reference to a URL redirect parameter at the identity provider.

B.

Reference to a URL redirect parameter at the service provider.

C.

Reference to the login address URL of the service provider.

D.

Reference to the login address URL of the identity Provider.

Buy Now
Questions 34

Universal Containers (UC) uses a home-grown Employee portal for their employees to collaborate. UC decides to use Salesforce Ideas to allow employees to post Ideas from the Employee portal. When users click on some of the links in the Employee portal, the users should be redirected to Salesforce, authenticated, and presented with the relevant pages. What OAuth flow is best suited for this scenario?

Options:

A.

Web Application flow

B.

SAML Bearer Assertion flow

C.

User-Agent flow

D.

Web Server flow

Buy Now
Questions 35

An Enterprise is using a Lightweight Directory Access Protocol (LDAP ) server as the only point for user authentication with a username/password. Salesforce delegated authentication is configured to integrate Salesforce under single sign-on (SSO).

Mow can end users change their password?

Options:

A.

Users once logged In, can go to the Change Password screen in Salesforce.

B.

Users can click on the "Forgot your Password" link on the Salesforce.com login page.

C.

Users can request the Salesforce Admin to reset their password.

D.

Users can change it on the enterprise LDAP authentication portal.

Buy Now
Questions 36

The CIO of universal containers(UC) wants to start taking advantage of the refresh token capability for the UC applications that utilize Oauth 2.0. UC has listed an architect to analyze all of the applications that use Oauth flows to. See where refresh Tokens can be applied. Which two OAuth flows should the architect consider in their evaluation? Choose 2 answers

Options:

A.

Web server

B.

Jwt bearer token

C.

User-Agent

D.

Username-password

Buy Now
Questions 37

Universal containers (UC) would like to enable self - registration for their salesforce partner community users. UC wants to capture some custom data elements from the partner user, and based on these data elements, wants to assign the appropriate profile and account values. Which two actions should the architect recommend to UC? Choose 2 answers

Options:

A.

Modify the communitiesselfregcontroller to assign the profile and account.

B.

Modify the selfregistration trigger to assign profile and account.

C.

Configure registration for communities to use a custom visualforce page.

D.

Configure registration for communities to use a custom apex controller.

Buy Now
Status:
Expired , and Replaced By
Exam Code: Identity-and-Access-Management-Designer
Exam Name: Salesforce Certified Identity and Access Management Architect (WI23)
Last Update: Apr 14, 2023
Questions: 1
$57.75  $164.99
$43.75  $124.99
$36.75  $104.99
buy now Identity-and-Access-Management-Designer