New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

Salesforce Identity-and-Access-Management-Architect Salesforce Certified Identity andAccess Management Architect (SU24) Exam Practice Test

Salesforce Certified Identity andAccess Management Architect (SU24) Questions and Answers

Question 1

Universal Containers (UC) wants its closed Won opportunities to be synced to a Data Warehouse in near real time. UC has implemented Outbound Message to enable near real-time data sync. UC wants to ensure that communication between Salesforce and Target System is Secure. What Certificate is sent along with the Outbound Message?

Options:

A.

The CA-Signed Certificate from the Certificate and Key Management menu.

B.

The default Client Certificate from the Develop--> API Menu.

C.

The default Client Certificate or a Certificate from Certificate and Key Management menu.

D.

The Self-Signed Certificates from the Certificate & Key Management menu.

Question 2

Universal containers (UC) has multiple salesforce orgs and would like to use a single identity provider to access all of their orgs. How should UC'S architect enable this behavior?

Options:

A.

Ensure that users have the same email value in their user records in all of UC's salesforce orgs.

B.

Ensure the same username is allowed in multiple orgs by contacting salesforce support.

C.

Ensure that users have the same Federation ID value in their user records in all of UC's salesforce orgs.

D.

Ensure that users have the same alias value in their user records in all of UC's salesforce orgs.

Question 3

Universal Containers (UC) is implementing Salesforce and would like to establish SAML SSO for its users to log in. UC stores its corporate user identities in a Custom Database. The UC IT Manager has heard good things about Salesforce Identity Connect as an Idp, and would like to understand what limitations they may face if they decided to use Identity Connect in their current environment. What limitation Should an Architect inform the IT Manager about?

Options:

A.

Identity Connect will not support user provisioning in UC's current environment.

B.

Identity Connect will only support Idp-initiated SAML flows in UC's current environment.

C.

Identity Connect will only support SP-initiated SAML flows in UC's current environment.

D.

Identity connect is not compatible with UC's current identity environment.

Question 4

A technology enterprise is setting up an identity solution with an external vendors wellness application for its employees. The user attributes need to be returned to the wellness application in an ID token.

Which authentication mechanism should an identity architect recommend to meet the requirements?

Options:

A.

OpenID Connect

B.

User Agent Flow

C.

JWT Bearer Token Flow

D.

Web Server Flow

Question 5

What information does the 'Relaystate' parameter contain in sp-Initiated Single Sign-on?

Options:

A.

Reference to a URL redirect parameter at the identity provider.

B.

Reference to a URL redirect parameter at the service provider.

C.

Reference to the login address URL of the service provider.

D.

Reference to the login address URL of the identity Provider.

Question 6

Which two capabilities does My Domain enable in the context of a SAML SSO configuration? Choose 2 answers

Options:

A.

App Launcher

B.

Resource deep linking

C.

SSO from Salesforce Mobile App

D.

Login Forensics

Question 7

A public sector agency is setting up an identity solution for its citizens using a Community built on Experience Cloud and requires the new user registration functionality to capture first name, last name, and phone number. The phone number will be used for identity verification.

Which feature should an identity architect recommend to meet the requirements?

Options:

A.

Integrate with social websites (Facebook, Linkedin. Twitter)

B.

Use an external Identity Provider

C.

Create a custom Lightning Web Component

D.

Use Login Discovery

Question 8

Universal Container's (UC) is using Salesforce Experience Cloud site for its container wholesale business. The identity architect wants to an authentication provider for the new site.

Which two options should be utilized in creating an authentication provider?

Choose 2 answers

Options:

A.

A custom registration handier can be set.

B.

A custom error URL can be set.

C.

The default login user can be set.

D.

The default authentication provider certificate can be set.

Question 9

Universal containers(UC) has implemented SAML-BASED single Sign-on for their salesforce application and is planning to provide access to salesforce on mobile devices using the salesforce1 mobile app. UC wants to ensure that single Sign-on is used for accessing the salesforce1 mobile app. Which two recommendations should the architect make? Choose 2 answers

Options:

A.

Use the existing SAML SSO flow along with user agent flow.

B.

Configure the embedded Web browser to use my domain URL.

C.

Use the existing SAML SSO flow along with Web server flow

D.

Configure the salesforce1 app to use the my domain URL

Question 10

Universal Containers wants to implement Single Sign-on for a Salesforce org using an external Identity Provider and corporate identity store.

What type of authentication flow is required to support deep linking'

Options:

A.

Web Server OAuth SSO flow

B.

Service-Provider-Initiated SSO

C.

Identity-Provider-initiated SSO

D.

StartURL on Identity Provider

Question 11

Universal containers (UC) has a mobile application that it wants to deploy to all of its salesforce users, including customer Community users. UC would like to minimize the administration overhead, which two items should an architect recommend? Choose 2 answers

Options:

A.

Enable the "Refresh Tokens is valid until revoked " setting in the Connected App.

B.

Enable the "Enforce Ip restrictions" settings in the connected App.

C.

Enable the "All users may self-authorize" setting in the Connected App.

D.

Enable the "High Assurance session required" setting in the Connected App.

Question 12

Universal containers (UC) uses an internal company portal for their employees to collaborate. UC decides to use salesforce ideas and provide the ability for employees to post ideas from the company portal. They use SAML-BASED SSO to get into the company portal and would like to leverage it to access salesforce. Most of the users don't exist in salesforce and they would like the user records created in salesforce communities the first time they try to access salesforce. What recommendation should an architect make to meet this requirement?

Options:

A.

Use on-the-fly provisioning

B.

Use just-in-time provisioning

C.

Use salesforce APIs to create users on the fly

D.

Use Identity connect to sync users

Question 13

Universal Containers (UC) has built a custom token-based Two-factor authentication (2FA) system for their existing on-premise applications. They are now implementing Salesforce and would like to enable a Two-factor login process for it, as well. What is the recommended solution as Architect should consider?

Options:

A.

Use the custom 2FA system for on-premise applications and native 2FA for Salesforce.

B.

Replace the custom 2FA system with an AppExchange App that supports on premise application and salesforce.

C.

Use Custom Login Flows to connect to the existing custom 2FA system for use in Salesforce.

D.

Replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce.

Question 14

Universal containers (UC) have a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two are recommendations to make the UC? Choose 2 answers

Options:

A.

Disallow the use of single Sign-on for any users of the mobile app.

B.

Require high assurance sessions in order to use the connected App

C.

Use Google Authenticator as an additional part of the logical processes.

D.

Set login IP ranges to the internal network for all of the app users profiles.

Question 15

Northern Trail Outfitters (NTO) wants to improve its engagement with existing customers to boost customer loyalty. To get a better understanding of its customers, NTO establishes a single customer view including their buying behaviors, channel preferences and purchasing history. All of this information exists but is spread across different systems and formats.

NTO has decided to use Salesforce as the platform to build a 360 degree view. The company already uses Microsoft Active Directory (AD) to manage its users and company assets.

What should an Identity Architect do to provision, deprovision and authenticate users?

Options:

A.

Salesforce Identity is not needed since NTO uses Microsoft AD.

B.

Salesforce Identity can be included but NTO will be required to build a custom integration with Microsoft AD.

C.

Salesforce Identity is included in the Salesforce licenses so it does not need to be considered separately.

D.

A Salesforce Identity can be included but NTO will require Identity Connect.

Question 16

Universal Containers is considering using Delegated Authentication as the sole means of Authenticating of Salesforce users. A Salesforce Architect has been brought in to assist with the implementation. What two risks Should the Architect point out? Choose 2 answers

Options:

A.

Delegated Authentication is enabled or disabled for the entire Salesforce org.

B.

UC will be required to develop and support a custom SOAP web service.

C.

Salesforce users will be locked out of Salesforce if the web service goes down.

D.

The web service must reside on a public cloud service, such as Heroku.

Question 17

Universal containers (UC) has a mobile application that calls the salesforce REST API. In order to prevent users from having to enter their credentials everytime they use the app, UC has enabled the use of refresh Tokens as part of the salesforce connected App and updated their mobile app to take advantage of the refresh token. Even after enabling the refresh token, Users are still complaining that they have to enter their credentials once a day. What is the most likely cause of the issue?

Options:

A.

The Oauth authorizations are being revoked by a nightly batch job.

B.

The refresh token expiration policy is set incorrectly in salesforce

C.

The app is requesting too many access Tokens in a 24-hour period

D.

The users forget to check the box to remember their credentials.

Question 18

An identity architect wants to secure Salesforce APIs using Security Assertion Markup Language (SAML). For security purposes, administrators will need to authorize the applications that will be consuming the APIs.

Which Salesforce OAuth authorization flow should be used?

Options:

A.

OAuth 2-0 SAML Bearer Assertion Flow

B.

OAuth 2.0 JWT Bearer Flow

C.

SAML Assertion Flow

D.

OAuth 2.0 User-Agent Flow

Question 19

Universal containers (UC) is setting up their customer Community self-registration process. They are uncomfortable with the idea of assigning new users to a default account record. What will happen when customers self-register in the community?

Options:

A.

The self-registration process will produce an error to the user.

B.

The self-registration page will ask user to select an account.

C.

The self-registration process will create a person Account record.

D.

The self-registration page will create a new account record.

Question 20

Universal Containers wants to allow its customers to log in to its Experience Cloud via a third-party authentication provider that supports only the OAuth protocol.

What should an identity architect do to fulfill this requirement?

Options:

A.

Contact Salesforce Support and enable delegate single sign-on.

B.

Create a custom external authentication provider.

C.

Use certificate-based authentication.

D.

Configure OpenID Connect authentication provider.

Question 21

How should an identity architect automate provisioning and deprovisioning of users into Salesforce from an external system?

Options:

A.

Call SOAP API upsertQ on user object.

B.

Use Security Assertion Markup Language Just-in-Time (SAML JIT) on incoming SAML assertions.

C.

Run registration handler on incoming OAuth responses.

D.

Call OpenID Connect (OIDC)-userinfo endpoint with a valid access token.

Question 22

Universal containers (UC) wants to integrate a Web application with salesforce. The UC team has implemented the Oauth web-server Authentication flow for authentication process. Which two considerations should an architect point out to UC? Choose 2 answers

Options:

A.

The web application should be hosted on a secure server.

B.

The web server must be able to protect consumer privacy

C.

The flow involves passing the user credentials back and forth.

D.

The flow will not provide an Oauth refresh token back to the server.

Question 23

Universal Containers (UC) has implemented SAML-based SSO solution for use with their multi-org Salesforce implementation, utilizing one of the the orgs as the Identity Provider. One user is reporting that they can log in to the Identity Provider org but get a generic SAML error message when accessing the other orgs. Which two considerations should the architect review to troubleshoot the issue? Choose 2 answers

Options:

A.

The Federation ID must be a valid Salesforce Username

B.

The Federation ID must is case sensitive

C.

The Federation ID must be in the form of an email address.

D.

The Federation ID must be populated on the user record.

Question 24

Universal Containers (UC) operates in Asia, Europe and North America regions. There is one Salesforce org for each region. UC is implementing Customer 360 in Salesforce and has procured External Identity and Customer Community licenses in all orgs.

Customers of UC use Community to track orders and create inquiries. Customers also tend to move across regions frequently.

What should an identity architect recommend to optimize license usage and reduce maintenance overhead?

Options:

A.

Merge three orgs into one instance of Salesforce. This will no longer require maintaining three separate copies of the same customer.

B.

Delete contact/ account records and deactivate user if user moves from a specific region; Sync will no longer be required.

C.

Contacts are required since Community access needs to be enabled. Maintenance is a necessary overhead that must be handled via data integration.

D.

Enable Contactless User in all orgs and downgrade users from Experience Cloud license to External Identity license once users have moved out of that region.

Question 25

Universal containers (UC) built a customer Community for customers to buy products, review orders, and manage their accounts. UC has provided three different options for customers to log in to the customer Community: salesforce, Google, and Facebook. Which two role combinations are represented by the systems in the scenario? Choose 2 answers

Options:

A.

Google is the service provider and Facebook is the identity provider

B.

Salesforce is the service provider and Google is the identity provider

C.

Facebook is the service provider and salesforce is the identity provider

D.

Salesforce is the service provider and Facebook is the identity provider

Question 26

Universal Containers (UC) uses a home-grown Employee portal for their employees to collaborate. UC decides to use Salesforce Ideas to allow employees to post Ideas from the Employee portal. When users click on some of the links in the Employee portal, the users should be redirected to Salesforce, authenticated, and presented with the relevant pages. What OAuth flow is best suited for this scenario?

Options:

A.

Web Application flow

B.

SAML Bearer Assertion flow

C.

User-Agent flow

D.

Web Server flow

Question 27

Universal containers (UC) wants to implement Delegated Authentication for a certain subset of Salesforce users. Which three items should UC take into consideration while building the Web service to handle the Delegated Authentication request? Choose 3 answers

Options:

A.

The web service needs to include Source IP as a method parameter.

B.

UC should whitelist all salesforce ip ranges on their corporate firewall.

C.

The web service can be written using either the soap or rest protocol.

D.

Delegated Authentication is enabled for the system administrator profile.

E.

The return type of the Web service method should be a Boolean value

Question 28

Universal Containers (UC) has implemented SSO according to the diagram below. uses SAML while Salesforce Org 1 uses OAuth 2.0. Users usually start their day by first attempting to log into Salesforce Org 2 and then later in the day, they will log into either the Financial System or CPQ system depending upon their job position. Which two systems are acting as Identity Providers?

Options:

A.

Financial System

B.

Pingfederate

C.

Salesforce Org 2

D.

Salesforce Org 1

Question 29

Northern Trail Outfitters wants to implement a partner community. Active community users will need to review and accept the community rules, and update key contact information for each community member before their annual partner event.

Which approach will meet this requirement?

Options:

A.

Create tasks for users who need to update their data or accept the new community rules.

B.

Create a custom landing page and email campaign asking all community members to login and verify their data.

C.

Create a login flow that conditionally prompts users who have not accepted the new community rules and who have missing or outdated information.

D.

Add a banner to the community Home page asking users to update their profile and accept the new community rules.

Question 30

A third-party app provider would like to have users provisioned via a service endpoint before users access their app from Salesforce.

What should an identity architect recommend to configure the requirement with limited changes to the third-party app?

Options:

A.

Use a connected app with user provisioning flow.

B.

Create Canvas app in Salesforce for third-party app to provision users.

C.

Redirect users to the third-party app for registration.

D.

Use Salesforce identity with Security Assertion Markup Language (SAML) for provisioning users.

Question 31

A consumer products company uses Salesforce to maintain consumer information, including orders. The company implemented a portal solution using Salesforce Experience Cloud for its consumers where the consumers can log in using their credentials. The company is considering allowing users to login with their Facebook or Linkedln credentials.

Once enabled, what role will Salesforce play?

Options:

A.

Facebook and Linkedln will be the SPs.

B.

Salesforce will be the service provider (SP).

C.

Salesforce will be the identity provider (IdP).

D.

Facebook and Linkedln will act as the IdPs and SPs.

Question 32

Universal Containers wants to secure its Salesforce APIs by using an existing Security Assertion Markup Language (SAML) configuration supports the company's single sign-on process to Salesforce,

Which Salesforce OAuth authorization flow should be used?

Options:

A.

OAuth 2.0 SAML Bearer Assertion Flow

B.

A SAML Assertion Row

C.

OAuth 2.0 User-Agent Flow

D.

OAuth 2.0 JWT Bearer Flow

Question 33

Universal containers (UC) would like to enable SSO between their existing Active Directory infrastructure and salesforce. The it team prefers to manage all users in Active Directory and would like to avoid doing any initial setup of users in salesforce directly, including the correct assignment of profiles, roles and groups. Which two optimal solutions should UC use to provision users in salesforce? Choose 2 answers

Options:

A.

Use the salesforce REST API to sync users from active directory to salesforce

B.

Use an app exchange product to sync users from Active Directory to salesforce.

C.

Use Active Directory Federation Services to sync users from active directory to salesforce.

D.

Use Identity connect to sync users from Active Directory to salesforce

Question 34

The security team at Universal Containers (UC) has identified exporting reports as a high-risk action and would like to require users to be logged into Salesforce with their Active Directory (AD) credentials when doing so. For all other users of Salesforce, users should be allowed to use AD Credentials or Salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with Salesforce credentials?

Options:

A.

Use SAML Federated Authentication and block access to reports when accessed through a Standard Assurance session.

B.

Use SAML Federated Authentication and Custom SAML JIT Provisioning to dynamically and or remove a permission set that grants the Export Reports Permission.

C.

Use SAML federated Authentication, treat SAML Sessions as High Assurance, and raise the session level required for exporting reports.

D.

Use SAML federated Authentication with a Login Flow to dynamically add or remove a Permission Set that grants the Export Reports Permission.

Question 35

Universal containers wants salesforce inbound Oauth-enabled integration clients to use SAML-BASED single Sign-on for authentication. What Oauth flow would be recommended in this scenario?

Options:

A.

User-Agent Oauth flow

B.

SAML assertion Oauth flow

C.

User-Token Oauth flow

D.

Web server Oauth flow

Question 36

Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours?

Options:

A.

Login Inspector

B.

Login History

C.

Login Report

D.

Login Forensics

Question 37

Universal Containers (UC) has a strict requirement to authenticate users to Salesforce using their mainframe credentials. The mainframe user store cannot be accessed from a SAML provider. UC would also like to have users in Salesforce created on the fly if they provide accurate mainframe credentials.

How can the Architect meet these requirements?

Options:

A.

Use a Salesforce Login Flow to call out to a web service and create the user on the fly.

B.

Use the SOAP API to create the user when created on the mainframe; implement Delegated Authentication.

C.

Implement Just-In-Time Provisioning on the mainframe to create the user on the fly.

D.

Implement OAuth User-Agent Flow on the mainframe; use a Registration Handler to create the user on the fly.

Question 38

Which two roles of the systems are involved in an environment where salesforce users are enabled to access Google Apps from within salesforce through App launcher and connected App set up? Choose 2 answers

Options:

A.

Google is the identity provider

B.

Salesforce is the identity provider

C.

Google is the service provider

D.

Salesforce is the service provider

Question 39

In a typical SSL setup involving a trusted party and trusting party, what consideration should an Architect take into account when using digital certificates?

Options:

A.

Use of self-signed certificate leads to lower maintenance for trusted party because multiple self-signed certs need to be maintained.

B.

Use of self-signed certificate leads to higher maintenance for trusted party because they have to act as the trusted CA

C.

Use of self-signed certificate leads to lower maintenance for trusting party because there is no trusted CA cert to maintain.

D.

Use of self-signed certificate leads to higher maintenance for trusting party because the cert needs to be added to their truststore.

Question 40

A multinational industrial products manufacturer is planning to implement Salesforce CRM to manage their business. They have the following requirements:

1. They plan to implement Partner communities to provide access to their partner network .

2. They have operations in multiple countries and are planning to implement multiple Salesforce orgs.

3. Some of their partners do business in multiple countries and will need information from multiple Salesforce communities.

4. They would like to provide a single login for their partners.

How should an Identity Architect solution this requirement with limited custom development?

Options:

A.

Create a partner login for the country of their operation and use SAML federation to provide access to other orgs.

B.

Consolidate Partner related information in a single org and provide access through Salesforce community.

C.

Allow partners to choose the Salesforce org they need information from and use login flows to authenticate access.

D.

Register partners in one org and access information from other orgs using APIs.

Question 41

Universal Containers (UC) is looking to purchase a third-party application as an Identity Provider. UC is looking to develop a business case for the purchase in general and has enlisted an Architect for advice. Which two capabilities of an Identity Provider should the Architect detail to help strengthen the business case? Choose 2 answers

Options:

A.

The Identity Provider can authenticate multiple applications.

B.

The Identity Provider can authenticate multiple social media accounts.

C.

The Identity provider can store credentials for multiple applications.

D.

The Identity Provider can centralize enterprise password policy.

Question 42

What are three capabilities of Delegated Authentication? Choose 3 answers

Options:

A.

It can be assigned by Custom Permissions.

B.

It can connect to SOAP services.

C.

It can be assigned by Permission Sets.

D.

It can be assigned by Profiles.

E.

It can connect to REST services.

Question 43

Northern Trail Outfitters (NTO) leverages Microsoft Active Directory (AD) for management of employee usernames, passwords, permissions, and asset access. NTO also owns a third-party single sign-on (SSO) solution. The third-party party SSO solution is used for all corporate applications, including Salesforce.

NTO has asked an architect to explore Salesforce Identity Connect for automatic provisioning and deprovisioning of users in Salesforce.

What role does identity Connect play in the outlined requirements?

Options:

A.

Service Provider

B.

Single Sign-On

C.

Identity Provider

D.

User Management

Question 44

Universal Containers would like its customers to register and log in to a portal built on Salesforce Experience Cloud. Customers should be able to use their Facebook or Linkedln credentials for ease of use.

Which three steps should an identity architect take to implement social sign-on?

Choose 3 answers

Options:

A.

Register both Facebook and Linkedln as connected apps.

B.

Create authentication providers for both Facebook and Linkedln.

C.

Check "Facebook" and "Linkedln" under Login Page Setup.

D.

Enable "Federated Single Sign-On Using SAML".

E.

Update the default registration handlers to create and update users.

Question 45

Universal Containers is implementing a new Experience Cloud site and the identity architect wants to use dynamic branding features as of the login process.

Which two options should the identity architect recommend to support dynamic branding for the site?

Choose 2 answers

Options:

A.

To use dynamic branding, the community must be built with the Visuaiforce + Salesforce Tabs template.

B.

To use dynamic branding, the community must be built with the Customer Account Portal template.

C.

An experience ID (expid) or placeholder parameter must be used in the URL to represent the brand.

D.

An external content management system (CMS) must be used for dynamic branding on Experience Cloud sites.

Question 46

Universal Containers allows employees to use a mobile device to access Salesforce for daily operations using a hybrid mobile app. This app uses Mobile software development kits (SDK), leverages refresh token to regenerate access token when required and is distributed as a private app.

The chief security officer is rolling out an org wide compliance policy to enforce re-verification of devices if an employee has not logged in from that device in the last week.

Which connected app setting should be leveraged to comply with this policy change?

Options:

A.

Scope - Deny refresh_token scope for this connected app.

B.

Refresh Token Policy - Expire the refresh token if it has not been used for 7 days.

C.

Session Policy - Set timeout value of the connected app to 7 days.

D.

Permitted User - Ask admins to maintain a list of users who are permitted based on last login date.

Question 47

Universal containers wants to set up SSO for a selected group of users to access external applications from salesforce through App launcher. Which three steps must be completed in salesforce to accomplish the goal?

Options:

A.

Associate user profiles with the connected Apps.

B.

Complete my domain and Identity provider setup.

C.

Create connected apps for the external applications.

D.

Complete single Sign-on settings in security controls.

E.

Create named credentials for each external system.

Question 48

A division of a Northern Trail Outfitters (NTO) purchased Salesforce. NTO uses a third party identity provider (IdP) to validate user credentials against Its corporate Lightweight Directory Access Protocol (LDAP) directory. NTO wants to help employees remember as passwords as possible.

What should an identity architect recommend?

Options:

A.

Setup Salesforce as a Service Provider to the existing IdP.

B.

Setup Salesforce as an IdP to authenticate against the LDAP directory.

C.

Use Salesforce connect to synchronize LDAP passwords to Salesforce.

D.

Setup Salesforce as an Authentication Provider to the existing IdP.

Question 49

Universal Containers (UC) is using its production org as the identity provider for a new Experience Cloud site and the identity architect is deciding which login experience to use for the site.

Which two page types are valid login page types for the site?

Choose 2 answers

Options:

A.

Experience Builder Page

B.

lightning Experience Page

C.

Login Discovery Page

D.

Embedded Login Page

Question 50

A real estate company wants to provide its customers a digital space to design their interior decoration options. To simplify the registration to gain access to the community site (built in Experience Cloud), the CTO has requested that the IT/Development team provide the option for customers to use their existing social-media credentials to register and access.

The IT lead has approached the Salesforce Identity and Access Management (IAM) architect for technical direction on implementing the social sign-on (for Facebook, Twitter, and a new provider that supports standard OpenID Connect (OIDC)).

Which two recommendations should the Salesforce IAM architect make to the IT Lead?

Choose 2 answers

Options:

A.

Use declarative registration handler process builder/flow to create, update users and contacts.

B.

Authentication provider configuration is required each social sign-on providers; and enable Authentication providers in

community.

C.

For supporting OIDC it is necessary to enable Security Assertion Markup Language (SAML) with Just-in-Time provisioning (JIT) and OAuth 2.0.

D.

Apex coding skills are needed for registration handler to create and update users.

Question 51

A global company is using the Salesforce Platform as an Identity Provider and needs to integrate a third-party application with its Experience Cloud customer portal.

Which two features should be utilized to provide users with login and identity services for the third-party application?

Choose 2 answers

Options:

A.

Use the App Launcher with single sign-on (SSO).

B.

External a Data source with Named Principal identity type.

C.

Use a connected app.

D.

Use Delegated Authentication.

Question 52

An identity architect's client has a homegrown identity provider (IdP). Salesforce is used as the service provider (SP). The head of IT is worried that during a SP initiated single sign-on (SSO), the Security Assertion Markup Language (SAML) request content will be altered.

What should the identity architect recommend to make sure that there is additional trust between the SP and the IdP?

Options:

A.

Ensure that there is an HTTPS connection between IDP and SP.

B.

Ensure that on the SSO settings page, the "Request Signing Certificate" field has a self-signed certificate.

C.

Ensure that the Issuer and Assertion Consumer service (ACS) URL is property configured between SP and IDP.

D.

Encrypt the SAML Request using certification authority (CA) signed certificate and decrypt on IdP.

Question 53

Northern Trail Outfitters (NTO) uses Salesforce for Sales Opportunity Management. Okta was recently brought in to Just-in-Time (JIT) provision and authenticate NTO users to applications. Salesforce users also use Okta to authorize a Forecasting web application to access Salesforce records on their behalf.

Which two roles are being performed by Salesforce?

Choose 2 answers

Options:

A.

SAML Identity Provider

B.

OAuth Client

C.

OAuth Resource Server

D.

SAML Service Provider

Question 54

A security architect is rolling out a new multi-factor authentication (MFA) mandate, where all employees must go through a secure authentication process before accessing Salesforce. There are multiple Identity Providers (IdP) in place and the architect is considering how the "Authentication Method Reference" field (AMR) in the Login History can help.

Which two considerations should the architect keep in mind?

Choose 2 answers

Options:

A.

AMR field shows the authentication methods used at IdP.

B.

Both OIDC and Security Assertion Markup Language (SAML) are supported but AMR must be implemented at IdP.

C.

High-assurance sessions must be configured under Session Security Level Policies.

D.

Dependency on what is supported by OpenID Connect (OIDC) implementation at IdP.

Question 55

An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The following are the requirements for the solution:

1. Users should not have to login every time they use the app.

2. The app should be able to make calls to the Salesforce REST API.

3. End users should NOT see the OAuth approval page.

How should the identity architect configure the Salesforce connected app to meet the requirements?

Options:

A.

Enable the API Scope and Offline Access Scope, upload a certificate so JWT Bearer Flow can be used and then set the connected app access settings to "Admin Pre-Approved".

B.

Enable the API Scope and Offline Access Scope on the connected app, and then set the connected app to access settings to 'Admin Pre-Approved".

C.

Enable the Full Access Scope and then set the connected app access settings to "Admin Pre-Approved".

D.

Enable the API Scope and Offline Access Scope on the connected app, and then set the Connected App access settings to "User may self authorize".

Question 56

Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Act Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee recently was able to login to NTO's Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory.

What should an identity architect recommend to prevent this from happening in the future?

Options:

A.

Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP.

B.

Configure an authentication provider to delegate authentication to the LDAP directory.

C.

use a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce.

D.

Setup an identity provider (IdP) to authenticate users using LDAP, set up single sign-on to Salesforce and disable Login Form authentication.

Question 57

Universal Containers built a custom mobile app for their field reps to create orders in Salesforce. OAuth is used for authenticating mobile users. The app is built in such a way that when a user session expires after Initial login, a new access token is obtained automatically without forcing the user to log in again. While that improved the field reps' productivity, UC realized that they need a "logout" feature.

What should the logout function perform in this scenario, where user sessions are refreshed automatically?

Options:

A.

Invoke the revocation URL and pass the refresh token.

B.

Clear out the client Id to stop auto session refresh.

C.

Invoke the revocation URL and pass the access token.

D.

Clear out all the tokens to stop auto session refresh.

Question 58

Universal Containers (UC) is looking to build a Canvas app and wants to use the corresponding Connected App to control where the app is visible. Which two options are correct in regards to where the app can be made visible under the Connected App setting for the Canvas app? Choose 2 answers

Options:

A.

As part of the body of a Salesforce Knowledge article.

B.

In the mobile navigation menu on Salesforce for Android.

C.

The sidebar of a Salesforce Console as a console component.

D.

Included in the Call Control Tool that's part of Open CTI.

Question 59

Universal Containers is using OpenID Connect to enable a connection from their new mobile app to its production Salesforce org.

What should be done to enable the retrieval of the access token status for the OpenID Connect connection?

Options:

A.

Query using OpenID Connect discovery endpoint.

B.

A Leverage OpenID Connect Token Introspection.

C.

Create a custom OAuth scope.

D.

Enable cross-origin resource sharing (CORS) for the /services/oauth2/token endpoint.

Question 60

The security team at Universal containers(UC) has identified exporting reports as a high-risk action and would like to require users to be logged into salesforce with their active directory (AD) credentials when doing so. For all other uses of Salesforce, Users should be allowed to use AD credentials or salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with salesforce credentials?

Options:

A.

Use SAML Federated Authentication and Custom SAML jit provisioning to dynamically add or remove a permission set that grants the Export Reports permission.

B.

Use SAML Federated Authentication, treat SAML sessions as high assurance, and raise the session level required for exporting reports.

C.

Use SAML Federated Authentication and block access to reports when accesses through a standard assurance session.

D.

Use SAML Federated Authentication with a login flow to dynamically add or remove a permission set that grants the export reports permission.

Question 61

Universal Containers (UC) uses Active Directory (AD) as their identity store for employees and must continue to do so for network access. UC is undergoing a major transformation program and moving all of their enterprise applications to cloud platforms including Salesforce, Workday, and SAP HANA. UC needs to implement an SSO solution for accessing all of the third-party cloud applications and the CIO is inclined to use Salesforce for all of their identity and access management needs.

Which two Salesforce license types does UC need for its employees'

Choose 2 answers

Options:

A.

Company Community and Identity licenses

B.

Identity and Identity Connect licenses

C.

Chatter Only and Identity licenses

D.

Salesforce and Identity Connect licenses

Question 62

Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, who use SAML based sign sign-on to login to Salesforce. The default agent profile does not include the Manage User permission. UC wants to dynamically update the agent role and permission sets.

Which two mechanisms are used to provision agents with the appropriate permissions?

Choose 2 answers

Options:

A.

Use Login Flow in User Context to update role and permission sets.

B.

Use Login Flow in System Context to update role and permission sets.

C.

Use SAML Just-m-Time (JIT) Handler class run as current user to update role and permission sets.

D.

Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets.

Question 63

An administrator created a connected app for a custom wet) application in Salesforce which needs to be visible as a tile in App Launcher The tile for the custom web application is missing in the app launcher for all users in Salesforce. The administrator requested assistance from an identity architect to resolve the issue.

Which two reasons are the source of the issue?

Choose 2 answers

StartURL for the connected app is not set in Connected App settings.

B. OAuth scope does not include "openid*.

C. Session Policy is set as 'High Assurance Session required' for this connected app.

D. The connected app is not set in the App menu as 'Visible in App Launcher".

Options:

Question 64

architect is troubleshooting some SAML-based SSO errors during testing. The Architect confirmed that all of the Salesforce SSO settings are correct. Which two issues outside of the Salesforce SSO settings are most likely contributing to the SSO errors the Architect is encountering? Choose 2 Answers

Options:

A.

The Identity Provider is also used to SSO into five other applications.

B.

The clock on the Identity Provider server is twenty minutes behind Salesforce.

C.

The Issuer Certificate from the Identity Provider expired two weeks ago.

D.

The default language for the Identity Provider and Salesforce are Different.

Question 65

An identity architect is setting up an integration between Salesforce and a third-party system. The third-party system needs to authenticate to Salesforce and then make API calls against the REST API.

One of the requirements is that the solution needs to ensure the third party service providers connected app in Salesforce mini need for end user interaction and maximizes security.

Which OAuth flow should be used to fulfill the requirement?

Options:

A.

JWT Bearer Flow

B.

Web Server Flow

C.

User Agent Flow

D.

Username-Password Flow

Question 66

Universal Containers (UC) has an e-commerce website where customers can buy products, make payments, and manage their accounts. UC decides to build a Customer Community on Salesforce and wants to allow the customers to access the community from their accounts without logging in again. UC decides to implement an SP-initiated SSO using a SAML-compliant Idp. In this scenario where Salesforce is the Service Provider, which two activities must be performed in Salesforce to make SP-initiated SSO work? Choose 2 answers

Options:

A.

Configure SAML SSO settings.

B.

Create a Connected App.

C.

Configure Delegated Authentication.

D.

Set up My Domain.

Question 67

Northern Trail Outfitters would like to use a portal built on Salesforce Experience Cloud for customer self-service. Guests of the portal be able to self-register, but be unable to automatically be assigned to a contact record until verified. External Identity licenses have been purchased for the project.

After registered guests complete an onboarding process, a flow will create the appropriate account and contact records for the user.

Which three steps should an identity architect follow to implement the outlined requirements?

Choose 3 answers

Options:

A.

Enable "Allow customers and partners to self-register".

B.

Select the "Configurable Self-Reg Page" option under Login & Registration.

C.

Set jp an external login page and call Salesforce APIs for user creation.

D.

Customize the self-registration Apex handler to temporarily associate the user to a shared single contact record.

E.

Customize me self-registration Apex handler to create only the user record.

Question 68

Universal Containers (UC) has implemented SAML-based Single Sign-On to provide seamless access to its Salesforce Orgs, financial system, and CPQ system. Below is the SSO implementation landscape.

What role combination is represented by the systems in this scenario''

Options:

A.

Financial System and CPQ System are the only Service Providers.

B.

Salesforce Org1 and Salesforce Org2 are the only Service Providers.

C.

Salesforce Org1 and Salesforce Org2 are acting as Identity Providers.

D.

Salesforce Org1 and PingFederate are acting as Identity Providers.

Question 69

Universal Containers is budding a web application that will connect with the Salesforce API using JWT OAuth Flow.

Which two settings need to be configured in the connect app to support this requirement?

Choose 2 answers

Options:

A.

The Use Digital Signature option in the connected app.

B.

The "web" OAuth scope in the connected app,

C.

The "api" OAuth scope in the connected app.

D.

The "edair_api" OAuth scope m the connected app.

Question 70

Universal Containers (UC) currently uses Salesforce Sales Cloud and an external billing application. Both Salesforce and the billing application are accessed several times a day to manage customers. UC would like to configure single sign-on and leverage Salesforce as the identity provider. Additionally, UC would like the billing application to be accessible from Salesforce. A redirect is acceptable.

Which two Salesforce tools should an identity architect recommend to satisfy the requirements?

Choose 2 answers

Options:

A.

salesforce Canvas

B.

Identity Connect

C.

Connected Apps

D.

App Launcher

Question 71

An Enterprise is using a Lightweight Directory Access Protocol (LDAP ) server as the only point for user authentication with a username/password. Salesforce delegated authentication is configured to integrate Salesforce under single sign-on (SSO).

Mow can end users change their password?

Options:

A.

Users once logged In, can go to the Change Password screen in Salesforce.

B.

Users can click on the "Forgot your Password" link on the Salesforce.com login page.

C.

Users can request the Salesforce Admin to reset their password.

D.

Users can change it on the enterprise LDAP authentication portal.