New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

Salesforce Identity-and-Access-Management-Designer Salesforce Certified Identity and Access Management Architect (WI23) Exam Practice Test

Salesforce Certified Identity and Access Management Architect (WI23) Questions and Answers

Question 1

Universal containers (UC) has a mobile application that it wants to deploy to all of its salesforce users, including customer Community users. UC would like to minimize the administration overhead, which two items should an architect recommend? Choose 2 answers

Options:

A.

Enable the "Refresh Tokens is valid until revoked " setting in the Connected App.

B.

Enable the "Enforce Ip restrictions" settings in the connected App.

C.

Enable the "All users may self-authorize" setting in the Connected App.

D.

Enable the "High Assurance session required" setting in the Connected App.

Question 2

Northern Trail Outfitters (NTO) wants to improve its engagement with existing customers to boost customer loyalty. To get a better understanding of its customers, NTO establishes a single customer view including their buying behaviors, channel preferences and purchasing history. All of this information exists but is spread across different systems and formats.

NTO has decided to use Salesforce as the platform to build a 360 degree view. The company already uses Microsoft Active Directory (AD) to manage its users and company assets.

What should an Identity Architect do to provision, deprovision and authenticate users?

Options:

A.

Salesforce Identity is not needed since NTO uses Microsoft AD.

B.

Salesforce Identity can be included but NTO will be required to build a custom integration with Microsoft AD.

C.

Salesforce Identity is included in the Salesforce licenses so it does not need to be considered separately.

D.

A Salesforce Identity can be included but NTO will require Identity Connect.

Question 3

Which three are features of federated Single sign-on solutions? Choose 3 Answers

Options:

A.

It establishes trust between Identity Store and Service Provider.

B.

It federates credentials control to authorized applications.

C.

It solves all identity and access management problems.

D.

It improves affiliated applications adoption rates.

E.

It enables quick and easy provisioning and deactivating of users.

Question 4

Universal Containers (UC) uses Salesforce as a CRM and identity provider (IdP) for their Sales Team to seamlessly login to intemaJ portals. The IT team at UC is now evaluating Salesforce to act as an IdP for its remaining employees.

Which Salesforce license is required to fulfill this requirement?

Options:

A.

External Identity

B.

Identity Verification

C.

Identity Connect

D.

Identity Only

Question 5

Universal Containers (UC) uses Salesforce to allow customers to keep track of the order status. The customers can log in to Salesforce using external authentication providers, such as Facebook and Google. UC is also leveraging the App Launcher to let customers access an of platform application for generating shipping labels. The label generator application uses OAuth to provide users access. What license type should an Architect recommend for the customers?

Options:

A.

Customer Community license

B.

Identity license

C.

Customer Community Plus license

D.

External Identity license

Question 6

Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for NTO to give its customers the ability to login with their Amazon credentials.

What should an identity architect recommend to meet these requirements?

Options:

A.

Configure a predefined authentication provider for Amazon.

B.

Create a custom external authentication provider for Amazon.

C.

Configure an OpenID Connect Authentication Provider for Amazon.

D.

Configure Amazon as a connected app.

Question 7

Universal Containers built a custom mobile app for their field reps to create orders in Salesforce. OAuth is used for authenticating mobile users. The app is built in such a way that when a user session expires after Initial login, a new access token is obtained automatically without forcing the user to log in again. While that improved the field reps' productivity, UC realized that they need a "logout" feature.

What should the logout function perform in this scenario, where user sessions are refreshed automatically?

Options:

A.

Invoke the revocation URL and pass the refresh token.

B.

Clear out the client Id to stop auto session refresh.

C.

Invoke the revocation URL and pass the access token.

D.

Clear out all the tokens to stop auto session refresh.

Question 8

Which two security risks can be mitigated by enabling Two-Factor Authentication (2FA) in Salesforce? Choose 2 answers

Options:

A.

Users leaving laptops unattended and not logging out of Salesforce.

B.

Users accessing Salesforce from a public Wi-Fi access point.

C.

Users choosing passwords that are the same as their Facebook password.

D.

Users creating simple-to-guess password reset questions.

Question 9

A multinational company is looking to rollout Salesforce globally. The company has a Microsoft Active Directory Federation Services (ADFS) implementation for the Americas, Europe and APAC. The company plans to have a single org and they would like to have all of its users access Salesforce using the ADFS . The company would like to limit its investments and prefer not to procure additional applications to satisfy the requirements.

What is recommended to ensure these requirements are met ?

Options:

A.

Use connected apps for each ADFS implementation and implement Salesforce site to authenticate users across the ADFS system applicable to their geo.

B.

Implement Identity Connect to provide single sign-on to Salesforce and federated across multiple ADFS systems.

C.

Add a central identity system that federates between the ADFS systems and integrate with Salesforce for single sign-on.

D.

Configure Each ADFS system under single sign-on settings and allow users to choose the system to authenticate during sign on to Salesforce-

Question 10

Universal Containers (UC) employees have Salesforce access from restricted IP ranges only, to protect against unauthorised access. UC wants to roll out the Salesforce1 mobile app and make it accessible from any location. Which two options should an Architect recommend? Choose 2 answers

Options:

A.

Relax the IP restriction with a second factor in the Connect App settings for Salesforce1 mobile app.

B.

Remove existing restrictions on IP ranges for all types of user access.

C.

Relax the IP restrictions in the Connect App settings for the Salesforce1 mobile app.

D.

Use Login Flow to bypass IP range restriction for the mobile app.

Question 11

Universal Containers (UC) currently uses Salesforce Sales Cloud and an external billing application. Both Salesforce and the billing application are accessed several times a day to manage customers. UC would like to configure single sign-on and leverage Salesforce as the identity provider. Additionally, UC would like the billing application to be accessible from Salesforce. A redirect is acceptable.

Which two Salesforce tools should an identity architect recommend to satisfy the requirements?

Choose 2 answers

Options:

A.

salesforce Canvas

B.

Identity Connect

C.

Connected Apps

D.

App Launcher

Question 12

Northern Trail Outfitters (NTO) is planning to roll out a partner portal for its distributors using Experience Cloud. NTO would like to use an external identity provider (idP) and for partners to register for access to the portal. Each partner should be allowed to register only once to avoid duplicate accounts with Salesforce.

What should a identity architect recommend to create partners?

Options:

A.

On successful creation of Partners using Self Registration page in Experience Cloud, create identity in Ping.

B.

Create a custom page m Experience Cloud to self register partner with Experience Cloud and Ping identity store.

C.

Create a custom web page in the Portal and create users in the IdP and Experience Cloud using published APIs.

D.

Allow partners to register through the IdP and create partner users in Salesforce through an API.

Question 13

Universal containers wants to implement single Sign-on for a salesforce org using an external identity provider and corporate identity store. What type of Authentication flow is required to support deep linking?

Options:

A.

Web server Oauth SSO flow.

B.

Identity-provider-initiated SSO

C.

Service-provider-initiated SSO

D.

Start URL on identity provider

Question 14

Universal containers(UC) wants to integrate a third-party reward calculation system with salesforce to calculate rewards. Rewards will be calculated on a schedule basis and update back into salesforce. The integration between Salesforce and the reward calculation system needs to be secure. Which are the recommended best practices for using Oauth flows in this scenario? Choose 2 answers

Options:

A.

Oauth refresh token flow

B.

Oauth SAML bearer assertion flow

C.

Oauthjwt bearer token flow

D.

Oauth Username-password flow

Question 15

Universal Containers (UC) uses Global Shipping (GS) as one of their shipping vendors. Regional leads of GS need access to UC's Salesforce instance for reporting damage of goods using Cases. The regional leads also need access to dashboards to keep track of regional shipping KPIs. UC internally uses a third-party cloud analytics tool for capacity planning and UC decided to provide access to this tool to a subset of GS employees. In addition to regional leads, the GS capacity planning team would benefit from access to this tool. To access the analytics tool, UC IT has set up Salesforce as the Identity provider for Internal users and would like to follow the same approach for the GS users as well. What are the most appropriate license types for GS Tregional Leads and the GS Capacity Planners? Choose 2 Answers

Options:

A.

Customer Community Plus license for GS Regional Leads and External Identity for GS Capacity Planners.

B.

Customer Community Plus license for GS Regional Leads and Customer Community license for GS Capacity Planners.

C.

Identity Licence for GS Regional Leads and External Identity license for GS capacity Planners.

D.

Customer Community license for GS Regional Leads and Identity license for GS Capacity Planners.

Question 16

Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for to give its customers the ability to login with their Facebook and Twitter credentials.

Which two actions should an identity architect recommend to meet these requirements?

Choose 2 answers

Options:

A.

Create a custom external authentication provider for Facebook.

B.

Configure a predefined authentication provider for Facebook.

C.

Create a custom external authentication provider for Twitter.

D.

Configure a predefined authentication provider for Twitter.

Question 17

Universal containers (UC) is concerned that having a self-registration page will provide a means for "bots" or unintended audiences to create user records, thereby consuming licences and adding dirty data. Which two actions should UC take to prevent unauthorised form submissions during the self-registration process? Choose 2 answers

Options:

A.

Use open-ended security questions and complex password requirements

B.

Primarily use lookup and picklist fields on the self registration page.

C.

Require a captcha at the end of the self-registration process.

D.

Use hidden fields populated via java script events in the self-registration page.

Question 18

Universal Containers (UC) is both a Salesforce and Google Apps customer. The UC IT team would like to manage the users for both systems in a single place to reduce administrative burden. Which two optimal ways can the IT team provision users and allow Single Sign-on between Salesforce and Google Apps ? Choose 2 answers

Options:

A.

Build a custom app running on Heroku as the Identity Provider that can sync user information between Salesforce and Google Apps.

B.

Use a third-party product as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.

C.

Use Identity Connect as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.

D.

Use Salesforce as the Identity Provider and Google Apps as a Service Provider and configure User Provisioning for Connected Apps.

Question 19

Universal Containers (UC) has implemented SAML-based Single Sign-On to provide seamless access to its Salesforce Orgs, financial system, and CPQ system. Below is the SSO implementation landscape.

What role combination is represented by the systems in this scenario''

Options:

A.

Financial System and CPQ System are the only Service Providers.

B.

Salesforce Org1 and Salesforce Org2 are the only Service Providers.

C.

Salesforce Org1 and Salesforce Org2 are acting as Identity Providers.

D.

Salesforce Org1 and PingFederate are acting as Identity Providers.

Question 20

Which two considerations should be made when implementing Delegated Authentication?

Choose 2 answers

Options:

A.

The authentication web service can include custom attributes.

B.

It can be used to authenticate API clients and mobile apps.

C.

It requires trusted IP ranges at the User Profile level.

D.

Salesforce servers receive but do not validate a user’s credentials.

E.

Just-in-time Provisioning can be configured for new users.

Question 21

Universal containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two are recommendations to make the UC? Choose 2 answers

Options:

A.

Disallow the use of single Sign-on for any users of the mobile app.

B.

Require high assurance sessions in order to use the connected App

C.

Use Google Authenticator as an additional part of the logical processes.

D.

Set login IP ranges to the internal network for all of the app users profiles.

Question 22

Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours?

Options:

A.

Login Inspector

B.

Login History

C.

Login Report

D.

Login Forensics

Question 23

Universal Containers allows employees to use a mobile device to access Salesforce for daily operations using a hybrid mobile app. This app uses Mobile software development kits (SDK), leverages refresh token to regenerate access token when required and is distributed as a private app.

The chief security officer is rolling out an org wide compliance policy to enforce re-venfication of devices if an employee has not logged in from that device in the last week.

Which connected app setting should be leveraged to comply with this policy change?

Options:

A.

Scope - Deny refresh_token scope for this connected app.

B.

Refresh Token Policy - Expire the refresh token if it has not been used for 7 days.

C.

Session Policy - Set timeout value of the connected app to 7 days.

D.

Permitted User - Ask admins to maintain a list of users who are permitted based on last login date.

Question 24

Containers (UC) has decided to implement a federated single Sign-on solution using a third-party Idp. In reviewing the third-party products, they would like to ensure the product supports the automated provisioning and deprovisioning of users. What are the underlining mechanisms that the UC Architect must ensure are part of the product?

Options:

A.

SOAP API for provisioning; Just-in-Time (JIT) for Deprovisioning.

B.

Just-In-time (JIT) for Provisioning; SOAP API for Deprovisioning.

C.

Provisioning API for both Provisioning and Deprovisioning.

D.

Just-in-Time (JIT) for both Provisioning and Deprovisioning.

Question 25

Universal containers (UC) has implemented SAML SSO to enable seamless access across multiple applications. UC has regional salesforce orgs and wants it's users to be able to access them from their main Salesforce org seamless. Which action should an architect recommend?

Options:

A.

Configure the main salesforce org as an Authentication provider.

B.

Configure the main salesforce org as the Identity provider.

C.

Configure the regional salesforce orgs as Identity Providers.

D.

Configure the main Salesforce org as a service provider.

Question 26

A global fitness equipment manufacturer uses Salesforce to manage its sales cycle. The manufacturer has a custom order fulfillment app that needs to request order data from Salesforce. The order fulfillment app needs to integrate with the Salesforce API using OAuth 2.0 protocol.

What should an identity architect use to fulfill this requirement?

Options:

A.

Canvas App Integration

B.

OAuth Tokens

C.

Authentication Providers

D.

Connected App and OAuth scopes

Question 27

An Identity and Access Management (IAM) Architect is recommending Identity Connect to integrate Microsoft Active Directory (AD) with Salesforce for user provisioning, deprovisioning and single sign-on (SSO).

Which feature of Identity Connect is applicable for this scenano?

Options:

A.

When Identity Connect is in place, if a user is deprovisioned in an on-premise AD, the user's Salesforce session Is revoked Immediately.

B.

If the number of provisioned users exceeds Salesforce licence allowances, identity Connect will start disabling the existing

Salesforce users in First-in, First-out (FIFO) fashion.

C.

Identity Connect can be deployed as a managed package on salesforce org, leveraging High Availability of Salesforce Platform out-of-the-box.

D.

When configured, Identity Connect acts as an identity provider to both Active Directory and Salesforce, thus providing SSO as a default feature.

Question 28

Universal Containers (UC) has built a custom token-based Two-factor authentication (2FA) system for their existing on-premise applications. They are now implementing Salesforce and would like to enable a Two-factor login process for it, as well. What is the recommended solution as Architect should consider?

Options:

A.

Use the custom 2FA system for on-premise applications and native 2FA for Salesforce.

B.

Replace the custom 2FA system with an AppExchange App that supports on premise application and salesforce.

C.

Use Custom Login Flows to connect to the existing custom 2FA system for use in Salesforce.

D.

Replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce.

Question 29

Universal containers (UC) has multiple salesforce orgs and would like to use a single identity provider to access all of their orgs. How should UC'S architect enable this behavior?

Options:

A.

Ensure that users have the same email value in their user records in all of UC's salesforce orgs.

B.

Ensure the same username is allowed in multiple orgs by contacting salesforce support.

C.

Ensure that users have the same Federation ID value in their user records in all of UC's salesforce orgs.

D.

Ensure that users have the same alias value in their user records in all of UC's salesforce orgs.

Question 30

Universal Containers is creating a web application that will be secured by Salesforce Identity using the OAuth 2.0 Web Server Flow uses the OAuth 2.0 authorization code grant type).

Which three OAuth concepts apply to this flow?

Choose 3 answers

Options:

A.

Verification URL

B.

Client Secret

C.

Access Token

D.

Scopes

Question 31

Universal containers (UC) has implemented SAML -based single Sign-on for their salesforce application. UC is using pingfederate as the Identity provider. To access salesforce, Users usually navigate to a bookmarked link to my domain URL. What type of single Sign-on is this?

Options:

A.

Sp-Initiated

B.

IDP-initiated with deep linking

C.

IDP-initiated

D.

Web server flow.

Question 32

Universal containers(UC) has a customer Community that uses Facebook for authentication. UC would like to ensure that changes in the Facebook profile are reflected on the appropriate customer Community user. How can this requirement be met?

Options:

A.

Use the updateuser() method on the registration handler class.

B.

Use SAML just-in-time provisioning between Facebook and Salesforce

C.

Use information in the signed request that is received from Facebook.

D.

Develop a schedule job that calls out to Facebook on a nightly basis.

Question 33

Universal Containers (UC) is building an integration between Salesforce and a legacy web applications using the canvas framework. The security for UC has determined that a signed request from Salesforce is not an adequate authentication solution for the Third-Party app. Which two options should the Architect consider for authenticating the third-party app using the canvas framework? Choose 2 Answers

Options:

A.

Utilize the SAML Single Sign-on flow to allow the third-party to authenticate itself against UC's IdP.

B.

Utilize Authorization Providers to allow the third-party appliction to authenticate itself against Salesforce as the Idp.

C.

Utilize Canvas OAuth flow to allow the third-party appliction to authenticate itself against Salesforce as the Idp.

D.

Create a registration handler Apex class to allow the third-party appliction to authenticate itself against Salesforce as the Idp.

Question 34

Universal containers (UC) wants to implement a partner community. As part of their implementation, UC would like to modify both the Forgot password and change password experience with custom branding for their partner community users. Which 2 actions should an architect recommend to UC? Choose 2 answers

Options:

A.

Build a community builder page for the change password experience and Custom Visualforce page for the Forgot password experience.

B.

Build a custom visualforce page for both the change password and Forgot password experiences.

C.

Build a custom visualforce page for the change password experience and a community builder page for the Forgot password experience.

D.

Build a community builder page for both the change password and Forgot password experiences.

Question 35

Which two capabilities does My Domain enable in the context of a SAML SSO configuration? Choose 2 answers

Options:

A.

App Launcher

B.

Resource deep linking

C.

SSO from Salesforce Mobile App

D.

Login Forensics

Question 36

Which two roles of the systems are involved in an environment where salesforce users are enabled to access Google Apps from within salesforce through App launcher and connected App set up? Choose 2 answers

Options:

A.

Google is the identity provider

B.

Salesforce is the identity provider

C.

Google is the service provider

D.

Salesforce is the service provider

Question 37

The CIO of universal containers(UC) wants to start taking advantage of the refresh token capability for the UC applications that utilize Oauth 2.0. UC has listed an architect to analyze all of the applications that use Oauth flows to. See where refresh Tokens can be applied. Which two OAuth flows should the architect consider in their evaluation? Choose 2 answers

Options:

A.

Web server

B.

Jwt bearer token

C.

User-Agent

D.

Username-password