It is faster and easier to pass the Salesforce Identity-and-Access-Management-Designer exam by using actual Salesforce Certified Identity and Access Management Designer (SP19) questions and answers. Get immediate access to the up-to-date Identity-and-Access-Management-Designer exam and find the same core-area Identity-and-Access-Management-Designer questions with professionally verified answers, then pass your exam with a high score.
Free demo questions for Salesforce Identity-and-Access-Management-Designer Exam Dumps Below:
NEW QUESTION 1
An identity architect wants to secure Salesforce APIs using Security Assertion Markup Language (SAML). For security purposes, administrators will need to authorize the applications that will be consuming the APIs.
Which Salesforce OAuth authorization flow should be used?
- A. OAuth 2.0 SAML Bearer Assertion Flow
- B. OAuth 2.0 JWT Bearer Flow
- C. SAML Assertion Flow
- D. OAuth 2.0 User-Agent Flow
Answer: C
NEW QUESTION 2
Universal Containers (UC) wants to implement a partner community. As part of their implementation, UC would like to modify both the forgot password and change password experiences with custom branding for their partner community users. Which 2 actions should an architect recommend to UC? Choose 2 answers
- A. Build a Community Builder page for the change password experience and a custom Visualforce page for the forgot password experience.
- B. Build a custom Visualforce page for both the change password and forgot password experiences.
- C. Build a custom Visualforce page for the change password experience and a Community Builder page for the forgot password experience.
- D. Build a Community Builder page for both the change password and forgot password experiences.
Answer: BC
NEW QUESTION 3
Universal Containers (UC) is building a customer community and will allow customers to authenticate using Facebook credentials. The first time a user authenticates using Facebook, UC would like a customer account created automatically in their accounting system. The accounting system has a web service accessible to Salesforce for the creation of accounts. How can the Architect meet these requirements?
- A. Create a custom application on Heroku that manages the sign-on process from Facebook.
- B. Use JIT Provisioning to automatically create the account in the accounting system.
- C. Add an Apex callout in the registration handler of the authorization provider.
- D. Use OAuth JWT flow to pass the data from Salesforce to the Accounting System.
Answer: C
NEW QUESTION 4
Customer service representatives at Universal Containers (UC) are complaining that whenever they click on links to case records and are asked to log in with SAML SSO, they are being redirected to the Salesforce home tab and not the specific case record. What item should an architect advise the identity team at UC to investigate first?
- A. My Domain is configured and active within Salesforce.
- B. The Salesforce SSO settings are using HTTP POST
- C. The identity provider is correctly preserving the RelayState
- D. The users have the correct Federation ID within Salesforce.
Answer: C
NEW QUESTION 5
IT security at Universal Containers (UC) is concerned about recent phishing scams targeting its users and wants to add additional layers of login protection. What should an Architect recommend to address the issue?
- A. Use the Salesforce Authenticator mobile app with two-step verification
- B. Lock sessions to the IP address from which they originated.
- C. Increase Password complexity requirements in Salesforce.
- D. Implement Single Sign-on using a corporate Identity store.
Answer: A
NEW QUESTION 6
Universal Containers wants to implement Single Sign-on for a Salesforce org using an external Identity Provider and corporate identity store.
What type of authentication flow is required to support deep linking?
- A. Web Server OAuth SSO flow
- B. Service-Provider-Initiated SSO
- C. Identity-Provider-initiated SSO
- D. StartURL on Identity Provider
Answer: B
NEW QUESTION 7
A global fitness equipment manufacturer uses Salesforce to manage its sales cycle. The manufacturer has a custom order fulfillment app that needs to request order data from Salesforce. The order fulfillment app needs to integrate with the Salesforce API using OAuth 2.0 protocol.
What should an identity architect use to fulfill this requirement?
- A. Canvas App Integration
- B. OAuth Tokens
- C. Authentication Providers
- D. Connected App and OAuth scopes
Answer: D
NEW QUESTION 8
Universal Containers (UC) has a strict requirement to authenticate users to Salesforce using their mainframe credentials. The mainframe user store cannot be accessed from a SAML provider. UC would also like to have users in Salesforce created on the fly if they provide accurate mainframe credentials.
How can the Architect meet these requirements?
- A. Use a Salesforce Login Flow to call out to a web service and create the user on the fly.
- B. Use the SOAP API to create the user when created on the mainframe; implement Delegated Authentication.
- C. Implement Just-In-Time Provisioning on the mainframe to create the user on the fly.
- D. Implement OAuth User-Agent Flow on the mainframe; use a Registration Handler to create the user on the fly.
Answer: C
NEW QUESTION 9
Universal Containers (UC) would like to enable SAML-based SSO for a Salesforce partner community. UC has an existing LDAP identity store and a third-party portal. They would like to use the existing portal as the primary site these users access, but also want to allow seamless access to the partner community. What SSO flow should an architect recommend?
- A. User-Agent
- B. IdP-initiated
- C. SP-initiated
- D. Web server
Answer: B
NEW QUESTION 10
In a typical SSL setup involving a trusted party and trusting party, what consideration should an Architect take into account when using digital certificates?
- A. Use of self-signed certificate leads to lower maintenance for trusted party because multiple self-signed certs need to be maintained.
- B. Use of self-signed certificate leads to higher maintenance for trusted party because they have to act as the trusted CA
- C. Use of self-signed certificate leads to lower maintenance for trusting party because there is no trusted CA cert to maintain.
- D. Use of self-signed certificate leads to higher maintenance for trusting party because the cert needs to be added to their truststore.
Answer: C
NEW QUESTION 11
Universal Containers (UC) has implemented SAML-based single sign-on for their Salesforce application. UC is using PingFederate as the identity provider. To access Salesforce, users usually navigate to a bookmarked link to the My Domain URL. What type of single sign-on is this?
- A. SP-initiated
- B. IdP-initiated with deep linking
- C. IdP-initiated
- D. Web server flow
Answer: A
NEW QUESTION 12
Universal Containers (UC) has implemented SAML-based Single Sign-On to provide seamless access to its Salesforce Orgs, financial system, and CPQ system. Below is the SSO implementation landscape.
What role combination is represented by the systems in this scenario?
- A. Financial System and CPQ System are the only Service Providers.
- B. Salesforce Org1 and Salesforce Org2 are the only Service Providers.
- C. Salesforce Org1 and Salesforce Org2 are acting as Identity Providers.
- D. Salesforce Org1 and PingFederate are acting as Identity Providers.
Answer: D
NEW QUESTION 13
Universal Containers (UC) has decided to build a new, highly sensitive application on the Force.com platform. The security team at UC has decided that they want users to provide a fingerprint in addition to username/password to authenticate to this application. How can an architect support fingerprints as a form of identification for Salesforce authentication?
- A. Use Salesforce Two-factor Authentication with callouts to a third-party fingerprint scanning application.
- B. Use Delegated Authentication with callouts to a third-party fingerprint scanning application.
- C. Use an AppExchange product that does fingerprint scanning with native Salesforce identity confirmation.
- D. Use custom login flows with callouts to a third-party fingerprint scanning application.
Answer: D
NEW QUESTION 14
The security team at Universal Containers (UC) has identified exporting reports as a high-risk action and would like to require users to be logged into Salesforce with their Active Directory (AD) credentials when doing so. For all other uses of Salesforce, users should be allowed to use AD credentials or Salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with Salesforce credentials?
- A. Use SAML Federated Authentication and custom SAML JIT provisioning to dynamically add or remove a permission set that grants the Export Reports permission.
- B. Use SAML Federated Authentication, treat SAML sessions as high assurance, and raise the session level required for exporting reports.
- C. Use SAML Federated Authentication and block access to reports when accessed through a standard assurance session.
- D. Use SAML Federated Authentication with a login flow to dynamically add or remove a permission set that grants the Export Reports permission.
Answer: C
NEW QUESTION 15
Universal Containers is using OpenID Connect to enable a connection from their new mobile app to its production Salesforce org.
What should be done to enable the retrieval of the access token status for the OpenID Connect connection?
- A. Query using OpenID Connect discovery endpoint.
- B. Leverage OpenID Connect Token Introspection.
- C. Create a custom OAuth scope.
- D. Enable cross-origin resource sharing (CORS) for the /services/oauth2/token endpoint.
Answer: B
NEW QUESTION 16
Universal Containers (UC) is building a mobile application that will make calls to the Salesforce REST API. Additionally, UC would like to provide the optimal experience for its mobile users. Which two OAuth scopes should UC configure in the connected app? Choose 2 answers
- A. Refresh token
- B. API
- C. full
- D. Web
Answer: AB
NEW QUESTION 17
Universal Containers (UC) is building an integration between Salesforce and a legacy web application using the Canvas framework. The security team for UC has determined that a signed request from Salesforce is not an adequate authentication solution for the third-party app. Which two options should the Architect consider for authenticating the third-party app using the Canvas framework? Choose 2 answers
- A. Utilize the SAML Single Sign-on flow to allow the third-party to authenticate itself against UC's IdP.
- B. Utilize Authorization Providers to allow the third-party application to authenticate itself against Salesforce as the IdP.
- C. Utilize Canvas OAuth flow to allow the third-party application to authenticate itself against Salesforce as the IdP.
- D. Create a registration handler Apex class to allow the third-party application to authenticate itself against Salesforce as the IdP.
Answer: AC
NEW QUESTION 18
Northern Trail Outfitters (NTO) uses the Customer 360 Platform implemented on Salesforce Experience Cloud. The development team in charge has learned of a contactless user feature, which can reduce the overhead of managing customers and partners by creating users without contact information.
What is the potential impact to the architecture if NTO decides to implement this feature?
- A. Custom registration handler is needed to correctly assign External Identity or Community license for the newly registered contactless user.
- B. If contactless user is upgraded to Community license, the contact record is automatically created and linked to the user record, but not associated with an Account.
- C. Contactless user feature is available only with the External Identity license, which can restrict the Experience Cloud functionality available to the user.
- D. Passwordless authentication cannot be supported because the mobile phone receiving one-time password (OTP) needs to match the number on the contact record.
Answer: C
NEW QUESTION 19
Universal Containers (UC) is successfully using Delegated Authentication for their Salesforce users. The service supporting Delegated Authentication is written in Java. UC has a new CIO who is requiring that all company web services be RESTful and written in .NET. Which two considerations should the UC Architect provide to the new CIO? Choose 2 answers
- A. Delegated Authentication will not work with a .NET service.
- B. Delegated Authentication will continue to work with REST services.
- C. Delegated Authentication will continue to work with a .NET service.
- D. Delegated Authentication will not work with REST services.
Answer: CD
NEW QUESTION 20
Universal Containers (UC) has an existing Salesforce org configured for SP-initiated SAML SSO with their IdP. A second Salesforce org is being introduced into the environment and the IT team would like to ensure they can use the same IdP for the new org. What action should the IT team take while implementing the second org?
- A. Use the same SAML Identity location as the first org.
- B. Use a different Entity ID than the first org.
- C. Use the same request bindings as the first org.
- D. Use the Salesforce Username as the SAML Identity Type.
Answer: B
NEW QUESTION 21
......
Recommended: get the full Identity-and-Access-Management-Designer dumps in VCE and PDF from 2passeasy. Download: https://www.2passeasy.com/dumps/Identity-and-Access-Management-Designer/ (new 196 Q&As version)
