The Secret Of Salesforce Identity-and-Access-Management-Designer Brain Dumps

NEW QUESTION 1
Universal Containers (UC) would like to enable self-registration for their Salesforce Partner Community Users. UC wants to capture some custom data elements from the partner user, and based on these data elements, wants to assign the appropriate Profile and Account values.
Which two actions should the Architect recommend to UC1 Choose 2 answers

• A. Configure Registration for Communities to use a custom Visualforce Page.
• B. Modify the SelfRegistration trigger to assign Profile and Account.
• C. Modify the CommunitiesSelfRegController to assign the Profile and Account.
• D. Configure Registration for Communities to use a custom Apex Controller.

Answer: AC

NEW QUESTION 2
A financial services company uses Salesforce and has a compliance requirement to track information about devices from which users log in. Also, a Salesforce Security Administrator needs to have the ability to revoke the device from which users log in.
What should be used to fulfill this requirement?

• A. Use multi-factor authentication (MFA) to meet the compliance requirement to track device information.
• B. Use the Activations feature to meet the compliance requirement to track device information.
• C. Use the Login History object to track information about devices from which users log in.
• D. Use Login Flows to capture device from which users log in and store device and user information in a custom object.

Answer: B

NEW QUESTION 3
customer service representatives at Universal containers (UC) are complaining that whenever they click on links to case records and are asked to login with SAML SSO, they are being redirected to the salesforce home tab and not the specific case record. What item should an architect advise the identity team at UC to investigate first?

• A. My domain is configured and active within salesforce.
• B. The salesforce SSO settings are using http post
• C. The identity provider is correctly preserving the Relay state
• D. The users have the correct Federation ID within salesforce.

Answer: C

NEW QUESTION 4
How should an Architect automatically redirect users to the login page of the external Identity provider when using an SP-Initiated SAML flow with Salesforce as a Service Provider?

• A. Use visualforce as the landing page for My Domain to redirect users to the Identity Provider login Page.
• B. Enable the Redirect to the Identity Provider setting under Authentication Services on the My domain Configuration.
• C. Remove the Login page from the list of Authentication Services on the My Domain configuration.
• D. Set the Identity Provider as default and enable the Redirect to the Identity Provider setting on the SAML Configuration.

Answer: C

NEW QUESTION 5
Universal Containers wants to implement SAML SSO for their internal Salesforce users using a third-party IdP. After some evaluation, UC decides not to set up My Domain for their Salesforce org. How does that decision impact their SSO implementation?

• A. SP-initiated SSO will not work.
• B. Neither SP- nor IdP-initiated SSO will work.
• C. Either SP- or IdP-initiated SSO will work.
• D. IdP-initiated SSO will not work.

Answer: B

NEW QUESTION 6
Universal Containers (UC) wants to build a mobile application that twill be making calls to the Salesforce REST API. UC's Salesforce implementation relies heavily on custom objects and custom Apex code. UC does not want its users to have to enter credentials every time they use the app. Which two scope values should an Architect recommend to UC? Choose 2 answers.

• A. Custom_permissions
• B. Api
• C. Refresh_token
• D. Full

Answer: BC

NEW QUESTION 7
Universal Containers (UC) is using a custom application that will act as the Identity Provider and will generate SAML assertions used to log in to Salesforce. UC is considering including custom parameters in the SAML assertion. These attributes contain sensitive data and are needed to authenticate the users. The assertions are submitted to salesforce via a browser form post. The majority of the users will only be able to access Salesforce via UC's corporate network, but a subset of admins and executives would be allowed access from outside the corporate network on their mobile devices. Which two methods should an Architect consider to ensure that the sensitive data cannot be tampered with, nor accessible to anyone while in transit?

• A. Use the Identity Provider's certificate to digitally sign and Salesforce's Certificate to encrypt the payload.
• B. Use Salesforce's Certificate to digitally sign the SAML Assertion and a Mobile Device Management client on the users' mobile devices.
• C. Use the Identity provider's certificate to digitally Sign and the Identity provider's certificate to encrypt the payload.
• D. Use a custom login flow to retrieve sensitive data using an Apex callout without including the attributes in the assertion.

Answer: AC

NEW QUESTION 8
Universal Containers (UC) wants to use Salesforce for sales orders and a legacy of system for order fulfillment. The legacy system must update the status of orders in 65* Salesforce in real time as they are fulfilled. UC decides to use OAuth for connecting the legacy system to Salesforce. What OAuth flow should be considered that doesn't require storing credentials, client secret or refresh tokens?

• A. Web Server flow
• B. JWT Bearer Token flow
• C. Username-Password flow
• D. User Agent flow

Answer: B

NEW QUESTION 9
Universal containers (UC) has a mobile application that calls the salesforce REST API. In order to prevent users from having to enter their credentials everytime they use the app, UC has enabled the use of refresh Tokens as part of the salesforce connected App and updated their mobile app to take advantage of the refresh token. Even after enabling the refresh token, Users are still complaining that they have to enter their credentials once a day. What is the most likely cause of the issue?

• A. The Oauth authorizations are being revoked by a nightly batch job.
• B. The refresh token expiration policy is set incorrectly in salesforce
• C. The app is requesting too many access Tokens in a 24-hour period
• D. The users forget to check the box to remember their credentials.

Answer: B

NEW QUESTION 10
Universal Containers built a custom mobile app for their field reps to create orders in Salesforce. OAuth is used for authenticating mobile users. The app is built in such a way that when a user session expires after Initial login, a new access token is obtained automatically without forcing the user to log in again. While that improved the field reps' productivity, UC realized that they need a "logout" feature.
What should the logout function perform in this scenario, where user sessions are refreshed automatically?

• A. Invoke the revocation URL and pass the refresh token.
• B. Clear out the client Id to stop auto session refresh.
• C. Invoke the revocation URL and pass the access token.
• D. Clear out all the tokens to stop auto session refresh.

Answer: A

NEW QUESTION 11
which three are features of federated Single Sign-on solutions? Choose 3 answers

• A. It federates credentials control to authorized applications.
• B. It establishes trust between Identity store and service provider.
• C. It solves all identity and access management problems.
• D. It improves affiliated applications adoption rates.
• E. It enables quick and easy provisioning and deactivating of users.

Answer: BCE

NEW QUESTION 12
Universal Containers (UC) is implementing Salesforce and would like to establish SAML SSO for its users to log in. UC stores its corporate user identities in a Custom Database. The UC IT Manager has heard good things about Salesforce Identity Connect as an Idp, and would like to understand what limitations they may face if they decided to use Identity Connect in their current environment. What limitation Should an Architect inform the IT Manager about?

• A. Identity Connect will not support user provisioning in UC's current environment.
• B. Identity Connect will only support Idp-initiated SAML flows in UC's current environment.
• C. Identity Connect will only support SP-initiated SAML flows in UC's current environment.
• D. Identity connect is not compatible with UC's current identity environment.

Answer: A

NEW QUESTION 13
Containers (UC) has decided to implement a federated single Sign-on solution using a third-party Idp. In reviewing the third-party products, they would like to ensure the product supports the automated provisioning and deprovisioning of users. What are the underlining mechanisms that the UC Architect must ensure are part of the product?

• A. SOAP API for provisioning; Just-in-Time (JIT) for Deprovisioning.
• B. Just-In-time (JIT) for Provisioning; SOAP API for Deprovisioning.
• C. Provisioning API for both Provisioning and Deprovisioning.
• D. Just-in-Time (JIT) for both Provisioning and Deprovisioning.

Answer: D

NEW QUESTION 14
Universal containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two are recommendations to make the UC? Choose 2 answers

• A. Disallow the use of single Sign-on for any users of the mobile app.
• B. Require high assurance sessions in order to use the connected App
• C. Use Google Authenticator as an additional part of the logical processes.
• D. Set login IP ranges to the internal network for all of the app users profiles.

Answer: BC

NEW QUESTION 15
Northern Trail Outfitters (NTO) has an existing custom business-to-consumer (B2C) website that does NOT support single sign-on standards, such as Security Assertion Markup Language (SAMi) or OAuth. NTO wants to use Salesforce Identity to register and authenticate new customers on the website.
Which two Salesforce features should an identity architect use in order to provide username/password authentication for the website?
Choose 2 answers

• A. Identity Connect
• B. Delegated Authentication
• C. Connected Apps
• D. Embedded Login

Answer: BD

NEW QUESTION 16
A global company has built an external application that uses data from its Salesforce org via an OAuth 2.0 authorization flow. Upon logout, the existing Salesforce OAuth token must be invalidated.
Which action will accomplish this?

• A. Use a HTTP POST to request the refresh token for the current user.
• B. Use a HTTP POST to the System for Cross-domain Identity Management (SCIM) endpoint, including the current OAuth token.
• C. Use a HTTP POST to make a call to the revoke token endpoint.
• D. Enable Single Logout with a secure logout URL.

Answer: C

NEW QUESTION 17
A third-party app provider would like to have users provisioned via a service endpoint before users access their app from Salesforce.
What should an identity architect recommend to configure the requirement with limited changes to the third-party app?

• A. Use a connected app with user provisioning flow.
• B. Create Canvas app in Salesforce for third-party app to provision users.
• C. Redirect users to the third-party app for registration.
• D. Use Salesforce identity with Security Assertion Markup Language (SAML) for provisioning users.

Answer: A

NEW QUESTION 18
Universal Containers (UC) has a mobile application for its employees that uses data from Salesforce as well as uses Salesforce for Authentication purposes. UC wants its mobile users to only enter their credentials the first time they run the app. The application has been live for a little over 6 months, and all of the users who were part of the initial launch are complaining that they have to re-authenticate. UC has also recently changed the URI Scheme associated with the mobile app. What should the Architect at UC first investigate?Universal Containers (UC) has a mobile application for its employees that uses data from Salesforce as well as uses Salesforce for Authentication purposes. UC wants its mobile users to only enter their credentials the first time they run the app. The application has been live for a little over 6 months, and all of the users who were part of the initial launch are complaining that they have to re-authenticate. UC has also recently changed the URI Scheme associated with the mobile app. What should the Architect at UC first investigate?

• A. Check the Refresh Token policy defined in the Salesforce Connected App.
• B. Validate that the users are checking the box to remember their passwords.
• C. Verify that the Callback URL is correctly pointing to the new URI Scheme.
• D. Confirm that the access Token's Time-To-Live policy has been set appropriately.

Answer: A

NEW QUESTION 19
......