
2023年10月最新のSalesforce Identity-and-Access-Management-Architect問題集で更新された245問あります
PDF無料ダウンロードにはIdentity-and-Access-Management-Architect有効な練習テスト問題
Salesforce Identity-and-Access-Management-Architect認定試験は、Salesforceプラットフォーム内でアクセスとアイデンティティを管理するエキスパートになりたいと考えている個人を対象としています。認定試験は、Salesforceプラットフォームとそのセキュリティモデルに深い理解を持つ、経験豊富な管理者、開発者、およびアーキテクトを対象としています。この認定を取得するには、候補者は、組織のニーズを満たす複雑なアイデンティティとアクセス管理ソリューションを設計および実装する能力を証明する必要があります。
質問 # 14
Northern Trail Outfitters (NTO) recently purchased Salesforce Identity Connect to streamline user provisioning across Microsoft Active Directory (AD) and Salesforce Sales Cloud.
NTO has asked an identity architect to identify which salesforce security configurations can map to AD permissions.
Which three Salesforce permissions are available to map to AD permissions?
Choose 3 answers
- A. Field-Level Security
- B. Sharing Rules
- C. Profiles and Permission Sets
- D. Public Groups
- E. Roles
正解:C、D、E
解説:
Explanation
Salesforce Identity Connect can map AD groups to Salesforce public groups, roles, profiles, and permission sets. These permissions control the access and visibility of data and features in Salesforce. References:
Salesforce Identity Connect Implementation Guide
質問 # 15
Which two things should be done to ensure end users can only use single sign-on (SSO) to login in to Salesforce?
Choose 2 answers
- A. Assign user "is Single Sign-on Enabled" permission via profile or permission set.
- B. Request Salesforce Support to enable delegated authentication.
- C. Once SSO is enabled, users are only able to login using Salesforce credentials.
- D. Enable My Domain and select "Prevent login from https://login.salesforce.com".
正解:A、D
質問 # 16
Universal containers (UC) has implemented SAML -based single Sign-on for their salesforce application. UC is using PingFederate as the Identity provider. To access salesforce, Users usually navigate to a bookmarked link to my domain URL. What type of single Sign-on is this?
- A. IDP-initiated
- B. Web server flow.
- C. IDP-initiated with deep linking
- D. Sp-Initiated
正解:D
解説:
Explanation
The type of single sign-on that UC is using is SP-initiated, which means that the service provider (Salesforce) initiates the SSO process by sending a SAML request to the identity provider (PingFederate) when the user navigates to the My Domain URL3. Therefore, option A is the correct answer. References: SAML SSO with Salesforce as the Service Provider
質問 # 17
Universal Containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in Salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two are recommendations to make the UC? Choose 2 answers
- A. Use Google Authenticator as an additional part of the login process
- B. Require High Assurance sessions in order to use the Connected App.
- C. Set Login IP Ranges to the internal network for all of the app users Profiles.
- D. Disallow the use of Single Sign-on for any users of the mobile app.
正解:A、B
解説:
Explanation
Requiring High Assurance sessions and using Google Authenticator are two ways to enhance the security of the connected app.
Option B is correct because requiring High Assurance sessions means that the users must verify their identity using a second factor, such as a verification code or biometric scan, before they can access the connected app.
Option D is correct because using Google Authenticator as an additional part of the login process also adds a second factor of authentication, which can be generated by the Google Authenticator app on the user's mobile device.
Option A is incorrect because disallowing the use of Single Sign-on for any users of the mobile app does not improve the security of the app, and may create more inconvenience for the users who have to remember multiple credentials.
Option C is incorrect because setting Login IP Ranges to the internal network for all of the app users Profiles does not work for users who are commonly out of the office, as they may need to access the app from different locations.
References: [High Assurance Sessions], [Google Authenticator], [Single Sign-On], [Login IP Ranges]
質問 # 18
Universal Containers (UC) wants to integrate a third-party Reward Calculation system with Salesforce to calculate Rewards. Rewards will be calculated on a schedule basis and update back into Salesforce. The integration between Salesforce and the Reward Calculation System needs to be secure. Which are two recommended practices for using OAuth flow in this scenario. choose 2 answers
- A. OAuth Refresh Token FLow
- B. OAuth Username-Password Flow
- C. OAuth JWT Bearer Token FLow
- D. OAuth SAML Bearer Assertion FLow
正解:C、D
質問 # 19
Northern Trail Outfitters want to allow its consumer to self-register on it business-to-consumer (B2C) portal that is built on Experience Cloud. The identity architect has recommended to use Person Accounts.
Which three steps need to be configured to enable self-registration using person accounts?
Choose 3 answers
- A. Enable access to person and business account record types under Public Access Settings.
- B. Contact Salesforce Support to enable person accounts.
- C. Set organization-wide default sharing for Contact to Public Read Only.
- D. Contact Salesforce Support to enable business accounts.
- E. Under Login and Registration settings, ensure that the default account field is empty.
正解:A、B、E
質問 # 20
customer service representatives at Universal containers (UC) are complaining that whenever they click on links to case records and are asked to login with SAML SSO, they are being redirected to the salesforce home tab and not the specific case record. What item should an architect advise the identity team at UC to investigate first?
- A. My domain is configured and active within salesforce.
- B. The identity provider is correctly preserving the Relay state
- C. The salesforce SSO settings are using http post
- D. The users have the correct Federation ID within salesforce.
正解:B
質問 # 21
Universal Containers (UC) is building a custom Innovation platform on their Salesforce instance. The Innovation platform will be written completely in Apex and Visualforce and will use custom objects to store the Data. UC would like all users to be able to access the system without having to log in with Salesforce credentials. UC will utilize a third-party idp using SAML SSO. What is the optimal Salesforce licence type for all of the UC employees?
- A. Salesforce Licence.
- B. Salesforce Platform Licence.
- C. External Identity Licence.
- D. Identity Licence.
正解:B
解説:
Explanation
The optimal Salesforce license type for all of the UC employees who will access the custom Innovation platform without logging in with Salesforce credentials is the Salesforce Platform license. The Salesforce Platform license allows users to access custom applications built on the Lightning Platform, such as Apex and Visualforce, and use standard objects such as accounts, contacts, reports, dashboards, and custom tabs. It also supports SSO with a third-party identity provider using SAML. Option A is not a good choice because the Identity license is designed for users who need to access Salesforce Identity features, such as identity provider, social sign-on, and user provisioning, but not for users who need to access custom applications. Option B is not a good choice because the Salesforce license is designed for users who need full access to standard CRM and Lightning Platform features, such as leads, opportunities, campaigns, forecasts, and contracts, but it may be unnecessary or expensive for users who only need to access custom applications. Option C is not a good choice because the External Identity license is designed for users who are external to the organization, such as customers or partners, but not for users who are internal employees.
References: Salesforce Help: User License Types, [Salesforce Help: Single Sign-On for Desktop and Mobile Applications using SAML and OAuth]
質問 # 22
A consumer products company uses Salesforce to maintain consumer information, including orders. The company implemented a portal solution using Salesforce Experience Cloud for its consumers where the consumers can log in using their credentials. The company is considering allowing users to login with their Facebook or Linkedln credentials.
Once enabled, what role will Salesforce play?
- A. Salesforce will be the service provider (SP).
- B. Facebook and Linkedln will act as the IdPs and SPs.
- C. Facebook and Linkedln will be the SPs.
- D. Salesforce will be the identity provider (IdP).
正解:A
質問 # 23
Universal containers (UC) is building a mobile application that will make calls to the salesforce REST API.
Additionally UC would like to provide the optimal experience for its mobile users. Which two OAuth scopes should UC configure in the connected App? Choose 2 answers
- A. Refresh token
- B. API
- C. full
- D. Web
正解:A、B
質問 # 24
Universal containers (UC) employees have salesforce access from restricted ip ranges only, to protect against unauthorized access. UC wants to rollout the salesforce1 mobile app and make it accessible from any location.
Which two options should an architect recommend? Choose 2 answers
- A. Remove existing restrictions on ip ranges for all types of user access.
- B. Relax the ip restriction in the connect app settings for the salesforce1 mobile app
- C. Relax the ip restriction with a second factor in the connect app settings for salesforce1 mobile app
- D. Use login flow to bypass ip range restriction for the mobile app.
正解:B、C
解説:
Explanation
Relaxing the IP restriction in the connected app settings for the Salesforce1 mobile app and relaxing the IP restriction with a second factor in the connected app settings for Salesforce1 mobile app are two options that an architect should recommend. These options allow UC employees to access the Salesforce1 mobile app from any location, while still maintaining some level of security. Relaxing the IP restriction means that users can log in to the connected app from outside the trusted IP ranges defined in their profiles1. Adding a second factor means that users need to provide an additional verification method, such as a verification code or a security key, to access the app2. Using a login flow to bypass IP range restriction for the mobile app is not a recommended option because it can create a complex and inconsistent user experience3. Removing existing restrictions on IP ranges for all types of user access is not a recommended option because it can expose UC's data and applications to unauthorized access4. References: 1: Restrict Access to Trusted IP Ranges for a Connected App 2: Require Multi-Factor Authentication for Connected Apps 3: [Custom Login Flows] 4:
[Restrict Login Access by IP Address]
質問 # 25
A leading fitness tracker company is getting ready to launch a customer community. The company wants its customers to login to the community and connect their fitness device to their profile. Customers should be able to obtain exercise details and fitness recommendation in the community.
Which should be used to satisfy this requirement?
- A. Named Credentials
- B. OAuth Device Flow
- C. Login Flows
- D. Single Sign-On Settings
正解:B
質問 # 26
Universal Containers (UC) uses Salesforce to allow customers to keep track of the order status. The customers can log in to Salesforce using external authentication providers, such as Facebook and Google. UC is also leveraging the App Launcher to let customers access an of platform application for generating shipping labels.
The label generator application uses OAuth to provide users access. What license type should an Architect recommend for the customers?
- A. Customer Community license
- B. Identity license
- C. Customer Community Plus license
- D. External Identity license
正解:B
質問 # 27
Universal Containers would like its customers to register and log in to a portal built on Salesforce Experience Cloud. Customers should be able to use their Facebook or Linkedln credentials for ease of use.
Which three steps should an identity architect take to implement social sign-on?
Choose 3 answers
- A. Create authentication providers for both Facebook and Linkedln.
- B. Enable "Federated Single Sign-On Using SAML".
- C. Check "Facebook" and "Linkedln" under Login Page Setup.
- D. Register both Facebook and Linkedln as connected apps.
- E. Update the default registration handlers to create and update users.
正解:A、C、E
解説:
Explanation
To implement social sign-on for customers to register and log in to a portal built on Salesforce Experience Cloud using their Facebook or LinkedIn credentials, the identity architect should take three steps:
Create authentication providers for both Facebook and LinkedIn. Authentication providers are configurations that enable users to authenticate with an external identity provider and access Salesforce resources. Salesforce provides predefined authentication providers for some common identity providers, such as Facebook and LinkedIn, which can be easily configured with minimal customization.
Check "Facebook" and "LinkedIn" under Login Page Setup. Login Page Setup is a setting that allows administrators to customize the login page for Experience Cloud sites. By checking "Facebook" and
"LinkedIn", the identity architect can enable social sign-on buttons for these identity providers on the login page.
Update the default registration handlers to create and update users. Registration handlers are classes that implement the Auth.RegistrationHandler interface and define how to create or update users in Salesforce based on the information from the external identity provider. The identity architect can update the default registration handlers to link the user's social identity with their Salesforce identity and prevent duplicate accounts. References: Authentication Providers, Social Sign-On with Authentication Providers, Login Page Setup, Create a Custom Registration Handler
質問 # 28
What item should an Architect consider when designing a Delegated Authentication implementation?
- A. The web service should use the Salesforce Federation ID to identify the user.
- B. The Web service should be secured with TLS using Salesforce trusted certificates.
- C. The Web service should be able to accept one to four input method parameters.
- D. The Web service should implement a custom password decryption method.
正解:B
質問 # 29
Universal Containers (UC) is building an authenticated Customer Community for its customers. UC does not want customer credentials stored in Salesforce and is confident its customers would be willing to use their social media credentials to authenticate to the community. Which two actions should an Architect recommend UC to take?
- A. Use Delegated Authentication to call the Twitter login API to authenticate users.
- B. Configure an Authentication Provider for LinkedIn Social Media Accounts.
- C. Create a Custom Apex Registration Handler to handle new and existing users.
- D. Configure SSO Settings For Facebook to serve as a SAML Identity Provider.
正解:B、C
質問 # 30
An Architect has configured a SAML-based SSO integration between Salesforce and an external Identity provider and is ready to test it. When the Architect attempts to log in to Salesforce using SSO, the Architect receives a SAML error. Which two optimal actions should the Architect take to troubleshoot the issue?
- A. Ensure the Callback URL is correctly set in the Connected Apps settings.
- B. Use a browser that has an add-on/extension that can inspect SAML.
- C. Paste the SAML Assertion Validator in Salesforce.
- D. Use the browser's Development tools to view the Salesforce page's markup.
正解:B、C
質問 # 31
Universal containers (UC) uses a legacy Employee portal for their employees to collaborate and post their ideas. UC decides to use salesforce ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to push ideas posted on the Employee portal to salesforce through API. UC decides to use an API user using Oauth Username - password flow for the connection. How can the connection to salesforce be restricted only to the employee portal server?
- A. Add the Employee portals IP address to the Trusted IP range for the connected App
- B. Add the employee portals IP address to the login IP range on the user profile.
- C. Use a dedicated profile for the user the Employee portal uses.
- D. Use a digital certificate signed by the employee portal Server.
正解:A
解説:
Explanation
Adding the employee portal's IP address to the trusted IP range for the connected app is the best way to restrict the connection to Salesforce only to the employee portal server. This will ensure that only requests from the specified IP range will be accepted by Salesforce for that connected app. Option B is not a good choice because using a digital certificate signed by the employee portal server may not be supported by Salesforce for OAuth username-password flow. Option C is not a good choice because adding the employee portal's IP address to the login IP range on the user profile may not be sufficient, as it will still allow other users with the same profile to log in from that IP range. Option D is not a good choice because using a dedicated profile for the user that the employee portal uses may not be effective, as it will still allow other users with that profile to log in from any IP address. References: [Connected Apps], [OAuth 2.0 Username-Password Flow]
質問 # 32
Northern Trail Outfitters is implementing a business-to-business (B2B) collaboration site using Salesforce Experience Cloud. The partners will authenticate with an existing identity provider and the solution will utilize Security Assertion Markup Language (SAML) to provide single sign-on to Salesforce. Delegated administration will be used in the Expenence Cloud site to allow the partners to administer their users' access.
How should a partner identity be provisioned in Salesforce for this solution?
- A. Create a user and a related contact.
- B. Create a person account.
- C. Create a contactless user.
- D. Create only a contact.
正解:A
解説:
Explanation
To provision a partner identity in Salesforce for a B2B collaboration site using SAML SSO, the identity architect should create a user and a related contact. A user record is required to authenticate and authorize the partner to access Salesforce resources. A contact record is required to associate the partner with an account, which represents the partner's organization. A contactless user or a person account are not supported for B2B collaboration sites. References: User and Contact Records for Partner Users, Create Partner Users
質問 # 33
Universal Containers (UC) employees have Salesforce access from restricted IP ranges only, to protect against unauthorized access. UC wants to roll out the Salesforce1 mobile app and make it accessible from any location. Which two options should an Architect recommend? Choose 2 answers
- A. Use Login Flow to bypass IP range restriction for the mobile app.
- B. Relax the IP restriction with a second factor in the Connect App settings for Salesforce1 mobile app.
- C. Relax the IP restrictions in the Connect App settings for the Salesforce1 mobile app.
- D. Remove existing restrictions on IP ranges for all types of user access.
正解:B、C
解説:
Explanation
The two options that an architect should recommend for UC to roll out the Salesforce1 mobile app and make it accessible from any location are:
Relax the IP restriction with a second factor in the Connected App settings for Salesforce1 mobile app.
This option allows UC to enable two-factor authentication (2FA) for the Salesforce1 mobile app, which requires users to verify their identity with a second factor, such as a verification code or a mobile app, after entering their username and password. By enabling 2FA in the Connected App settings, UC can relax the IP restriction for the Salesforce1 mobile app, as users can access it from any location as long as they provide the second factor.
Relax the IP restrictions in the Connected App settings for the Salesforce1 mobile app. This option allows UC to disable or modify the IP restriction for the Salesforce1 mobile app in the Connected App settings, which control how users can access a connected app, such as Salesforce1. By relaxing the IP restrictions, UC can allow users to access the Salesforce1 mobile app from any location without requiring 2FA.
The other options are not recommended for this scenario. Removing existing restrictions on IP ranges for all types of user access would compromise security and compliance, as it would expose Salesforce to unauthorized access from any location. Using Login Flow to bypass IP range restriction for the mobile app would require custom code and logic, which could introduce complexity and errors. References: [Connected Apps], [Two-Factor Authentication], [Require a Second Factor of Authentication for Connected Apps], [IP Restrictions for Connected Apps], [Login Flows]
質問 # 34
Universal Containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in Salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two are recommendations to make the UC? Choose 2 answers
- A. Use Google Authenticator as an additional part of the login process
- B. Require High Assurance sessions in order to use the Connected App.
- C. Set Login IP Ranges to the internal network for all of the app users Profiles.
- D. Disallow the use of Single Sign-on for any users of the mobile app.
正解:A、B
質問 # 35
When designing a multi-branded Customer Identity and Access Management solution on the Salesforce Platform, how should an identity architect ensure a specific brand experience in Salesforce is presented?
- A. The Experience ID, which can be included in OAuth/Open ID flows and Security Assertion Markup Language (SAML) flows as a URL parameter.
- B. Add a custom parameter to the service provider's OAuth/SAML call and implement logic on its login page to apply branding based on the parameters value.
- C. Provide a brand picker that the end user can use to select its sub-brand when they arrive on salesforce.
- D. The Audience ID, which can be set in a shared cookie.
正解:A
解説:
Explanation
Configuring an authentication provider to delegate authentication to the LDAP directory ensures that users can only log in to Salesforce if they are active in the LDAP directory. This prevents terminated employees from accessing Salesforce with their old credentials. References: Authentication Providers, Delegated Authentication Single Sign-On
質問 # 36
Universal containers wants to implement SAML SSO for their internal salesforce users using a third-party IDP. After some evaluation, UC decides not to set up my domain for their salesforce.org. How does that decision impact their SSO implementation?
- A. Neithersp - nor IDP - initiated SSO will work
- B. IDP - initiated SSO will not work
- C. Either sp - or IDP - initiated SSO will work
- D. Sp-Initiated SSO will not work
正解:D
質問 # 37
Northern Trail Outfitters would like to automatically create new employee users in Salesforce with an appropriate profile that maps to its Active Directory Department.
How should an identity architect implement this requirement?
- A. Use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.
- B. Make a callout during the login flow to query department from Active Directory to assign the appropriate profile.
- C. Use a login flow to collect Security Assertion Markup Language attributes and assign the appropriate profile during Just-In-Time (JIT) provisioning.
- D. Use the createUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.
正解:A
質問 # 38
......
Identity-and-Access-Management-Architectテストエンジンお試しセット、Identity-and-Access-Management-Architect問題集PDF:https://jp.fast2test.com/Identity-and-Access-Management-Architect-premium-file.html
最新のSalesforce Identity-and-Access-Management-ArchitectのPDFと問題集で(2023)無料試験問題解答はここ:https://drive.google.com/open?id=1k7PWTuIGPiebPX_BJjPKmOizXWNCFmvi