[2023年10月26日] 有効なIdentity-and-Access-Management-Architectテスト解答とSalesforce Identity-and-Access-Management-Architect試験PDF問題を試そう [Q58-Q73]

Share

[2023年10月26日] 有効なIdentity-and-Access-Management-Architectテスト解答とSalesforce Identity-and-Access-Management-Architect試験PDF問題を試そう

実際に出るIdentity-and-Access-Management-Architect試験問題集には正確で更新された問題


Salesforce Certified Identity and Access Management Architectになるためには、複数選択肢とシナリオベースの問題で構成された厳しい試験に合格する必要があります。この試験はIAMの概念を理解し、実世界のシナリオでそれを適用する能力をテストするように設計されています。この試験は監視され、テストセンターで対面受験とオンラインでの受験が可能です。

 

質問 # 58
Universal containers (UC) is setting up their customer Community self-registration process. They are uncomfortable with the idea of assigning new users to a default account record. What will happen when customers self-register in the community?

  • A. The self-registration page will ask user to select an account.
  • B. The self-registration process will produce an error to the user.
  • C. The self-registration page will create a new account record.
  • D. The self-registration process will create a person Account record.

正解:B


質問 # 59
A large consumer company is planning to create a community and will requ.re login through the customers social identity. The following requirements must be met:
1. The customer should be able to login with any of their social identities, however salesforce should only have one user per customer.
2. Once the customer has been identified with a social identity, they should not be required to authonze Salesforce.
3. The customers personal details from the social sign on need to be captured when the customer logs into Salesforce using their social Identity.
3. If the customer modifies their personal details in the social site, the changes should be updated in Salesforce
.
Which two options allow the Identity Architect to fulfill the requirements?
Choose 2 answers

  • A. Use the custom registration handler to link social identities to Salesforce identities.
  • B. Use Login Flows to call an authentication registration handler to provision the user before logging the user into the community.
  • C. Use authentication providers for social sign-on and use the custom registration handler to insert or update personal details.
  • D. Redirect the user to a custom page that allows the user to select an existing social identity for login.

正解:A、C


質問 # 60
Universal containers (UC) would like to enable SSO between their existing Active Directory infrastructure and salesforce. The it team prefers to manage all users in Active Directory and would like to avoid doing any initial setup of users in salesforce directly, including the correct assignment of profiles, roles and groups.
Which two optimal solutions should UC use to provision users in salesforce? Choose 2 answers

  • A. Use an app exchange product to sync users from Active Directory to salesforce.
  • B. Use the salesforce REST API to sync users from active directory to salesforce
  • C. Use Identity connect to sync users from Active Directory to salesforce
  • D. Use Active Directory Federation Services to sync users from active directory to salesforce.

正解:A、C

解説:
Explanation
To provision users in Salesforce from Active Directory without doing any initial setup of users in Salesforce, UC can use an app exchange product or Identity Connect. An app exchange product is a third-party application that can synchronize users and groups from Active Directory to Salesforce using a web-based interface1. Identity Connect is a desktop application that can synchronize users and groups from Active Directory to Salesforce using a graphical user interface2. Both solutions can also map Active Directory attributes to Salesforce fields and assign profiles, roles, and permission sets to users12.
References: Active Directory Integration with Salesforce, Identity Connect


質問 # 61
Universal Containers is considering using Delegated Authentication as the sole means of Authenticating of Salesforce users. A Salesforce Architect has been brought in to assist with the implementation. What two risks Should the Architect point out? Choose 2 answers

  • A. Salesforce users will be locked out of Salesforce if the web service goes down.
  • B. Delegated Authentication is enabled or disabled for the entire Salesforce org.
  • C. The web service must reside on a public cloud service, such as Heroku.
  • D. UC will be required to develop and support a custom SOAP web service.

正解:A、D


質問 # 62
Universal Containers (UC) has a mobile application for its employees that uses data from Salesforce as well as uses Salesforce for Authentication purposes. UC wants its mobile users to only enter their credentials the first time they run the app. The application has been live for a little over 6 months, and all of the users who were part of the initial launch are complaining that they have to re-authenticate. UC has also recently changed the URI Scheme associated with the mobile app. What should the Architect at UC first investigate?Universal Containers (UC) has a mobile application for its employees that uses data from Salesforce as well as uses Salesforce for Authentication purposes. UC wants its mobile users to only enter their credentials the first time they run the app. The application has been live for a little over 6 months, and all of the users who were part of the initial launch are complaining that they have to re-authenticate. UC has also recently changed the URI Scheme associated with the mobile app. What should the Architect at UC first investigate?

  • A. Confirm that the access Token's Time-To-Live policy has been set appropriately.
  • B. Validate that the users are checking the box to remember their passwords.
  • C. Verify that the Callback URL is correctly pointing to the new URI Scheme.
  • D. Check the Refresh Token policy defined in the Salesforce Connected App.

正解:D

解説:
Explanation
The first thing that the architect at UC should investigate is the refresh token policy defined in the Salesforce connected app. A refresh token is a credential that allows an application to obtain new access tokens without requiring the user to re-authenticate. The refresh token policy determines how long a refresh token is valid and under what conditions it can be revoked. If the refresh token policy is set to expire after a certain period of time or after a change in IP address or device ID, then the users may have to re-authenticate after using the app for a while or from a different location or device. Option B is not a good choice because validating that the users are checking the box to remember their passwords may not be relevant, as the app uses SSO with a third-party identity provider and does not rely on Salesforce credentials. Option C is not a good choice because verifying that the callback URL is correctly pointing to the new URI scheme may not be necessary, as the callback URL is used for redirecting the user back to the app after authentication, but it does not affect how long the user can stay authenticated. Option D is not a good choice because confirming that the access token's time-to-live policy has been set appropriately may not be effective, as the access token's time-to-live policy determines how long an access token is valid before it needs to be refreshed by a refresh token, but it does not affect how long a refresh token is valid or when it can be revoked. References: [Connected Apps Developer Guide], [Digging Deeper into OAuth 2.0 on Force.com]


質問 # 63
Refer to the exhibit.

Outfitters (NTO) is using Experience Cloud as an Identity for its application on Heroku. The application on Heroku should be able to handle two brands, Northern Trail Shoes and Northern Trail Shirts.
A user should select either of the two brands in Heroku before logging into the community. The app then performs Authorization using OAuth2.0 with the Salesforce Experience Cloud site.
NTO wants to make sure it renders login page images dynamically based on the user's brand preference selected in Heroku before Authorization.
what should an identity architect do to fulfill the above requirements?

  • A. Create multiple login screens using Experience Builder and use Login Flows at runtime to route to different login screens.
  • B. For each brand create different communities and redirect users to the appropriate community using a custom Login controller written in Apex.
  • C. Authorize third-party service by sending authorization requests to the community-url/services/oauth2/authorize/cookie_value.
  • D. Authorize third-party service by sending authorization requests to the community-url/services/oauth2/authonze/expid_value.

正解:D

解説:
Explanation
OAuth 2.0 is an open standard for authorization that allows a third-party application to obtain limited access to a protected resource on behalf of a user. To authorize a third-party service using OAuth 2.0 with the Salesforce Experience Cloud site, the identity architect should do the following steps:
Create a connected app for the third-party service in Salesforce. A connected app is an application that integrates with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect. To create a connected app, you need to provide the basic information, such as the app name, logo URL, contact email, and API name. You also need to enable OAuth and configure the OAuth settings, such as the callback URL, the scopes, and the policies.
Authorize the third-party service by sending authorization requests to the community-url/services/oauth2/authorize/expid_value. This is a special endpoint that allows you to specify an experience ID (expid) as a query parameter in the authorization request. The experience ID is a unique identifier for each experience (community or site) in Salesforce. By using this endpoint, you can dynamically render the login page images based on the user's brand preference selected in the third-party service before authorization.
References:
OAuth 2.0
OAuth 2.0 Web Server Authentication Flow
Connected Apps
Create a Connected App
Experience ID
Authorize Apps with OAuth


質問 # 64
An Identity and Access Management (IAM) Architect is recommending Identity Connect to integrate Microsoft Active Directory (AD) with Salesforce for user provisioning, deprovisioning and single sign-on (SSO).
Which feature of Identity Connect is applicable for this scenano?

  • A. Identity Connect can be deployed as a managed package on salesforce org, leveraging High Availability of Salesforce Platform out-of-the-box.
  • B. When configured, Identity Connect acts as an identity provider to both Active Directory and Salesforce, thus providing SSO as a default feature.
  • C. When Identity Connect is in place, if a user is deprovisioned in an on-premise AD, the user's Salesforce session Is revoked Immediately.
  • D. If the number of provisioned users exceeds Salesforce licence allowances, identity Connect will start disabling the existing Salesforce users in First-in, First-out (FIFO) fashion.

正解:C


質問 # 65
Universal Containers (UC) currently uses Salesforce Sales Cloud and an external billing application. Both Salesforce and the billing application are accessed several times a day to manage customers. UC would like to configure single sign-on and leverage Salesforce as the identity provider. Additionally, UC would like the billing application to be accessible from Salesforce. A redirect is acceptable.
Which two Salesforce tools should an identity architect recommend to satisfy the requirements?
Choose 2 answers

  • A. App Launcher
  • B. Connected Apps
  • C. salesforce Canvas
  • D. Identity Connect

正解:A、C


質問 # 66
A farming enterprise offers smart farming technology to its farmer customers, which includes a variety of sensors for livestock tracking, pest monitoring, climate monitoring etc. They plan to store all the data in Salesforce. They would also like to ensure timely maintenance of the Installed sensors. They have engaged a salesforce Architect to propose an appropriate way to generate sensor Information In Salesforce.
Which OAuth flow should the architect recommend?

  • A. OAuth 2.0 SAML Bearer Assertion Flow
  • B. OAuth 2.0 Device Authentication Row
  • C. OAuth 2.0 JWT Bearer Token Flow
  • D. OAuth 2.0 Asset Token Flow

正解:D


質問 # 67
Universal Containers (UC) plans to use a SAML-based third-party IdP serving both of the Salesforce Partner Community and the corporate portal. UC partners will log in 65* to the corporate portal to access protected resources, including links to Salesforce resources. What would be the recommended way to configure the IdP so that seamless access can be achieved in this scenario?

  • A. Configure SP-initiated SSO that passes the SAML token upon Salesforce resource access request.
  • B. Set up the corporate portal as a Connected App in Salesforce and use the Web server OAuth flow.
  • C. Configure IdP-initiated SSO that passes the SAML token upon Salesforce resource access request.
  • D. Set up the corporate portal as a Connected App in Salesforce and use the User Agent OAuth flow.

正解:C


質問 # 68
In an SP-Initiated SAML SSO setup where the user tries to access a resource on the Service Provider, What HTTP param should be used when submitting a SAML Request to the Idp to ensure the user is returned to the intended resourse after authentication?

  • A. RedirectURL
  • B. RelayState
  • C. DisplayState
  • D. StartURL

正解:B

解説:
Explanation
The HTTP parameter that should be used when submitting a SAML request to the IdP to ensure the user is returned to the intended resource after authentication is RelayState. RelayState is an optional parameter that can be used to preserve some state information across the SSO process. For example, RelayState can be used to specify the URL of the resource that the user originally requested on the SP before being redirected to the IdP for authentication. After the IdP validates the user's identity and sends back a SAML response, it also sends back the RelayState parameter with the same value as it received from the SP. The SP then uses the RelayState value to redirect the user to the intended resource after validating the SAML response. The other options are not valid HTTP parameters for this purpose. RedirectURL, DisplayState, and StartURL are not standard SAML parameters and they are not supported by Salesforce as SP or IdP. References: [SAML SSO Flows], [RelayState Parameter]


質問 # 69
Northern Trail Outfitters (NTO) uses Salesforce for Sales Opportunity Management. Okta was recently brought in to Just-in-Time (JIT) provision and authenticate NTO users to applications. Salesforce users also use Okta to authorize a Forecasting web application to access Salesforce records on their behalf.
Which two roles are being performed by Salesforce?
Choose 2 answers

  • A. SAML Service Provider
  • B. OAuth Client
  • C. SAML Identity Provider
  • D. OAuth Resource Server

正解:A、B

解説:
Explanation
Salesforce acts as an OAuth client when it uses Okta to authorize a Forecasting web application to access Salesforce records on behalf of the user. Salesforce acts as a SAML service provider when it accepts SAML assertions from Okta to authenticate NTO users. References: OAuth 2.0 Web Server Authentication Flow, SAML Single Sign-On Overview


質問 # 70
Universal containers (UC) is building a mobile application that will make calls to the salesforce REST API.
Additionally, UC would like to provide the optimal experience for its mobile users. Which two OAuth scopes should UC configure in the connected App? Choose 2 answers

  • A. Web
  • B. full
  • C. Refresh token
  • D. API

正解:C、D

解説:
Explanation
The two OAuth scopes that UC should configure in the connected app are:
Refresh token. This scope allows the mobile app to obtain a refresh token from Salesforce when it obtains an access token. A refresh token can be used to obtain a new access token when the previous one expires or becomes invalid. This scope enables UC to provide an optimal experience for its mobile users by reducing the number of login prompts and authentication failures.
API. This scope allows the mobile app to make REST API calls to Salesforce using the access token.
The REST API allows the mobile app to access or manipulate data and metadata in Salesforce using HTTP methods. This scope enables UC to build a custom mobile app that can connect to Salesforce and perform various operations on Salesforce resources.
References: [OAuth Scopes], [Connected Apps], [Refresh Token], [REST API]


質問 # 71
An Enterprise is using a Lightweight Directory Access Protocol (LDAP ) server as the only point for user authentication with a username/password. Salesforce delegated authentication is configured to integrate Salesforce under single sign-on (SSO).
Mow can end users change their password?

  • A. Users can change it on the enterprise LDAP authentication portal.
  • B. Users can click on the "Forgot your Password" link on the Salesforce.com login page.
  • C. Users once logged In, can go to the Change Password screen in Salesforce.
  • D. Users can request the Salesforce Admin to reset their password.

正解:D

解説:
Explanation
Users can request the Salesforce Admin to reset their password if they are using delegated authentication with LDAP. The other options are not applicable for this scenario, as the password is managed by the LDAP server, not by Salesforce. References: Delegated Authentication, FAQs for Delegated Authentication


質問 # 72
Universal Containers (UC) has an existing Salesforce org configured for SP-Initiated SAML SSO with their Idp. A second Salesforce org is being introduced into the environment and the IT team would like to ensure they can use the same Idp for new org. What action should the IT team take while implementing the second org?

  • A. Use the same request bindings as the first org.
  • B. Use the Salesforce Username as the SAML Identity Type.
  • C. Use a different Entity ID than the first org.
  • D. Use the same SAML Identity location as the first org.

正解:C


質問 # 73
......


Salesforce認定IAM Architect認定は、世界中で認識されており、雇用主によって高く評価されています。これは、専門家がアイデンティティとアクセス管理ソリューションの専門知識を示し、キャリアを促進する優れた方法です。この認定は、アイデンティティとアクセス管理の知識とベストプラクティスを共有する専門家のコミュニティへのアクセスも提供します。この認定により、専門家はセキュリティへのコミットメントを実証し、アイデンティティとアクセス管理の分野のリーダーとしての地位を確立できます。

 

Identity-and-Access-Management-Architect試験問題集でPDF問題とテストエンジン:https://jp.fast2test.com/Identity-and-Access-Management-Architect-premium-file.html

Identity-and-Access-Management-Architect問題集で必ず合格させる試験:https://drive.google.com/open?id=1k7PWTuIGPiebPX_BJjPKmOizXWNCFmvi


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어