Identity and Access Management Designer Identity-and-Access-Management-Architect最新問題集で2024年03月04日
2024年最新の問題をマスター!Identity and Access Management Designer合格目指そう!Identity-and-Access-Management-Architectリアル試験問題集!
質問 # 41
Universal Containers (UC) uses Salesforce for its customer service agents. UC has a proprietary system for order tracking which supports Security Assertion Markup Language (SAML) based single sign-on. The VP of customer service wants to ensure only active Salesforce users should be able to access the order tracking system which is only visible within Salesforce.
What should be done to fulfill the requirement?
Choose 2 answers
- A. Setup Salesforce as an identity provider (IdP) for order Tracking.
- B. Customize Order Tracking to initiate a REST call to validate users in Salesforce after login.
- C. Set up the Corporate Identity store as an identity provider (IdP) for Order Tracking,
- D. Setup Order Tracking as a Canvas app in Salesforce to POST IdP initiated SAML assertion.
正解:A、C
質問 # 42
Universal containers (UC) has built a custom based Two-factor Authentication (2fa) system for their existing on-premise applications. Thru are now implementing salesforce and would like to enable a Two-factor login process for it, as well. What is the recommended solution an architect should consider?
- A. Replace the custom 2fa system with an app exchange app that supports on-premise applications and salesforce.
- B. Use custom login flows to connect to the existing custom 2fa system for use in salesforce.
- C. Use the custom 2fa system for on-premise applications and native 2fa for salesforce.
- D. Replace the custom 2fa system with salesforce 2fa for on-premise application and salesforce.
正解:B
質問 # 43
A global company's Salesforce Identity Architect is reviewing its Salesforce production org login history and is seeing some intermittent Security Assertion Markup Language (SAML SSO) 'Replay Detected and Assertion Invalid' login errors.
Which two issues would cause these errors?
Choose 2 answers
- A. The assertion sent to 5alesforce contains an assertion ID previously used.
- B. The subject element is missing from the assertion sent to salesforce.
- C. The certificate loaded into SSO configuration does not match the certificate used by the IdP.
- D. The current time setting of the company's identity provider (IdP) and Salesforce platform is out of sync by more than eight minutes.
正解:A、D
解説:
Explanation
A SAML SSO 'Replay Detected and Assertion Invalid' error occurs when Salesforce detects that the same assertion has been used more than once within the validity period. This can happen if the assertion ID is reused by the IdP or if the assertion is resent by the user. Another possible cause is that the time settings of the IdP and Salesforce are not synchronized, which can result in an assertion being valid for a shorter or longer period than expected. References: SAML Single Sign-On Settings, Troubleshoot SAML Single Sign-On
質問 # 44
universal container plans to develop a custom mobile app for the sales team that will use salesforce for authentication and access management. The mobile app access needs to be restricted to only the sales team.
What would be the recommended solution to grant mobile app access to sales users?
- A. Add a new identity provider to authenticate and authorize mobile users.
- B. Use a custom attribute on the user object to control access to the mobile app
- C. Use the permission set license to assign the mobile app permission to sales users
- D. Use connected apps Oauth policies to restrict mobile app access to authorized users.
正解:D
質問 # 45
A Salesforce customer is implementing Sales Cloud and a custom pricing application for its call center agents.
An Enterprise single sign-on solution is used to authenticate and sign-in users to all applications. The customer has the following requirements:
1. The development team has decided to use a Canvas app to expose the pricing application to agents.
2. Agents should be able to access the Canvas app without needing to log in to the pricing application.
Which two options should the identity architect consider to provide support for the Canvas app to initiate login for users?
Choose 2 answers
- A. Select "Enable as a Canvas Personal App" in the connected app settings.
- B. Enable OAuth settings in the connected app with required OAuth scopes for the pricing application.
- C. Enable SAML in the connected app and Security Assertion Markup Language (SAML) Initiation Method as Service Provider Initiated.
- D. Configure the Canvas app as a connected app and set Admin-approved users as pre-authorized.
正解:C、D
質問 # 46
Universal Containers is implementing a new Experience Cloud site and the identity architect wants to use dynamic branding features as of the login process.
Which two options should the identity architect recommend to support dynamic branding for the site?
Choose 2 answers
- A. To use dynamic branding, the community must be built with the Visuaiforce + Salesforce Tabs template.
- B. An external content management system (CMS) must be used for dynamic branding on Experience Cloud sites.
- C. To use dynamic branding, the community must be built with the Customer Account Portal template.
- D. An experience ID (expid) or placeholder parameter must be used in the URL to represent the brand.
正解:C、D
質問 # 47
Universal containers (UC) is building a mobile application that will make calls to the salesforce REST API.
Additionally UC would like to provide the optimal experience for its mobile users. Which two OAuth scopes should UC configure in the connected App? Choose 2 answers
- A. Refresh token
- B. API
- C. full
- D. Web
正解:A、B
質問 # 48
Refer to the exhibit.
Outfitters (NTO) is using Experience Cloud as an Identity for its application on Heroku. The application on Heroku should be able to handle two brands, Northern Trail Shoes and Northern Trail Shirts.
A user should select either of the two brands in Heroku before logging into the community. The app then performs Authorization using OAuth2.0 with the Salesforce Experience Cloud site.
NTO wants to make sure it renders login page images dynamically based on the user's brand preference selected in Heroku before Authorization.
what should an identity architect do to fulfill the above requirements?
- A. Authorize third-party service by sending authorization requests to the community-url/services/oauth2/authonze/expid_value.
- B. For each brand create different communities and redirect users to the appropriate community using a custom Login controller written in Apex.
- C. Create multiple login screens using Experience Builder and use Login Flows at runtime to route to different login screens.
- D. Authorize third-party service by sending authorization requests to the community-url/services/oauth2/authorize/cookie_value.
正解:A
解説:
Explanation
OAuth 2.0 is an open standard for authorization that allows a third-party application to obtain limited access to a protected resource on behalf of a user. To authorize a third-party service using OAuth 2.0 with the Salesforce Experience Cloud site, the identity architect should do the following steps:
Create a connected app for the third-party service in Salesforce. A connected app is an application that integrates with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect. To create a connected app, you need to provide the basic information, such as the app name, logo URL, contact email, and API name. You also need to enable OAuth and configure the OAuth settings, such as the callback URL, the scopes, and the policies.
Authorize the third-party service by sending authorization requests to the community-url/services/oauth2/authorize/expid_value. This is a special endpoint that allows you to specify an experience ID (expid) as a query parameter in the authorization request. The experience ID is a unique identifier for each experience (community or site) in Salesforce. By using this endpoint, you can dynamically render the login page images based on the user's brand preference selected in the third-party service before authorization.
References:
OAuth 2.0
OAuth 2.0 Web Server Authentication Flow
Connected Apps
Create a Connected App
Experience ID
Authorize Apps with OAuth
質問 # 49
Universal containers (UC) has an e-commerce website while customers can buy products, make payments, and manage their accounts. UC decides to build a customer Community on Salesforce and wants to allow the customers to access the community for their accounts without logging in again. UC decides to implement ansp-Initiated SSO using a SAML-BASED complaint IDP. In this scenario where salesforce is the service provider, which two activities must be performed in salesforce to make sp-Initiated SSO work? Choose 2 answers
- A. Configure Delegated Authentication
- B. Create a connected App
- C. Set up my domain
- D. Configure SAML SSO settings.
正解:C、D
質問 # 50
Universal Containers wants to secure its Salesforce APIs by using an existing Security Assertion Markup Language (SAML) configuration supports the company's single sign-on process to Salesforce, Which Salesforce OAuth authorization flow should be used?
- A. A SAML Assertion Row
- B. OAuth 2.0 JWT Bearer Flow
- C. OAuth 2.0 User-Agent Flow
- D. OAuth 2.0 SAML Bearer Assertion Flow
正解:A
質問 # 51
The security team at Universal containers(UC) has identified exporting reports as a high-risk action and would like to require users to be logged into salesforce with their active directory (AD) credentials when doing so.
For all other uses of Salesforce, Users should be allowed to use AD credentials or salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with salesforce credentials?
- A. Use SAML Federated Authentication and block access to reports when accesses through a standard assurance session.
- B. Use SAML Federated Authentication, treat SAML sessions as high assurance, and raise the session level required for exporting reports.
- C. Use SAML Federated Authentication with a login flow to dynamically add or remove a permission set that grants the export reports permission.
- D. Use SAML Federated Authentication and Custom SAML jit provisioning to dynamically add or remove a permission set that grants the Export Reports permission.
正解:B
解説:
Explanation
Using SAML Federated Authentication, treating SAML sessions as high assurance, and raising the session level required for exporting reports is the solution that should be recommended. This solution ensures that users can only export reports when they log in using AD credentials, which provide a high level of identity verification. Users who log in using Salesforce credentials, which provide a standard level of security, can still view reports but not export them. To implement this solution, you need to configure SAML Federated Authentication with AD as the identity provider4, set the session security level for SAML assertions to high assurance5, and require high-assurance session security for exporting reports1. This solution also avoids the complexity and overhead of creating and managing custom permission sets or login flows.
質問 # 52
Universal Containers want users to be able to log in to the Salesforce mobile app with their Active Directory password. Employees are unable to use mobile VPN.
Which two options should an identity architect recommend to meet the requirement?
Choose 2 answers
- A. Salesforce Identity Connect
- B. Active Directory Password Sync Plugin
- C. Configure Cloud Provider Load Balancer
- D. Salesforce Trigger & Field on Contact Object
正解:A、B
質問 # 53
Universal Containers (UC) wants to build a mobile application that twill be making calls to the Salesforce REST API. UC's Salesforce implementation relies heavily on custom objects and custom Apex code. UC does not want its users to have to enter credentials every time they use the app. Which two scope values should an Architect recommend to UC? Choose 2 answers.
- A. Full
- B. Custom_permissions
- C. Api
- D. Refresh_token
正解:C、D
解説:
Explanation
The two scope values that an architect should recommend to UC are api and refresh_token. The api scope allows the app to access the Salesforce REST API and use custom objects and custom Apex code. The refresh_token scope allows the app to obtain a refresh token that can be used to get new access tokens without requiring the user to re-enter credentials. Option A is not a good choice because the custom_permissions scope allows the app to access custom permissions in Salesforce, but it does not affect how the app can access the REST API or avoid user re-authentication. Option D is not a good choice because the full scope allows the app to access all data accessible by the user, including the web UI and the API, but it may be unnecessary or insecure for UC's requirement. References: OAuth 2.0 Web Server Authentication Flow, Digging Deeper into OAuth 2.0 on Force.com
質問 # 54
Under which scenario Web Server flow will be used?
- A. Used for web applications when server-side code needs to interact with APIS.
- B. Used for mobile applications and testing legacy Integrations.
- C. Used for verifying Access protected resources.
- D. Used for server-side components when page needs to be rendered.
正解:A
質問 # 55
A group of users try to access one of universal containers connected apps and receive the following error message : "Failed : Not approved for access". what is most likely to cause of the issue?
- A. The use of high assurance sections are required for the connected App.
- B. The users do not have the correct permission set assigned to them.
- C. The salesforce administrators gave revoked the Oauth authorization.
- D. The connected App setting "All users may self-authorize" is enabled.
正解:B
質問 # 56
A financial services company uses Salesforce and has a compliance requirement to track information about devices from which users log in. Also, a Salesforce Security Administrator needs to have the ability to revoke the device from which users log in.
What should be used to fulfill this requirement?
- A. Use the Login History object to track information about devices from which users log in.
- B. Use the Activations feature to meet the compliance requirement to track device information.
- C. Use Login Flows to capture device from which users log in and store device and user information in a custom object.
- D. Use multi-factor authentication (MFA) to meet the compliance requirement to track device information.
正解:B
質問 # 57
Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for to give its customers the ability to login with their Facebook and Twitter credentials.
Which two actions should an identity architect recommend to meet these requirements?
Choose 2 answers
- A. Configure a predefined authentication provider for Twitter.
- B. Create a custom external authentication provider for Twitter.
- C. Configure a predefined authentication provider for Facebook.
- D. Create a custom external authentication provider for Facebook.
正解:A、C
解説:
Explanation
To give customers the ability to login with their Facebook and Twitter credentials, the identity architect should configure a predefined authentication provider for Facebook and a predefined authentication provider for Twitter. Authentication providers are configurations that enable users to authenticate with an external identity provider and access Salesforce resources. Salesforce provides predefined authentication providers for some common identity providers, such as Facebook and Twitter, which can be easily configured with minimal customization. Creating a custom external authentication provider is not necessary for this scenario.
References: Authentication Providers, Social Sign-On with Authentication Providers
質問 # 58
Universal Containers (UC) is rolling out its new Customer Identity and Access Management Solution built on top of its existing Salesforce instance. UC wants to allow customers to login using Facebook, Google, and other social sign-on providers.
How should this functionality be enabled for UC, assuming ail social sign-on providers support OpenID Connect?
- A. Configure a single sign-on setting and a registration handler for each social sign-on provider.
- B. Configure a single sign-on setting and a JIT handler for each social sign-on provider.
- C. Configure an authentication provider and a Just-In-Time (JIT) handler for each social sign-on provider.
- D. Configure an authentication provider and a registration handler for each social sign-on provider.
正解:D
解説:
Explanation
To allow customers to login using Facebook, Google, and other social sign-on providers, the identity architect should configure an authentication provider and a registration handler for each social sign-on provider.
Authentication providers are configurations that enable users to authenticate with an external identity provider and access Salesforce resources. OpenID Connect is a protocol that allows users to sign in with an external identity provider, such as Facebook or Google, and access Salesforce resources. To enable this, the identity architect needs to configure an OpenID Connect Authentication Provider in Salesforce and link it to a connected app. A registration handler is a class that implements the Auth.RegistrationHandler interface and defines how to create or update users in Salesforce based on the information from the external identity provider. The registration handler can also be used to link the user's social identity with their Salesforce identity and prevent duplicate accounts. References: OpenID Connect Authentication Providers, Social Sign-On with OpenID Connect, Create a Custom Registration Handler
質問 # 59
Northern Trail Outfitters (NTO) is setting up Salesforce to authenticate users with an external identity provider. The NTO Salesforce Administrator is having trouble getting things setup.
What should an identity architect use to show which part of the login assertion is fading?
- A. Security Assertion Markup Language Validator
- B. SAML Metadata file importer
- C. Identity Provider Metadata download
- D. Connected App Manager
正解:A
質問 # 60
Refer to the exhibit.
Outfitters (NTO) is using Experience Cloud as an Identity for its application on Heroku. The application on Heroku should be able to handle two brands, Northern Trail Shoes and Northern Trail Shirts.
A user should select either of the two brands in Heroku before logging into the community. The app then performs Authorization using OAuth2.0 with the Salesforce Experience Cloud site.
NTO wants to make sure it renders login page images dynamically based on the user's brand preference selected in Heroku before Authorization.
what should an identity architect do to fulfill the above requirements?
- A. Authorize third-party service by sending authorization requests to the community-url/services/oauth2/authonze/expid_value.
- B. For each brand create different communities and redirect users to the appropriate community using a custom Login controller written in Apex.
- C. Create multiple login screens using Experience Builder and use Login Flows at runtime to route to different login screens.
- D. Authorize third-party service by sending authorization requests to the community-url/services/oauth2/authorize/cookie_value.
正解:A
質問 # 61
Universal Containers (UC) uses Active Directory (AD) as their identity store for employees and must continue to do so for network access. UC is undergoing a major transformation program and moving all of their enterprise applications to cloud platforms including Salesforct, Workday, and SAP HANA. UC needs to implement an SSO solution for accessing all of the third-party cloud applications and the CIO is inclined to use Salesforce for all of their identity and access management needs.
Which two Salesforce license types does UC need for its employees'
Choose 2 answers
- A. Salesforce and Identity Connect licenses
- B. Chatter Only and Identity licenses
- C. Identity and Identity Connect licenses
- D. Company Community and Identity licenses
正解:A、C
質問 # 62
Universal Containers (UC) has a Customer Community that uses Facebook for of authentication. UC would like to ensure that changes in the Facebook profile are 65. reflected on the appropriate Customer Community user. How can this requirement be met?
- A. Use information in the Signed Request that is received from Facebook.
- B. Use the updateUser() method on the Registration Handler class.
- C. Develop a scheduled job that calls out to Facebook on a nightly basis.
- D. Use SAML Just-In-Time Provisioning between Facebook and Salesforce.
正解:B
質問 # 63
Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Act Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee recently was able to login to NTO's Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory.
What should an identity architect recommend to prevent this from happening in the future?
- A. use a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce.
- B. Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP.
- C. Setup an identity provider (IdP) to authenticate users using LDAP, set up single sign-on to Salesforce and disable Login Form authentication.
- D. Configure an authentication provider to delegate authentication to the LDAP directory.
正解:D
解説:
Explanation
Login History allows administrators to view the login attempts of all users in the org, including the status, source IP, login type, and application. This can help identify and troubleshoot any login errors or issues.
References: Login History
質問 # 64
A company's external application is protected by Salesforce through OAuth. The identity architect for the project needs to limit the level of access to the data of the protected resource in a flexible way.
What should be done to improve security?
- A. Leverage external objects and data classification policies.
- B. Create custom scopes and assign to the connected app.
- C. Define a permission set that grants access to the app and assign to authorized users.
- D. Select "Admin approved users are pre-authonzed" and assign specific profiles.
正解:B
質問 # 65
An identity architect is setting up an integration between Salesforce and a third-party system. The third-party system needs to authenticate to Salesforce and then make API calls against the REST API.
One of the requirements is that the solution needs to ensure the third party service providers connected app in Salesforce mini need for end user interaction and maximizes security.
Which OAuth flow should be used to fulfill the requirement?
- A. JWT Bearer Flow
- B. User Agent Flow
- C. Username-Password Flow
- D. Web Server Flow
正解:A
解説:
Explanation
JWT Bearer Flow allows the third-party system to authenticate to Salesforce using a digital certificate and a JSON Web Token (JWT) without any user interaction. It also provides a high level of security as it does not require sharing credentials or storing tokens. References: OAuth 2.0 JWT Bearer Token Flow
質問 # 66
......
完全版は2024年最新のIdentity-and-Access-Management-Architect試験問題集テストガイドはトレーニング専門Fast2test:https://jp.fast2test.com/Identity-and-Access-Management-Architect-premium-file.html
合格準備Identity-and-Access-Management-ArchitectにはFast2testが提供するあなたをSalesforce Certified Identity and Access Management Architect試験合格させます顕著練習問題:https://drive.google.com/open?id=1xizdhvhXvrSlpW6ytAgU0Rjmeh_LU1qV