Identity-and-Access-Management-Designer Exam - Salesforce Certified Identity and Access Management Designer (SP19)

NEW QUESTION 1
Universal Containers (UC) has a Desktop application to collect leads for marketing campaigns. UC wants to extend this application to integrate with Salesforce to create leads. Integration between the desktop application and salesforce should be seamless. What Authorization flow should the Architect recommend?

• A. JWT Bearer Token flow
• B. Web Server Authentication Flow
• C. User Agent Flow
• D. Username and Password Flow

Answer: C

NEW QUESTION 2
A Salesforce customer is implementing Sales Cloud and a custom pricing application for its call center agents. An Enterprise single sign-on solution is used to authenticate and sign-in users to all applications. The customer has the following requirements:
* 1. The development team has decided to use a Canvas app to expose the pricing application to agents.
* 2. Agents should be able to access the Canvas app without needing to log in to the pricing application.
Which two options should the identity architect consider to provide support for the Canvas app to initiate login for users?
Choose 2 answers

• A. Select "Enable as a Canvas Personal App" in the connected app settings.
• B. Enable OAuth settings in the connected app with required OAuth scopes for the pricing application.
• C. Configure the Canvas app as a connected app and set Admin-approved users as pre-authorized.
• D. Enable SAML in the connected app and Security Assertion Markup Language (SAML) Initiation Method as Service Provider Initiated.

Answer: CD

NEW QUESTION 3
In a typical SSL setup involving a trusted party and trusting party, what consideration should an Architect take into account when using digital certificates?

• A. Use of self-signed certificate leads to lower maintenance for trusted party because multiple self-signed certs need to be maintained.
• B. Use of self-signed certificate leads to higher maintenance for trusted party because they have to act as the trusted CA
• C. Use of self-signed certificate leads to lower maintenance for trusting party because there is no trusted CA cert to maintain.
• D. Use of self-signed certificate leads to higher maintenance for trusting party because the cert needs to be added to their truststore.

Answer: C

NEW QUESTION 4
Universal Containers (UC) has implemented SAML-based SSO solution for use with their multi-org Salesforce implementation, utilizing one of the the orgs as the Identity Provider. One user is reporting that they can log in to the Identity Provider org but get a generic SAML error message when accessing the other orgs. Which two considerations should the architect review to troubleshoot the issue? Choose 2 answers

• A. The Federation ID must be a valid Salesforce Username
• B. The Federation ID must is case sensitive
• C. The Federation ID must be in the form of an email address.
• D. The Federation ID must be populated on the user record.

Answer: BD

NEW QUESTION 5
The CIO of universal containers(UC) wants to start taking advantage of the refresh token capability for the UC applications that utilize Oauth 2.0. UC has listed an architect to analyze all of the applications that use Oauth flows to. See where refresh Tokens can be applied. Which two OAuth flows should the architect consider in their evaluation? Choose 2 answers

• A. Web server
• B. Jwt bearer token
• C. User-Agent
• D. Username-password

Answer: AC

NEW QUESTION 6
Universal Containers (UC) uses middleware to integrate multiple systems with Salesforce. UC has a strict, new requirement that usernames and passwords cannot be stored in any UC system. How can UC’s middleware authenticate to Salesforce while adhering to this requirement?

• A. Create a Connected App that supports the JWT Bearer Token OAuth Flow.
• B. Create a Connected App that supports the Refresh Token OAuth Flow
• C. Create a Connected App that supports the Web Server OAuth Flow.
• D. Create a Connected App that supports the User-Agent OAuth Flow.

Answer: A

NEW QUESTION 7
Northern Trail Outfitters (NTO) is setting up Salesforce to authenticate users with an external identity provider. The NTO Salesforce Administrator is having trouble getting things setup.
What should an identity architect use to show which part of the login assertion is fading?

• A. SAML Metadata file importer
• B. Identity Provider Metadata download
• C. Connected App Manager
• D. Security Assertion Markup Language Validator

Answer: D

NEW QUESTION 8
Universal containers(UC) has decided to build a new, highly sensitive application on Force.com platform. The security team at UC has decided that they want users to provide a fingerprint in addition to username/Password to authenticate to this application. How can an architect support fingerprints as a form of identification for salesforce Authentication?

• A. Use salesforce Two-factor Authentication with callouts to a third-party fingerprint scanning application.
• B. Use Delegated Authentication with callouts to a third-party fingerprint scanning application.
• C. Use an appexchange product that does fingerprint scanning with native salesforce identity confirmation.
• D. Use custom login flows with callouts to a third-party fingerprint scanning application.

Answer: D

NEW QUESTION 9
Universal containers (UC) has a classified information system that it's call centre team uses only when they are working on a case with a record type of "classified". They are only allowed to access the system when they own an open "classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO with salesforce as the IDP, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying access to the classified information system based on the open "classified" case record criteria?

• A. Use a custom connected App handler using apex to dynamically allow access to the system based on whether the staff owns any open "classified" cases.
• B. Use apex trigger on case to dynamically assign permission sets that grant access when a user is assigned with an open "classified" case, and remove it when the case is closed.
• C. Use custom SAML jit provisioning to dynamically query the user's open "classified" cases whenattempting to access the classified information system
• D. Use salesforce reports to identify users that currently owns open "classified" cases and should be granted access to the classified information system.

Answer: A

NEW QUESTION 10
Universal containers (UC) has decided to use identity connect as it's identity provider. UC uses active directory(AD) and has a team that is very familiar and comfortable with managing ad groups. UC would like to use AD groups to help configure salesforce users. Which three actions can AD groups control through identity connect? Choose 3 answers

• A. Public Group Assignment
• B. Granting report folder access
• C. Role Assignment
• D. Custom permission assignment
• E. Permission sets assignment

Answer: ACE

NEW QUESTION 11
Universal Containers (UC) is considering a Customer 360 initiative to gain a single source of the truth for its customer data across disparate systems and services. UC wants to understand the primary benefits of Customer 360 Identity and how it contributes ato successful Customer 360 Truth project.
What are two are key benefits of Customer 360 Identity as it relates to Customer 360? Choose 2 answers

• A. Customer 360 Identity automatically integrates with Customer 360 Data Manager and Customer 360 Audiences to seamlessly populate all user data.
• B. Customer 360 Identity enables an organization to build a single login for each of its customers, giving the organization anunderstanding of the user's login activity across all its digital properties and applications.
• C. Customer 360 Identity supports multiple brands so you can deliver centralized identity services and correlation of user activity,even if it spans multiple corporate brands and user experiences.
• D. Customer 360 Identity not only provides a unified sign up and sign in experience, but also tracks anonymous user activity prior to signing up so organizations can understand user activity before and after the users identify themselves.

Answer: BC

NEW QUESTION 12
A global company has built an external application that uses data from its Salesforce org via an OAuth 2.0 authorization flow. Upon logout, the existing Salesforce OAuth token must be invalidated.
Which action will accomplish this?

• A. Use a HTTP POST to request the refresh token for the current user.
• B. Use a HTTP POST to the System for Cross-domain Identity Management (SCIM) endpoint, including the current OAuth token.
• C. Use a HTTP POST to make a call to the revoke token endpoint.
• D. Enable Single Logout with a secure logout URL.

Answer: C

NEW QUESTION 13
Universal containers (UC) is setting up their customer Community self-registration process. They are uncomfortable with the idea of assigning new users to a default account record. What will happen when customers self-register in the community?

• A. The self-registration process will produce an error to the user.
• B. The self-registration page will ask user to select an account.
• C. The self-registration process will create a person Account record.
• D. The self-registration page will create a new account record.

Answer: A

NEW QUESTION 14
Which three are features of federated Single sign-on solutions? Choose 3 Answers

• A. It establishes trust between Identity Store and Service Provider.
• B. It federates credentials control to authorized applications.
• C. It solves all identity and access management problems.
• D. It improves affiliated applications adoption rates.
• E. It enables quick and easy provisioning and deactivating of users.

Answer: ADE

NEW QUESTION 15
Universal containers wants salesforce inbound Oauth-enabled integration clients to use SAML-BASED single Sign-on for authentication. What Oauth flow would be recommended in this scenario?

• A. User-Agent Oauth flow
• B. SAML assertion Oauth flow
• C. User-Token Oauth flow
• D. Web server Oauth flow

Answer: B

NEW QUESTION 16
What item should an Architect consider when designing a Delegated Authentication implementation?

• A. The Web service should be secured with TLS using Salesforce trusted certificates.
• B. The Web service should be able to accept one to four input method parameters.
• C. The web service should use the Salesforce Federation ID to identify the user.
• D. The Web service should implement a custom password decryption method.

Answer: A

NEW QUESTION 17
An architect has successfully configured SAML-BASED SSO for universal containers. SSO has been working for 3 months when Universal containers manually adds a batch of new users to salesforce. The new users receive an error from salesforce when trying to use SSO. Existing users are still able to successfully use SSO to access salesforce. What is the probable cause of this behaviour?

• A. The administrator forgot to reset the new user's salesforce password.
• B. The Federation ID field on the new user records is not correctly set
• C. The my domain capability is not enabled on the new user's profile.
• D. The new users do not have the SSO permission enabled on their profiles.

Answer: B

NEW QUESTION 18
Universal Containers (UC) uses Active Directory (AD) as their identity store for employees and must continue to do so for network access. UC is undergoing a major transformation program and moving all of their enterprise applications to cloud platforms including Salesforct, Workday, and SAP HANA. UC needs to implement an SSO solution for accessing all of the third-party cloud applications and the CIO is inclined to use Salesforce for all of their identity and access management needs.
Which two Salesforce license types does UC need for its employees' Choose 2 answers

• A. Company Community and Identity licenses
• B. Identity and Identity Connect licenses
• C. Chatter Only and Identity licenses
• D. Salesforce and Identity Connect licenses

Answer: BD

NEW QUESTION 19
which three are features of federated Single Sign-on solutions? Choose 3 answers

• A. It federates credentials control to authorized applications.
• B. It establishes trust between Identity store and service provider.
• C. It solves all identity and access management problems.
• D. It improves affiliated applications adoption rates.
• E. It enables quick and easy provisioning and deactivating of users.

Answer: BCE

NEW QUESTION 20
......