Identity-and-Access-Management-Designer Exam - Salesforce Certified Identity and Access Management Designer (SP19)

NEW QUESTION 1
Universal Containers (UC) implemented SSO to a third-party system for their Salesforce users to access the App Launcher. UC enabled “User Provisioning” on the Connected App so that changes to user accounts can be synched between Salesforce and the third party system. However, UC quickly notices that changes to user roles in Salesforce are not getting synched to the third-party system. What is the most likely reason for this behaviour?

• A. User Provisioning for Connected Apps does not support role sync.
• B. Required operation(s) was not mapped in User Provisioning Settings.
• C. The Approval queue for User Provisioning Requests is unmonitored.
• D. Salesforce roles have more than three levels in the role hierarchy.

Answer: A

NEW QUESTION 2
Universal Containers (UC) has Active Directory (AD) as their enterprise identity store and would like to use it for Salesforce user authentication. UC expects to synchronize user data between Salesforce and AD and Assign the appropriate Profile and Permission Sets based on AD group membership. What would be the optimal way to implement SSO?

• A. Use Active Directory with Reverse Proxy as the Identity Provider.
• B. Use Microsoft Access control Service as the Authentication provider.
• C. Use Active Directory Federation Service (ADFS) as the Identity Provider.
• D. Use Salesforce Identity Connect as the Identity Provider.

Answer: D

NEW QUESTION 3
Which two things should be done to ensure end users can only use single sign-on (SSO) to login in to Salesforce?
Choose 2 answers

• A. Enable My Domain and select "Prevent login from https://login.salesforce.com".
• B. Request Salesforce Support to enable delegated authentication.
• C. Once SSO is enabled, users are only able to login using Salesforce credentials.
• D. Assign user "is Single Sign-on Enabled" permission via profile or permission set.

Answer: AD

NEW QUESTION 4
Universal containers (UC) has implemented SAML -based single Sign-on for their salesforce application. UC is using pingfederate as the Identity provider. To access salesforce, Users usually navigate to a bookmarked link to my domain URL. What type of single Sign-on is this?

• A. Sp-Initiated
• B. IDP-initiated with deep linking
• C. IDP-initiated
• D. Web server flow.

Answer: A

NEW QUESTION 5
Universal Containers (UC) has a Customer Community that uses Facebook for of authentication. UC would like to ensure that changes in the Facebook profile are 65. reflected on the appropriate Customer Community user. How can this requirement be met?

• A. Use SAML Just-In-Time Provisioning between Facebook and Salesforce.
• B. Use information in the Signed Request that is received from Facebook.
• C. Develop a scheduled job that calls out to Facebook on a nightly basis.
• D. Use the updateUser() method on the Registration Handler class.

Answer: D

NEW QUESTION 6
Universal Containers wants to implement SAML SSO for their internal Salesforce users using a third-party IdP. After some evaluation, UC decides not to set up My Domain for their Salesforce org. How does that decision impact their SSO implementation?

• A. SP-initiated SSO will not work.
• B. Neither SP- nor IdP-initiated SSO will work.
• C. Either SP- or IdP-initiated SSO will work.
• D. IdP-initiated SSO will not work.

Answer: B

NEW QUESTION 7
Universal Containers (UC) is building an authenticated Customer Community for its customers. UC does not want customer credentials stored in Salesforce and is confident its customers would be willing to use their social media credentials to authenticate to the community. Which two actions should an Architect recommend UC to take?

• A. Use Delegated Authentication to call the Twitter login API to authenticate users.
• B. Configure an Authentication Provider for LinkedIn Social Media Accounts.
• C. Create a Custom Apex Registration Handler to handle new and existing users.
• D. Configure SSO Settings For Facebook to serve as a SAML Identity Provider.

Answer: BC

NEW QUESTION 8
Universal Containers (UC) wants its closed Won opportunities to be synced to a Data warehouse in near real time. UC has implemented Outbound Message to enable near real-time data sync. UC wants to ensure that communication between Salesforce and Target System is secure. What certificate is sent along with the Outbound Message?

• A. The Self-signed Certificates from the Certificate & Key Management menu.
• B. The default client Certificate from the Develop--> API menu.
• C. The default client Certificate or the Certificate and Key Management menu.
• D. The CA-signed Certificate from the Certificate and Key Management Menu.

Answer: B

NEW QUESTION 9
Universal Containers built a custom mobile app for their field reps to create orders in Salesforce. OAuth is used for authenticating mobile users. The app is built in such a way that when a user session expires after Initial login, a new access token is obtained automatically without forcing the user to log in again. While that improved the field reps' productivity, UC realized that they need a "logout" feature.
What should the logout function perform in this scenario, where user sessions are refreshed automatically?

• A. Invoke the revocation URL and pass the refresh token.
• B. Clear out the client Id to stop auto session refresh.
• C. Invoke the revocation URL and pass the access token.
• D. Clear out all the tokens to stop auto session refresh.

Answer: A

NEW QUESTION 10
Universal Containers (UC) wants to build a custom mobile app for their field reps to create orders in salesforce. After the first time the users log in, they must be able to access salesforce upon opening the mobile app without being prompted to log in again. What Oauth flows should be considered to support this requirement?

• A. Web Server flow with a Refresh Token.
• B. Mobile Agent flow with a Bearer Token.
• C. User Agent flow with a Refresh Token.
• D. SAML Assertion flow with a Bearer Token.

Answer: C

NEW QUESTION 11
A company with 15,000 employees is using Salesforce and would like to take the necessary steps to highlight or curb fraudulent activity.
Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours?

• A. Login Forensics
• B. Login Report
• C. Login Inspector
• D. Login History

Answer: A

NEW QUESTION 12
Universal containers (UC) has a mobile application that calls the salesforce REST API. In order to prevent users from having to enter their credentials everytime they use the app, UC has enabled the use of refresh Tokens as part of the salesforce connected App and updated their mobile app to take advantage of the refresh token. Even after enabling the refresh token, Users are still complaining that they have to enter their credentials once a day. What is the most likely cause of the issue?

• A. The Oauth authorizations are being revoked by a nightly batch job.
• B. The refresh token expiration policy is set incorrectly in salesforce
• C. The app is requesting too many access Tokens in a 24-hour period
• D. The users forget to check the box to remember their credentials.

Answer: B

NEW QUESTION 13
Universal containers (UC) has implemented ansp-Initiated SAML flow between an external IDP and salesforce. A user at UC is attempting to login to salesforce1 for the first time and is being prompted for salesforce credentials instead of being shown the IDP login page. What is the likely cause of the issue?

• A. The "Redirect to Identity Provider" option has been selected in the my domain configuration.
• B. The user has not configured the salesforce1 mobile app to use my domain for login
• C. The "Redirect to identity provider" option has not been selected the SAML configuration.
• D. The user has not been granted the "Enable single Sign-on" permission

Answer: B

NEW QUESTION 14
Containers (UC) has an existing Customer Community. UC wants to expand the self-registration capabilities such that customers receive a different community experience based on the data they provide during the registration process. What is the recommended approach an Architect Should recommend to UC?

• A. Create an After Insert Apex trigger on the user object to assign specific custom permissions.
• B. Create separate login flows corresponding to the different community user personas.
• C. Modify the Community pages to utilize specific fields on the User and Contact records.
• D. Modify the existing Communities registration controller to assign different profiles.

Answer: C

NEW QUESTION 15
Universal Containers (UC) wants to build a few applications that leverage the Salesforce REST API. UC has asked its Architect to describe how the API calls will be authenticated to a specific user. Which two mechanisms can the Architect provide? Choose 2 Answers

• A. Authentication Token
• B. Session ID
• C. Refresh Token
• D. Access Token

Answer: CD

NEW QUESTION 16
Universal Containers (UC) is rolling out its new Customer Identity and Access Management Solution built on top of its existing Salesforce instance. UC wants to allow customers to login using Facebook, Google, and other social sign-on providers.
How should this functionality be enabled for UC, assuming ail social sign-on providers support OpenID Connect?

• A. Configure an authentication provider and a registration handler for each social sign-on provider.
• B. Configure a single sign-on setting and a registration handler for each social sign-on provider.
• C. Configure an authentication provider and a Just-In-Time (JIT) handler for each social sign-on provider.
• D. Configure a single sign-on setting and a JIT handler for each social sign-on provider.

Answer: A

NEW QUESTION 17
Universal Containers is implementing Salesforce Identity to broker authentication from its enterprise single sign-on (SSO) solution through Salesforce to third party applications using SAML.
What rote does Salesforce Identity play in its relationship with the enterprise SSO system?

• A. Identity Provider (IdP)
• B. Resource Server
• C. Service Provider (SP)
• D. Client Application

Answer: C

NEW QUESTION 18
Universal Containers is using OpenID Connect to enable a connection from their new mobile app to its production Salesforce org.
What should be done to enable the retrieval of the access token status for the OpenID Connect connection?

• A. Query using OpenID Connect discovery endpoint.
• B. A Leverage OpenID Connect Token Introspection.
• C. Create a custom OAuth scope.
• D. Enable cross-origin resource sharing (CORS) for the /services/oauth2/token endpoint.

Answer: B

NEW QUESTION 19
Universal containers (UC) employees have salesforce access from restricted ip ranges only, to protect against unauthorised access. UC wants to rollout the salesforce1 mobile app and make it accessible from any location. Which two options should an architect recommend? Choose 2 answers

• A. Relax the ip restriction in the connect app settings for the salesforce1 mobile app
• B. Use login flow to bypass ip range restriction for the mobile app.
• C. Relax the ip restriction with a second factor in the connect app settings for salesforce1 mobile app
• D. Remove existing restrictions on ip ranges for all types of user access.

Answer: AB

NEW QUESTION 20
......