IDENTITY-AND-ACCESS-MANAGEMENT-ARCHITECT Exam Details

  • Exam Code
    :IDENTITY-AND-ACCESS-MANAGEMENT-ARCHITECT
  • Exam Name
    :Salesforce Certified Platform Identity and Access Management Architect (Plat-Arch-203)
  • Certification
    :Salesforce Certifications
  • Vendor
    :Salesforce
  • Total Questions
    :247 Q&As
  • Last Updated
    :May 27, 2026

Salesforce IDENTITY-AND-ACCESS-MANAGEMENT-ARCHITECT Online Questions & Answers

  • Question 151:

    Which two are valid choices for digital certificates when setting up two-way SSL between Salesforce and an external system? Choose 2 answers

    A. Use a trusted CA-signed certificate for Salesforce and a trusted CA-signed certificate for the external system
    B. Use a trusted CA-signed certificate for Salesforce and a self-signed certificate for the external system
    C. Use a self-signed certificate for Salesforce and a self-signed certificate for the external system
    D. Use a self-signed certificate for Salesforce and a trusted CA-signed certificate for the external system

  • Question 152:

    Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Access Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee recently was able to log in to NTO's Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory.

    What should an identity architect recommend to prevent this from happening in the future?

    A. Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP.
    B. Configure an authentication provider to delegate authentication to the LDAP directory.
    C. Use a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce.
    D. Setup an identity provider (IdP) to authenticate users using LDAP, set up single sign-on to Salesforce and disable Login Form authentication.
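
The scenario in Question 152 is a reconciliation gap: the directory knows the account is disabled, Salesforce does not yet. The script below is an added example, not part of the exam page, that finds such accounts by comparing an LDAP export against Salesforce User records. Everything in it is constructed: the LDIF text, the User rows (shaped like a SOQL query on User for Username, IsActive and FederationIdentifier), and the assumption that FederationIdentifier is mapped to the directory mail attribute. The disabled check uses the Active Directory ACCOUNTDISABLE bit (0x2) in userAccountControl; another LDAP directory would need its own flag.

```python
"""Added example (not from the exam page): list Salesforce users that are
still active although their LDAP account is disabled or gone.

Assumptions (constructed for this example):
  * the directory is Active Directory, so "disabled" is bit 0x2 of userAccountControl
  * Salesforce FederationIdentifier holds the LDAP mail attribute
"""
from __future__ import annotations
from dataclasses import dataclass

ACCOUNTDISABLE = 0x2  # AD userAccountControl flag (assumption: the directory is AD)

# Constructed LDIF export; not real data.
LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=nto,DC=example
sAMAccountName: alice
mail: alice@nto.example
userAccountControl: 512

dn: CN=Bob Leaver,OU=Staff,DC=nto,DC=example
sAMAccountName: bob
mail: bob@nto.example
userAccountControl: 514

dn: CN=Carol Gone,OU=Staff,DC=nto,DC=example
sAMAccountName: carol
mail: carol@nto.example
userAccountControl: 66050
"""

# Constructed Salesforce User rows (shape of a SOQL result on User).
SF_USERS = [
    {"Username": "alice@nto.example", "FederationIdentifier": "alice@nto.example", "IsActive": True},
    {"Username": "bob@nto.example", "FederationIdentifier": "bob@nto.example", "IsActive": True},
    {"Username": "carol@nto.example", "FederationIdentifier": "carol@nto.example", "IsActive": False},
    {"Username": "svc.integration@nto.example", "FederationIdentifier": None, "IsActive": True},
]


@dataclass
class LdapEntry:
    dn: str
    attrs: dict

    def disabled(self) -> bool:
        uac = int(self.attrs.get("userAccountControl", "0"))
        return bool(uac & ACCOUNTDISABLE)


def parse_ldif(text: str) -> list[LdapEntry]:
    """Minimal LDIF reader: 'attr: value' lines, blank line ends an entry."""
    entries, attrs = [], {}
    for line in text.splitlines():
        if not line.strip():
            if attrs:
                entries.append(LdapEntry(attrs.pop("dn"), attrs))
                attrs = {}
            continue
        key, _, value = line.partition(": ")
        attrs[key] = value
    if attrs:
        entries.append(LdapEntry(attrs.pop("dn"), attrs))
    return entries


def orphaned_salesforce_users(ldif_text: str, sf_users: list[dict]) -> list[str]:
    """Usernames still active in Salesforce whose LDAP account is disabled or absent.

    Users without a FederationIdentifier are not directory-managed, so they are
    skipped here; an identity team would review those separately."""
    by_mail = {e.attrs["mail"].lower(): e for e in parse_ldif(ldif_text)}
    orphans = []
    for user in sf_users:
        fid = (user.get("FederationIdentifier") or "").lower()
        if not fid or not user["IsActive"]:
            continue
        entry = by_mail.get(fid)
        if entry is None or entry.disabled():
            orphans.append(user["Username"])
    return orphans


if __name__ == "__main__":
    for name in orphaned_salesforce_users(LDIF, SF_USERS):
        print("active in Salesforce but disabled/absent in LDAP:", name)
```

Run daily, a report like this closes the 24-hour window in the scenario only as a detective control; the preventive fix is whatever stops the login itself, which is what the answer choices are about.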

  • Question 153:

    Northern Trail Outfitters (NTO) believes a specific user account may have been compromised. NTO inactivated the user account and needs to perform a forensic analysis and identify signals that could indicate a breach has occurred.

    What should NTO's first step be in gathering signals that could indicate account compromise?

    A. Review the User record and evaluate the login and transaction history.
    B. Download the Setup Audit Trail and review all recent activities performed by the user.
    C. Download the Identity Provider Event Log and evaluate the details of activities performed by the user.
    D. Download the Login History and evaluate the details of logins performed by the user.

  • Question 154:

    An Identity and Access Management (IAM) Architect is recommending Identity Connect to integrate Microsoft Active Directory (AD) with Salesforce for user provisioning, deprovisioning and single sign-on (SSO).

    Which feature of Identity Connect is applicable for this scenario?

    A. When Identity Connect is in place, if a user is deprovisioned in an on-premise AD, the user's Salesforce session is revoked immediately.
    B. If the number of provisioned users exceeds Salesforce license allowances, Identity Connect will start disabling the existing Salesforce users in First-in, First-out (FIFO) fashion.
    C. Identity Connect can be deployed as a managed package on a Salesforce org, leveraging High Availability of the Salesforce Platform out-of-the-box.
    D. When configured, Identity Connect acts as an identity provider to both Active Directory and Salesforce, thus providing SSO as a default feature.

  • Question 155:

    Universal Containers (UC) has decided to use Identity Connect as its identity provider. UC uses Active Directory (AD) and has a team that is very familiar and comfortable with managing AD groups. UC would like to use AD groups to help configure Salesforce users. Which three actions can AD groups control through Identity Connect? Choose 3 answers

    A. Public Group Assignment
    B. Granting report folder access
    C. Role Assignment
    D. Custom permission assignment
    E. Permission sets assignment

  • Question 156:

    Northern Trail Outfitters is implementing a business-to-business (B2B) collaboration site using Salesforce Experience Cloud. The partners will authenticate with an existing identity provider and the solution will utilize Security Assertion Markup Language (SAML) to provide single sign-on to Salesforce. Delegated administration will be used in the Experience Cloud site to allow the partners to administer their users' access.

    How should a partner identity be provisioned in Salesforce for this solution?

    A. Create only a contact.
    B. Create a contactless user.
    C. Create a user and a related contact.
    D. Create a person account.

  • Question 157:

    A service provider (SP) supports both Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). When integrating this SP with Salesforce, which use case is the determining factor when choosing OIDC or SAML?

    A. OIDC is more secure than SAML and therefore is the obvious choice.
    B. The SP needs to perform API calls back to Salesforce on behalf of the user after the user logs in to the service provider.
    C. If the user has a session on Salesforce, you do not want them to be prompted for a username and password when they login to the SP.
    D. They are equivalent protocols and there is no real reason to choose one over the other.

  • Question 158:

    An Architect needs to advise the team that manages the Identity Provider how to differentiate Salesforce from other Service Providers. What SAML SSO setting in Salesforce provides this capability?

    A. Identity Provider Login URL.
    B. Issuer.
    C. Entity Id
    D. SAML Identity Location.
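
Question 158 turns on which of the SAML SSO settings the IdP actually sees on the wire. The code below is an added example, not from the exam page, showing how a service provider consumes an assertion using the names of those Salesforce settings: Issuer (the IdP entity ID expected in the assertion's Issuer element), Entity ID (this SP's own identifier, expected in the Audience element, which is how the IdP addresses Salesforce as opposed to another SP), and SAML Identity Location (Subject NameID versus a named Attribute). The SAML Response, the IdP and SP identifiers and the attribute name are constructed for the example. Signature verification is deliberately left out: it needs an XML-DSig library and the IdP certificate, and a real SP performs it before any of the checks below.

```python
"""Added example (not from the exam page): SP-side checks on a SAML assertion,
named after Salesforce's SAML SSO settings. Unsigned, constructed assertion;
signature verification is out of scope here and must happen first in practice."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SAML Response (unsigned, illustration only).
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.nto.example/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
    <saml:Issuer>https://idp.nto.example/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@nto.example</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-15T09:59:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://saml.salesforce.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="federationId">
        <saml:AttributeValue>EMP-0042</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

EXAMPLE_NOW = datetime(2024, 1, 15, 10, 1, tzinfo=timezone.utc)   # inside the validity window
EXAMPLE_EXPIRED = EXAMPLE_NOW + timedelta(hours=1)                  # after NotOnOrAfter


@dataclass(frozen=True)
class SpSamlConfig:
    issuer: str               # Salesforce "Issuer" setting: the IdP's entity ID
    entity_id: str            # Salesforce "Entity ID" setting: this SP's identifier
    identity_location: str    # "subject" (NameID) or "attribute"
    attribute_name: str | None = None


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, cfg: SpSamlConfig, now: datetime) -> str:
    """Return the asserted identity, or raise ValueError naming the first failed check."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")

    # 1. Issuer: is the assertion from the IdP this SP is configured to trust?
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != cfg.issuer:
        raise ValueError(f"Issuer mismatch: got {issuer!r}, expected {cfg.issuer!r}")

    # 2. Audience: was it issued for this SP's Entity ID rather than another SP?
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if cfg.entity_id not in audiences:
        raise ValueError(f"Audience {audiences} does not include Entity ID {cfg.entity_id!r}")

    # 3. Validity window (replayed or stale assertions fail here).
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("no Conditions element")
    if now < _parse_time(cond.get("NotBefore")) or now >= _parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")

    # 4. Identity Location: read the user identifier from where the SP is told to look.
    if cfg.identity_location == "subject":
        ident = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    else:
        ident = None
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == cfg.attribute_name:
                ident = attr.findtext("saml:AttributeValue", namespaces=NS)
    if not ident:
        raise ValueError("identity not found at configured location")
    return ident


def try_validate(xml_text: str, cfg: SpSamlConfig, now: datetime) -> tuple[bool, str]:
    """Convenience wrapper: (True, identity) or (False, reason)."""
    try:
        return True, validate_assertion(xml_text, cfg, now)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    cfg = SpSamlConfig("https://idp.nto.example/saml", "https://saml.salesforce.com", "subject")
    print(try_validate(SAML_RESPONSE, cfg, EXAMPLE_NOW))
```

The Audience check is the one that answers "which SP is this for": an IdP that serves several SPs puts each SP's Entity ID in the assertions it issues for that SP, and an SP that skips the check will accept assertions minted for a different application.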

  • Question 159:

    A group of users try to access one of Universal Containers' connected apps and receive the following error message: "Failed: Not approved for access". What is the most likely cause of the issue?

    A. The use of high assurance sessions is required for the connected app.
    B. The users do not have the correct permission set assigned to them.
    C. The connected app setting "All users may self-authorize" is enabled.
    D. The Salesforce administrators have revoked the OAuth authorization.
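
Questions 153 and 159 both lead to the Login History: it is where the per-login signals live, and the "Failed: Not approved for access" message is one of the Status values Salesforce records there when a connected app login is refused. The script below is an added example, not from the exam page, that triages one user's Login History rows for compromise signals. The rows are constructed; their column names follow the Login History CSV export (Username, Login Time, Source IP, Login Type, Status, Application), and the baseline cut-off, the 15-minute window and the "two failures before a success" threshold are assumptions chosen for the example.

```python
"""Added example (not from the exam page): triage constructed Login History rows
for account-compromise signals. Column names follow the Login History CSV export;
the thresholds below are assumptions for the example."""
from __future__ import annotations
import csv
import io
from datetime import datetime, timedelta

# Constructed Login History export for one user; not real data.
LOGIN_HISTORY_CSV = """\
Username,Login Time,Source IP,Login Type,Status,Application
jsmith@nto.example,2024-01-10 08:02:11,203.0.113.10,Application,Success,Browser
jsmith@nto.example,2024-01-11 08:05:40,203.0.113.10,Application,Success,Browser
jsmith@nto.example,2024-01-12 08:01:03,203.0.113.10,Application,Success,Browser
jsmith@nto.example,2024-01-14 02:13:55,198.51.100.77,Application,Invalid Password,Browser
jsmith@nto.example,2024-01-14 02:14:20,198.51.100.77,Application,Invalid Password,Browser
jsmith@nto.example,2024-01-14 02:15:02,198.51.100.77,Application,Success,Browser
jsmith@nto.example,2024-01-14 02:31:44,198.51.100.77,Remote Access 2.0,Success,Data Loader
jsmith@nto.example,2024-01-14 02:40:00,198.51.100.77,Remote Access 2.0,Failed: Not approved for access,Partner Sync App
"""

BASELINE_END = datetime(2024, 1, 13)        # assumption: activity before this is "normal"
GUESS_WINDOW = timedelta(minutes=15)        # assumption: failures this close to a success count
GUESS_THRESHOLD = 2                         # assumption: at least this many failures


def load_rows(text: str) -> list[dict]:
    """Parse the export and sort it chronologically."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Login Time"] = datetime.strptime(row["Login Time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return sorted(rows, key=lambda r: r["Login Time"])


def triage(rows: list[dict], baseline_end: datetime) -> dict:
    """Compare post-baseline logins with what the account looked like before.

    Signals returned:
      new_ip_success     successful login from an IP never seen in the baseline
      guess_then_success failed passwords from one IP followed by a success from it
      new_app            successful login through an application not used before
      not_approved       connected-app logins refused with "Failed: Not approved for access"
                         (the connected app is limited to admin-approved users and this
                         user is not in an approved profile or permission set)
    """
    baseline = [r for r in rows if r["Login Time"] < baseline_end and r["Status"] == "Success"]
    known_ips = {r["Source IP"] for r in baseline}
    known_apps = {r["Application"] for r in baseline}
    recent = [r for r in rows if r["Login Time"] >= baseline_end]

    signals = {"new_ip_success": [], "guess_then_success": [], "new_app": [], "not_approved": []}
    for i, row in enumerate(recent):
        ts, ip = row["Login Time"], row["Source IP"]
        if row["Status"] == "Success":
            if ip not in known_ips:
                signals["new_ip_success"].append((ts, ip))
            fails = [p for p in recent[:i]
                     if p["Source IP"] == ip and p["Status"] == "Invalid Password"
                     and ts - p["Login Time"] <= GUESS_WINDOW]
            if len(fails) >= GUESS_THRESHOLD:
                signals["guess_then_success"].append((ts, ip, len(fails)))
            if row["Application"] not in known_apps:
                signals["new_app"].append((ts, row["Application"], row["Login Type"]))
        elif row["Status"] == "Failed: Not approved for access":
            signals["not_approved"].append((ts, row["Application"]))
    return signals


if __name__ == "__main__":
    for name, hits in triage(load_rows(LOGIN_HISTORY_CSV), BASELINE_END).items():
        for hit in hits:
            print(f"{name}: {hit}")
```

On the constructed rows this flags a night-time success from a new IP right after two bad passwords, a first-ever API login (Login Type "Remote Access 2.0") through a tool the user never used, and a refused connected-app login. The refusal belongs in a triage report even though it is not itself a compromise: it shows which apps the session tried to reach, and its cause is an authorization setting on the connected app rather than a user-side error.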

  • Question 160:

    Northern Trail Outfitters recently acquired a company. Each company will retain its Identity Provider (IdP). Both companies rely extensively on Salesforce processes that send emails to users to take specific actions in Salesforce.

    How should the combined companies' employees collaborate in a single Salesforce org, yet authenticate to the appropriate IdP?

    A. Configure unique MyDomains for each company and have generated links use the appropriate MyDomain in the URL.
    B. Have generated links append a querystring parameter indicating the IdP. The login service will redirect to the appropriate IdP.
    C. Have generated links be prefixed with the appropriate IdP URL to invoke an IdP-initiated Security Assertion Markup Language flow when clicked.
    D. Enable each IdP as a login option in the MyDomain Authentication Service settings. Users will then click on the appropriate IdP button.
