Guide (Latest 2024): Real Salesforce Identity-and-Access-Management-Architect Exam Questions [Q67-Q89]



The Identity-and-Access-Management-Architect question set that gets you to pass, updated with the latest verified exam questions of 2024

Question # 67
Refer to the exhibit.

Northern Trail Outfitters (NTO) is using Experience Cloud as the identity provider for its application on Heroku. The application on Heroku should be able to handle two brands, Northern Trail Shoes and Northern Trail Shirts.
A user should select either of the two brands in Heroku before logging into the community. The app then performs authorization using OAuth 2.0 with the Salesforce Experience Cloud site.
NTO wants to make sure it renders login page images dynamically based on the brand the user selected in Heroku before authorization.
What should an identity architect do to fulfill the above requirements?

  • A. Authorize third-party service by sending authorization requests to the community-url/services/oauth2/authorize/cookie_value.
  • B. For each brand create different communities and redirect users to the appropriate community using a custom Login controller written in Apex.
  • C. Authorize third-party service by sending authorization requests to the community-url/services/oauth2/authorize/expid_value.
  • D. Create multiple login screens using Experience Builder and use Login Flows at runtime to route to different login screens.

Correct answer: C


Question # 68
A large consumer company is planning to create a community and will require login through the customer's social identity. The following requirements must be met:
1. The customer should be able to log in with any of their social identities; however, Salesforce should only have one user per customer.
2. Once the customer has been identified with a social identity, they should not be required to authorize Salesforce.
3. The customer's personal details from the social sign-on need to be captured when the customer logs into Salesforce using their social identity.
4. If the customer modifies their personal details on the social site, the changes should be updated in Salesforce.
Which two options allow the Identity Architect to fulfill the requirements?
Choose 2 answers

  • A. Use Login Flows to call an authentication registration handler to provision the user before logging the user into the community.
  • B. Use the custom registration handler to link social identities to Salesforce identities.
  • C. Redirect the user to a custom page that allows the user to select an existing social identity for login.
  • D. Use authentication providers for social sign-on and use the custom registration handler to insert or update personal details.

Correct answers: B, D

Explanation:
To allow customers to log in to the community with any of their social identities, such as Facebook, Google or Twitter, the identity architect needs to use authentication providers for social sign-on. Authentication providers are configurations that let users authenticate with an external identity provider and access Salesforce resources. To ensure that Salesforce has only one user per customer, regardless of how many social identities they have, the custom registration handler must link each new social identity to the customer's existing Salesforce user, typically by matching on a stable, provider-verified attribute such as the email address. The custom registration handler is a class that implements the Auth.RegistrationHandler interface: its createUser method returns either an existing user (which links the new identity to that user) or a new User object for Salesforce to insert, and its updateUser method runs on every subsequent login, which is where the customer's personal details from the provider are inserted or updated.
References: Authentication Providers, Social Sign-On with Authentication Providers, Create a Custom Registration Handler
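The handler described above, as an added example (not code from the exam page or from Salesforce): it implements Auth.RegistrationHandler so that every social identity of a customer maps to one Experience Cloud user (answer B) and the provider's current profile data is written back on each login (answer D). Everything about the org is assumed: the community contacts sit under an Account named 'Consumers', the profile is named 'Customer Community Login User', and trusted providers surface an 'email_verified' attribute in Auth.UserData.attributeMap. None of these names appear on the page.

```apex
// Added example for Question 68: one Salesforce user per customer, linked by
// verified email, with profile data synced on every login.
// Assumed org setup (hypothetical): Account 'Consumers', profile
// 'Customer Community Login User', providers that return 'email_verified'.
global class SocialRegistrationHandler implements Auth.RegistrationHandler {

    private static final String CONSUMER_ACCOUNT = 'Consumers';
    private static final String COMMUNITY_PROFILE = 'Customer Community Login User';

    public class LinkingException extends Exception {}

    // Called the first time a given social identity is used. Returning an
    // existing User makes Salesforce link the new identity to that user
    // instead of creating a second one; returning an uninserted User makes
    // Salesforce create it.
    global User createUser(Id portalId, Auth.UserData data) {
        String email = normalizeEmail(data.email);
        if (String.isBlank(email)) {
            throw new LinkingException('Provider ' + data.provider + ' returned no email address');
        }
        // Only link on an address the provider has verified. Linking on an
        // unverified email lets anyone who registers a victim's address at
        // the provider sign in as the victim's existing Salesforce user.
        if (!emailIsVerified(data)) {
            throw new LinkingException('Provider ' + data.provider + ' did not verify ' + email);
        }
        List<User> existing = [SELECT Id FROM User WHERE Email = :email AND IsActive = true LIMIT 1];
        if (!existing.isEmpty()) {
            return existing[0]; // requirement 1: reuse the customer's user, never duplicate it
        }
        Account acct = [SELECT Id FROM Account WHERE Name = :CONSUMER_ACCOUNT LIMIT 1];
        Profile prof = [SELECT Id FROM Profile WHERE Name = :COMMUNITY_PROFILE LIMIT 1];
        Contact c = new Contact(
            FirstName = data.firstName, LastName = lastNameOf(data),
            Email = email, AccountId = acct.Id);
        insert c;
        // Alias must be short and nickname unique; derive both from a hash of
        // the email so that neither carries personal data.
        String tag = EncodingUtil.convertToHex(
            Crypto.generateDigest('SHA-256', Blob.valueOf(email))).left(12);
        User u = new User();
        u.ContactId = c.Id;
        u.ProfileId = prof.Id;
        u.Username = email + '.consumers'; // usernames are unique across all of Salesforce; suffix is an assumption
        u.Email = email;
        u.FirstName = data.firstName;
        u.LastName = lastNameOf(data);
        u.Alias = tag.left(8);
        u.CommunityNickname = 'c' + tag;
        u.LanguageLocaleKey = 'en_US';
        u.LocaleSidKey = 'en_US';
        u.EmailEncodingKey = 'UTF-8';
        u.TimeZoneSidKey = 'America/Los_Angeles';
        return u;
    }

    // Called on every later login with an already linked identity: push the
    // provider's current profile data into Salesforce (requirement 4).
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = [SELECT Id, ContactId FROM User WHERE Id = :userId];
        u.FirstName = data.firstName;
        u.LastName = lastNameOf(data);
        update u;
        if (u.ContactId != null) {
            update new Contact(Id = u.ContactId, FirstName = data.firstName, LastName = lastNameOf(data));
        }
        // Email is deliberately not synced: it is the linking key, and a
        // change at one provider must not silently re-key the Salesforce user.
    }

    private static String normalizeEmail(String email) {
        return email == null ? null : email.trim().toLowerCase();
    }

    private static String lastNameOf(Auth.UserData data) {
        // LastName is required on both User and Contact
        return String.isBlank(data.lastName) ? 'Customer' : data.lastName;
    }

    private static Boolean emailIsVerified(Auth.UserData data) {
        // Assumption: OpenID Connect providers expose the 'email_verified'
        // claim in attributeMap; anything else is treated as unverified.
        return data.attributeMap != null && 'true'.equals(data.attributeMap.get('email_verified'));
    }
}
```

Register the class as the Registration Handler on each social authentication provider. The verified-email gate is the security-relevant part: without it, account linking by email turns any provider that accepts unverified addresses into an account-takeover path for the community.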


Question # 69
Universal Containers (UC) has implemented SSO according to the diagram below. PingFederate uses SAML while Salesforce Org 1 uses OAuth 2.0. Users usually start their day by first logging into Salesforce Org 2 and then, later in the day, they log into either the Financial System or the CPQ system depending on their job position. Which two systems are acting as identity providers?

  • A. Salesforce Org 2
  • B. Financial System
  • C. Salesforce Org 1
  • D. PingFederate

Correct answers: C, D

Explanation:
These are the systems acting as identity providers (IdPs) in the SSO scenario. An IdP is a trusted provider that authenticates users so that they can use single sign-on (SSO) to access other sites [5]. Here PingFederate and Salesforce Org 1 are the IdPs: they authenticate the users and issue SAML assertions (PingFederate) or OAuth tokens (Salesforce Org 1) to the service providers (SPs). The SPs are the sites that host applications and rely on the IdPs for authentication [5]; here Salesforce Org 2, the Financial System and the CPQ System are the SPs that consume those assertions or tokens and grant access to the users.
Option B (Financial System) is incorrect because it is an SP, not an IdP: it does not authenticate users but receives SAML assertions from PingFederate. Option A (Salesforce Org 2) is incorrect for the same reason: it receives OAuth tokens from Salesforce Org 1. The order in which users log into the systems during the day does not change the roles; the IdP is whichever system an SP redirects to for authentication.
References: [5] Identity Providers and Service Providers - Salesforce; [6] Salesforce as Service Provider and Identity Provider for SSO


Question # 70
Northern Trail Outfitters (NTO) wants to improve its engagement with existing customers to boost customer loyalty. To get a better understanding of its customers, NTO establishes a single customer view including their buying behaviors, channel preferences and purchasing history. All of this information exists but is spread across different systems and formats.
NTO has decided to use Salesforce as the platform to build a 360-degree view. The company already uses Microsoft Active Directory (AD) to manage its users and company assets.
What should an Identity Architect do to provision, deprovision and authenticate users?

  • A. Salesforce Identity is not needed since NTO uses Microsoft AD.
  • B. Salesforce Identity is included in the Salesforce licenses so it does not need to be considered separately.
  • C. A Salesforce Identity can be included but NTO will require Identity Connect.
  • D. Salesforce Identity can be included but NTO will be required to build a custom integration with Microsoft AD.

Correct answer: C


Question # 71
Universal Containers (UC) is looking to purchase a third-party application as an Identity Provider. UC is looking to develop a business case for the purchase in general and has enlisted an Architect for advice. Which two capabilities of an Identity Provider should the Architect detail to help strengthen the business case?
Choose 2 answers

  • A. The Identity Provider can centralize enterprise password policy.
  • B. The Identity Provider can authenticate multiple applications.
  • C. The Identity provider can store credentials for multiple applications.
  • D. The Identity Provider can authenticate multiple social media accounts.

Correct answers: A, B

Explanation:
The two capabilities of an identity provider that the architect should detail to strengthen the business case are that the identity provider can authenticate multiple applications and that it can centralize the enterprise password policy. These capabilities reduce login friction, improve the user experience, enhance security and simplify administration. Option D is not a good choice because authenticating multiple social media accounts may not be relevant to UC's business case, which does not say how UC would use social media for identity management. Option C is not a good choice because storing credentials for multiple applications is neither desirable nor secure: it implies password vaulting (the IdP replays stored passwords into each application) rather than federated SSO, so the IdP becomes a high-value credential store instead of removing per-application passwords. References: Identity Management Concepts, Single Sign-On Implementation Guide


Question # 73
What does My Domain enable for Universal Containers (UC) in the context of a SAML SSO configuration? Choose 2 answers

  • A. SSO from salesforce1 mobile app.
  • B. Resource deep linking
  • C. Login forensics
  • D. App launcher

Correct answers: A, B


Question # 74
Universal Containers (UC) has built a custom two-factor authentication (2FA) system for their existing on-premise applications. They are now implementing Salesforce and would like to enable a two-factor login process for it as well. What is the recommended solution an architect should consider?

  • A. Use the custom 2FA system for on-premise applications and native 2FA for Salesforce.
  • B. Use custom login flows to connect to the existing custom 2FA system for use in Salesforce.
  • C. Replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce.
  • D. Replace the custom 2FA system with an AppExchange app that supports on-premise applications and Salesforce.

Correct answer: B

Explanation:
Using custom login flows to connect to the existing custom 2FA system is the recommended solution because it lets UC reuse its existing 2FA infrastructure and gives a consistent user experience across applications. Custom login flows let you customize the authentication process by adding extra screens or logic after the standard login [1]. You can use Apex code invoked from the flow to call your custom 2FA system and verify the user's identity [2]. This option also gives you more flexibility and control over the 2FA process than native 2FA or an AppExchange app would [3]. References: [1] Customize User Authentication with Login Flows; [2] Custom Login Flow Examples; [3] Salesforce Multi-Factor Authentication
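The Apex side of the login flow described above, as an added example (not code from the exam page or from Salesforce): an invocable action that the login flow calls with the code the user typed, which checks it against UC's on-premise 2FA service. The Named Credential 'OnPrem2FA', its POST /verify endpoint and its {"user": ..., "code": ...} / {"valid": true|false} contract are all assumptions for the example.

```apex
// Added example for Question 74: invocable Apex called from a custom login
// flow to verify a one-time code with an on-premise 2FA service.
// Assumptions (hypothetical): Named Credential 'OnPrem2FA' points at the
// service; POST /verify takes {"user","code"} and returns {"valid": bool}.
public with sharing class OnPremTwoFactorVerifier {

    public class Request {
        @InvocableVariable(required=true label='One-time code entered by the user')
        public String code;
    }

    @InvocableMethod(label='Verify code with on-premise 2FA' callout=true)
    public static List<Boolean> verify(List<Request> requests) {
        List<Boolean> results = new List<Boolean>();
        for (Request r : requests) {
            results.add(verifyOne(r.code));
        }
        return results;
    }

    public static Boolean verifyOne(String code) {
        // Validate before calling out: the on-premise service only ever sees
        // a six-digit code, never free text typed into the login screen.
        if (code == null || !Pattern.matches('[0-9]{6}', code)) {
            return false;
        }
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:OnPrem2FA/verify');
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/json');
        req.setTimeout(10000);
        // A login flow runs as the user who just passed the first factor, so
        // UserInfo identifies whose second factor is being checked.
        req.setBody(JSON.serialize(new Map<String, String>{
            'user' => UserInfo.getUserName(), 'code' => code }));
        Boolean valid = false;
        try {
            HttpResponse res = new Http().send(req);
            if (res.getStatusCode() != 200) {
                return false;
            }
            Map<String, Object> body = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
            Object v = body.get('valid');
            valid = v instanceof Boolean && (Boolean) v;
        } catch (Exception e) {
            // Fail closed: an unreachable or malformed verifier is a failed factor.
            return false;
        }
        if (valid) {
            // Record that a second factor was satisfied so that high-assurance
            // session policies on reports, connected apps etc. are met.
            Auth.SessionManagement.setSessionLevel(Auth.SessionLevel.HIGH_ASSURANCE);
        }
        return valid;
    }
}
```

In the login flow, a screen collects the code, the action above is called, and a decision element branches on its result: on false the flow sets LoginFlow_ForceLogout to true, on true it finishes and the user lands in Salesforce. Two design points: the flow itself does not count attempts, so the lockout after a few wrong codes has to live in the on-premise service, and the session level is raised only after the service confirms the code, so nothing that requires high assurance is reachable by completing just the password step.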


Question # 75
A service provider (SP) supports both Security Assertion Markup Language (SAML) and OpenID Connect (OIDC).
When integrating this SP with Salesforce, which use case is the determining factor when choosing OIDC or SAML?

  • A. OIDC is more secure than SAML and therefore is the obvious choice.
  • B. The SP needs to perform API calls back to Salesforce on behalf of the user after the user logs in to the service provider.
  • C. They are equivalent protocols and there is no real reason to choose one over the other.
  • D. If the user has a session on Salesforce, you do not want them to be prompted for a username and password when they login to the SP.

Correct answer: B


Question # 76
Universal Containers (UC) is looking to build a Canvas app and wants to use the corresponding connected app to control where the app is visible. Which two options are correct regarding where the app can be made visible under the connected app settings for the Canvas app? Choose 2 answers

  • A. In the mobile navigation menu on Salesforce for Android.
  • B. Included in the Call Control Tool that's part of Open CTI.
  • C. As part of the body of a Salesforce Knowledge article.
  • D. The sidebar of a Salesforce Console as a console component.

Correct answers: B, D

Explanation:
The sidebar of a Salesforce Console as a console component and inclusion in the Call Control Tool that is part of Open CTI are the two valid locations under the connected app settings for the Canvas app. A Canvas app is an external application that is embedded within Salesforce in an iframe. A connected app is an application that integrates with Salesforce using APIs and uses OAuth as the authentication protocol. You control where a Canvas app can be displayed in Salesforce by configuring the locations in the connected app settings. The sidebar of a Salesforce Console is a valid location because it displays the app as a collapsible panel on the side of any console app. The Call Control Tool of Open CTI is a valid location because it displays the app as part of the softphone panel that integrates with your telephony system. The body of a Salesforce Knowledge article is not a valid location because the connected app settings do not support it. The mobile navigation menu on Salesforce for Android is not a valid location for the same reason. References: Canvas Developer Guide; Connected Apps Overview; Add or Remove Components from Your Console Apps; Open CTI Developer Guide


Question # 77
Universal Containers (UC) uses a home-grown Employee portal for their employees to collaborate. UC decides to use Salesforce Ideas to allow employees to post Ideas from the Employee portal. When users click on some of the links in the Employee portal, the users should be redirected to Salesforce, authenticated, and presented with the relevant pages. What OAuth flow is best suited for this scenario?

  • A. User-Agent flow
  • B. Web Application flow
  • C. SAML Bearer Assertion flow
  • D. Web Server flow

Correct answer: D


Question # 78
Sales users at Universal Containers use Salesforce for opportunity management. Marketing uses a third-party application called Nest for lead nurturing that is accessed using username/password. The VP of Sales wants to open up access to Nest for all sales users to give them access to lead history and would like SSO for better adoption. Salesforce is already set up for SSO and uses Delegated Authentication. Nest can accept username/password or SAML-based authentication. IT teams have received multiple password-related issues for Nest and have decided to set up SSO access to Nest for Marketing users as well. The CIO does not want to invest in a new IdP solution and is considering using Salesforce for this purpose. Which are appropriate license type choices for Sales and Marketing users, given that Salesforce is using Delegated Authentication?
Choose 2 answers

  • A. Salesforce license for sales users and Identity license for Marketing users
  • B. Identity license for sales users and Identity connect license for Marketing users
  • C. Salesforce license for sales users and External Identity license for Marketing users
  • D. Salesforce license for sales users and platform license for Marketing users.

Correct answers: A, D


Question # 79
Universal Containers (UC) has decided to build a new, highly sensitive application on the Force.com platform. The security team at UC has decided that they want users to provide a fingerprint in addition to username/password to authenticate to this application. How can an architect support fingerprints as a form of identification for Salesforce authentication?

  • A. Use salesforce Two-factor Authentication with callouts to a third-party fingerprint scanning application.
  • B. Use custom login flows with callouts to a third-party fingerprint scanning application.
  • C. Use Delegated Authentication with callouts to a third-party fingerprint scanning application.
  • D. Use an appexchange product that does fingerprint scanning with native salesforce identity confirmation.

Correct answer: B


Question # 80
Universal Containers allows employees to use a mobile device to access Salesforce for daily operations using a hybrid mobile app. This app is built with the Mobile SDK, uses a refresh token to obtain a new access token when required, and is distributed as a private app.
The chief security officer is rolling out an org-wide compliance policy to enforce re-verification of devices if an employee has not logged in from that device in the last week.
Which connected app setting should be leveraged to comply with this policy change?

  • A. Refresh Token Policy - Expire the refresh token if it has not been used for 7 days.
  • B. Permitted User - Ask admins to maintain a list of users who are permitted based on last login date.
  • C. Scope - Deny refresh_token scope for this connected app.
  • D. Session Policy - Set timeout value of the connected app to 7 days.

Correct answer: A

Explanation:
"Refresh Token Policy - Expire the refresh token if it has not been used for 7 days" is the connected app setting that complies with the policy change. Because the app silently renews its access token with the refresh token, a device that has not been used for a week has not used its refresh token for a week; expiring it forces the user to authenticate again on that device. A session timeout would only end the current session, which the app would renew from the still-valid refresh token, and denying the refresh_token scope would force re-authentication on every access-token expiry, not just after a week of inactivity. References: Connected App Basics, OAuth 2.0 Refresh Token Flow


Question # 81
Northern Trail Outfitters wants to allow its consumers to self-register on its business-to-consumer (B2C) portal that is built on Experience Cloud. The identity architect has recommended using Person Accounts.
Which three steps need to be configured to enable self-registration using person accounts?
Choose 3 answers

  • A. Set organization-wide default sharing for Contact to Public Read Only.
  • B. Under Login and Registration settings, ensure that the default account field is empty.
  • C. Enable access to person and business account record types under Public Access Settings.
  • D. Contact Salesforce Support to enable business accounts.
  • E. Contact Salesforce Support to enable person accounts.

Correct answers: B, C, E


Question # 82
A multinational industrial products manufacturer is planning to implement Salesforce CRM to manage their business. They have the following requirements:
1. They plan to implement Partner communities to provide access to their partner network.
2. They have operations in multiple countries and are planning to implement multiple Salesforce orgs.
3. Some of their partners do business in multiple countries and will need information from multiple Salesforce communities.
4. They would like to provide a single login for their partners.
How should an Identity Architect solve this requirement with limited custom development?

  • A. Register partners in one org and access information from other orgs using APIs.
  • B. Create a partner login for the country of their operation and use SAML federation to provide access to other orgs.
  • C. Allow partners to choose the Salesforce org they need information from and use login flows to authenticate access.
  • D. Consolidate Partner related information in a single org and provide access through Salesforce community.

Correct answer: B

Explanation:
SAML federation allows partners to log in to multiple Salesforce orgs with a single identity provider. The partner login can be created for the country of their operation and then federated to other orgs using SAML assertions. References: SAML Single Sign-On Overview, Federated Authentication Using SAML


Question # 83
Universal Containers (UC) has implemented SAML-based single sign-on for their Salesforce application. UC is using PingFederate as the identity provider. To access Salesforce, users usually navigate to a bookmarked link to the My Domain URL. What type of single sign-on is this?

  • A. Web server flow.
  • B. IDP-initiated with deep linking
  • C. Sp-Initiated
  • D. IDP-initiated

Correct answer: C

Explanation:
The type of single sign-on UC is using is SP-initiated: the service provider (Salesforce) starts the SSO process by sending a SAML request to the identity provider (PingFederate) when the user navigates to the My Domain URL [3]. Therefore, option C is the correct answer. Although the user starts from a bookmark, the bookmark points at Salesforce (the SP), not at PingFederate, so this is not IdP-initiated SSO. References: [3] SAML SSO with Salesforce as the Service Provider


Question # 84
Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow. Application users will authenticate using username and password. They should not be forced to approve API access in the mobile app or reauthenticate for 3 months.
Which two connected app options need to be configured to fulfill this use case?
Choose 2 answers

  • A. Set the Session Timeout value to 3 months.
  • B. Set Permitted Users to "All users may self-authorize".
  • C. Set the Refresh Token Policy to expire refresh token after 3 months.
  • D. Set Permitted Users to "Admin approved users are pre-authorized".

Correct answers: B, C


Question # 85
Universal Containers (UC) would like to enable self-registration for their Salesforce Partner Community users. UC wants to capture some custom data elements from the partner user and, based on these data elements, wants to assign the appropriate Profile and Account values.
Which two actions should the Architect recommend to UC?
Choose 2 answers

  • A. Modify the CommunitiesSelfRegController to assign the Profile and Account.
  • B. Configure Registration for Communities to use a custom Visualforce Page.
  • C. Modify the SelfRegistration trigger to assign Profile and Account.
  • D. Configure Registration for Communities to use a custom Apex Controller.

Correct answers: A, B


Question # 86
An identity architect is setting up an integration between Salesforce and a third-party system. The third-party system needs to authenticate to Salesforce and then make API calls against the REST API.
One of the requirements is that the solution must ensure the third-party service provider's connected app in Salesforce minimizes the need for end-user interaction and maximizes security.
Which OAuth flow should be used to fulfill the requirement?

  • A. Web Server Flow
  • B. User Agent Flow
  • C. JWT Bearer Flow
  • D. Username-Password Flow

Correct answer: C


Question # 87
A global fitness equipment manufacturer is planning to sell fitness tracking devices and has the following requirements:
1) Customer purchases the device.
2) Customer registers the device using their mobile app.
3) A case should automatically be created in Salesforce and associated with the customer's account when the device reports issues with tracking.
Which OAuth flow should be used to meet these requirements?

  • A. OAuth 2.0 User-Agent Flow
  • B. OAuth 2.0 Asset Token Flow
  • C. OAuth 2.0 Username-Password Flow
  • D. OAuth 2.0 SAML Bearer Assertion Flow

Correct answer: B


Question # 88
Universal Containers (UC) wants to use Salesforce for sales orders and a legacy system for order fulfillment. The legacy system must update the status of orders in Salesforce in real time as they are fulfilled. UC decides to use OAuth for connecting the legacy system to Salesforce. Which OAuth flow should be considered that doesn't require storing credentials, a client secret or refresh tokens?

  • A. User Agent flow
  • B. JWT Bearer Token flow
  • C. Web Server flow
  • D. Username-Password flow

Correct answer: B




The Salesforce Identity-and-Access-Management-Architect exam is designed to test the knowledge and skills of professionals in the field of identity and access management (IAM) within the Salesforce ecosystem. The exam measures a candidate's ability to design and implement secure, scalable and compliant IAM solutions for Salesforce customers. This certification is intended for professionals with extensive IAM experience who want to validate their expertise in Salesforce IAM architecture.

 

Free quiz with pass guarantee, latest 2024 Salesforce questions confirmed to actually appear: https://www.goshiken.com/Salesforce/Identity-and-Access-Management-Architect-mondaishu.html

Really updated question PDF for the Identity-and-Access-Management-Architect exam: https://drive.google.com/open?id=1mbcwY18Xw8cgQA7h0l8X4Zl0esAnobiq