[October 15, 2023] The Identity-and-Access-Management-Architect PDF questions and test engine contain 245 questions [Q67-Q82]



The updated test engine provides a free trial sample of the Identity-and-Access-Management-Architect exam, with updates for 365 days


The Salesforce Certified Identity and Access Management Architect exam is a comprehensive test of a candidate's ability to design and implement complex identity and access management solutions. The exam consists of 60 multiple-choice questions and lasts 105 minutes. It is proctored, and candidates can take it online or in person at a test center. The exam fee is 400 USD, and candidates must achieve a passing score of 68% to earn the certification.


The Salesforce Identity-and-Access-Management-Architect certification exam is designed to validate the expertise of professionals who specialize in Salesforce identity and access management. The certification is ideal for individuals who want to demonstrate their skills and knowledge in designing, implementing and managing secure, scalable identity and access management solutions on Salesforce.

 

Question # 67
Universal Containers (UC) has multiple Salesforce orgs and would like to use a single identity provider to access all of their orgs. How should UC's architect enable this behavior?

  • A. Ensure that users have the same email value in their user records in all of UC's Salesforce orgs.
  • B. Ensure the same username is allowed in multiple orgs by contacting Salesforce support.
  • C. Ensure that users have the same Federation ID value in their user records in all of UC's Salesforce orgs.
  • D. Ensure that users have the same alias value in their user records in all of UC's Salesforce orgs.

Correct answer: C


Question # 68
Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for NTO to give its customers the ability to log in with their Facebook and Twitter credentials.
Which two actions should an identity architect recommend to meet these requirements?
Choose 2 answers

  • A. Create a custom external authentication provider for Twitter.
  • B. Configure a predefined authentication provider for Facebook.
  • C. Create a custom external authentication provider for Facebook.
  • D. Configure a predefined authentication provider for Twitter.

Correct answer: B, D

Explanation:
To let customers log in with their Facebook and Twitter credentials, the identity architect should configure the predefined authentication provider for Facebook and the predefined authentication provider for Twitter. An authentication provider is a configuration that lets users authenticate with an external identity provider and then access Salesforce resources. Salesforce ships predefined providers for common social identity providers, including Facebook and Twitter; they need only the application keys issued by the provider and minimal customization. A custom external authentication provider is only needed for a provider that Salesforce does not cover out of the box, so it is unnecessary here.
References: Authentication Providers, Social Sign-On with Authentication Providers


Question # 69
Universal Containers (UC) has implemented SAML-based single sign-on for their Salesforce application and is planning to provide access to Salesforce on mobile devices using the Salesforce1 mobile app. UC wants to ensure that single sign-on is used for accessing the Salesforce1 mobile app. Which two recommendations should the architect make? Choose 2 answers

  • A. Configure the Salesforce1 app to use the My Domain URL.
  • B. Use the existing SAML SSO flow along with the web server flow.
  • C. Configure the embedded web browser to use the My Domain URL.
  • D. Use the existing SAML SSO flow along with the user-agent flow.

Correct answer: A, C

Explanation:
To use SAML SSO from the Salesforce1 mobile app, the architect should recommend configuring the app to use the My Domain URL and configuring the embedded web browser to use the My Domain URL. The My Domain URL lets Salesforce identify the org's identity provider and start the SSO process. Adding the user-agent or web server OAuth flow to the existing SAML flow is not needed, because the Salesforce mobile apps only work with service-provider-initiated SAML setups.
Therefore options A and C are the correct answers.
References: Salesforce Mobile Application Single Sign-On overview, SAML SSO with Salesforce as the Service Provider, Single Sign-On


Question # 70
Universal Containers wants to implement single sign-on for a Salesforce org using an external identity provider and corporate identity store.
What type of authentication flow is required to support deep linking?

  • A. StartURL on Identity Provider
  • B. Service-Provider-Initiated SSO
  • C. Web Server OAuth SSO flow
  • D. Identity-Provider-Initiated SSO

Correct answer: B


Question # 71
Universal Containers (UC) uses middleware to integrate multiple systems with Salesforce. UC has a strict new requirement that usernames and passwords cannot be stored in any UC system. How can UC's middleware authenticate to Salesforce while adhering to this requirement?

  • A. Create a Connected App that supports the JWT Bearer Token OAuth Flow.
  • B. Create a Connected App that supports the Web Server OAuth Flow.
  • C. Create a Connected App that supports the Refresh Token OAuth Flow.
  • D. Create a Connected App that supports the User-Agent OAuth Flow.

Correct answer: A

Explanation:
A is correct because with the JWT bearer token OAuth flow the middleware authenticates without storing a username or password. The middleware builds a JSON Web Token whose claims are the connected app's consumer key (iss), the Salesforce username it acts as (sub), the login endpoint (aud) and a short expiry (exp), and signs it with a private key. Salesforce verifies the signature with the certificate uploaded to the connected app and, provided the user has already authorized the app or an admin has pre-authorized it, returns an access token. The secret the middleware must protect is the private key, not a password.
B is incorrect because the web server OAuth flow requires user interaction: the user is redirected to a Salesforce login page, enters their credentials and grants access, and the middleware then exchanges the returned authorization code for an access token and a refresh token.
C is incorrect because the refresh token flow is not a way to authenticate on its own: a refresh token is only issued by a preceding interactive flow such as the web server flow, and the refresh token is itself a long-lived credential that the middleware would then have to store.
D is incorrect because the user-agent OAuth flow also requires user interaction. It resembles the web server flow but is meant for browser-based or mobile clients that cannot protect a client secret, and the access token is returned directly to the user agent.
References: Accessing Salesforce with JWT OAuth Flow; OAuth Authorization Flows - Salesforce
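The assertion and token request described in the explanation above, as an added example in Go (not code from this page or from Salesforce). The consumer key and username are constructed placeholders, the key pair is generated at run time (in production the private key would be loaded from a secret store and its certificate uploaded to the connected app), and the VerifyAssertion function stands in for the check Salesforce performs so the whole exchange runs offline. The verifier pins the algorithm to RS256 instead of reading it from the header, which is the check any JWT consumer needs to avoid algorithm-confusion attacks.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Claims carried by a Salesforce JWT bearer assertion; the flow requires all four.
type Claims struct {
	Iss string `json:"iss"` // consumer key of the connected app
	Sub string `json:"sub"` // Salesforce username the middleware acts as
	Aud string `json:"aud"` // https://login.salesforce.com, https://test.salesforce.com or a My Domain login URL
	Exp int64  `json:"exp"` // expiry in Unix seconds; Salesforce only accepts a short validity window
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion returns base64url(header).base64url(claims).base64url(signature), signed with
// RS256 (PKCS#1 v1.5 over SHA-256), the algorithm the Salesforce flow expects.
func BuildAssertion(key *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256"}) // cannot fail for these types
	payload, _ := json.Marshal(c)
	signingInput := b64url(header) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// TokenRequestBody is the form body the middleware POSTs to <aud>/services/oauth2/token.
func TokenRequestBody(assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")
	v.Set("assertion", assertion)
	return v.Encode()
}

// VerifyAssertion mirrors the server side: alg is pinned to RS256 rather than read from the header,
// the signature is checked with the public key of the uploaded certificate, and expiry is enforced.
func VerifyAssertion(pub *rsa.PublicKey, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return c, err
		}
		raw[i] = b
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return c, fmt.Errorf("header rejected: alg=%q err=%v", hdr.Alg, err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return c, errors.New("signature does not verify")
	}
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return c, err
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("assertion expired")
	}
	return c, nil
}

func main() {
	// Throwaway key for the demo; in production the private key lives in a secret store or HSM and its certificate is uploaded to the connected app.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	claims := Claims{Iss: "EXAMPLE_CONSUMER_KEY", Sub: "integration@nto.example", // constructed placeholders
		Aud: "https://login.salesforce.com", Exp: now.Add(3 * time.Minute).Unix()}
	assertion, _ := BuildAssertion(key, claims) // signing only fails on a broken key
	fmt.Printf("POST https://login.salesforce.com/services/oauth2/token\n%s\n", TokenRequestBody(assertion))
	got, err := VerifyAssertion(&key.PublicKey, assertion, now)
	fmt.Printf("verified claims=%+v err=%v\n", got, err)
}
```

Note that nothing in the exchange is a password: if the private key is compromised the remedy is to replace the certificate on the connected app, and the short exp keeps a captured assertion useless after a few minutes.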


Question # 72
Universal Containers (UC) is setting up Delegated Authentication to allow employees to log in using their corporate credentials. UC's security team is concerned about the risk of exposing the corporate login service on the Internet and has asked that a reliable trust mechanism be put in place between the login service and Salesforce. What mechanism should an architect put in place to enable a trusted connection between the login service and Salesforce?

  • A. Require the use of Salesforce security tokens on passwords.
  • B. Include client ID and client secret in the login header callout.
  • C. Enforce mutual authentication between systems using SSL.
  • D. Set up a proxy server for the login service in the DMZ.

Correct answer: C

Explanation:
Delegated authentication is a SOAP callout from Salesforce to the corporate login service, so the exposed service needs proof that its caller really is Salesforce. Requiring a client certificate on that callout (mutual TLS, using the Salesforce client certificate available under Certificate and Key Management) gives the login service a cryptographic identity for the caller. Security tokens apply to user API logins, a shared client ID and secret in a header is a weaker bearer secret, and a DMZ proxy changes where the service sits without authenticating the Salesforce end of the connection.


Question # 73
Universal Containers uses Salesforce as an identity provider and Concur as the employee expense management system. The HR director wants to ensure Concur accounts for employees are created only after the appropriate approval in the Salesforce org.
Which three steps should the identity architect use to implement this requirement?
Choose 3 answers

  • A. Create a connected app for Concur in Salesforce.
  • B. Create an approval process for the UserProvisioningRequest object associated with the provisioning flow.
  • C. Enable User Provisioning for the connected app.
  • D. Create an approval process for the User object associated with the provisioning flow.
  • E. Create an approval process for a custom object associated with the provisioning flow.

Correct answer: A, B, C

Explanation:
User provisioning lets Salesforce create, update or deactivate user accounts on a third-party system such as Concur based on user assignments in Salesforce. To gate account creation on an approval, the identity architect should take the following steps:
Create a connected app for Concur in Salesforce. A connected app integrates an external application with Salesforce through APIs and standard protocols such as SAML, OAuth and OpenID Connect. Provide the basic information (app name, logo URL, contact email and API name), enable SAML and configure the SAML settings such as the entity ID, ACS URL and subject type.
Enable User Provisioning for the connected app. This exposes the provisioning settings: the provisioning API endpoint URL, the client ID and client secret, the mapping of user attributes and the linkage rules. The same settings let you require an approval for user provisioning requests.
Create an approval process for the UserProvisioningRequest object associated with the provisioning flow. A UserProvisioningRequest record represents a provisioning request sent to or received from the third-party system; the approval process defines the steps, assignees, actions, criteria and email alerts a request must pass before the Concur account is created.
Approval processes on the User object or on a custom object (options D and E) are not part of the provisioning flow, so they would not block the account creation.
References:
User Provisioning for Connected Apps
Tutorial: Configure Salesforce for automatic user provisioning
Connected Apps
Create a Connected App
Enable User Provisioning for a Connected App
Require Approvals for User Provisioning Requests
UserProvisioningRequest
Approval Processes
Create an Approval Process


Question # 74
Northern Trail Outfitters (NTO) uses a Security Assertion Markup Language (SAML)-based identity provider (IdP) to authenticate employees to all systems. The IdP authenticates users against a Lightweight Directory Access Protocol (LDAP) directory and has access to user information. NTO wants to minimize Salesforce license usage since only a small percentage of users need Salesforce.
What is recommended to ensure new employees have immediate access to Salesforce using their current IdP?

  • A. Build an integration that queries LDAP and creates new inactive users in Salesforce, and use a login flow to activate the user at first login.
  • B. Configure Just-in-Time provisioning using SAML attributes to create new Salesforce users as necessary when a new user attempts to log in to Salesforce.
  • C. Build an integration that queries LDAP periodically and creates new active users in Salesforce.
  • D. Install Salesforce Identity Connect to automatically provision new users in Salesforce the first time they attempt to log in.

Correct answer: B

Explanation:
Just-in-Time (JIT) provisioning lets Salesforce create or update a user record at the moment a user logs in through the SAML identity provider. No batch integration or pre-created users are needed, and a license is consumed only for employees who actually log in, which is what minimizes license usage. To use it, enable JIT in the org's SAML single sign-on settings and have the IdP include the user attributes in the assertion: standard JIT requires User.Username, User.Email, User.LastName and User.ProfileId, plus a Federation ID carried in the Subject NameID or in a User.FederationIdentifier attribute. Salesforce only acts on assertions signed by the IdP certificate configured in those settings, which is what prevents a forged assertion from creating users. References: Just-in-Time Provisioning for SAML and OpenID Connect, Identity 101: Design Patterns for Access Management
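The assertion the IdP must emit for JIT and the checks a service provider makes before trusting it, as an added example in Go (not code from this page or from Salesforce). The SAML response is constructed for the example; its Signature element is a placeholder and only its presence is checked, because the actual XML signature verification is Salesforce's job using the IdP certificate from its SSO settings. The audience value, the ProfileId and the user values are assumptions.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
	"time"
)

// SampleResponse is a constructed SAML response, not one captured from a real IdP. The Signature
// element is a placeholder so the presence check passes; audience, ProfileId and user values are made up.
const SampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotOnOrAfter="2023-10-15T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="User.Username"><saml:AttributeValue>jdoe@nto.example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.Email"><saml:AttributeValue>jdoe@nto.example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="User.ProfileId"><saml:AttributeValue>00e000000000000AAA</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Department"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>`

type attribute struct {
	Name   string   `xml:"Name,attr"`
	Values []string `xml:"AttributeValue"`
}

type conditions struct {
	NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
	Audiences    []string `xml:"AudienceRestriction>Audience"`
}

// Tags use local names only, so the saml:/ds: prefixes in the document do not matter.
type assertion struct {
	Signature  *struct{}   `xml:"Signature"` // non-nil when the element is present
	NameID     string      `xml:"Subject>NameID"`
	Conditions conditions  `xml:"Conditions"`
	Attributes []attribute `xml:"AttributeStatement>Attribute"`
}

// Fields standard JIT needs to create a user; the Federation ID may come from the Subject NameID
// or a User.FederationIdentifier attribute.
var requiredJIT = []string{"FederationIdentifier", "Username", "Email", "LastName", "ProfileId"}

// JITUserFields applies the checks a service provider must make before trusting an assertion and
// returns the User.* attributes as the fields of the user record JIT would create. Only the presence
// of the Signature element is checked here; Salesforce verifies the XML signature itself.
func JITUserFields(doc []byte, audience string, now time.Time) (map[string]string, error) {
	var r struct{ Assertion assertion `xml:"Assertion"` }
	if err := xml.Unmarshal(doc, &r); err != nil {
		return nil, err
	}
	a := r.Assertion
	if a.Signature == nil {
		return nil, errors.New("assertion is not signed")
	}
	if exp, err := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter); err != nil || !now.Before(exp) {
		return nil, fmt.Errorf("assertion expired or NotOnOrAfter %q unparsable", a.Conditions.NotOnOrAfter)
	}
	ok := false
	for _, aud := range a.Conditions.Audiences {
		ok = ok || aud == audience
	}
	if !ok {
		return nil, fmt.Errorf("audience %v does not include %s", a.Conditions.Audiences, audience)
	}
	fields := map[string]string{}
	if a.NameID != "" {
		fields["FederationIdentifier"] = a.NameID
	}
	for _, at := range a.Attributes {
		// JIT maps only attributes named User.<FieldName>; anything else is ignored.
		if !strings.HasPrefix(at.Name, "User.") || len(at.Values) == 0 {
			continue
		}
		fields[strings.TrimPrefix(at.Name, "User.")] = at.Values[0]
	}
	for _, f := range requiredJIT {
		if fields[f] == "" {
			return nil, fmt.Errorf("required JIT field %s missing", f)
		}
	}
	return fields, nil
}

func main() {
	now := time.Date(2023, 10, 15, 10, 0, 0, 0, time.UTC) // constructed clock inside the validity window
	fields, err := JITUserFields([]byte(SampleResponse), "https://saml.salesforce.com", now)
	fmt.Printf("fields=%v err=%v\n", fields, err)
}
```

The audience and NotOnOrAfter checks are what stop an assertion issued for another service provider, or one captured earlier, from creating a user; a missing required attribute fails the login rather than creating a half-populated record.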


Question # 75
Northern Trail Outfitters (NTO) uses Salesforce for sales opportunity management. Okta was recently brought in to Just-in-Time (JIT) provision and authenticate NTO users to applications. Salesforce users also use Okta to authorize a forecasting web application to access Salesforce records on their behalf.
Which two roles are being performed by Salesforce?
Choose 2 answers

  • A. OAuth Client
  • B. OAuth Resource Server
  • C. SAML Service Provider
  • D. SAML Identity Provider

Correct answer: B, C

Explanation:
Okta authenticates and provisions the users, so Salesforce is the SAML service provider. The forecasting application reads Salesforce records on the user's behalf with a token obtained through Okta, so Salesforce is the OAuth resource server that accepts that token. Salesforce is not an OAuth client here, since it calls no other API in this scenario.


Question # 76
Which two security risks can be mitigated by enabling Two-Factor Authentication (2FA) in Salesforce?
Choose 2 answers

  • A. Users accessing Salesforce from a public Wi-Fi access point.
  • B. Users choosing passwords that are the same as their Facebook password.
  • C. Users creating simple-to-guess password reset questions.
  • D. Users leaving laptops unattended and not logging out of Salesforce.

Correct answer: A, B


Question # 77
Universal Containers' (UC) identity architect needs to recommend a license type for their new Experience Cloud site that will be used by external partners (delivery providers) for reviewing and updating their accounts, downloading files provided by UC and obtaining scheduled pickup dates from their calendar.
UC is using their Salesforce production org as the identity provider for these users, and the expected number of individual users is 2.5 million with 13.5 million unique logins per month.
Which of the following license types should be used to meet the requirement?

  • A. Customer Community Plus Login License
  • B. Partner Community Login License
  • C. Partner Community License
  • D. External Apps License

Correct answer: B

Explanation:
The Partner Community Login license fits this use case. The users are external partners who review and update their own accounts, which calls for the partner features of the Partner Community license family, and 13.5 million logins per month spread over 2.5 million users means each user logs in only a few times a month, so a pay-per-login license costs less than a named-user Partner Community license. The Customer Community Plus and External Apps licenses are intended for customers and custom external applications respectively, not for partner account management. References: Experience Cloud User Licenses, Salesforce Experience Cloud Pricing


Question # 78
Universal Containers (UC) is looking to build a Canvas app and wants to use the corresponding Connected App to control where the app is visible. Which two options are correct regarding where the app can be made visible under the Connected App settings for the Canvas app? Choose 2 answers

  • A. Included in the Call Control Tool that's part of Open CTI.
  • B. In the mobile navigation menu on Salesforce for Android.
  • C. As part of the body of a Salesforce Knowledge article.
  • D. The sidebar of a Salesforce Console as a console component.

Correct answer: C, D


Question # 79
A consumer products company uses Salesforce to maintain consumer information, including orders. The company implemented a portal solution using Salesforce Experience Cloud for its consumers, where the consumers can log in using their credentials. The company is considering allowing users to log in with their Facebook or LinkedIn credentials.
Once enabled, what role will Salesforce play?

  • A. Facebook and LinkedIn will act as the IdPs and SPs.
  • B. Salesforce will be the service provider (SP).
  • C. Facebook and LinkedIn will be the SPs.
  • D. Salesforce will be the identity provider (IdP).

Correct answer: B


Question # 80
Northern Trail Outfitters (NTO) has a requirement to ensure all user logins include a single multi-factor authentication (MFA) prompt. Currently, users are allowed the choice to log in with a username and password or via single sign-on against NTO's corporate identity provider, which includes built-in MFA.
Which configuration will meet this requirement?

  • A. Enable "MFA for User Interface Logins" for your organization from Setup -> Identity Verification.
  • B. Create a custom login flow that enforces MFA and assign it to a permission set. Then assign the permission set to all employees.
  • C. For all employee profiles, set the Session Level Required at Login to High Assurance and add the corporate identity provider to the High Assurance list for the org's Session Security Levels.
  • D. Create and assign a permission set to all employees that includes "MFA for User Interface Logins."

Correct answer: A

Explanation:
Enabling "MFA for User Interface Logins" org-wide requires MFA on every direct username and password login to the user interface. The setting does not apply to SSO logins, which is exactly what the requirement needs: users who sign in through the corporate identity provider already pass that provider's built-in MFA, so each login path carries one MFA prompt and never two. Because the setting is org-wide it covers every user without assigning a permission set or a login flow, which is why options B and D are unnecessary. References: Enable MFA for Direct User Logins, Everything You Need to Know About MFA Auto-Enablement and Enforcement


Question # 81
The executive sponsor for an organization has asked if Salesforce supports the ability to embed a login widget into its service providers in order to create a more seamless user experience.
What should be used and considered before recommending it as a solution on the Salesforce Platform?

  • A. Salesforce REST APIs. Ensure that a Secure Sockets Layer (SSL) connection for the integration is used.
  • B. Embedded Login. Identify what level of UI customization will be required to make it match the service provider's look and feel.
  • C. Embedded Login. Consider whether or not it relies on third-party cookies, which can cause browser compatibility issues.
  • D. OpenID Connect Web Server Flow. Determine if the service provider is secure enough to store the client secret on.

Correct answer: C

Explanation:
Embedded Login lets any web page, such as a service provider's site, embed a login widget so that visitors authenticate against Salesforce without leaving that page. It relies on third-party cookies, because the session cookie is set for the Salesforce domain rather than for the embedding page's domain, and modern browsers restrict or block third-party cookies by default. Compatibility problems and the browser settings users would need to change are therefore the first thing to evaluate before recommending it as a solution on the Salesforce Platform. References: Embedded Login, Embedded Login Implementation Guide


Question # 82
......


To become a Salesforce Certified Identity and Access Management Architect, you must pass the Identity-and-Access-Management-Architect exam. The certification is ideal for experienced IT professionals with a deep understanding of Salesforce identity and access management concepts and principles. The exam consists of multiple-choice questions and takes about 3 hours to complete. To pass, candidates must score at least 65%.

 

Exam pass guarantee: the Identity-and-Access-Management-Architect exam with accurate questions and answers: https://www.goshiken.com/Salesforce/Identity-and-Access-Management-Architect-mondaishu.html

Practice tests for the test engine, a valid and updated Identity-and-Access-Management-Architect question set: https://drive.google.com/open?id=1bRZybeUlUTjlJqj-ADvkBNjpoRLpvH5E