Salesforce Certified Identity and Access Management Designer (Identity-and-Access-Management-Designer) Free Practice Test

Question 1

An identity architect's client has a homegrown identity provider (IdP). Salesforce is used as the service provider (SP). The head of IT is worried that during a SP initiated single sign-on (SSO), the Security Assertion Markup Language (SAML) request content will be altered.
What should the identity architect recommend to make sure that there is additional trust between the SP and the IdP?

A. Ensure that the Issuer and Assertion Consumer service (ACS) URL is property configured between SP and IDP.

B. Ensure that there is an HTTPS connection between IDP and SP.

C. Encrypt the SAML Request using certification authority (CA) signed certificate and decrypt on IdP.

D. Ensure that on the SSO settings page, the "Request Signing Certificate" field has a self-signed certificate.

Correct Answer: C

Question 2

Universal Containers (UC) wants its users to access Salesforce and other SSO-enabled applications from a custom web page that UC magnets. UC wants its users to use the same set of credentials to access each of the applications. what SAML SSO flow should an Architect recommend for UC?

A. User-Agent

B. SP-Initiated with Deep Linking

C. SP-Initiated

D. IdP-Initiated

Correct Answer: D

Question 3

A university is planning to set up an identity solution for its alumni. A third-party identity provider will be used for single sign-on Salesforce will be the system of records. Users are getting error messages when logging in.
Which Salesforce feature should be used to debug the issue?

A. Apex Exception Email

B. Debug Logs

C. View Setup Audit Trail

D. Login History

Correct Answer: D

Question 4

Universal Containers (UC) is building an integration between Salesforce and a legacy web applications using the canvas framework. The security for UC has determined that a signed request from Salesforce is not an adequate authentication solution for the Third-Party app. Which two options should the Architect consider for authenticating the third-party app using the canvas framework? Choose 2 Answers

A. Utilize the SAML Single Sign-on flow to allow the third-party to authenticate itself against UC's IdP.

B. Utilize Authorization Providers to allow the third-party appliction to authenticate itself against Salesforce as the Idp.

C. Utilize Canvas OAuth flow to allow the third-party appliction to authenticate itself against Salesforce as the Idp.

D. Create a registration handler Apex class to allow the third-party appliction to authenticate itself against Salesforce as the Idp.

Correct Answer: A,C

Question 5

Universal Containers (UC) wants to build a custom mobile app for their field reps to create orders in salesforce. After the first time the users log in, they must be able to access salesforce upon opening the mobile app without being prompted to log in again. What Oauth flows should be considered to support this requirement?

A. Mobile Agent flow with a Bearer Token.

B. User Agent flow with a Refresh Token.

C. Web Server flow with a Refresh Token.

D. SAML Assertion flow with a Bearer Token.

Correct Answer: B

Question 6

Universal Containers (UC) has a classified information system that its call center team uses only when they are working on a case with a record type "Classified". They are only allowed to access the system when they own an open "Classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO eith Salesforce as the Idp, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "Classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying the access to the classified information system based on the open "classified" case record criteria?

A. Use Apex trigger on case to dynamically assign permission Sets that Grant access when an user is assigned with an open "Classified" case, and remove it when the case is closed.

B. Use Salesforce reports to identify users that currently owns open "Classified" cases and should be granted access to the Classified information system.

C. Use Custom SAML JIT Provisioning to dynamically query the user's open "Classified" cases when attempting to access the classified information system.

D. Use a Common Connected App Handler using Apex to dynamically allow access to the system based on whether the staff owns any open "Classified" Cases.

Correct Answer: D

Question 7

A farming enterprise offers smart farming technology to its farmer customers, which includes a variety of sensors for livestock tracking, pest monitoring, climate monitoring etc. They plan to store all the data in Salesforce. They would also like to ensure timely maintenance of the Installed sensors. They have engaged a salesforce Architect to propose an appropriate way to generate sensor Information In Salesforce.
Which OAuth flow should the architect recommend?

A. OAuth 2.0 Asset Token Flow

B. OAuth 2.0 SAML Bearer Assertion Flow

C. OAuth 2.0 Device Authentication Row

D. OAuth 2.0 JWT Bearer Token Flow

Correct Answer: A

Question 8

Users logging into Salesforce are frequently prompted to verify their identity.
The identity architect is required to provide recommendations so that frequency of prompt verification can be reduced.
What should the identity architect recommend to meet the requirement?

A. Implement an single sign-on for Salesforce using an external identity provider.

B. Implement 2FA authentication for the Salesforce org.

C. Set trusted IP ranges for the organization.

D. Implement multi-factor authentication for the Salesforce org.

Correct Answer: C

Question 9

Northern Trail Outfitters recently acquired a company. Each company will retain its Identity Provider (IdP). Both companies rely extensively on Salesforce processes that send emails to users to take specific actions in Salesforce.
How should the combined companys' employees collaborate in a single Salesforce org, yet authenticate to the appropriate IdP?

A. Enable each IdP as a login option in the MyDomain Authentication Service settings. Users will then click on the appropriate IdP button.

B. Have generated links be prefixed with the appropriate IdP URL to invoke an IdP-initiated Security Assertion Markup Language flow when clicked.

C. Have generated links append a querystnng parameter indicating the IdP. The login service will redirect to the appropriate IdP.

D. Configure unique MyDomains for each company and have generated links use the appropriate MyDomam in the URL.

Correct Answer: A

Question 10

Which two statements are capable of Identity Connect? Choose 2 answers

A. Support multiple orgs connecting to multiple Active Directory servers.

B. Supports both Identity-Provider-Initiated and Service-Provider-Initiated SSO.

C. Synchronization of Salesforce Permission Set Licence Assignments.

D. Automated user synchronization and de-activation.

Correct Answer: B,D

Question 11

Universal Containers (UC) employees have Salesforce access from restricted IP ranges only, to protect against unauthorised access. UC wants to roll out the Salesforce1 mobile app and make it accessible from any location. Which two options should an Architect recommend? Choose 2 answers

A. Relax the IP restrictions in the Connect App settings for the Salesforce1 mobile app.

B. Remove existing restrictions on IP ranges for all types of user access.

C. Relax the IP restriction with a second factor in the Connect App settings for Salesforce1 mobile app.

D. Use Login Flow to bypass IP range restriction for the mobile app.

Correct Answer: A,C

Question 12

universal container plans to develop a custom mobile app for the sales team that will use salesforce for authentication and access management. The mobile app access needs to be restricted to only the sales team. What would be the recommended solution to grant mobile app access to sales users?

A. Use connected apps Oauth policies to restrict mobile app access to authorized users.

B. Use the permission set license to assign the mobile app permission to sales users

C. Use a custom attribute on the user object to control access to the mobile app

D. Add a new identity provider to authenticate and authorize mobile users.

Correct Answer: A

Question 13

Universal Containers (UC) has a Desktop application to collect leads for marketing campaigns. UC wants to extend this application to integrate with Salesforce to create leads. Integration between the desktop application and salesforce should be seamless. What Authorization flow should the Architect recommend?

A. Web Server Authentication Flow

B. Username and Password Flow

C. JWT Bearer Token flow

D. User Agent Flow

Correct Answer: D

Welcome to TestSimulate

Salesforce Certified Identity and Access Management Designer (Identity-and-Access-Management-Designer) Free Practice Test