Perfect Identity and Access Management Designer Study Guide - Real Exam Questions For Preparation

Perfect Identity and Access Management Designer Study Guide – Real Exam Questions For Preparation

Regina2021-11-12T02:35:48+00:00

Preparing Identity and Access Management Designer exam well can be guaranteed by ITExamShop, perfect Identity and Access Management Designer study guide come with real exam questions and answers for preparation. Salesforce Identity and Access Management Designer certification is designed for identity professionals who want to demonstrate their knowledge, skills and capabilities at assessing identity architecture; designing secure, high-performance access management solutions on the Customer 360 platform; communicating technical solutions effectively to business and technical stakeholders. Real Identity and Access Management Designer exam questions provided by ITExamShop are based on the exam knowledge and skills, which will help you test the your exam capabilities and ensure that you can pass Identity and Access Management Designer certification exam successfully.

Before Getting Identity and Access Management Designer Perfect Study Guide, Just Check Free Questions First

Page 1 of 3

1. Universal containers (UC) has decided to use identity connect as it's identity provider. UC uses active directory (AD) and has a team that is very familiar and comfortable with managing ad groups. UC would like to use AD groups to help configure salesforce users .

Which three actions can AD groups control through identity connect? Choose 3 answers

Public Group Assignment

Granting report folder access

Role Assignment

Custom permission assignment

Permission sets assignment

2. Universal containers (UC) has implemented ansp-Initiated SAML flow between an external IDP and salesforce. A user at UC is attempting to login to salesforce1 for the first time and is being prompted for salesforce credentials instead of being shown the IDP login page .

What is the likely cause of the issue?

The "Redirect to Identity Provider" option has been selected in the my domain configuration.

The user has not configured the salesforce1 mobile app to use my domain for login

The "Redirect to identity provider" option has not been selected the SAML configuration.

The user has not been granted the "Enable single Sign-on" permission

3. A financial services company uses Salesforce and has a compliance requirement to track information about devices from which users log in. Also, a Salesforce Security Administrator needs to have the ability to revoke the device from which users log in.

What should be used to fulfill this requirement?

Use multi-factor authentication (MFA) to meet the compliance requirement to track device information.

Use the Activations feature to meet the compliance requirement to track device information.

Use the Login History object to track information about devices from which users log in.

Use Login Flows to capture device from which users log in and store device and user information in a custom object.

4. Universal Containers (UC) wants to build a mobile application that twill be making calls to the Salesforce REST API. UC's Salesforce implementation relies heavily on custom objects and custom Apex code. UC does not want its users to have to enter credentials every time they use the app .

Which two scope values should an Architect recommend to UC? Choose 2 answers.

Custom_permissions

Api

Refresh_token

Full

5. Universal containers (UC) uses a legacy Employee portal for their employees to collaborate and post their ideas. UC decides to use salesforce ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to push ideas posted on the Employee portal to salesforce through API. UC decides to use an API user using Oauth Username - password flow for the connection .

How can the connection to salesforce be restricted only to the employee portal server?

Add the Employee portals IP address to the Trusted IP range for the connected App

Use a digital certificate signed by the employee portal Server.

Add the employee portals IP address to the login IP range on the user profile.

Use a dedicated profile for the user the Employee portal uses.

6. A global company's Salesforce Identity Architect is reviewing its Salesforce production org

login history and is seeing some intermittent Security Assertion Markup Language (SAML SSO) 'Replay Detected and Assertion Invalid' login errors.

Which two issues would cause these errors? Choose 2 answers

The subject element is missing from the assertion sent to salesforce.

The certificate loaded into SSO configuration does not match the certificate used by the Id

The current time setting of the company's identity provider (IdP) and Salesforce platform is out of sync by more than eight minutes.

The assertion sent to 5alesforce contains an assertion ID previously used.

7. Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow (this flow uses the OAuth 2.0 implicit grant type).

Which three OAuth concepts apply to this flow? Choose 3 answers

Client ID

Refresh Token

Authorization Code

Verification Code

Scopes

8. Universal Containers (UC) uses Salesforce to allow customers to keep track of the order status. The customers can log in to Salesforce using external authentication providers, such as Facebook and Google. UC is also leveraging the App Launcher to let customers access an of platform application for generating shipping labels. The label generator application uses OAuth to provide users access .

What license type should an Architect recommend for the customers?

Customer Community license

Identity license

Customer Community Plus license

External Identity license

9. Universal Containers (UC) is both a Salesforce and Google Apps customer. The UC IT team would like to manage the users for both systems in a single place to reduce administrative burden .

Which two optimal ways can the IT team provision users and allow Single Sign-on between Salesforce and Google Apps? Choose 2 answers

Build a custom app running on Heroku as the Identity Provider that can sync user information between Salesforce and Google Apps.

Use a third-party product as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.

Use Identity Connect as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.

Use Salesforce as the Identity Provider and Google Apps as a Service Provider and configure User Provisioning for Connected Apps.

10. Universal containers (UC) employees have salesforce access from restricted ip ranges only, to protect against unauthorised access. UC wants to rollout the salesforce1 mobile app and make it accessible from any location .

Which two options should an architect recommend? Choose 2 answers

Relax the ip restriction in the connect app settings for the salesforce1 mobile app

Use login flow to bypass ip range restriction for the mobile app.

Relax the ip restriction with a second factor in the connect app settings for salesforce1 mobile app

Remove existing restrictions on ip ranges for all types of user access.

Page 2 of 3

11. Universal containers (UC) has implemented SAML -based single Sign-on for their salesforce application. UC is using pingfederate as the Identity provider. To access salesforce, Users usually navigate to a bookmarked link to my domain URL .

What type of single Sign-on is this?

Sp-Initiated

IDP-initiated with deep linking

IDP-initiated

Web server flow.

12. Universal Containers (UC) built an integration for their employees to post, view, and vote for ideas in Salesforce from an internal Company portal. When ideas are posted in Salesforce, links to the ideas are created in the company portal pages as part of the integration process. The Company portal connects to Salesforce using OAuth. Everything is working fine, except when users click on links to existing ideas, they are always taken to the Ideas home page rather than the specific idea, after authorization .

Which OAuth URL parameter can be used to retain the original requested page so that a user can be redirected correctly after OAuth authorization?

Redirect_uri

State

Scope

Callback_uri

13. A group of users try to access one of universal containers connected apps and receive the following error message: "Failed: Not approved for access".

What is most likely to cause of the issue?

The use of high assurance sections are required for the connected App.

The users do not have the correct permission set assigned to them.

The connected App setting "All users may self-authorize" is enabled.

The salesforce administrators gave revoked the Oauth authorization.

14. In a typical SSL setup involving a trusted party and trusting party, what consideration should an Architect take into account when using digital certificates?

Use of self-signed certificate leads to lower maintenance for trusted party because multiple self-signed certs need to be maintained.

Use of self-signed certificate leads to higher maintenance for trusted party because they have to act as the trusted CA

Use of self-signed certificate leads to lower maintenance for trusting party because there is no trusted CA cert to maintain.

Use of self-signed certificate leads to higher maintenance for trusting party because the cert needs to be added to their truststore.

15. Universal Containers (UC) is rolling out its new Customer Identity and Access Management Solution built on top of its existing Salesforce instance. UC wants to allow customers to login using Facebook, Google, and other social sign-on providers.

How should this functionality be enabled for UC, assuming ail social sign-on providers support OpenID Connect?

Configure an authentication provider and a registration handler for each social sign-on provider.

Configure a single sign-on setting and a registration handler for each social sign-on provider.

Configure an authentication provider and a Just-In-Time (JIT) handler for each social sign-on provider.

Configure a single sign-on setting and a JIT handler for each social sign-on provider.

16. Universal Containers wants to implement Single Sign-on for a Salesforce org using an external Identity Provider and corporate identity store.

What type of authentication flow is required to support deep linking?

Web Server OAuth SSO flow

Service-Provider-Initiated SSO

Identity-Provider-initiated SSO

StartURL on Identity Provider

17. Which three are capabilities of SAML-based Federated authentication? Choose 3 answers

Trust relationships between Identity Provider and Service Provider are required.

SAML tokens can be in XML or JSON format and can be used interchangeably.

Web applications with no passwords are more secure and stronger against attacks.

Access tokens are used to access resources on the server once the user is authenticated.

Centralized federation provides single point of access, control and auditing.

18. Northern Trail Outfitters (NTO) is planning to build a new customer service portal and wants to use password less login, allowing customers to login with a one-time passcode sent to them via email or SMS.

How should the quantity of required Identity Verification Credits be estimated?

Each community comes with 10,000 Identity Verification Credits per month and only customers with more than 10,000 logins a month should estimate additional SMS verifications needed.

Identity Verification Credits are consumed with each SMS (text message) sent and should be estimated based on the number of login verification challenges for SMS verification users.

Identity Verification Credits are consumed with each verification sent and should be estimated based on the number of logins that will incur a verification challenge.

Identity Verification Credits are a direct add-on license based on the number of existing member-based or login-based Community licenses.

19. Which three types of attacks would a 2-Factor Authentication solution help garden against?

Key logging attacks

Network perimeter attacks

Phishing attacks

Dictionary attacks

Man-in-the-middle attacks

20. A manufacturer wants to provide registration for an Internet of Things (IoT) device with limited display input or capabilities.

Which Salesforce OAuth authorization flow should be used?

OAuth 2.0 JWT Bearer How

OAuth 2.0 Device Flow

OAuth 2.0 User-Agent Flow

OAuth 2.0 Asset Token Flow

Page 3 of 3

21. Northern Trail Outfitters (NTO) has a number of employees who do NOT need access Salesforce objects. Trie employees should sign in to a custom Benefits web app using their Salesforce credentials.

Which license should the identity architect recommend to fulfill this requirement?

Identity Only License

External Identity License

Identity Verification Credits Add-on License

Identity Connect License

22. universal container plans to develop a custom mobile app for the sales team that will use salesforce for authentication and access management. The mobile app access needs to be restricted to only the sales team .

What would be the recommended solution to grant mobile app access to sales users?

Use a custom attribute on the user object to control access to the mobile app

Use connected apps Oauth policies to restrict mobile app access to authorized users.

Use the permission set license to assign the mobile app permission to sales users

Add a new identity provider to authenticate and authorize mobile users.

23. Universal containers (UC) would like to enable SAML-BASED SSO for a salesforce partner community. UC has an existing ldap identity store and a third-party portal. They would like to use the existing portal as the primary site these users access, but also want to allow seamless access to the partner community .

What SSO flow should an architect recommend?

User-Agent

IDP-initiated

Sp-Initiated

Web server

24. Northern Trail Outfitters (NTO) uses a Security Assertion Markup Language (SAML)-based Identity Provider (idP) to authenticate employees to all systems. The IdP authenticates users against a Lightweight Directory Access Protocol (LDAP) directory and has access to user information. NTO wants to minimize Salesforce license usage since only a small percentage of users need Salesforce.

What is recommended to ensure new employees have immediate access to Salesforce using their current IdP?

Install Salesforce Identity Connect to automatically provision new users in Salesforce the first time they attempt to login.

Build an integration that queries LDAP periodically and creates new active users in Salesforce.

Configure Just-in-Time provisioning using SAML attributes to create new Salesforce users as necessary when a new user attempts to login to Salesforce.

Build an integration that queries LDAP and creates new inactive users in Salesforce and use a login flow to activate the user at first login.

25. Which two things should be done to ensure end users can only use single sign-on (SSO) to login in to Salesforce? Choose 2 answers

Enable My Domain and select "Prevent login from https://login.salesforce.com".

Request Salesforce Support to enable delegated authentication.

Once SSO is enabled, users are only able to login using Salesforce credentials.

Assign user "is Single Sign-on Enabled" permission via profile or permission set.