Updated Jul-2023 100% Cover Real Identity-and-Access-Management-Architect Exam Questions Make Sure You 100% Pass
NEW QUESTION # 135
An identity architect wants to secure Salesforce APIs using Security Assertion Markup Language (SAML).
For security purposes, administrators will need to authorize the applications that will be consuming the APIs.
Which Salesforce OAuth authorization flow should be used?
- A. OAuth 2.0 JWT Bearer Flow
- B. OAuth 2.0 User-Agent Flow
- C. SAML Assertion Flow
- D. OAuth 2.0 SAML Bearer Assertion Flow
Answer: C
NEW QUESTION # 136
A leading fitness tracker company is getting ready to launch a customer community. The company wants its customers to log in to the community and connect their fitness device to their profile. Customers should be able to obtain exercise details and fitness recommendations in the community.
Which should be used to satisfy this requirement?
- A. Named Credentials
- B. OAuth Device Flow
- C. Single Sign-On Settings
- D. Login Flows
Answer: B
NEW QUESTION # 137
Northern Trail Outfitters (NTO) uses Salesforce for Sales Opportunity Management. Okta was recently brought in to Just-in-Time (JIT) provision and authenticate NTO users to applications. Salesforce users also use Okta to authorize a Forecasting web application to access Salesforce records on their behalf.
Which two roles are being performed by Salesforce?
Choose 2 answers
- A. OAuth Client
- B. OAuth Resource Server
- C. SAML Identity Provider
- D. SAML Service Provider
Answer: A,D
NEW QUESTION # 138
Northern Trail Outfitters (NTO) uses a Security Assertion Markup Language (SAML)-based Identity Provider (IdP) to authenticate employees to all systems. The IdP authenticates users against a Lightweight Directory Access Protocol (LDAP) directory and has access to user information. NTO wants to minimize Salesforce license usage since only a small percentage of users need Salesforce.
What is recommended to ensure new employees have immediate access to Salesforce using their current IdP?
- A. Configure Just-in-Time provisioning using SAML attributes to create new Salesforce users as necessary when a new user attempts to log in to Salesforce.
- B. Build an integration that queries LDAP periodically and creates new active users in Salesforce.
- C. Build an integration that queries LDAP and creates new inactive users in Salesforce and use a login flow to activate the user at first login.
- D. Install Salesforce Identity Connect to automatically provision new users in Salesforce the first time they attempt to log in.
Answer: A
NEW QUESTION # 139
Universal Containers (UC) has decided to build a new, highly sensitive application on the Force.com platform. The security team at UC has decided that they want users to provide a fingerprint in addition to username/password to authenticate to this application.
How can an architect support fingerprints as a form of identification for Salesforce authentication?
- A. Use an AppExchange product that does fingerprint scanning with native Salesforce identity confirmation.
- B. Use Delegated Authentication with callouts to a third-party fingerprint scanning application.
- C. Use custom login flows with callouts to a third-party fingerprint scanning application.
- D. Use Salesforce Two-factor Authentication with callouts to a third-party fingerprint scanning application.
Answer: C
NEW QUESTION # 140
A technology enterprise is planning to implement single sign-on login for users. When users log in to Salesforce, custom field data on the User object should be populated for new and existing users.
Which two steps should an identity architect recommend?
Choose 2 answers
- A. Implement SessionManagement Class.
- B. Implement RegistrationHandler Interface.
- C. Implement Auth.SamlJitHandler Interface.
- D. Create and update methods.
Answer: C,D
NEW QUESTION # 141
A security architect is rolling out a new multi-factor authentication (MFA) mandate, where all employees must go through a secure authentication process before accessing Salesforce. There are multiple Identity Providers (IdP) in place and the architect is considering how the "Authentication Method Reference" field (AMR) in the Login History can help.
Which two considerations should the architect keep in mind?
Choose 2 answers
- A. High-assurance sessions must be configured under Session Security Level Policies.
- B. Dependency on what is supported by OpenID Connect (OIDC) implementation at IdP.
- C. AMR field shows the authentication methods used at IdP.
- D. Both OIDC and Security Assertion Markup Language (SAML) are supported but AMR must be implemented at IdP.
Answer: C,D
NEW QUESTION # 142
Universal Containers (UC) has built a custom time tracking app for its employees. UC wants to leverage Salesforce Identity to control access to the custom app.
At a minimum, which Salesforce license is required to support this requirement?
- A. Identity Only
- B. Identity Connect
- C. External Identity
- D. Identity Verification
Answer: A
NEW QUESTION # 143
Universal Containers (UC) uses a home-grown employee portal for their employees to collaborate. UC decides to use Salesforce Ideas to allow the employees to post ideas from the employee portal. When clicking some links in the employee portal, the users should be redirected to Salesforce, authenticated, and presented with relevant pages.
What scope should be requested when using the OAuth token to meet this requirement?
- A. Full
- B. Visualforce
- C. API
- D. Web
Answer: D
NEW QUESTION # 144
Universal Containers (UC) wants users to authenticate into their Salesforce org using credentials stored in a custom identity store. UC does not want to purchase or use a third-party identity provider. Additionally, UC is extremely wary of social media and does not consider it to be trustworthy.
Which two options should an architect recommend to UC?
Choose 2 answers
- A. Use a professional social media such as LinkedIn as an Authentication provider
- B. Build a custom web page that uses the identity store and calls frontdoor.jsp
- C. Implement the OpenID protocol and configure an Authentication provider
- D. Build a custom Web service that is supported by Delegated Authentication.
Answer: C,D
NEW QUESTION # 145
Universal Containers (UC) operates in Asia, Europe and North America regions. There is one Salesforce org for each region. UC is implementing Customer 360 in Salesforce and has procured External Identity and Customer Community licenses in all orgs.
Customers of UC use Community to track orders and create inquiries. Customers also tend to move across regions frequently.
What should an identity architect recommend to optimize license usage and reduce maintenance overhead?
- A. Contacts are required since Community access needs to be enabled. Maintenance is a necessary overhead that must be handled via data integration.
- B. Delete contact/ account records and deactivate user if user moves from a specific region; Sync will no longer be required.
- C. Merge three orgs into one instance of Salesforce. This will no longer require maintaining three separate copies of the same customer.
- D. Enable Contactless User in all orgs and downgrade users from Experience Cloud license to External Identity license once users have moved out of that region.
Answer: A
NEW QUESTION # 146
Universal Containers (UC) employees have Salesforce access from restricted IP ranges only, to protect against unauthorised access. UC wants to roll out the Salesforce1 mobile app and make it accessible from any location.
Which two options should an Architect recommend?
Choose 2 answers
- A. Relax the IP restrictions in the Connected App settings for the Salesforce1 mobile app.
- B. Remove existing restrictions on IP ranges for all types of user access.
- C. Use Login Flow to bypass IP range restriction for the mobile app.
- D. Relax the IP restriction with a second factor in the Connected App settings for the Salesforce1 mobile app.
Answer: A,D
NEW QUESTION # 147
Universal Containers (UC) is looking to build a Canvas app and wants to use the corresponding Connected App to control where the app is visible.
Which two options are correct with regard to where the app can be made visible under the Connected App setting for the Canvas app?
Choose 2 answers
- A. The sidebar of a Salesforce Console as a console component.
- B. In the mobile navigation menu on Salesforce for Android.
- C. As part of the body of a Salesforce Knowledge article.
- D. Included in the Call Control Tool that's part of Open CTI.
Answer: A,C
NEW QUESTION # 148
Universal Containers (UC) has a strict requirement to authenticate users to Salesforce using their mainframe credentials. The mainframe user store cannot be accessed from a SAML provider. UC would also like to have users in Salesforce created on the fly if they provide accurate mainframe credentials.
How can the Architect meet these requirements?
- A. Implement OAuth User-Agent Flow on the mainframe; use a Registration Handler to create the user on the fly.
- B. Use the SOAP API to create the user when created on the mainframe; implement Delegated Authentication.
- C. Implement Just-In-Time Provisioning on the mainframe to create the user on the fly.
- D. Use a Salesforce Login Flow to call out to a web service and create the user on the fly.
Answer: C
NEW QUESTION # 149
Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Access Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee recently was able to log in to NTO's Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory.
What should an identity architect recommend to prevent this from happening in the future?
- A. Configure an authentication provider to delegate authentication to the LDAP directory.
- B. Use a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce.
- C. Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP.
- D. Set up an identity provider (IdP) to authenticate users using LDAP, set up single sign-on to Salesforce and disable Login Form authentication.
Answer: A
NEW QUESTION # 150
A real estate company wants to provide its customers a digital space to design their interior decoration options.
To simplify the registration to gain access to the community site (built in Experience Cloud), the CTO has requested that the IT/Development team provide the option for customers to use their existing social-media credentials to register and access.
The IT lead has approached the Salesforce Identity and Access Management (IAM) architect for technical direction on implementing the social sign-on (for Facebook, Twitter, and a new provider that supports standard OpenID Connect (OIDC)).
Which two recommendations should the Salesforce IAM architect make to the IT Lead?
Choose 2 answers
- A. Authentication provider configuration is required for each social sign-on provider, and Authentication providers must be enabled in the community.
- B. Use a declarative registration handler (Process Builder/Flow) to create and update users and contacts.
- C. For supporting OIDC it is necessary to enable Security Assertion Markup Language (SAML) with Just-in-Time provisioning (JIT) and OAuth 2.0.
- D. Apex coding skills are needed for registration handler to create and update users.
Answer: A,D
NEW QUESTION # 151
Universal Containers (UC) wants to implement a partner community. As part of their implementation, UC would like to modify both the Forgot Password and Change Password experience with custom branding for their partner community users.
Which two actions should an architect recommend to UC?
Choose 2 answers
- A. Build a custom Visualforce page for the Change Password experience and a Community Builder page for the Forgot Password experience.
- B. Build a Community Builder page for both the Change Password and Forgot Password experiences.
- C. Build a custom Visualforce page for both the Change Password and Forgot Password experiences.
- D. Build a Community Builder page for the Change Password experience and a custom Visualforce page for the Forgot Password experience.
Answer: A,C
NEW QUESTION # 152
How should an Architect force users to authenticate with Two-factor Authentication (2FA) for Salesforce only when not connected to an internal company network?
- A. Add the list of company's network IP addresses to the Login Range list under 2FA Setup.
- B. Use Custom Login Flows with Apex to detect the user's IP address and prompt for 2FA if needed.
- C. Use an Apex Trigger on the UserLogin object to detect the user's IP address and prompt for 2FA if needed.
- D. Apply the "Two-factor Authentication for User Interface Logins" permission and Login IP Ranges for all Profiles.
Answer: B
NEW QUESTION # 153
An Architect is troubleshooting some SAML-based SSO errors during testing. The Architect confirmed that all of the Salesforce SSO settings are correct.
Which two issues outside of the Salesforce SSO settings are most likely contributing to the SSO errors the Architect is encountering?
Choose 2 answers
- A. The clock on the Identity Provider server is twenty minutes behind Salesforce.
- B. The Identity Provider is also used to SSO into five other applications.
- C. The Issuer Certificate from the Identity Provider expired two weeks ago.
- D. The default language for the Identity Provider and Salesforce is different.
Answer: A,C
NEW QUESTION # 154
Universal Containers (UC) has an existing e-commerce platform and is implementing a new customer community. They do not want to force customers to register on both applications due to concern over the customer experience. It is expected that 25% of the e-commerce customers will utilize the customer community. The e-commerce platform is capable of generating SAML responses and has an existing RESTful API capable of managing users.
How should UC create the identities of its e-commerce users with the customer community?
- A. Use the standard Salesforce API to create users in the Community when a user is created in the e-commerce platform and use SAML to allow SSO.
- B. Use the e-commerce REST API to create users when a user self-registers on the customer community and use SAML to allow SSO.
- C. Use a nightly batch ETL job to sync users between the Customer Community and the e-commerce platform and use SAML to allow SSO.
- D. Use SAML JIT in the Customer Community to create users when a user tries to log in to the community from the e-commerce site.
Answer: D
NEW QUESTION # 155
In a typical SSL setup involving a trusted party and trusting party, what consideration should an Architect take into account when using digital certificates?
- A. Use of self-signed certificate leads to higher maintenance for trusting party because the cert needs to be added to their truststore.
- B. Use of self-signed certificate leads to higher maintenance for trusted party because they have to act as the trusted CA.
- C. Use of self-signed certificate leads to lower maintenance for trusting party because there is no trusted CA cert to maintain.
- D. Use of self-signed certificate leads to lower maintenance for trusted party because multiple self-signed certs need to be maintained.
Answer: C
NEW QUESTION # 156
A pharmaceutical company has an on-premise application (see illustration) that it wants to integrate with Salesforce.
The IT director wants to ensure that requests must include a certificate with a trusted certificate chain to access the company's on-premise application endpoint.
What should an Identity architect do to meet this requirement?
- A. Use OpenSSL to generate a self-signed certificate and upload it to the on-premise app.
- B. Upload a third-party certificate from Salesforce into the on-premise server.
- C. Configure the company firewall to allow traffic from Salesforce IP ranges.
- D. Generate a certificate authority-signed certificate in Salesforce and upload it to the on-premise application Truststore.
Answer: C
NEW QUESTION # 157
An architect needs to advise the team that manages the identity provider how to differentiate Salesforce from other service providers.
What SAML SSO setting in Salesforce provides this capability?
- A. Entity ID
- B. Identity provider login URL
- C. SAML identity location
- D. Issuer
Answer: A
NEW QUESTION # 158
Universal Containers (UC) currently uses Salesforce Sales Cloud and an external billing application. Both Salesforce and the billing application are accessed several times a day to manage customers. UC would like to configure single sign-on and leverage Salesforce as the identity provider. Additionally, UC would like the billing application to be accessible from Salesforce. A redirect is acceptable.
Which two Salesforce tools should an identity architect recommend to satisfy the requirements?
Choose 2 answers
- A. Salesforce Canvas
- B. Connected Apps
- C. App Launcher
- D. Identity Connect
Answer: A,C