Certified Identity and Access Management Designer v1.0 (Certified Identity and Access Management Designer)

Page:    1 / 4   
Total 60 questions

The security team at Universal Containers has identified exporting reports as a high-risk action and would like to require users to be logged into Salesforce with their Active Directory (AD) credentials when doing so. For all other uses of Salesforce, users should be allowed to use AD credentials or Salesforce credentials.
What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with Salesforce credentials?

  • A. Use SAML Federated Authentication and Custom SAML JIT Provisioning to dynamically add or remove a Permission Set that grants the Export Reports permission.
  • B. Use SAML Federated Authentication, treat SAML Sessions as High Assurance, and raise the session level required for exporting reports.
  • C. Use SAML Federated Authentication with a Login Flow to dynamically add or remove a Permission Set that grants the Export Reports permission.
  • D. Use SAML Federated Authentication and block access to reports when accessed through a Standard Assurance session.


Answer : B

Which three capabilities does SAML-based Federated authentication provide? (Choose three.)

  • A. Centralized federation provides single point of access, control and auditing.
  • B. Access tokens are used to access resources on the server once the user is authenticated.
  • C. Web applications with no passwords are more secure and stronger against hacks.
  • D. Trust relationships between Identity Provider and Service Provider are required.
  • E. SAML tokens can be in XML or JSON format and can be used interchangeably.


Answer : ABD

Universal Containers is setting up their Customer Community self-registration process. They are uncomfortable with the idea of assigning new users to a default Account record.
What will happen when customers self-register in the Community?

  • A. The self-registration process will produce an error to the user.
  • B. The self-registration process will create a Person Account record.
  • C. The self-registration page will create a new Account record.
  • D. The self-registration page will ask users to select an Account.


Answer : A

After a recent audit, Universal Containers (UC) was advised to implement Two-Factor Authentication for all of their critical systems, including Salesforce.
Which two actions should UC consider to meet this requirement? (Choose two.)

  • A. Require users to use a biometric reader as well as their password.
  • B. Require users to supply their email and phone number, which gets validated.
  • C. Require users to enter a second password after the first authentication.
  • D. Require users to provide their RSA token along with their credentials.


Answer : AD

Universal Containers (UC) has a mobile application for its employees that uses data from Salesforce as well as uses Salesforce for authentication purposes. UC wants its mobile users to only enter their credentials the first time they run the app. The application has been live for a little over 6 months, and all of the users who were a part of the initial launch are complaining that they have to re-authenticate. UC has also recently changed the URI Scheme associated with the mobile app.
What should the Architect at UC first investigate?

  • A. Check the Refresh Token Policy defined in the Salesforce Connected App.
  • B. Confirm that the Access Token's Time-To-Live policy has been set appropriately.
  • C. Verify that the Callback URL is correctly pointing to the new URI Scheme.
  • D. Validate that the users are checking the box to remember their passwords.


Answer : A

Universal Containers (UC) would like to enable self-registration for their Salesforce Partner Community Users. UC wants to capture some custom data elements from the partner user, and based on these data elements, wants to assign the appropriate Profile and Account values.
Which two actions should the Architect recommend to UC? (Choose two.)

  • A. Configure Registration for Communities to use a custom Visualforce Page.
  • B. Configure Registration for Communities to use a custom Apex Controller.
  • C. Modify the CommunitiesSelfRegController to assign the Profile and Account.
  • D. Modify the SelfRegistration trigger to assign Profile and Account.


Answer : AC

Universal Containers (UC) wants to build a mobile application that will be making calls to the Salesforce REST API. UC's Salesforce implementation relies heavily on custom objects and custom Apex code. UC does not want its users to have to enter credentials every time they use the app.
Which two scope values should an Architect recommend to UC? (Choose two.)

  • A. full
  • B. api
  • C. refresh_token
  • D. custom_permissions


Answer : AC

Universal Containers (UC) built a Customer Community for customers to buy products, review orders, and manage their accounts. UC has provided three different options for customers to log in to the Customer Community: Salesforce, Google, and Facebook.
Which two role combinations are represented by the systems in this scenario? (Choose two.)

  • A. Google is the Service Provider and Facebook is the Identity Provider.
  • B. Facebook is the Service Provider and Salesforce is the Identity Provider.
  • C. Salesforce is the Service Provider and Google is the Identity Provider.
  • D. Salesforce is the Service Provider and Facebook is the Identity Provider.


Answer : CD

Universal Containers (UC) has Active Directory (AD) as their enterprise identity store and would like to use it for Salesforce user authentication. UC expects to synchronize user data between Salesforce and AD and assign the appropriate Profile and Permission Sets based on AD group membership.
What would be the recommended way to implement SSO?

  • A. Use Salesforce Identity Connect as the Identity Provider.
  • B. Use Active Directory with Reverse Proxy as the Identity Provider.
  • C. Use Microsoft Access Control Service as the Authentication Provider.
  • D. Use Active Directory Federation Service (ADFS) as the Identity Provider.


Answer : A

Universal Containers (UC) has decided to use Salesforce as an Identity Provider for multiple external applications. UC wants to use the Salesforce App Launcher to control the apps that are available to individual users.
Which three steps are required to make this happen? (Choose three.)

  • A. Add each Connected App to the App Launcher with a Start URL.
  • B. Create a Connected App for each external application.
  • C. Set up Salesforce as a SAML IdP with My Domain.
  • D. Set up Identity Connect to synchronize user data.
  • E. Set up an Auth Provider for each external application.


Answer : ACE

Universal Containers (UC) has implemented an SP-initiated SAML flow between an external IdP and Salesforce. A user at UC is attempting to log in to Salesforce mobile app for the first time and is being prompted for Salesforce credentials instead of being shown the IdP login page.
What is the likely cause of the issue?

  • A. The "Redirect to Identity Provider" option has NOT been selected in the My Domain configuration.
  • B. The "Redirect to Identity Provider" option has NOT been selected on the SAML configuration.
  • C. The user has NOT been granted the "Enable Single Sign-on" permission.
  • D. The user has NOT configured the Salesforce mobile app to use My Domain for login.


Answer : D

Which two security risks can be mitigated by enabling Two-Factor Authentication in Salesforce? (Choose two.)

  • A. Users accessing Salesforce from a public Wi-Fi access point.
  • B. Users creating simple-to-guess password reset questions.
  • C. Users leaving laptops unattended and NOT logging out of Salesforce.
  • D. Users choosing passwords that are the same as their Facebook password.


Answer : AD

Universal Containers (UC) would like to enable SAML-based SSO for a Salesforce Partner Community. UC has an existing LDAP identity store and a third-party portal. They would like to use the existing portal as the primary site these users access, but also want to allow seamless access to the Partner Community.
What SSO flow should an Architect recommend?

  • A. IdP-Initiated
  • B. SP-Initiated
  • C. User-Agent
  • D. Web Server


Answer : A

An Architect needs to set up a Facebook Authentication provider as a login option for a Salesforce Customer Community.
What portion of the authentication provider setup associates a Facebook user with a Salesforce user?

  • A. Apex Registration Handler
  • B. Federation ID
  • C. Consumer Key and Consumer Secret
  • D. User Info Endpoint URL


Answer : A

Universal Containers (UC) employees have Salesforce access from restricted IP ranges only, to protect against unauthorized access. UC wants to roll out the Salesforce mobile app and make it accessible from any location.
Which two options should an Architect recommend? (Choose two.)

  • A. Use Login Flow to bypass IP range restriction for the mobile app.
  • B. Relax the IP restriction with a second factor in the Connected App settings for the Salesforce mobile app.
  • C. Relax the IP restriction in the Connected App settings for the Salesforce mobile app.
  • D. Remove existing restrictions on IP ranges for all types of user access.


Answer : BC
