
OCTOBER 7, 2022

Identity And Access Management Designer Dumps – Pass Salesforce Identity And Access Management Designer Exam Easily

1. A consumer products company uses Salesforce to maintain consumer information, including orders. The company
implemented a portal solution using Salesforce Experience Cloud for its consumers where the consumers can log in using
their credentials. The company is considering allowing users to log in with their Facebook or LinkedIn credentials.

Once enabled, what role will Salesforce play?


Facebook and LinkedIn will be the SPs.
Salesforce will be the service provider (SP).
Salesforce will be the identity provider (IdP).
Facebook and LinkedIn will act as the IdPs and SPs.

2. An Architect has configured a SAML-based SSO integration between Salesforce and an external Identity provider and is
ready to test it. When the Architect attempts to log in to Salesforce using SSO, the Architect receives a SAML error.

Which two optimal actions should the Architect take to troubleshoot the issue?
Ensure the Callback URL is correctly set in the Connected Apps settings.
Use a browser that has an add-on/extension that can inspect SAML.
Paste the SAML Assertion Validator in Salesforce.
Use the browser's Development tools to view the Salesforce page's markup.

3. Universal Containers plans to develop a custom mobile app for the sales team that will use Salesforce for authentication and
access management. The mobile app access needs to be restricted to only the sales team.

What would be the recommended solution to grant mobile app access to sales users?
Use a custom attribute on the user object to control access to the mobile app
Use connected apps OAuth policies to restrict mobile app access to authorized users.
Use the permission set license to assign the mobile app permission to sales users
Add a new identity provider to authenticate and authorize mobile users.

4. A university is planning to set up an identity solution for its alumni. A third-party identity provider will be used for single
sign-on. Salesforce will be the system of record. Users are getting error messages when logging in.

Which Salesforce feature should be used to debug the issue?


Apex Exception Email
View Setup Audit Trail
Debug Logs
Login History

5. Universal Containers (UC) wants to integrate a third-party reward calculation system with Salesforce to calculate rewards.
Rewards will be calculated on a scheduled basis and updated back into Salesforce. The integration between Salesforce and the
reward calculation system needs to be secure.

Which are the recommended best practices for using OAuth flows in this scenario? Choose 2 answers
OAuth refresh token flow
OAuth SAML bearer assertion flow
OAuth JWT bearer token flow
OAuth Username-password flow

6. Which two capabilities does My Domain enable in the context of a SAML SSO configuration? Choose 2 answers
App Launcher
Resource deep linking
SSO from Salesforce Mobile App
Login Forensics

7. Universal Containers (UC) uses Salesforce for its customer service agents. UC has a proprietary system for order tracking
which supports Security Assertion Markup Language (SAML) based single sign-on. The VP of customer service wants to
ensure that only active Salesforce users are able to access the order tracking system, which is only visible within Salesforce.

What should be done to fulfill the requirement? Choose 2 answers


Set up Salesforce as an identity provider (IdP) for Order Tracking.
Set up the Corporate Identity store as an identity provider (IdP) for Order Tracking.
Customize Order Tracking to initiate a REST call to validate users in Salesforce after login.
Set up Order Tracking as a Canvas app in Salesforce to POST an IdP-initiated SAML assertion.

8. Universal Containers (UC) is building a customer community and will allow customers to authenticate using Facebook
credentials. The first time a user authenticates using Facebook, UC would like a customer account created automatically in
their accounting system. The accounting system has a web service accessible to Salesforce for the creation of accounts.

How can the Architect meet these requirements?


Create a custom application on Heroku that manages the sign-on process from Facebook.
Use JIT Provisioning to automatically create the account in the accounting system.
Add an Apex callout in the registration handler of the authorization provider.
Use OAuth JWT flow to pass the data from Salesforce to the Accounting System.

9. Universal Containers wants Salesforce inbound OAuth-enabled integration clients to use SAML-based single sign-on for
authentication.

What OAuth flow would be recommended in this scenario?


User-Agent OAuth flow
SAML assertion OAuth flow
User-Token OAuth flow
Web server OAuth flow

10. Universal Containers wants to implement Single Sign-on for a Salesforce org using an external Identity Provider and
corporate identity store.

What type of authentication flow is required to support deep linking?


Web Server OAuth SSO flow
Service-Provider-Initiated SSO
Identity-Provider-initiated SSO
Start URL on Identity Provider

11. Universal Containers (UC) uses a legacy Employee portal for their employees to collaborate. Employees access the portal from their
company’s internal website via SSO. It is set up to work with SiteMinder and Active Directory. The Employee portal has
features to support posting ideas. UC decides to use Salesforce Ideas for voting and better tracking purposes. To avoid
provisioning users on Salesforce, UC decides to integrate Employee portal ideas with Salesforce Ideas through the API.

What is the role of Salesforce in the context of SSO, based on this scenario?
Service Provider, because Salesforce is the application for managing ideas.
Connected App, because Salesforce is connected with the Employee portal via API.
Identity Provider, because the API calls are authenticated by Salesforce.
An independent system, because Salesforce is not part of the SSO setup.

12. The security team at Universal Containers (UC) has identified exporting reports as a high-risk action and would like to
require users to be logged into Salesforce with their Active Directory (AD) credentials when doing so. For all other users of
Salesforce, users should be allowed to use AD credentials or Salesforce credentials.

What solution should be recommended to prevent exporting reports except when logged in using AD credentials while
maintaining the ability to view reports when logged in with Salesforce credentials?
Use SAML Federated Authentication and block access to reports when accessed through a Standard Assurance session.
Use SAML Federated Authentication and Custom SAML JIT Provisioning to dynamically add or remove a permission set that grants
the Export Reports Permission.
Use SAML federated Authentication, treat SAML Sessions as High Assurance, and raise the session level required for exporting
reports.
Use SAML federated Authentication with a Login Flow to dynamically add or remove a Permission Set that grants the Export
Reports Permission.

13. Refer to the exhibit.


Northern Trail Outfitters (NTO) is using Experience Cloud as an Identity Provider for its application on Heroku. The application on Heroku should be
able to handle two brands, Northern Trail Shoes and Northern Trail Shirts.

A user should select either of the two brands in Heroku before logging into the community. The app then performs
authorization using OAuth 2.0 with the Salesforce Experience Cloud site.

NTO wants to make sure it renders login page images dynamically based on the user's brand preference selected in Heroku
before Authorization.

What should an identity architect do to fulfill the above requirements?


For each brand create different communities and redirect users to the appropriate community using a custom Login controller
written in Apex.
Create multiple login screens using Experience Builder and use Login Flows at runtime to route to different login screens.
Authorize third-party service by sending authorization requests to the community-url/services/oauth2/authorize/cookie_value.
Authorize third-party service by sending authorization requests to the community-url/services/oauth2/authorize/expid_value.

14. Universal Containers (UC) is rolling out a new Customer Identity and Access Management solution that will be built on top of their
existing Salesforce instance.

Several service providers have been set up and integrated with Salesforce using OpenID Connect to allow for a seamless
single sign-on experience. UC has a requirement to limit user access to only a subset of service providers per customer type.

Which two steps should be done on the platform to satisfy the requirement? Choose 2 answers
Manage which connected apps a user has access to by assigning authentication providers to the user's profile.
Assign the connected app to the customer community, and enable the user's profile in the Community settings.
Use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps.
Set each of the Connected App access settings to Admin Pre-Approved.

15. Northern Trail Outfitters wants to allow its consumers to self-register on its business-to-consumer (B2C) portal that is built on
Experience Cloud. The identity architect has recommended using Person Accounts.

Which three steps need to be configured to enable self-registration using person accounts? Choose 3 answers
Enable access to person and business account record types under Public Access Settings.
Contact Salesforce Support to enable business accounts.
Under Login and Registration settings, ensure that the default account field is empty.
Contact Salesforce Support to enable person accounts.
Set organization-wide default sharing for Contact to Public Read Only.

16. Universal Containers is implementing a new Experience Cloud site and the identity architect wants to use dynamic
branding features as part of the login process.

Which two options should the identity architect recommend to support dynamic branding for the site? Choose 2 answers
To use dynamic branding, the community must be built with the Visualforce + Salesforce Tabs template.
To use dynamic branding, the community must be built with the Customer Account Portal template.
An experience ID (expid) or placeholder parameter must be used in the URL to represent the brand.
An external content management system (CMS) must be used for dynamic branding on Experience Cloud sites.

17. A group of users try to access one of Universal Containers' Connected Apps and receive the following error message: "Failed: Not approved for access."

What is the most likely cause of this issue?


The Connected App settings "All users may self-authorize" is enabled.
The Salesforce Administrators have revoked the OAuth authorization.
The Users do not have the correct permission set assigned to them.
The use of High Assurance sessions is required for the Connected App.

18. Universal Containers (UC) has implemented a multi-org strategy and would like to centralize the management of their
Salesforce user profiles.

What should the architect recommend to allow Salesforce profiles to be managed from a central system of record?
Implement JIT provisioning on the SAML IdP that will pass the profile ID in each assertion.
Create an Apex scheduled job in one org that will synchronize the other orgs' profiles.
Implement Delegated Authentication that will update the user profiles as necessary.
Implement an OAuth JWT flow to pass the profile credentials between systems.

19. Universal Containers (UC) is building a custom employee hub application on Amazon Web Services (AWS) and would like to
store their users' credentials there. Users will also need access to Salesforce for internal operations. UC has tasked an identity
architect with evaluating different solutions for authentication and authorization between AWS and Salesforce.

How should an identity architect configure AWS to authenticate and authorize Salesforce users?
Configure the custom employee app as a connected app.
Configure AWS as an OpenID Connect Provider.
Create a custom external authentication provider.
Develop a custom Auth server in AWS.

20. Universal Containers is creating a web application that will be secured by Salesforce Identity using the OAuth 2.0 Web
Server Flow (which uses the OAuth 2.0 authorization code grant type).

Which three OAuth concepts apply to this flow? Choose 3 answers


Verification URL
Client Secret
Access Token
Scopes

21. A global fitness equipment manufacturer is planning to sell fitness tracking devices and has the following requirements:

1) Customer purchases the device.

2) Customer registers the device using their mobile app.

3) A case should automatically be created in Salesforce and associated with the customer's account in cases where the device
registers issues with tracking.

Which OAuth flow should be used to meet these requirements?
OAuth 2.0 Asset Token Flow
OAuth 2.0 Username-Password Flow
OAuth 2.0 User-Agent Flow
OAuth 2.0 SAML Bearer Assertion Flow

22. How should an Architect automatically redirect users to the login page of the external Identity provider when using an SP-
Initiated SAML flow with Salesforce as a Service Provider?
Use Visualforce as the landing page for My Domain to redirect users to the Identity Provider login page.
Enable the Redirect to the Identity Provider setting under Authentication Services on the My Domain configuration.
Remove the Login page from the list of Authentication Services on the My Domain configuration.
Set the Identity Provider as default and enable the Redirect to the Identity Provider setting on the SAML Configuration.

23. Universal Containers (UC) has an e-commerce website where customers can buy products, make payments and manage
their accounts. UC decides to build a Customer Community on Salesforce and wants to allow the customers to access the
community from their accounts without logging in again. UC decides to implement an SP-initiated SSO using a SAML-
compliant IdP.

In this scenario where Salesforce is the Service Provider, which two activities must be performed in Salesforce to make SP-
initiated SSO work? Choose 2 answers
Configure SAML SSO settings.
Create a Connected App.
Configure Delegated Authentication.
Set up My Domain.

24. Universal Containers (UC) built an integration for their employees to post, view, and vote for ideas in Salesforce from an
internal Company portal. When ideas are posted in Salesforce, links to the ideas are created in the company portal pages as
part of the integration process. The Company portal connects to Salesforce using OAuth. Everything is working fine, except
when users click on links to existing ideas, they are always taken to the Ideas home page rather than the specific idea, after
authorization.

Which OAuth URL parameter can be used to retain the original requested page so that a user can be redirected correctly after
OAuth authorization?
Redirect_uri
State
Scope
Callback_uri

25. In a typical SSL setup involving a trusted party and trusting party, what consideration should an Architect take into account
when using digital certificates?
Use of a self-signed certificate leads to lower maintenance for the trusted party because multiple self-signed certs need to be maintained.
Use of a self-signed certificate leads to higher maintenance for the trusted party because they have to act as the trusted CA.
Use of a self-signed certificate leads to lower maintenance for the trusting party because there is no trusted CA cert to maintain.
Use of a self-signed certificate leads to higher maintenance for the trusting party because the cert needs to be added to their trust store.

26. Universal Containers (UC) uses a home-grown employee portal for their employees to collaborate. UC decides to use
Salesforce Ideas to allow the employees to post ideas from the employee portal. When clicking some links in the employee
portal, the users should be redirected to Salesforce, authenticated, and presented with relevant pages.

What scope should be requested when using the OAuth token to meet this requirement?
Web
Full
API
Visualforce

27. Universal Containers wants to build a custom mobile app connecting to Salesforce using OAuth, and would like to restrict
the types of resources mobile users can access.

What OAuth feature of Salesforce should be used to achieve the goal?


Access Tokens
Mobile pins
Refresh Tokens
Scopes

28. Universal Containers (UC) is setting up Delegated Authentication to allow employees to log in using their corporate
credentials. UC's security team is concerned about the risk of exposing the corporate login service on the Internet and has
asked that a reliable trust mechanism be put in place between the login service and Salesforce.

What mechanism should an architect put in place to enable a trusted connection between the login service and Salesforce?
Include client ID and client secret in the login header callout.
Set up a proxy server for the login service in the DMZ.
Require the use of Salesforce security tokens on passwords.
Enforce mutual authentication between systems using SSL.

29. Universal Containers (UC) is planning to deploy a custom mobile app that will allow users to get e-signatures from its
customers on their mobile devices. The mobile app connects to Salesforce to upload the e-signature as a file attachment and
uses the OAuth protocol for both authentication and authorization.

What is the most recommended and secure OAuth scope setting that an Architect should recommend?
Id
Web
Api
Custom_permissions

30. Universal Containers (UC) has implemented SAML-based Single Sign-On to provide seamless access to its Salesforce
Orgs, financial system, and CPQ system. Below is the SSO implementation landscape.

What role combination is represented by the systems in this scenario?
Financial System and CPQ System are the only Service Providers.
Salesforce Org1 and Salesforce Org2 are the only Service Providers.
Salesforce Org1 and Salesforce Org2 are acting as Identity Providers.
Salesforce Org1 and PingFederate are acting as Identity Providers.

31. A security architect is rolling out a new multi-factor authentication (MFA) mandate, where all employees must go through a
secure authentication process before accessing Salesforce. There are multiple Identity Providers (IdP) in place and the
architect is considering how the "Authentication Method Reference" field (AMR) in the Login History can help.

Which two considerations should the architect keep in mind? Choose 2 answers
AMR field shows the authentication methods used at the IdP.
Both OIDC and Security Assertion Markup Language (SAML) are supported but AMR must be implemented at the IdP.
High-assurance sessions must be configured under Session Security Level Policies.
Dependency on what is supported by the OpenID Connect (OIDC) implementation at the IdP.

32. An Architect needs to advise the team that manages the Identity Provider how to differentiate Salesforce from other Service
Providers.

What SAML SSO setting in Salesforce provides this capability?


Identity Provider Login URL
Issuer
Entity ID
SAML Identity Location

33. Universal Containers (UC) has five Salesforce orgs (UC1, UC2, UC3, UC4, UC5). Every user that is in UC2, UC3, UC4, and
UC5 is also in UC1; however, not all users have access to every org. Universal Containers would like to simplify the
authentication process such that all Salesforce users need to remember one set of credentials. UC would like to achieve this
with the least impact to cost and maintenance.

What approach should an Architect recommend to UC?


Purchase a third-party Identity Provider for all five Salesforce orgs to use and set up JIT user provisioning on all other orgs.
Purchase a third-party Identity Provider for all five Salesforce orgs to use, but don't set up JIT user provisioning for other orgs.
Configure UC1 as the Identity Provider to the other four Salesforce orgs and set up JIT user provisioning on all other orgs.
Configure UC1 as the Identity Provider to the other four Salesforce orgs, but don't set up JIT user provisioning for other orgs.

34. Universal Containers (UC) wants its Closed Won opportunities to be synced to a data warehouse in near real time. UC has
implemented Outbound Message to enable near real-time data sync. UC wants to ensure that communication between
Salesforce and the target system is secure.

What certificate is sent along with the Outbound Message?


The Self-signed Certificates from the Certificate & Key Management menu.
The default client Certificate from the Develop --> API menu.
The default client Certificate or the Certificate and Key Management menu.
The CA-signed Certificate from the Certificate and Key Management Menu.

35. Universal Containers (UC) has a mobile application that calls the Salesforce REST API. In order to prevent users from
having to enter their credentials every time they use the app, UC has enabled the use of refresh tokens as part of the Salesforce
connected app and updated their mobile app to take advantage of the refresh token. Even after enabling the refresh token,
users are still complaining that they have to enter their credentials once a day.

What is the most likely cause of the issue?


The OAuth authorizations are being revoked by a nightly batch job.
The refresh token expiration policy is set incorrectly in Salesforce.
The app is requesting too many access tokens in a 24-hour period.
The users forget to check the box to remember their credentials.

36. Universal Containers (UC) employees have Salesforce access from restricted IP ranges only, to protect against
unauthorised access. UC wants to roll out the Salesforce1 mobile app and make it accessible from any location.

Which two options should an Architect recommend? Choose 2 answers


Relax the IP restriction with a second factor in the Connected App settings for the Salesforce1 mobile app.
Remove existing restrictions on IP ranges for all types of user access.
Relax the IP restrictions in the Connected App settings for the Salesforce1 mobile app.
Use Login Flow to bypass IP range restriction for the mobile app.

37. A service provider (SP) supports both Security Assertion Markup Language (SAML) and OpenID Connect (OIDC).

When integrating this SP with Salesforce, which use case is the determining factor when choosing OIDC or SAML?
OIDC is more secure than SAML and therefore is the obvious choice.
The SP needs to perform API calls back to Salesforce on behalf of the user after the user logs in to the service provider.
If the user has a session on Salesforce, you do not want them to be prompted for a username and password when they log in to the SP.
They are equivalent protocols and there is no real reason to choose one over the other.

38. Northern Trail Outfitters would like to automatically create new employee users in Salesforce with an appropriate profile
that maps to its Active Directory Department.

How should an identity architect implement this requirement?


Use the createUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.
Use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.
Use a login flow to collect Security Assertion Markup Language attributes and assign the appropriate profile during Just-In-Time
(JIT) provisioning.
Make a callout during the login flow to query department from Active Directory to assign the appropriate profile.

39. What item should an Architect consider when designing a Delegated Authentication implementation?
The Web service should be secured with TLS using Salesforce trusted certificates.
The Web service should be able to accept one to four input method parameters.
The web service should use the Salesforce Federation ID to identify the user.
The Web service should implement a custom password decryption method.

40. A public sector agency is setting up an identity solution for its citizens using a Community built on Experience Cloud and
requires the new user registration functionality to capture first name, last name, and phone number. The phone number will be
used for identity verification.

Which feature should an identity architect recommend to meet the requirements?


Integrate with social websites (Facebook, LinkedIn, Twitter)
Use an external Identity Provider
Create a custom Lightning Web Component
Use Login Discovery

41. Universal Containers (UC) would like to enable self-registration for their Salesforce Partner Community Users. UC wants to
capture some custom data elements from the partner user, and based on these data elements, wants to assign the appropriate
Profile and Account values.

Which two actions should the Architect recommend to UC? Choose 2 answers
Configure Registration for Communities to use a custom Visualforce Page.
Modify the SelfRegistration trigger to assign Profile and Account.
Modify the CommunitiesSelfRegController to assign the Profile and Account.
Configure Registration for Communities to use a custom Apex Controller.

42. Which two roles of the systems are involved in an environment where Salesforce users are enabled to access Google Apps
from within Salesforce through the App Launcher and a Connected App setup? Choose 2 answers
Google is the identity provider
Salesforce is the identity provider
Google is the service provider
Salesforce is the service provider
43. Universal Containers (UC) wants to build a few applications that leverage the Salesforce REST API. UC has asked its
Architect to describe how the API calls will be authenticated to a specific user.

Which two mechanisms can the Architect provide? Choose 2 answers


Authentication Token
Session ID
Refresh Token
Access Token

44. Northern Trail Outfitters (NTO) has an existing custom business-to-consumer (B2C) website that does NOT support single
sign-on standards, such as Security Assertion Markup Language (SAML) or OAuth. NTO wants to use Salesforce Identity to
register and authenticate new customers on the website.

Which two Salesforce features should an identity architect use in order to provide username/password authentication for the
website? Choose 2 answers
Identity Connect
Delegated Authentication
Connected Apps
Embedded Login

45. Universal containers (UC) is concerned that having a self-registration page will provide a means for "bots" or unintended
audiences to create user records, thereby consuming licences and adding dirty data.

Which two actions should UC take to prevent unauthorised form submissions during the self-registration process? Choose 2
answers
Use open-ended security questions and complex password requirements.
Primarily use lookup and picklist fields on the self-registration page.
Require a captcha at the end of the self-registration process.
Use hidden fields populated via JavaScript events in the self-registration page.

46. Universal Containers want users to be able to log in to the Salesforce mobile app with their Active Directory password.
Employees are unable to use mobile VPN.

Which two options should an identity architect recommend to meet the requirement? Choose 2 answers
Active Directory Password Sync Plugin
Configure Cloud Provider Load Balancer
Salesforce Trigger & Field on Contact Object
Salesforce Identity Connect

47. A global company is using the Salesforce Platform as an Identity Provider and needs to integrate a third-party application
with its Experience Cloud customer portal.

Which two features should be utilized to provide users with login and identity services for the third-party application? Choose 2
answers
Use the App Launcher with single sign-on (SSO).
External Data Source with Named Principal identity type.
Use a connected app.
Use Delegated Authentication.

48. An insurance company has a connected app in its Salesforce environment that is used to integrate with Google
Workspace (formerly known as G Suite).

An identity and access management (IAM) architect has been asked to implement automation to enable users, freeze/suspend
users, disable users, and reactivate existing users in Google Workspace upon similar actions in Salesforce.

Which solution is recommended to meet this requirement?


Configure User Provisioning for Connected Apps.
Update the Security Assertion Markup Language Just-in-Time (SAML JIT) handler in Salesforce for user provisioning and de-
provisioning.
Build a custom REST endpoint in Salesforce that Google Workspace can poll against.
Build an Apex trigger on the UserLogin object to make asynchronous callouts to Google APIs.

49. Sales users at Universal Containers use Salesforce for Opportunity management. Marketing uses a third-party application
called Nest for Lead nurturing that is accessed using username/password. The VP of sales wants to open up access to Nest for
all sales users to provide them access to lead history and would like SSO for better adoption. Salesforce is already set up for
SSO and uses Delegated Authentication. Nest can accept username/password or SAML-based authentication. IT teams have
received multiple password-related issues for Nest and have decided to set up SSO access for Nest for Marketing users as
well. The CIO does not want to invest in a new IdP solution and is considering using Salesforce for this purpose.

Which are appropriate license type choices for sales and marketing users, given that Salesforce is using Delegated
Authentication? Choose 2 answers
Salesforce license for sales users and Identity license for Marketing users
Salesforce license for sales users and External Identity license for Marketing users
Identity license for sales users and Identity Connect license for Marketing users
Salesforce license for sales users and Platform license for Marketing users.

50. Northern Trail Outfitters (NTO) uses Salesforce for Sales Opportunity Management. Okta was recently brought in to Just-in-
Time (JIT) provision and authenticate NTO users to applications. Salesforce users also use Okta to authorize a Forecasting
web application to access Salesforce records on their behalf.

Which two roles are being performed by Salesforce? Choose 2 answers


SAML Identity Provider
OAuth Client
OAuth Resource Server
SAML Service Provider

51. Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-
agent flow. Application users will authenticate using username and password. They should not be forced to approve API
access in the mobile app or reauthenticate for 3 months.

Which two connected app options need to be configured to fulfill this use case? Choose 2 answers
Set Permitted Users to "Admin approved users are pre-authorized".
Set Permitted Users to "All users may self-authorize".
Set the Session Timeout value to 3 months.
Set the Refresh Token Policy to expire refresh token after 3 months.

52. When designing a multi-branded Customer Identity and Access Management solution on the Salesforce Platform, how
should an identity architect ensure a specific brand experience in Salesforce is presented?
The Experience ID, which can be included in OAuth/OpenID flows and Security Assertion Markup Language (SAML) flows as a
URL parameter.
Provide a brand picker that the end user can use to select its sub-brand when they arrive on Salesforce.
Add a custom parameter to the service provider's OAuth/SAML call and implement logic on its login page to apply branding based
on the parameter's value.
The Audience ID, which can be set in a shared cookie.

53. Universal Containers (UC) uses a home-grown Employee portal for their employees to collaborate. UC decides to use
Salesforce Ideas to allow employees to post Ideas from the Employee portal. When users click on some of the links in the
Employee portal, the users should be redirected to Salesforce, authenticated, and presented with the relevant pages .

What OAuth flow is best suited for this scenario?


Web Application flow
SAML Bearer Assertion flow
User-Agent flow
Web Server flow

54. Which two are valid choices for digital certificates when setting up two-way SSL between Salesforce and an external
system? Choose 2 answers
Use a trusted CA-signed certificate for Salesforce and a trusted CA-signed cert for the external system
Use a trusted CA-signed certificate for salesforce and a self-signed cert for the external system
Use a self-signed certificate for salesforce and a self-signed cert for the external system
Use a self-signed certificate for salesforce and a trusted CA-signed cert for the external system

55. What does My Domain enable for Universal Containers (UC) in the context of a SAML SSO configuration? Choose 2 answers
Resource deep linking
App launcher
SSO from salesforce1 mobile app.
Login forensics

56. Universal containers (UC) uses a legacy Employee portal for their employees to collaborate and post their ideas. UC
decides to use salesforce ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC
decides to push ideas posted on the Employee portal to Salesforce through the API. UC decides to use an API user with the OAuth
Username-Password flow for the connection.

How can the connection to salesforce be restricted only to the employee portal server?
Add the Employee portal's IP address to the Trusted IP range for the connected App
Use a digital certificate signed by the employee portal Server.
Add the employee portal's IP address to the login IP range on the user profile.
Use a dedicated profile for the user the Employee portal uses.

57. An Identity and Access Management (IAM) Architect is recommending Identity Connect to integrate Microsoft Active
Directory (AD) with Salesforce for user provisioning, deprovisioning and single sign-on (SSO).

Which feature of Identity Connect is applicable for this scenario?

When Identity Connect is in place, if a user is deprovisioned in an on-premise AD, the user's Salesforce session is revoked
immediately.
If the number of provisioned users exceeds Salesforce licence allowances, Identity Connect will start disabling the existing
Salesforce users in First-in, First-out (FIFO) fashion.
Identity Connect can be deployed as a managed package on the Salesforce org, leveraging High Availability of the Salesforce Platform
out-of-the-box.
When configured, Identity Connect acts as an identity provider to both Active Directory and Salesforce, thus providing SSO as a
default feature.

58. A manufacturer wants to provide registration for an Internet of Things (IoT) device with limited display input or capabilities.

Which Salesforce OAuth authorization flow should be used?


OAuth 2.0 JWT Bearer Flow
OAuth 2.0 Device Flow
OAuth 2.0 User-Agent Flow
OAuth 2.0 Asset Token Flow

59. An identity architect is setting up an integration between Salesforce and a third-party system. The third-party system needs
to authenticate to Salesforce and then make API calls against the REST API.

One of the requirements is that the solution needs to ensure the third-party service provider's connected app in Salesforce
minimizes the need for end user interaction and maximizes security.

Which OAuth flow should be used to fulfill the requirement?


JWT Bearer Flow
Web Server Flow
User Agent Flow
Username-Password Flow

60. Universal Containers uses an Employee portal for their employees to collaborate. Employees access the portal from their
company's internal website via SSO. It is set up to work with Active Directory.

What is the role of Active Directory in this scenario?


Identity store
Authentication store
Identity provider
Service provider

61. Under which scenario will the Web Server flow be used?


Used for web applications when server-side code needs to interact with API
Used for server-side components when page needs to be rendered.
Used for mobile applications and testing legacy Integrations.
Used for verifying Access protected resources.

62. Northern Trail Outfitters (NTO) recently purchased Salesforce Identity Connect to streamline user provisioning across
Microsoft Active Directory (AD) and Salesforce Sales Cloud.

NTO has asked an identity architect to identify which salesforce security configurations can map to AD permissions.

Which three Salesforce permissions are available to map to AD permissions? Choose 3 answers
Public Groups
Field-Level Security
Roles
Sharing Rules
Profiles and Permission Sets

63. Universal Containers (UC) has decided to build a new, highly sensitive application on the Force.com platform. The security team
at UC has decided that they want users to provide a fingerprint in addition to username/Password to authenticate to this
application .

How can an architect support fingerprints as a form of identification for salesforce Authentication?
Use salesforce Two-factor Authentication with callouts to a third-party fingerprint scanning application.
Use Delegated Authentication with callouts to a third-party fingerprint scanning application.
Use an AppExchange product that does fingerprint scanning with native Salesforce identity confirmation.
Use custom login flows with callouts to a third-party fingerprint scanning application.

64. Universal Containers (UC) has implemented SAML-based Single Sign-on for their Salesforce application and is planning to provide
access to Salesforce on mobile devices using the Salesforce1 mobile app. UC wants to ensure that Single Sign-on is used for
accessing the Salesforce1 mobile App .

Which two recommendations should the Architect make? Choose 2 Answers


Configure the Embedded Web Browser to use the My Domain URL
Configure the Salesforce1 App to use the My Domain URL
Use the existing SAML-SSO flow along with User Agent Flow.
Use the existing SAML SSO flow along with Web Server Flow.

65. A pharmaceutical company has an on-premise application (see illustration) that it wants to integrate with Salesforce.
The IT director wants to ensure that requests must include a certificate with a trusted certificate chain to access the company's
on-premise application endpoint.

What should an Identity architect do to meet this requirement?


Use open SSL to generate a Self-signed Certificate and upload it to the on-premise app.
Configure the company firewall to allow traffic from Salesforce IP ranges.
Generate a certificate authority-signed certificate in Salesforce and upload it to the on-premise application Trust store.
Upload a third-party certificate from Salesforce into the on-premise server.

66. Universal Containers (UC) has a desktop application to collect leads for marketing campaigns. UC wants to extend this
application to integrate with Salesforce to create leads. Integration between the desktop application and Salesforce should be
seamless.

What Authorization flow should the Architect recommend?


JWT Bearer Token Flow
Web Server Authentication Flow
User Agent Flow
Username and Password Flow

67. Northern Trail Outfitters wants to implement a partner community. Active community users will need to review and accept
the community rules, and update key contact information for each community member before their annual partner event.

Which approach will meet this requirement?


Create tasks for users who need to update their data or accept the new community rules.
Create a custom landing page and email campaign asking all community members to login and verify their data.
Create a login flow that conditionally prompts users who have not accepted the new community rules and who have missing or
outdated information.
Add a banner to the community Home page asking users to update their profile and accept the new community rules.

68. Northern Trail Outfitters manages application functional permissions centrally as Active Directory groups. The
CRM_SuperUser and CRM_Reporting_SuperUser groups should respectively give the user the SuperUser and
Reporting_SuperUser permission set in Salesforce. Salesforce is the service provider to a Security Assertion Markup
Language (SAML) identity provider.

How should an identity architect ensure the Active Directory groups are reflected correctly when a user accesses Salesforce?
Use the Apex Just-in-Time handler to query standard SAML attributes and set permission sets.
Use the Apex Just-in-Time handler to query custom SAML attributes and set permission sets.
Use a login flow to query custom SAML attributes and set permission sets.
Use a login flow to query standard SAML attributes and set permission sets.

69. Universal Containers (UC) has an existing web application that it would like to access from Salesforce without requiring
users to re-authenticate. The web application is owned by UC, and the UC team that is responsible for it is willing to add new
JavaScript code and/or libraries to the application.

What implementation should an Architect recommend to UC?


Create a Canvas app and use Signed Requests to authenticate the users.
Rewrite the web application as a set of Visualforce pages and Apex code.
Configure the web application as an item in the Salesforce App Launcher.
Add the web application as a Connected App using the OAuth User-Agent flow.

70. Northern Trail Outfitters (NTO) employees use a custom on-premise helpdesk application to request, approve, notify, and
track access granted to various on-premises and cloud applications, including Salesforce. Salesforce is currently used to
authenticate users.

How should NTO provision Salesforce users as soon as they are approved in the helpdesk application with the approved
profiles and permission sets?
Build an integration that performs a remote call-in to the Salesforce SOAP or REST API
Use a login flow to query the helpdesk to validate user status.
Have the helpdesk initiate an IdP-initiated Just-in-Time provisioning Security Assertion Markup Language flow.
Use Salesforce Connect to integrate with the helpdesk application.

71. Universal Containers (UC) wants its users to access Salesforce and other SSO-enabled applications from a custom web
page that UC maintains. UC wants its users to use the same set of credentials to access each of the applications.

What SAML SSO flow should an Architect recommend for UC?
SP-Initiated with Deep Linking
SP-Initiated
IdP-Initiated
User-Agent

72. Universal Containers is using OpenID Connect to enable a connection from their new mobile app to its production
Salesforce org.

What should be done to enable the retrieval of the access token status for the OpenID Connect connection?
Query using OpenID Connect discovery endpoint.
Leverage OpenID Connect Token Introspection.
Create a custom OAuth scope.
Enable cross-origin resource sharing (CORS) for the /services/oauth2/token endpoint.

73. An identity architect is implementing a mobile-first Consumer Identity Access Management (CIAM) for external users. User
authentication is the only requirement. The user's email or mobile phone number should be supported as a username.

Which two licenses are needed to meet this requirement? Choose 2 answers
External Identity Licenses
Identity Connect Licenses
Email Verification Credits
SMS verification Credits

74. Universal Containers (UC) is considering a Customer 360 initiative to gain a single source of the truth for its customer data
across disparate systems and services. UC wants to understand the primary benefits of Customer 360 Identity and how it
contributes to a successful Customer 360 Truth project.

What are two key benefits of Customer 360 Identity as it relates to Customer 360? Choose 2 answers
Customer 360 Identity automatically integrates with Customer 360 Data Manager and Customer 360 Audiences to seamlessly
populate all user data.
Customer 360 Identity enables an organization to build a single login for each of its customers, giving the organization an
understanding of the user's login activity across all its digital properties and applications.
Customer 360 Identity supports multiple brands so you can deliver centralized identity services and correlation of user activity,
even if it spans multiple corporate brands and user experiences.
Customer 360 Identity not only provides a unified sign up and sign in experience, but also tracks anonymous user activity prior to
signing up so organizations can understand user activity before and after the users identify themselves.

75. Northern Trail Outfitters (NTO) is launching a new sportswear brand on its existing consumer portal built on Salesforce
Experience Cloud. As part of the launch, emails with promotional links will be sent to existing customers to log in and claim a
discount. The marketing manager would like the portal dynamically branded so that users will be directed to the brand link
they clicked on; otherwise, users will view a recognizable NTO-branded page.

The campaign is launching quickly, so there is no time to procure any additional licenses.

However, the development team is available to apply any required changes to the portal.
Which approach should the identity architect recommend?
Create a full sandbox to replicate the portal site and update the branding accordingly.
Implement Experience ID in the code and extend the URLs and endpoints, as required.
Use Heroku to build the new brand site and embedded login to reuse identities.
Configure an additional community site on the same org that is dedicated for the new brand.

76. Enter a verification code that is to be sent via email or text .

What is the recommended approach to fulfill this requirement?


Create a Login Discovery page and provide a Login Discovery Handler Apex class.
Create a custom login page with an Apex controller. The controller has logic to send and verify the identity.
Create an Authentication provider and implement a self-registration handler class.
Create a custom login flow that uses an Apex controller to verify the phone numbers with the company's verification service.

77. Universal Containers (UC) wants its Closed Won opportunities to be synced to a Data Warehouse in near real time. UC has
implemented Outbound Message to enable near real-time data sync. UC wants to ensure that communication between
Salesforce and the Target System is secure.

What Certificate is sent along with the Outbound Message?


The CA-Signed Certificate from the Certificate and Key Management menu.
The default Client Certificate from the Develop--> API Menu.
The default Client Certificate or a Certificate from Certificate and Key Management menu.
The Self-Signed Certificates from the Certificate & Key Management menu.

78. Universal Containers (UC) is setting up delegated authentication to allow employees to log in using their corporate
credentials. UC's security team is concerned about the risks of exposing the corporate login service on the internet and has
asked that a reliable trust mechanism be put in place between the login service and Salesforce.

What mechanism should an Architect put in place to enable a trusted connection between the login service and Salesforce?
Require the use of Salesforce security tokens on passwords.
Enforce mutual authentication between systems using SSL
Include Client Id and Client Secret in the login header callout.
Set up a proxy service for the login service in the DMZ

79. Northern Trail Outfitters (NTO) is planning to build a new customer service portal and wants to use passwordless login,
allowing customers to log in with a one-time passcode sent to them via email or SMS.

How should the quantity of required Identity Verification Credits be estimated?


Each community comes with 10,000 Identity Verification Credits per month and only customers with more than 10,000 logins a
month should estimate additional SMS verifications needed.
Identity Verification Credits are consumed with each SMS (text message) sent and should be estimated based on the number of
login verification challenges for SMS verification users.
Identity Verification Credits are consumed with each verification sent and should be estimated based on the number of logins that
will incur a verification challenge.
Identity Verification Credits are a direct add-on license based on the number of existing member-based or login-based Community
licenses.

80. A global fitness equipment manufacturer uses Salesforce to manage its sales cycle. The manufacturer has a custom order
fulfillment app that needs to request order data from Salesforce. The order fulfillment app needs to integrate with the
Salesforce API using OAuth 2.0 protocol.

What should an identity architect use to fulfill this requirement?


Canvas App Integration
OAuth Tokens
Authentication Providers
Connected App and OAuth scopes

81. Universal Containers (UC) has an e-commerce website where customers can buy products, make payments, and manage
their accounts. UC decides to build a customer Community on Salesforce and wants to allow the customers to access the
community for their accounts without logging in again. UC decides to implement an SP-initiated SSO using a SAML-based
compliant IdP.

In this scenario where Salesforce is the service provider, which two activities must be performed in Salesforce to make
SP-initiated SSO work? Choose 2 answers
Configure SAML SSO settings.
Configure Delegated Authentication
Create a connected App
Set up My Domain

82. In an SP-Initiated SAML SSO setup where the user tries to access a resource on the Service Provider.

What HTTP parameter should be used when submitting a SAML Request to the IdP to ensure the user is returned to the intended
resource after authentication?
RedirectURL
RelayState
DisplayState
StartURL

83. Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is
important for NTO to give its customers the ability to log in with their Facebook and Twitter credentials.

Which two actions should an identity architect recommend to meet these requirements? Choose 2 answers
Create a custom external authentication provider for Facebook.
Configure a predefined authentication provider for Facebook.
Create a custom external authentication provider for Twitter.
Configure a predefined authentication provider for Twitter.

84. An organization has a central cloud-based Identity and Access Management (IAM) Service for authentication and user
management, which must be utilized by all applications as follows:
1 - Change of a user status in the central IAM Service triggers provisioning or deprovisioning in the integrated cloud
applications.

2 - Security Assertion Markup Language single sign-on (SSO) is used to facilitate access for users authenticated at identity
provider (Central IAM Service).

Which approach should an IAM architect implement on Salesforce Sales Cloud to meet the requirements?

Configure Salesforce as a SAML Service Provider, and enable SCIM (System for Cross-Domain Identity Management) for
provisioning and deprovisioning of users.
Configure Salesforce as a SAML service provider, and enable Just-in-Time (JIT) provisioning and deprovisioning of users.
Configure central IAM Service as an authentication provider and extend the registration handler to manage provisioning and
deprovisioning of users.
Deploy the Identity Connect component and set up automated provisioning and deprovisioning of users, as well as SAML-based SSO

85. Universal containers wants to implement single Sign-on for a salesforce org using an external identity provider and
corporate identity store .

What type of Authentication flow is required to support deep linking?


Web server OAuth SSO flow.
Identity-provider-initiated SSO
Service-provider-initiated SSO
StartURL on identity provider

86. Universal Containers uses Salesforce as an identity provider and Concur as the Employee Expense management system.
The HR director wants to ensure Concur accounts for employees are created only after the appropriate approval in the
Salesforce org.

Which three steps should the identity architect use to implement this requirement? Choose 3 answers
Create an approval process for a custom object associated with the provisioning flow.
Create a connected app for Concur in Salesforce.
Enable User Provisioning for the connected app.
Create an approval process for the User object associated with the provisioning flow.
Create an approval process for the UserProvisioningRequest object associated with the provisioning flow.

87. Universal Containers (UC) has an existing e-commerce platform and is implementing a new customer community. They do
not want to force customers to register on both applications due to concern over the customer's experience. It is expected that
25% of the e-commerce customers will utilize the customer community. The e-commerce platform is capable of generating
SAML responses and has an existing RESTful API capable of managing users.

How should UC create the identities of its e-commerce users with the customer community?
Use SAML JIT in the Customer Community to create users when a user tries to log in to the community from the e-commerce site.
Use the e-commerce REST API to create users when a user self-registers on the customer community and use SAML to allow SSO
Use a nightly batch ETL job to sync users between the Customer Community and the e-commerce platform and use SAML to allow
SSO
Use the standard Salesforce API to create users in the Community when a user is created in the e-commerce platform and use
SAML to allow SSO

88. Which three are capabilities of SAML-based Federated authentication? Choose 3 answers
Trust relationships between Identity Provider and Service Provider are required.
SAML tokens can be in XML or JSON format and can be used interchangeably.
Web applications with no passwords are more secure and stronger against attacks.
Access tokens are used to access resources on the server once the user is authenticated.
Centralized federation provides single point of access, control and auditing.

89. Universal Containers (UC) is building a custom Innovation platform on their Salesforce instance. The Innovation platform
will be written completely in Apex and Visualforce and will use custom objects to store the data. UC would like all users to be
able to access the system without having to log in with Salesforce credentials. UC will utilize a third-party IdP using SAML SSO.

What is the optimal Salesforce license type for all of the UC employees?
Identity Licence.
Salesforce Licence.
External Identity Licence.
Salesforce Platform Licence.

90. Universal Containers (UC) wants to implement a partner community. As part of their implementation, UC would like to
modify both the Forgot password and change password experience with custom branding for their partner community users .

Which 2 actions should an architect recommend to UC? Choose 2 answers


Build a community builder page for the change password experience and Custom Visualforce page for the Forgot password
experience.
Build a custom visualforce page for both the change password and Forgot password experiences.
Build a custom visualforce page for the change password experience and a community builder page for the Forgot password
experience.
Build a community builder page for both the change password and Forgot password experiences.
