Renewal Salesforce Certified Identity And Access Management Architect (SU23) Identity-and-Access-Management-Architect Samples

We provide real Identity-and-Access-Management-Architect exam questions and answers braindumps in two formats. Download PDF & Practice Tests. Pass Salesforce Identity-and-Access-Management-Architect Exam quickly & easily. The Identity-and-Access-Management-Architect PDF type is available for reading and printing. You can print more and practice many times. With the help of our Salesforce Identity-and-Access-Management-Architect dumps pdf and vce product and material, you can easily pass the Identity-and-Access-Management-Architect exam.

Online Salesforce Identity-and-Access-Management-Architect free dumps demo Below:

NEW QUESTION 1
Universal Containers (UC) has decided to replace the homegrown customer portal with Salesforce Experience Cloud. UC will continue to use its third-party single sign-on (SSO) solution that stores all of its customer and partner credentials.
The first time a customer logs in to the Experience Cloud site through SSO, a user record needs to be created automatically.
Which solution should an identity architect recommend in order to automatically provision users in Salesforce upon login?

  • A. Just-in-Time (JIT) provisioning
  • B. Custom middleware and web services
  • C. Custom login flow and Apex handler
  • D. Third-party AppExchange solution

Answer: A

Explanation:
Just-in-Time (JIT) provisioning is a feature that allows Salesforce to create or update user records on the fly when users log in through an external identity provider. This eliminates the need for manual or batch user provisioning in Salesforce. References: Just-in-Time Provisioning for SAML and OpenID Connect, Identity 101: Design Patterns for Access Management

NEW QUESTION 2
Universal Containers (UC) uses Salesforce as a CRM and identity provider (IdP) for their Sales Team to seamlessly login to intemaJ portals. The IT team at UC is now evaluating Salesforce to act as an IdP for its remaining employees.
Which Salesforce license is required to fulfill this requirement?

  • A. External Identity
  • B. Identity Verification
  • C. Identity Connect
  • D. Identity Only

Answer: D

Explanation:
To use Salesforce as an IdP for its remaining employees, the IT team at UC should use the Identity Only license. The Identity Only license is a license type that enables users to access external applications that are integrated with Salesforce using single sign-on (SSO) or delegated authentication, but not access Salesforce objects or data. The other license types are not relevant for this scenario. References: Identity Only License, User Licenses

NEW QUESTION 3
Universal containers (UC) has a classified information system that it's call centre team uses only when they are working on a case with a record type of "classified". They are only allowed to access the system when they own an open "classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO with salesforce as the IDP, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying access to the classified information system based on the open "classified" case record criteria?

  • A. Use a custom connected App handler using apex to dynamically allow access to the system based on whether the staff owns any open "classified" cases.
  • B. Use apex trigger on case to dynamically assign permission sets that grant access when a user is assigned with an open "classified" case, and remove it when the case is closed.
  • C. Use custom SAML jit provisioning to dynamically query the user's open "classified" cases when attempting to access the classified information system
  • D. Use salesforce reports to identify users that currently owns open "classified" cases and should be granted access to the classified information system.

Answer: A

Explanation:
Use a custom connected app handler using Apex to dynamically allow access to the system based on whether the staff owns any open “classified” cases is the recommended solution for this scenario. A custom connected app handler is an Apex class that implements the ConnectedAppPlugin interface and can customize the behavior of a connected app. The custom handler can support new protocols or respond to user attributes in a way that benefits a business process. In this case, the custom handler can query the user’s open “classified” cases and grant or deny access to the classified information system accordingly. Use Apex trigger on case to dynamically assign permission sets that grant access when a user is assigned with an open “classified” case, and remove it when the case is closed is not a good solution, as permission sets are not related to SSO and cannot control access to external systems. Use custom SAML JIT provisioning to dynamically query the user’s open “classified” cases when attempting to access the classified information system is not feasible, as JIT provisioning is used to create or update user records in Salesforce, not in external systems. Use Salesforce reports to identify users that currently own open “classified” cases and should be granted access to the classified information system is not an automated solution, as it requires manual intervention and does not leverage SSO.
References: Certification - Identity and Access Management Architect - Trailhead, Create a Custom Connected App Handler, Manage Access Through a Custom Connected App Handler

NEW QUESTION 4
Universal Containers (UC) implemented SSO to a third-party system for their Salesforce users to access the App Launcher. UC enabled “User Provisioning” on the Connected App so that changes to user accounts can be synched between Salesforce and the third-party system. However, UC quickly notices that changes to user roles in Salesforce are not getting synched to the third-party system. What is the most likely reason for this behavior?

  • A. User Provisioning for Connected Apps does not support role sync.
  • B. Required operation(s) was not mapped in User Provisioning Settings.
  • C. The Approval queue for User Provisioning Requests is unmonitored.
  • D. Salesforce roles have more than three levels in the role hierarchy.

Answer: B

Explanation:
User Provisioning for Connected Apps supports role sync, but the required operation(s) must be mapped in User Provisioning Settings. According to the Salesforce documentation1, “To provision roles, map the Role operation to a field in the connected app. The field must contain the role’s unique name.” Therefore, option B is the correct answer.
References: Salesforce Documentation

NEW QUESTION 5
Universal Containers (UC) is building a custom employee hut) application on Amazon Web Services (AWS) and would like to store their users' credentials there. Users will also need access to Salesforce for internal operations. UC has tasked an identity architect with evaluating Afferent solutions for authentication and authorization between AWS and Salesforce.
How should an identity architect configure AWS to authenticate and authorize Salesforce users?

  • A. Configure the custom employee app as a connected app.
  • B. Configure AWS as an OpenID Connect Provider.
  • C. Create a custom external authentication provider.
  • D. Develop a custom Auth server in AWS.

Answer: B

Explanation:
To authenticate and authorize Salesforce users with AWS, the identity architect should configure AWS as an OpenID Connect Provider. OpenID Connect is a protocol that allows users to sign in with an external identity provider, such as AWS, and access Salesforce resources. To enable this, the identity architect needs to configure an OpenID Connect Authentication Provider in Salesforce and link it to a connected app. The other options are not relevant for this scenario. References: OpenID Connect Authentication Providers, Social Sign-On with OpenID Connect

NEW QUESTION 6
Universal containers (UC) has decided to use identity connect as it's identity provider. UC uses active directory(AD) and has a team that is very familiar and comfortable with managing ad groups. UC would like to use AD groups to help configure salesforce users. Which three actions can AD groups control through identity connect? Choose 3 answers

  • A. Public Group Assignment
  • B. Granting report folder access
  • C. Role Assignment
  • D. Custom permission assignment
  • E. Permission sets assignment

Answer: ACE

Explanation:
AD groups can control public group assignment, role assignment, and permission set assignment through Identity Connect. Identity Connect is a tool that integrates Microsoft Active Directory (AD) user accounts with Salesforce user records1. It allows Salesforce admins to leverage the existing user data and group
memberships in AD to automate user provisioning and deprovisioning in Salesforce. Identity Connect can map AD groups to Salesforce public groups, roles, and permission sets, and assign them to users based on their group membership2. This way, AD groups can control the access level and visibility of users in Salesforce. AD groups cannot control granting report folder access or custom permission assignment through Identity Connect. These are not supported features of Identity Connect. Report folder access is controlled by the folder sharing settings in Salesforce. Custom permission assignment is controlled by the custom permission settings in Salesforce. References: Get to Know Identity Connect, Map Your Data, [Folder Sharing], [Custom Permissions]

NEW QUESTION 7
Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, who use SAML based sign sign-on to login to Salesforce. The default agent profile does not include the Manage User permission. UC wants to dynamically update the agent role and permission sets.
Which two mechanisms are used to provision agents with the appropriate permissions? Choose 2 answers

  • A. Use Login Flow in User Context to update role and permission sets.
  • B. Use Login Flow in System Context to update role and permission sets.
  • C. Use SAML Just-m-Time (JIT) Handler class run as current user to update role and permission sets.
  • D. Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets.

Answer: BD

Explanation:
To dynamically update the agent role and permission sets using Active Directory as the corporate identity provider and Salesforce as the CRM for customer care agents, who use SAML based sign-on to login to Salesforce, the identity architect should use two mechanisms:
Identity-and-Access-Management-Architect dumps exhibit Use Login Flow in System Context to update role and permission sets. A Login Flow is a custom post-authentication process that can be used to add additional screens or logic after a user logs in to Salesforce. A System Context is a mode that allows a Login Flow to run as an administrator user with full access to Salesforce data and metadata. By using a Login Flow in System Context, the identity
architect can update the agent role and permission sets based on the information from Active Directory or other criteria.
Identity-and-Access-Management-Architect dumps exhibit Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets. A SAML JIT handler class is a class that implements the Auth.SamlJitHandler interface and defines how to handle SAML assertions for Just-in-Time (JIT) provisioning. JIT provisioning is a feature that allows Salesforce to create or update user records on the fly when users log in through an external identity provider. By using a SAML JIT handler class run as an admin user, the identity architect can update the agent role and permission sets based on the information from the SAML assertion. References: Login Flows, SAML Just-in-Time Provisioning, Auth.SamlJitHandler Interface

NEW QUESTION 8
Which two statements are capable of Identity Connect? Choose 2 answers

  • A. Synchronization of Salesforce Permission Set Licence Assignments.
  • B. Supports both Identity-Provider-Initiated and Service-Provider-Initiated SSO.
  • C. Support multiple orgs connecting to multiple Active Directory servers.
  • D. Automated user synchronization and de-activation.

Answer: BD

Explanation:
The two statements that are capabilities of Identity Connect are:
Identity-and-Access-Management-Architect dumps exhibit It supports both identity-provider-initiated and service-provider-initiated SSO. Identity Connect is a desktop application that integrates Salesforce with Microsoft Active Directory (AD) and enables single sign-on (SSO) between the two systems. Identity Connect supports both identity-provider-initiated SSO, which is when the user starts at the AD site and then is redirected to Salesforce with a SAML assertion, and service-provider-initiated SSO, which is when the user starts at the Salesforce site and then is redirected to AD for authentication.
Identity-and-Access-Management-Architect dumps exhibit It enables automated user synchronization and deactivation. Identity Connect allows administrators to synchronize user accounts and attributes between AD and Salesforce, either manually or on a scheduled basis. Identity Connect also allows administrators to deactivate user accounts in Salesforce when they are disabled or deleted in AD, which helps maintain security and compliance.
The other options are not capabilities of Identity Connect. Identity Connect does not support synchronization of Salesforce permission set license assignments, as these are not related to AD attributes. Identity Connect does not support multiple orgs connecting to multiple AD servers, as it can only connect one Salesforce org to one AD domain at a time. References: [Identity Connect], [Identity Connect Features], [Identity Connect User Synchronization], [Identity Connect Single Sign-On]

NEW QUESTION 9
Universal Containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in Salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two are recommendations to make the UC? Choose 2 answers

  • A. Disallow the use of Single Sign-on for any users of the mobile app.
  • B. Require High Assurance sessions in order to use the Connected App.
  • C. Set Login IP Ranges to the internal network for all of the app users Profiles.
  • D. Use Google Authenticator as an additional part of the login process

Answer: BD

Explanation:
Requiring High Assurance sessions and using Google Authenticator are two ways to enhance the security of the connected app.
Identity-and-Access-Management-Architect dumps exhibit Option B is correct because requiring High Assurance sessions means that the users must verify their identity using a second factor, such as a verification code or biometric scan, before they can access the
connected app.
Identity-and-Access-Management-Architect dumps exhibit Option D is correct because using Google Authenticator as an additional part of the login process also adds a second factor of authentication, which can be generated by the Google Authenticator app on the user’s mobile device.
Identity-and-Access-Management-Architect dumps exhibit Option A is incorrect because disallowing the use of Single Sign-on for any users of the mobile app does not improve the security of the app, and may create more inconvenience for the users who have to remember multiple credentials.
Identity-and-Access-Management-Architect dumps exhibit Option C is incorrect because setting Login IP Ranges to the internal network for all of the app users Profiles does not work for users who are commonly out of the office, as they may need to access the app from different locations.
References: [High Assurance Sessions], [Google Authenticator], [Single Sign-On], [Login IP Ranges]

NEW QUESTION 10
Universal containers (UC) is concerned that having a self-registration page will provide a means for "bots" or unintended audiences to create user records, thereby consuming licences and adding dirty data. Which two actions should UC take to prevent unauthorised form submissions during the self-registration process? Choose 2 answers

  • A. Use open-ended security questions and complex password requirements
  • B. Primarily use lookup and picklist fields on the self registration page.
  • C. Require a captcha at the end of the self-registration process.
  • D. Use hidden fields populated via java script events in the self-registration page.

Answer: CD

Explanation:
To prevent unauthorized form submissions during the self-registration process, UC should require a captcha at the end of the self-registration process and use hidden fields populated via JavaScript events in the self-registration page. These methods will help to verify that the user is a human and not a bot, and also to validate the user’s input against some predefined values. Option A is not a good choice because open-ended security questions and complex password requirements may frustrate the user and reduce the conversion rate. Option B is not a good choice because lookup and picklist fields may not prevent bots from submitting the form, as they can be easily automated or bypassed.
References: Single Sign-On Implementation Guide, Customizing User Authentication with Login Flows

NEW QUESTION 11
Universal containers (UC) employees have salesforce access from restricted ip ranges only, to protect against unauthorized access. UC wants to rollout the salesforce1 mobile app and make it accessible from any location.
Which two options should an architect recommend? Choose 2 answers

  • A. Relax the ip restriction in the connect app settings for the salesforce1 mobile app
  • B. Use login flow to bypass ip range restriction for the mobile app.
  • C. Relax the ip restriction with a second factor in the connect app settings for salesforce1 mobile app
  • D. Remove existing restrictions on ip ranges for all types of user access.

Answer: AC

Explanation:
Relaxing the IP restriction in the connected app settings for the Salesforce1 mobile app and relaxing the IP restriction with a second factor in the connected app settings for Salesforce1 mobile app are two options that an architect should recommend. These options allow UC employees to access the Salesforce1 mobile app from any location, while still maintaining some level of security. Relaxing the IP restriction means that users can log in to the connected app from outside the trusted IP ranges defined in their profiles1. Adding a second factor means that users need to provide an additional verification method, such as a verification code or a security key, to access the app2. Using a login flow to bypass IP range restriction for the mobile app is not a recommended option because it can create a complex and inconsistent user experience3. Removing existing restrictions on IP ranges for all types of user access is not a recommended option because it can expose UC’s data and applications to unauthorized access4. References: 1: Restrict Access to Trusted IP Ranges for a Connected App 2: Require Multi-Factor Authentication for Connected Apps 3: [Custom Login Flows] 4: [Restrict Login Access by IP Address]

NEW QUESTION 12
The security team at Universal containers(UC) has identified exporting reports as a high-risk action and would like to require users to be logged into salesforce with their active directory (AD) credentials when doing so. For all other uses of Salesforce, Users should be allowed to use AD credentials or salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with salesforce credentials?

  • A. Use SAML Federated Authentication and Custom SAML jit provisioning to dynamically add or remove a permission set that grants the Export Reports permission.
  • B. Use SAML Federated Authentication, treat SAML sessions as high assurance, and raise the session level required for exporting reports.
  • C. Use SAML Federated Authentication and block access to reports when accesses through a standard assurance session.
  • D. Use SAML Federated Authentication with a login flow to dynamically add or remove a permission set that grants the export reports permission.

Answer: B

Explanation:
Using SAML Federated Authentication, treating SAML sessions as high assurance, and raising the session level required for exporting reports is the solution that should be recommended. This solution ensures that users can only export reports when they log in using AD credentials, which provide a high level of identity verification. Users who log in using Salesforce credentials, which provide a standard level of security, can still view reports but not export them. To implement this solution, you need to configure SAML Federated Authentication with AD as the identity provider4, set the session security level for SAML assertions to high
assurance5, and require high-assurance session security for exporting reports1. This solution also avoids the complexity and overhead of creating and managing custom permission sets or login flows.

NEW QUESTION 13
A security architect is rolling out a new multi-factor authentication (MFA) mandate, where all employees must go through a secure authentication process before accessing Salesforce. There are multiple Identity Providers (IdP) in place and the architect is considering how the "Authentication Method Reference" field (AMR) in the Login History can help.
Which two considerations should the architect keep in mind? Choose 2 answers

  • A. AMR field shows the authentication methods used at IdP.
  • B. Both OIDC and Security Assertion Markup Language (SAML) are supported but AMR must be implemented at IdP.
  • C. High-assurance sessions must be configured under Session Security Level Policies.
  • D. Dependency on what is supported by OpenID Connect (OIDC) implementation at IdP.

Answer: AB

Explanation:
The AMR field in the Login History shows the authentication methods used at the IdP level, such as password, MFA, or SSO. Both OIDC and SAML are supported protocols for SSO, but the IdP must implement the AMR attribute and pass it to Salesforce. References: Secure Your Users’ Identity, Salesforce Multi-Factor Authentication (MFA) and Single Sign-on (SSO)

NEW QUESTION 14
Universal Containers (UC) wants its closed Won opportunities to be synced to a Data Warehouse in near real time. UC has implemented Outbound Message to enable near real-time data sync. UC wants to ensure that communication between Salesforce and Target System is Secure. What Certificate is sent along with the Outbound Message?

  • A. The CA-Signed Certificate from the Certificate and Key Management menu.
  • B. The default Client Certificate from the Develop--> API Menu.
  • C. The default Client Certificate or a Certificate from Certificate and Key Management menu.
  • D. The Self-Signed Certificates from the Certificate & Key Management menu.

Answer: A

Explanation:
The CA-Signed Certificate from the Certificate and Key Management menu is the certificate that is sent along with the outbound message. An outbound message is a SOAP message that is sent from Salesforce to an external endpoint when a workflow rule or approval process is triggered. To ensure that the communication between Salesforce and the target system is secure, the outbound message can be signed with a certificate that is generated or uploaded in the Certificate and Key Management menu. The certificate must be CA-Signed, which means that it is issued by a trusted certificate authority (CA) that verifies the identity of the sender. The other options are not valid certificates for this purpose. The default client certificate from the Develop–> API Menu is a self-signed certificate that is used for testing purposes only and does not provide adequate security. The default client certificate or a certificate from Certificate and Key Management menu is too vague and does not specify whether the certificate is CA-Signed or self-signed. The self-signed certificates from the Certificate & Key Management menu are certificates that are generated by Salesforce without any verification by a CA, and they are not recommended for production use.
References: [Outbound Messages], [Sign Outbound Messages with a Certificate], [CA-Signed Certificates], [Default Client Certificate], [Self-Signed Certificates]

NEW QUESTION 15
Universal containers wants salesforce inbound Oauth-enabled integration clients to use SAML-BASED single Sign-on for authentication. What Oauth flow would be recommended in this scenario?

  • A. User-Agent Oauth flow
  • B. SAML assertion Oauth flow
  • C. User-Token Oauth flow
  • D. Web server Oauth flow

Answer: B

Explanation:
The SAML assertion OAuth flow allows a connected app to use a SAML assertion to request an OAuth access token to call Salesforce APIs. This flow provides an alternative for orgs that are currently using SAML to access Salesforce and want to access the web services API in the same way3. This flow can be used for inbound OAuth-enabled integration clients that want to use SAML-based single sign-on for authentication.
References: OAuth 2.0 SAML Bearer Assertion Flow for Previously Authorized Apps, Access Data with AP
Integration, Error ‘Invalid assertion’ in OAuth 2.0 SAML Bearer Flow

NEW QUESTION 16
......

100% Valid and Newest Version Identity-and-Access-Management-Architect Questions & Answers shared by Dumps-hub.com, Get Full Dumps HERE: https://www.dumps-hub.com/Identity-and-Access-Management-Architect-dumps.html (New 246 Q&As)