Salesforce Identity-and-Access-Management-Architect Question Answers

What is Salesforce Identity-and-Access-Management-Architect?

Salesforce Identity-and-Access-Management-Architect is a necessary certification exam to get certified. The certification is a reward to the deserving candidate with perfect results. The Identity and Access Management Designer Certification validates a candidate's expertise to work with Salesforce. In this fast-paced world, a certification is the quickest way to gain your employer's approval. Try your luck in passing the Salesforce Certified Identity and Access Management Architect (WI24) Exam and becoming a certified professional today. Salesforcexamdumps.com is always eager to extend a helping hand by providing approved and accepted Salesforce Identity-and-Access-Management-Architect Practice Questions. Passing Salesforce Certified Identity and Access Management Architect (WI24) will be your ticket to a better future!

Pass with Salesforce Identity-and-Access-Management-Architect Braindumps!

Contrary to the belief that certification exams are generally hard to get through, passing Salesforce Certified Identity and Access Management Architect (WI24) is incredibly easy. Provided you have access to a reliable resource such as Salesforcexamdumps.com Salesforce Identity-and-Access-Management-Architect PDF. We have been in this business long enough to understand where most of the resources went wrong. Passing Salesforce Identity and Access Management Designer certification is all about having the right information. Hence, we filled our Salesforce Identity-and-Access-Management-Architect Dumps with all the necessary data you need to pass. These carefully curated sets of Salesforce Certified Identity and Access Management Architect (WI24) Practice Questions target the most repeated exam questions. So, you know they are essential and can ensure passing results. Stop wasting your time waiting around and order your set of Salesforce Identity-and-Access-Management-Architect Braindumps now!

We aim to provide all Identity and Access Management Designer certification exam candidates with the best resources at minimum rates. You can check out our free demo before pressing down the download to ensure Salesforce Identity-and-Access-Management-Architect Practice Questions are what you wanted. And do not forget about the discount. We always provide our customers with a little extra.

Why Choose Salesforce Identity-and-Access-Management-Architect PDF?

Unlike other websites, Salesforcexamdumps.com prioritize the benefits of the Salesforce Certified Identity and Access Management Architect (WI24) candidates. Not every Salesforce exam candidate has full-time access to the internet. Plus, it's hard to sit in front of computer screens for too many hours. Are you also one of them? We understand that's why we are here with the Identity and Access Management Designer solutions. Salesforce Identity-and-Access-Management-Architect Question Answers offers two different formats PDF and Online Test Engine. One is for customers who like online platforms for real-like Exam stimulation. The other is for ones who prefer keeping their material close at hand. Moreover, you can download or print Salesforce Identity-and-Access-Management-Architect Dumps with ease.

If you still have some queries, our team of experts is 24/7 in service to answer your questions. Just leave us a quick message in the chat-box below or email at [email protected].

Question # 1

Universal Containers (UC) uses Active Directory (AD) as their identity store for employeesand must continue to do so for network access. UC is undergoing a major transformationprogram and moving all of their enterprise applications to cloud platforms includingSalesforce, Workday, and SAP HANA. UC needs to implement an SSO solution foraccessing all of the third-party cloud applications and the CIO is inclined to use Salesforcefor all of their identity and access management needs.Which two Salesforce license types does UC need for its employees'Choose 2 answers

A. Company Community and Identity licenses
B. Identity and Identity Connect licenses
C. Chatter Only and Identity licenses
D. Salesforce and Identity Connect licenses

Show Answer

---

Question # 2

Universal containers (UC) would like to enable SAML-BASED SSO for a salesforce partnercommunity. UC has an existing ldap identity store and a third-party portal. They would liketo use the existing portal as the primary site these users’ access, but also want to allowseamless access to the partner community. What SSO flow should an architectrecommend?

A. User-Agent
B. IDP-initiated
C. Sp-Initiated
D. Web server

Show Answer

---

Question # 3

Northern Trail Outfitters would like to use a portal built on Salesforce Experience Cloud forcustomer self-service. Guests of the portal be able to self-register, but be unable toautomatically be assigned to a contact record until verified. External Identity licenses havebeen purchased for the project.After registered guests complete an onboarding process, a flow will create the appropriateaccount and contact records for the user.Which three steps should an identity architect follow to implement the outlinedrequirements?Choose 3 answers

A. Enable "Allow customers and partners to self-register".
B. Select the "Configurable Self-Reg Page" option under Login & Registration.
C. Set jp an external login page and call Salesforce APIs for user creation.
D. Customize the self-registration Apex handler to temporarily associate the user to ashared single contact record.
E. Customize me self-registration Apex handler to create only the user record.

Show Answer

---

Question # 4

Universal containers (UC) have a custom, internal-only, mobile billing application for userswho are commonly out of the office. The app is configured as a connected App insalesforce. Due to the nature of this app, UC would like to take the appropriate measuresto properly secure access to the app. Which two are recommendations to make the UC?Choose 2 answers

A. Disallow the use of single Sign-on for any users of the mobile app.
B. Require high assurance sessions in order to use the connected App
C. Use Google Authenticator as an additional part of the logical processes.
D. Set login IP ranges to the internal network for all of the app users profiles.

Show Answer

---

Question # 5

A company wants to provide its employees with a custom mobile app that accessesSalesforce. Users are required to download the internal native IOS mobile app fromcorporate intranet on their mobile device. The app allows flexibility to access other non-Salesforce internal applications once users authenticate with Salesforce. The apps selfauthorize,and users are permitted to use the apps once they have logged into Salesforce.How should an identity architect meet the above requirements with the privately distributedmobile app?

A. Use connected app with OAuth and Security Assertion Markup Language (SAML) toaccess other non-Salesforce internal apps.
B. Configure Mobile App settings in connected app and Salesforce as identity provider fornon-Salesforce internal apps.
C. Use Salesforce as an identity provider (IdP) to access the mobile app and use theexternal IdP for other non-Salesforce internal apps.
D. Create a new hybrid mobile app and use the connected app with OAuth to authenticateusers for Salesforce and non-Salesforce internal apps.

Show Answer

---

Question # 6

Universal containers (UC) employees have salesforce access from restricted ip rangesonly, to protect against unauthorized access. UC wants to rollout the salesforce1 mobileapp and make it accessible from any location. Which two options should an architectrecommend? Choose 2 answers

A. Relax the ip restriction in the connect app settings for the salesforce1 mobile app
B. Use login flow to bypass ip range restriction for the mobile app.
C. Relax the ip restriction with a second factor in the connect app settings for salesforce1mobile app
D. Remove existing restrictions on ip ranges for all types of user access.

Show Answer

---

Question # 7

Universal Containers (UC) is building a custom employee hut) application on Amazon WebServices (AWS) and would like to store their users' credentials there. Users will also needaccess to Salesforce for internal operations. UC has tasked an identity architect withevaluating Afferent solutions for authentication and authorization between AWS andSalesforce.How should an identity architect configure AWS to authenticate and authorize Salesforceusers?

A. Configure the custom employee app as a connected app.
B. Configure AWS as an OpenID Connect Provider.
C. Create a custom external authentication provider.
D. Develop a custom Auth server in AWS.

Show Answer

---

Question # 8

Universal Containers uses Salesforce as an identity provider and Concur as the EmployeeExpense management system. The HR director wants to ensure Concur accounts foremployees are created only after the apocopate approval in the Salesforce org.Which three steps should the identity architect use to implement this requirement?Choose 3 answers

A. Create an approval process for a custom object associated with the provisioning flow.
B. Create a connected app for Concur in Salesforce.
C. Enable User Provisioning for the connected app.
D. Create an approval process for user object associated with the provisioning flow.
E. Create an approval process for UserProvisionlngRequest object associated with theprovisioning flow.

Show Answer

---

Question # 9

Northern Trail Outfitters mar ages functional group permissions in a custom securityapplication supported by a relational database and a REST service layer. Grouppermissions are mapped as permission sets in Salesforce.Which action should an identity architect use to ensure functional group permissions arereflected as permission set assignments?

A. Use a Login Flow to query SAML attributes and set permission sets.
B. Use a Login Flow with invocable Apex to callout to the security application and setpermission sets.
C. Use the Apex Just-in-Time (JIT) handler to query the Security Assertion markupLanguage (SAML) attributes and set permission sets.
D. Use the Apex JIT handler to callout to the security application and set permission sets

Show Answer

---

Question # 10

Northern Trail Outfitters is implementing a business-to-business (B2B) collaboration siteusing Salesforce Experience Cloud. The partners will authenticate with an existing identityprovider and the solution will utilize Security Assertion Markup Language (SAML) toprovide single sign-on to Salesforce. Delegated administration will be used in theExpenence Cloud site to allow the partners to administer their users' access.How should a partner identity be provisioned in Salesforce for this solution?

A. Create only a contact.
B. Create a contactless user.
C. Create a user and a related contact.
D. Create a person account.

Show Answer

---

Question # 11

Universal containers (UC) is successfully using Delegated Authentication for theirsalesforce users. The service supporting Delegated Authentication is written in Java. UChas a new CIO that is requiring all company Web services be RESR-ful and written in.NET. Which two considerations should the UC Architect provide to the new CIO? Choose 2answers

A. Delegated Authentication will not work with a.net service.
B. Delegated Authentication will continue to work with rest services.
C. Delegated Authentication will continue to work with a.net service.
D. Delegated Authentication will not work with rest services.

Show Answer

---

Question # 12

A web service is developed that allows secure access to customer order status on theSalesforce Platform. The service connects to Salesforce through a connected app with theweb server flow. The following are the required actions for the authorization flow:1. User Authenticates and Authorizes Access2. Request an Access Token3. Salesforce Grants an Access Token4. Request an Authorization Code5. Salesforce Grants Authorization CodeWhat is the correct sequence for the authorization flow?

A. 1, 4, 5, 2, 3
B. 4, 1, 5, 2, 3
C. 2, 1, 3, 4, 5
D. 4,5,2, 3, 1

Show Answer

---

Question # 13

An identity architect's client has a homegrown identity provider (IdP). Salesforce is used as the service provider (SP). The head of IT is worried that during a SP initiated single sign-on (SSO), the Security Assertion Markup Language (SAML) request content will be altered. What should the identity architect recommend to make sure that there is additional trust between the SP and the IdP? 

A. Ensure that there is an HTTPS connection between IDP and SP. 
B. Ensure that on the SSO settings page, the "Request Signing Certificate" field has a selfsigned certificate. 
C. Ensure that the Issuer and Assertion Consumer service (ACS) URL is property configured between SP and IDP. 
D. Encrypt the SAML Request using certification authority (CA) signed certificate and decrypt on IdP. 

Show Answer

---

Question # 14

Northern Trail Outfitters (NTO) is planning to roll out a partner portal for its distributors using Experience Cloud. NTO would like to use an external identity provider (idP) and for partners to register for access to the portal. Each partner should be allowed to register only once to avoid duplicate accounts with Salesforce. What should a identity architect recommend to create partners? 

A. On successful creation of Partners using Self Registration page in Experience Cloud, create identity in Ping. 
B. Create a custom page m Experience Cloud to self register partner with Experience Cloud and Ping identity store. 
C. Create a custom web page in the Portal and create users in the IdP and Experience Cloud using published APIs. 
D. Allow partners to register through the IdP and create partner users in Salesforce through an API. 

Show Answer

---

Question # 15

A consumer products company uses Salesforce to maintain consumer information, including orders. The company implemented a portal solution using Salesforce Experience Cloud for its consumers where the consumers can log in using their credentials. The company is considering allowing users to login with their Facebook or Linkedln credentials. Once enabled, what role will Salesforce play? 

A. Facebook and Linkedln will be the SPs. 
B. Salesforce will be the service provider (SP). 
C. Salesforce will be the identity provider (IdP). 
D. Facebook and Linkedln will act as the IdPs and SPs. 

Show Answer

---

Question # 16

Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours? 

A. Login Inspector 
B. Login History 
C. Login Report 
D. Login Forensics 

Show Answer

---

Question # 17

Universal containers (UC) has an e-commerce website while customers can buy products, make payments, and manage their accounts. UC decides to build a customer Community on Salesforce and wants to allow the customers to access the community for their accounts without logging in again. UC decides to implement ansp-Initiated SSO using a SAMLBASED complaint IDP. In this scenario where salesforce is the service provider, which two activities must be performed in salesforce to make sp-Initiated SSO work? Choose 2 answers 

A. Configure SAML SSO settings. 
B. Configure Delegated Authentication 
C. Create a connected App 
D. Set up my domain 

Show Answer

---

Question # 18

An identity architect is setting up an integration between Salesforce and a third-party system. The third-party system needs to authenticate to Salesforce and then make API calls against the REST API. One of the requirements is that the solution needs to ensure the third party service providers connected app in Salesforce mini need for end user interaction and maximizes security. Which OAuth flow should be used to fulfill the requirement? 

A. JWT Bearer Flow 
B. Web Server Flow 
C. User Agent Flow 
D. Username-Password Flow 

Show Answer

---

Question # 19

Universal Containers (UC) has a Customer Community that uses Facebook for of authentication. UC would like to ensure that changes in the Facebook profile are 65. reflected on the appropriate Customer Community user. How can this requirement be met? 

A. Use SAML Just-In-Time Provisioning between Facebook and Salesforce. 
B. Use information in the Signed Request that is received from Facebook. 
C. Develop a scheduled job that calls out to Facebook on a nightly basis. 
D. Use the updateUser() method on the Registration Handler class. 

Show Answer

---

Question # 20

Universal containers (UC) is successfully using Delegated Authentication for their salesforce users. The service supporting Delegated Authentication is written in Java. UC has a new CIO that is requiring all company Web services be RESR-ful and written in . NET. Which two considerations should the UC Architect provide to the new CIO? Choose 2 answers 

A. Delegated Authentication will not work with a.net service. 
B. Delegated Authentication will continue to work with rest services. 
C. Delegated Authentication will continue to work with a.net service. 
D. Delegated Authentication will not work with rest services. 

Show Answer

---

Question # 21

Universal containers (UC) has a mobile application that calls the salesforce REST API. In order to prevent users from having to enter their credentials everytime they use the app, UC has enabled the use of refresh Tokens as part of the salesforce connected App and updated their mobile app to take advantage of the refresh token. Even after enabling the refresh token, Users are still complaining that they have to enter their credentials once a day. What is the most likely cause of the issue? 

A. The Oauth authorizations are being revoked by a nightly batch job. 
B. The refresh token expiration policy is set incorrectly in salesforce 
C. The app is requesting too many access Tokens in a 24-hour period 
D. The users forget to check the box to remember their credentials. 

Show Answer

---

Question # 22

Universal Containers (UC) has an existing e-commerce platform and is implementing a new customer community. They do not want to force customers to register on both applications due to concern over the customers experience. It is expected that 25% of the e-commerce customers will utilize the customer community . The e-commerce platform is capable of generating SAML responses and has an existing REST-ful API capable of managing users. How should UC create the identities of its e-commerce users with the customer community? 

A. Use SAML JIT in the Customer Community to create users when a user tries to login to the community from the e-commerce site.
 B. Use the e-commerce REST API to create users when a user self-register on the customer community and use SAML to allow SSO.
 C. Use a nightly batch ETL job to sync users between the Customer Community and the ecommerce platform and use SAML to allow SSO. 
D. Use the standard Salesforce API to create users in the Community When a User is Created in the e-Commerce platform and use SAML to allow SSO. 

Show Answer

---

Question # 23

Universal containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two are recommendations to make the UC? Choose 2 answers 

A. Disallow the use of single Sign-on for any users of the mobile app. 
B. Require high assurance sessions in order to use the connected App 
C. Use Google Authenticator as an additional part of the logical processes. 
D. Set login IP ranges to the internal network for all of the app users profiles.

Show Answer

---

Question # 24

Universal Containers (UC) uses Salesforce to allow customers to keep track of the order status. The customers can log in to Salesforce using external authentication providers, such as Facebook and Google. UC is also leveraging the App Launcher to let customers access an of platform application for generating shipping labels. The label generator application uses OAuth to provide users access. What license type should an Architect recommend for the customers? 

A. Customer Community license 
B. Identity license 
C. Customer Community Plus license 
D. External Identity license 

Show Answer

---

Question # 25

Which two security risks can be mitigated by enabling Two-Factor Authentication (2FA) in Salesforce? Choose 2 answers 

A. Users leaving laptops unattended and not logging out of Salesforce. 
B. Users accessing Salesforce from a public Wi-Fi access point. 
C. Users choosing passwords that are the same as their Facebook password. 
D. Users creating simple-to-guess password reset questions. 

Show Answer

---

Question # 26

Universal Containers allows employees to use a mobile device to access Salesforce for daily operations using a hybrid mobile app. This app uses Mobile software development kits (SDK), leverages refresh token to regenerate access token when required and is distributed as a private app. The chief security officer is rolling out an org wide compliance policy to enforce re venfication of devices if an employee has not logged in from that device in the last week. Which connected app setting should be leveraged to comply with this policy change?

A. Scope - Deny refresh_token scope for this connected app. 
B. Refresh Token Policy - Expire the refresh token if it has not been used for 7 days. 
C. Session Policy - Set timeout value of the connected app to 7 days. 
D. Permitted User - Ask admins to maintain a list of users who are permitted based on last login date. 

Show Answer

---

Question # 27

Universal Containers (UC) has implemented SAML-based SSO solution for use with their multi-org Salesforce implementation, utilizing one of the the orgs as the Identity Provider. One user is reporting that they can log in to the Identity Provider org but get a generic SAML error message when accessing the other orgs. Which two considerations should the architect review to troubleshoot the issue? Choose 2 answers 

A. The Federation ID must be a valid Salesforce Username
 B. The Federation ID must is case sensitive 
C. The Federation ID must be in the form of an email address. 
D. The Federation ID must be populated on the user record. 

Show Answer

---

Question # 28

Universal Containers (UC) has a mobile application for its employees that uses data from Salesforce as well as uses Salesforce for Authentication purposes. UC wants its mobile users to only enter their credentials the first time they run the app. The application has been live for a little over 6 months, and all of the users who were part of the initial launch are complaining that they have to re-authenticate. UC has also recently changed the URI Scheme associated with the mobile app. What should the Architect at UC first investigate?Universal Containers (UC) has a mobile application for its employees that uses data from Salesforce as well as uses Salesforce for Authentication purposes. UC wants its mobile users to only enter their credentials the first time they run the app. The application has been live for a little over 6 months, and all of the users who were part of the initial launch are complaining that they have to re-authenticate. UC has also recently changed the URI Scheme associated with the mobile app. What should the Architect at UC first investigate?

A. Check the Refresh Token policy defined in the Salesforce Connected App. 
B. Validate that the users are checking the box to remember their passwords. 
C. Verify that the Callback URL is correctly pointing to the new URI Scheme. 
D. Confirm that the access Token's Time-To-Live policy has been set appropriately. 

Show Answer

---

Question # 29

Northern Trail Outfitters (NTO) uses Salesforce Experience Cloud sites (previously known as Customer Community) to provide a digital portal where customers can login using their Google account. NTO would like to automatically create a case record for first time users logging into Salesforce Experience Cloud. What should an Identity architect do to fulfill the requirement? 

A. Configure an authentication provider for Social Login using Google and a custom registration handler. 
B. Implement a Just-in-Time handler class that has logic to create cases upon first login. 
C. Create an authentication provider for Social Login using Google and leverage standard registration handler. 
D. Implement a login flow with a record create component for Case. 

Show Answer

---

Question # 30

Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Act Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee recently was able to login to NTO's Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory. What should an identity architect recommend to prevent this from happening in the future? 

A. Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP. 
B. Configure an authentication provider to delegate authentication to the LDAP directory. 
C. use a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce. 
D. Setup an identity provider (IdP) to authenticate users using LDAP, set up single sign-on to Salesforce and disable Login Form authentication.

Show Answer

---

Question # 31

Universal Containers (UC) wants to implement SAML SSO for their internal of Salesforce users using a third-party IdP. After some evaluation, UC decides NOT to 65« set up My Domain for their Salesforce org. How does that decision impact their SSO implementation? 

A. IdP-initiated SSO will NOT work. 
B. Neither SP- nor IdP-initiated SSO will work. 
C. Either SP- or IdP-initiated SSO will work. 
D. SP-initiated SSO will NOT work 

Show Answer

---

Question # 32

A financial services company uses Salesforce and has a compliance requirement to track information about devices from which users log in. Also, a Salesforce Security Administrator needs to have the ability to revoke the device from which users log in. What should be used to fulfill this requirement? 

A. Use multi-factor authentication (MFA) to meet the compliance requirement to track device information. 
B. Use the Activations feature to meet the compliance requirement to track device information. 
C. Use the Login History object to track information about devices from which users log in. 
D. Use Login Flows to capture device from which users log in and store device and user information in a custom object. 

Show Answer

---

Question # 33

Universal Containers (UC) has an existing web application that it would like to access from Salesforce without requiring users to re-authenticate. The web application is owned UC and the UC team that is responsible for it is willing to add new javascript code and/or libraries to the application. What implementation should an Architect recommend to UC? 

A. Create a Canvas app and use Signed Requests to authenticate the users. 
B. Rewrite the web application as a set of Visualforce pages and Apex code. 
C. Configure the web application as an item in the Salesforce App Launcher. 
D. Add the web application as a ConnectedApp using OAuth User-Agent flow. 

Show Answer

---

Question # 34

Universal Containers (UC) has a Customer Community that uses Facebook for Authentication. UC would like to ensure that Changes in the Facebook profile are reflected on the appropriate Customer Community user: How can this requirement be met? 

A. Use the updateUser method on the registration Handler Class. 
B. Develop a scheduled job that calls out to Facebook on a nightly basis. 
C. Use information in the signed Request that is received from facebook. 
D. Use SAML Just-In-Time Provisioning between Facebook and Salesforce. 

Show Answer

---

Question # 35

Universal containers (UC) has decided to use identity connect as it's identity provider. UC uses active directory(AD) and has a team that is very familiar and comfortable with managing ad groups. UC would like to use AD groups to help configure salesforce users. Which three actions can AD groups control through identity connect? Choose 3 answers

 A. Public Group Assignment 
B. Granting report folder access 
C. Role Assignment 
D. Custom permission assignment 
E. Permission sets assignment 

Show Answer

---

Question # 36

Universal Containers wants to allow its customers to log in to its Experience Cloud via a third party authentication provider that supports only the OAuth protocol. What should an identity architect do to fulfill this requirement? 

A. Contact Salesforce Support and enable delegate single sign-on. 
B. Create a custom external authentication provider. 
C. Use certificate-based authentication. 
D. Configure OpenID Connect authentication provider.

Show Answer

---

Question # 37

Universal containers (UC) has implemented SAML SSO to enable seamless access across multiple applications. UC has regional salesforce orgs and wants it's users to be able to access them from their main Salesforce org seamless. Which action should an architect recommend? 

A. Configure the main salesforce org as an Authentication provider. 
B. Configure the main salesforce org as the Identity provider. 
C. Configure the regional salesforce orgs as Identity Providers. 
D. Configure the main Salesforce org as a service provider. 

Show Answer

---

Question # 38

Universal Containers (UC) has implemented a multi-org architecture in their company. Many users have licences across multiple orgs, and they are complaining about remembering which org and credentials are tied to which business process. Which two recommendations should the Architect make to address the Complaints? Choose 2 answers 

A. Activate My Domain to Brand each org to the specific business use case. 
B. Implement SP-Initiated Single Sign-on flows to allow deep linking.
 C. Implement IdP-Initiated Single Sign-on flows to allow deep linking. 
D. Implement Delegated Authentication from each org to the LDAP provider

Show Answer

---

Question # 39

Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow. Application users will authenticate using username and password. They should not be forced to approve API access in the mobile app or reauthenticate for 3 months. Which two connected app options need to be configured to fulfill this use case? Choose 2 answers 

A. Set Permitted Users to "Admin approved users are pre-authorized". 
B. Set Permitted Users to "All users may self-authorize".
 C. Set the Session Timeout value to 3 months. 
D. Set the Refresh Token Policy to expire refresh token after 3 months. 

Show Answer

---

Question # 40

Universal containers (UC) uses a legacy Employee portal for their employees to collaborate and post their ideas. UC decides to use salesforce ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to push ideas posted on the Employee portal to salesforce through API. UC decides to use an API user using Oauth Username - password flow for the connection. How can the connection to salesforce be restricted only to the employee portal server?

A. Add the Employee portals IP address to the Trusted IP range for the connected App 
B. Use a digital certificate signed by the employee portal Server. 
C. Add the employee portals IP address to the login IP range on the user profile. 
D. Use a dedicated profile for the user the Employee portal uses.

Show Answer

---

Question # 41

A farming enterprise offers smart farming technology to its farmer customers, which includes a variety of sensors for livestock tracking, pest monitoring, climate monitoring etc. They plan to store all the data in Salesforce. They would also like to ensure timely maintenance of the Installed sensors. They have engaged a salesforce Architect to propose an appropriate way to generate sensor Information In Salesforce. Which OAuth flow should the architect recommend? 

A. OAuth 2.0 Asset Token Flow 
B. OAuth 2.0 Device Authentication Row 
C. OAuth 2.0 JWT Bearer Token Flow 
D. OAuth 2.0 SAML Bearer Assertion Flow 

Show Answer

---

Question # 42

Universal Containers (UC) is building a customer community and will allow customers to authenticate using Facebook credentials. The First time the user authenticating using facebook, UC would like a customer account created automatically in their Accounting system. The accounting system has a web service accessible to Salesforce for the creation of accounts. How can the Architect meet these requirements? 

A. Create a custom application on Heroku that manages the sign-on process from Facebook. 
B. Use JIT Provisioning to automatically create the account in the accounting system. 
C. Add an Apex callout in the registration handler of the authorization provider. 
D. Use OAuth JWT flow to pass the data from Salesforce to the Accounting System. 

Show Answer

---

Question # 43

An identity architect wants to secure Salesforce APIs using Security Assertion Markup Language (SAML). For secunty purposes, administrators will need to authorize the applications that will be consuming the APIs. Which Salesforce OAuth authorization flow should be used? 

A. OAuth 2-0 SAML Bearer Assertion Flow 
B. OAuth 2.0 JWT Bearer Flow 
C. SAML Assertion Flow 
D. OAuth 2.0 User-Agent Flow

Show Answer

---

Question # 44

Universal Containers (UC) implemented SSO to a third-party system for their Salesforce users to access the App Launcher. UC enabled “User Provisioning” on the Connected App so that changes to user accounts can be synched between Salesforce and the third party system. However, UC quickly notices that changes to user roles in Salesforce are not getting synched to the third-party system. What is the most likely reason for this behaviour? 

A. User Provisioning for Connected Apps does not support role sync. 
B. Required operation(s) was not mapped in User Provisioning Settings. 
C. The Approval queue for User Provisioning Requests is unmonitored.
 D. Salesforce roles have more than three levels in the role hierarchy. 

Show Answer

---

Question # 45

Northern Trail Outfitters (NTO) wants its customers to use phone numbers to log in to their new digital portal, which was designed and built using Salesforce Experience Cloud. In order to access the portal, the user will need to do the following: 1. Enter a phone number and/or email address 2. Enter a verification code that is to be sent via email or text. What is the recommended approach to fulfill this requirement?

A. Create a Login Discovery page and provide a Login Discovery Handler Apex class. 
B. Create a custom login page with an Apex controller. The controller has logic to send and verify the identity.
 C. Create an Authentication provider and implement a self-registration handler class. 
D. Create a custom login flow that uses an Apex controller to verify the phone numbers with the company's verification service. 

Show Answer

---

Question # 46

A multinational company is looking to rollout Salesforce globally. The company has a Microsoft Active Directory Federation Services (ADFS) implementation for the Americas, Europe and APAC. The company plans to have a single org and they would like to have all of its users access Salesforce using the ADFS . The company would like to limit its investments and prefer not to procure additional applications to satisfy the requirements. What is recommended to ensure these requirements are met ?

A. Use connected apps for each ADFS implementation and implement Salesforce site to authenticate users across the ADFS system applicable to their geo. 
B. Implement Identity Connect to provide single sign-on to Salesforce and federated across multiple ADFS systems. 
C. Add a central identity system that federates between the ADFS systems and integrate with Salesforce for single sign-on. 
D. Configure Each ADFS system under single sign-on settings and allow users to choose the system to authenticate during sign on to Salesforce

Show Answer

---

Question # 47

Sales users at Universal containers use salesforce for Opportunity management. Marketing uses a third-party application called Nest for Lead nurturing that is accessed using username/password. The VP of sales wants to open up access to nest for all sales uses to provide them access to lead history and would like SSO for better adoption. Salesforce is already setup for SSO and uses Delegated Authentication. Nest can accept username/Password or SAML-based Authentication. IT teams have received multiple password-related issues for nest and have decided to set up SSO access for Nest for Marketing users as well. The CIO does not want to invest in a new IDP solution and is considering using Salesforce for this purpose. Which are appropriate license type choices for sales and marketing users, giving salesforce is using Delegated Authentication? Choose 2 answers 

A. Salesforce license for sales users and Identity license for Marketing users 
B. Salesforce license for sales users and External Identity license for Marketing users 
C. Identity license for sales users and Identity connect license for Marketing users 
D. Salesforce license for sales users and platform license for Marketing users. 

Show Answer

---

Question # 48

A service provider (SP) supports both Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). A service provider (SP) supports both Security Assertion Markup Language (SAML) and OpenID Connect (OIDC).  When integrating this SP with Salesforce, which use case is the determining factor when choosing OIDC or SAML? 

A. OIDC is more secure than SAML and therefore is the obvious choice. 
B. The SP needs to perform API calls back to Salesforce on behalf of the user after the user logs in to the service provider. 
C. If the user has a session on Salesforce, you do not want them to be prompted for a username and password when they login to the SP. 
D. They are equivalent protocols and there is no real reason to choose one over the other. 

Show Answer

---

Question # 49

Northern Trail Outfitters (NTO) recently purchased Salesforce Identity Connect to streamline user provisioning across Microsoft Active Directory (AD) and Salesforce Sales Cloud. NTO has asked an identity architect to identify which salesforce security configurations can map to AD permissions. Which three Salesforce permissions are available to map to AD permissions? Choose 3 answers 

A. Public Groups 
B. Field-Level Security 
C. Roles 
D. Sharing Rules 
E. Profiles and Permission Sets 

Show Answer

---

Question # 50

Universal Containers wants to secure its Salesforce APIs by using an existing Security Assertion Markup Language (SAML) configuration supports the company's single sign-on process to Salesforce, Which Salesforce OAuth authorization flow should be used?

 A. OAuth 2.0 SAML Bearer Assertion Flow 
B. A SAML Assertion Row 
C. OAuth 2.0 User-Agent Flow 
D. OAuth 2.0 JWT Bearer Flow 

Show Answer

---

Question # 51

Northern Trail Outfitters would like to automatically create new employee users in Salesforce with an appropriate profile that maps to its Active Directory Department. How should an identity architect implement this requirement? 

A. Use the createUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile. 
B. Use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.
C. Use a login flow to collect Security Assertion Markup Language attributes and assign the appropriate profile during Just-In-Time (JIT) provisioning. 
D. Make a callout during the login flow to query department from Active Directory to assign the appropriate profile. 

Show Answer

---

Question # 52

Universal Containers is using OpenID Connect to enable a connection from their new mobile app to its production Salesforce org. What should be done to enable the retrieval of the access token status for the OpenID Connect connection? 

A. Query using OpenID Connect discovery endpoint. 
B. A Leverage OpenID Connect Token Introspection. 
C. Create a custom OAuth scope. 
D. Enable cross-origin resource sharing (CORS) for the /services/oauth2/token endpoint. 

Show Answer

---

Question # 53

Universal Containers is implementing Salesforce Identity to broker authentication from its enterprise single sign-on (SSO) solution through Salesforce to third party applications using SAML. What rote does Salesforce Identity play in its relationship with the enterprise SSO system?

A. Identity Provider (IdP) 
B. Resource Server 
C. Service Provider (SP) 
D. Client Application 

Show Answer

---

Question # 54

A manufacturer wants to provide registration for an Internet of Things (IoT) device with limited display input or capabilities. Which Salesforce OAuth authorization flow should be used? 

A. OAuth 2.0 JWT Bearer How 
B. OAuth 2.0 Device Flow 
C. OAuth 2.0 User-Agent Flow 
D. OAuth 2.0 Asset Token Flow 

Show Answer

---

Question # 55

An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The following are the requirements for the solution: 1. Users should not have to login every time they use the app. 2. The app should be able to make calls to the Salesforce REST API. 3. End users should NOT see the OAuth approval page. How should the identity architect configure the Salesforce connected app to meet the requirements?

A. Enable the API Scope and Offline Access Scope, upload a certificate so JWT Bearer Flow can be used and then set the connected app access settings to "Admin PreApproved". 
B. Enable the API Scope and Offline Access Scope on the connected app, and then set the connected app to access settings to 'Admin Pre-Approved". 
C. Enable the Full Access Scope and then set the connected app access settings to "Admin Pre-Approved". 
D. Enable the API Scope and Offline Access Scope on the connected app, and then set the Connected App access settings to "User may self authorize". 

Show Answer

---

Question # 56

Universal Containers (UC) is building an integration between Salesforce and a legacy web applications using the canvas framework. The security for UC has determined that a signed request from Salesforce is not an adequate authentication solution for the Third-Party app. Which two options should the Architect consider for authenticating the third-party app using the canvas framework? Choose 2 Answers 

A. Utilize the SAML Single Sign-on flow to allow the third-party to authenticate itself against UC's IdP. 
B. Utilize Authorization Providers to allow the third-party appliction to authenticate itself against Salesforce as the Idp. 
C. Utilize Canvas OAuth flow to allow the third-party appliction to authenticate itself against Salesforce as the Idp. 
D. Create a registration handler Apex class to allow the third-party appliction to authenticate itself against Salesforce as the Idp. 

Show Answer

---

Question # 57

Universal Containers would like its customers to register and log in to a portal built on Salesforce Experience Cloud. Customers should be able to use their Facebook or Linkedln credentials for ease of use. Which three steps should an identity architect take to implement social sign-on? Choose 3 answers 

A. Register both Facebook and Linkedln as connected apps. 
B. Create authentication providers for both Facebook and Linkedln. 
C. Check "Facebook" and "Linkedln" under Login Page Setup. 
D. Enable "Federated Single Sign-On Using SAML". 
E. Update the default registration handlers to create and update users.

Show Answer

---

Question # 58

Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for NTO to give its customers the ability to login with their Amazon credentials. What should an identity architect recommend to meet these requirements? 

A. Configure a predefined authentication provider for Amazon. 
B. Create a custom external authentication provider for Amazon.
 C. Configure an OpenID Connect Authentication Provider for Amazon. 
D. Configure Amazon as a connected app. 

Show Answer

---

Question # 59

Universal Containers (UC) has implemented SAML-based Single Sign-On to provide seamless access to its Salesforce Orgs, financial system, and CPQ system. Below is the SSO implementation landscape.

A. Financial System and CPQ System are the only Service Providers. 
B. Salesforce Org1 and Salesforce Org2 are the only Service Providers. 
C. Salesforce Org1 and Salesforce Org2 are acting as Identity Providers. 
D. Salesforce Org1 and PingFederate are acting as Identity Providers. 

Show Answer

---

Question # 60

Universal containers (UC) has a mobile application that it wants to deploy to all of its salesforce users, including customer Community users. UC would like to minimize the administration overhead, which two items should an architect recommend? Choose 2 answers 

A. Enable the "Refresh Tokens is valid until revoked " setting in the Connected App. 
B. Enable the "Enforce Ip restrictions" settings in the connected App. 
C. Enable the "All users may self-authorize" setting in the Connected App. 
D. Enable the "High Assurance session required" setting in the Connected App. 

Show Answer

---

Question # 61

Universal containers (UC) wants to implement a partner community. As part of their implementation, UC would like to modify both the Forgot password and change password experience with custom branding for their partner community users. Which 2 actions should an architect recommend to UC? Choose 2 answers 

A. Build a community builder page for the change password experience and Custom Visualforce page for the Forgot password experience. 
B. Build a custom visualforce page for both the change password and Forgot password experiences. 
C. Build a custom visualforce page for the change password experience and a community builder page for the Forgot password experience.
D. Build a community builder page for both the change password and Forgot password experiences. 

Show Answer

---

Question # 62

Universal Containers (UC) uses Active Directory (AD) as their identity store for employees and must continue to do so for network access. UC is undergoing a major transformation program and moving all of their enterprise applications to cloud platforms including Salesforct, Workday, and SAP HANA. UC needs to implement an SSO solution for accessing all of the third-party cloud applications and the CIO is inclined to use Salesforce for all of their identity and access management needs. Which two Salesforce license types does UC need for its employees' Choose 2 answers 

A. Company Community and Identity licenses 
B. Identity and Identity Connect licenses 
C. Chatter Only and Identity licenses 
D. Salesforce and Identity Connect licenses 

Show Answer

---

Question # 63

Universal Containers (UC) has built a custom token-based Two-factor authentication (2FA) system for their existing on-premise applications. They are now implementing Salesforce and would like to enable a Two-factor login process for it, as well. What is the recommended solution as Architect should consider?

A. Use the custom 2FA system for on-premise applications and native 2FA for Salesforce. 
B. Replace the custom 2FA system with an AppExchange App that supports on premise application and salesforce. 
C. Use Custom Login Flows to connect to the existing custom 2FA system for use in Salesforce. 
D. Replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce. 

Show Answer

---

Question # 64

Northern Trail Outfitters (NTO) has a requirement to ensure all user logins include a single multi-factor authentication (MFA) prompt. Currently, users are allowed the choice to login with a username and password or via single sign-on against NTO's corporate Identity Provider, which includes built-in MFA. Which configuration will meet this requirement? 

A. Create and assign a permission set to all employees that includes "MFA for User Interface Logins." 
B. Create a custom login flow that enforces MFA and assign it to a permission set. Then assign the permission set to all employees. 
C. Enable "MFA for User Interface Logins" for your organization from Setup -> Identity Verification.
 D. For all employee profiles, set the Session Level Required at Login to High Assurance and add the corporate identity provider to the High Assurance list for the org's Session Security Levels. 

Show Answer

---

Question # 65

An identity architect is implementing a mobile-first Consumer Identity Access Management (CIAM) for external users. User authentication is the only requirement. The users email or mobile phone number should be supported as a username. Which two licenses are needed to meet this requirement? Choose 2 answers 

A. External Identity Licenses 
B. Identity Connect Licenses 
C. Email Verification Credits 
D. SMS verification Credits 

Show Answer

---

Question # 66

An organization has a central cloud-based Identity and Access Management (IAM) Service for authentication and user management, which must be utilized by all applications as follows: 1 - Change of a user status in the central IAM Service triggers provisioning or deprovisioining in the integrated cloud applications. 2 - Security Assertion Markup Language single sign-on (SSO) is used to facilitate access for users authenticated at identity provider (Central IAM Service). Which approach should an IAM architect implement on Salesforce Sales Cloud to meet the requirements?

A. A Configure Salesforce as a SAML Service Provider, and enable SCIM (System for Cross-Domain Identity Management) for provisioning and deprovisioning of users. 
B. Configure Salesforce as a SAML service provider, and enable Just-in Time (JIT) provisioning and deprovisioning of users. 
C. Configure central IAM Service as an authentication provider and extend registration handler to manage provisioning and deprovisioning of users. 
D. Deploy Identity Connect component and set up automated provisioning and deprovisioning of users, as well as SAML-based SSO. 

Show Answer

---

Question # 67

Universal Containers (UC) has an existing Salesforce org configured for SP-Initiated SAML SSO with their Idp. A second Salesforce org is being introduced into the environment and the IT team would like to ensure they can use the same Idp for new org. What action should the IT team take while implementing the second org? 

A. Use the same SAML Identity location as the first org. 
B. Use a different Entity ID than the first org. 
C. Use the same request bindings as the first org. 
D. Use the Salesforce Username as the SAML Identity Type. 

Show Answer

---

Question # 68

Northern Trail Outfitters want to allow its consumer to self-register on it business-toconsumer (B2C) portal that is built on Experience Cloud. The identity architect has recommended to use Person Accounts. Which three steps need to be configured to enable self-registration using person accounts? Choose 3 answers 

A. Enable access to person and business account record types under Public Access Settings. 
B. Contact Salesforce Support to enable business accounts. 
C. Under Login and Registration settings, ensure that the default account field is empty. 
D. Contact Salesforce Support to enable person accounts. 
E. Set organization-wide default sharing for Contact to Public Read Only. 

Show Answer

---

Question # 69

Universal Containers (UC) is implementing Salesforce and would like to establish SAML SSO for its users to log in. UC stores its corporate user identities in a Custom Database. The UC IT Manager has heard good things about Salesforce Identity Connect as an Idp, and would like to understand what limitations they may face if they decided to use Identity Connect in their current environment. What limitation Should an Architect inform the IT Manager about?

A. Identity Connect will not support user provisioning in UC's current environment. 
B. Identity Connect will only support Idp-initiated SAML flows in UC's current environment. 
C. Identity Connect will only support SP-initiated SAML flows in UC's current environment. 
D. Identity connect is not compatible with UC's current identity environment. 

Show Answer

---

Question # 70

Universal Containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in Salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two are recommendations to make the UC? Choose 2 answers 

A. Disallow the use of Single Sign-on for any users of the mobile app. 
B. Require High Assurance sessions in order to use the Connected App. 
C. Set Login IP Ranges to the internal network for all of the app users Profiles. 
D. Use Google Authenticator as an additional part of the login process 

Show Answer

---

Question # 71

A company with 15,000 employees is using Salesforce and would like to take the necessary steps to highlight or curb fraudulent activity. Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours? 

A. Login Forensics 
B. Login Report 
C. Login Inspector 
D. Login History 

Show Answer

---

Question # 72

Universal Containers (UC) rolling out a new Customer Identity and Access Management Solution will be built on top of their existing Salesforce instance. Several service providers have been setup and integrated with Salesforce using OpenlD Connect to allow for a seamless single sign-on experience. UC has a requirement to limit user access to only a subset of service providers per customer type. Which two steps should be done on the platform to satisfy the requirement? Choose 2 answers 

A. Manage which connected apps a user has access to by assigning authentication providers to the users profile. 
B. Assign the connected app to the customer community, and enable the users profile in the Community settings. 
C. Use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps. 
D. Set each of the Connected App access settings to Admin Pre-Approved. 

Show Answer

---

Question # 73

Universal containers (UC) wants to implement Delegated Authentication for a certain subset of Salesforce users. Which three items should UC take into consideration while building the Web service to handle the Delegated Authentication request? Choose 3 answers 

A. The web service needs to include Source IP as a method parameter. 
B. UC should whitelist all salesforce ip ranges on their corporate firewall. 
C. The web service can be written using either the soap or rest protocol. 
D. Delegated Authentication is enabled for the system administrator profile. 
E. The return type of the Web service method should be a Boolean value 

Show Answer

---

Question # 74

Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, who use SAML based sign sign-on to login to Salesforce. The default agent profile does not include the Manage User permission. UC wants to dynamically update the agent role and permission sets. Which two mechanisms are used to provision agents with the appropriate permissions? Choose 2 answers 

A. Use Login Flow in User Context to update role and permission sets. 
B. Use Login Flow in System Context to update role and permission sets. 
C. Use SAML Just-m-Time (JIT) Handler class run as current user to update role and permission sets. 
D. Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets. 

Show Answer

---

Salesforce Service-Cloud-Consultant Exam Overview

Overview	Details
Exam Name	Salesforce Certified Service Cloud Consultant (SC24)
Exam Code	SC24
Duration	105 minutes
Number of Questions	60 (multiple-choice and multi-select)
Passing Score	67% (40 correct answers)
Format	Computer-based (Pearson VUE testing centers or online proctored)
Language	English
Content Areas (Weight)	Service Cloud Solution Design (16%) Implementation Strategies (15%) Case Management (15%) Knowledge Management (9%) Interaction Channels (10%) Contact Center Analytics (5%) Integration and Data Management (5%) Industry Knowledge (10%) Service Console (15%)

Salesforce Identity-and-Access-Management-Architect Frequently Asked Questions