Salesforce Identity and Access Management Architect Exam Practice Test Instant Access

Question 1

An identity architect's client has a homegrown identity provider (IdP). Salesforce is used as the service provider (SP). The head of IT is worried that during a SP initiated single sign-on (SSO), the Security Assertion Markup Language (SAML) request content will be altered.

What should the identity architect recommend to make sure that there is additional trust between the SP and the IdP?

AEnsure that there is an HTTPS connection between IDP and SP.

BEnsure that on the SSO settings page, the 'Request Signing Certificate' field has a self-signed certificate.

CEnsure that the Issuer and Assertion Consumer service (ACS) URL is property configured between SP and IDP.

DEncrypt the SAML Request using certification authority (CA) signed certificate and decrypt on IdP.

Answer : D

Question 2

An Enterprise is using a Lightweight Directory Access Protocol (LDAP ) server as the only point for user authentication with a username/password. Salesforce delegated authentication is configured to integrate Salesforce under single sign-on (SSO).

Mow can end users change their password?

AUsers once logged In, can go to the Change Password screen in Salesforce.

BUsers can click on the 'Forgot your Password' link on the Salesforce.com login page.

CUsers can request the Salesforce Admin to reset their password.

DUsers can change it on the enterprise LDAP authentication portal.

Answer : C

Question 3

Universal Containers (UC) is planning to add Wi-Fi enabled GPS tracking devices to its shipping containers so that the GPS coordinates data can be sent from the tracking device to its Salesforce production org via a custom API. The GPS devices have no direct user input or output capabilities.

Which OAuth flow should the identity architect recommend to meet the requirement?

AOAuth 2.0 Asset Token Flow for Securing Connected Devices

BOAuth 2.0 Username-Password Flow for Special Scenarios

COAuth 2.0 Web Server Flow for Web App Integration

DOAuth 2.0 JWT Bearer Flow for Server-to-Server Integration

Answer : A

Question 4

Northern Trail Outfitters (NTO) has a requirement to ensure all user logins include a single multi-factor authentication (MFA) prompt. Currently, users are allowed the choice to login with a username and password or via single sign-on against NTO's corporate Identity Provider, which includes built-in MFA.

Which configuration will meet this requirement?

ACreate and assign a permission set to all employees that includes 'MFA for User Interface Logins.'

BCreate a custom login flow that enforces MFA and assign it to a permission set. Then assign the permission set to all employees.

CEnable 'MFA for User Interface Logins' for your organization from Setup -> Identity Verification.

DFor all employee profiles, set the Session Level Required at Login to High Assurance and add the corporate identity provider to the High Assurance list for the org's Session Security Levels.

Answer : C

Question 5

An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The following are the requirements for the solution:

1. Users should not have to login every time they use the app.

2. The app should be able to make calls to the Salesforce REST API.

3. End users should NOT see the OAuth approval page.

How should the identity architect configure the Salesforce connected app to meet the requirements?

AEnable the API Scope and Offline Access Scope, upload a certificate so JWT Bearer Flow can be used and then set the connected app access settings to 'Admin Pre-Approved'.

BEnable the API Scope and Offline Access Scope on the connected app, and then set the connected app to access settings to 'Admin Pre-Approved'.

CEnable the Full Access Scope and then set the connected app access settings to 'Admin Pre-Approved'.

DEnable the API Scope and Offline Access Scope on the connected app, and then set the Connected App access settings to 'User may self authorize'.

Answer : A

Question 6

Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, who use SAML based sign sign-on to login to Salesforce. The default agent profile does not include the Manage User permission. UC wants to dynamically update the agent role and permission sets.

Which two mechanisms are used to provision agents with the appropriate permissions?

Choose 2 answers

AUse Login Flow in User Context to update role and permission sets.

BUse Login Flow in System Context to update role and permission sets.

CUse SAML Just-m-Time (JIT) Handler class run as current user to update role and permission sets.

DUse SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets.

Answer : B, D

Question 7

Northern Trail Outfitters want to allow its consumer to self-register on it business-to-consumer (B2C) portal that is built on Experience Cloud. The identity architect has recommended to use Person Accounts.

Which three steps need to be configured to enable self-registration using person accounts?

Choose 3 answers

AEnable access to person and business account record types under Public Access Settings.

BContact Salesforce Support to enable business accounts.

CUnder Login and Registration settings, ensure that the default account field is empty.

DContact Salesforce Support to enable person accounts.

ESet organization-wide default sharing for Contact to Public Read Only.

Answer : A, C, D

Salesforce Identity and Access Management Architect Salesforce Certified Identity and Access Management Architect Exam Practice Test