Salesforce Certified Platform Identity and Access Management Architect (Plat-Arch-203) Exam Practice Test Instant Access

Question 1

A multinational company is looking to rollout Salesforce globally. The company has a Microsoft Active Directory Federation Services (ADFS) implementation for the Americas, Europe and APAC. The company plans to have a single org and they would like to have all of its users access Salesforce using the ADFS . The company would like to limit its investments and prefer not to procure additional applications to satisfy the requirements.

What is recommended to ensure these requirements are met ?

AUse connected apps for each ADFS implementation and implement Salesforce site to authenticate users across the ADFS system applicable to their geo.

BImplement Identity Connect to provide single sign-on to Salesforce and federated across multiple ADFS systems.

CAdd a central identity system that federates between the ADFS systems and integrate with Salesforce for single sign-on.

DConfigure Each ADFS system under single sign-on settings and allow users to choose the system to authenticate during sign on to Salesforce-

Answer : B

Question 2

Universal containers (UC) uses a legacy Employee portal for their employees to collaborate and post their ideas. UC decides to use salesforce ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to push ideas posted on the Employee portal to salesforce through API. UC decides to use an API user using Oauth Username - password flow for the connection. How can the connection to salesforce be restricted only to the employee portal server?

AAdd the Employee portals IP address to the Trusted IP range for the connected App

BUse a digital certificate signed by the employee portal Server.

CAdd the employee portals IP address to the login IP range on the user profile.

DUse a dedicated profile for the user the Employee portal uses.

Answer : A

Question 3

Universal Containers (UC) implemented SSO to a third-party system for their Salesforce users to access the App Launcher. UC enabled ''User Provisioning'' on the Connected App so that changes to user accounts can be synched between Salesforce and the third party system. However, UC quickly notices that changes to user roles in Salesforce are not getting synched to the third-party system. What is the most likely reason for this behaviour?

AUser Provisioning for Connected Apps does not support role sync.

BRequired operation(s) was not mapped in User Provisioning Settings.

CThe Approval queue for User Provisioning Requests is unmonitored.

DSalesforce roles have more than three levels in the role hierarchy.

Answer : A

Question 4

Northern Trail Outfitters (NTO) is planning to roll out a partner portal for its distributors using Experience Cloud. NTO would like to use an external identity provider (idP) and for partners to register for access to the portal. Each partner should be allowed to register only once to avoid duplicate accounts with Salesforce.

What should a identity architect recommend to create partners?

AOn successful creation of Partners using Self Registration page in Experience Cloud, create identity in Ping.

BCreate a custom page m Experience Cloud to self register partner with Experience Cloud and Ping identity store.

CCreate a custom web page in the Portal and create users in the IdP and Experience Cloud using published APIs.

DAllow partners to register through the IdP and create partner users in Salesforce through an API.

Answer : B

Question 5

Northern Trail Outfitters (NTO) uses Salesforce Experience Cloud sites (previously known as Customer Community) to provide a digital portal where customers can login using their Google account.

NTO would like to automatically create a case record for first time users logging into Salesforce Experience Cloud.

What should an Identity architect do to fulfill the requirement?

AConfigure an authentication provider for Social Login using Google and a custom registration handler.

BImplement a Just-in-Time handler class that has logic to create cases upon first login.

CCreate an authentication provider for Social Login using Google and leverage standard registration handler.

DImplement a login flow with a record create component for Case.

Answer : D

Question 6

Universal Containers built a custom mobile app for their field reps to create orders in Salesforce. OAuth is used for authenticating mobile users. The app is built in such a way that when a user session expires after Initial login, a new access token is obtained automatically without forcing the user to log in again. While that improved the field reps' productivity, UC realized that they need a "logout" feature.

What should the logout function perform in this scenario, where user sessions are refreshed automatically?

AInvoke the revocation URL and pass the refresh token.

BClear out the client Id to stop auto session refresh.

CInvoke the revocation URL and pass the access token.

DClear out all the tokens to stop auto session refresh.

Answer : A

Question 7

Which two considerations should be made when implementing Delegated Authentication?

Choose 2 answers

AThe authentication web service can include custom attributes.

BIt can be used to authenticate API clients and mobile apps.

CIt requires trusted IP ranges at the User Profile level.

DSalesforce servers receive but do not validate a user's credentials.

EJust-in-time Provisioning can be configured for new users.

Answer : B, E