Salesforce Identity-and-Access-Management-designer Exam Practice Test Instant Access

Question 1

Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Act Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee recently was able to login to NTO's Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory.

What should an identity architect recommend to prevent this from happening in the future?

ACreate a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP.

BConfigure an authentication provider to delegate authentication to the LDAP directory.

Cuse a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce.

DSetup an identity provider (IdP) to authenticate users using LDAP, set up single sign-on to Salesforce and disable Login Form authentication.

Answer : B

Question 2

An Identity and Access Management (IAM) Architect is recommending Identity Connect to integrate Microsoft Active Directory (AD) with Salesforce for user provisioning, deprovisioning and single sign-on (SSO).

Which feature of Identity Connect is applicable for this scenano?

AWhen Identity Connect is in place, if a user is deprovisioned in an on-premise AD, the user's Salesforce session Is revoked Immediately.

BIf the number of provisioned users exceeds Salesforce licence allowances, identity Connect will start disabling the existing
Salesforce users in First-in, First-out (FIFO) fashion.

CIdentity Connect can be deployed as a managed package on salesforce org, leveraging High Availability of Salesforce Platform out-of-the-box.

DWhen configured, Identity Connect acts as an identity provider to both Active Directory and Salesforce, thus providing SSO as a default feature.

Answer : A

Question 3

Universal Containers (UC) operates in Asia, Europe and North America regions. There is one Salesforce org for each region. UC is implementing Customer 360 in Salesforce and has procured External Identity and Customer Community licenses in all orgs.

Customers of UC use Community to track orders and create inquiries. Customers also tend to move across regions frequently.

What should an identity architect recommend to optimize license usage and reduce maintenance overhead?

AMerge three orgs into one instance of Salesforce. This will no longer require maintaining three separate copies of the same customer.

BDelete contact/ account records and deactivate user if user moves from a specific region; Sync will no longer be required.

CContacts are required since Community access needs to be enabled. Maintenance is a necessary overhead that must be handled via data integration.

DEnable Contactless User in all orgs and downgrade users from Experience Cloud license to External Identity license once users have moved out of that region.

Answer : C

Question 4

Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, who use SAML based sign sign-on to login to Salesforce. The default agent profile does not include the Manage User permission. UC wants to dynamically update the agent role and permission sets.

Which two mechanisms are used to provision agents with the appropriate permissions?

Choose 2 answers

AUse Login Flow in User Context to update role and permission sets.

BUse Login Flow in System Context to update role and permission sets.

CUse SAML Just-m-Time (JIT) Handler class run as current user to update role and permission sets.

DUse SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets.

Answer : B, D

Question 5

Universal Containers (UC) is setting up delegated authentication to allow employees to log in using their corporate credentials. UC's security team is concerned about the risks of exposing the corporate login service on the internet and has asked that a reliable trust mechanism be put in place between the login service and Salesforce.

What mechanism should an Architect put in place to enable a trusted connection between the login service and Salesforce?

ARequire the use of Salesforce security tokens on passwords.

BEnforce mutual authentication between systems using SSL.

CInclude Client Id and Client Secret in the login header callout.

DSet up a proxy service for the login service in the DMZ.

Answer : A

Question 6

Universal Containers (UC) wants to use Salesforce for sales orders and a legacy of system for order fulfillment. The legacy system must update the status of orders in 65* Salesforce in real time as they are fulfilled. UC decides to use OAuth for connecting the legacy system to Salesforce. What OAuth flow should be considered that doesn't require storing credentials, client secret or refresh tokens?

AWeb Server flow

BJWT Bearer Token flow

CUsername-Password flow

DUser Agent flow

Answer : B

Question 7

A security architect is rolling out a new multi-factor authentication (MFA) mandate, where all employees must go through a secure authentication process before accessing Salesforce. There are multiple Identity Providers (IdP) in place and the architect is considering how the "Authentication Method Reference" field (AMR) in the Login History can help.

Which two considerations should the architect keep in mind?

Choose 2 answers

AAMR field shows the authentication methods used at IdP.

BBoth OIDC and Security Assertion Markup Language (SAML) are supported but AMR must be implemented at IdP.

CHigh-assurance sessions must be configured under Session Security Level Policies.

DDependency on what is supported by OpenID Connect (OIDC) implementation at IdP.

Answer : A, B

Salesforce Identity-and-Access-Management-designer Identity and Access Management Designer Exam Practice Test