All About Precise Identity-and-Access-Management-Designer Exam

NEW QUESTION 1
A web service is developed that allows secure access to customer order status on the Salesforce Platform, The service connects to Salesforce through a connected app with the web server flow. The following are the required actions for the authorization flow:
* 1. User Authenticates and Authorizes Access
* 2. Request an Access Token
* 3. Salesforce Grants an Access Token
* 4. Request an Authorization Code
* 5. Salesforce Grants Authorization Code
What is the correct sequence for the authorization flow?

• A. 1, 4, 5, 2, 3
• B. 4, 1, 5, 2, 3
• C. 2, 1, 3, 4, 5
• D. 4,5,2, 3, 1

Answer: D

NEW QUESTION 2
Universal Containers (UC) wants its users to access Salesforce and other SSO-enabled applications from a custom web page that UC magnets. UC wants its users to use the same set of credentials to access each of the applications. what SAML SSO flow should an Architect recommend for UC?

• A. SP-Initiated with Deep Linking
• B. SP-Initiated
• C. IdP-Initiated
• D. User-Agent

Answer: C

NEW QUESTION 3
Universal Containers (UC) uses Salesforce for its customer service agents. UC has a proprietary system for order tracking which supports Security Assertion Markup Language (SAML) based single sign-on. The VP of customer service wants to ensure only active Salesforce users should be able to access the order tracking system which is only visible within Salesforce.
What should be done to fulfill the requirement? Choose 2 answers

• A. Setup Salesforce as an identity provider (IdP) for order Tracking.
• B. Set up the Corporate Identity store as an identity provider (IdP) for Order Tracking,
• C. Customize Order Tracking to initiate a REST call to validate users in Salesforce after login.
• D. Setup Order Tracking as a Canvas app in 5alesforce to POST IdP initiated SAML assertion.

Answer: AB

NEW QUESTION 4
Universal containers (UC) employees have salesforce access from restricted ip ranges only, to protect against unauthorised access. UC wants to rollout the salesforce1 mobile app and make it accessible from any location. Which two options should an architect recommend? Choose 2 answers

• A. Relax the ip restriction in the connect app settings for the salesforce1 mobile app
• B. Use login flow to bypass ip range restriction for the mobile app.
• C. Relax the ip restriction with a second factor in the connect app settings for salesforce1 mobile app
• D. Remove existing restrictions on ip ranges for all types of user access.

Answer: AB

NEW QUESTION 5
What information does the 'Relaystate' parameter contain in sp-Initiated Single Sign-on?

• A. Reference to a URL redirect parameter at the identity provider.
• B. Reference to a URL redirect parameter at the service provider.
• C. Reference to the login address URL of the service provider.
• D. Reference to the login address URL of the identity Provider.

Answer: B

NEW QUESTION 6
Universal Containers (UC) has implemented SAML-based SSO solution for use with their multi-org Salesforce implementation, utilizing one of the the orgs as the Identity Provider. One user is reporting that they can log in to the Identity Provider org but get a generic SAML error message when accessing the other orgs. Which two considerations should the architect review to troubleshoot the issue? Choose 2 answers

• A. The Federation ID must be a valid Salesforce Username
• B. The Federation ID must is case sensitive
• C. The Federation ID must be in the form of an email address.
• D. The Federation ID must be populated on the user record.

Answer: BD

NEW QUESTION 7
Universal Containers (UC) wants to integrate a third-party Reward Calculation system with Salesforce to calculate Rewards. Rewards will be calculated on a schedule basis and update back into Salesforce. The integration between Salesforce and the Reward Calculation System needs to be secure. Which are two recommended practices for using OAuth flow in this scenario. choose 2 answers

• A. OAuth Refresh Token FLow
• B. OAuth Username-Password Flow
• C. OAuth SAML Bearer Assertion FLow
• D. OAuth JWT Bearer Token FLow

Answer: CD

NEW QUESTION 8
An architect needs to set up a Facebook Authentication provider as login option for a salesforce customer Community. What portion of the authentication provider setup associates a Facebook user with a salesforce user?

• A. Consumer key and consumer secret
• B. Federation ID
• C. User info endpoint URL
• D. Apex registration handler

Answer: D

NEW QUESTION 9
An identity architect has been asked to recommend a solution that allows administrators to configure personalized alert messages to users before they land on the Experience Cloud site (formerly known as Community) homepage.
What is recommended to fulfill this requirement with the least amount of customization?

• A. Customize the registration handler Apex class to create a routing logic navigating to different home pages based on the user profile.
• B. Use Login Flows to add a screen that shows personalized alerts.
• C. Build a Lightning web Component (LWC) for a homepage that shows custom alerts.
• D. Create custom metadata that stores user alerts and use a LWC to display alerts.

Answer: B

NEW QUESTION 10
Which three different attributes can be used to identify the user in a SAML 65> assertion when Salesforce is acting as a Service Provider? Choose 3 answers

• A. Federation ID
• B. Salesforce User ID
• C. User Full Name
• D. User Email Address
• E. Salesforce Username

Answer: ACD

NEW QUESTION 11
Universal Containers (UC) implemented SSO to a third-party system for their Salesforce users to access the App Launcher. UC enabled “User Provisioning” on the Connected App so that changes to user accounts can be synched between Salesforce and the third party system. However, UC quickly notices that changes to user roles in Salesforce are not getting synched to the third-party system. What is the most likely reason for this behaviour?

• A. User Provisioning for Connected Apps does not support role sync.
• B. Required operation(s) was not mapped in User Provisioning Settings.
• C. The Approval queue for User Provisioning Requests is unmonitored.
• D. Salesforce roles have more than three levels in the role hierarchy.

Answer: A

NEW QUESTION 12
Universal Containers (UC) has decided to use Salesforce as an Identity Provider for multiple external applications. UC wants to use the salesforce App Launcher to control the Apps that are available to individual users. Which three steps are required to make this happen?

• A. Add each connected App to the App Launcher with a Start URL.
• B. Set up an Auth Provider for each External Application.
• C. Set up Salesforce as a SAML Idp with My Domain.
• D. Set up Identity Connect to Synchronize user data.
• E. Create a Connected App for each external application.

Answer: ACE

NEW QUESTION 13
Universal containers (UC) has implemented a multi-org strategy and would like to centralize the management of their salesforce user profiles. What should the architect recommend to allow salesforce profiles to be managed from a central system of record?

• A. Implement jit provisioning on the SAML IDP that will pass the profile id in each assertion.
• B. Create an apex scheduled job in one org that will synchronize the other orgs profile.
• C. Implement Delegated Authentication that will update the user profiles as necessary.
• D. Implement an Oauthjwt flow to pass the profile credentials between systems.

Answer: A

NEW QUESTION 14
Universal Containers built a custom mobile app for their field reps to create orders in Salesforce. OAuth is used for authenticating mobile users. The app is built in such a way that when a user session expires after Initial login, a new access token is obtained automatically without forcing the user to log in again. While that improved the field reps' productivity, UC realized that they need a "logout" feature.
What should the logout function perform in this scenario, where user sessions are refreshed automatically?

• A. Invoke the revocation URL and pass the refresh token.
• B. Clear out the client Id to stop auto session refresh.
• C. Invoke the revocation URL and pass the access token.
• D. Clear out all the tokens to stop auto session refresh.

Answer: A

NEW QUESTION 15
Universal Containers (UC) has a desktop application to collect leads for marketing campaigns. UC wants to extend this application to integrate with Salesforce to create leads. Integration between the desktop application and Salesforce should be seamless. What Authorization flow should the Architect recommend?

• A. JWT Bearer Token Flow
• B. Web Server Authentication Flow
• C. User Agent Flow
• D. Username and Password Flow

Answer: C

NEW QUESTION 16
The security team at Universal containers(UC) has identified exporting reports as a high-risk action and would like to require users to be logged into salesforce with their active directory (AD) credentials when doing so. For all other uses of Salesforce, Users should be allowed to use AD credentials or salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with salesforce credentials?

• A. Use SAML Federated Authentication and Custom SAML jit provisioning to dynamically add or remove a permission set that grants the Export Reports permission.
• B. Use SAML Federated Authentication, treat SAML sessions as high assurance, and raise the session level required for exporting reports.
• C. Use SAML Federated Authentication and block access to reports when accesses through a standard assurance session.
• D. Use SAML Federated Authentication with a login flow to dynamically add or remove a permission set that grants the export reports permission.

Answer: C

NEW QUESTION 17
Northern Trail Outfitters (NTO) has a number of employees who do NOT need access Salesforce objects. Trie employees should sign in to a custom Benefits web app using their Salesforce credentials.
Which license should the identity architect recommend to fulfill this requirement?

• A. Identity Only License
• B. External Identity License
• C. Identity Verification Credits Add-on License
• D. Identity Connect License

Answer: A

NEW QUESTION 18
......