The latest Identity-and-Access-Management-Architect guaranteed-pass exam question set has accurate, up-to-date questions [Q63-Q82]

Study notes and theory with the Identity-and-Access-Management-Architect exam braindump question set


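Salesforce Identity-and-Access-Management-Architect certification exam coverage:

Topic: Exam coverage
Topic 1
  • Given a scenario, recommend the most appropriate method for provisioning users from identity stores in B2E and B2C scenarios
  • Recommend the appropriate method for provisioning users in Salesforce
Topic 2
  • Identify how to provision users in Salesforce to enable SSO and apply access rights
  • Identify the auditing and monitoring approaches available on the platform
Topic 3
  • Describe the various implementation concepts of OAuth
  • Describe the building blocks that are part of an identity solution
Topic 4
  • Describe the capabilities for customizing the user experience for Experience Cloud
  • Given a scenario, identify the most appropriate OAuth flow
Topic 5
  • Given a scenario, recommend the appropriate scopes and configuration of a connected app for authorization
  • Given a scenario, determine when to use Embedded Login
Topic 6
  • Troubleshoot common points of failure that may be encountered in a single sign-on solution
  • Describe the tools that can be used to diagnose IdP issues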


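To prepare for this exam, candidates need a solid understanding of Salesforce identity and access management solutions, including single sign-on (SSO), identity providers (IdP), and Security Assertion Markup Language (SAML). Experience with data security and compliance, and familiarity with industry best practices for identity and access management, is also desirable.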

 

Question # 63
An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The following are the requirements for the solution:
1. Users should not have to login every time they use the app.
2. The app should be able to make calls to the Salesforce REST API.
3. End users should NOT see the OAuth approval page.
How should the identity architect configure the Salesforce connected app to meet the requirements?

  • A. Enable the API Scope and Offline Access Scope, upload a certificate so JWT Bearer Flow can be used and then set the connected app access settings to "Admin Pre-Approved".
  • B. Enable the API Scope and Offline Access Scope on the connected app, and then set the connected app access settings to "Admin Pre-Approved".
  • C. Enable the API Scope and Offline Access Scope on the connected app, and then set the Connected App access settings to "User may self authorize".
  • D. Enable the Full Access Scope and then set the connected app access settings to "Admin Pre-Approved".

Answer: A


Question # 64
An identity architect's client has a homegrown identity provider (IdP). Salesforce is used as the service provider (SP). The head of IT is worried that during an SP-initiated single sign-on (SSO), the Security Assertion Markup Language (SAML) request content will be altered.
What should the identity architect recommend to make sure that there is additional trust between the SP and the IdP?

  • A. Encrypt the SAML Request using a certification authority (CA) signed certificate and decrypt on the IdP.
  • B. Ensure that there is an HTTPS connection between IdP and SP.
  • C. Ensure that on the SSO settings page, the "Request Signing Certificate" field has a self-signed certificate.
  • D. Ensure that the Issuer and Assertion Consumer Service (ACS) URL is properly configured between SP and IdP.

Answer: A


Question # 65
A company wants to provide its employees with a custom mobile app that accesses Salesforce. Users are required to download the internal native iOS mobile app from the corporate intranet on their mobile device. The app allows flexibility to access other non-Salesforce internal applications once users authenticate with Salesforce. The apps self-authorize, and users are permitted to use the apps once they have logged into Salesforce.
How should an identity architect meet the above requirements with the privately distributed mobile app?

  • A. Use Salesforce as an identity provider (IdP) to access the mobile app and use the external IdP for other non-Salesforce internal apps.
  • B. Configure Mobile App settings in connected app and Salesforce as identity provider for non-Salesforce internal apps.
  • C. Create a new hybrid mobile app and use the connected app with OAuth to authenticate users for Salesforce and non-Salesforce internal apps.
  • D. Use connected app with OAuth and Security Assertion Markup Language (SAML) to access other non-Salesforce internal apps.

Answer: B


Question # 66
Universal Containers (UC) has an e-commerce website where customers can buy products, make payments and manage their accounts. UC decides to build a Customer Community on Salesforce and wants to allow the customers to access the community from their accounts without logging in again. UC decides to implement an SP-initiated SSO using a SAML-compliant IdP. In this scenario where Salesforce is the Service Provider, which two activities must be performed in Salesforce to make SP-initiated SSO work? Choose 2 answers

  • A. Configure SAML SSO settings.
  • B. Create a Connected App.
  • C. Configure Delegated Authentication.
  • D. Set up My Domain.

Answer: A, D


Question # 67
Universal Containers (UC) has Active Directory (AD) as their enterprise identity store and would like to use it for Salesforce user authentication. UC expects to synchronize user data between Salesforce and AD and assign the appropriate Profile and Permission Sets based on AD group membership. What would be the optimal way to implement SSO?

  • A. Use Active Directory Federation Service (ADFS) as the Identity Provider.
  • B. Use Microsoft Access Control Service as the Authentication provider.
  • C. Use Salesforce Identity Connect as the Identity Provider.
  • D. Use Active Directory with Reverse Proxy as the Identity Provider.

Answer: C


Question # 68
Northern Trail Outfitters (NTO) has an existing custom business-to-consumer (B2C) website that does NOT support single sign-on standards, such as Security Assertion Markup Language (SAML) or OAuth. NTO wants to use Salesforce Identity to register and authenticate new customers on the website.
Which two Salesforce features should an identity architect use in order to provide username/password authentication for the website?
Choose 2 answers

  • A. Embedded Login
  • B. Identity Connect
  • C. Connected Apps
  • D. Delegated Authentication

Answer: A, D


Question # 69
The CMO of an advertising company has invited an Identity and Access Management (IAM) specialist to discuss Salesforce out-of-box capabilities for configuring the company's login and registration experience on Salesforce Experience Cloud.
The CMO is looking to brand the login page with the company's logo, background color, login button color, and dynamic right-frame from an external URL.
Which two solutions should the IAM specialist recommend?
Choose 2 answers

  • A. Login & Registration pages can be branded in the Community Administration settings.
  • B. Build custom site pages for reset and forgot password features.
  • C. Build custom pages for branding requirements in Experience Cloud.
  • D. Use Experience Builder to build branded Reset and Forgot Password pages.

Answer: A, D


Question # 70
Universal Containers (UC) has a strict requirement to authenticate users to Salesforce using their mainframe credentials. The mainframe user store cannot be accessed from a SAML provider. UC would also like to have users in Salesforce created on the fly if they provide accurate mainframe credentials.
How can the Architect meet these requirements?

  • A. Use the SOAP API to create the user when created on the mainframe; implement Delegated Authentication.
  • B. Implement OAuth User-Agent Flow on the mainframe; use a Registration Handler to create the user on the fly.
  • C. Implement Just-In-Time Provisioning on the mainframe to create the user on the fly.
  • D. Use a Salesforce Login Flow to call out to a web service and create the user on the fly.

Answer: C


Question # 71
Universal Containers is implementing Salesforce Identity to broker authentication from its enterprise single sign-on (SSO) solution through Salesforce to third party applications using SAML.
What role does Salesforce Identity play in its relationship with the enterprise SSO system?

  • A. Identity Provider (IdP)
  • B. Client Application
  • C. Resource Server
  • D. Service Provider (SP)

Answer: D


Question # 72
Northern Trail Outfitters wants to implement a partner community. Active community users will need to review and accept the community rules, and update key contact information for each community member before their annual partner event.
Which approach will meet this requirement?

  • A. Create a custom landing page and email campaign asking all community members to login and verify their data.
  • B. Create tasks for users who need to update their data or accept the new community rules.
  • C. Create a login flow that conditionally prompts users who have not accepted the new community rules and who have missing or outdated information.
  • D. Add a banner to the community Home page asking users to update their profile and accept the new community rules.

Answer: C


Question # 73
Universal Containers (UC) has decided to use Identity Connect as its identity provider. UC uses Active Directory (AD) and has a team that is very familiar and comfortable with managing AD groups. UC would like to use AD groups to help configure Salesforce users. Which three actions can AD groups control through Identity Connect? Choose 3 answers

  • A. Public Group Assignment
  • B. Granting report folder access
  • C. Permission sets assignment
  • D. Custom permission assignment
  • E. Role Assignment

Answer: A, C, E


Question # 74
Northern Trail Outfitters (NTO) uses a Security Assertion Markup Language (SAML)-based Identity Provider (IdP) to authenticate employees to all systems. The IdP authenticates users against a Lightweight Directory Access Protocol (LDAP) directory and has access to user information. NTO wants to minimize Salesforce license usage since only a small percentage of users need Salesforce.
What is recommended to ensure new employees have immediate access to Salesforce using their current IdP?

  • A. Configure Just-in-Time provisioning using SAML attributes to create new Salesforce users as necessary when a new user attempts to login to Salesforce.
  • B. Build an integration that queries LDAP periodically and creates new active users in Salesforce.
  • C. Build an integration that queries LDAP and creates new inactive users in Salesforce and use a login flow to activate the user at first login.
  • D. Install Salesforce Identity Connect to automatically provision new users in Salesforce the first time they attempt to login.

Answer: A


Question # 75
Northern Trail Outfitters (NTO) wants its customers to use phone numbers to log in to their new digital portal, which was designed and built using Salesforce Experience Cloud. In order to access the portal, the user will need to do the following:
1. Enter a phone number and/or email address
2. Enter a verification code that is to be sent via email or text.
What is the recommended approach to fulfill this requirement?

  • A. Create an Authentication provider and implement a self-registration handler class.
  • B. Create a Login Discovery page and provide a Login Discovery Handler Apex class.
  • C. Create a custom login page with an Apex controller. The controller has logic to send and verify the identity.
  • D. Create a custom login flow that uses an Apex controller to verify the phone numbers with the company's verification service.

Answer: B


Question # 76
Universal Containers (UC) wants users to authenticate into their Salesforce org using credentials stored in a custom identity store. UC does not want to purchase or use a third-party identity provider. Additionally, UC is extremely wary of social media and does not consider it to be trustworthy. Which two options should an architect recommend to UC? Choose 2 answers

  • A. Build a custom web page that uses the identity store and calls frontdoor.jsp
  • B. Build a custom Web service that is supported by Delegated Authentication.
  • C. Implement the OpenID protocol and configure an Authentication provider
  • D. Use a professional social media network such as LinkedIn as an Authentication provider

Answer: B, C


Question # 77
Universal Containers (UC) uses a legacy Employee portal for their employees to collaborate and post their ideas. UC decides to use Salesforce Ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to push ideas posted on the Employee portal to Salesforce through API. UC decides to use an API user using OAuth username-password flow for the connection. How can the connection to Salesforce be restricted only to the employee portal server?

  • A. Use a digital certificate signed by the employee portal Server.
  • B. Use a dedicated profile for the user the Employee portal uses.
  • C. Add the Employee portal's IP address to the Trusted IP range for the connected App
  • D. Add the employee portal's IP address to the login IP range on the user profile.

Answer: C


Question # 78
Under which scenario will the Web Server flow be used?

  • A. Used for verifying Access protected resources.
  • B. Used for mobile applications and testing legacy Integrations.
  • C. Used for web applications when server-side code needs to interact with APIs.
  • D. Used for server-side components when page needs to be rendered.

Answer: C


Question # 79
Universal Containers (UC) uses middleware to integrate multiple systems with Salesforce. UC has a strict, new requirement that usernames and passwords cannot be stored in any UC system. How can UC's middleware authenticate to Salesforce while adhering to this requirement?

  • A. Create a Connected App that supports the Refresh Token OAuth Flow
  • B. Create a Connected App that supports the User-Agent OAuth Flow.
  • C. Create a Connected App that supports the JWT Bearer Token OAuth Flow.
  • D. Create a Connected App that supports the Web Server OAuth Flow.

Answer: C


Question # 80
Universal Containers (UC) has five Salesforce orgs (UC1, UC2, UC3, UC4, UC5). Every user that is in UC2, UC3, UC4, and UC5 is also in UC1; however, not all users have access to every org. Universal Containers would like to simplify the authentication process such that all Salesforce users need to remember one set of credentials. UC would like to achieve this with the least impact to cost and maintenance. What approach should an Architect recommend to UC?

  • A. Purchase a third-party Identity Provider for all five Salesforce orgs to use, but don't set up JIT user provisioning for other orgs.
  • B. Configure UC1 as the Identity Provider to the other four Salesforce orgs and set up JIT user provisioning on all other orgs.
  • C. Purchase a third-party Identity Provider for all five Salesforce orgs to use and set up JIT user provisioning on all other orgs.
  • D. Configure UC1 as the Identity Provider to the other four Salesforce orgs, but don't set up JIT user provisioning for other orgs.

Answer: A


Question # 81
The security team at Universal Containers (UC) has identified exporting reports as a high-risk action and would like to require users to be logged into Salesforce with their Active Directory (AD) credentials when doing so. For all other users of Salesforce, users should be allowed to use AD Credentials or Salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with Salesforce credentials?

  • A. Use SAML federated Authentication with a Login Flow to dynamically add or remove a Permission Set that grants the Export Reports Permission.
  • B. Use SAML federated Authentication, treat SAML Sessions as High Assurance, and raise the session level required for exporting reports.
  • C. Use SAML Federated Authentication and block access to reports when accessed through a Standard Assurance session.
  • D. Use SAML Federated Authentication and Custom SAML JIT Provisioning to dynamically add or remove a permission set that grants the Export Reports Permission.

Answer: B


Question # 82
......

Salesforce Identity-and-Access-Management-Architect practice test questions to help you pass, exam question set: https://www.jpntest.com/shiken/Identity-and-Access-Management-Architect-mondaishu
