Question # 1
Northern Trail Outfitters (NTO) uses the Customer 360 Platform implemented on Salesforce Experience Cloud. The development team in charge has learned of a contactless user feature, which can reduce the overhead of managing customers and partners by creating users without contact information.
What is the potential impact to the architecture if NTO decides to implement this feature?
A. Custom registration handler is needed to correctly assign External Identity or Community license for the newly registered contactless user.
B. If contactless user is upgraded to Community license, the contact record is automatically created and linked to the user record, but not associated with an Account.
C. Contactless user feature is available only with the External Identity license, which can restrict the Experience Cloud functionality available to the user.
D. Passwordless authentication cannot be supported because the mobile phone receiving one-time password (OTP) needs to match the number on the contact record.
B. If contactless user is upgraded to Community license, the contact record is automatically created and linked to the user record, but not associated with an Account.
Explanation:
According to the Salesforce documentation, the contactless user feature allows creating users without contact information, such as an email address or phone number. This reduces the overhead of managing customers and partners who don't need or want to provide their contact information. However, if a contactless user is upgraded to a Community license, a contact record is automatically created and linked to the user record, but it is not associated with an account. This can impact the architecture of NTO's Customer 360 Platform, as they may need to associate contacts with accounts for reporting or other purposes.
Question # 2
Universal Containers (UC) wants to integrate a third-party Reward Calculation system with Salesforce to calculate Rewards. Rewards will be calculated on a scheduled basis and updated back into Salesforce. The integration between Salesforce and the Reward Calculation System needs to be secure. Which are two recommended practices for using OAuth flow in this scenario? Choose 2 answers
A. OAuth Refresh Token Flow
B. OAuth Username-Password Flow
C. OAuth SAML Bearer Assertion Flow
D. OAuth JWT Bearer Token Flow
C. OAuth SAML Bearer Assertion Flow
D. OAuth JWT Bearer Token Flow
Explanation:
OAuth is an open-standard protocol that allows a client app to access protected resources on a resource server, such as the Salesforce API, by obtaining an access token from an authorization server. OAuth supports different types of flows, which are ways of obtaining an access token. For integrating a third-party Reward Calculation system with Salesforce securely, two recommended practices for using OAuth flow are:
OAuth SAML Bearer Assertion Flow, which allows the client app to use a SAML assertion issued by a trusted identity provider to request an access token from Salesforce. This flow does not require the client app to store any credentials or secrets, and it leverages the existing SSO infrastructure between Salesforce and the identity provider.
OAuth JWT Bearer Token Flow, which allows the client app to use a JSON Web Token (JWT) signed by a private key to request an access token from Salesforce. This flow does not require any user interaction or consent, and it uses a certificate to verify the identity of the client app.
Verified References: [OAuth 2.0 SAML Bearer Assertion Flow for Server-to-Server Integration], [OAuth 2.0 JWT Bearer Token Flow for Server-to-Server Integration]
Question # 3
Universal Containers (UC) has implemented SAML-based single sign-on for their Salesforce application and is planning to provide access to Salesforce on mobile devices using the Salesforce1 mobile app. UC wants to ensure that single sign-on is used for accessing the Salesforce1 mobile app. Which two recommendations should the architect make? Choose 2 answers
A. Use the existing SAML SSO flow along with user agent flow.
B. Configure the embedded Web browser to use my domain URL.
C. Use the existing SAML SSO flow along with Web server flow.
D. Configure the salesforce1 app to use the my domain URL.
B. Configure the embedded Web browser to use my domain URL.
D. Configure the salesforce1 app to use the my domain URL
Explanation:
To use SAML SSO for accessing the Salesforce1 mobile app, the architect should recommend configuring the embedded web browser to use the My Domain URL and configuring the Salesforce1 app to use the My Domain URL. Using the My Domain URL allows Salesforce to identify the identity provider and initiate the SSO process. Using the existing SAML SSO flow along with the user agent flow or the web server flow is not necessary, because Salesforce mobile applications only work with service-provider-initiated setups. Therefore, options B and D are the correct answers.
References: Salesforce Mobile Application Single Sign-On overview, SAML SSO with Salesforce as the Service Provider, Single Sign-On
Question # 4
Universal Container's (UC) identity architect needs to recommend a license type for their new Experience Cloud site that will be used by external partners (delivery providers) for reviewing and updating their accounts, downloading files provided by UC and obtaining scheduled pickup dates from their calendar.
UC is using their Salesforce production org as the identity provider for these users and the expected number of individual users is 2.5 million with 13.5 million unique logins per month.
Which of the following license types should be used to meet the requirement?
A. External Apps License
B. Partner Community License
C. Partner Community Login License
D. Customer Community Plus Login License
C. Partner Community Login License
Explanation:
Partner Community Login License is the best option for UC’s use case, as it allows external partners to access Experience Cloud sites and Salesforce data with a pay-per-login model. The other license types are either too expensive or not suitable for partner users.
References: Experience Cloud User Licenses, Salesforce Experience Cloud Pricing
Question # 5
Universal Containers is building a web application that will connect with the Salesforce API using the JWT OAuth Flow.
Which two settings need to be configured in the connected app to support this requirement?
Choose 2 answers
A. The Use Digital Signature option in the connected app.
B. The "web" OAuth scope in the connected app.
C. The "api" OAuth scope in the connected app.
D. The "edair_api" OAuth scope in the connected app.
A. The Use Digital Signature option in the connected app.
C. The "api" OAuth scope in the connected app.
Explanation:
The JWT OAuth Flow is a protocol that allows a client app to obtain an access token from Salesforce by using a JSON Web Token (JWT) instead of an authorization code. The JWT contains information about the client app and the user who wants to access Salesforce. To use this flow, the client app needs to have a connected app configured in Salesforce. The connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols. To support the JWT OAuth Flow, two settings need to be configured in the connected app:
The Use Digital Signature option, which enables the connected app to verify the signature of the JWT using a certificate.
The "api" OAuth scope, which allows the connected app to access Salesforce APIs on behalf of the user.
References: JWT OAuth Flow, Connected Apps, OAuth Scopes
Question # 6
An organization has a central cloud-based Identity and Access Management (IAM) Service for authentication and user management, which must be utilized by all applications as follows:
1 - Change of a user status in the central IAM Service triggers provisioning or deprovisioning in the integrated cloud applications.
2 - Security Assertion Markup Language (SAML) single sign-on (SSO) is used to facilitate access for users authenticated at the identity provider (Central IAM Service).
Which approach should an IAM architect implement on Salesforce Sales Cloud to meet the requirements?
A. Configure Salesforce as a SAML Service Provider, and enable SCIM (System for Cross-Domain Identity Management) for provisioning and deprovisioning of users.
B. Configure Salesforce as a SAML service provider, and enable Just-in-Time (JIT) provisioning and deprovisioning of users.
C. Configure central IAM Service as an authentication provider and extend registration handler to manage provisioning and deprovisioning of users.
D. Deploy Identity Connect component and set up automated provisioning and deprovisioning of users, as well as SAML-based SSO.
A. Configure Salesforce as a SAML Service Provider, and enable SCIM (System for Cross-Domain Identity Management) for provisioning and deprovisioning of users.
Explanation:
To meet the requirements of using a central cloud-based IAM service for authentication and user management, the IAM architect should implement Salesforce Sales Cloud as a SAML service provider and enable SCIM for provisioning and deprovisioning of users. SAML is a protocol that allows users to authenticate and authorize with an external identity provider and access Salesforce resources. By configuring Salesforce as a SAML service provider, the IAM architect can use the central IAM service as an identity provider and enable single sign-on for users. SCIM is a standard that defines how to manage user identities across different systems. By enabling SCIM in Salesforce, the IAM architect can synchronize user data between the central IAM service and Salesforce and automate user provisioning and deprovisioning based on the changes made in the central IAM service.
References: SAML Single Sign-On Settings, SCIM User Provisioning for Connected Apps
Question # 7
Universal Containers (UC) plans to use a SAML-based third-party IdP serving both the Salesforce Partner Community and the corporate portal. UC partners will log in to the corporate portal to access protected resources, including links to Salesforce resources. What would be the recommended way to configure the IdP so that seamless access can be achieved in this scenario?
A. Set up the corporate portal as a Connected App in Salesforce and use the Web server OAuth flow.
B. Configure SP-initiated SSO that passes the SAML token upon Salesforce resource access request.
C. Set up the corporate portal as a Connected App in Salesforce and use the User Agent OAuth flow.
D. Configure IdP-initiated SSO that passes the SAML token upon Salesforce resource access request.
D. Configure IdP-initiated SSO that passes the SAML token upon Salesforce resource access request.
Explanation:
The recommended way to configure the IdP for seamless access is to use IdP-initiated SSO that passes the SAML token upon a Salesforce resource access request. This means that the user logs in to the corporate portal first, and then clicks a link to access a Salesforce resource. The IdP sends a SAML response to Salesforce with the user's identity and other attributes. Salesforce verifies the SAML response and logs the user in to the appropriate Salesforce org and community [1][2]. This way, the user does not have to log in again to Salesforce or enter any credentials [3].
References:
1: SAML SSO with Salesforce as the Service Provider
2: Set Up Single Sign-On for Your Internal Users Unit | Salesforce - Trailhead
3: What is IdP-Initiated Single Sign-On? - OneLogin
Question # 8
Universal Containers (UC) has an Experience Cloud site (Customer Community) where customers can authenticate and place orders, view the status of orders, etc. UC allows guest checkout.
How can a guest register using data previously collected during order placement?
A. Enable Security Assertion Markup Language Sign-On and use a login flow to collect only order details to retrieve customer data.
B. Enable Facebook as an authentication provider and use a registration handler to collect only order details to retrieve customer data.
C. Use a Connected App Handler Apex Plugin class to collect only order details to retrieve customer data.
D. Enable self-registration and customize a self-registration page to collect only order details to retrieve customer data.
D. Enable self-registration and customize a self-registration page to collect only order details to retrieve customer data.
Explanation:
Self-registration allows guests to create their own user accounts and access the community. The self-registration page can be customized to collect order details and use them to retrieve customer data from the org.
References: Customize Self-Registration
Question # 9
Universal Containers allows employees to use a mobile device to access Salesforce for daily operations using a hybrid mobile app. This app uses the Mobile software development kit (SDK), leverages a refresh token to regenerate the access token when required, and is distributed as a private app.
The chief security officer is rolling out an org-wide compliance policy to enforce re-verification of devices if an employee has not logged in from that device in the last week.
Which connected app setting should be leveraged to comply with this policy change?
A. Scope - Deny refresh_token scope for this connected app.
B. Refresh Token Policy - Expire the refresh token if it has not been used for 7 days.
C. Session Policy - Set timeout value of the connected app to 7 days.
D. Permitted User - Ask admins to maintain a list of users who are permitted based on last login date.
B. Refresh Token Policy - Expire the refresh token if it has not been used for 7 days.
Explanation:
Refresh Token Policy - Expire the refresh token if it has not been used for 7 days is the connected app setting that should be leveraged to comply with the policy change. This setting ensures that users have to re-verify their devices if they have not logged in from that device in the last week. The other settings are either not relevant or not effective for this scenario.
References: Connected App Basics, OAuth 2.0 Refresh Token Flow
Question # 10
Universal Containers (UC) wants its Closed Won opportunities to be synced to a Data Warehouse in near real time. UC has implemented Outbound Message to enable near-real-time data sync. UC wants to ensure that communication between Salesforce and the Target System is secure. What Certificate is sent along with the Outbound Message?
A. The CA-Signed Certificate from the Certificate and Key Management menu.
B. The default Client Certificate from the Develop --> API Menu.
C. The default Client Certificate or a Certificate from Certificate and Key Management menu.
D. The Self-Signed Certificates from the Certificate & Key Management menu.
A. The CA-Signed Certificate from the Certificate and Key Management menu.
Explanation:
The CA-Signed Certificate from the Certificate and Key Management menu is the certificate that is sent along with the outbound message. An outbound message is a SOAP message that is sent from Salesforce to an external endpoint when a workflow rule or approval process is triggered. To ensure that the communication between Salesforce and the target system is secure, the outbound message can be signed with a certificate that is generated or uploaded in the Certificate and Key Management menu. The certificate must be CA-Signed, which means that it is issued by a trusted certificate authority (CA) that verifies the identity of the sender. The other options are not valid certificates for this purpose.
The default client certificate from the Develop --> API Menu is a self-signed certificate that is used for testing purposes only and does not provide adequate security. The default client certificate or a certificate from the Certificate and Key Management menu is too vague and does not specify whether the certificate is CA-Signed or self-signed. The self-signed certificates from the Certificate & Key Management menu are certificates that are generated by Salesforce without any verification by a CA, and they are not recommended for production use.
References: [Outbound Messages], [Sign Outbound Messages with a Certificate], [CA-Signed Certificates], [Default Client Certificate], [Self-Signed Certificates]