Salesforce Identity-and-Access-Management-Designer 問題集

質問 1：
Universal Containers (UC) has decided to replace the homegrown customer portal with Salesforce Experience Cloud. UC will continue to use its third-party single sign-on (SSO) solution that stores all of its customer and partner credentials.
The first time a customer logs in to the Experience Cloud site through SSO, a user record needs to be created automatically.
Which solution should an identity architect recommend in order to automatically provision users in Salesforce upon login?
A. Just-in-Time (JIT) provisioning
B. Third-party AppExchange solution
C. Custom login flow and Apex handler
D. Custom middleware and web services
正解：A

質問 2：
Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, who use SAML based sign sign-on to login to Salesforce. The default agent profile does not include the Manage User permission. UC wants to dynamically update the agent role and permission sets.
Which two mechanisms are used to provision agents with the appropriate permissions?
Choose 2 answers
A. Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets.
B. Use SAML Just-m-Time (JIT) Handler class run as current user to update role and permission sets.
C. Use Login Flow in System Context to update role and permission sets.
D. Use Login Flow in User Context to update role and permission sets.
正解：A,C

質問 3：
Universal Containers (UC) is both a Salesforce and Google Apps customer. The UC IT team would like to manage the users for both systems in a single place to reduce administrative burden. Which two optimal ways can the IT team provision users and allow Single Sign-on between Salesforce and Google Apps ? Choose 2 answers
A. Use Salesforce as the Identity Provider and Google Apps as a Service Provider and configure User Provisioning for Connected Apps.
B. Use Identity Connect as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.
C. Use a third-party product as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.
D. Build a custom app running on Heroku as the Identity Provider that can sync user information between Salesforce and Google Apps.
正解：A,C

質問 4：
The security team at Universal containers(UC) has identified exporting reports as a high-risk action and would like to require users to be logged into salesforce with their active directory (AD) credentials when doing so. For all other uses of Salesforce, Users should be allowed to use AD credentials or salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with salesforce credentials?
A. Use SAML Federated Authentication and block access to reports when accesses through a standard assurance session.
B. Use SAML Federated Authentication and Custom SAML jit provisioning to dynamically add or remove a permission set that grants the Export Reports permission.
C. Use SAML Federated Authentication with a login flow to dynamically add or remove a permission set that grants the export reports permission.
D. Use SAML Federated Authentication, treat SAML sessions as high assurance, and raise the session level required for exporting reports.
正解：A

質問 5：
An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The following are the requirements for the solution:
1. Users should not have to login every time they use the app.
2. The app should be able to make calls to the Salesforce REST API.
3. End users should NOT see the OAuth approval page.
How should the identity architect configure the Salesforce connected app to meet the requirements?
A. Enable the API Scope and Offline Access Scope, upload a certificate so JWT Bearer Flow can be used and then set the connected app access settings to "Admin Pre-Approved".
B. Enable the Full Access Scope and then set the connected app access settings to "Admin Pre-Approved".
C. Enable the API Scope and Offline Access Scope on the connected app, and then set the connected app to access settings to 'Admin Pre-Approved".
D. Enable the API Scope and Offline Access Scope on the connected app, and then set the Connected App access settings to "User may self authorize".
正解：A

質問 6：
Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Act Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee recently was able to login to NTO's Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory.
What should an identity architect recommend to prevent this from happening in the future?
A. Configure an authentication provider to delegate authentication to the LDAP directory.
B. use a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce.
C. Setup an identity provider (IdP) to authenticate users using LDAP, set up single sign-on to Salesforce and disable Login Form authentication.
D. Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP.
正解：A

質問 7：
An insurance company has a connected app in its Salesforce environment that is used to integrate with a Google Workspace (formerly knot as G Suite).
An identity and access management (IAM) architect has been asked to implement automation to enable users, freeze/suspend users, disable users, and reactivate existing users in Google Workspace upon similar actions in Salesforce.
Which solution is recommended to meet this requirement?
A. Build an Apex trigger on the useriogin object to make asynchronous callouts to Google APIs.
B. Configure user Provisioning for Connected Apps.
C. Update the Security Assertion Markup Language Just-in-Time (SAML JIt; handler in Salesforce for user provisioning and de-provisioning.
D. Build a custom REST endpoint in Salesforce that Google Workspace can poll against.
正解：B

質問 8：
Universal containers(UC) has implemented SAML-BASED single Sign-on for their salesforce application and is planning to provide access to salesforce on mobile devices using the salesforce1 mobile app. UC wants to ensure that single Sign-on is used for accessing the salesforce1 mobile app. Which two recommendations should the architect make? Choose 2 answers
A. Configure the embedded Web browser to use my domain URL.
B. Configure the salesforce1 app to use the my domain URL
C. Use the existing SAML SSO flow along with Web server flow
D. Use the existing SAML SSO flow along with user agent flow.
正解：B,D