パスできるIdentity-and-Access-Management-Architect試験最速合格保証2025問題集! [Q100-Q115]

Share

パスできるIdentity-and-Access-Management-Architect試験最速合格保証2025問題集!

Identity-and-Access-Management-Architect問題集完全版問題で試験学習ガイド


Salesforce Identity-and-Access-Management-Architect試験は、Salesforceプラットフォーム上でIAMに特化したITプロフェッショナルにとって貴重な資格です。この認定は、安全で拡張性のあるIAMソリューションを設計、実装、管理するための知識と専門知識を認めたものです。IAM分野においてキャリアを向上させたいITアーキテクト、管理者、またはコンサルタントであれば、この認定は検討に値するでしょう。

 

質問 # 100
A consumer products company uses Salesforce to maintain consumer information, including orders. The company implemented a portal solution using Salesforce Experience Cloud for its consumers where the consumers can log in using their credentials. The company is considering allowing users to login with their Facebook or Linkedln credentials.
Once enabled, what role will Salesforce play?

  • A. Facebook and Linkedln will be the SPs.
  • B. Salesforce will be the identity provider (IdP).
  • C. Facebook and Linkedln will act as the IdPs and SPs.
  • D. Salesforce will be the service provider (SP).

正解:D


質問 # 101
Universal containers want to build a custom mobile app connecting to salesforce using Oauth, and would like to restrict the types of resources mobile users can access. What Oauth feature of Salesforce should be used to achieve the goal?

  • A. Refresh Tokens
  • B. Scopes
  • C. Access Tokens
  • D. Mobile pins

正解:B

解説:
Explanation
The OAuth feature of Salesforce that should be used to restrict the types of resources mobile users can access is scopes. Scopes are parameters that specify the level of access that the mobile app requests from Salesforce when it obtains an OAuth token. Scopes can be used to limit the access to certain resources or actions, such as API calls, full access, web access, or refresh token. By configuring scopes in the connected app settings, Universal Containers can control what the mobile app can do with the OAuth token and protect against unauthorized or excessive access.
References: [OAuth Scopes], [Connected Apps], [OAuth Authorization Flows]


質問 # 102
An insurance company has a connected app in its Salesforce environment that is used to integrate with a Google Workspace (formerly knot as G Suite).
An identity and access management (IAM) architect has been asked to implement automation to enable users, freeze/suspend users, disable users, and reactivate existing users in Google Workspace upon similar actions in Salesforce.
Which solution is recommended to meet this requirement?

  • A. Configure user Provisioning for Connected Apps.
  • B. Build an Apex trigger on the useriogin object to make asynchronous callouts to Google APIs.
  • C. Build a custom REST endpoint in Salesforce that Google Workspace can poll against.
  • D. Update the Security Assertion Markup Language Just-in-Time (SAML JIt; handler in Salesforce for user provisioning and de-provisioning.

正解:A


質問 # 103
Containers (UC) has decided to implement a federated single Sign-on solution using a third-party Idp. In reviewing the third-party products, they would like to ensure the product supports the automated provisioning and deprovisioning of users. What are the underlining mechanisms that the UC Architect must ensure are part of the product?

  • A. SOAP API for provisioning; Just-in-Time (JIT) for Deprovisioning.
  • B. Just-in-Time (JIT) for both Provisioning and Deprovisioning.
  • C. Provisioning API for both Provisioning and Deprovisioning.
  • D. Just-In-time (JIT) for Provisioning; SOAP API for Deprovisioning.

正解:B


質問 # 104
Universal containers uses an Employee portal for their employees to collaborate. employees access the portal from their company's internal website via SSO. It is set up to work with Active Directory. What is the role of Active Directory in this scenario?

  • A. Authentication store
  • B. Identity provider
  • C. Identity store
  • D. Service provider

正解:B

解説:
Explanation
The role of Active Directory in this scenario is an identity provider. An identity provider is an application that authenticates users and provides information about them to service providers6. A service provider is an application that provides a service to users and relies on an identity provider for authentication6. In this scenario, the employee portal is a service provider that provides collaboration features to employees and relies on Active Directory for authentication. Active Directory is an identity provider that authenticates employees using their corporate credentials and sends information about them to the employee portal7.
References: Identity Provider Overview, Configure SSO to Salesforce Using Microsoft AD FS as the Identity Provider


質問 # 105
universal container plans to develop a custom mobile app for the sales team that will use salesforce for authentication and access management. The mobile app access needs to be restricted to only the sales team.
What would be the recommended solution to grant mobile app access to sales users?

  • A. Use the permission set license to assign the mobile app permission to sales users
  • B. Use a custom attribute on the user object to control access to the mobile app
  • C. Use connected apps Oauth policies to restrict mobile app access to authorized users.
  • D. Add a new identity provider to authenticate and authorize mobile users.

正解:C


質問 # 106
Which three are features of federated Single sign-on solutions? Choose 3 Answers

  • A. It establishes trust between Identity Store and Service Provider.
  • B. It improves affiliated applications adoption rates.
  • C. It enables quick and easy provisioning and deactivating of users.
  • D. It solves all identity and access management problems.
  • E. It federates credentials control to authorized applications.

正解:A、B、C


質問 # 107
Universal Containers (UC) wants to build a mobile application that twill be making calls to the Salesforce REST API. UC's Salesforce implementation relies heavily on custom objects and custom Apex code. UC does not want its users to have to enter credentials every time they use the app. Which two scope values should an Architect recommend to UC? Choose 2 answers.

  • A. Api
  • B. Refresh_token
  • C. Full
  • D. Custom_permissions

正解:A、B


質問 # 108
Universal Containers is considering using Delegated Authentication as the sole means of Authenticating of Salesforce users. A Salesforce Architect has been brought in to assist with the implementation. What two risks Should the Architect point out? Choose 2 answers

  • A. Salesforce users will be locked out of Salesforce if the web service goes down.
  • B. UC will be required to develop and support a custom SOAP web service.
  • C. The web service must reside on a public cloud service, such as Heroku.
  • D. Delegated Authentication is enabled or disabled for the entire Salesforce org.

正解:A、B

解説:
Explanation
The two risks that the architect should point out for using delegated authentication as the sole means of authenticating Salesforce users are:
UC will be required to develop and support a custom SOAP web service. Delegated authentication is a feature that allows Salesforce to delegate the authentication process to an external service by making a SOAP callout to a web service that verifies the user's credentials. This feature requires UC to develop and support a custom SOAP web service that can accept and validate the user's username and password, and return a boolean value to indicate whether the authentication is successful or not. This could increase complexity and cost for UC, as they need to write custom code and maintain the web service.
Salesforce users will be locked out of Salesforce if the web service goes down. Delegated authentication relies on the availability and performance of the external web service that handles the authentication requests from Salesforce. If the web service goes down or becomes slow, Salesforce users will not be able to log in or access Salesforce, as they will receive an error message or a timeout response. This could cause disruption and frustration for UC's business operations and user satisfaction.
The other options are not valid risks for using delegated authentication. Delegated authentication can be enabled or disabled for individual users or groups of users by using permission sets or profiles, not for the entire Salesforce org. The web service does not need to reside on a public cloud service, such as Heroku, as it can be hosted on any platform that supports SOAP services and can communicate with Salesforce. References:
[Delegated Authentication], [Enable 'Delegated Authentication'], [Troubleshoot Delegated Authentication]


質問 # 109
How should an identity architect automate provisioning and deprovisioning of users into Salesforce from an external system?

  • A. Call OpenID Connect (OIDC)-userinfo endpoint with a valid access token.
  • B. Use Security Assertion Markup Language Just-in-Time (SAML JIT) on incoming SAML assertions.
  • C. Run registration handler on incoming OAuth responses.
  • D. Call SOAP API upsertQ on user object.

正解:C

解説:
Explanation
To automate provisioning and deprovisioning of users into Salesforce from an external system, the identity architect should run a registration handler on incoming OAuth responses. A registration handler is a class that implements the Auth.RegistrationHandler interface and defines how to create or update users in Salesforce based on the information from an external identity provider. OAuth is a protocol that allows users to authorize an external application to access Salesforce resources on their behalf. By running a registration handler on incoming OAuth responses, the identity architect can automate user provisioning and deprovisioning based on the OAuth attributes. References: Registration Handler, Authorize Apps with OAuth


質問 # 110
Universal Containers (UC) has implemented SSO according to the diagram below. uses SAML while Salesforce Org1 uses OAuth 2.0. Users usually start their day by first attempting to log into Salesforce Org 2 and then later in the day, they will log into either the Financial System or CPQ system depending upon their job position. Which two systems are acting as Identity Providers?

  • A. Salesforce Org 1
  • B. Financial System
  • C. Pingfederate
  • D. Salesforce Org 2

正解:A、C

解説:
These are the systems that are acting as identity providers (IdPs) in the SSO scenario. An IdP is a trusted provider that enables a customer to use single sign-on (SSO) to access other websites5. In this case, Pingfederate and Salesforce Org 1 are the IdPs that authenticate the users and issue SAML assertions or OAuth tokensto the service providers (SPs). The SPs are the websites that hostapps and rely on the IdPs for authentication5. In this case, Salesforce Org 2, Financial System, and CPQ Systemare the SPs that receive the SAML assertions or OAuth tokens from the IdPs and grant access to the users.
Option A is incorrect because Financial System is not an IdP, but an SP. It does not authenticate the users, but receives SAML assertions from Pingfederate. Option C is incorrect because Salesforce Org 2 is not an IdP, but an SP. It does not authenticate the users, but receives OAuth tokens from Salesforce Org 1.
References: 5: Identity Providers and Service Providers - Salesforce 6: Salesforce as Service Provider and Identity Provider for SSO


質問 # 111
Universal containers (UC) does my domain enable in the context of a SAML SSO configuration? Choose 2 answers

  • A. Login forensics
  • B. Resource deep linking
  • C. App launcher
  • D. SSO from salesforce1 mobile app.

正解:B、D


質問 # 112
Universal Containers (UC) wants its closed Won opportunities to be synced to a Data warehouse in near real time. UC has implemented Outbound Message to enable near real-time data sync. UC wants to ensure that communication between Salesforce and Target System is secure. What certificate is sent along with the Outbound Message?

  • A. The Self-signed Certificates from the Certificate & Key Management menu.
  • B. The default client Certificate or the Certificate and Key Management menu.
  • C. The default client Certificate from the Develop--> API menu.
  • D. The CA-signed Certificate from the Certificate and Key Management Menu.

正解:B

解説:
Explanation
The default client certificate or the certificate from the Certificate and Key Management menu is sent along with the outbound message. When sending outbound messages, Salesforce will present the CA-signed or self-signed certificate configured under Setup | Security Controls | Certificate and Key Management | API Client Certificate1. The default client certificate is a self-signed certificate that Salesforce generates for you when you enable outbound messages2. You can also create your own self-signed or CA-signed certificates and upload them to the Certificate and Key Management menu3. The certificate from the Develop | API menu is not used for outbound messages, but for SOAP API clients that need to authenticate with Salesforce4.
References: 1: Know more about all the SSL certificates that are supported by Salesforce 2: Setting Up Outbound Messaging 3: Create a Self-Signed Certificate 4: [Generate or Regenerate a Client Certificate]


質問 # 113
A global company's Salesforce Identity Architect is reviewing its Salesforce production org login history and is seeing some intermittent Security Assertion Markup Language (SAML SSO) 'Replay Detected and Assertion Invalid' login errors.
Which two issues would cause these errors?
Choose 2 answers

  • A. The current time setting of the company's identity provider (IdP) and Salesforce platform is out of sync by more than eight minutes.
  • B. The assertion sent to 5alesforce contains an assertion ID previously used.
  • C. The certificate loaded into SSO configuration does not match the certificate used by the IdP.
  • D. The subject element is missing from the assertion sent to salesforce.

正解:B、D


質問 # 114
Universal Containers uses Salesforce as an identity provider and Concur as the Employee Expense management system. The HR director wants to ensure Concur accounts for employees are created only after the apocopate approval in the Salesforce org.
Which three steps should the identity architect use to implement this requirement?
Choose 3 answers

  • A. Create an approval process for user object associated with the provisioning flow.
  • B. Create an approval process for a custom object associated with the provisioning flow.
  • C. Create a connected app for Concur in Salesforce.
  • D. Enable User Provisioning for the connected app.
  • E. Create an approval process for UserProvisionlngRequest object associated with the provisioning flow.

正解:C、D、E

解説:
Explanation
User provisioning is a feature that allows Salesforce to create, update, or deactivate user accounts on a third-party system, such as Concur, based on user assignments in Salesforce1. To implement user provisioning for Concur with an approval process, the identity architect should use the following steps2:
Create a connected app for Concur in Salesforce. A connected app is an application that integrates with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect3. To create a connected app for Concur, you need to provide the basic information, such as the app name, logo URL, contact email, and API name. You also need to enable SAML and configure the SAML settings, such as the entity ID, ACS URL, and subject type4.
Enable User Provisioning for the connected app. This step allows you to configure the user provisioning settings for the connected app, such as the provisioning API endpoint URL, the client ID and client secret, the mapping of user attributes, and the linkage rules5. You can also choose to require an approval process for user provisioning requests by selecting the Approval Required option6.
Create an approval process for UserProvisioningRequest object associated with the provisioning flow. A UserProvisioningRequest object represents a user provisioning request that is sent to or received from a third-party system7. An approval process specifies the steps necessary for a record to be approved and who must approve it at each step8. To create an approval process for UserProvisioningRequest object, you need to define the approval steps, assignees, actions, criteria, and email alerts9.
References:
User Provisioning for Connected Apps
Tutorial: Configure Salesforce for automatic user provisioning
Connected Apps
Create a Connected App
Enable User Provisioning for a Connected App
Require Approvals for User Provisioning Requests
UserProvisioningRequest
Approval Processes
Create an Approval Process


質問 # 115
......


Salesforce Certified Identity and Access Management Architect認定は、Salesforceアプリケーションへのアクセスを管理し、セキュリティを確保する専門知識を証明するためにIT業界で高く評価されています。また、Salesforceアーキテクトとしてキャリアを進めたいITプロフェッショナルにとっても必要不可欠な資格です。この認定は、Salesforceコンサルティング、実装、サポートサービスにおける幅広いキャリア機会を提供します。Salesforceアプリケーションの需要が高まる中、Salesforce Certified Identity and Access Management Architect認定は、常に最先端を行くために必要不可欠なITプロフェッショナルの資格です。

 

Identity and Access Management Designer無料認定試験資料は244問:https://www.passtest.jp/Salesforce/Identity-and-Access-Management-Architect-shiken.html

リアルなIdentity-and-Access-Management-Architectは100%カバーリアル試験問題を試そう:https://drive.google.com/open?id=1dLgZWlRwA8Ca73l4Zpk1T_nV5ktlcxaG