Updated August 2025: realistic Identity-and-Access-Management-Architect exam questions with 100% coverage and a 100% pass guarantee
Use real questions: the Salesforce question bank offers the Identity-and-Access-Management-Architect exam questions 100% free
Question # 110
Universal Containers (UC) is using a custom application that will act as the Identity Provider and will generate SAML assertions used to log in to Salesforce. UC is considering including custom parameters in the SAML assertion. These attributes contain sensitive data and are needed to authenticate the users. The assertions are submitted to Salesforce via a browser form post. The majority of the users will only be able to access Salesforce via UC's corporate network, but a subset of admins and executives would be allowed access from outside the corporate network on their mobile devices. Which two methods should an Architect consider to ensure that the sensitive data cannot be tampered with, nor accessible to anyone while in transit?
- A. Use the Identity Provider's certificate to digitally sign and Salesforce's Certificate to encrypt the payload.
- B. Use the Identity provider's certificate to digitally Sign and the Identity provider's certificate to encrypt the payload.
- C. Use a custom login flow to retrieve sensitive data using an Apex callout without including the attributes in the assertion.
- D. Use Salesforce's Certificate to digitally sign the SAML Assertion and a Mobile Device Management client on the users' mobile devices.
Correct answer: B, C
Explanation:
Using the identity provider's certificate to digitally sign and encrypt the payload, and using a custom login flow to retrieve sensitive data using an Apex callout without including the attributes in the assertion, are two methods that can ensure that the sensitive data cannot be tampered with, nor accessible to anyone while in transit. Option A is not a good choice because using Salesforce's certificate to encrypt the payload may not work, as Salesforce does not support encrypted SAML assertions. Option D is not a good choice because using Salesforce's certificate to digitally sign the SAML assertion may not be necessary, as Salesforce does not validate digital signatures on SAML assertions. Also, using a mobile device management client on the users' mobile devices may not be relevant, as it does not affect how the sensitive data is transmitted between the identity provider and Salesforce.
References: [Single Sign-On Implementation Guide], [Customizing User Authentication with Login Flows]
Question # 111
The CIO of Universal Containers (UC) wants to start taking advantage of the refresh token capability for the UC applications that utilize OAuth 2.0. UC has enlisted an architect to analyze all of the applications that use OAuth flows to see where refresh tokens can be applied. Which two OAuth flows should the architect consider in their evaluation? Choose 2 answers
- A. User-Agent
- B. Username-password
- C. Web server
- D. JWT bearer token
Correct answer: A, C
Explanation:
The two OAuth flows that support refresh tokens are Web server and User-Agent. According to the Salesforce documentation, "The web server authentication flow and user-agent flow both provide a refresh token that can be used to get a new access token." Therefore, options A and C are the correct answers.
References: Salesforce Documentation
Question # 112
The security team at Universal Containers (UC) has identified exporting reports as a high-risk action and would like to require users to be logged into Salesforce with their Active Directory (AD) credentials when doing so.
For all other uses of Salesforce, users should be allowed to use AD credentials or Salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials, while maintaining the ability to view reports when logged in with Salesforce credentials?
- A. Use SAML Federated Authentication and block access to reports when accessed through a standard assurance session.
- B. Use SAML Federated Authentication and custom SAML JIT provisioning to dynamically add or remove a permission set that grants the Export Reports permission.
- C. Use SAML Federated Authentication with a login flow to dynamically add or remove a permission set that grants the export reports permission.
- D. Use SAML Federated Authentication, treat SAML sessions as high assurance, and raise the session level required for exporting reports.
Correct answer: A
Question # 113
Universal Containers (UC) is building a customer community and will allow customers to authenticate using Facebook credentials. The first time a user authenticates using Facebook, UC would like a customer account created automatically in their accounting system. The accounting system has a web service accessible to Salesforce for the creation of accounts. How can the Architect meet these requirements?
- A. Add an Apex callout in the registration handler of the authorization provider.
- B. Use OAuth JWT flow to pass the data from Salesforce to the Accounting System.
- C. Create a custom application on Heroku that manages the sign-on process from Facebook.
- D. Use JIT Provisioning to automatically create the account in the accounting system.
Correct answer: A
Question # 114
Universal Containers (UC) built a customer Community for customers to buy products, review orders, and manage their accounts. UC has provided three different options for customers to log in to the customer Community: Salesforce, Google, and Facebook. Which two role combinations are represented by the systems in the scenario? Choose 2 answers
- A. Google is the service provider and Facebook is the identity provider
- B. Salesforce is the service provider and Google is the identity provider
- C. Salesforce is the service provider and Facebook is the identity provider
- D. Facebook is the service provider and Salesforce is the identity provider
Correct answer: B, C
Question # 115
A multinational industrial products manufacturer is planning to implement Salesforce CRM to manage their business. They have the following requirements:
1. They plan to implement Partner communities to provide access to their partner network.
2. They have operations in multiple countries and are planning to implement multiple Salesforce orgs.
3. Some of their partners do business in multiple countries and will need information from multiple Salesforce communities.
4. They would like to provide a single login for their partners.
How should an Identity Architect solve this requirement with limited custom development?
- A. Register partners in one org and access information from other orgs using APIs.
- B. Create a partner login for the country of their operation and use SAML federation to provide access to other orgs.
- C. Consolidate Partner related information in a single org and provide access through Salesforce community.
- D. Allow partners to choose the Salesforce org they need information from and use login flows to authenticate access.
Correct answer: B
Question # 116
A large consumer company is planning to create a community and will require login through the customer's social identity. The following requirements must be met:
1. The customer should be able to log in with any of their social identities; however, Salesforce should only have one user per customer.
2. Once the customer has been identified with a social identity, they should not be required to authorize Salesforce.
3. The customer's personal details from the social sign-on need to be captured when the customer logs into Salesforce using their social identity.
4. If the customer modifies their personal details in the social site, the changes should be updated in Salesforce.
Which two options allow the Identity Architect to fulfill the requirements?
Choose 2 answers
- A. Redirect the user to a custom page that allows the user to select an existing social identity for login.
- B. Use authentication providers for social sign-on and use the custom registration handler to insert or update personal details.
- C. Use the custom registration handler to link social identities to Salesforce identities.
- D. Use Login Flows to call an authentication registration handler to provision the user before logging the user into the community.
Correct answer: B, C
Question # 117
Universal Containers has multiple Salesforce instances where users receive emails from different instances.
Users should be logged into the correct Salesforce instance authenticated by their IdP when clicking on an email link to a Salesforce record.
What should be enabled in Salesforce as a prerequisite?
- A. Identity Provider
- B. External Identity
- C. Multi-Factor Authentication
- D. My Domain
Correct answer: D
Explanation:
My Domain is a feature that allows you to personalize your Salesforce org with a subdomain within the Salesforce domain. For example, instead of using a generic URL like https://na30.salesforce.com, you can use a custom URL like https://somethingReallycool.my.salesforce.com. My Domain should be enabled in Salesforce as a prerequisite for the following reasons:
- My Domain lets you work in multiple Salesforce orgs in the same browser. Without My Domain, you can only log in to one org at a time in the same browser.
- My Domain lets you set up single sign-on (SSO) with third-party identity providers (IdPs). SSO is an authentication method that allows users to access multiple applications with one login and one set of credentials. With My Domain and SSO, users can log in to Salesforce using their corporate credentials or social accounts.
- My Domain lets you customize your login page with your brand. You can add your logo, background image, right-frame content, and authentication service buttons to your login page.
References:
My Domain
[Customize Your Login Process with My Domain]
Question # 118
Universal Containers (UC) is implementing Salesforce and would like to establish SAML SSO for its users to log in. UC stores its corporate user identities in a custom database. The UC IT Manager has heard good things about Salesforce Identity Connect as an IdP, and would like to understand what limitations they may face if they decided to use Identity Connect in their current environment. What limitation should an Architect inform the IT Manager about?
- A. Identity Connect will not support user provisioning in UC's current environment.
- B. Identity Connect will only support SP-initiated SAML flows in UC's current environment.
- C. Identity Connect will only support IdP-initiated SAML flows in UC's current environment.
- D. Identity Connect is not compatible with UC's current identity environment.
Correct answer: A
Question # 119
Universal Containers (UC) wants users to authenticate into their Salesforce org using credentials stored in a custom identity store. UC does not want to purchase or use a third-party Identity Provider. Additionally, UC is extremely wary of social media and does not consider it to be trustworthy. Which two options should an architect recommend to UC? Choose 2 answers
- A. Build a custom web page that uses the identity store and calls frontdoor.jsp
- B. Implement the OpenID protocol and configure an authentication provider
- C. Build a custom web service that is supported by Delegated Authentication.
- D. Use a professional social media site such as LinkedIn as an Authentication Provider
Correct answer: B, C
Explanation:
The two options that an architect should recommend to UC are to build a custom web service that is supported by delegated authentication and to implement the OpenID protocol and configure an authentication provider. Delegated authentication is a feature that allows Salesforce to delegate user authentication to an external service instead of using Salesforce credentials. A custom web service can be built to use the credentials stored in the custom identity store and validate them against Salesforce using the SOAP or REST API. OpenID is an open standard protocol that allows users to authenticate with various web services using an existing account. An authentication provider can be configured in Salesforce to use OpenID and connect with the custom identity store.
References: Delegated Authentication, OpenID, Authentication Providers
Question # 120
Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for NTO to give its customers the ability to login with their Amazon credentials.
What should an identity architect recommend to meet these requirements?
- A. Configure a predefined authentication provider for Amazon.
- B. Configure Amazon as a connected app.
- C. Configure an OpenID Connect Authentication Provider for Amazon.
- D. Create a custom external authentication provider for Amazon.
Correct answer: C
Question # 121
Universal Containers (UC) has Active Directory (AD) as their enterprise identity store and would like to use it for Salesforce user authentication. UC expects to synchronize user data between Salesforce and AD and assign the appropriate Profile and Permission Sets based on AD group membership. What would be the optimal way to implement SSO?
- A. Use Microsoft Access control Service as the Authentication provider.
- B. Use Active Directory with Reverse Proxy as the Identity Provider.
- C. Use Active Directory Federation Service (ADFS) as the Identity Provider.
- D. Use Salesforce Identity Connect as the Identity Provider.
Correct answer: D
Explanation:
The optimal way to implement SSO with Active Directory as the enterprise identity store is to use Salesforce Identity Connect as the identity provider. Salesforce Identity Connect is software that integrates Microsoft Active Directory with Salesforce and enables single sign-on (SSO) using SAML. It also allows user data synchronization between Active Directory and Salesforce, and profile and permission set assignment based on Active Directory group membership. Option B is not a good choice because using Active Directory with a reverse proxy as the identity provider may not be supported by Salesforce or may require additional configuration and customization. Option A is not a good choice because using Microsoft Access Control Service as the authentication provider may not be available, as Microsoft retired this service in 2018.
Option C is not a good choice because using Active Directory Federation Service (ADFS) as the identity provider may not allow user data synchronization or profile and permission set assignment based on Active Directory group membership, unless it is combined with another tool such as Salesforce Identity Connect.
References: Salesforce Identity Connect Implementation Guide, Single Sign-On Implementation Guide
Question # 122
Universal Containers (UC) is building an authenticated Customer Community for its customers. UC does not want customer credentials stored in Salesforce and is confident its customers would be willing to use their social media credentials to authenticate to the community. Which two actions should an Architect recommend UC to take?
- A. Create a Custom Apex Registration Handler to handle new and existing users.
- B. Use Delegated Authentication to call the Twitter login API to authenticate users.
- C. Configure SSO Settings For Facebook to serve as a SAML Identity Provider.
- D. Configure an Authentication Provider for LinkedIn Social Media Accounts.
Correct answer: A, D
Explanation:
Configuring an Authentication Provider for LinkedIn Social Media Accounts allows UC to use LinkedIn as an external identity provider for its customer community. This means that customers can use their LinkedIn credentials to log in to the community without storing their credentials in Salesforce. Creating a Custom Apex Registration Handler allows UC to customize how new and existing users are handled when they log in with an external identity provider. This means that UC can control how user records are created, updated, or matched when customers use their social media credentials to authenticate to the community. These two actions can meet the requirement of UC to use social media credentials for its customer community.
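The registration handler that questions 116 and 122 describe (one Salesforce user per customer, linking additional social identities to the existing user, and copying profile changes from the social site on later logins) looks like this in Apex. This is an added example, not code from the question bank or from Salesforce documentation; the class name, the 'Customer Community User' profile, and the 'Self-Registered Customers' account that parents new contacts are assumptions for the example.

```apex
// Added example for questions 116 and 122: a custom Auth.RegistrationHandler for
// social sign-on. Not from the question bank or Salesforce documentation.
// Assumptions (hypothetical): a community profile named 'Customer Community User'
// and an account named 'Self-Registered Customers' that parents new contacts.
global class SocialRegistrationHandler implements Auth.RegistrationHandler {

    public class RegistrationException extends Exception {}

    // Runs the first time a given social identity logs in. Returning an existing
    // User links the new social identity to it, so one customer with several
    // social identities still maps to a single Salesforce user.
    global User createUser(Id portalId, Auth.UserData data) {
        if (String.isBlank(data.email)) {
            // Without an email there is nothing safe to match on; refuse rather than
            // silently creating a duplicate or linking to the wrong person.
            throw new RegistrationException('Social identity did not supply an email address');
        }
        List<User> existing = [
            SELECT Id FROM User
            WHERE Email = :data.email AND IsActive = true AND ContactId != null
            LIMIT 1
        ];
        if (!existing.isEmpty()) {
            return existing[0];
        }

        Account parent  = [SELECT Id FROM Account WHERE Name = 'Self-Registered Customers' LIMIT 1];
        Profile profile = [SELECT Id FROM Profile WHERE Name = 'Customer Community User' LIMIT 1];

        Contact c = new Contact(
            FirstName = data.firstName,
            LastName  = lastNameFrom(data),
            Email     = data.email,
            AccountId = parent.Id
        );
        insert c;

        User u = new User();
        u.ContactId         = c.Id;
        u.ProfileId         = profile.Id;
        u.FirstName         = data.firstName;
        u.LastName          = lastNameFrom(data);
        u.Email             = data.email;
        // Usernames must be unique across all Salesforce orgs, so derive one from the email.
        u.Username          = data.email.replace('@', '.') + '@community.example';
        u.Alias             = aliasFrom(data);
        u.LanguageLocaleKey = 'en_US';
        u.LocaleSidKey      = 'en_US';
        u.EmailEncodingKey  = 'UTF-8';
        u.TimeZoneSidKey    = 'America/Los_Angeles';
        return u; // Salesforce inserts the user and records the third-party account link
    }

    // Runs on every later login with an already linked identity: copy the details
    // the social site now reports so edits made there show up in Salesforce.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = new User(Id = userId);
        u.FirstName = data.firstName;
        u.LastName  = lastNameFrom(data);
        if (String.isNotBlank(data.email)) {
            u.Email = data.email;
        }
        update u;
    }

    private static String lastNameFrom(Auth.UserData data) {
        if (String.isNotBlank(data.lastName)) return data.lastName;
        if (String.isNotBlank(data.fullName)) return data.fullName;
        return 'Customer'; // LastName is required on Contact and User
    }

    private static String aliasFrom(Auth.UserData data) {
        String base = data.email.substringBefore('@').replaceAll('[^a-zA-Z0-9]', '');
        if (String.isBlank(base)) base = 'cust';
        return base.length() > 8 ? base.substring(0, 8) : base; // Alias is capped at 8 characters
    }
}
```

The handler is assigned on each Auth. Provider's configuration, so every social provider routes through the same matching logic. Matching on email only works safely when the social provider verifies addresses: if a provider allows unverified addresses, someone who registers another person's email there would be linked to that person's user, so restrict email matching to providers that verify addresses or add a confirmation step before linking. `updateUser` touches only the User record, which keeps the setup-object DML separate from the Contact update that a full profile sync would also need.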
Question # 123
How should an Architect force users to authenticate with Two-Factor Authentication (2FA) for Salesforce only when not connected to an internal company network?
- A. Add the list of company's network IP addresses to the Login Range list under 2FA Setup.
- B. Use an Apex Trigger on the UserLogin object to detect the user's IP address and prompt for 2FA if needed.
- C. Apply the "Two-factor Authentication for User Interface Logins" permission and Login IP Ranges for all Profiles.
- D. Use Custom Login Flows with Apex to detect the user's IP address and prompt for 2FA if needed.
Correct answer: D
Question # 124
Universal Containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected app in Salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two recommendations should the architect make to UC? Choose 2 answers
- A. Use Google Authenticator as an additional part of the login process.
- B. Set login IP ranges to the internal network for all of the app users' profiles.
- C. Disallow the use of single sign-on for any users of the mobile app.
- D. Require high assurance sessions in order to use the connected app
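The mechanism behind the correct answer to question 123 (a custom login flow that uses Apex to look at the source IP and prompt for a second factor only off-network) can be built as an invocable Apex action that the login flow calls. This is an added example, not code from the question bank or from Salesforce documentation; the class and variable names are hypothetical, it assumes the corporate egress addresses are registered as trusted IP ranges under Setup > Network Access, and it assumes a login flow exists that branches on the returned values.

```apex
// Added example for question 123: an invocable Apex action for a custom login flow.
// Not from the question bank or Salesforce documentation; class and variable names are
// hypothetical. Assumes the corporate network is registered in the org's trusted IP ranges.
public with sharing class LoginNetworkCheck {

    public class Request {
        @InvocableVariable(label='Start URL after verification') public String startUrl;
    }

    public class Result {
        @InvocableVariable(label='Source IP') public String sourceIp;
        @InvocableVariable(label='On corporate network') public Boolean onCorporateNetwork;
        @InvocableVariable(label='Verification URL') public String verificationUrl;
    }

    @InvocableMethod(label='Check login network' description='Flags logins from outside the trusted IP ranges')
    public static List<Result> check(List<Request> requests) {
        List<Result> out = new List<Result>();
        // The current-session map carries the IP address the login came from.
        Map<String, String> session = Auth.SessionManagement.getCurrentSession();
        String ip = session.get('SourceIp');
        for (Request req : requests) {
            Result r = new Result();
            r.sourceIp = ip;
            // True only when the IP falls inside a trusted IP range (Setup > Network Access).
            r.onCorporateNetwork = Auth.SessionManagement.inOrgNetworkRange(ip);
            if (!r.onCorporateNetwork) {
                // Off-network: ask Salesforce for the URL that walks the user through
                // identity verification (second factor) before the session continues.
                PageReference verify = Auth.SessionManagement.generateVerificationUrl(
                    Auth.VerificationPolicy.HIGH_ASSURANCE,
                    'Login from outside the corporate network',
                    String.isBlank(req.startUrl) ? '/' : req.startUrl
                );
                r.verificationUrl = verify.getUrl();
            }
            out.add(r);
        }
        return out;
    }
}
```

In the login flow, a Decision element tests `onCorporateNetwork`: when it is true the flow finishes normally, and when it is false the flow sends the user to `verificationUrl` (for example by assigning it to the flow's finish-location output), so users on the internal network never see the extra prompt while everyone else must complete verification. Because the check runs server-side on the session's own source IP, the user cannot influence the outcome by editing the request the way a client-side check could be bypassed.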
Correct answer: A, D
Explanation:
High assurance sessions are sessions that require a stronger level of identity verification, such as two-factor authentication or SAML assertions [1]. Google Authenticator is an app that generates verification codes on your mobile device that you can use as a second factor of authentication [2]. These measures can help prevent unauthorized access to the connected app by ensuring that the user is who they claim to be and that they have access to their mobile device. Disallowing the use of single sign-on (SSO) for the mobile app is not a recommendation because SSO can provide a seamless and secure user experience across multiple applications [3]. Setting login IP ranges to the internal network for the app users' profiles is not a recommendation because it can limit the mobility and flexibility of the users who are commonly out of the office.
References: 1: Session Security Levels; 2: Google Authenticator; 3: Connected Apps; [Restrict Login Access by IP Address]
Question # 125
Universal Containers (UC) uses a legacy Employee portal for their employees to collaborate. Employees access the portal from their company's internal website via SSO. It is set up to work with SiteMinder and Active Directory. The Employee portal has features to support posting ideas. UC decides to use Salesforce Ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to integrate Employee portal ideas with Salesforce Ideas through the API. What is the role of Salesforce in the context of SSO, based on this scenario?
- A. Identity Provider, because the API calls are authenticated by Salesforce.
- B. Service Provider, because Salesforce is the application for managing ideas.
- C. Connected App, because Salesforce is connected with Employee portal via API.
- D. An independent system, because Salesforce is not part of the SSO setup.
Correct answer: D
Explanation:
D is correct because Salesforce is an independent system that is not part of the SSO setup between the Employee portal and Active Directory. Salesforce does not act as an IdP or an SP for the SSO, nor does it use a connected app to integrate with the Employee portal. Salesforce only exposes its API to allow the Employee portal to access its Ideas feature.
B is incorrect because Salesforce is not a service provider for the SSO. The SSO is between the Employee portal and Active Directory, not between the Employee portal and Salesforce.
C is incorrect because Salesforce is not a connected app for the SSO. A connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect [1]. The Employee portal does not use any of these protocols to integrate with Salesforce, but only uses its API.
A is incorrect because Salesforce is not an identity provider for the SSO. The IdP is the system that authenticates users and issues tokens or assertions to allow access to other systems. In this scenario, the IdP is Active Directory, not Salesforce.
References: 1: OAuth Authorization Flows in Salesforce - Apex Hours
Question # 126
Universal Containers (UC) has an existing Salesforce org configured for SP-initiated SAML SSO with their IdP. A second Salesforce org is being introduced into the environment, and the IT team would like to ensure they can use the same IdP for the new org. What action should the IT team take while implementing the second org?
- A. Use the Salesforce Username as the SAML Identity Type.
- B. Use the same request bindings as the first org.
- C. Use a different Entity ID than the first org.
- D. Use the same SAML Identity location as the first org.
Correct answer: C
Explanation:
The Entity ID is a unique identifier for a service provider or an identity provider in SAML SSO. It is used to differentiate between different service providers or identity providers that may share the same issuer or login URL. In Salesforce, the Entity ID is automatically generated based on the organization ID and can be viewed in the Single Sign-On Settings page. If you have a custom domain set up, you can use https://[customDomain].my.salesforce.com as the Entity ID. If you want to use the same IdP for two Salesforce orgs, you need to use different Entity IDs for each org; otherwise the IdP will not be able to distinguish them and may send incorrect assertions. You can also use different certificates, issuers, or login URLs for each org, but using different Entity IDs is the simplest and recommended way.
Question # 127
Refer to the exhibit.
Northern Trail Outfitters (NTO) is using Experience Cloud as an Identity for its application on Heroku. The application on Heroku should be able to handle two brands, Northern Trail Shoes and Northern Trail Shirts.
A user should select either of the two brands in Heroku before logging into the community. The app then performs Authorization using OAuth2.0 with the Salesforce Experience Cloud site.
NTO wants to make sure it renders login page images dynamically based on the user's brand preference selected in Heroku before Authorization.
What should an identity architect do to fulfill the above requirements?
- A. Authorize the third-party service by sending authorization requests to the community-url/services/oauth2/authorize/expid_value.
- B. Authorize third-party service by sending authorization requests to the community-url/services/oauth2/authorize/cookie_value.
- C. For each brand create different communities and redirect users to the appropriate community using a custom Login controller written in Apex.
- D. Create multiple login screens using Experience Builder and use Login Flows at runtime to route to different login screens.
Correct answer: A
Explanation:
OAuth 2.0 is an open standard for authorization that allows a third-party application to obtain limited access to a protected resource on behalf of a user. To authorize a third-party service using OAuth 2.0 with the Salesforce Experience Cloud site, the identity architect should do the following steps:
1. Create a connected app for the third-party service in Salesforce. A connected app is an application that integrates with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect. To create a connected app, you need to provide the basic information, such as the app name, logo URL, contact email, and API name. You also need to enable OAuth and configure the OAuth settings, such as the callback URL, the scopes, and the policies.
2. Authorize the third-party service by sending authorization requests to the community-url/services/oauth2/authorize/expid_value. This is a special endpoint that allows you to specify an experience ID (expid) as a query parameter in the authorization request. The experience ID is a unique identifier for each experience (community or site) in Salesforce. By using this endpoint, you can dynamically render the login page images based on the user's brand preference selected in the third-party service before authorization.
References:
OAuth 2.0
OAuth 2.0 Web Server Authentication Flow
Connected Apps
Create a Connected App
Experience ID
Authorize Apps with OAuth
Question # 128
......
Identity-and-Access-Management-Architect question bank PDF with real Identity-and-Access-Management-Architect exam questions and answers: https://www.passtest.jp/Salesforce/Identity-and-Access-Management-Architect-shiken.html
Latest Identity-and-Access-Management-Architect practice test questions as they appear on the real exam: https://drive.google.com/open?id=1TpY5Bm6zoKRrfB2PjheoB4bAklLhPd-0