Certified Identity and Access Management Designer

Here you have the best Salesforce Certified Identity and Access Management Designer practice exam questions

  • You have 32 total questions to study from
  • Each page has 5 questions, making a total of 7 pages
  • These questions were last updated on November 15, 2024
Question 1 of 32

Universal Containers (UC) has decided to build a new, highly sensitive application on the Lightning platform. The security team at UC has decided that they want users to provide a fingerprint in addition to username/password to authenticate to this application.

How can an Architect support fingerprints as a form of identification for Salesforce authentication?

    Correct Answer: A

    The best way to support fingerprints as a form of identification for Salesforce authentication is to use Custom Login Flows with callouts to a third-party fingerprint scanning application. Custom login flows allow for more flexibility in integrating third-party authentication mechanisms, such as fingerprint scanning, into the Salesforce authentication process. This method enables the application to obtain the username and password first, and then trigger a callout to the third-party service to perform the fingerprint scan as an additional layer of security.

Question 2 of 32

Universal Containers (UC) is successfully using Delegated Authentication for their Salesforce users. The service supporting Delegated Authentication is written in Java. UC has a new CIO that is requiring all company web services be REST-ful and written in .Net.

Which two considerations should the UC Architect provide to the new CIO? (Choose two.)

    Correct Answer: A, B

    Delegated Authentication in Salesforce relies on a web service that Salesforce calls to validate user credentials. That service can be SOAP-based or RESTful, so a RESTful service written in .Net can support Delegated Authentication. Delegated Authentication will therefore continue to work with both a REST service and a .Net service.

Question 3 of 32

Universal Containers (UC) is setting up delegated authentication to allow employees to log in using their corporate credentials. UC's security team is concerned about the risks of exposing the corporate login service on the internet and has asked that a reliable trust mechanism be put in place between the login service and Salesforce.

What mechanism should an Architect put in place to enable a trusted connection between the login service and Salesforce?

    Correct Answer: B, C

    To ensure a trusted connection between the login service and Salesforce, mutual authentication using SSL should be enforced. This ensures both parties verify each other's identity before establishing a connection, preventing unauthorized access and ensuring data integrity. Additionally, setting up a proxy service for the login service in the DMZ (Demilitarized Zone) adds an extra layer of security by isolating the internal network from direct exposure to the internet, which addresses the security team's concern regarding the risks of exposing the corporate login service.

Question 4 of 32

Universal Containers (UC) has decided to use Identity Connect as its Identity Provider. UC uses Active Directory (AD) and has a team that is very familiar and comfortable with managing AD groups. UC would like to use AD Groups to help configure Salesforce users.

Which three actions can AD Groups control through Identity Connect? (Choose three.)

    Correct Answer: A, B, E

    Identity Connect manages Salesforce users by synchronizing with Active Directory (AD) groups. Public Group Assignment, Role Assignment, and Permission Sets Assignment can each be mapped to, and controlled by, a corresponding AD group configuration, so these are the three actions AD Groups can control through Identity Connect.

Question 5 of 32

The CIO of Universal Containers (UC) wants to start taking advantage of the refresh token capability for the UC applications that utilize OAuth 2.0. UC has enlisted an Architect to analyze all of the applications that use OAuth flows to see where refresh tokens can be applied.

Which two OAuth flows should the Architect consider in their evaluation? (Choose two.)

    Correct Answer: B, D

    The Web Server and User-Agent OAuth flows both allow for the use of refresh tokens. The Web Server flow is designed for server-side applications and provides long-lived access by obtaining a refresh token, which can be used to get a new access token without user intervention. The User-Agent flow, typically used for single-page or mobile applications, also supports the issuance of a refresh token to maintain the user session without repeated logins. The JWT Bearer Token flow does not utilize refresh tokens, as it directly uses JWTs for authentication, and the Username-Password flow is deprecated and should be avoided.