Updated Mar-2023 Exam Materials for You to Prepare & Pass Identity-and-Access-Management-Designer Exam [Q53-Q77]

Rate this post

Updated Mar-2023 Exam Materials for You to Prepare & Pass Identity-and-Access-Management-Designer Exam.

Pass Your Identity-and-Access-Management-Designer Exam at the First Try with 100% Real Exam

Who should take the Identity-and-Access-Management-Designer exam

Salesforce Certified Identity and Access Management Designer (WI19) certification is an internationally-recognized validation that identifies persons who earn it as possessing skilled as a Salesforce Certified Identity and Access Management Designer (WI19). if a candidate wants significant improvement in career growth needs enhanced knowledge, skills, and talents. The Salesforce Identity-and-Access-Management-Designer Exam provides proof of this advanced knowledge and skill. If a candidate has knowledge of associated technologies and skills that are required to pass the Salesforce Identity-and-Access-Management-Designer Exam then he should take this exam.

Identity-and-Access-Management-Designer Exam topics

Candidates must know the exam topics before they start of preparation. Because it will really help them in hitting the core. Our Salesforce Identity-and-Access-Management-Designer exam dumps will include the following topics:

Salesforce as an Identity Provider 23%
Community (Partner and Customer) 5%
Salesforce Identity 7%
Identity Management Concepts 28%
Access Management Best Practices 15%

QUESTION 53
After a recent audit, universal containers was advised to implement Two-factor Authentication for all of their critical systems, including salesforce. Which two actions should UC consider to meet this requirement? Choose 2 answers

Require users to provide their RSA token along with their credentials.

Require users to supply their email and phone number, which gets validated.

Require users to enter a second password after the first Authentication

Require users to use a biometric reader as well as their password

QUESTION 54
Universal Containers has built a custom token-based Two-Factor Authentication system for their existing on-premise applications. They are now implementing Salesforce and would like to enable a Two-Factor login process for it, as well.
What is the recommended solution an Architect should consider?

Replace the custom 2FA system with an AppExchange App that supports on-premise applications and Salesforce.

Use the custom 2FA system for on-premise applications and native 2FA for Salesforce.

Replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce.

Use Custom Login Flows to connect to the existing custom 2FA system for use in Salesforce.

QUESTION 55
Northern Trail Outfitters (NTO) uses Salesforce Experience Cloud sites (previously known as Customer Community) to provide a digital portal where customers can login using their Google account.
NTO would like to automatically create a case record for first time users logging into Salesforce Experience Cloud.
What should an Identity architect do to fulfill the requirement?

Configure an authentication provider for Social Login using Google and a custom registration handler.

Implement a Just-in-Time handler class that has logic to create cases upon first login.

Create an authentication provider for Social Login using Google and leverage standard registration handler.

Implement a login flow with a record create component for Case.

QUESTION 56
Universal Containers (UC) plans to use a SAML-based third-party IdP serving both of the Salesforce Partner Community and the corporate portal. UC partners will log in 65* to the corporate portal to access protected resources, including links to Salesforce resources. What would be the recommended way to configure the IdP so that seamless access can be achieved in this scenario?

Set up the corporate portal as a Connected App in Salesforce and use the Web server OAuth flow.

Configure SP-initiated SSO that passes the SAML token upon Salesforce resource access request.

Set up the corporate portal as a Connected App in Salesforce and use the User Agent OAuth flow.

Configure IdP-initiated SSO that passes the SAML token upon Salesforce resource access request.

QUESTION 57
Universal Containers (UC) has a Customer Community that uses Facebook for Authentication. UC would like to ensure that Changes in the Facebook profile are reflected on the appropriate Customer Community user:
How can this requirement be met?

Use the updateUser method on the registration Handler Class.

Develop a scheduled job that calls out to Facebook on a nightly basis.

Use information in the signed Request that is received from facebook.

Use SAML Just-In-Time Provisioning between Facebook and Salesforce.

QUESTION 58
Sales users at Universal containers use salesforce for Opportunity management. Marketing uses a third-party application called Nest for Lead nurturing that is accessed using username/password. The VP of sales wants to open up access to nest for all sales uses to provide them access to lead history and would like SSO for better adoption. Salesforce is already setup for SSO and uses Delegated Authentication. Nest can accept username/Password or SAML-based Authentication. IT teams have received multiple password-related issues for nest and have decided to set up SSO access for Nest for Marketing users as well. The CIO does not want to invest in a new IDP solution and is considering using Salesforce for this purpose. Which are appropriate license type choices for sales and marketing users, giving salesforce is using Delegated Authentication? Choose 2 answers

Salesforce license for sales users and Identity license for Marketing users

Salesforce license for sales users and External Identity license for Marketing users

Identity license for sales users and Identity connect license for Marketing users

Salesforce license for sales users and platform license for Marketing users.

QUESTION 59
Universal Containers (UC) uses Global Shipping (GS) as one of their shipping vendors. Regional leads of GS need access to UC’s Salesforce instance for reporting damage of goods using Cases. The regional leads also need access to dashboards to keep track of regional shipping KPIs. UC internally uses a third-party cloud analytics tool for capacity planning and UC decided to provide access to this tool to a subset of GS employees.
In addition to regional leads, the GS capacity planning team would benefit from access to this tool. To access the analytics tool, UC IT has set up Salesforce as the Identity provider for Internal users and would like to follow the same approach for the GS users as well. What are the most appropriate license types for GS Tregional Leads and the GS Capacity Planners? Choose 2 Answers

Customer Community Plus license for GS Regional Leads and External Identity for GS Capacity Planners.

Customer Community Plus license for GS Regional Leads and Customer Community license for GS Capacity Planners.

Identity Licence for GS Regional Leads and External Identity license for GS capacity Planners.

Customer Community license for GS Regional Leads and Identity license for GS Capacity Planners.

QUESTION 60
Northern Trail Outfitters wants to implement a partner community. Active community users will need to review and accept the community rules, and update key contact information for each community member before their annual partner event.
Which approach will meet this requirement?

Create tasks for users who need to update their data or accept the new community rules.

Create a custom landing page and email campaign asking all community members to login and verify their data.

Create a login flow that conditionally prompts users who have not accepted the new community rules and who have missing or outdated information.

Add a banner to the community Home page asking users to update their profile and accept the new community rules.

QUESTION 61
An Architect needs to advise the team that manages the Identity Provider how to differentiate Salesforce from other Service Providers. What SAML SSO setting in Salesforce provides this capability?

Identity Provider Login URL.

Issuer.

Entity Id

SAML Identity Location.

QUESTION 62
An identity architect wants to secure Salesforce APIs using Security Assertion Markup Language (SAML). For secunty purposes, administrators will need to authorize the applications that will be consuming the APIs.
Which Salesforce OAuth authorization flow should be used7

OAuth 2-0 SAML Bearer Assertion Flow

OAuth 2.0 JWT Bearer Flow

SAML Assertion Flow

OAuth 2.0 User-Agent Flow

QUESTION 63
Universal Containers (UC) has an existing e-commerce platform and is implementing a new customer community. They do not want to force customers to register on both applications due to concern over the customers experience. It is expected that 25% of the e-commerce customers will utilize the customer community . The e-commerce platform is capable of generating SAML responses and has an existing REST-ful API capable of managing users. How should UC create the identities of its e-commerce users with the customer community?

Use SAML JIT in the Customer Community to create users when a user tries to login to the community from the e-commerce site.

Use the e-commerce REST API to create users when a user self-register on the customer community and use SAML to allow SSO.

Use a nightly batch ETL job to sync users between the Customer Community and the e-commerce platform and use SAML to allow SSO.

Use the standard Salesforce API to create users in the Community When a User is Created in the e-Commerce platform and use SAML to allow SSO.

QUESTION 64
Universal containers (UC) uses a legacy Employee portal for their employees to collaborate and post their ideas. UC decides to use salesforce ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to push ideas posted on the Employee portal to salesforce through API. UC decides to use an API user using Oauth Username – password flow for the connection. How can the connection to salesforce be restricted only to the employee portal server?

Add the Employee portals IP address to the Trusted IP range for the connected App

Use a digital certificate signed by the employee portal Server.

Add the employee portals IP address to the login IP range on the user profile.

Use a dedicated profile for the user the Employee portal uses.

QUESTION 65
Universal containers (UC) would like to enable self – registration for their salesforcepartner community users.
UC wants to capture some custom data elements from the partner user, and based on these data elements, wants to assign the appropriate profile and account values. Which two actions should the architect recommend to UC? Choose 2 answers

Modify the communitiesselfregcontroller to assign the profile and account.

Modify the selfregistration trigger to assign profile and account.

Configure registration for communities to use a custom visualforce page.

Configure registrationfor communities to use a custom apex controller.

QUESTION 66
A security architect is rolling out a new multi-factor authentication (MFA) mandate, where all employees must go through a secure authentication process before accessing Salesforce. There are multiple Identity Providers (IdP) in place and the architect is considering how the “Authentication Method Reference” field (AMR) in the Login History can help.
Which two considerations should the architect keep in mind?
Choose 2 answers

AMR field shows the authentication methods used at IdP.

Both OIDC and Security Assertion Markup Language (SAML) are supported but AMR must be implemented at IdP.

High-assurance sessions must be configured under Session Security Level Policies.

Dependency on what is supported by OpenID Connect (OIDC) implementation at IdP.

QUESTION 67
Universal containers (UC) is planning to deploy a custom mobile app that will allow users to get e-signatures from its customers on their mobile devices. The mobile app connects to salesforce to upload the e-signatures as a file attachment and uses Oauth protocol for both Authentication and authorization. What is the most recommended and secure Oauth scope setting that an architect should recommend?

Web

Custom_permissions

API

QUESTION 68
Universal Containers (UC) uses Global Shipping (GS) as one of their shipping vendors. Regional leads of GS need access to UC’s Salesforce instance for reporting damage of goods using Cases. The regional leads also need access to dashboards to keep track of regional shipping KPIs. UC internally uses a third-party cloud analytics tool for capacity planning and UC decided to provide access to this tool to a subset of GS employees. In addition to regional leads, the GS capacity planning team would benefit from access to this tool. To access the analytics tool, UC IT has set up Salesforce as the Identity provider for Internal users and would like to follow the same approach for the GS users as well. What are the most appropriate license types for GS Tregional Leads and the GS Capacity Planners? Choose 2 Answers

Customer Community Plus license for GS Regional Leads and External Identity for GS Capacity Planners.

Customer Community Plus license for GS Regional Leads and Customer Community license for GS Capacity Planners.

Identity Licence for GS Regional Leads and External Identity license for GS capacity Planners.

Customer Community license for GS Regional Leads and Identity license for GS Capacity Planners.

QUESTION 69
Northern Trail Outfitters (NTO) wants its customers to use phone numbers to log in to their new digital portal, which was designed and built using Salesforce Experience Cloud. In order to access the portal, the user will need to do the following:
1. Enter a phone number and/or email address
2. Enter a verification code that is to be sent via email or text.
What is the recommended approach to fulfill this requirement?

Create a Login Discovery page and provide a Login Discovery Handler Apex class.

Create a custom login page with an Apex controller. The controller has logic to send and verify the identity.

Create an Authentication provider and implement a self-registration handler class.

Create a custom login flow that uses an Apex controller to verify the phone numbers with the company’s verification service.

QUESTION 70
Universal containers (UC) is building a mobile application that will make calls to the salesforce REST API. Additionally UC would like to provide the optimal experience for its mobile users. Which two OAuth scopes should UC configure in the connected App? Choose 2 answers

Refresh token

API

full

Web

QUESTION 71
An Architect has configured a SAML-based SSO integration between Salesforce and an external Identity provider and is ready to test it. When the Architect attempts to log in to Salesforce using SSO, the Architect receives a SAML error. Which two optimal actions should the Architect take to troubleshoot the issue?

Ensure the Callback URL is correctly set in the Connected Apps settings.

Use a browser that has an add-on/extension that can inspect SAML.

Paste the SAML Assertion Validator in Salesforce.

Use the browser’s Development tools to view the Salesforce page’s markup.

QUESTION 72
The security team at Universal Containers (UC) has identified exporting reports as a high-risk action and would like to require users to be logged into Salesforce with their Active Directory (AD) credentials when doing so. For all other users of Salesforce, users should be allowed to use AD Credentials or Salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with Salesforce credentials?

Use SAML Federated Authentication andblock access to reports when accessed through a Standard Assurance session.

Use SAML Federated Authentication and Custom SAML JIT Provisioning to dynamically and or remove a permission set that grants the Export Reports Permission.

Use SAML federatedAuthentication, treat SAML Sessions as High Assurance, and raise the session level required for exporting reports.

Use SAML federated Authentication with a Login Flow to dynamically add or remove a Permission Set that grants the Export Reports Permission.

QUESTION 73
Northern Trail Outfitters (NTO) uses the Customer 360 Platform implemented on Salesforce Experience Cloud. The development team in charge has learned of a contactless user feature, which can reduce the overhead of managing customers and partners by creating users without contact information.
What is the potential impact to the architecture if NTO decides to implement this feature?

Custom registration handler is needed to correctly assign External Identity or Community license for the newly registered contactless user.

If contactless user is upgraded to Community license, the contact record is automatically created and linked to the user record, but not associated with an Account.

Contactless user feature is available only with the External Identity license, which can restrict the Experience Cloud functionality available to the user.

Passwordless authentication can not be supported because the mobile phone receiving one-time password (OTP) needs to match the number on the contact record.

QUESTION 74
Universal Containers (UC) has a Customer Community that uses Facebook for of authentication. UC would like to ensure that changes in the Facebook profile are 65. reflected on the appropriate Customer Community user. How can this requirement be met?

Use SAML Just-In-Time Provisioning between Facebook and Salesforce.

Use information in the Signed Request that is received from Facebook.

Develop a scheduled job that calls out to Facebook on a nightly basis.

Use the updateUser() method on the Registration Handler class.

QUESTION 75
Universal Containers (UC) rolling out a new Customer Identity and Access Management Solution will be built on top of their existing Salesforce instance.
Several service providers have been setup and integrated with Salesforce using OpenlD Connect to allow for a seamless single sign-on experience. UC has a requirement to limit user access to only a subset of service providers per customer type.
Which two steps should be done on the platform to satisfy the requirement?
Choose 2 answers

Manage which connected apps a user has access to by assigning authentication providers to the users profile.

Assign the connected app to the customer community, and enable the users profile in the Community settings.

Use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps.

Set each of the Connected App access settings to Admin Pre-Approved.

QUESTION 76
Northern Trail Outfitters (NTO) is planning to roll out a partner portal for its distributors using Experience Cloud. NTO would like to use an external identity provider (idP) and for partners to register for access to the portal. Each partner should be allowed to register only once to avoid duplicate accounts with Salesforce.
What should a identity architect recommend to create partners?

On successful creation of Partners using Self Registration page in Experience Cloud, create identity in Ping.

Create a custom page m Experience Cloud to self register partner with Experience Cloud and Ping identity store.

Create a custom web page in the Portal and create users in the IdP and Experience Cloud using published APIs.

Allow partners to register through the IdP and create partner users in Salesforce through an API.

QUESTION 77
After a recent audit, universal containers was advised to implement Two-factor Authentication for all of their critical systems, including salesforce. Which two actions should UC consider to meet this requirement?
Choose 2 answers

Require users to provide their RSA token along with their credentials.

Require users to supply their email and phone number, which gets validated.

Require users to enter a second password after the first Authentication

Require users to use a biometric reader as well as their password