Salesforce Identity-and-Access-Management-Designer 問題集

質問 1：
A multinational company is looking to rollout Salesforce globally. The company has a Microsoft Active Directory Federation Services (ADFS) implementation for the Americas, Europe and APAC. The company plans to have a single org and they would like to have all of its users access Salesforce using the ADFS . The company would like to limit its investments and prefer not to procure additional applications to satisfy the requirements.
What is recommended to ensure these requirements are met ?
A. Add a central identity system that federates between the ADFS systems and integrate with Salesforce for single sign-on.
B. Configure Each ADFS system under single sign-on settings and allow users to choose the system to authenticate during sign on to Salesforce-
C. Implement Identity Connect to provide single sign-on to Salesforce and federated across multiple ADFS systems.
D. Use connected apps for each ADFS implementation and implement Salesforce site to authenticate users across the ADFS system applicable to their geo.
正解：C

質問 2：
universal container plans to develop a custom mobile app for the sales team that will use salesforce for authentication and access management. The mobile app access needs to be restricted to only the sales team. What would be the recommended solution to grant mobile app access to sales users?
A. Use the permission set license to assign the mobile app permission to sales users
B. Add a new identity provider to authenticate and authorize mobile users.
C. Use connected apps Oauth policies to restrict mobile app access to authorized users.
D. Use a custom attribute on the user object to control access to the mobile app
正解：C

質問 3：
An insurance company has a connected app in its Salesforce environment that is used to integrate with a Google Workspace (formerly knot as G Suite).
An identity and access management (IAM) architect has been asked to implement automation to enable users, freeze/suspend users, disable users, and reactivate existing users in Google Workspace upon similar actions in Salesforce.
Which solution is recommended to meet this requirement?
A. Build an Apex trigger on the useriogin object to make asynchronous callouts to Google APIs.
B. Configure user Provisioning for Connected Apps.
C. Update the Security Assertion Markup Language Just-in-Time (SAML JIt; handler in Salesforce for user provisioning and de-provisioning.
D. Build a custom REST endpoint in Salesforce that Google Workspace can poll against.
正解：B

質問 4：
Universal Containers (UC) uses Global Shipping (GS) as one of their shipping vendors. Regional leads of GS need access to UC's Salesforce instance for reporting damage of goods using Cases. The regional leads also need access to dashboards to keep track of regional shipping KPIs. UC internally uses a third-party cloud analytics tool for capacity planning and UC decided to provide access to this tool to a subset of GS employees. In addition to regional leads, the GS capacity planning team would benefit from access to this tool. To access the analytics tool, UC IT has set up Salesforce as the Identity provider for Internal users and would like to follow the same approach for the GS users as well. What are the most appropriate license types for GS Tregional Leads and the GS Capacity Planners? Choose 2 Answers
A. Identity Licence for GS Regional Leads and External Identity license for GS capacity Planners.
B. Customer Community license for GS Regional Leads and Identity license for GS Capacity Planners.
C. Customer Community Plus license for GS Regional Leads and Customer Community license for GS Capacity Planners.
D. Customer Community Plus license for GS Regional Leads and External Identity for GS Capacity Planners.
正解：B,C

質問 5：
An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The following are the requirements for the solution:
1. Users should not have to login every time they use the app.
2. The app should be able to make calls to the Salesforce REST API.
3. End users should NOT see the OAuth approval page.
How should the identity architect configure the Salesforce connected app to meet the requirements?
A. Enable the API Scope and Offline Access Scope, upload a certificate so JWT Bearer Flow can be used and then set the connected app access settings to "Admin Pre-Approved".
B. Enable the Full Access Scope and then set the connected app access settings to "Admin Pre-Approved".
C. Enable the API Scope and Offline Access Scope on the connected app, and then set the connected app to access settings to 'Admin Pre-Approved".
D. Enable the API Scope and Offline Access Scope on the connected app, and then set the Connected App access settings to "User may self authorize".
正解：A

質問 6：
A multinational industrial products manufacturer is planning to implement Salesforce CRM to manage their business. They have the following requirements:
1. They plan to implement Partner communities to provide access to their partner network .
2. They have operations in multiple countries and are planning to implement multiple Salesforce orgs.
3. Some of their partners do business in multiple countries and will need information from multiple Salesforce communities.
4. They would like to provide a single login for their partners.
How should an Identity Architect solution this requirement with limited custom development?
A. Register partners in one org and access information from other orgs using APIs.
B. Create a partner login for the country of their operation and use SAML federation to provide access to other orgs.
C. Allow partners to choose the Salesforce org they need information from and use login flows to authenticate access.
D. Consolidate Partner related information in a single org and provide access through Salesforce community.
正解：B

質問 7：
A company wants to provide its employees with a custom mobile app that accesses Salesforce. Users are required to download the internal native IOS mobile app from corporate intranet on their mobile device. The app allows flexibility to access other Non Salesforce internal applications once users authenticate with Salesforce. The apps self-authorize, and users are permitted to use the apps once they have logged into Salesforce.
How should an identity architect meet the above requirements with the privately distributed mobile app?
A. Configure Mobile App settings in connected app and Salesforce as identity provider for non-Salesforce internal apps.
B. Use connected app with OAuth and Security Assertion Markup Language (SAML) to access other Non Salesforce internal apps.
C. Create a new hybrid mobile app and use the connected app with OAuth to authenticate users for Salesforce and non-Salesforce internal apps.
D. Use Salesforce as an identity provider (IdP) to access the mobile app and use the external IdP for other non-Salesforce internal apps.
正解：A

質問 8：
An identity architect's client has a homegrown identity provider (IdP). Salesforce is used as the service provider (SP). The head of IT is worried that during a SP initiated single sign-on (SSO), the Security Assertion Markup Language (SAML) request content will be altered.
What should the identity architect recommend to make sure that there is additional trust between the SP and the IdP?
A. Encrypt the SAML Request using certification authority (CA) signed certificate and decrypt on IdP.
B. Ensure that the Issuer and Assertion Consumer service (ACS) URL is property configured between SP and IDP.
C. Ensure that on the SSO settings page, the "Request Signing Certificate" field has a self-signed certificate.
D. Ensure that there is an HTTPS connection between IDP and SP.
正解：A