Salesforce Identity-and-Access-Management-Designer 問題集

質問 1：
IT security at Unversal Containers (UC) us concerned about recent phishing scams targeting its users and wants to add additional layers of login protection. What should an Architect recommend to address the issue?
A. Increase Password complexity requirements in Salesforce.
B. Lock sessions to the IP address from which they originated.
C. Implement Single Sign-on using a corporate Identity store.
D. Use the Salesforce Authenticator mobile app with two-step verification
正解：D

質問 2：
Which two security risks can be mitigated by enabling Two-Factor Authentication (2FA) in Salesforce? Choose 2 answers
A. Users leaving laptops unattended and not logging out of Salesforce.
B. Users choosing passwords that are the same as their Facebook password.
C. Users creating simple-to-guess password reset questions.
D. Users accessing Salesforce from a public Wi-Fi access point.
正解：B,D

質問 3：
Universal containers (UC) wants users to authenticate into their salesforce org using credentials stored in a custom identity store. UC does not want to purchase or use a third-party Identity provider. Additionally, UC is extremely wary of social media and does not consider it to be trust worthy. Which two options should an architect recommend to UC? Choose 2 answers
A. Build a custom web page that uses the identity store and calls frontdoor.jsp
B. Implement the Openid protocol and configure an Authentication provider
C. Build a custom Web service that is supported by Delegated Authentication.
D. Use a professional social media such as LinkedIn as an Authentication provider
正解：B,C

質問 4：
Universal containers(UC) has implemented SAML-BASED single Sign-on for their salesforce application and is planning to provide access to salesforce on mobile devices using the salesforce1 mobile app. UC wants to ensure that single Sign-on is used for accessing the salesforce1 mobile app. Which two recommendations should the architect make? Choose 2 answers
A. Configure the embedded Web browser to use my domain URL.
B. Configure the salesforce1 app to use the my domain URL
C. Use the existing SAML SSO flow along with Web server flow
D. Use the existing SAML SSO flow along with user agent flow.
正解：B,D

質問 5：
Universal Containers (UC) is using a custom application that will act as the Identity Provider and will generate SAML assertions used to log in to Salesforce. UC is considering including custom parameters in the SAML assertion. These attributes contain sensitive data and are needed to authenticate the users. The assertions are submitted to salesforce via a browser form post. The majority of the users will only be able to access Salesforce via UC's corporate network, but a subset of admins and executives would be allowed access from outside the corporate network on their mobile devices. Which two methods should an Architect consider to ensure that the sensitive data cannot be tampered with, nor accessible to anyone while in transit?
A. Use the Identity provider's certificate to digitally Sign and the Identity provider's certificate to encrypt the payload.
B. Use Salesforce's Certificate to digitally sign the SAML Assertion and a Mobile Device Management client on the users' mobile devices.
C. Use a custom login flow to retrieve sensitive data using an Apex callout without including the attributes in the assertion.
D. Use the Identity Provider's certificate to digitally sign and Salesforce's Certificate to encrypt the payload.
正解：A,D

質問 6：
Universal Containers (UC) has an existing Salesforce org configured for SP-Initiated SAML SSO with their Idp. A second Salesforce org is being introduced into the environment and the IT team would like to ensure they can use the same Idp for new org. What action should the IT team take while implementing the second org?
A. Use the Salesforce Username as the SAML Identity Type.
B. Use the same request bindings as the first org.
C. Use a different Entity ID than the first org.
D. Use the same SAML Identity location as the first org.
正解：C

質問 7：
In an SP-Initiated SAML SSO setup where the user tries to access a resource on the Service Provider, What HTTP param should be used when submitting a SAML Request to the Idp to ensure the user is returned to the intended resourse after authentication?
A. RelayState
B. DisplayState
C. RedirectURL
D. StartURL
正解：A

質問 8：
The security team at Universal containers(UC) has identified exporting reports as a high-risk action and would like to require users to be logged into salesforce with their active directory (AD) credentials when doing so. For all other uses of Salesforce, Users should be allowed to use AD credentials or salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with salesforce credentials?
A. Use SAML Federated Authentication and block access to reports when accesses through a standard assurance session.
B. Use SAML Federated Authentication and Custom SAML jit provisioning to dynamically add or remove a permission set that grants the Export Reports permission.
C. Use SAML Federated Authentication with a login flow to dynamically add or remove a permission set that grants the export reports permission.
D. Use SAML Federated Authentication, treat SAML sessions as high assurance, and raise the session level required for exporting reports.
正解：A