Free Salesforce Certified Identity and Access Management Architect (SU22) Exam Identity-and-Access-Management-Architect Exam Practice Test

Northern Trail Outfitters (NTO) uses the Customer 360 Platform implemented on Salesforce Experience Cloud. The development team in charge has learned of a contactless user feature, which can reduce the overhead of managing customers and partners by creating users without contact information.What is the potential impact to the architecture if NTO decides to implement this feature?

• Custom registration handler is needed to correctly assign External Identity or Community license for the newly registered contactless user.
• If contactless user is upgraded to Community license, the contact record is automatically created and linked to the user record, but not associated with an Account.
• Contactless user feature is available only with the External Identity license, which can restrict the Experience Cloud functionality available to the user.
• Passwordless authentication can not be supported because the mobile phone receiving one-time password (OTP) needs to match the number on the contact record.

An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The following are the requirements for the solution:1. Users should not have to login every time they use the app.2. The app should be able to make calls to the Salesforce REST API.3. End users should NOT see the OAuth approval page.How should the identity architect configure the Salesforce connected app to meet the requirements?

• Enable the API Scope and Offline Access Scope, upload a certificate so JWT Bearer Flow can be used and then set the connected app access settings to 'Admin Pre-Approved'.
• Enable the API Scope and Offline Access Scope on the connected app, and then set the connected app to access settings to 'Admin Pre-Approved'.
• Enable the Full Access Scope and then set the connected app access settings to 'Admin Pre-Approved'.
• Enable the API Scope and Offline Access Scope on the connected app, and then set the Connected App access settings to 'User may self authorize'.

The CMO of an advertising company has invited an Identity and Access Management (IAM) specialist to discuss Salesforce out-of-box capabilities for configuring the company*s login and registration experience on Salesforce Experience Cloud.The CMO is looking to brand the login page with the company's logo, background color, login button color, and dynamic right-frame from an external URL.Which two solutions should the IAM specialist recommend?Choose 2 answers

• Use Experience Builder to build branded Reset and Forgot Password pages.
• Build custom pages for branding requirements in Experience Cloud.
• Build custom site pages for reset and forgot password features.
• Login & Registration pages can be branded in the Community Administration settings.

A public sector agency is setting up an identity solution for its citizens using a Community built on Experience Cloud and requires the new user registration functionality to capture first name, last name, and phone number. The phone number will be used for identity verification.Which feature should an identity architect recommend to meet the requirements?

• Integrate with social websites (Facebook, Linkedin. Twitter)
• Use an external Identity Provider
• Create a custom Lightning Web Component
• Use Login Discovery

Universal containers (UC) has a classified information system that it's call centre team uses only when they are working on a case with a record type of 'classified'. They are only allowed to access the system when they own an open 'classified' case, and their access to the system is removed at all other times. They would like to implement SAML SSO with salesforce as the IDP, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open 'classified' case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying access to the classified information system based on the open 'classified' case record criteria?

• Use a custom connected App handler using apex to dynamically allow access to the system based on whether the staff owns any open 'classified' cases.
• Use apex trigger on case to dynamically assign permission sets that grant access when a user is assigned with an open 'classified' case, and remove it when the case is closed.
• Use custom SAML jit provisioning to dynamically query the user's open 'classified' cases when attempting to access the classified information system
• Use salesforce reports to identify users that currently owns open 'classified' cases and should be granted access to the classified information system.

A consumer products company uses Salesforce to maintain consumer information, including orders. The company implemented a portal solution using Salesforce Experience Cloud for its consumers where the consumers can log in using their credentials. The company is considering allowing users to login with their Facebook or Linkedln credentials.Once enabled, what role will Salesforce play?

• Facebook and Linkedln will be the SPs.
• Salesforce will be the service provider (SP).
• Salesforce will be the identity provider (IdP).
• Facebook and Linkedln will act as the IdPs and SPs.

Which two things should be done to ensure end users can only use single sign-on (SSO) to login in to Salesforce?Choose 2 answers

• Enable My Domain and select 'Prevent login from https://login.salesforce.com'.
• Request Salesforce Support to enable delegated authentication.
• Once SSO is enabled, users are only able to login using Salesforce credentials.
• Assign user 'is Single Sign-on Enabled' permission via profile or permission set.

Universal Containers (UC) has a classified information system that its call center team uses only when they are working on a case with a record type 'Classified'. They are only allowed to access the system when they own an open 'Classified' case, and their access to the system is removed at all other times. They would like to implement SAML SSO eith Salesforce as the Idp, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open 'Classified' case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying the access to the classified information system based on the open 'classified' case record criteria?

• Use Salesforce reports to identify users that currently owns open 'Classified' cases and should be granted access to the Classified information system.
• Use Apex trigger on case to dynamically assign permission Sets that Grant access when an user is assigned with an open 'Classified' case, and remove it when the case is closed.
• Use Custom SAML JIT Provisioning to dynamically query the user's open 'Classified' cases when attempting to access the classified information system.
• Use a Common Connected App Handler using Apex to dynamically allow access to the system based on whether the staff owns any open 'Classified' Cases.

Universal containers(UC) has a customer Community that uses Facebook for authentication. UC would like to ensure that changes in the Facebook profile are reflected on the appropriate customer Community user. How can this requirement be met?

• Use the updateuser() method on the registration handler class.
• Use SAML just-in-time provisioning between Facebook and Salesforce
• Use information in the signed request that is received from Facebook.
• Develop a schedule job that calls out to Facebook on a nightly basis.

Northern Trail Outfitters (NTO) has an existing custom business-to-consumer (B2C) website that does NOT support single sign-on standards, such as Security Assertion Markup Language (SAMi) or OAuth. NTO wants to use Salesforce Identity to register and authenticate new customers on the website.Which two Salesforce features should an identity architect use in order to provide username/password authentication for the website?Choose 2 answers

• Identity Connect
• Delegated Authentication
• Connected Apps
• Embedded Login