
Identity-and-Access-Management-Architect Pre-Exam Practice Tests | (Updated 245 Questions)
Valid Identity-and-Access-Management-Architect Exam Q&A PDF - One Year Free Update
Salesforce Certified Identity and Access Management Architect certification is ideal for professionals who are looking to advance their careers in the Salesforce ecosystem. Salesforce Certified Identity and Access Management Architect certification is highly valued by employers and clients as it demonstrates an individual's expertise in designing and implementing secure and effective IAM solutions. Salesforce Certified Identity and Access Management Architect certification also validates an individual's ability to integrate Salesforce with other systems and technologies.
Salesforce Identity-and-Access-Management-Architect certification exam is designed for professionals who have expertise in designing and deploying identity and access management solutions for Salesforce. Salesforce Certified Identity and Access Management Architect certification is ideal for those who want to demonstrate their skills and knowledge in managing authentication, authorization, and data security for Salesforce users and applications. Identity-and-Access-Management-Architect exam covers various topics, including identity models, user provisioning, access control, data security, and audit and compliance.
NEW QUESTION # 66
What information does the 'Relaystate' parameter contain in sp-Initiated Single Sign-on?
- A. Reference to a URL redirect parameter at the service provider.
- B. Reference to the login address URL of the service provider.
- C. Reference to a URL redirect parameter at the identity provider.
- D. Reference to the login address URL of the identity Provider.
Answer: A
Explanation:
Explanation
The 'Relaystate' parameter is an HTTP parameter that can be included as part of the SAML request and SAML response. In an SP-initiated sign-in flow, the SP can set the RelayState parameter in the SAML request with additional information about the request, such as the URL of the resource that the user is trying to access.
The IDP should just relay it back in the SAML response without any modification or inspection. Therefore, the
'Relaystate' parameter contains a reference to a URL redirect parameter at the service provider123.
References: 1: single sign on - What is exactly RelayState parameter used in SSO (Ex. SAML)? - Stack Overflow 2: java - How to send current URL as relay state while sending authentication request to IDP - Stack Overflow 3: Understanding SAML | Okta Developer
NEW QUESTION # 67
Sales users at Universal containers use salesforce for Opportunity management. Marketing uses a third-party application called Nest for Lead nurturing that is accessed using username/password. The VP of sales wants to open up access to nest for all sales uses to provide them access to lead history and would like SSO for better adoption. Salesforce is already setup for SSO and uses Delegated Authentication. Nest can accept username/Password or SAML-based Authentication. IT teams have received multiple password-related issues for nest and have decided to set up SSO access for Nest for Marketing users as well. The CIO does not want to invest in a new IDP solution and is considering using Salesforce for this purpose. Which are appropriate license type choices for sales and marketing users, giving salesforce is using Delegated Authentication?
Choose 2 answers
- A. Salesforce license for sales users and Identity license for Marketing users
- B. Salesforce license for sales users and External Identity license for Marketing users
- C. Salesforce license for sales users and platform license for Marketing users.
- D. Identity license for sales users and Identity connect license for Marketing users
Answer: A,C
NEW QUESTION # 68
A web service is developed that allows secure access to customer order status on the Salesforce Platform. The service connects to Salesforce through a connected app with the web server flow. The following are the required actions for the authorization flow:
1. User Authenticates and Authorizes Access
2. Request an Access Token
3. Salesforce Grants an Access Token
4. Request an Authorization Code
5. Salesforce Grants Authorization Code
What is the correct sequence for the authorization flow?
- A. 4,5,2, 3, 1
- B. 1, 4, 5, 2, 3
- C. 4, 1, 5, 2, 3
- D. 2, 1, 3, 4, 5
Answer: C
Explanation:
Explanation
The web server flow is an OAuth 2.0 authorization code grant type, which follows this sequence of steps:
The client app requests an authorization code from Salesforce by redirecting the user to the authorization endpoint.
The user authenticates and authorizes access to the client app.
Salesforce grants an authorization code and redirects the user back to the client app.
The client app requests an access token from Salesforce by sending the authorization code to the token endpoint.
Salesforce grants an access token and a refresh token to the client app.
References: OAuth Authorization Flows, Authorize Apps with OAuth
NEW QUESTION # 69
Universal containers(UC) has implemented SAML-BASED single Sign-on for their salesforce application and is planning to provide access to salesforce on mobile devices using the salesforce1 mobile app. UC wants to ensure that single Sign-on is used for accessing the salesforce1 mobile app. Which two recommendations should the architect make? Choose 2 answers
- A. Use the existing SAML SSO flow along with Web server flow
- B. Use the existing SAML SSO flow along with user agent flow.
- C. Configure the salesforce1 app to use the my domain URL
- D. Configure the embedded Web browser to use my domain URL.
Answer: B,C
NEW QUESTION # 70
Universal Containers (UC) uses Salesforce for its customer service agents. UC has a proprietary system for order tracking which supports Security Assertion Markup Language (SAML) based single sign-on. The VP of customer service wants to ensure only active Salesforce users should be able to access the order tracking system which is only visible within Salesforce.
What should be done to fulfill the requirement?
Choose 2 answers
- A. Set up the Corporate Identity store as an identity provider (IdP) for Order Tracking,
- B. Setup Order Tracking as a Canvas app in Salesforce to POST IdP initiated SAML assertion.
- C. Setup Salesforce as an identity provider (IdP) for order Tracking.
- D. Customize Order Tracking to initiate a REST call to validate users in Salesforce after login.
Answer: A,C
NEW QUESTION # 71
IT security at Unversal Containers (UC) us concerned about recent phishing scams targeting its users and wants to add additional layers of login protection. What should an Architect recommend to address the issue?
- A. Increase Password complexity requirements in Salesforce.
- B. Lock sessions to the IP address from which they originated.
- C. Use the Salesforce Authenticator mobile app with two-step verification
- D. Implement Single Sign-on using a corporate Identity store.
Answer: C
Explanation:
Explanation
The Salesforce Authenticator mobile app adds an extra layer of security for online accounts with two-factor authentication. It allows users to respond to push notifications or use location services to verify their logins and other account activity1. This can help prevent phishing scams and unauthorized access.
References: Salesforce Authenticator, Salesforce Authenticator: Mobile App Security Features, Salesforce Authenticator
NEW QUESTION # 72
Universal Containers (UC) has a classified information system that its call center team uses only when they are working on a case with a record type "Classified". They are only allowed to access the system when they own an open "Classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO with Salesforce as the Idp, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "Classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying access to the classified information system based on the open "classified" case record criteria?
- A. Use Apex trigger on case to dynamically assign permission Sets that Grant access when a user is assigned with an open "Classified" case, and remove it when the case is closed.
- B. Use Salesforce reports to identify users that currently own open "Classified" cases and should be granted access to the Classified information system.
- C. Use Custom SAML JIT Provisioning to dynamically query the user's open "Classified" cases when attempting to access the classified information system.
- D. Use a Common Connected App Handler using Apex to dynamically allow access to the system based on whether the staff owns any open "Classified" Cases.
Answer: C
Explanation:
Explanation
Custom SAML JIT Provisioning allows Salesforce to dynamically create or update user records in the classified information system based on the SAML assertion sent by Salesforce as the IdP. This way, the staff can access the system only when they have an open "Classified" case, and their access is revoked when they don't. Option A is incorrect because Salesforce reports are not a reliable way to grant or revoke access to the system, as they are not updated in real time and may not reflect the current status of the cases. Option B is incorrect because Apex triggers can only assign or remove permission sets within Salesforce, not in an external system. Option D is incorrect because a Common Connected App Handler using Apex is used to customize the behavior of a connected app, not to control access to an external system based on user attributes.
References: Custom SAML JIT Provisioning, Create a Custom Connected App Handler
NEW QUESTION # 73
Universal Containers (UC) has five Salesforce orgs (UC1, UC2, UC3, UC4, UC5). of Every user that is in UC2, UC3, UC4, and UC5 is also in UC1, however not all users 65* have access to every org. Universal Containers would like to simplify the authentication process such that all Salesforce users need to remember one set of credentials. UC would like to achieve this with the least impact to cost and maintenance. What approach should an Architect recommend to UC?
- A. Purchase a third-party Identity Provider for all five Salesforce orgs to use and set up JIT user provisioning on all other orgs.
- B. Configure UC1 as the Identity Provider to the other four Salesforce orgs and set up JIT user provisioning on all other orgs.
- C. Configure UC1 as the Identity Provider to the other four Salesforce orgs, but don't set up JIT user provisioning for other orgs.
- D. Purchase a third-party Identity Provider for all five Salesforce orgs to use, but don't set up JIT user provisioning for other orgs.
Answer: D
NEW QUESTION # 74
Universal Containers (UC) has decided to use Salesforce as an Identity Provider for multiple external applications. UC wants to use the salesforce App Launcher to control the Apps that are available to individual users. Which three steps are required to make this happen?
- A. Set up Identity Connect to Synchronize user data.
- B. Set up Salesforce as a SAML Idp with My Domain.
- C. Add each connected App to the App Launcher with a Start URL.
- D. Set up an Auth Provider for each External Application.
- E. Create a Connected App for each external application.
Answer: B,C,E
NEW QUESTION # 75
Universal containers (UC) is setting up their customer Community self-registration process. They are uncomfortable with the idea of assigning new users to a default account record. What will happen when customers self-register in the community?
- A. The self-registration process will produce an error to the user.
- B. The self-registration process will create a person Account record.
- C. The self-registration page will create a new account record.
- D. The self-registration page will ask user to select an account.
Answer: A
NEW QUESTION # 76
A group of users try to access one of Universal Containers' Connected Apps and receive the following error message: " Failed: Not approved for access." What is the most likely cause of this issue?
- A. The Users do not have the correct permission set assigned to them.
- B. The User of High Assurance sessions are required for the Connected App.
- C. The Salesforce Administrators have revoked the OAuth authorization.
- D. The Connected App settings "All users may self-authorize" is enabled.
Answer: A
NEW QUESTION # 77
Which two considerations should be made when implementing Delegated Authentication?
Choose 2 answers
- A. Just-in-time Provisioning can be configured for new users.
- B. Salesforce servers receive but do not validate a user's credentials.
- C. It can be used to authenticate API clients and mobile apps.
- D. It requires trusted IP ranges at the User Profile level.
- E. The authentication web service can include custom attributes.
Answer: A,C
NEW QUESTION # 78
Containers (UC) has decided to implement a federated single Sign-on solution using a third-party Idp. In reviewing the third-party products, they would like to ensure the product supports the automated provisioning and deprovisioning of users. What are the underlining mechanisms that the UC Architect must ensure are part of the product?
- A. Just-In-time (JIT) for Provisioning; SOAP API for Deprovisioning.
- B. SOAP API for provisioning; Just-in-Time (JIT) for Deprovisioning.
- C. Just-in-Time (JIT) for both Provisioning and Deprovisioning.
- D. Provisioning API for both Provisioning and Deprovisioning.
Answer: C
Explanation:
Just-in-Time (JIT) provisioning and deprovisioning can be used to create, update, or deactivate users in Salesforce based on the information in the SAML assertion sent by the IdP. This way, the user lifecycle can be managed automatically without the need for a separate provisioning API. Reference: [Salesforce Help:
Just-in-Time Provisioning for SAML]
NEW QUESTION # 79
Universal containers wants to set up SSO for a selected group of users to access external applications from salesforce through App launcher. Which three steps must be completed in salesforce to accomplish the goal?
- A. Complete single Sign-on settings in security controls.
- B. Create connected apps for the external applications.
- C. Complete my domain and Identity provider setup.
- D. Create named credentials for each external system.
- E. Associate user profiles with the connected Apps.
Answer: B,C,E
NEW QUESTION # 80
Which two capabilities does My Domain enable in the context of a SAML SSO configuration? Choose 2 answers
- A. Resource deep linking
- B. App Launcher
- C. SSO from Salesforce Mobile App
- D. Login Forensics
Answer: A,C
NEW QUESTION # 81
Universal Containers (UC) has a strict requirement to authenticate users to Salesforce using their mainframe credentials. The mainframe user store cannot be accessed from a SAML provider. UC would also like to have users in Salesforce created on the fly if they provide accurate mainframe credentials.
How can the Architect meet these requirements?
- A. Implement OAuth User-Agent Flow on the mainframe; use a Registration Handler to create the user on the fly.
- B. Use a Salesforce Login Flow to call out to a web service and create the user on the fly.
- C. Use the SOAP API to create the user when created on the mainframe; implement Delegated Authentication.
- D. Implement Just-In-Time Provisioning on the mainframe to create the user on the fly.
Answer: D
NEW QUESTION # 82
After a recent audit, universal containers was advised to implement Two-factor Authentication for all of their critical systems, including salesforce. Which two actions should UC consider to meet this requirement?
Choose 2 answers
- A. Require users to supply their email and phone number, which gets validated.
- B. Require users to use a biometric reader as well as their password
- C. Require users to provide their RSA token along with their credentials.
- D. Require users to enter a second password after the first Authentication
Answer: B,C
Explanation:
Explanation
A is correct because requiring users to provide their RSA token along with their credentials is a form of two-factor authentication. An RSA token is a hardware device that generates a one-time password (OTP) that changes every few seconds. The user needs to enter both their password and the OTP to log in to Salesforce.
D is correct because requiring users to use a biometric reader as well as their password is another form of two-factor authentication. A biometric reader is a device that scans a user's fingerprint, face, iris, or other physical characteristics to verify their identity. The user needs to provide both their password and their biometric data to log in to Salesforce.
B is incorrect because requiring users to supply their email and phone number, which gets validated, is not a form of two-factor authentication. This is a form of identity verification, which is used to confirm that the user owns the email and phone number they provided. However, this does not add an extra layer of protection beyond their password when they log in to Salesforce.
C is incorrect because requiring users to enter a second password after the first authentication is not a form of two-factor authentication. This is a form of single-factor authentication, which only relies on something the user knows (their passwords). This does not increase security against unauthorized account access.
References: 4: Multi-Factor Authentication - Salesforce 5: Salesforce Multi-Factor Authentication 6: Two Factor Authentication - Salesforce India 7: Customer 360 | Increase Productivity - Salesforce UK 8: Secure Salesforce Login Using Two-Factor Authentication and Salesforce ...
NEW QUESTION # 83
Universal Containers (UC) is using its production org as the identity provider for a new Experience Cloud site and the identity architect is deciding which login experience to use for the site.
Which two page types are valid login page types for the site?
Choose 2 answers
- A. lightning Experience Page
- B. Embedded Login Page
- C. Login Discovery Page
- D. Experience Builder Page
Answer: B,C
Explanation:
Explanation
Login Discovery Page and Embedded Login Page are two valid login page types for Experience Cloud sites.
Login Discovery Page allows users to choose their preferred login method, such as username/password, SSO, or social sign-on. Embedded Login Page allows users to log in from any site page without being redirected to a separate login page. References: Login Discovery Page, Embedded Login
NEW QUESTION # 84
Universal Containers (UC) currently uses Salesforce Sales Cloud and an external billing application. Both Salesforce and the billing application are accessed several times a day to manage customers. UC would like to configure single sign-on and leverage Salesforce as the identity provider. Additionally, UC would like the billing application to be accessible from Salesforce. A redirect is acceptable.
Which two Salesforce tools should an identity architect recommend to satisfy the requirements?
Choose 2 answers
- A. salesforce Canvas
- B. App Launcher
- C. Identity Connect
- D. Connected Apps
Answer: A,B
Explanation:
Explanation
Salesforce Canvas is a tool that allows external applications to be embedded into Salesforce as iframes, which can provide a seamless user experience. App Launcher is a feature that allows users to access connected apps from a single location in Salesforce. To enable single sign-on and use Salesforce as the identity provider, the external billing application needs to be configured as a connected app and use an OAuth 2.0 or SAML protocol. Identity Connect is not relevant for this scenario, as it is a tool for synchronizing user data between Salesforce and Active Directory. References: Salesforce Canvas Developer Guide, App Launcher, Connected Apps
NEW QUESTION # 85
Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for NTO to give its customers the ability to login with their Amazon credentials.
What should an identity architect recommend to meet these requirements?
- A. Create a custom external authentication provider for Amazon.
- B. Configure Amazon as a connected app.
- C. Configure an OpenID Connect Authentication Provider for Amazon.
- D. Configure a predefined authentication provider for Amazon.
Answer: C
NEW QUESTION # 86
An Architect has configured a SAML-based SSO integration between Salesforce and an external Identity provider and is ready to test it. When the Architect attempts to log in to Salesforce using SSO, the Architect receives a SAML error. Which two optimal actions should the Architect take to troubleshoot the issue?
- A. Paste the SAML Assertion Validator in Salesforce.
- B. Use a browser that has an add-on/extension that can inspect SAML.
- C. Use the browser's Development tools to view the Salesforce page's markup.
- D. Ensure the Callback URL is correctly set in the Connected Apps settings.
Answer: A,B
NEW QUESTION # 87
Northern Trail Outfitters recently acquired a company. Each company will retain its Identity Provider (IdP).
Both companies rely extensively on Salesforce processes that send emails to users to take specific actions in Salesforce.
How should the combined companys' employees collaborate in a single Salesforce org, yet authenticate to the appropriate IdP?
- A. Have generated links append a querystnng parameter indicating the IdP. The login service will redirect to the appropriate IdP.
- B. Have generated links be prefixed with the appropriate IdP URL to invoke an IdP-initiated Security Assertion Markup Language flow when clicked.
- C. Enable each IdP as a login option in the MyDomain Authentication Service settings. Users will then click on the appropriate IdP button.
- D. Configure unique MyDomains for each company and have generated links use the appropriate MyDomam in the URL.
Answer: C
Explanation:
Explanation
To allow employees to collaborate in a single Salesforce org, yet authenticate to the appropriate IdP, the identity architect should enable each IdP as a login option in the MyDomain Authentication Service settings.
Users will then click on the appropriate IdP button. MyDomain is a feature that allows administrators to customize the Salesforce login URL with a unique domain name. Authentication Service is a setting that allows administrators to enable different authentication options for users, such as social sign-on or single sign-on with an external IdP. By enabling each IdP as a login option in the MyDomain Authentication Service settings, the identity architect can provide a user-friendly and secure way for employees to log in to Salesforce using their preferred IdP. References: MyDomain, Authentication Service
NEW QUESTION # 88
Northern Trail Outfitters (NTO) wants its customers to use phone numbers to log in to their new digital portal, which was designed and built using Salesforce Experience Cloud. In order to access the portal, the user will need to do the following:
1. Enter a phone number and/or email address
2. Enter a verification code that is to be sent via email or text.
What is the recommended approach to fulfill this requirement?
- A. Create a custom login page with an Apex controller. The controller has logic to send and verify the identity.
- B. Create a custom login flow that uses an Apex controller to verify the phone numbers with the company's verification service.
- C. Create a Login Discovery page and provide a Login Discovery Handler Apex class.
- D. Create an Authentication provider and implement a self-registration handler class.
Answer: C
NEW QUESTION # 89
Universal Containers (UC) uses Active Directory (AD) as their identity store for employees and must continue to do so for network access. UC is undergoing a major transformation program and moving all of their enterprise applications to cloud platforms including Salesforct, Workday, and SAP HANA. UC needs to implement an SSO solution for accessing all of the third-party cloud applications and the CIO is inclined to use Salesforce for all of their identity and access management needs.
Which two Salesforce license types does UC need for its employees'
Choose 2 answers
- A. Salesforce and Identity Connect licenses
- B. Company Community and Identity licenses
- C. Chatter Only and Identity licenses
- D. Identity and Identity Connect licenses
Answer: A,D
NEW QUESTION # 90
......
Salesforce Identity-and-Access-Management-Architect certification exam is designed to test an individual's knowledge and skills in the field of identity and access management architecture. Salesforce Certified Identity and Access Management Architect certification is intended for professionals who have experience in designing and implementing identity and access management solutions using Salesforce technologies. Identity-and-Access-Management-Architect exam is ideal for individuals who are responsible for ensuring the security and privacy of sensitive information in their organization.
Salesforce Certified Identity and Access Management Architect Free Update Certification Sample Questions: https://www.prepawayexam.com/Salesforce/braindumps.Identity-and-Access-Management-Architect.ete.file.html
Trend for Salesforce Identity-and-Access-Management-Architect pdf dumps before actual exam: https://drive.google.com/open?id=1Jur2pNRg6RFq3-JsGn6tQwboqPC9M08-