Northern Trail Outfitters (NTO) is launching a new sportswear brand on its existing consumer portal built on Salesforce Experience Cloud. As part of the launch, emails with promotional links will be sent to existing customers to log in and claim a discount. The marketing manager would like the portal dynamically branded so that users are directed to the brand link they clicked on; otherwise, users see a recognizable NTO-branded page. The campaign is launching quickly, so there is no time to procure any additional licenses. However, the development team is available to apply any required changes to the portal.
Which approach should the identity architect recommend?
A. Create a full sandbox to replicate the portal site and update the branding accordingly.
B. Implement Experience ID in the code and extend the URLs and endpoints, as required.
C. Use Heroku to build the new brand site and embedded login to reuse identities.
D. Configure an additional community site on the same org that is dedicated to the new brand.
Explanation
To brand the portal dynamically so that each user lands on the brand whose link they clicked, the identity architect should recommend implementing Experience ID in the code and extending the URLs and endpoints as required. Experience ID is a parameter (passed as expid on the site's login, self-registration and related URLs, and readable in Apex with Site.getExperienceId()) that identifies a brand or experience within a single Experience Cloud site (formerly known as a Community).
Dynamic branding lets an Experience Cloud site show different branding elements, such as logos, colors, or images, based on the Experience ID or other criteria. Because the value arrives in the URL, treat it as untrusted input: resolve it against a fixed list of known brands and fall back to the default NTO branding for anything else, rather than using it directly to build resource paths. Implementing Experience ID in code gives a consistent, personalized brand experience per user without creating additional sites, sandboxes, or licenses, which fits the timeline and the development capacity available.
References: Experience ID, Dynamic Branding for Experience Cloud Sites
Northern Trail Outfitters manages application functional permissions centrally as Active Directory groups. The CRM_SuperUser and CRM_Reporting_SuperUser groups should respectively give the user the SuperUser and Reporting_SuperUser permission set in Salesforce. Salesforce is the service provider to a Security Assertion Markup Language (SAML) identity provider.
How should an identity architect ensure the Active Directory groups are reflected correctly when a user accesses Salesforce?
A. Use the Apex Just-in-Time handler to query standard SAML attributes and set permission sets.
B. Use the Apex Just-in-Time handler to query custom SAML attributes and set permission sets.
C. Use a login flow to query custom SAML attributes and set permission sets.
D. Use a login flow to query standard SAML attributes and set permission sets.
Universal Containers is implementing Salesforce Identity to broker authentication from its enterprise single sign-on (SSO) solution through Salesforce to third party applications using SAML.
What role does Salesforce Identity play in its relationship with the enterprise SSO system?
A. Identity Provider (IdP)
B. Resource Server
C. Service Provider (SP)
D. Client Application
Explanation: Salesforce is acting as a broker: it accepts a SAML assertion from the enterprise SSO system and in turn issues SAML assertions to the third-party applications. Relative to the enterprise SSO system, Salesforce Identity is therefore the Service Provider (SP): the enterprise SSO system is the Identity Provider (IdP) that authenticates the user and asserts the identity, and Salesforce relies on that assertion. Relative to the third-party applications, Salesforce plays the opposite role, acting as their IdP, and each application is an SP of Salesforce. Resource Server and Client Application are OAuth roles, not SAML roles, and do not describe this relationship. References: SAML Single Sign-On Settings, Authorize Apps with OAuth
Universal Containers is considering using Delegated Authentication as the sole means of authenticating Salesforce users. A Salesforce Architect has been brought in to assist with the implementation. What two risks should the Architect point out? Choose 2 answers
A. Delegated Authentication is enabled or disabled for the entire Salesforce org.
B. UC will be required to develop and support a custom SOAP web service.
C. Salesforce users will be locked out of Salesforce if the web service goes down.
D. The web service must reside on a public cloud service, such as Heroku.
Universal Containers (UC) wants to use Salesforce for sales orders and a legacy system for order fulfillment. The legacy system must update the status of orders in Salesforce in real time as they are fulfilled. UC decides to use OAuth for connecting the legacy system to Salesforce. What OAuth flow should be considered that doesn't require storing credentials, a client secret or refresh tokens?
A. Web Server flow
B. JWT Bearer Token flow
C. Username-Password flow
D. User Agent flow
Universal Containers wants to build a custom mobile app connecting to Salesforce using OAuth, and would like to restrict the types of resources mobile users can access. What OAuth feature of Salesforce should be used to achieve the goal?
A. Access Tokens
B. Mobile pins
C. Refresh Tokens
D. Scopes
Explanation: The OAuth feature of Salesforce that restricts the types of resources mobile users can access is scopes. Scopes are parameters that declare the level of access the mobile app requests from Salesforce when it obtains an OAuth token; typical values are api, web, full, refresh_token, and openid. The scopes selected on the connected app are the ceiling: the app may request a subset at authorization time, and the resulting access token cannot be used beyond what was granted. Note that scopes limit which interfaces the token can reach, not which records the user can see; record access still follows the user's profile, permission sets, and sharing rules. By configuring scopes in the connected app settings, Universal Containers controls what the mobile app can do with the OAuth token and protects against unauthorized or excessive access.
In a typical SSL setup involving a trusted party and trusting party, what consideration should an Architect take into account when using digital certificates?
A. Use of self-signed certificate leads to lower maintenance for trusted party because multiple self-signed certs need to be maintained.
B. Use of self-signed certificate leads to higher maintenance for trusted party because they have to act as the trusted CA
C. Use of self-signed certificate leads to lower maintenance for trusting party because there is no trusted CA cert to maintain.
D. Use of self-signed certificate leads to higher maintenance for trusting party because the cert needs to be added to their truststore.
Explanation: D is correct. In this terminology the trusted party is the side presenting the certificate (the server), and the trusting party is the side that must decide whether to accept it (the client or browser). A CA-issued certificate chains to a root that is already in the client's truststore, so the client needs no extra work. A self-signed certificate chains to nothing, so every trusting party has to import that specific certificate into its truststore, and has to do so again each time the certificate is rotated or expires; until it does, the client sees a warning or a hard connection failure. With many clients, that per-client distribution and re-distribution is the maintenance cost.
A is incorrect and self-contradictory: maintaining multiple self-signed certificates is more work, not less, and that work falls on the trusting parties that hold the truststores, not on the trusted party presenting the certificate.
B is incorrect because presenting a self-signed certificate does not make the trusted party a CA for anyone else; it only signs its own certificate. The trusted CA role (issuing and vouching for other parties' certificates from a root already distributed in truststores) is exactly what a self-signed certificate lacks.
C is incorrect because the trusting party still has something to maintain: the self-signed certificate itself becomes the trust anchor in its truststore and must be kept current.
IT security at Universal Containers (UC) is concerned about recent phishing scams targeting its users and wants to add additional layers of login protection. What should an Architect recommend to address the issue?
A. Use the Salesforce Authenticator mobile app with two-step verification
B. Lock sessions to the IP address from which they originated.
C. Increase Password complexity requirements in Salesforce.
D. Implement Single Sign-on using a corporate Identity store.
Explanation: The Salesforce Authenticator mobile app adds a second factor to login. Users approve or deny push notifications for login attempts and other account activity, and can let trusted locations approve automatically. This blocks an attacker who has only phished the password, which is the gap the question describes. Two caveats: push approval can still be defeated by an adversary relaying the login in real time, or by repeated prompts until the user taps approve, so users should be told to deny unexpected prompts; the phishing-resistant option among Salesforce's MFA methods is a WebAuthn security key. Options B and C do not add a second factor, and D by itself moves the password to the corporate store without adding one. References: Salesforce Authenticator, Salesforce Authenticator: Mobile App Security Features
Universal Containers (UC) has a mobile application that it wants to deploy to all of its Salesforce users, including Customer Community users. UC would like to minimize the administration overhead. Which two items should an architect recommend? Choose 2 answers
A. Enable the "Refresh Tokens is valid until revoked " setting in the Connected App.
B. Enable the "Enforce Ip restrictions" settings in the connected App.
C. Enable the "All users may self-authorize" setting in the Connected App.
D. Enable the "High Assurance session required" setting in the Connected App.
A group of users try to access one of Universal Containers' Connected Apps and receive the following error message: " Failed: Not approved for access." What is the most likely cause of this issue?
A. The Connected App settings "All users may self-authorize" is enabled.
B. The Salesforce Administrators have revoked the OAuth authorization.
C. The Users do not have the correct permission set assigned to them.
D. The use of High Assurance sessions is required for the Connected App.
Universal Containers (UC) has decided to implement a federated single sign-on solution using a third-party IdP. In reviewing the third-party products, they would like to ensure the product supports the automated provisioning and deprovisioning of users. What are the underlying mechanisms that the UC Architect must ensure are part of the product?
A. SOAP API for provisioning; Just-in-Time (JIT) for deprovisioning.
B. Just-in-Time (JIT) for provisioning; SOAP API for deprovisioning.
C. Provisioning API for both provisioning and deprovisioning.
D. Just-in-Time (JIT) for both provisioning and deprovisioning. Answer: D
Explanation: The underlying mechanisms the UC Architect must ensure are part of the product are Just-in-Time (JIT) provisioning and deprovisioning. JIT provisioning creates or updates the user in Salesforce from the attributes in the SAML assertion when the user logs in with single sign-on (SSO); JIT deprovisioning uses the same path, with the IdP sending an assertion that deactivates the user (Salesforce users cannot be deleted, only deactivated). Both run automatically at login, with no manual intervention or separate synchronization job, so the user lifecycle is managed without a separate provisioning API. Two caveats a practitioner should note: JIT only acts when a user logs in, so someone removed from the IdP can no longer obtain an assertion but keeps an active Salesforce record until something deactivates it; and if username/password login remains enabled for SSO users, that active record is still usable, so disable it for federated users. The other options are not valid mechanisms here. SOAP API is a general API for creating, retrieving, updating, and deleting records; it can manage User records, but only through custom code in a separate integration, which is not the automated mechanism the question asks for. "Provisioning API" is not a standard Salesforce term, and no such API handles both provisioning and deprovisioning.
References: Just-in-Time Provisioning for SAML, Just-in-Time Deprovisioning, SOAP API Developer Guide