Identity-and-Access-Management-Architect Exam Questions

Total 255 Questions


Last Updated On : 17-Feb-2025



Preparing with Identity-and-Access-Management-Architect practice test is essential to ensure success on the exam. This Salesforce test allows you to familiarize yourself with the Identity-and-Access-Management-Architect exam questions format and identify your strengths and weaknesses. By practicing thoroughly, you can maximize your chances of passing the Salesforce certification exam on your first attempt.

Northern Trail Outfitters (NTO) has an existing custom business-to-consumer (B2C) website that does NOT support single sign-on standards, such as Security Assertion Markup Language (SAML) or OAuth. NTO wants to use Salesforce Identity to register and authenticate new customers on the website.
Which two Salesforce features should an identity architect use in order to provide username/password authentication for the website?
Choose 2 answers


A. Identity Connect


B. Delegated Authentication


C. Connected Apps


D. Embedded Login





B.
  Delegated Authentication

D.
  Embedded Login

Explanation: To register and authenticate new customers on the website using Salesforce Identity, the identity architect should use Delegated Authentication and Embedded Login. Delegated Authentication is a feature that allows Salesforce to delegate the authentication process to an external service, such as a custom website, instead of validating the username and password internally. Embedded Login is a feature that allows Salesforce to embed a login widget into any web page, such as a custom website, to enable users to log in with their Salesforce credentials. The other options are not relevant for this scenario. References: Delegated Authentication, Embedded Login

Universal Containers (UC) has implemented an SP-initiated SAML flow between an external IdP and Salesforce. A user at UC is attempting to log in to Salesforce1 for the first time and is being prompted for Salesforce credentials instead of being shown the IdP login page. What is the likely cause of the issue?


A. The "Redirect to Identity Provider" option has been selected in the My Domain configuration.


B. The user has not configured the Salesforce1 mobile app to use My Domain for login.


C. The "Redirect to Identity Provider" option has not been selected in the SAML configuration.


D. The user has not been granted the "Enable Single Sign-On" permission.





B.
  The user has not configured the Salesforce1 mobile app to use My Domain for login.

Universal Containers (UC) wants to implement SAML SSO for their internal Salesforce users using a third-party IdP. After some evaluation, UC decides NOT to set up My Domain for their Salesforce org. How does that decision impact their SSO implementation?


A. IdP-initiated SSO will NOT work.


B. Neither SP- nor IdP-initiated SSO will work.


C. Either SP- or IdP-initiated SSO will work.


D. SP-initiated SSO will NOT work





D.
  SP-initiated SSO will NOT work

Explanation: This is because without My Domain, Salesforce will not know in advance which Identity Provider (IdP) to use for SSO, since it does not even know yet which Organization the user is trying to log in to [1]. SP-initiated SSO is the scenario where the user starts with a Salesforce link (login page, deep link, Outlook Sync URL, etc.) and then gets redirected to the IdP for authentication [2]. Without My Domain, SP-initiated SSO requires that the user do an IdP-initiated SSO at least once first so that Salesforce can set a cookie in their browser identifying the IdP [1]. The other options are not correct for this question because:
IdP-initiated SSO will work without My Domain, as long as the user starts SSO at the IdP and sends the identity information to Salesforce along with SAML protocol information that identifies the Organization and the IdP [2].
"Neither SP- nor IdP-initiated SSO will work" is false, as explained above. "Either SP- or IdP-initiated SSO will work" is false, as explained above.

Universal Containers (UC) has a mobile application that calls the Salesforce REST API. In order to prevent users from having to enter their credentials every time they use the app, UC has enabled the use of refresh tokens as part of the Salesforce connected app and updated their mobile app to take advantage of the refresh token. Even after enabling the refresh token, users are still complaining that they have to enter their credentials once a day. What is the most likely cause of the issue?


A. The OAuth authorizations are being revoked by a nightly batch job.


B. The refresh token expiration policy is set incorrectly in Salesforce.


C. The app is requesting too many access tokens in a 24-hour period.


D. The users forget to check the box to remember their credentials.





B.
  The refresh token expiration policy is set incorrectly in Salesforce.

Explanation: The most likely cause of the issue is that the refresh token expiration policy is set incorrectly in Salesforce. A refresh token is a credential that allows a connected app to obtain a new access token when the previous one expires [1]. The refresh token expiration policy determines how long a refresh token is valid for [2]. If the policy is set to a short duration, such as 24 hours, the users have to enter their credentials once a day to get a new refresh token. To prevent this, the policy should be set to a longer duration, such as "Refresh token is valid until revoked" or "Refresh token expires after 90 days of inactivity" [2]. References: [1] OAuth 2.0 Refresh Token Flow, [2] Manage OAuth Access Policies for a Connected App

Universal Containers (UC) uses Salesforce for its customer service agents. UC has a proprietary system for order tracking which supports Security Assertion Markup Language (SAML) based single sign-on. The VP of customer service wants to ensure only active Salesforce users should be able to access the order tracking system which is only visible within Salesforce.
What should be done to fulfill the requirement?
Choose 2 answers


A. Set up Salesforce as an identity provider (IdP) for Order Tracking.


B. Set up the corporate identity store as an identity provider (IdP) for Order Tracking.


C. Customize Order Tracking to initiate a REST call to validate users in Salesforce after login.


D. Set up Order Tracking as a Canvas app in Salesforce to POST an IdP-initiated SAML assertion.





A.
  Set up Salesforce as an identity provider (IdP) for Order Tracking.

D.
  Set up Order Tracking as a Canvas app in Salesforce to POST an IdP-initiated SAML assertion.

Universal Containers (UC) is rolling out a new Customer Identity and Access Management solution that will be built on top of its existing Salesforce instance.
Several service providers have been set up and integrated with Salesforce using OpenID Connect to allow for a seamless single sign-on experience. UC has a requirement to limit user access to only a subset of service providers per customer type.

Which two steps should be done on the platform to satisfy the requirement? Choose 2 answers


A. Manage which connected apps a user has access to by assigning authentication providers to the user’s profile.


B. Assign the connected app to the customer community, and enable the user's profile in the Community settings.


C. Use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps.


D. Set each of the Connected App access settings to Admin Pre-Approved.





C.
  Use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps.

D.
  Set each of the Connected App access settings to Admin Pre-Approved.

Explanation: To limit user access to only a subset of service providers per customer type, the identity architect should use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps. Connected apps are frameworks that enable external applications to integrate with Salesforce using APIs and standard protocols, such as OpenID Connect. By setting each of the Connected App access settings to Admin Pre-Approved, the identity architect can control which users can access which connected apps by assigning profiles or permission sets to the connected apps. The other options are not relevant for this scenario. References: Connected Apps, Manage Connected Apps

Universal Containers (UC) has multiple Salesforce orgs and would like to use a single identity provider to access all of their orgs. How should UC's architect enable this behavior?


A. Ensure that users have the same email value in their user records in all of UC's Salesforce orgs.


B. Ensure the same username is allowed in multiple orgs by contacting Salesforce Support.


C. Ensure that users have the same Federation ID value in their user records in all of UC's Salesforce orgs.


D. Ensure that users have the same alias value in their user records in all of UC's Salesforce orgs.





C.
  Ensure that users have the same Federation ID value in their user records in all of UC's Salesforce orgs.

Universal Containers (UC) plans to use a SAML-based third-party IdP serving both the Salesforce Partner Community and the corporate portal. UC partners will log in to the corporate portal to access protected resources, including links to Salesforce resources.
What would be the recommended way to configure the IdP so that seamless access can be achieved in this scenario?


A. Set up the corporate portal as a Connected App in Salesforce and use the Web server OAuth flow.


B. Configure SP-initiated SSO that passes the SAML token upon Salesforce resource access request.


C. Set up the corporate portal as a Connected App in Salesforce and use the User Agent OAuth flow.


D. Configure IdP-initiated SSO that passes the SAML token upon Salesforce resource access request.





D.
  Configure IdP-initiated SSO that passes the SAML token upon Salesforce resource access request.

Explanation: The recommended way to configure the IdP for seamless access is to use IdP-initiated SSO that passes the SAML token upon Salesforce resource access request. This means that the user logs in to the corporate portal first, and then clicks a link to access a Salesforce resource. The IdP sends a SAML response to Salesforce with the user's identity and other attributes. Salesforce verifies the SAML response and logs the user in to the appropriate Salesforce org and community [1][2]. This way, the user does not have to log in again to Salesforce or enter any credentials [3]. References: [1] SAML SSO with Salesforce as the Service Provider; [2] Set Up Single Sign-On for Your Internal Users Unit | Salesforce - Trailhead; [3] What is IdP-Initiated Single Sign-On? – OneLogin

Universal Containers (UC) uses a legacy Employee portal for their employees to collaborate. Employees access the portal from their company's internal website via SSO. It is set up to work with SiteMinder and Active Directory. The Employee portal has features to support posting ideas. UC decides to use Salesforce Ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to integrate Employee portal ideas with Salesforce Ideas through the API. What is the role of Salesforce in the context of SSO, based on this scenario?


A. Service Provider, because Salesforce is the application for managing ideas.


B. Connected App, because Salesforce is connected with Employee portal via API.


C. Identity Provider, because the API calls are authenticated by Salesforce.


D. An independent system, because Salesforce is not part of the SSO setup.





D.
  An independent system, because Salesforce is not part of the SSO setup.

Explanation: D is correct because Salesforce is an independent system that is not part of the SSO setup between the Employee portal and Active Directory. Salesforce does not act as an IdP or an SP for the SSO, nor does it use a connected app to integrate with the Employee portal.
Salesforce only exposes its API to allow the Employee portal to access its Ideas feature. A is incorrect because Salesforce is not a service provider for the SSO. The SSO is between the Employee portal and Active Directory, not between the Employee portal and Salesforce.
B is incorrect because Salesforce is not a connected app for the SSO. A connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect [1]. The Employee portal does not use any of these protocols to integrate with Salesforce, but only uses its API.
C is incorrect because Salesforce is not an identity provider for the SSO. The IdP is the system that authenticates users and issues tokens or assertions to allow access to other systems. In this scenario, the IdP is Active Directory, not Salesforce.

Universal Containers (UC) is building a custom employee hub application on Amazon Web Services (AWS) and would like to store their users' credentials there. Users will also need access to Salesforce for internal operations. UC has tasked an identity architect with evaluating different solutions for authentication and authorization between AWS and Salesforce.
How should an identity architect configure AWS to authenticate and authorize Salesforce users?


A. Configure the custom employee app as a connected app.


B. Configure AWS as an OpenID Connect Provider.


C. Create a custom external authentication provider.


D. Develop a custom Auth server in AWS.





B.
  Configure AWS as an OpenID Connect Provider.

Explanation: To authenticate and authorize Salesforce users with AWS, the identity architect should configure AWS as an OpenID Connect Provider. OpenID Connect is a protocol that allows users to sign in with an external identity provider, such as AWS, and access Salesforce resources. To enable this, the identity architect needs to configure an OpenID Connect Authentication Provider in Salesforce and link it to a connected app. The other options are not relevant for this scenario. References: OpenID Connect Authentication Providers, Social Sign-On with OpenID Connect
