Pass Salesforce Identity-and-Access-Management-Architect exam questions - convert Test Engine to PDF [Q90-Q112]


Pass Your Identity-and-Access-Management-Architect Exam Easily - Real Identity-and-Access-Management-Architect Practice Dump Updated Apr 02, 2024

NEW QUESTION # 90
Universal Containers (UC) is implementing Salesforce and would like to establish SAML SSO for its users to log in. UC stores its corporate user identities in a custom database. The UC IT Manager has heard good things about Salesforce Identity Connect as an IdP, and would like to understand what limitations they may face if they decide to use Identity Connect in their current environment. What limitation should an Architect inform the IT Manager about?

  • A. Identity Connect will only support IdP-initiated SAML flows in UC's current environment.
  • B. Identity Connect is not compatible with UC's current identity environment.
  • C. Identity Connect will not support user provisioning in UC's current environment.
  • D. Identity Connect will only support SP-initiated SAML flows in UC's current environment.

Answer: C

Explanation:
Identity Connect will not support user provisioning in UC's current environment. Identity Connect is a tool that synchronizes user data between Active Directory and Salesforce, but it does not work with other identity sources such as a custom database. Therefore, if UC wants to use Identity Connect as an IdP, they will not be able to provision users from their custom database to Salesforce.
Options A, B, and D are incorrect because Identity Connect does not have any limitations on the type of SAML flow or on compatibility with UC's current identity environment: Identity Connect supports both IdP-initiated and SP-initiated SAML flows, and it can act as an IdP for any external service provider that supports SAML 2.0.
References: Identity Connect - Salesforce; SAML SSO Flows - Salesforce; Salesforce Connect: Integration, Benefits, and Limitations


NEW QUESTION # 91
The security team at Universal Containers (UC) has identified exporting reports as a high-risk action and would like to require users to be logged in to Salesforce with their Active Directory (AD) credentials when doing so.
For all other uses of Salesforce, users should be allowed to use AD credentials or Salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials, while maintaining the ability to view reports when logged in with Salesforce credentials?

  • A. Use SAML Federated Authentication and block access to reports when accessed through a standard assurance session.
  • B. Use SAML Federated Authentication with a login flow to dynamically add or remove a permission set that grants the Export Reports permission.
  • C. Use SAML Federated Authentication, treat SAML sessions as high assurance, and raise the session level required for exporting reports.
  • D. Use SAML Federated Authentication and custom SAML JIT provisioning to dynamically add or remove a permission set that grants the Export Reports permission.

Answer: A


NEW QUESTION # 92
Universal Containers (UC) has a Customer Community that uses Facebook for authentication. UC would like to ensure that changes in the Facebook profile are reflected on the appropriate Customer Community user. How can this requirement be met?

  • A. Develop a scheduled job that calls out to Facebook on a nightly basis.
  • B. Use SAML just-in-time provisioning between Facebook and Salesforce.
  • C. Use information in the signed request that is received from Facebook.
  • D. Use the updateUser() method on the registration handler class.

Answer: D


NEW QUESTION # 93
Universal Containers plans to develop a custom mobile app for the sales team that will use Salesforce for authentication and access management. The mobile app access needs to be restricted to only the sales team.
What would be the recommended solution to grant mobile app access to sales users?

  • A. Use the permission set license to assign the mobile app permission to sales users.
  • B. Use a custom attribute on the user object to control access to the mobile app.
  • C. Add a new identity provider to authenticate and authorize mobile users.
  • D. Use connected app OAuth policies to restrict mobile app access to authorized users.

Answer: D


NEW QUESTION # 94
An Architect needs to advise the team that manages the Identity Provider how to differentiate Salesforce from other Service Providers. What SAML SSO setting in Salesforce provides this capability?

  • A. SAML Identity Location
  • B. Entity ID
  • C. Issuer
  • D. Identity Provider Login URL

Answer: B

Explanation:
The Entity ID is the SAML SSO setting in Salesforce that provides the capability to differentiate Salesforce from other service providers. The Entity ID is a unique identifier for the service provider that is sent to the identity provider as part of the SSO request. The identity provider uses the Entity ID to determine which service provider configuration to use and which SAML assertion to send back. The other options are not valid SAML SSO settings for this purpose. The Identity Provider Login URL is the URL of the identity provider's SSO service that Salesforce redirects the user to for authentication. The Issuer is the unique identifier for the identity provider that is sent by the identity provider as part of the SAML response. The SAML Identity Location is the location of the user's identity in the SAML assertion, either in the Subject element or in an Attribute element.
References: Configure SSO with Salesforce as a SAML Service Provider; Set Up Single Sign-On for Your Internal Users


NEW QUESTION # 95
Which two things should be done to ensure end users can only use single sign-on (SSO) to log in to Salesforce?
Choose 2 answers

  • A. Enable My Domain and select "Prevent login from https://login.salesforce.com".
  • B. Assign the user the "Is Single Sign-On Enabled" permission via profile or permission set.
  • C. Request Salesforce Support to enable delegated authentication.
  • D. Once SSO is enabled, users are only able to log in using Salesforce credentials.

Answer: A,B


NEW QUESTION # 96
Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow (this flow uses the OAuth 2.0 implicit grant type).
Which three OAuth concepts apply to this flow?
Choose 3 answers

  • A. Verification Code
  • B. Scopes
  • C. Client ID
  • D. Refresh Token
  • E. Authorization Code

Answer: B,C,D


NEW QUESTION # 97
What item should an Architect consider when designing a Delegated Authentication implementation?

  • A. The web service should use the Salesforce Federation ID to identify the user.
  • B. The web service should be secured with TLS using Salesforce trusted certificates.
  • C. The web service should implement a custom password decryption method.
  • D. The web service should be able to accept one to four input method parameters.

Answer: B

Explanation:
The web service that is used for delegated authentication should be secured with TLS using Salesforce trusted certificates. This ensures that the communication between Salesforce and the external authentication method is encrypted and authenticated. The other options are not relevant for designing a delegated authentication implementation. The web service does not need to accept one to four input method parameters, as it can accept any number of parameters as long as they are wrapped in a SOAP envelope. The web service does not need to use the Salesforce Federation ID to identify the user, as it can use any identifier that is unique and consistent across systems. The web service does not need to implement a custom password decryption method, as it can use any encryption or hashing algorithm that is supported by both systems.
References: Delegated Authentication; Enable 'Delegated Authentication'; Delegated Authentication Flow in Salesforce; FAQs for Delegated Authentication


NEW QUESTION # 98
Which two roles of the systems are involved in an environment where Salesforce users are enabled to access Google Apps from within Salesforce through App Launcher and connected app setup? Choose 2 answers

  • A. Google is the identity provider
  • B. Salesforce is the service provider
  • C. Salesforce is the identity provider
  • D. Google is the service provider

Answer: C,D

Explanation:
In an environment where Salesforce users are enabled to access Google Apps from within Salesforce through App Launcher and connected app setup, Google is the service provider and Salesforce is the identity provider. A service provider is an application that provides a service to users and relies on an identity provider for authentication. A connected app is a service provider that integrates an application with Salesforce using APIs. An identity provider is an application that authenticates users and provides information about them to service providers. The App Launcher is a feature that allows users to access Salesforce, connected, and on-premises apps from one location. In this scenario, Google Apps are connected apps that provide services to Salesforce users, such as Gmail, Google Drive, and Google Calendar. Salesforce is the identity provider that authenticates users and allows them to access Google Apps with their Salesforce credentials using single sign-on (SSO).
References: Identity Provider Overview; Connected Apps Overview; App Launcher; Single Sign-On for Desktop and Mobile Applications using SAML and OAuth


NEW QUESTION # 99
An identity architect has been asked to recommend a solution that allows administrators to configure personalized alert messages to users before they land on the Experience Cloud site (formerly known as Community) homepage.
What is recommended to fulfill this requirement with the least amount of customization?

  • A. Customize the registration handler Apex class to create routing logic that navigates to different home pages based on the user profile.
  • B. Create custom metadata that stores user alerts and use a LWC to display alerts.
  • C. Build a Lightning Web Component (LWC) for a homepage that shows custom alerts.
  • D. Use Login Flows to add a screen that shows personalized alerts.

Answer: D

Explanation:
Login Flows are custom post-authentication processes that can be used to add additional screens or logic after a user logs in to Salesforce. Login Flows can be used to show personalized alert messages to users based on their profile or other criteria before they land on the Experience Cloud site homepage. Login Flows require minimal customization and can be configured using Visual Workflow or Apex.
References: Login Flows; Customizing User Authentication with Login Flows


NEW QUESTION # 100
A company with 15,000 employees is using Salesforce and would like to take the necessary steps to highlight or curb fraudulent activity.
Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours?

  • A. Login History
  • B. Login Inspector
  • C. Login Forensics
  • D. Login Report

Answer: C

Explanation:
To track login data and highlight or curb fraudulent activity, the identity architect should use Login Forensics.
Login Forensics is a tool that analyzes login history data and provides insights into user login patterns, such as the average number of logins, login outliers, login anomalies, and login risk scores. Login Forensics can help identify suspicious or malicious login attempts so that preventive action can be taken.
References: Login Forensics; Login Forensics Implementation Guide


NEW QUESTION # 101
Universal Containers (UC) is concerned that having a self-registration page will provide a means for "bots" or unintended audiences to create user records, thereby consuming licences and adding dirty data. Which two actions should UC take to prevent unauthorised form submissions during the self-registration process? Choose 2 answers

  • A. Use open-ended security questions and complex password requirements.
  • B. Use hidden fields populated via JavaScript events in the self-registration page.
  • C. Require a captcha at the end of the self-registration process.
  • D. Primarily use lookup and picklist fields on the self-registration page.

Answer: B,C

Explanation:
To prevent unauthorized form submissions during the self-registration process, UC should require a captcha at the end of the self-registration process and use hidden fields populated via JavaScript events in the self-registration page. These methods help to verify that the user is a human and not a bot, and also to validate the user's input against some predefined values. Option A is not a good choice because open-ended security questions and complex password requirements may frustrate the user and reduce the conversion rate.
Option D is not a good choice because lookup and picklist fields may not prevent bots from submitting the form, as they can be easily automated or bypassed.
References: Single Sign-On Implementation Guide; Customizing User Authentication with Login Flows


NEW QUESTION # 102
Northern Trail Outfitters would like to automatically create new employee users in Salesforce with an appropriate profile that maps to its Active Directory Department.
How should an identity architect implement this requirement?

  • A. Use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.
  • B. Use a login flow to collect Security Assertion Markup Language attributes and assign the appropriate profile during Just-In-Time (JIT) provisioning.
  • C. Use the createUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.
  • D. Make a callout during the login flow to query department from Active Directory to assign the appropriate profile.

Answer: A


NEW QUESTION # 103
Universal Containers wants to allow its customers to log in to its Experience Cloud via a third party authentication provider that supports only the OAuth protocol.
What should an identity architect do to fulfill this requirement?

  • A. Configure OpenID Connect authentication provider.
  • B. Create a custom external authentication provider.
  • C. Contact Salesforce Support and enable delegate single sign-on.
  • D. Use certificate-based authentication.

Answer: B


NEW QUESTION # 104
Which two roles of the systems are involved in an environment where Salesforce users are enabled to access Google Apps from within Salesforce through App Launcher and connected app setup? Choose 2 answers

  • A. Salesforce is the service provider
  • B. Google is the service provider
  • C. Google is the identity provider
  • D. Salesforce is the identity provider

Answer: A


NEW QUESTION # 105
How should an identity architect automate provisioning and deprovisioning of users into Salesforce from an external system?

  • A. Use Security Assertion Markup Language Just-in-Time (SAML JIT) on incoming SAML assertions.
  • B. Call the OpenID Connect (OIDC) userinfo endpoint with a valid access token.
  • C. Call SOAP API upsert() on the User object.
  • D. Run a registration handler on incoming OAuth responses.

Answer: D


NEW QUESTION # 106
Universal Containers (UC) wants to build a mobile application that will be making calls to the Salesforce REST API. UC's Salesforce implementation relies heavily on custom objects and custom Apex code. UC does not want its users to have to enter credentials every time they use the app. Which two scope values should an Architect recommend to UC? Choose 2 answers

  • A. custom_permissions
  • B. api
  • C. full
  • D. refresh_token

Answer: B,D


NEW QUESTION # 107
Universal Containers (UC) has built a custom token-based two-factor authentication (2FA) system for their existing on-premise applications. They are now implementing Salesforce and would like to enable a two-factor login process for it as well. What is the recommended solution an Architect should consider?

  • A. Replace the custom 2FA system with an AppExchange app that supports on-premise applications and Salesforce.
  • B. Use custom Login Flows to connect to the existing custom 2FA system for use in Salesforce.
  • C. Replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce.
  • D. Use the custom 2FA system for on-premise applications and native 2FA for Salesforce.

Answer: C

Explanation:
The recommended solution for UC to enable a two-factor login process for Salesforce and their existing on-premise applications is to replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce. Salesforce 2FA is a feature that requires users to verify their identity with a second factor, such as a verification code or a mobile app, after entering their username and password. Salesforce 2FA can be enabled for both Salesforce and on-premise applications by using one of the following methods:

  • Use Salesforce Authenticator, a mobile app that generates verification codes or sends push notifications to users' devices.
  • Use a third-party authenticator app, such as Google Authenticator or Microsoft Authenticator, that generates verification codes based on a shared secret key.
  • Use a verification code sent by email or SMS to users' registered email address or phone number.
  • Use a U2F security key, such as YubiKey, that plugs into users' devices and provides a physical token.

By replacing the custom 2FA system with Salesforce 2FA, UC can benefit from the following advantages:

  • Improved security and compliance by using a standard and proven 2FA solution that protects against phishing, credential theft, and brute force attacks.
  • Reduced complexity and cost by eliminating the need to maintain a custom 2FA system and integrate it with Salesforce.
  • Enhanced user experience and convenience by providing multiple options for verifying identity and allowing users to remember trusted devices or browsers.

The other options are not recommended solutions for this scenario. Using the custom 2FA system for on-premise applications and native 2FA for Salesforce would create inconsistency and confusion for users who have to use different methods of verification for different applications. Replacing the custom 2FA system with an AppExchange app that supports on-premise applications and Salesforce would require UC to find an app that meets their specific needs and pay for its license and maintenance. Using custom login flows to connect to the existing custom 2FA system for use in Salesforce would require UC to write custom code and logic to invoke the custom 2FA system from Salesforce, which could introduce security and performance issues.
References: Two-Factor Authentication; Salesforce Authenticator; Third-Party Authenticator Apps; Verification Code via Email or SMS; U2F Security Keys; Custom Login Flows


NEW QUESTION # 108
Universal Containers (UC) has an existing Salesforce org configured for SP-initiated SAML SSO with their IdP. A second Salesforce org is being introduced into the environment and the IT team would like to ensure they can use the same IdP for the new org. What action should the IT team take while implementing the second org?

  • A. Use the same request bindings as the first org.
  • B. Use the Salesforce Username as the SAML Identity Type.
  • C. Use the same SAML Identity location as the first org.
  • D. Use a different Entity ID than the first org.

Answer: D


NEW QUESTION # 109
Universal Containers (UC) has a classified information system that its call center team uses only when they are working on a case with the record type "Classified". They are only allowed to access the system when they own an open "Classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO with Salesforce as the IdP, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "Classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying access to the classified information system based on the open "Classified" case record criteria?

  • A. Use Salesforce reports to identify users that currently own open "Classified" cases and should be granted access to the classified information system.
  • B. Use a custom Connected App Handler using Apex to dynamically allow access to the system based on whether the staff owns any open "Classified" cases.
  • C. Use custom SAML JIT provisioning to dynamically query the user's open "Classified" cases when attempting to access the classified information system.
  • D. Use an Apex trigger on Case to dynamically assign permission sets that grant access when a user is assigned an open "Classified" case, and remove it when the case is closed.

Answer: B


NEW QUESTION # 110
A public sector agency is setting up an identity solution for its citizens using a Community built on Experience Cloud and requires the new user registration functionality to capture first name, last name, and phone number.
The phone number will be used for identity verification.
Which feature should an identity architect recommend to meet the requirements?

  • A. Integrate with social websites (Facebook, LinkedIn, Twitter)
  • B. Use Login Discovery
  • C. Use an external identity provider
  • D. Create a custom Lightning Web Component

Answer: B

Explanation:
Login Discovery allows the administrator to configure a custom login page that collects additional information from users, such as a phone number, and use it for identity verification. Login Discovery can also be used to route users to different identity providers based on their input.
References: Login Discovery; Customize Your Experience Cloud Site Login Process


NEW QUESTION # 111
A large consumer company is planning to create a community and will require login through the customer's social identity. The following requirements must be met:
1. The customer should be able to log in with any of their social identities; however, Salesforce should only have one user per customer.
2. Once the customer has been identified with a social identity, they should not be required to authorize Salesforce.
3. The customer's personal details from the social sign-on need to be captured when the customer logs in to Salesforce using their social identity.
4. If the customer modifies their personal details in the social site, the changes should be updated in Salesforce.
Which two options allow the Identity Architect to fulfill the requirements?
Choose 2 answers

  • A. Use the custom registration handler to link social identities to Salesforce identities.
  • B. Use Login Flows to call an authentication registration handler to provision the user before logging the user into the community.
  • C. Redirect the user to a custom page that allows the user to select an existing social identity for login.
  • D. Use authentication providers for social sign-on and use the custom registration handler to insert or update personal details.

Answer: A,D

Explanation:
To allow customers to log in to the community with any of their social identities, such as Facebook, Google, or Twitter, the identity architect needs to use authentication providers for social sign-on. Authentication providers are configurations that enable users to authenticate with an external identity provider and access Salesforce resources. To ensure that Salesforce has only one user per customer, regardless of how many social identities they have, the identity architect needs to use the custom registration handler to link social identities to Salesforce identities. The custom registration handler is a class that implements the Auth.RegistrationHandler interface and defines how to create or update users in Salesforce based on the information from the external identity provider. The custom registration handler can also be used to insert or update the customers' personal details when they log in to Salesforce using their social identity.
References: Authentication Providers; Social Sign-On with Authentication Providers; Create a Custom Registration Handler


NEW QUESTION # 112
......
