
2024 Latest Salesforce Identity-and-Access-Management-Architect Real Exam Dumps PDF
Identity-and-Access-Management-Architect Exam Dumps, Identity-and-Access-Management-Architect Practice Test Questions
To earn this certification, candidates must demonstrate their knowledge and skills in various areas, including identity architecture design, access management, data security, and governance. Successful candidates will also have experience with Salesforce's Identity and Access Management (IAM) solutions, such as SSO, OAuth, and Identity Connect.
The Salesforce Identity-and-Access-Management-Architect exam is designed for professionals who have extensive knowledge and experience in managing identity and access in Salesforce environments. The Salesforce Certified Identity and Access Management Architect certification is ideal for individuals who are responsible for designing, implementing, and managing identity and access solutions for Salesforce customers. The Identity-and-Access-Management-Architect exam tests the candidate's knowledge in areas such as identity and access management architecture, integration, governance, and security.
NEW QUESTION # 32
Universal Containers (UC) is building an authenticated Customer Community for its customers. UC does not want customer credentials stored in Salesforce and is confident its customers would be willing to use their social media credentials to authenticate to the community. Which two actions should an Architect recommend that UC take?
- A. Configure an Authentication Provider for LinkedIn Social Media Accounts.
- B. Use Delegated Authentication to call the Twitter login API to authenticate users.
- C. Configure SSO Settings For Facebook to serve as a SAML Identity Provider.
- D. Create a Custom Apex Registration Handler to handle new and existing users.
Answer: A,D
NEW QUESTION # 33
Universal Containers (UC) has built a custom time tracking app for its employees. UC wants to leverage Salesforce Identity to control access to the custom app.
At a minimum, which Salesforce license is required to support this requirement?
- A. Identity Only
- B. External Identity
- C. Identity Verification
- D. Identity Connect
Answer: A
Explanation:
To use Salesforce Identity to control access to the custom time tracking app, the identity architect should use the Identity Only license. The Identity Only license is a license type that enables users to access external applications that are integrated with Salesforce using single sign-on (SSO) or delegated authentication, but not access Salesforce objects or data. The other license types are not relevant for this scenario. References:
Identity Only License, User Licenses
NEW QUESTION # 34
A real estate company wants to provide its customers a digital space to design their interior decoration options.
To simplify the registration to gain access to the community site (built in Experience Cloud), the CTO has requested that the IT/Development team provide the option for customers to use their existing social-media credentials to register and access.
The IT lead has approached the Salesforce Identity and Access Management (IAM) architect for technical direction on implementing the social sign-on (for Facebook, Twitter, and a new provider that supports standard OpenID Connect (OIDC)).
Which two recommendations should the Salesforce IAM architect make to the IT Lead?
Choose 2 answers
- A. Apex coding skills are needed for registration handler to create and update users.
- B. Use declarative registration handler process builder/flow to create, update users and contacts.
- C. For supporting OIDC it is necessary to enable Security Assertion Markup Language (SAML) with Just-in-Time provisioning (JIT) and OAuth 2.0.
- D. Authentication provider configuration is required for each social sign-on provider; then enable the authentication providers in the community.
Answer: A,D
Explanation:
Authentication provider configuration and Apex coding skills are two recommendations that the Salesforce IAM architect should make to the IT Lead. Authentication providers are used to configure social sign-on providers, such as Facebook, Twitter, and any OpenID Connect compliant provider. Apex coding skills are needed for registration handlers, which are custom classes that create and update users based on social sign-on data. References: Authentication Providers, Registration Handlers
NEW QUESTION # 35
An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The following are the requirements for the solution:
1. Users should not have to login every time they use the app.
2. The app should be able to make calls to the Salesforce REST API.
3. End users should NOT see the OAuth approval page.
How should the identity architect configure the Salesforce connected app to meet the requirements?
- A. Enable the API Scope and Offline Access Scope, upload a certificate so JWT Bearer Flow can be used and then set the connected app access settings to "Admin Pre-Approved".
- B. Enable the Full Access Scope and then set the connected app access settings to "Admin Pre-Approved".
- C. Enable the API Scope and Offline Access Scope on the connected app, and then set the connected app to access settings to 'Admin Pre-Approved".
- D. Enable the API Scope and Offline Access Scope on the connected app, and then set the Connected App access settings to "User may self authorize".
Answer: A
Explanation:
JWT Bearer Flow is an OAuth 2.0 flow that allows a client app to obtain an access token without user interaction. It requires a certificate to sign the JWT and the API and Offline Access scopes to access the Salesforce REST API and refresh the token. The connected app must also be pre-approved by the admin to avoid the OAuth approval page. References: OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration, Authorize an Org Using the JWT Flow
NEW QUESTION # 36
Universal Containers (UC) has decided to use Identity Connect as its identity provider. UC uses Active Directory (AD) and has a team that is very familiar and comfortable with managing AD groups. UC would like to use AD groups to help configure Salesforce users. Which three actions can AD groups control through Identity Connect? Choose 3 answers
- A. Public Group Assignment
- B. Custom permission assignment
- C. Permission sets assignment
- D. Role Assignment
- E. Granting report folder access
Answer: A,C,D
Explanation:
AD groups can control public group assignment, role assignment, and permission set assignment through Identity Connect. Identity Connect is a tool that integrates Microsoft Active Directory (AD) user accounts with Salesforce user records [1]. It allows Salesforce admins to leverage the existing user data and group memberships in AD to automate user provisioning and deprovisioning in Salesforce. Identity Connect can map AD groups to Salesforce public groups, roles, and permission sets, and assign them to users based on their group membership [2]. This way, AD groups can control the access level and visibility of users in Salesforce.
AD groups cannot control granting report folder access or custom permission assignment through Identity Connect. These are not supported features of Identity Connect. Report folder access is controlled by the folder sharing settings in Salesforce. Custom permission assignment is controlled by the custom permission settings in Salesforce. References: Get to Know Identity Connect, Map Your Data, [Folder Sharing], [Custom Permissions]
NEW QUESTION # 37
A financial enterprise is planning to set up a user authentication mechanism to login to the Salesforce system.
Due to regulatory requirements, the CIO of the company wants user administration, including passwords and authentication requests, to be managed by an external system that is only accessible via a SOAP webservice.
Which authentication mechanism should an identity architect recommend to meet the requirements?
- A. Just-in-Time Provisioning
- B. Delegated Authentication
- C. OAuth Web-Server Flow
- D. Identity Connect
Answer: B
Explanation:
Delegated Authentication is an authentication mechanism that allows Salesforce to delegate the authentication process to an external system via a SOAP webservice. The external system can manage the user administration, passwords, and authentication requests. The other options are either not suitable or not supported for this use case. References: Delegated Authentication, FAQs for Delegated Authentication
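Delegated Authentication as described above, as an added example (not Salesforce's or the page's code) of the SOAP endpoint the external system exposes: Salesforce posts an `Authenticate` message carrying `username`, `password` and `sourceIp`, and reads back a single `Authenticated` boolean. The element names and namespaces follow my reading of the delegated authentication WSDL and are assumptions; the user record and the certificate paths are constructed placeholders.

```go
package main

import (
	"crypto/subtle"
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
)

// AuthenticateRequest is the Authenticate message Salesforce POSTs to the endpoint (element
// names assumed from the delegated authentication WSDL; Go matches on local names, so the
// SOAP namespaces do not need to be repeated here).
type AuthenticateRequest struct {
	XMLName  xml.Name `xml:"Envelope"`
	Username string   `xml:"Body>Authenticate>username"`
	Password string   `xml:"Body>Authenticate>password"`
	SourceIP string   `xml:"Body>Authenticate>sourceIp"`
}

// Verifier is the external system's own credential check.
type Verifier func(username, password, sourceIP string) bool

// Decide parses the request and asks the verifier; a parse failure or missing field is a refusal.
func Decide(body []byte, verify Verifier) (bool, error) {
	var req AuthenticateRequest
	if err := xml.Unmarshal(body, &req); err != nil {
		return false, fmt.Errorf("unparseable Authenticate request: %w", err)
	}
	if req.Username == "" || req.Password == "" {
		return false, fmt.Errorf("missing username or password")
	}
	return verify(req.Username, req.Password, req.SourceIP), nil
}

// Response is the AuthenticateResult envelope Salesforce expects (shape assumed from the WSDL);
// only the boolean Authenticated element carries the outcome, never a reason.
func Response(ok bool) string {
	return fmt.Sprintf(`<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body>
<AuthenticateResponse xmlns="urn:authentication.soap.sforce.com"><AuthenticateResult>
<Authenticated>%t</Authenticated></AuthenticateResult></AuthenticateResponse>
</soapenv:Body></soapenv:Envelope>`, ok)
}

// ConstructedVerifier stands in for the corporate credential store with one constructed user
// (a real store holds hashes); the compare is constant-time. sourceIp is the end user's address
// as reported by Salesforce and is available for policy decisions.
func ConstructedVerifier() Verifier {
	users := map[string]string{"jane.doe@example.com": "correct horse battery staple"}
	return func(username, password, _ string) bool {
		want, ok := users[username]
		return ok && subtle.ConstantTimeCompare([]byte(want), []byte(password)) == 1
	}
}

// Handler exposes Decide over HTTP; the request body is capped so a large body cannot exhaust memory.
func Handler(verify Verifier) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 64<<10))
		ok := false
		if err == nil {
			ok, _ = Decide(body, verify)
		}
		w.Header().Set("Content-Type", "text/xml; charset=utf-8")
		io.WriteString(w, Response(ok))
	}
}

func main() {
	// cert.pem and key.pem are placeholders for the server certificate and key; serve over TLS only.
	http.ListenAndServeTLS("127.0.0.1:8443", "cert.pem", "key.pem", Handler(ConstructedVerifier()))
}
```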
NEW QUESTION # 38
Universal Containers (UC) has an existing Salesforce org configured for SP-initiated SAML SSO with their IdP. A second Salesforce org is being introduced into the environment and the IT team would like to ensure they can use the same IdP for the new org. What action should the IT team take while implementing the second org?
- A. Use the same SAML Identity location as the first org.
- B. Use the Salesforce Username as the SAML Identity Type.
- C. Use a different Entity ID than the first org.
- D. Use the same request bindings as the first org.
Answer: C
Explanation:
The Entity ID is a unique identifier for a service provider or an identity provider in SAML SSO. It is used to differentiate between different service providers or identity providers that may share the same issuer or login URL. In Salesforce, the Entity ID is automatically generated based on the organization ID and can be viewed in the Single Sign-On Settings page [1]. If you have a custom domain set up, you can use https://[customDomain].my.salesforce.com as the Entity ID [2]. If you want to use the same IdP for two Salesforce orgs, you need to use different Entity IDs for each org, otherwise the IdP will not be able to distinguish them and may send incorrect assertions. You can also use different certificates, issuers, or login URLs for each org, but using different Entity IDs is the simplest and recommended way [3].
NEW QUESTION # 39
Universal Containers (UC) has implemented SSO according to the diagram below. uses SAML while Salesforce Org 1 uses OAuth 2.0. Users usually start their day by first attempting to log into Salesforce Org 2 and then later in the day, they will log into either the Financial System or CPQ system depending upon their job position. Which two systems are acting as Identity Providers?
- A. Salesforce Org 1
- B. Pingfederate
- C. Salesforce Org 2
- D. Financial System
Answer: A,B
Explanation:
These are the systems that are acting as identity providers (IdPs) in the SSO scenario. An IdP is a trusted provider that enables a customer to use single sign-on (SSO) to access other websites [5]. In this case, Pingfederate and Salesforce Org 1 are the IdPs that authenticate the users and issue SAML assertions or OAuth tokens to the service providers (SPs). The SPs are the websites that host apps and rely on the IdPs for authentication [5]. In this case, Salesforce Org 2, Financial System, and CPQ System are the SPs that receive the SAML assertions or OAuth tokens from the IdPs and grant access to the users.
Option A is incorrect because Financial System is not an IdP, but an SP. It does not authenticate the users, but receives SAML assertions from Pingfederate. Option C is incorrect because Salesforce Org 2 is not an IdP, but an SP. It does not authenticate the users, but receives OAuth tokens from Salesforce Org 1.
References: [5] Identity Providers and Service Providers - Salesforce; [6] Salesforce as Service Provider and Identity Provider for SSO
NEW QUESTION # 40
Universal Containers (UC) is both a Salesforce and Google Apps customer. The UC IT team would like to manage the users for both systems in a single place to reduce administrative burden. Which two optimal ways can the IT team provision users and allow Single Sign-on between Salesforce and Google Apps ? Choose 2 answers
- A. Use Salesforce as the Identity Provider and Google Apps as a Service Provider and configure User Provisioning for Connected Apps.
- B. Use Identity Connect as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.
- C. Build a custom app running on Heroku as the Identity Provider that can sync user information between Salesforce and Google Apps.
- D. Use a third-party product as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.
Answer: A,D
Explanation:
B is correct because a third-party product can act as an Identity Provider (IdP) for both Salesforce and Google Apps and manage the user provisioning from a single place [1][2]. This reduces the administrative burden and provides a consistent user experience.
D is correct because Salesforce can act as an IdP and Google Apps can act as a Service Provider (SP) and they can use SAML or OpenID Connect for Single Sign-on (SSO) [3][4]. Salesforce also supports User Provisioning for Connected Apps, which allows the creation, update, and deactivation of users in Google Apps based on changes in Salesforce.
A is incorrect because building a custom app on Heroku as an IdP is not an optimal way to provision users and allow SSO. It would require more development and maintenance effort than using a third-party product or Salesforce as an IdP.
C is incorrect because Identity Connect is a tool that synchronizes users between Active Directory and Salesforce. It does not support Google Apps as a target system for user provisioning or SSO.
References: [1] Architect Journey: Identity and Access Management Trailmix - Trailhead; [2] Free Salesforce Identity-and-Access-Management-Architect Questions ...; [3] [Single Sign-On Implementation Guide Developer Documentation]; [4] [Social Single Sign-On with OpenID Connect Salesforce Developer YouTube]; [5] [Authorize Apps with OAuth Trailblazer Community Documentation]; [6] Identity Connect Implementation Guide Developer Documentation
NEW QUESTION # 41
Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Access Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee recently was able to log in to NTO's Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory.
What should an identity architect recommend to prevent this from happening in the future?
- A. Setup an identity provider (IdP) to authenticate users using LDAP, set up single sign-on to Salesforce and disable Login Form authentication.
- B. Use a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce.
- C. Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP.
- D. Configure an authentication provider to delegate authentication to the LDAP directory.
Answer: D
Explanation:
Login History allows administrators to view the login attempts of all users in the org, including the status, source IP, login type, and application. This can help identify and troubleshoot any login errors or issues.
References: Login History
NEW QUESTION # 42
Universal Containers (UC) has implemented an SP-initiated SAML flow between an external IdP and Salesforce. A user at UC is attempting to log in to Salesforce1 for the first time and is being prompted for Salesforce credentials instead of being shown the IdP login page. What is the likely cause of the issue?
- A. The user has not configured the Salesforce1 mobile app to use My Domain for login.
- B. The "Redirect to Identity Provider" option has been selected in the My Domain configuration.
- C. The user has not been granted the "Enable Single Sign-on" permission.
- D. The "Redirect to Identity Provider" option has not been selected in the SAML configuration.
Answer: A
NEW QUESTION # 43
Universal Containers (UC) would like to enable self-registration for their Salesforce Partner Community Users. UC wants to capture some custom data elements from the partner user, and based on these data elements, wants to assign the appropriate Profile and Account values.
Which two actions should the Architect recommend to UC?
Choose 2 answers
- A. Modify the CommunitiesSelfRegController to assign the Profile and Account.
- B. Configure Registration for Communities to use a custom Apex Controller.
- C. Modify the SelfRegistration trigger to assign Profile and Account.
- D. Configure Registration for Communities to use a custom Visualforce Page.
Answer: A,B
Explanation:
To enable self-registration for partner community users, UC should modify the CommunitiesSelfRegController class to assign the Profile and Account values based on the custom data elements captured from the partner user. UC should also configure Registration for Communities to use a custom Apex controller that extends the CommunitiesSelfRegController class and overrides the default registration logic [3].
References:
Customize Self-Registration
NEW QUESTION # 44
Universal Containers (UC) has implemented SAML-based Single Sign-on for their Salesforce application and is planning to provide access to Salesforce on mobile devices using the Salesforce1 mobile app. UC wants to ensure that Single Sign-on is used for accessing the Salesforce1 mobile app. Which two recommendations should the architect make? Choose 2 answers
- A. Configure the Salesforce1 app to use the My Domain URL.
- B. Use the existing SAML SSO flow along with the Web server flow.
- C. Use the existing SAML SSO flow along with the user agent flow.
- D. Configure the embedded Web browser to use the My Domain URL.
Answer: A,C
NEW QUESTION # 45
Northern Trail Outfitters manages application functional permissions centrally as Active Directory groups.
The CRM_SuperUser and CRM_Reporting_SuperUser groups should respectively give the user the SuperUser and Reporting_SuperUser permission sets in Salesforce. Salesforce is the service provider to a Security Assertion Markup Language (SAML) identity provider.
How should an identity architect ensure the Active Directory groups are reflected correctly when a user accesses Salesforce?
- A. Use the Apex Just-in-Time handler to query standard SAML attributes and set permission sets.
- B. Use a login flow to query custom SAML attributes and set permission sets.
- C. Use a login flow to query standard SAML attributes and set permission sets.
- D. Use the Apex Just-in-Time handler to query custom SAML attributes and set permission sets.
Answer: D
NEW QUESTION # 46
Universal Containers (UC) operates in Asia, Europe and North America regions. There is one Salesforce org for each region. UC is implementing Customer 360 in Salesforce and has procured External Identity and Customer Community licenses in all orgs.
Customers of UC use Community to track orders and create inquiries. Customers also tend to move across regions frequently.
What should an identity architect recommend to optimize license usage and reduce maintenance overhead?
- A. Merge three orgs into one instance of Salesforce. This will no longer require maintaining three separate copies of the same customer.
- B. Contacts are required since Community access needs to be enabled. Maintenance is a necessary overhead that must be handled via data integration.
- C. Delete contact/ account records and deactivate user if user moves from a specific region; Sync will no longer be required.
- D. Enable Contactless User in all orgs and downgrade users from Experience Cloud license to External Identity license once users have moved out of that region.
Answer: D
Explanation:
To optimize license usage and reduce maintenance overhead for customers who use Community to track orders and create inquiries and tend to move across regions frequently, the identity architect should recommend enabling Contactless User in all orgs and downgrade users from Experience Cloud license to External Identity license once users have moved out of that region. Contactless User is a feature that allows users to access Experience Cloud sites without having a contact record associated with them. External Identity is a license type that enables users to access Experience Cloud sites using social sign-on or single sign-on, but not access Salesforce objects or data. By enabling Contactless User and downgrading users from Experience Cloud license to External Identity license, the identity architect can reduce the number of contacts and licenses needed for each region and avoid data duplication and synchronization issues. References: Contactless User, External Identity License, User Licenses
NEW QUESTION # 47
Universal Containers (UC) has an existing Customer Community. UC wants to expand the self-registration capabilities such that customers receive a different community experience based on the data they provide during the registration process. Which approach should an Architect recommend to UC?
- A. Create separate login flows corresponding to the different community user personas.
- B. Modify the Community pages to utilize specific fields on the User and Contact records.
- C. Create an After Insert Apex trigger on the user object to assign specific custom permissions.
- D. Modify the existing Communities registration controller to assign different profiles.
Answer: B
NEW QUESTION # 48
Universal Containers (UC) employees have Salesforce access from restricted IP ranges only, to protect against unauthorised access. UC wants to roll out the Salesforce1 mobile app and make it accessible from any location.
Which two options should an architect recommend? Choose 2 answers
- A. Use a login flow to bypass the IP range restriction for the mobile app.
- B. Relax the IP restriction in the connected app settings for the Salesforce1 mobile app.
- C. Remove existing restrictions on IP ranges for all types of user access.
- D. Relax the IP restriction with a second factor in the connected app settings for the Salesforce1 mobile app.
Answer: A,B
NEW QUESTION # 49
Universal Containers (UC) is building a custom Innovation platform on their Salesforce instance. The Innovation platform will be written completely in Apex and Visualforce and will use custom objects to store the data. UC would like all users to be able to access the system without having to log in with Salesforce credentials. UC will utilize a third-party IdP using SAML SSO. What is the optimal Salesforce licence type for all of the UC employees?
- A. External Identity Licence.
- B. Salesforce Platform Licence.
- C. Salesforce Licence.
- D. Identity Licence.
Answer: B
Explanation:
The optimal Salesforce license type for all of the UC employees who will access the custom Innovation platform without logging in with Salesforce credentials is the Salesforce Platform license. The Salesforce Platform license allows users to access custom applications built on the Lightning Platform, such as Apex and Visualforce, and use standard objects such as accounts, contacts, reports, dashboards, and custom tabs. It also supports SSO with a third-party identity provider using SAML. Option A is not a good choice because the Identity license is designed for users who need to access Salesforce Identity features, such as identity provider, social sign-on, and user provisioning, but not for users who need to access custom applications. Option B is not a good choice because the Salesforce license is designed for users who need full access to standard CRM and Lightning Platform features, such as leads, opportunities, campaigns, forecasts, and contracts, but it may be unnecessary or expensive for users who only need to access custom applications. Option C is not a good choice because the External Identity license is designed for users who are external to the organization, such as customers or partners, but not for users who are internal employees.
References: Salesforce Help: User License Types, [Salesforce Help: Single Sign-On for Desktop and Mobile Applications using SAML and OAuth]
NEW QUESTION # 50
Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours?
- A. Login Report
- B. Login Forensics
- C. Login History
- D. Login Inspector
Answer: B
NEW QUESTION # 51
Universal Containers wants to implement Single Sign-on for a Salesforce org using an external identity provider and corporate identity store. Which type of authentication flow is required to support deep linking?
- A. Identity-provider-initiated SSO
- B. Service-provider-initiated SSO
- C. Web server Oauth SSO flow.
- D. Start URL on identity provider
Answer: B
Explanation:
Service-provider-initiated SSO is required to support deep linking, which is the ability to direct users to a specific page within Salesforce from a different app. With service-provider-initiated SSO, the user requests a resource from Salesforce (the service provider), which then redirects the user to the identity provider for authentication. After the user is authenticated, the identity provider sends a SAML response back to Salesforce, which then grants access to the requested resource. Web server OAuth SSO flow is used for OAuth 2.0 authentication, not SAML. Identity-provider-initiated SSO is when the user logs in to the identity provider first and then selects a service provider to access. Start URL on identity provider is not a type of authentication flow, but a parameter that can be used to specify the landing page after SSO. References: Certification - Identity and Access Management Architect - Trailhead, Deep Linking, Single Sign On Deep Linking - Salesforce Developer Community
Professionals who hold the Salesforce Certified Identity and Access Management Architect certification are recognized as experts in the field of identity and access management. Salesforce Certified Identity and Access Management Architect certification demonstrates a deep understanding of the Salesforce platform and its security capabilities, as well as the ability to design and implement secure solutions that meet the needs of organizations of all sizes and industries. With this certification, professionals can enhance their career prospects and unlock new opportunities in the rapidly growing field of Salesforce consulting and implementation.