
Prepare Identity-and-Access-Management-Architect Question Answers Free Update With 100% Exam Passing Guarantee [2024]
Dumps Real Salesforce Identity-and-Access-Management-Architect Exam Questions [Updated 2024]
NEW QUESTION # 109
Northern Trail Outfitters would like to use a portal built on Salesforce Experience Cloud for customer self-service. Guests of the portal be able to self-register, but be unable to automatically be assigned to a contact record until verified. External Identity licenses have been purchased for the project.
After registered guests complete an onboarding process, a flow will create the appropriate account and contact records for the user.
Which three steps should an identity architect follow to implement the outlined requirements?
Choose 3 answers
- A. Customize the self-registration Apex handler to temporarily associate the user to a shared single contact record.
- B. Select the "Configurable Self-Reg Page" option under Login & Registration.
- C. Enable "Allow customers and partners to self-register".
- D. Set jp an external login page and call Salesforce APIs for user creation.
- E. Customize me self-registration Apex handler to create only the user record.
Answer: B,C,E
Explanation:
Explanation
Enabling "Allow customers and partners to self-register" allows guests to create their own user accounts in the portal. Selecting the "Configurable Self-Reg Page" option allows the administrator to customize the self-registration page to capture the required fields. Customizing the self-registration Apex handler to create only the user record prevents the automatic creation of a contact record until verification. References: Enable Self-Registration, Customize Self-Registration
NEW QUESTION # 110
Northern Trail Outfitters want to allow its consumer to self-register on it business-to-consumer (B2C) portal that is built on Experience Cloud. The identity architect has recommended to use Person Accounts.
Which three steps need to be configured to enable self-registration using person accounts?
Choose 3 answers
- A. Under Login and Registration settings, ensure that the default account field is empty.
- B. Set organization-wide default sharing for Contact to Public Read Only.
- C. Contact Salesforce Support to enable person accounts.
- D. Contact Salesforce Support to enable business accounts.
- E. Enable access to person and business account record types under Public Access Settings.
Answer: A,C,E
NEW QUESTION # 111
Universal Containers (UC) uses Salesforce for its customer service agents. UC has a proprietary system for order tracking which supports Security Assertion Markup Language (SAML) based single sign-on. The VP of customer service wants to ensure only active Salesforce users should be able to access the order tracking system which is only visible within Salesforce.
What should be done to fulfill the requirement?
Choose 2 answers
- A. Customize Order Tracking to initiate a REST call to validate users in Salesforce after login.
- B. Setup Salesforce as an identity provider (IdP) for order Tracking.
- C. Set up the Corporate Identity store as an identity provider (IdP) for Order Tracking,
- D. Setup Order Tracking as a Canvas app in Salesforce to POST IdP initiated SAML assertion.
Answer: B,D
Explanation:
Explanation
Single sign-on (SSO) is an authentication method that allows users to access multiple applications with one login and one set of credentials. SAML is an open standard for SSO that uses XML-based messages to exchange authentication and authorization information between an identity provider (IdP) and a service provider (SP). To fulfill the requirement, the following steps should be done:
Setup Salesforce as an identity provider (IdP) for order tracking. An IdP is the system that performs authentication and passes the user's identity and authorization level to the SP, which trusts the IdP and authorizes the user to access the requested resource. To set up Salesforce as an IdP, you need to enable the Identity Provider feature, download the IdP certificate, and configure the SAML settings.
Setup order tracking as a Canvas app in Salesforce to POST IdP initiated SAML assertion. A Canvas app is an application that can be embedded within a Salesforce page and interact with Salesforce data and APIs. To set up order tracking as a Canvas app, you need to create a connected app for order tracking in Salesforce, enable SAML and configure the SAML settings, such as the entity ID, ACS URL, and subject type. You also need to enable IdP initiated SAML assertion POST binding for the connected app, which allows Salesforce to initiate the SSO process by sending a SAML assertion to order tracking.
References:
[SAML Single Sign-On]
[Set Up Your Domain as an Identity Provider]
[Canvas Apps]
[Create a Connected App for Your Canvas App]
[IdP Initiated SAML Assertion POST Binding]
NEW QUESTION # 112
Universal containers(UC) has decided to build a new, highly sensitive application on Force.com platform. The security team at UC has decided that they want users to provide a fingerprint in addition to username/Password to authenticate to this application. How can an architect support fingerprints as a form of identification for salesforce Authentication?
- A. Use custom login flows with callouts to a third-party fingerprint scanning application.
- B. Use an appexchange product that does fingerprint scanning with native salesforce identity confirmation.
- C. Use Delegated Authentication with callouts to a third-party fingerprint scanning application.
- D. Use salesforce Two-factor Authentication with callouts to a third-party fingerprint scanning application.
Answer: A
NEW QUESTION # 113
In an SP-Initiated SAML SSO setup where the user tries to access a resource on the Service Provider, What HTTP param should be used when submitting a SAML Request to the Idp to ensure the user is returned to the intended resourse after authentication?
- A. RedirectURL
- B. DisplayState
- C. RelayState
- D. StartURL
Answer: C
Explanation:
Explanation
The HTTP parameter that should be used when submitting a SAML request to the IdP to ensure the user is returned to the intended resource after authentication is RelayState. RelayState is an optional parameter that can be used to preserve some state information across the SSO process. For example, RelayState can be used to specify the URL of the resource that the user originally requested on the SP before being redirected to the IdP for authentication. After the IdP validates the user's identity and sends back a SAML response, it also sends back the RelayState parameter with the same value as it received from the SP. The SP then uses the RelayState value to redirect the user to the intended resource after validating the SAML response. The other options are not valid HTTP parameters for this purpose. RedirectURL, DisplayState, and StartURL are not standard SAML parameters and they are not supported by Salesforce as SP or IdP. References: [SAML SSO Flows], [RelayState Parameter]
NEW QUESTION # 114
Universal containers(UC) wants to integrate a third-party reward calculation system with salesforce to calculate rewards. Rewards will be calculated on a schedule basis and update back into salesforce. The integration between Salesforce and the reward calculation system needs to be secure. Which are the recommended best practices for using Oauth flows in this scenario? Choose 2 answers
- A. Oauth Username-password flow
- B. Oauth refresh token flow
- C. Oauthjwt bearer token flow
- D. Oauth SAML bearer assertion flow
Answer: C,D
NEW QUESTION # 115
A security architect is rolling out a new multi-factor authentication (MFA) mandate, where all employees must go through a secure authentication process before accessing Salesforce. There are multiple Identity Providers (IdP) in place and the architect is considering how the "Authentication Method Reference" field (AMR) in the Login History can help.
Which two considerations should the architect keep in mind?
Choose 2 answers
- A. Dependency on what is supported by OpenID Connect (OIDC) implementation at IdP.
- B. AMR field shows the authentication methods used at IdP.
- C. Both OIDC and Security Assertion Markup Language (SAML) are supported but AMR must be implemented at IdP.
- D. High-assurance sessions must be configured under Session Security Level Policies.
Answer: B,C
Explanation:
Explanation
The AMR field in the Login History shows the authentication methods used at the IdP level, such as password, MFA, or SSO. Both OIDC and SAML are supported protocols for SSO, but the IdP must implement the AMR attribute and pass it to Salesforce. References: Secure Your Users' Identity, Salesforce Multi-Factor Authentication (MFA) and Single Sign-on (SSO)
NEW QUESTION # 116
Northern Trail Outfitters (NTO) uses the Customer 360 Platform implemented on Salesforce Experience Cloud. The development team in charge has learned of a contactless user feature, which can reduce the overhead of managing customers and partners by creating users without contact information.
What is the potential impact to the architecture if NTO decides to implement this feature?
- A. Contactless user feature is available only with the External Identity license, which can restrict the Experience Cloud functionality available to the user.
- B. If contactless user is upgraded to Community license, the contact record is automatically created and linked to the user record, but not associated with an Account.
- C. Custom registration handler is needed to correctly assign External Identity or Community license for the newly registered contactless user.
- D. Passwordless authentication cannot be supported because the mobile phone receiving one-time password (OTP) needs to match the number on the contact record.
Answer: B
Explanation:
Explanation
According to the Salesforce documentation3, contactless user feature allows creating users without contact information, such as email address or phone number. This reduces the overhead of managing customers and partners who don't need or want to provide their contact information. However, if a contactless user is upgraded to a Community license, a contact record is automatically created and linked to the user record, but not associated with an account. This can impact the architecture of NTO's Customer 360 Platform, as they may need to associate contacts with accounts for reporting or other purposes.
NEW QUESTION # 117
Universal Containers is budding a web application that will connect with the Salesforce API using JWT OAuth Flow.
Which two settings need to be configured in the connect app to support this requirement?
Choose 2 answers
- A. The "api" OAuth scope in the connected app.
- B. The "web" OAuth scope in the connected app,
- C. The "edair_api" OAuth scope m the connected app.
- D. The Use Digital Signature option in the connected app.
Answer: A,D
NEW QUESTION # 118
Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, who use SAML based sign sign-on to login to Salesforce. The default agent profile does not include the Manage User permission. UC wants to dynamically update the agent role and permission sets.
Which two mechanisms are used to provision agents with the appropriate permissions?
Choose 2 answers
- A. Use Login Flow in User Context to update role and permission sets.
- B. Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets.
- C. Use Login Flow in System Context to update role and permission sets.
- D. Use SAML Just-m-Time (JIT) Handler class run as current user to update role and permission sets.
Answer: B,C
Explanation:
Explanation
To dynamically update the agent role and permission sets using Active Directory as the corporate identity provider and Salesforce as the CRM for customer care agents, who use SAML based sign-on to login to Salesforce, the identity architect should use two mechanisms:
Use Login Flow in System Context to update role and permission sets. A Login Flow is a custom post-authentication process that can be used to add additional screens or logic after a user logs in to Salesforce. A System Context is a mode that allows a Login Flow to run as an administrator user with full access to Salesforce data and metadata. By using a Login Flow in System Context, the identity architect can update the agent role and permission sets based on the information from Active Directory or other criteria.
Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets. A SAML JIT handler class is a class that implements the Auth.SamlJitHandler interface and defines how to handle SAML assertions for Just-in-Time (JIT) provisioning. JIT provisioning is a feature that allows Salesforce to create or update user records on the fly when users log in through an external identity provider. By using a SAML JIT handler class run as an admin user, the identity architect can update the agent role and permission sets based on the information from the SAML assertion. References: Login Flows, SAML Just-in-Time Provisioning, Auth.SamlJitHandler Interface
NEW QUESTION # 119
Universal containers (UC) uses a home-grown employee portal for their employees to collaborate. UC decides to use salesforce ideas to allow the employees to post ideas from the employee portal. When clicking some links in the employee portal, the users should be redirected to salesforce, authenticated, and presented with relevant pages. What scope should be requested when using the Oauth token to meet this requirement?
- A. Web
- B. Full
- C. Visualforce
- D. API
Answer: A
Explanation:
Explanation
The web scope should be requested when using the OAuth token to meet this requirement. The web scope allows the user to log in to Salesforce and access the web UI. This is suitable for scenarios where the user is redirected from an external portal to Salesforce and needs to see the relevant pages. Option B is not a good choice because the full scope allows access to all data accessible by the user, including the web UI and the API. This may be unnecessary or insecure for this requirement. Option C is not a good choice because the API scope allows access to the Salesforce API only, not the web UI. This may not meet the requirement of presenting the user with relevant pages. Option D is not a good choice because the visualforce scope allows access to Visualforce pages only, not the entire web UI. This may limit the user's experience and functionality.
References: OAuth 2.0 Web Server Authentication Flow, Digging Deeper into OAuth 2.0 on Force.com
NEW QUESTION # 120
Universal Containers (UC) wants to implement SAML SSO for their internal of Salesforce users using a third-party IdP. After some evaluation, UC decides NOT to SSO set up My Domain for their Salesforce org.
How does that decision impact their SSO implementation?
- A. IdP-initiated SSO will NOT work.
- B. SP-initiated SSO will NOT work
- C. Neither SP- nor IdP-initiated SSO will work.
- D. Either SP- or IdP-initiated SSO will work.
Answer: B
Explanation:
Explanation
This is because without My Domain, Salesforce will not know in advance what Identity Provider (IdP) to use for SSO, since it does not even know yet what Organization the user is trying to log in to1. SP-initiated SSO is the scenario where the user starts with a Salesforce link (login page, deep link, Outlook Sync URL, etc.) and then gets redirected to the IdP for authentication2. Without My Domain, SP-initiated SSO requires that the user do an IdP-initiated SSO at least once first so that Salesforce can set a cookie in their browser identifying the IdP1. The other options are not correct for this question because:
IdP-initiated SSO will work without My Domain, as long as the user starts SSO at the IdP and sends the identity information to Salesforce along with SAML protocol information that identifies the Organization and the IdP2.
Neither SP- nor IdP-initiated SSO will not work is false, as explained above.
Either SP- or IdP-initiated SSO will work is false, as explained above.
References: Considerations for setting up My Domain and SSO - Salesforce, SAML SSO with Salesforce as the Service Provider
NEW QUESTION # 121
Universal containers (UC) does my domain enable in the context of a SAML SSO configuration? Choose 2 answers
- A. Resource deep linking
- B. SSO from salesforce1 mobile app.
- C. App launcher
- D. Login forensics
Answer: A,B
NEW QUESTION # 122
Universal Containers (UC) has an existing e-commerce platform and is implementing a new customer community. They do not want to force customers to register on both applications due to concern over the customers experience. It is expected that 25% of the e-commerce customers will utilize the customer community . The e-commerce platform is capable of generating SAML responses and has an existing REST-ful API capable of managing users. How should UC create the identities of its e-commerce users with the customer community?
- A. Use SAML JIT in the Customer Community to create users when a user tries to login to the community from the e-commerce site.
- B. Use a nightly batch ETL job to sync users between the Customer Community and the e-commerce platform and use SAML to allow SSO.
- C. Use the e-commerce REST API to create users when a user self-register on the customer community and use SAML to allow SSO.
- D. Use the standard Salesforce API to create users in the Community When a User is Created in the e-Commerce platform and use SAML to allow SSO.
Answer: A
Explanation:
Explanation
The best option for UC to create the identities of its e-commerce users with the customer community is to use SAML JIT in the customer community to create users when a user tries to login to the community from the e-commerce site. SAML JIT (Just-in-Time) is a feature that allows Salesforce to create or update user accounts based on the information provided in a SAML assertion from an identity provider (IdP). This feature enables UC to avoid duplicating user registration on both applications and provide a seamless single sign-on (SSO) experience for its customers. The other options are not optimal for this scenario. Using the e-commerce REST API to create users when a user self-registers on the customer community would require the user to register twice, once on the e-commerce site and once on the customer community, which would degrade the customer experience. Using a nightly batch ETL job to sync users between the customer community and the e-commerce platform would introduce a delay in user creation and synchronization, which could cause errors or inconsistencies. Using the standard Salesforce API to create users in the community when a user is created in the e-commerce platform would require UC to write custom code and maintain API integration, which could increase complexity and cost. References: [Just-in-Time Provisioning for SAML], [Single Sign-On],
[SAML SSO Flows]
NEW QUESTION # 123
A global fitness equipment manufacturer is planning to sell fitness tracking devices and has the following requirements:
1) Customer purchases the device.
2) Customer registers the device using their mobile app.
3) A case should automatically be created in Salesforce and associated with the customer's account in cases where the device registers issues with tracking.
Which OAuth flow should be used to meet these requirements?
- A. OAuth 2.0 Asset Token Flow
- B. OAuth 2.0 Username-Password Flow
- C. OAuth 2.0 User-Agent Flow
- D. OAuth 2.0 SAML Bearer Assertion Flow
Answer: A
Explanation:
Explanation
OAuth 2.0 Asset Token Flow is the flow that allows customers to register their devices with Salesforce and get an access token that can be used to create cases. The other flows are not suitable for this use case.
References: OAuth Authorization Flows Trailblazer Community Documentation
NEW QUESTION # 124
A web service is developed that allows secure access to customer order status on the Salesforce Platform. The service connects to Salesforce through a connected app with the web server flow. The following are the required actions for the authorization flow:
1. User Authenticates and Authorizes Access
2. Request an Access Token
3. Salesforce Grants an Access Token
4. Request an Authorization Code
5. Salesforce Grants Authorization Code
What is the correct sequence for the authorization flow?
- A. 4,5,2, 3, 1
- B. 4, 1, 5, 2, 3
- C. 1, 4, 5, 2, 3
- D. 2, 1, 3, 4, 5
Answer: B
Explanation:
Explanation
The web server flow is an OAuth 2.0 authorization code grant type, which follows this sequence of steps:
The client app requests an authorization code from Salesforce by redirecting the user to the authorization endpoint.
The user authenticates and authorizes access to the client app.
Salesforce grants an authorization code and redirects the user back to the client app.
The client app requests an access token from Salesforce by sending the authorization code to the token endpoint.
Salesforce grants an access token and a refresh token to the client app.
References: OAuth Authorization Flows, Authorize Apps with OAuth
NEW QUESTION # 125
Universal Containers (UC) uses Salesforce for its customer service agents. UC has a proprietary system for order tracking which supports Security Assertion Markup Language (SAML) based single sign-on. The VP of customer service wants to ensure only active Salesforce users should be able to access the order tracking system which is only visible within Salesforce.
What should be done to fulfill the requirement?
Choose 2 answers
- A. Setup Order Tracking as a Canvas app in Salesforce to POST IdP initiated SAML assertion.
- B. Customize Order Tracking to initiate a REST call to validate users in Salesforce after login.
- C. Setup Salesforce as an identity provider (IdP) for order Tracking.
- D. Set up the Corporate Identity store as an identity provider (IdP) for Order Tracking,
Answer: C,D
NEW QUESTION # 126
Universal containers (UC) has a mobile application that calls the salesforce REST API. In order to prevent users from having to enter their credentials everytime they use the app, UC has enabled the use of refresh Tokens as part of the salesforce connected App and updated their mobile app to take advantage of the refresh token. Even after enabling the refresh token, Users are still complaining that they have to enter their credentials once a day. What is the most likely cause of the issue?
- A. The refresh token expiration policy is set incorrectly in salesforce
- B. The app is requesting too many access Tokens in a 24-hour period
- C. The Oauth authorizations are being revoked by a nightly batch job.
- D. The users forget to check the box to remember their credentials.
Answer: A
Explanation:
Explanation
The most likely cause of the issue is that the refresh token expiration policy is set incorrectly in Salesforce. A refresh token is a credential that allows a connected app to obtain a new access token when the previous one expires1. The refresh token expiration policy determines how long a refresh token is valid for2. If the policy is set to a short duration, such as 24 hours, the users have to enter their credentials once a day to get a new refresh token. To prevent this, the policy should be set to a longer duration, such as "Refresh token is valid until revoked" or "Refresh token expires after 90 days of inactivity"2.
References: OAuth 2.0 Refresh Token Flow, Manage OAuth Access Policies for a Connected App
NEW QUESTION # 127
What is one of the roles of an Identity Provider in a Single Sign-on setup using SAML?
- A. Revoke token
- B. Consume token
- C. Create token
- D. Validate token
Answer: C
NEW QUESTION # 128
Universal Containers (UC) is looking to build a Canvas app and wants to use the corresponding Connected App to control where the app is visible. Which two options are correct in regards to where the app can be made visible under the Connected App setting for the Canvas app? Choose 2 answers
- A. As part of the body of a Salesforce Knowledge article.
- B. The sidebar of a Salesforce Console as a console component.
- C. Included in the Call Control Tool that's part of Open CTI.
- D. In the mobile navigation menu on Salesforce for Android.
Answer: B,C
Explanation:
Explanation
The sidebar of a Salesforce Console as a console component and included in the Call Control Tool that's part of Open CTI are two options that are correct in regards to where the app can be made visible under the connected app settings for the Canvas app. A Canvas app is an external application that can be embedded within Salesforce using an iframe. A connected app is an application that integrates with Salesforce using APIs and uses OAuth as the authentication protocol. You can control where a Canvas app can be displayed in Salesforce by configuring the locations in the connected app settings. The sidebar of a Salesforce Console as a console component is a valid location for a Canvas app because it allows you to display the app as a collapsible panel on the side of any console app. Included in the Call Control Tool that's part of Open CTI is a valid location for a Canvas app because it allows you to display the app as part of the softphone panel that integrates with your telephony system. As part of the body of a Salesforce Knowledge article is not a valid location for a Canvas app because it is not supported by the connected app settings. In the mobile navigation menu on Salesforce for Android is not a valid location for a Canvas app because it is not supported by the connected app settings. References: : [Canvas Developer Guide] : [Connected Apps Overview] : [Add or Remove Components from Your Console Apps] : [Open CTI Developer Guide]
NEW QUESTION # 129
An identity architect has been asked to recommend a solution that allows administrators to configure personalized alert messages to users before they land on the Experience Cloud site (formerly known as Community) homepage.
What is recommended to fulfill this requirement with the least amount of customization?
- A. Use Login Flows to add a screen that shows personalized alerts.
- B. Build a Lightning web Component (LWC) for a homepage that shows custom alerts.
- C. Customize the registration handler Apex class to create a routing logic navigating to different home pages based on the user profile.
- D. Create custom metadata that stores user alerts and use a LWC to display alerts.
Answer: A
Explanation:
Explanation
Login Flows are custom post-authentication processes that can be used to add additional screens or logic after a user logs in to Salesforce. Login Flows can be used to show personalized alert messages to users based on their profile or other criteria before they land on the Experience Cloud site homepage. Login Flows require minimal customization and can be configured using Visual Workflow or Apex. References: Login Flows, Customizing User Authentication with Login Flows
NEW QUESTION # 130
......
Salesforce Certified Identity and Access Management Architect certification exam is a challenging exam that requires candidates to have a deep understanding of the concepts and principles of identity and access management. Candidates will need to demonstrate their knowledge of authentication and authorization protocols, identity federation, access control, and other related topics. Identity-and-Access-Management-Architect exam consists of multiple-choice questions and is timed. Candidates will need to score at least 65% to pass the exam.
Identity-and-Access-Management-Architect Exam Dumps, Identity-and-Access-Management-Architect Practice Test Questions: https://www.troytecdumps.com/Identity-and-Access-Management-Architect-troytec-exam-dumps.html
Free Identity-and-Access-Management-Architect Exam Dumps to Pass Exam Easily: https://drive.google.com/open?id=1tkLBgUUgjasqLuTwWENII6tuPdFXI35F