The Up To Date Guide To Identity-and-Access-Management-Architect Free Practice Questions

NEW QUESTION 1
A manufacturer wants to provide registration for an Internet of Things (IoT) device with limited display input or capabilities.
Which Salesforce OAuth authorization flow should be used?

• A. OAuth 2.0 JWT Bearer How
• B. OAuth 2.0 Device Flow
• C. OAuth 2.0 User-Agent Flow
• D. OAuth 2.0 Asset Token Flow

Answer: B

Explanation:
The OAuth 2.0 Device Flow is a type of authorization flow that allows users to register an IoT device with limited display input or capabilities, such as a smart TV, a printer, or a smart speaker1. The device flow works as follows1:
The device displays or reads out a verification code and a verification URL to the user.
The user visits the verification URL on another device, such as a smartphone or a laptop, and enters the verification code.
The user logs in to Salesforce and approves the device.
The device polls Salesforce for an access token using the verification code.
Salesforce returns an access token to the device, which can then access Salesforce APIs.
References:
OAuth 2.0 Device Flow

NEW QUESTION 2
A company wants to provide its employees with a custom mobile app that accesses Salesforce. Users are required to download the internal native IOS mobile app from corporate intranet on their mobile device. The app allows flexibility to access other non-Salesforce internal applications once users authenticate with Salesforce. The apps self-authorize, and users are permitted to use the apps once they have logged into Salesforce.
How should an identity architect meet the above requirements with the privately distributed mobile app?

• A. Use connected app with OAuth and Security Assertion Markup Language (SAML) to access other non-Salesforce internal apps.
• B. Configure Mobile App settings in connected app and Salesforce as identity provider for non-Salesforce internal apps.
• C. Use Salesforce as an identity provider (IdP) to access the mobile app and use the external IdP for other non-Salesforce internal apps.
• D. Create a new hybrid mobile app and use the connected app with OAuth to authenticate users for Salesforce and non-Salesforce internal apps.

Answer: B

Explanation:
Configuring Mobile App settings in connected app and Salesforce as identity provider for non-Salesforce internal apps is the best way to meet the requirements with the privately distributed mobile app. The Mobile App settings allow users to download the app from a private URL and use it with Salesforce credentials. The identity provider settings allow users to access other internal apps with SSO using Salesforce as the IdP. The other options are either not feasible or not optimal for this use case. References: Mobile App Settings, Single Sign-On for Desktop and Mobile Applications using SAML and OAuth

NEW QUESTION 3
Universal Containers (UC) has implemented SAML-based SSO solution for use with their multi-org Salesforce implementation, utilizing one of the the orgs as the Identity Provider. One user is reporting that they can log in to the Identity Provider org but get a generic SAML error message when accessing the other orgs. Which two considerations should the architect review to troubleshoot the issue? Choose 2 answers

• A. The Federation ID must be a valid Salesforce Username
• B. The Federation ID must is case sensitive
• C. The Federation ID must be in the form of an email address.
• D. The Federation ID must be populated on the user record.

Answer: BD

Explanation:
The Federation ID is a field on the user object that is used to link a Salesforce user with an external identity provider. When using SAML SSO, Salesforce matches the Federation ID value with the NameID element in the SAML assertion to identify the user. To troubleshoot the issue of getting a generic SAML error message when accessing the other orgs, the architect should review the following considerations:
The Federation ID must be case sensitive, which means that the value in the user record must match exactly with the value in the SAML assertion. For example, if the Federation ID is “John.Doe”, then “john.doe” or “JOHN.DOE” will not work.
The Federation ID must be populated on the user record, which means that the user must have a value for this field in each org that they want to access via SSO. If the Federation ID is blank or missing, then Salesforce will not be able to match the user with the SAML assertion.

NEW QUESTION 4
Universal containers (UC) built a customer Community for customers to buy products, review orders, and manage their accounts. UC has provided three different options for customers to log in to the customer Community: salesforce, Google, and Facebook. Which two role combinations are represented by the systems in the scenario? Choose 2 answers

• A. Google is the service provider and Facebook is the identity provider
• B. Salesforce is the service provider and Google is the identity provider
• C. Facebook is the service provider and salesforce is the identity provider
• D. Salesforce is the service provider and Facebook is the identity provider

Answer: BD

Explanation:
The two role combinations that are represented by the systems in the scenario are Salesforce as the service provider and Google as the identity provider, and Salesforce as the service provider and Facebook as the identity provider. This means that Salesforce hosts the customer community app and relies on Google or Facebook to authenticate the users who log in with those options4. Therefore, option B and D are the correct answers.
References: Salesforce as Service Provider and Identity Provider for SSO

NEW QUESTION 5
An architect needs to advise the team that manages the identity provider how to differentiate salesforce from other service providers. What SAML SSO setting in salesforce provides this capability?

• A. Entity id
• B. Issuer
• C. Identity provider login URL
• D. SAML identity location

Answer: A

Explanation:
The Entity ID is the SAML SSO setting in Salesforce that provides the capability to differentiate Salesforce from other service providers. The Entity ID is a unique identifier for the service provider that is sent in the SAML request and response messages1. The identity provider uses the Entity ID to determine which service provider is requesting or receiving authentication information2. You can customize the Entity ID for your Salesforce org or Experience Cloud site in the SAML Single Sign-On Settings page3. References: 1: SAML SSO Flows 2: Federated Authentication Using SAML to Log in to Salesforce Org 3: Step 2: Create a SA Single Sign-On Setting in Salesforce

NEW QUESTION 6
What item should an Architect consider when designing a Delegated Authentication implementation?

• A. The Web service should be secured with TLS using Salesforce trusted certificates.
• B. The Web service should be able to accept one to four input method parameters.
• C. The web service should use the Salesforce Federation ID to identify the user.
• D. The Web service should implement a custom password decryption method.

Answer: A

Explanation:
The web service that is used for delegated authentication should be secured with TLS using Salesforce trusted certificates4. This ensures that the communication between Salesforce and the external authentication method is encrypted and authenticated. The other options are not relevant for designing a delegated authentication implementation. The web service does not need to accept one to four input method parameters, as it can accept any number of parameters as long as they are wrapped in a SOAP envelope5. The web service does not need to use the Salesforce Federation ID to identify the user, as it can use any identifier that is unique and consistent across systems6. The web service does not need to implement a custom password decryption method, as it can use any encryption or hashing algorithm that is supported by both systems7. References: Delegated Authentication, Enable ‘Delegated Authentication’, Delegated Authentication Flow in Salesforce, FAQs fo Delegated Authentication

NEW QUESTION 7
Which two statements are capable of Identity Connect? Choose 2 answers

• A. Synchronization of Salesforce Permission Set Licence Assignments.
• B. Supports both Identity-Provider-Initiated and Service-Provider-Initiated SSO.
• C. Support multiple orgs connecting to multiple Active Directory servers.
• D. Automated user synchronization and de-activation.

Answer: BD

Explanation:
The two statements that are capabilities of Identity Connect are:
It supports both identity-provider-initiated and service-provider-initiated SSO. Identity Connect is a desktop application that integrates Salesforce with Microsoft Active Directory (AD) and enables single sign-on (SSO) between the two systems. Identity Connect supports both identity-provider-initiated SSO, which is when the user starts at the AD site and then is redirected to Salesforce with a SAML assertion, and service-provider-initiated SSO, which is when the user starts at the Salesforce site and then is redirected to AD for authentication.
It enables automated user synchronization and deactivation. Identity Connect allows administrators to synchronize user accounts and attributes between AD and Salesforce, either manually or on a scheduled basis. Identity Connect also allows administrators to deactivate user accounts in Salesforce when they are disabled or deleted in AD, which helps maintain security and compliance.
The other options are not capabilities of Identity Connect. Identity Connect does not support synchronization of Salesforce permission set license assignments, as these are not related to AD attributes. Identity Connect does not support multiple orgs connecting to multiple AD servers, as it can only connect one Salesforce org to one AD domain at a time. References: [Identity Connect], [Identity Connect Features], [Identity Connect User Synchronization], [Identity Connect Single Sign-On]

NEW QUESTION 8
Refer to the exhibit.

Outfitters (NTO) is using Experience Cloud as an Identity for its application on Heroku. The application on Heroku should be able to handle two brands, Northern Trail Shoes and Northern Trail Shirts.
A user should select either of the two brands in Heroku before logging into the community. The app then performs Authorization using OAuth2.0 with the Salesforce Experience Cloud site.
NTO wants to make sure it renders login page images dynamically based on the user's brand preference selected in Heroku before Authorization.
what should an identity architect do to fulfill the above requirements?

• A. For each brand create different communities and redirect users to the appropriate community using a custom Login controller written in Apex.
• B. Create multiple login screens using Experience Builder and use Login Flows at runtime to route to different login screens.
• C. Authorize third-party service by sending authorization requests to the community-url/services/oauth2/authorize/cookie_value.
• D. Authorize third-party service by sending authorization requests to thecommunity-url/services/oauth2/authonze/expid_value.

Answer: D

Explanation:
OAuth 2.0 is an open standard for authorization that allows a third-party application to obtain limited access to a protected resource on behalf of a user. To authorize a third-party service using OAuth 2.0 with the Salesforce Experience Cloud site, the identity architect should do the following steps:
Create a connected app for the third-party service in Salesforce. A connected app is an application that integrates with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect. To create a connected app, you need to provide the basic information, such as the app name, logo URL, contact email, and API name. You also need to enable OAuth and configure the OAuth settings, such as the callback URL, the scopes, and the policies.
Authorize the third-party service by sending authorization requests to the
community-url/services/oauth2/authorize/expid_value. This is a special endpoint that allows you to specify an experience ID (expid) as a query parameter in the authorization request. The experience ID is a unique identifier for each experience (community or site) in Salesforce. By using this endpoint, you can dynamically render the login page images based on the user’s brand preference selected in the
third-party service before authorization.
References:
OAuth 2.0
OAuth 2.0 Web Server Authentication Flow
Connected Apps
Create a Connected App
Experience ID
Authorize Apps with OAuth

NEW QUESTION 9
Universal Containers wants to implement Single Sign-on for a Salesforce org using an external Identity Provider and corporate identity store.
What type of authentication flow is required to support deep linking'

• A. Web Server OAuth SSO flow
• B. Service-Provider-Initiated SSO
• C. Identity-Provider-initiated SSO
• D. StartURL on Identity Provider

Answer: B

Explanation:
Single sign-on (SSO) is an authentication method that enables users to access multiple applications with one login and one set of credentials4. There are two types of SSO flows that can be used with Salesforce as the service provider (SP) and an external identity provider (IdP)5:
Service-provider-initiated SSO: The user requests a resource from the SP, such as a Salesforce URL. The SP redirects the user to the IdP for authentication. The IdP authenticates the user and sends a SAML response to the SP. The SP validates the SAML response and grants access to the user5. This type of SSO flow supports deep linking, which means that the user can access a specific page within Salesforce without logging in again6.
Identity-provider-initiated SSO: The user logs in to the IdP and selects an app from a list of available apps. The IdP sends a SAML response to the SP. The SP validates the SAML response and grants access to the user5. This type of SSO flow does not support deep linking, which means that the user can only access the default landing page of Salesforce6.
References:
Single Sign-On
SAML SSO Flows
Deep Linking

NEW QUESTION 10
Northern Trail Outfitters (NTO) is planning to implement a community for its customers using Salesforce Experience Cloud. Customers are not able to self-register. NTO would like to have customers set their own passwords when provided access to the community.
Which two recommendations should an identity architect make to fulfill this requirement? Choose 2 answers

• A. Add customers as contacts and add them to Experience Cloud site.
• B. Enable Welcome emails while configuring the Experience Cloud site.
• C. Allow Password reset using the API to update Experience Cloud site membership.
• D. Use Login Flows to allow users to reset password in Experience Cloud site.

Answer: CD

Explanation:
Allowing password reset using the API and using login flows are two possible ways to enable customers to set their own passwords in Experience Cloud. The other options are not relevant for this requirement, as they do not address the password issue. References: Allow Password Reset Using the API, Use Login Flows to Allow Users to Reset Passwords in Experience Cloud Sites

NEW QUESTION 11
Universal Containers (UC) would like its community users to be able to register and log in with Linkedin or Facebook Credentials. UC wants users to clearly see Facebook &Linkedin Icons when they register and login. What are the two recommended actions UC can take to achieve this Functionality? Choose 2 answers

• A. Enable Facebook and Linkedin as Login options in the login section of the Community configuration.
• B. Create custom Registration Handlers to link Linkedin and facebook accounts to user records.
• C. Store the Linkedin or Facebook user IDs in the Federation ID field on the Salesforce User record.
• D. Create custom buttons for Facebook and inkedin using JAVAscript/CSS on a custom Visualforce page.

Answer: AB

Explanation:
The two recommended actions UC can take to achieve the functionality of allowing community users to register and log in with LinkedIn or Facebook credentials are:
Enable Facebook and LinkedIn as login options in the login section of the community configuration.
This action allows UC to configure Facebook and LinkedIn as authorization providers in Salesforce, which are external services that authenticate users and provide information about their identity and
attributes. By enabling these login options in the community configuration, UC can display Facebook and LinkedIn icons on the community login page and allow users to log in with their existing credentials from these services.
Create custom registration handlers to link LinkedIn and Facebook accounts to user records. This action allows UC to create Apex classes that implement the Auth.RegistrationHandler interface and define the logic for creating or updating user accounts in Salesforce when users log in with LinkedIn or Facebook. By creating custom registration handlers, UC can map the information from the authorization providers to the user fields in Salesforce, such as name, email, profile, or contact.
The other options are not recommended actions for this scenario. Storing the LinkedIn or Facebook user IDs in the Federation ID field on the Salesforce user record is not necessary or sufficient for enabling SSO with these services, as the Federation ID is used for SAML-based SSO, not OAuth-based SSO. Creating custom buttons for Facebook and LinkedIn using JavaScript/CSS on a custom Visualforce page is not advisable, as it would require custom code and UI development, which could increase complexity and maintenance efforts. Moreover, it would not leverage the built-in functionality of authorization providers and registration handlers that Salesforce provides. References: [Authorization Providers], [Enable Social Sign-On for Your Community], [Create a Registration Handler Class], [Auth.RegistrationHandler Interface], [Federation ID]

NEW QUESTION 12
Universal Containers (UC) is planning to deploy a custom mobile app that will allow users to get e-signatures from its customers on their mobile devices. The mobile app connects to Salesforce to upload the e-signature as a file attachment and uses OAuth protocol for both authentication and authorization. What is the most recommended and secure OAuth scope setting that an Architect should recommend?

• A. Id
• B. Web
• C. Api
• D. Custom_permissions

Answer: D

Explanation:
The most recommended and secure OAuth scope setting for UC’s custom mobile app is custom_permissions. Custom_permissions are settings that can be used in Apex code or validation rules to check whether a user has access to a custom feature or functionality. Custom_permissions can also be used as OAuth scopes to limit the access of an external application, such as UC’s mobile app, to certain custom features or functionalities in Salesforce. By configuring custom_permissions as OAuth scopes in the connected app settings, UC can restrict the mobile app access to only the e-signature feature and protect against unauthorized or excessive access.
The other options are not recommended or secure OAuth scope settings for UC’s custom mobile app. Id is an OAuth scope that allows the mobile app to access basic information about the user and their org, such as name, email, profile picture, and instance URL. This scope does not provide any access to Salesforce data or features, such as uploading e-signatures. Web is an OAuth scope that allows the mobile app to access Salesforce data and features through a browser or web-view. This scope provides full access to Salesforce data and features, which could expose sensitive information or allow unwanted actions. Api is an OAuth scope that allows the mobile app to make REST or SOAP API calls to Salesforce using the access token. This scope also provides full access to Salesforce data and features, which could compromise security and compliance. References: [OAuth Scopes], [Connected Apps], [Custom Permissions]

NEW QUESTION 13
architect is troubleshooting some SAML-based SSO errors during testing. The Architect confirmed that all of the Salesforce SSO settings are correct. Which two issues outside of the Salesforce SSO settings are most likely contributing to the SSO errors the Architect is encountering? Choose 2 Answers

• A. The Identity Provider is also used to SSO into five other applications.
• B. The clock on the Identity Provider server is twenty minutes behind Salesforce.
• C. The Issuer Certificate from the Identity Provider expired two weeks ago.
• D. The default language for the Identity Provider and Salesforce are Different.

Answer: BC

Explanation:
The two issues outside of the Salesforce SSO settings that are most likely contributing to the SSO errors are the clock on the identity provider server being twenty minutes behind Salesforce and the issuer certificate from the identity provider expiring two weeks ago. These issues can cause SAML assertion errors, which prevent the user from logging in with SSO. A SAML assertion is an XML document that contains information about the user’s identity and attributes, and it is signed by the identity provider and sent to Salesforce as part of the SSO process4. If the clock on the identity provider server is not synchronized with Salesforce, the SAML assertion may be rejected as invalid or expired, as it has a time limit for validity5. If the issuer certificate from the identity provider is expired, the SAML assertion may not be verified by Salesforce, as it relies on the certificate to validate the signature6. The other options are not likely issues that cause SSO errors. The identity provider being used to SSO into five other applications does not affect its ability to SSO into Salesforce, as long as it supports multiple service providers and has a separate configuration for each one7. The default language for the identity provider and Salesforce being different does not affect the SSO process, as it does not impact the SAML assertion or its validation.
References: SAML Login Errors, Troubleshoot SAML Assertion Errors, SAML SSO with Salesforce as th Service Provider, Single Sign-On, [How to Troubleshoot a Single Sign-On Error]

NEW QUESTION 14
Universal Containers (UC) is both a Salesforce and Google Apps customer. The UC IT team would like to manage the users for both systems in a single place to reduce administrative burden. Which two optimal ways can the IT team provision users and allow Single Sign-on between Salesforce and Google Apps ? Choose 2 answers

• A. Build a custom app running on Heroku as the Identity Provider that can sync user information between Salesforce and Google Apps.
• B. Use a third-party product as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.
• C. Use Identity Connect as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.
• D. Use Salesforce as the Identity Provider and Google Apps as a Service Provider and configure UserProvisioning for Connected Apps.

Answer: BD

Explanation:
B is correct because a third-party product can act as an Identity Provider (IdP) for both Salesforce and Google Apps and manage the user provisioning from a single place12. This reduces the administrative burden and provides a consistent user experience.
D is correct because Salesforce can act as an IdP and Google Apps can act as a Service Provider (SP) and they can use SAML or OpenID Connect for Single Sign-on (SSO)34. Salesforce also supports User Provisioning for Connected Apps, which allows the creation, update, and deactivation of users in Google Apps based on changes in Salesforce.
A is incorrect because building a custom app on Heroku as an IdP is not an optimal way to provision users and allow SSO. It would require more development and maintenance effort than using a third-party product or Salesforce as an IdP.
C is incorrect because Identity Connect is a tool that synchronizes users between Active Directory and Salesforce. It does not support Google Apps as a target system for user provisioning or SSO.
References: 1: Architect Journey: Identity and Access Management Trailmix - Trailhead 2: Free Salesfo Identity-and-Access-Management-Architect Questions … 3: [Single Sign-On Implementation Guide Developer Documentation] 4: [Social Single Sign-On with OpenID Connect Salesforce Developer YouTube] : [Authorize Apps with OAuth Trailblazer Community Documentation] : Identity Connect Implementation Guide Developer Documentation

NEW QUESTION 15
Universal containers (UC) has an e-commerce website while customers can buy products, make payments, and manage their accounts. UC decides to build a customer Community on Salesforce and wants to allow the customers to access the community for their accounts without logging in again. UC decides to implement ansp-Initiated SSO using a SAML-BASED complaint IDP. In this scenario where salesforce is the service provider, which two activities must be performed in salesforce to make sp-Initiated SSO work? Choose 2 answers

• A. Configure SAML SSO settings.
• B. Configure Delegated Authentication
• C. Create a connected App
• D. Set up my domain

Answer: AD

Explanation:
To enable SP-initiated SSO using a SAML-based identity provider, UC needs to configure SAML SSO settings in Salesforce and set up a custom domain using My Domain feature. This allows UC to specify the identity provider information, such as the issuer, entity ID, certificate, and SAML assertion attributes. Delegated authentication is a different mechanism that allows Salesforce to delegate the authentication process to an external web service. A connected app is not required for SP-initiated SSO, but it is used for
IDP-initiated SSO or OAuth flows. References: Certification - Identity and Access Management Architect - Trailhead, [Set Up My Domain], [Configure SAML Settings for Single Sign-On]

NEW QUESTION 16
Universal containers (UC) has built a custom based Two-factor Authentication (2fa) system for their existing on-premise applications. Thru are now implementing salesforce and would like to enable a Two-factor login process for it, as well. What is the recommended solution an architect should consider?

• A. Replace the custom 2fa system with salesforce 2fa for on-premise application and salesforce.
• B. Use the custom 2fa system for on-premise applications and native 2fa for salesforce.
• C. Replace the custom 2fa system with an app exchange app that supports on-premise applications and salesforce.
• D. Use custom login flows to connect to the existing custom 2fa system for use in salesforce.

Answer: D

Explanation:
Using custom login flows to connect to the existing custom 2fa system for use in salesforce is the recommended solution because it allows you to leverage your existing 2fa infrastructure and provide a consistent user experience across your applications. Custom login flows let you customize the authentication process by adding extra screens or logic before or after the standard login1. You can use Apex code to call your custom 2fa system and verify the user’s identity2. This option also gives you more flexibility and control over the 2fa process than using native 2fa or an app exchange app3. References: 1: Customize User Authentication with Login Flows 2: Custom Login Flow Examples 3: Salesforce Multi-Factor Authentic

NEW QUESTION 17
A real estate company wants to provide its customers a digital space to design their interior decoration options. To simplify the registration to gain access to the community site (built in Experience Cloud), the CTO has requested that the IT/Development team provide the option for customers to use their existing social-media credentials to register and access.
The IT lead has approached the Salesforce Identity and Access Management (IAM) architect for technical direction on implementing the social sign-on (for Facebook, Twitter, and a new provider that supports standard OpenID Connect (OIDC)).
Which two recommendations should the Salesforce IAM architect make to the IT Lead? Choose 2 answers

• A. Use declarative registration handler process builder/flow to create, update users and contacts.
• B. Authentication provider configuration is required each social sign-on providers; and enable Authentication providers in community.
• C. For supporting OIDC it is necessary to enable Security Assertion Markup Language (SAML) with Just-in-Time provisioning (JIT) and OAuth 2.0.
• D. Apex coding skills are needed for registration handler to create and update users.

Answer: BD

Explanation:
Authentication provider configuration and Apex coding skills are two recommendations that the Salesforce IAM architect should make to the IT Lead. Authentication providers are used to configure social sign-on providers, such as Facebook, Twitter, and any OpenID Connect compliant provider. Apex coding skills are needed for registration handlers, which are custom classes that create and update users based on social sign-on data. References: Authentication Providers, Registration Handlers

NEW QUESTION 18
......