Summer Sale - Special Discounts Limited Time 55% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 63r59951

  1. Home
  2. Salesforce
  3. Identity and Access Management Designer
  4. Identity-and-Access-Management-Architect
  5. Salesforce Certified Identity and Access Management Architect (WI24) Questions and Answers

Identity-and-Access-Management-Architect Salesforce Certified Identity and Access Management Architect (WI24) Questions and Answers

Questions 4

Universal Containers (UC) has implemented SAML-based SSO solution for use with their multi-org Salesforce implementation, utilizing one of the the orgs as the Identity Provider. One user is reporting that they can log in to the Identity Provider org but get a generic SAML error message when accessing the other orgs. Which two considerations should the architect review to troubleshoot the issue? Choose 2 answers

Options:

A.

The Federation ID must be a valid Salesforce Username

B.

The Federation ID must is case sensitive

C.

The Federation ID must be in the form of an email address.

D.

The Federation ID must be populated on the user record.

Buy Now
Questions 5

A manufacturer wants to provide registration for an Internet of Things (IoT) device with limited display input or capabilities.

Which Salesforce OAuth authorization flow should be used?

Options:

A.

OAuth 2.0 JWT Bearer How

B.

OAuth 2.0 Device Flow

C.

OAuth 2.0 User-Agent Flow

D.

OAuth 2.0 Asset Token Flow

Buy Now
Questions 6

In an SP-Initiated SAML SSO setup where the user tries to access a resource on the Service Provider, What HTTP param should be used when submitting a SAML Request to the Idp to ensure the user is returned to the intended resourse after authentication?

Options:

A.

RedirectURL

B.

RelayState

C.

DisplayState

D.

StartURL

Buy Now
Questions 7

The security team at Universal Containers (UC) has identified exporting reports as a high-risk action and would like to require users to be logged into Salesforce with their Active Directory (AD) credentials when doing so. For all other users of Salesforce, users should be allowed to use AD Credentials or Salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with Salesforce credentials?

Options:

A.

Use SAML Federated Authentication and block access to reports when accessed through a Standard Assurance session.

B.

Use SAML Federated Authentication and Custom SAML JIT Provisioning to dynamically and or remove a permission set that grants the Export Reports Permission.

C.

Use SAML federated Authentication, treat SAML Sessions as High Assurance, and raise the session level required for exporting reports.

D.

Use SAML federated Authentication with a Login Flow to dynamically add or remove a Permission Set that grants the Export Reports Permission.

Buy Now
Questions 8

Universal Containers (UC) is looking to purchase a third-party application as an Identity Provider. UC is looking to develop a business case for the purchase in general and has enlisted an Architect for advice. Which two capabilities of an Identity Provider should the Architect detail to help strengthen the business case? Choose 2 answers

Options:

A.

The Identity Provider can authenticate multiple applications.

B.

The Identity Provider can authenticate multiple social media accounts.

C.

The Identity provider can store credentials for multiple applications.

D.

The Identity Provider can centralize enterprise password policy.

Buy Now
Questions 9

Universal Containers (UC) has a strict requirement to authenticate users to Salesforce using their mainframe credentials. The mainframe user store cannot be accessed from a SAML provider. UC would also like to have users in Salesforce created on the fly if they provide accurate mainframe credentials.

How can the Architect meet these requirements?

Options:

A.

Use a Salesforce Login Flow to call out to a web service and create the user on the fly.

B.

Use the SOAP API to create the user when created on the mainframe; implement Delegated Authentication.

C.

Implement Just-In-Time Provisioning on the mainframe to create the user on the fly.

D.

Implement OAuth User-Agent Flow on the mainframe; use a Registration Handler to create the user on the fly.

Buy Now
Questions 10

Universal containers (UC) would like to enable SAML-BASED SSO for a salesforce partner community. UC has an existing ldap identity store and a third-party portal. They would like to use the existing portal as the primary site these users access, but also want to allow seamless access to the partner community. What SSO flow should an architect recommend?

Options:

A.

User-Agent

B.

IDP-initiated

C.

Sp-Initiated

D.

Web server

Buy Now
Questions 11

Universal containers (UC) is setting up their customer Community self-registration process. They are uncomfortable with the idea of assigning new users to a default account record. What will happen when customers self-register in the community?

Options:

A.

The self-registration process will produce an error to the user.

B.

The self-registration page will ask user to select an account.

C.

The self-registration process will create a person Account record.

D.

The self-registration page will create a new account record.

Buy Now
Questions 12

Universal Containers (UC) has a Customer Community that uses Facebook for Authentication. UC would like to ensure that Changes in the Facebook profile are reflected on the appropriate Customer Community user: How can this requirement be met?

Options:

A.

Use the updateUser method on the registration Handler Class.

B.

Develop a scheduled job that calls out to Facebook on a nightly basis.

C.

Use information in the signed Request that is received from facebook.

D.

Use SAML Just-In-Time Provisioning between Facebook and Salesforce.

Buy Now
Questions 13

Universal Containers (UC) has Active Directory (AD) as their enterprise identity store and would like to use it for Salesforce user authentication. UC expects to synchronize user data between Salesforce and AD and Assign the appropriate Profile and Permission Sets based on AD group membership. What would be the optimal way to implement SSO?

Options:

A.

Use Active Directory with Reverse Proxy as the Identity Provider.

B.

Use Microsoft Access control Service as the Authentication provider.

C.

Use Active Directory Federation Service (ADFS) as the Identity Provider.

D.

Use Salesforce Identity Connect as the Identity Provider.

Buy Now
Questions 14

Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for to give its customers the ability to login with their Facebook and Twitter credentials.

Which two actions should an identity architect recommend to meet these requirements?

Choose 2 answers

Options:

A.

Create a custom external authentication provider for Facebook.

B.

Configure a predefined authentication provider for Facebook.

C.

Create a custom external authentication provider for Twitter.

D.

Configure a predefined authentication provider for Twitter.

Buy Now
Questions 15

A global fitness equipment manufacturer uses Salesforce to manage its sales cycle. The manufacturer has a custom order fulfillment app that needs to request order data from Salesforce. The order fulfillment app needs to integrate with the Salesforce API using OAuth 2.0 protocol.

What should an identity architect use to fulfill this requirement?

Options:

A.

Canvas App Integration

B.

OAuth Tokens

C.

Authentication Providers

D.

Connected App and OAuth scopes

Buy Now
Questions 16

Universal Containers (UC) has an existing Salesforce org configured for SP-Initiated SAML SSO with their Idp. A second Salesforce org is being introduced into the environment and the IT team would like to ensure they can use the same Idp for new org. What action should the IT team take while implementing the second org?

Options:

A.

Use the same SAML Identity location as the first org.

B.

Use a different Entity ID than the first org.

C.

Use the same request bindings as the first org.

D.

Use the Salesforce Username as the SAML Identity Type.

Buy Now
Questions 17

Which three different attributes can be used to identify the user in a SAML 65> assertion when Salesforce is acting as a Service Provider? Choose 3 answers

Options:

A.

Federation ID

B.

Salesforce User ID

C.

User Full Name

D.

User Email Address

E.

Salesforce Username

Buy Now
Questions 18

Universal containers (UC) has a classified information system that it's call centre team uses only when they are working on a case with a record type of "classified". They are only allowed to access the system when they own an open "classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO with salesforce as the IDP, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying access to the classified information system based on the open "classified" case record criteria?

Options:

A.

Use a custom connected App handler using apex to dynamically allow access to the system based on whether the staff owns any open "classified" cases.

B.

Use apex trigger on case to dynamically assign permission sets that grant access when a user is assigned with an open "classified" case, and remove it when the case is closed.

C.

Use custom SAML jit provisioning to dynamically query the user's open "classified" cases when attempting to access the classified information system

D.

Use salesforce reports to identify users that currently owns open "classified" cases and should be granted access to the classified information system.

Buy Now
Questions 19

Universal Containers (UC) is both a Salesforce and Google Apps customer. The UC IT team would like to manage the users for both systems in a single place to reduce administrative burden. Which two optimal ways can the IT team provision users and allow Single Sign-on between Salesforce and Google Apps ? Choose 2 answers

Options:

A.

Build a custom app running on Heroku as the Identity Provider that can sync user information between Salesforce and Google Apps.

B.

Use a third-party product as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.

C.

Use Identity Connect as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.

D.

Use Salesforce as the Identity Provider and Google Apps as a Service Provider and configure User Provisioning for Connected Apps.

Buy Now
Questions 20

Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours?

Options:

A.

Login Inspector

B.

Login History

C.

Login Report

D.

Login Forensics

Buy Now
Questions 21

What information does the 'Relaystate' parameter contain in sp-Initiated Single Sign-on?

Options:

A.

Reference to a URL redirect parameter at the identity provider.

B.

Reference to a URL redirect parameter at the service provider.

C.

Reference to the login address URL of the service provider.

D.

Reference to the login address URL of the identity Provider.

Buy Now
Questions 22

Universal Containers (UC) has an Experience Cloud site (Customer Community) where customers can authenticate and place orders, view the status of orders, etc. UC allows guest checkout.

Mow can a guest register using data previously collected during order placement?

Options:

A.

Enable Security Assertion Markup Language Sign-On and use a login flow to collect only order details to retrieve customer data.

B.

Enable Facebook as an authentication provider and use a registration handler to collect only order details to retrieve customer data.

C.

Use a Connected App Handler Apex Plugin class to collect only order details to retrieve customer data.

D.

Enable self-registration and customize a self-registration page to collect only order details to retrieve customer data.

Buy Now
Questions 23

A client is planning to rollout multi-factor authentication (MFA) to its internal employees and wants to understand which authentication and verification methods meet the Salesforce criteria for secure authentication.

Which three functions meet the Salesforce criteria for secure mfa?

Choose 3 answers

Options:

A.

username and password + SMS passcode

B.

Username and password + secunty key

C.

Third-party single sign-on with Mobile Authenticator app

D.

Certificate-based Authentication

E.

Lightning Login

Buy Now
Questions 24

A large consumer company is planning to create a community and will requ.re login through the customers social identity. The following requirements must be met:

1. The customer should be able to login with any of their social identities, however salesforce should only have one user per customer.

2. Once the customer has been identified with a social identity, they should not be required to authonze Salesforce.

3. The customers personal details from the social sign on need to be captured when the customer logs into Salesforce using their social Identity.

3. If the customer modifies their personal details in the social site, the changes should be updated in Salesforce .

Which two options allow the Identity Architect to fulfill the requirements?

Choose 2 answers

Options:

A.

Use Login Flows to call an authentication registration handler to provision the user before logging the user into the community.

B.

Use authentication providers for social sign-on and use the custom registration handler to insert or update personal details.

C.

Redirect the user to a custom page that allows the user to select an existing social identity for login.

D.

Use the custom registration handler to link social identities to Salesforce identities.

Buy Now
Questions 25

The CMO of an advertising company has invited an Identity and Access Management (IAM) specialist to discuss Salesforce out-of-box capabilities for configuring the company*s login and registration experience on Salesforce Experience Cloud.

The CMO is looking to brand the login page with the company's logo, background color, login button color, and dynamic right-frame from an external URL.

Which two solutions should the IAM specialist recommend?

Choose 2 answers

Options:

A.

Use Experience Builder to build branded Reset and Forgot Password pages.

B.

Build custom pages for branding requirements in Experience Cloud.

C.

Build custom site pages for reset and forgot password features.

D.

Login & Registration pages can be branded in the Community Administration settings.

Buy Now
Questions 26

Universal Containers wants to implement SAML SSO for their internal Salesforce users using a third-party IdP. After some evaluation, UC decides not to set up My Domain for their Salesforce org. How does that decision impact their SSO implementation?

Options:

A.

SP-initiated SSO will not work.

B.

Neither SP- nor IdP-initiated SSO will work.

C.

Either SP- or IdP-initiated SSO will work.

D.

IdP-initiated SSO will not work.

Buy Now
Questions 27

Universal Containers (UC) uses middleware to integrate multiple systems with Salesforce. UC has a strict, new requirement that usernames and passwords cannot be stored in any UC system. How can UC’s middleware authenticate to Salesforce while adhering to this requirement?

Options:

A.

Create a Connected App that supports the JWT Bearer Token OAuth Flow.

B.

Create a Connected App that supports the Refresh Token OAuth Flow

C.

Create a Connected App that supports the Web Server OAuth Flow.

D.

Create a Connected App that supports the User-Agent OAuth Flow.

Buy Now
Questions 28

The security team at Universal containers(UC) has identified exporting reports as a high-risk action and would like to require users to be logged into salesforce with their active directory (AD) credentials when doing so. For all other uses of Salesforce, Users should be allowed to use AD credentials or salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with salesforce credentials?

Options:

A.

Use SAML Federated Authentication and Custom SAML jit provisioning to dynamically add or remove a permission set that grants the Export Reports permission.

B.

Use SAML Federated Authentication, treat SAML sessions as high assurance, and raise the session level required for exporting reports.

C.

Use SAML Federated Authentication and block access to reports when accesses through a standard assurance session.

D.

Use SAML Federated Authentication with a login flow to dynamically add or remove a permission set that grants the export reports permission.

Buy Now
Questions 29

When designing a multi-branded Customer Identity and Access Management solution on the Salesforce Platform, how should an identity architect ensure a specific brand experience in Salesforce is presented?

Options:

A.

The Experience ID, which can be included in OAuth/Open ID flows and Security Assertion Markup Language (SAML) flows as a URL parameter.

B.

Provide a brand picker that the end user can use to select its sub-brand when they arrive on salesforce.

C.

Add a custom parameter to the service provider's OAuth/SAML call and implement logic on its login page to apply branding based on the parameters value.

D.

The Audience ID, which can be set in a shared cookie.

Buy Now
Questions 30

Universal Containers (UC) is building an authenticated Customer Community for its customers. UC does not want customer credentials stored in Salesforce and is confident its customers would be willing to use their social media credentials to authenticate to the community. Which two actions should an Architect recommend UC to take?

Options:

A.

Use Delegated Authentication to call the Twitter login API to authenticate users.

B.

Configure an Authentication Provider for LinkedIn Social Media Accounts.

C.

Create a Custom Apex Registration Handler to handle new and existing users.

D.

Configure SSO Settings For Facebook to serve as a SAML Identity Provider.

Buy Now
Questions 31

Universal Containers (UC) is building an integration between Salesforce and a legacy web applications using the canvas framework. The security for UC has determined that a signed request from Salesforce is not an adequate authentication solution for the Third-Party app. Which two options should the Architect consider for authenticating the third-party app using the canvas framework? Choose 2 Answers

Options:

A.

Utilize the SAML Single Sign-on flow to allow the third-party to authenticate itself against UC's IdP.

B.

Utilize Authorization Providers to allow the third-party appliction to authenticate itself against Salesforce as the Idp.

C.

Utilize Canvas OAuth flow to allow the third-party appliction to authenticate itself against Salesforce as the Idp.

D.

Create a registration handler Apex class to allow the third-party appliction to authenticate itself against Salesforce as the Idp.

Buy Now
Questions 32

A multinational industrial products manufacturer is planning to implement Salesforce CRM to manage their business. They have the following requirements:

1. They plan to implement Partner communities to provide access to their partner network .

2. They have operations in multiple countries and are planning to implement multiple Salesforce orgs.

3. Some of their partners do business in multiple countries and will need information from multiple Salesforce communities.

4. They would like to provide a single login for their partners.

How should an Identity Architect solution this requirement with limited custom development?

Options:

A.

Create a partner login for the country of their operation and use SAML federation to provide access to other orgs.

B.

Consolidate Partner related information in a single org and provide access through Salesforce community.

C.

Allow partners to choose the Salesforce org they need information from and use login flows to authenticate access.

D.

Register partners in one org and access information from other orgs using APIs.

Buy Now
Questions 33

Universal Containers (UC) is using a custom application that will act as the Identity Provider and will generate SAML assertions used to log in to Salesforce. UC is considering including custom parameters in the SAML assertion. These attributes contain sensitive data and are needed to authenticate the users. The assertions are submitted to salesforce via a browser form post. The majority of the users will only be able to access Salesforce via UC's corporate network, but a subset of admins and executives would be allowed access from outside the corporate network on their mobile devices. Which two methods should an Architect consider to ensure that the sensitive data cannot be tampered with, nor accessible to anyone while in transit?

Options:

A.

Use the Identity Provider's certificate to digitally sign and Salesforce's Certificate to encrypt the payload.

B.

Use Salesforce's Certificate to digitally sign the SAML Assertion and a Mobile Device Management client on the users' mobile devices.

C.

Use the Identity provider's certificate to digitally Sign and the Identity provider's certificate to encrypt the payload.

D.

Use a custom login flow to retrieve sensitive data using an Apex callout without including the attributes in the assertion.

Buy Now
Questions 34

Universal Containers (UC) has five Salesforce orgs (UC1, UC2, UC3, UC4, UC5). of Every user that is in UC2, UC3, UC4, and UC5 is also in UC1, however not all users 65* have access to every org. Universal Containers would like to simplify the authentication process such that all Salesforce users need to remember one set of credentials. UC would like to achieve this with the least impact to cost and maintenance. What approach should an Architect recommend to UC?

Options:

A.

Purchase a third-party Identity Provider for all five Salesforce orgs to use and set up JIT user provisioning on all other orgs.

B.

Purchase a third-party Identity Provider for all five Salesforce orgs to use, but don't set up JIT user provisioning for other orgs.

C.

Configure UC1 as the Identity Provider to the other four Salesforce orgs and set up JIT user provisioning on all other orgs.

D.

Configure UC1 as the Identity Provider to the other four Salesforce orgs, but don't set up JIT user provisioning for other orgs.

Buy Now
Questions 35

Universal containers (UC) has a mobile application that it wants to deploy to all of its salesforce users, including customer Community users. UC would like to minimize the administration overhead, which two items should an architect recommend? Choose 2 answers

Options:

A.

Enable the "Refresh Tokens is valid until revoked " setting in the Connected App.

B.

Enable the "Enforce Ip restrictions" settings in the connected App.

C.

Enable the "All users may self-authorize" setting in the Connected App.

D.

Enable the "High Assurance session required" setting in the Connected App.

Buy Now
Questions 36

Universal containers (UC) is building a mobile application that will make calls to the salesforce REST API. Additionally UC would like to provide the optimal experience for its mobile users. Which two OAuth scopes should UC configure in the connected App? Choose 2 answers

Options:

A.

Refresh token

B.

API

C.

full

D.

Web

Buy Now
Questions 37

Universal Containers (UC) has an existing web application that it would like to access from Salesforce without requiring users to re-authenticate. The web application is owned UC and the UC team that is responsible for it is willing to add new javascript code and/or libraries to the application. What implementation should an Architect recommend to UC?

Options:

A.

Create a Canvas app and use Signed Requests to authenticate the users.

B.

Rewrite the web application as a set of Visualforce pages and Apex code.

C.

Configure the web application as an item in the Salesforce App Launcher.

D.

Add the web application as a ConnectedApp using OAuth User-Agent flow.

Buy Now
Exam Code: Identity-and-Access-Management-Architect
Exam Name: Salesforce Certified Identity and Access Management Architect (WI24)
Last Update: Apr 15, 2024
Questions: 245

PDF + Testing Engine

$74.7  $165.99
buy now Identity-and-Access-Management-Architect pdf + testing engine

Testing Engine

$51.75  $114.99
buy now Identity-and-Access-Management-Architect testing engine

PDF (Q&A)

$47.25  $104.99
buy now Identity-and-Access-Management-Architect pdf