[Jul-2023] The Best Identity and Access Management Designer Identity-and-Access-Management-Architect Professional Exam Questions
Try 100% Updated Identity-and-Access-Management-Architect Exam Questions [2023]
To become a Salesforce Certified Identity and Access Management Architect, candidates must pass the Identity-and-Access-Management-Architect Exam. This certification is best suited for experienced IT professionals who have a deep understanding of Salesforce identity and access management concepts and principles. The exam consists of multiple-choice questions and takes approximately three hours to complete. Candidates must score at least 65% to pass the exam.
To become a Salesforce Certified Identity and Access Management Architect, candidates must pass a rigorous certification exam. The exam consists of multiple-choice questions and is timed for three hours. Candidates must score at least 65% to pass the exam and earn the certification.
NEW QUESTION # 21
An architect needs to advise the team that manages the identity provider how to differentiate salesforce from other service providers. What SAML SSO setting in salesforce provides this capability?
- A. Identity provider login URL
- B. Issuer
- C. Entity id
- D. SAML identity location
Answer: C
NEW QUESTION # 22
A global company is using the Salesforce Platform as an Identity Provider and needs to integrate a third-party application with its Experience Cloud customer portal.
Which two features should be utilized to provide users with login and identity services for the third-party application?
Choose 2 answers
- A. Use Delegated Authentication.
- B. Use the App Launcher with single sign-on (SSO).
- C. External a Data source with Named Principal identity type.
- D. Use a connected app.
Answer: B,D
NEW QUESTION # 23
Universal Containers (UC) has an e-commerce website where customers can buy products, make payments and manage their accounts. UC decides to build a Customer Community on Salesforce and wants to allow the customers to access the community from their accounts without logging in again. UC decides to implement an SP-initiated SSO using a SAML-compliant Idp. In this scenario where Salesforce is the Service Provider, which two activities must be performed in Salesforce to make SP-initiated SSO work? Choose 2 answers
- A. Create a Connected App.
- B. Set up My Domain.
- C. Configure Delegated Authentication.
- D. Configure SAML SSO settings.
Answer: B,D
NEW QUESTION # 24
Universal Containers (UC) wants to build a custom mobile app for their field reps to create orders in salesforce. After the first time the users log in, they must be able to access salesforce upon opening the mobile app without being prompted to log in again. What Oauth flows should be considered to support this requirement?
- A. SAML Assertion flow with a Bearer Token.
- B. Web Server flow with a Refresh Token.
- C. User Agent flow with a Refresh Token.
- D. Mobile Agent flow with a Bearer Token.
Answer: C
NEW QUESTION # 25
Universal Containers want users to be able to log in to the Salesforce mobile app with their Active Directory password. Employees are unable to use mobile VPN.
Which two options should an identity architect recommend to meet the requirement?
Choose 2 answers
- A. Salesforce Identity Connect
- B. Configure Cloud Provider Load Balancer
- C. Active Directory Password Sync Plugin
- D. Salesforce Trigger & Field on Contact Object
Answer: A,C
NEW QUESTION # 26
Universal containers (UC) is setting up Delegated Authentication to allow employees to log in using their corporate credentials. UC's security team is concerned about the risk of exposing the corporate login service on the Internet and has asked that a reliable trust mechanism be put in place between the login service and salesforce. What mechanism should an architect put in place to enable a trusted connection between the login services and salesforce?
- A. Require the use of Salesforce security Tokens on password.
- B. Enforce mutual Authentication between systems using SSL.
- C. Set up a proxy server for the login service in the DMZ.
- D. Include client ID and client secret in the login header callout.
Answer: A
NEW QUESTION # 27
Universal Container's (UC) is using Salesforce Experience Cloud site for its container wholesale business. The identity architect wants to an authentication provider for the new site.
Which two options should be utilized in creating an authentication provider?
Choose 2 answers
- A. A custom registration handier can be set.
- B. A custom error URL can be set.
- C. The default authentication provider certificate can be set.
- D. The default login user can be set.
Answer: A,B
NEW QUESTION # 28
Under which scenario Web Server flow will be used?
- A. Used for web applications when server-side code needs to interact with APIS.
- B. Used for verifying Access protected resources.
- C. Used for server-side components when page needs to be rendered.
- D. Used for mobile applications and testing legacy Integrations.
Answer: A
NEW QUESTION # 29
Northern Trail Outfitters (NTO) recently purchased Salesforce Identity Connect to streamline user provisioning across Microsoft Active Directory (AD) and Salesforce Sales Cloud.
NTO has asked an identity architect to identify which salesforce security configurations can map to AD permissions.
Which three Salesforce permissions are available to map to AD permissions?
Choose 3 answers
- A. Field-Level Security
- B. Roles
- C. Public Groups
- D. Profiles and Permission Sets
- E. Sharing Rules
Answer: B,C,D
NEW QUESTION # 30
Universal containers (UC) has a classified information system that it's call centre team uses only when they are working on a case with a record type of "classified". They are only allowed to access the system when they own an open "classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO with salesforce as the IDP, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying access to the classified information system based on the open "classified" case record criteria?
- A. Use a custom connected App handler using apex to dynamically allow access to the system based on whether the staff owns any open "classified" cases.
- B. Use salesforce reports to identify users that currently owns open "classified" cases and should be granted access to the classified information system.
- C. Use custom SAML jit provisioning to dynamically query the user's open "classified" cases when attempting to access the classified information system
- D. Use apex trigger on case to dynamically assign permission sets that grant access when a user is assigned with an open "classified" case, and remove it when the case is closed.
Answer: A
NEW QUESTION # 31
Universal Containers (UC) has implemented SAML-based Single Sign-On to provide seamless access to its Salesforce Orgs, financial system, and CPQ system. Below is the SSO implementation landscape.
What role combination is represented by the systems in this scenario''
- A. Salesforce Org1 and PingFederate are acting as Identity Providers.
- B. Financial System and CPQ System are the only Service Providers.
- C. Salesforce Org1 and Salesforce Org2 are acting as Identity Providers.
- D. Salesforce Org1 and Salesforce Org2 are the only Service Providers.
Answer: A
NEW QUESTION # 32
Universal Containers (UC) wants to integrate a third-party Reward Calculation system with Salesforce to calculate Rewards. Rewards will be calculated on a schedule basis and update back into Salesforce. The integration between Salesforce and the Reward Calculation System needs to be secure. Which are two recommended practices for using OAuth flow in this scenario. choose 2 answers
- A. OAuth Username-Password Flow
- B. OAuth Refresh Token FLow
- C. OAuth SAML Bearer Assertion FLow
- D. OAuth JWT Bearer Token FLow
Answer: C,D
NEW QUESTION # 33
A technology enterprise is planning to implement single sign-on login for users. When users log in to the Salesforce User object custom field, data should be populated for new and existing users.
Which two steps should an identity architect recommend?
Choose 2 answers
- A. Create and update methods.
- B. Implement SesslonManagement Class.
- C. Implement Auth.SamlJitHandler Interface.
- D. Implement RegistrationHandler Interface.
Answer: A,C
NEW QUESTION # 34
Northern Trail Outfitters would like to use a portal built on Salesforce Experience Cloud for customer self-service. Guests of the portal be able to self-register, but be unable to automatically be assigned to a contact record until verified. External Identity licenses have bee purchased for the project.
After registered guests complete an onboarding process, a flow will create the appropriate account and contact records for the user.
Which three steps should an identity architect follow to implement the outlined requirements?
Choose 3 answers
- A. Customize the self-registration Apex handler to temporarily associate the user to a shared single contact record.
- B. Enable "Allow customers and partners to self-register".
- C. Set jp an external login page and call Salesforce APIs for user creation.
- D. Select the "Configurable Self-Reg Page" option under Login & Registration.
- E. Customize me self-registration Apex handler to create only the user record.
Answer: B,D,E
NEW QUESTION # 35
Universal Containers wants to implement Single Sign-on for a Salesforce org using an external Identity Provider and corporate identity store.
What type of authentication flow is required to support deep linking'
- A. StartURL on Identity Provider
- B. Identity-Provider-initiated SSO
- C. Web Server OAuth SSO flow
- D. Service-Provider-Initiated SSO
Answer: D
NEW QUESTION # 36
Northern Trail Outfitters manages application functional permissions centrally as Active Directory groups.
The CRM_Superllser and CRM_Reportmg_SuperUser groups should respectively give the user the SuperUser and Reportmg_SuperUser permission set in Salesforce. Salesforce is the service provider to a Security Assertion Markup Language (SAML) identity provider.
Mow should an identity architect ensure the Active Directory groups are reflected correctly when a user accesses Salesforce?
- A. Use a login flow to query standard SAML attributes and set permission sets.
- B. Use the Apex Just-in-Time handler to query standard SAML attributes and set permission sets.
- C. Use the Apex Just-in-Time handler to query custom SAML attributes and set permission sets.
- D. Use a login flow to query custom SAML attributes and set permission sets.
Answer: C
NEW QUESTION # 37
Universal containers (UC) is building a mobile application that will make calls to the salesforce REST API.
Additionally UC would like to provide the optimal experience for its mobile users. Which two OAuth scopes should UC configure in the connected App? Choose 2 answers
- A. Web
- B. API
- C. Refresh token
- D. full
Answer: B,C
NEW QUESTION # 38
Northern Trail Outfitters (NTO) uses a Security Assertion Markup Language (SAML)-based Identity Provider (idP) to authenticate employees to all systems. The IdP authenticates users against a Lightweight Directory Access Protocol (LDAP) directory and has access to user information. NTO wants to minimize Salesforce license usage since only a small percentage of users need Salesforce.
What is recommended to ensure new employees have immediate access to Salesforce using their current IdP?
- A. Build an integration that queries LDAP periodically and creates new active users in Salesforce.
- B. Build an integration that queries LDAP and creates new inactive users in Salesforce and use a login flow to activate the user at first login.
- C. Install Salesforce Identity Connect to automatically provision new users in Salesforce the first time they attempt to login.
- D. Configure Just-in-Time provisioning using SAML attributes to create new Salesforce users as necessary when a new user attempts to login to Salesforce.
Answer: D
NEW QUESTION # 39
Universal Containers (UC) has a desktop application to collect leads for marketing campaigns. UC wants to extend this application to integrate with Salesforce to create leads. Integration between the desktop application and Salesforce should be seamless. What Authorization flow should the Architect recommend?
- A. Web Server Authentication Flow
- B. JWT Bearer Token Flow
- C. Username and Password Flow
- D. User Agent Flow
Answer: D
NEW QUESTION # 40
What item should an Architect consider when designing a Delegated Authentication implementation?
- A. The Web service should be able to accept one to four input method parameters.
- B. The Web service should implement a custom password decryption method.
- C. The web service should use the Salesforce Federation ID to identify the user.
- D. The Web service should be secured with TLS using Salesforce trusted certificates.
Answer: D
NEW QUESTION # 41
A division of a Northern Trail Outfitters (NTO) purchased Salesforce. NTO uses a third party identity provider (IdP) to validate user credentials against Its corporate Lightweight Directory Access Protocol (LDAP) directory. NTO wants to help employees remember as passwords as possible.
What should an identity architect recommend?
- A. Setup Salesforce as an Authentication Provider to the existing IdP.
- B. Setup Salesforce as an IdP to authenticate against the LDAP directory.
- C. Setup Salesforce as a Service Provider to the existing IdP.
- D. Use Salesforce connect to synchronize LDAP passwords to Salesforce.
Answer: C
NEW QUESTION # 42
Northern Trail Outfitters (NTO) has an existing custom business-to-consumer (B2C) website that does NOT support single sign-on standards, such as Security Assertion Markup Language (SAMi) or OAuth. NTO wants to use Salesforce Identity to register and authenticate new customers on the website.
Which two Salesforce features should an identity architect use in order to provide username/password authentication for the website?
Choose 2 answers
- A. Delegated Authentication
- B. Connected Apps
- C. Embedded Login
- D. Identity Connect
Answer: A,C
NEW QUESTION # 43
A security architect is rolling out a new multi-factor authentication (MFA) mandate, where all employees must go through a secure authentication process before accessing Salesforce. There are multiple Identity Providers (IdP) in place and the architect is considering how the "Authentication Method Reference" field (AMR) in the Login History can help.
Which two considerations should the architect keep in mind?
Choose 2 answers
- A. AMR field shows the authentication methods used at IdP.
- B. Both OIDC and Security Assertion Markup Language (SAML) are supported but AMR must be implemented at IdP.
- C. High-assurance sessions must be configured under Session Security Level Policies.
- D. Dependency on what is supported by OpenID Connect (OIDC) implementation at IdP.
Answer: A,B
NEW QUESTION # 44
An Identity and Access Management (IAM) architect is tasked with unifying multiple B2C Commerce sites and an Experience Cloud community with a single identity. The solution needs to support more than 1,000 logins per minute.
What should the IAM do to fulfill this requirement?
- A. Confirm performance considerations with Salesforce Customer Support due to high peaks.
- B. Create a default account for capturing all ecommerce contacts registered on the community because personAccount is not supported for this case.
- C. Configure community as a Security Assertion Markup Language (SAML) identity provider and enable Just-in-Time Provisioning to B2C Commerce.
- D. Configure both the community and the commerce sites as OAuth2 RPs (relying party) with an external identity provider.
Answer: A
NEW QUESTION # 45
......
The Salesforce Identity-and-Access-Management-Architect certification is a valuable credential for professionals who want to demonstrate their expertise in managing access and identity within the Salesforce ecosystem. The certification exam is designed to test candidates on a wide range of topics, including identity management, access management, single sign-on, and security protocols. Those who pass the exam will earn the title of Salesforce Certified Identity and Access Management Architect, which is recognized throughout the industry as a mark of expertise and professionalism.
Identity-and-Access-Management-Architect Exam Questions Get Updated [2023] with Correct Answers: https://practicetorrent.exam4pdf.com/Identity-and-Access-Management-Architect-dumps-torrent.html

