Salesforce Identity and Access Management Architect Exam Questions and Answers PDF | SPOTO


Question #1
What information does the 'RelayState' parameter contain in SP-initiated Single Sign-On?
A. Reference to a URL redirect parameter at the identity provider
B. Reference to a URL redirect parameter at the service provider
C. Reference to the login address URL of the service provider
D. Reference to the login address URL of the identity Provider
Correct Answer: B
Question #2
Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours?
A. Login Inspector
B. Login History
C. Login Report
D. Login Forensics
Correct Answer: D
Question #3
A financial enterprise is planning to set up a user authentication mechanism to log in to the Salesforce system. Due to regulatory requirements, the CIO of the company wants user administration, including passwords and authentication requests, to be managed by an external system that is only accessible via a SOAP web service. Which authentication mechanism should an identity architect recommend to meet the requirements?
A. OAuth Web-Server Flow
B. Identity Connect
C. Delegated Authentication
D. Just-in-Time Provisioning
Correct Answer: C
Question #4
Northern Trail Outfitters (NTO) is using Experience Cloud as an Identity Provider for its application on Heroku. The application on Heroku should be able to handle two brands, Northern Trail Shoes and Northern Trail Shirts. A user should select either of the two brands in Heroku before logging into the community. The app then performs authorization using OAuth 2.0 with the Salesforce Experience Cloud site. NTO wants to make sure it renders login page images dynamically based on the user's brand preference selected in Heroku before A
A. For each brand create different communities and redirect users to the appropriate community using a custom Login controller written in Apex
B. Create multiple login screens using Experience Builder and use Login Flows at runtime to route to different login screens
C. Authorize the third-party service by sending authorization requests to community-url/services/oauth2/authorize/cookie_value
D. Authorize the third-party service by sending authorization requests to community-url/services/oauth2/authorize/expid_value
Correct Answer: D
Question #5
Universal Containers wants to build a custom mobile app connecting to Salesforce using OAuth, and would like to restrict the types of resources mobile users can access. Which OAuth feature of Salesforce should be used to achieve the goal?
A. Access Tokens
B. Mobile pins
C. Refresh Tokens
D. Scopes
Correct Answer: D
Question #6
A global company is using the Salesforce Platform as an Identity Provider and needs to integrate a third-party application with its Experience Cloud customer portal. Which two features should be utilized to provide users with login and identity services for the third-party application? Choose 2 answers
A. Use the App Launcher with single sign-on (SSO)
B. External Data Source with Named Principal identity type
C. Use a connected app
D. Use Delegated Authentication
Correct Answer: AC
Question #7
A financial services company uses Salesforce and has a compliance requirement to track information about devices from which users log in. Also, a Salesforce Security Administrator needs to have the ability to revoke the device from which users log in. What should be used to fulfill this requirement?
A. Use the Activations feature to meet the compliance requirement to track device information
B. Use the Login History object to track information about devices from which users log in
C. Use Login Flows to capture device from which users log in and store device and user information in a custom object
D. Use multi-factor authentication (MFA) to meet the compliance requirement to track device information
Correct Answer: A
Question #8
An identity architect is setting up an integration between Salesforce and a third-party system. The third-party system needs to authenticate to Salesforce and then make API calls against the REST API. One of the requirements is that the solution needs to ensure the third-party service provider's connected app in Salesforce minimizes the need for end-user interaction and maximizes security. Which OAuth flow should be used to fulfill the requirement?
A. JWT Bearer Flow
B. Web Server Flow
C. User Agent Flow
D. Username-Password Flow
Correct Answer: A
Question #9
A security architect is rolling out a new multi-factor authentication (MFA) mandate, where all employees must go through a secure authentication process before accessing Salesforce. There are multiple Identity Providers (IdP) in place and the architect is considering how the "Authentication Method Reference" field (AMR) in the Login History can help. Which two considerations should the architect keep in mind? Choose 2 answers
A. AMR field shows the authentication methods used at IdP
B. Both OIDC and Security Assertion Markup Language (SAML) are supported but AMR must be implemented at IdP
C. High-assurance sessions must be configured under Session Security Level Policies
D. Dependency on what is supported by OpenID Connect (OIDC) implementation at IdP
Correct Answer: AB
Question #10
Universal Containers (UC) has a mobile application for its employees that uses data from Salesforce as well as Salesforce for authentication purposes. UC wants its mobile users to only enter their credentials the first time they run the app. The application has been live for a little over 6 months, and all of the users who were part of the initial launch are complaining that they have to re-authenticate. UC has also recently changed the URI scheme associated with the mobile app. What should the Archite
A. Check the Refresh Token policy defined in the Salesforce Connected App
B. Validate that the users are checking the box to remember their passwords
C. Verify that the Callback URL is correctly pointing to the new URI Scheme
D. Confirm that the access Token's Time-To-Live policy has been set appropriately
Correct Answer: A
Question #11
Universal Containers (UC) wants to implement Delegated Authentication for a certain subset of Salesforce users. Which three items should UC take into consideration while building the web service to handle the Delegated Authentication request? Choose 3 answers
A. The web service needs to include Source IP as a method parameter
B. UC should whitelist all Salesforce IP ranges on their corporate firewall
C. The web service can be written using either the SOAP or REST protocol
D. Delegated Authentication is enabled for the system administrator profile
E. The return type of the Web service method should be a Boolean value
Correct Answer: ABE
Question #12
Which two security risks can be mitigated by enabling Two-Factor Authentication (2FA) in Salesforce? Choose 2 answers
A. Users leaving laptops unattended and not logging out of Salesforce
B. Users accessing Salesforce from a public Wi-Fi access point
C. Users choosing passwords that are the same as their Facebook password
D. Users creating simple-to-guess password reset questions
Correct Answer: BC
Question #13
Universal Containers (UC) currently uses Salesforce Sales Cloud and an external billing application. Both Salesforce and the billing application are accessed several times a day to manage customers. UC would like to configure single sign-on and leverage Salesforce as the identity provider. Additionally, UC would like the billing application to be accessible from Salesforce. A redirect is acceptable. Which two Salesforce tools should an identity architect recommend to satisfy the requirements? Choose 2 answers
A. Salesforce Canvas
B. Identity Connect
C. Connected Apps
D. App Launcher
Correct Answer: AD
Question #14
Universal Containers (UC) has an e-commerce website where customers can buy products, make payments and manage their accounts. UC decides to build a Customer Community on Salesforce and wants to allow the customers to access the community from their accounts without logging in again. UC decides to implement SP-initiated SSO using a SAML-compliant IdP. In this scenario, where Salesforce is the Service Provider, which two activities must be performed in Salesforce to make SP-initiated SSO work? Choose 2 ans
A. Configure SAML SSO settings
B. Create a Connected App
C. Configure Delegated Authentication
D. Set up My Domain
Correct Answer: AD
Question #15
A global fitness equipment manufacturer is planning to sell fitness tracking devices and has the following requirements: 1) Customer purchases the device. 2) Customer registers the device using their mobile app. 3) A case should automatically be created in Salesforce and associated with the customer's account in cases where the device registers issues with tracking. Which OAuth flow should be used to meet these requirements?
A. OAuth 2
B. OAuth 2
C. OAuth 2
D. OAuth 2
Correct Answer: A
Question #16
Universal Containers is implementing Salesforce Identity to broker authentication from its enterprise single sign-on (SSO) solution through Salesforce to third-party applications using SAML. What role does Salesforce Identity play in its relationship with the enterprise SSO system?
A. Identity Provider (IdP)
B. Resource Server
C. Service Provider (SP)
D. Client Application
Correct Answer: C
Question #17
Universal Containers has multiple Salesforce instances where users receive emails from different instances. Users should be logged into the correct Salesforce instance authenticated by their IdP when clicking on an email link to a Salesforce record. What should be enabled in Salesforce as a prerequisite?
A. My Domain
B. Identity Provider
C. Multi-Factor Authentication
D. External Identity
Correct Answer: A
Question #18
Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow. Application users will authenticate using username and password. They should not be forced to approve API access in the mobile app or reauthenticate for 3 months. Which two connected app options need to be configured to fulfill this use case? Choose 2 answers
A. Set Permitted Users to "Admin approved users are pre-authorized"
B. Set Permitted Users to "All users may self-authorize"
C. Set the Session Timeout value to 3 months
D. Set the Refresh Token Policy to expire refresh token after 3 months
Correct Answer: BD
Question #19
Universal Containers (UC) uses a legacy Employee portal for their employees to collaborate and post their ideas. UC decides to use Salesforce Ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to push ideas posted on the Employee portal to Salesforce through the API. UC decides to use an API user with the OAuth username-password flow for the connection. How can the connection to Salesforce be restricted only to the Employee portal server?
A. Add the Employee portal's IP address to the Trusted IP range for the connected app
B. Use a digital certificate signed by the Employee portal server
C. Add the Employee portal's IP address to the login IP range on the user profile
D. Use a dedicated profile for the user the Employee portal uses
Correct Answer: A
Question #20
Universal Containers (UC) is using a custom application that will act as the Identity Provider and will generate SAML assertions used to log in to Salesforce. UC is considering including custom parameters in the SAML assertion. These attributes contain sensitive data and are needed to authenticate the users. The assertions are submitted to Salesforce via a browser form POST. The majority of the users will only be able to access Salesforce via UC's corporate network, but a subset of admins and executives wou
A. Use the Identity Provider's certificate to digitally sign and Salesforce's Certificate to encrypt the payload
B. Use Salesforce's Certificate to digitally sign the SAML Assertion and a Mobile Device Management client on the users' mobile devices
C. Use the Identity Provider's certificate to digitally sign and the Identity Provider's certificate to encrypt the payload
D. Use a custom login flow to retrieve sensitive data using an Apex callout without including the attributes in the assertion
Correct Answer: AC
Question #21
Universal Containers (UC) has a desktop application to collect leads for marketing campaigns. UC wants to extend this application to integrate with Salesforce to create leads. Integration between the desktop application and Salesforce should be seamless. What authorization flow should the Architect recommend?
A. JWT Bearer Token flow
B. Web Server Authentication Flow
C. User Agent Flow
D. Username and Password Flow
Correct Answer: C
Question #22
Sales users at Universal Containers use Salesforce for Opportunity management. Marketing uses a third-party application called Nest for Lead nurturing that is accessed using username/password. The VP of Sales wants to open up access to Nest for all sales users to provide them access to lead history and would like SSO for better adoption. Salesforce is already set up for SSO and uses Delegated Authentication. Nest can accept username/password or SAML-based authentication. IT teams have received multiple passwo
A. Salesforce license for sales users and Identity license for Marketing users
B. Salesforce license for sales users and External Identity license for Marketing users
C. Identity license for sales users and Identity connect license for Marketing users D
Correct Answer: AD
Question #23
Universal Containers (UC) is successfully using Delegated Authentication for their Salesforce users. The service supporting Delegated Authentication is written in Java. UC has a new CIO who is requiring that all company web services be RESTful and written in .NET. Which two considerations should the UC Architect provide to the new CIO? (Choose two.)
A. Delegated Authentication will continue to work with REST services
B. Delegated Authentication will continue to work with a
C. Delegated Authentication will not work with REST services
D. Delegated Authentication will not work with a
Correct Answer: BC
Question #24
Universal Containers' (UC) identity architect needs to recommend a license type for their new Experience Cloud site that will be used by external partners (delivery providers) for reviewing and updating their accounts, downloading files provided by UC and obtaining scheduled pickup dates from their calendar. UC is using their Salesforce production org as the identity provider for these users and the expected number of individual users is 2.5 million with 13.5 million unique logins per month. Which of the foll
A. External Apps License
B. Partner Community License
C. Partner Community Login License
D. Customer Community Plus Login License
Correct Answer: D
Question #25
Northern Trail Outfitters manages application functional permissions centrally as Active Directory groups. The CRM_SuperUser and CRM_Reporting_SuperUser groups should respectively give the user the SuperUser and Reporting_SuperUser permission set in Salesforce. Salesforce is the service provider to a Security Assertion Markup Language (SAML) identity provider. How should an identity architect ensure the Active Directory groups are reflected correctly when a user accesses Salesforce?
A. Use the Apex Just-in-Time handler to query standard SAML attributes and set permission sets
B. Use the Apex Just-in-Time handler to query custom SAML attributes and set permission sets
C. Use a login flow to query custom SAML attributes and set permission sets
D. Use a login flow to query standard SAML attributes and set permission sets
Correct Answer: B
Question #26
Universal Containers allows employees to use a mobile device to access Salesforce for daily operations using a hybrid mobile app. This app uses the Mobile Software Development Kit (SDK), leverages a refresh token to regenerate the access token when required and is distributed as a private app. The chief security officer is rolling out an org-wide compliance policy to enforce re-verification of devices if an employee has not logged in from that device in the last week. Which connected app setting should be leveraged to
A. Scope - Deny refresh_token scope for this connected app
B. Refresh Token Policy - Expire the refresh token if it has not been used for 7 days
C. Session Policy - Set timeout value of the connected app to 7 days
D. Permitted User - Ask admins to maintain a list of users who are permitted based on last login date
Correct Answer: B
Question #27
A manufacturer wants to provide registration for an Internet of Things (IoT) device with limited display input or capabilities. Which Salesforce OAuth authorization flow should be used?
A. OAuth 2
B. OAuth 2
C. OAuth 2
D. OAuth 2
Correct Answer: B
Question #28
Universal Containers is implementing a new Experience Cloud site and the identity architect wants to use dynamic branding features as part of the login process. Which two options should the identity architect recommend to support dynamic branding for the site? Choose 2 answers
A. To use dynamic branding, the community must be built with the Visualforce + Salesforce Tabs template
B. To use dynamic branding, the community must be built with the Customer Account Portal template
C. An experience ID (expid) or placeholder parameter must be used in the URL to represent the brand
D. An external content management system (CMS) must be used for dynamic branding on Experience Cloud sites
Correct Answer: BC
Question #29
When designing a multi-branded Customer Identity and Access Management solution on the Salesforce Platform, how should an identity architect ensure a specific brand experience in Salesforce is presented?
A. Provide a brand picker that the end user can use to select their sub-brand when they arrive on Salesforce
B. The Experience ID, which can be included in OAuth/OpenID Connect flows and Security Assertion Markup Language (SAML) flows as a URL parameter
C. Add a custom parameter to the service provider's OAuth/SAML call and implement logic on its login page to apply branding based on the parameters value
D. The Audience ID, which can be set in a shared cookie
Correct Answer: B
Question #30
An architect is troubleshooting some SAML-based SSO errors during testing. The Architect confirmed that all of the Salesforce SSO settings are correct. Which two issues outside of the Salesforce SSO settings are most likely contributing to the SSO errors the Architect is encountering? Choose 2 answers
A. The Identity Provider is also used to SSO into five other applications
B. The clock on the Identity Provider server is twenty minutes behind Salesforce
C. The Issuer Certificate from the Identity Provider expired two weeks ago
D. The default languages for the Identity Provider and Salesforce are different
Correct Answer: BC
