
Verified Identity-and-Access-Management-Architect dumps Q&As - 2024 Latest Identity-and-Access-Management-Architect Download
Dumps Questions [2024] Pass for Identity-and-Access-Management-Architect Exam
Salesforce Identity-and-Access-Management-Architect Exam is a valuable certification for professionals who want to advance their careers in the Salesforce ecosystem. Salesforce Certified Identity and Access Management Architect certification is recognized by Salesforce and is an essential requirement for professionals seeking senior-level positions in identity and access management. Identity-and-Access-Management-Architect exam is designed to test the knowledge and skills of professionals in designing and implementing complex identity and access management solutions. By obtaining this certification, professionals can demonstrate their expertise and credibility in the field of identity and access management in Salesforce.
Salesforce Identity-and-Access-Management-Architect Certification Exam is designed for individuals who are interested in becoming experts in managing access and identities within the Salesforce platform. Salesforce Certified Identity and Access Management Architect certification exam is intended for experienced administrators, developers, and architects who have a deep understanding of the Salesforce platform and its security model. To earn this certification, candidates must demonstrate their ability to design and implement complex identity and access management solutions that meet the needs of their organization.
NEW QUESTION # 54
Universal Containers (UC) wants to integrate a web application with Salesforce. The UC team has implemented the OAuth web server authentication flow for the authentication process. Which two considerations should an architect point out to UC? Choose 2 answers
- A. The flow will not provide an OAuth refresh token back to the server.
- B. The web application should be hosted on a secure server.
- C. The flow involves passing the user credentials back and forth.
- D. The web server must be able to protect consumer privacy.
Answer: B,D
Explanation:
The web application should be hosted on a secure server and the web server must be able to protect consumer privacy are two considerations that an architect should point out to UC. To integrate an external web app with the Salesforce API, UC can use the OAuth 2.0 web server flow, which implements the OAuth 2.0 authorization code grant type. With this flow, the server hosting the web app must be able to protect the connected app's identity, defined by the client ID and client secret. The web application should be hosted on a secure server to ensure that the communication between the web app and Salesforce is encrypted and protected from unauthorized access or tampering. The web server must be able to protect consumer privacy to comply with data protection laws and regulations, such as GDPR or CCPA. The web server should implement best practices for storing and handling user data, such as encryption, hashing, salting, and anonymization. The flow involves passing the user credentials back and forth is not a correct consideration, as the web server flow does not require the user credentials to be passed between the web app and Salesforce. Instead, it uses an authorization code that is exchanged for an access token and a refresh token. The flow will not provide an OAuth refresh token back to the server is also not a correct consideration, as the web server flow does provide a refresh token that can be used to obtain new access tokens without user interaction. References: OAuth 2.0 Web Server Flow for Web App Integration, Secure Your Web Application, [General Data Protection Regulation (GDPR)], [California Consumer Privacy Act (CCPA)], [Data Protection Best Practices]
NEW QUESTION # 55
Universal Containers (UC) has a Customer Community that uses Facebook for authentication. UC would like to ensure that changes in the Facebook profile are reflected on the appropriate Customer Community user.
How can this requirement be met?
- A. Use the updateUser method on the registration handler class.
- B. Use SAML Just-In-Time Provisioning between Facebook and Salesforce.
- C. Develop a scheduled job that calls out to Facebook on a nightly basis.
- D. Use information in the signed request that is received from Facebook.
Answer: A
Explanation:
The best option for UC to ensure that changes in the Facebook profile are reflected on the appropriate customer community user is to use the updateUser method on the registration handler class. A registration handler class is an Apex class that implements the Auth.RegistrationHandler interface and defines the logic for creating or updating a user account when a user logs in with an external authentication provider, such as Facebook. The updateUser method is a method in the registration handler class that takes a user ID and a JSON string as parameters and updates the user record with the information from the JSON string. This method can be used to update the user's profile, email, name, or other attributes based on the changes in the Facebook profile. The other options are not optimal for this scenario. Developing a scheduled job that calls out to Facebook on a nightly basis would introduce a delay in updating the user information and require custom code and API integration. Using information in the signed request that is received from Facebook would only provide limited information about the user, such as name, email, and locale, and not reflect any changes made after the initial login. Using SAML Just-in-Time provisioning between Facebook and Salesforce would require UC to configure Facebook as a SAML identity provider, which is not supported by Facebook. References:
[Create a Registration Handler Class], [Auth.RegistrationHandler Interface], [Facebook Signed Request], [Facebook as SAML Identity Provider]
NEW QUESTION # 56
Universal Containers (UC) uses Salesforce as a CRM and identity provider (IdP) for their Sales Team to seamlessly log in to internal portals. The IT team at UC is now evaluating Salesforce to act as an IdP for its remaining employees.
Which Salesforce license is required to fulfill this requirement?
- A. Identity Connect
- B. External Identity
- C. Identity Verification
- D. Identity Only
Answer: D
NEW QUESTION # 57
Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, who use SAML-based single sign-on to log in to Salesforce. The default agent profile does not include the Manage Users permission. UC wants to dynamically update the agent role and permission sets.
Which two mechanisms are used to provision agents with the appropriate permissions?
Choose 2 answers
- A. Use Login Flow in User Context to update role and permission sets.
- B. Use SAML Just-in-Time (JIT) handler class run as current user to update role and permission sets.
- C. Use Login Flow in System Context to update role and permission sets.
- D. Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets.
Answer: C,D
Explanation:
To dynamically update the agent role and permission sets using Active Directory as the corporate identity provider and Salesforce as the CRM for customer care agents, who use SAML-based sign-on to log in to Salesforce, the identity architect should use two mechanisms:
Use Login Flow in System Context to update role and permission sets. A Login Flow is a custom post-authentication process that can be used to add additional screens or logic after a user logs in to Salesforce. A System Context is a mode that allows a Login Flow to run as an administrator user with full access to Salesforce data and metadata. By using a Login Flow in System Context, the identity architect can update the agent role and permission sets based on the information from Active Directory or other criteria.
Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets. A SAML JIT handler class is a class that implements the Auth.SamlJitHandler interface and defines how to handle SAML assertions for Just-in-Time (JIT) provisioning. JIT provisioning is a feature that allows Salesforce to create or update user records on the fly when users log in through an external identity provider. By using a SAML JIT handler class run as an admin user, the identity architect can update the agent role and permission sets based on the information from the SAML assertion. References: Login Flows, SAML Just-in-Time Provisioning, Auth.SamlJitHandler Interface
NEW QUESTION # 58
A public sector agency is setting up an identity solution for its citizens using a Community built on Experience Cloud and requires the new user registration functionality to capture first name, last name, and phone number.
The phone number will be used for identity verification.
Which feature should an identity architect recommend to meet the requirements?
- A. Use an external Identity Provider
- B. Use Login Discovery
- C. Integrate with social websites (Facebook, LinkedIn, Twitter)
- D. Create a custom Lightning Web Component
Answer: B
Explanation:
Login Discovery allows the administrator to configure a custom login page that collects additional information from users, such as phone number, and use it for identity verification. Login Discovery can also be used to route users to different identity providers based on their input. References: Login Discovery, Customize Your Experience Cloud Site Login Process
NEW QUESTION # 59
Northern Trail Outfitters (NTO) is setting up Salesforce to authenticate users with an external identity provider. The NTO Salesforce Administrator is having trouble getting things set up.
What should an identity architect use to show which part of the login assertion is failing?
- A. SAML Metadata file importer
- B. Identity Provider Metadata download
- C. Connected App Manager
- D. Security Assertion Markup Language Validator
Answer: D
Explanation:
Security Assertion Markup Language (SAML) Validator is a tool that allows administrators to test and troubleshoot SAML single sign-on configurations. It can show which part of the login assertion is failing and provide error messages and suggestions. SAML Metadata file importer and Identity Provider Metadata download are features that allow administrators to import or download metadata files for SAML configurations. Connected App Manager is a tool that allows administrators to manage connected apps in Salesforce. References: SAML Validator, SAML Single Sign-On Settings, Connected App Manager
NEW QUESTION # 60
Universal Containers (UC) is building an authenticated Customer Community for its customers. UC does not want customer credentials stored in Salesforce and is confident its customers would be willing to use their social media credentials to authenticate to the community. Which two actions should an Architect recommend UC to take?
- A. Configure an Authentication Provider for LinkedIn Social Media Accounts.
- B. Create a Custom Apex Registration Handler to handle new and existing users.
- C. Use Delegated Authentication to call the Twitter login API to authenticate users.
- D. Configure SSO Settings For Facebook to serve as a SAML Identity Provider.
Answer: A,B
Explanation:
Configuring an Authentication Provider for LinkedIn Social Media Accounts allows UC to use LinkedIn as an external identity provider for its customer community. This means that customers can use their LinkedIn credentials to log in to the community without storing their credentials in Salesforce. Creating a Custom Apex Registration Handler allows UC to customize how new and existing users are handled when they log in with an external identity provider. This means that UC can control how user records are created, updated, or matched when customers use their social media credentials to authenticate to the community. These two actions can meet the requirement of UC to use social media credentials for its customer community.
NEW QUESTION # 61
Universal Containers (UC) has decided to use Salesforce as an Identity Provider for multiple external applications. UC wants to use the salesforce App Launcher to control the Apps that are available to individual users. Which three steps are required to make this happen?
- A. Set up an Auth Provider for each External Application.
- B. Set up Salesforce as a SAML IdP with My Domain.
- C. Add each connected App to the App Launcher with a Start URL.
- D. Create a Connected App for each external application.
- E. Set up Identity Connect to Synchronize user data.
Answer: B,C,D
NEW QUESTION # 62
Northern Trail Outfitters (NTO) is launching a new sportswear brand on its existing consumer portal built on Salesforce Experience Cloud. As part of the launch, emails with promotional links will be sent to existing customers to log in and claim a discount. The marketing manager would like the portal dynamically branded so that users will be directed to the brand link they clicked on; otherwise, users will view a recognizable NTO-branded page.
The campaign is launching quickly, so there is no time to procure any additional licenses. However, the development team is available to apply any required changes to the portal.
Which approach should the identity architect recommend?
- A. Create a full sandbox to replicate the portal site and update the branding accordingly.
- B. Use Heroku to build the new brand site and embedded login to reuse identities.
- C. Implement Experience ID in the code and extend the URLs and endpoints, as required.
- D. Configure an additional community site on the same org that is dedicated for the new brand.
Answer: C
NEW QUESTION # 63
Universal Containers (UC) built an integration for their employees to post, view, and vote for ideas in Salesforce from an internal Company portal. When ideas are posted in Salesforce, links to the ideas are created in the company portal pages as part of the integration process. The Company portal connects to Salesforce using OAuth. Everything is working fine, except when users click on links to existing ideas, they are always taken to the Ideas home page rather than the specific idea, after authorization. Which OAuth URL parameter can be used to retain the original requested page so that a user can be redirected correctly after OAuth authorization?
- A. State
- B. Scope
- C. Callback_uri
- D. Redirect_uri
Answer: D
NEW QUESTION # 64
A large consumer company is planning to create a community and will require login through the customer's social identity. The following requirements must be met:
1. The customer should be able to log in with any of their social identities; however, Salesforce should only have one user per customer.
2. Once the customer has been identified with a social identity, they should not be required to authorize Salesforce.
3. The customer's personal details from the social sign-on need to be captured when the customer logs into Salesforce using their social identity.
4. If the customer modifies their personal details on the social site, the changes should be updated in Salesforce.
Which two options allow the Identity Architect to fulfill the requirements?
Choose 2 answers
- A. Use authentication providers for social sign-on and use the custom registration handler to insert or update personal details.
- B. Use the custom registration handler to link social identities to Salesforce identities.
- C. Use Login Flows to call an authentication registration handler to provision the user before logging the user into the community.
- D. Redirect the user to a custom page that allows the user to select an existing social identity for login.
Answer: A,B
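The registration handler behaviour described in question 55 (createUser on first login, updateUser on later logins) and the one-user-per-customer requirement of question 64, modelled as an added example in Python. This is not Salesforce's Auth.RegistrationHandler interface or any Apex from the page; the class, profile fields and user IDs are constructed stand-ins, and it assumes the social provider asserts a verified email address that can be used to link a second social identity to an existing user.

```python
import json
from dataclasses import dataclass, field


@dataclass
class SocialProfile:
    """Constructed stand-in for the provider data handed to a registration handler."""
    provider: str      # e.g. "Google" or "Facebook"
    identifier: str    # the provider's stable user id
    email: str
    first_name: str
    last_name: str


@dataclass
class User:
    user_id: str
    email: str
    first_name: str
    last_name: str
    linked_identities: set = field(default_factory=set)   # {(provider, identifier)}


class RegistrationHandler:
    """Models createUser/updateUser of a registration handler; hypothetical, not the Apex API."""

    def __init__(self):
        self.users = {}
        self._next = 1

    def _find_by_identity(self, profile):
        key = (profile.provider, profile.identifier)
        return next((u for u in self.users.values() if key in u.linked_identities), None)

    def _find_by_email(self, email):
        return next((u for u in self.users.values() if u.email.lower() == email.lower()), None)

    def create_user(self, profile):
        """First login with a given social identity. If the provider-asserted email
        already belongs to a user, link the new identity to that user instead of
        creating another one, so one customer always maps to one Salesforce user."""
        # Assumption: the provider only asserts emails it has verified; otherwise
        # linking on email would let anyone claim an existing account.
        user = self._find_by_identity(profile) or self._find_by_email(profile.email)
        if user is None:
            user = User(f"005CONSTRUCTED{self._next:04d}", profile.email,
                        profile.first_name, profile.last_name)
            self._next += 1
            self.users[user.user_id] = user
        user.linked_identities.add((profile.provider, profile.identifier))
        return user.user_id

    def update_user(self, user_id, profile_json):
        """Every later login: copy changed personal details from the provider's JSON."""
        data = json.loads(profile_json)
        user = self.users[user_id]
        for name in ("email", "first_name", "last_name"):
            if data.get(name):
                setattr(user, name, data[name])
        return user
```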
NEW QUESTION # 65
Universal Containers (UC) built a Customer Community for customers to buy products, review orders, and manage their accounts. UC has provided three different options for customers to log in to the Customer Community: Salesforce, Google, and Facebook. Which two role combinations are represented by the systems in the scenario? Choose 2 answers
- A. Facebook is the service provider and salesforce is the identity provider
- B. Salesforce is the service provider and Google is the identity provider
- C. Google is the service provider and Facebook is the identity provider
- D. Salesforce is the service provider and Facebook is the identity provider
Answer: B,D
Explanation:
The two role combinations that are represented by the systems in the scenario are Salesforce as the service provider and Google as the identity provider, and Salesforce as the service provider and Facebook as the identity provider. This means that Salesforce hosts the customer community app and relies on Google or Facebook to authenticate the users who log in with those options. Therefore, options B and D are the correct answers.
References: Salesforce as Service Provider and Identity Provider for SSO
NEW QUESTION # 66
A global company has built an external application that uses data from its Salesforce org via an OAuth 2.0 authorization flow. Upon logout, the existing Salesforce OAuth token must be invalidated.
Which action will accomplish this?
- A. Enable Single Logout with a secure logout URL.
- B. Use a HTTP POST to the System for Cross-domain Identity Management (SCIM) endpoint, including the current OAuth token.
- C. Use a HTTP POST to request the refresh token for the current user.
- D. Use a HTTP POST to make a call to the revoke token endpoint.
Answer: D
Explanation:
To invalidate an existing Salesforce OAuth token, the external application needs to make a HTTP POST request to the revoke token endpoint, passing the token as a parameter. This will revoke the access token and the refresh token if available. The other options are not relevant for this scenario. References: Revoke OAuth Tokens, OAuth 2.0 Token Revocation
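The web server flow from question 54 (authorization code exchanged server-side for an access and refresh token) followed by the logout revocation from question 66, as an added Python example that is not code from the page or from Salesforce. The connected app settings, the authorization code and the FakeSalesforce class are constructed stand-ins; the authorize, token and revoke paths are Salesforce's real OAuth 2.0 endpoint paths.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder settings standing in for a real connected app.
LOGIN_HOST = "https://login.salesforce.com"
CLIENT_ID = "CONSTRUCTED_CLIENT_ID"
CLIENT_SECRET = "CONSTRUCTED_CLIENT_SECRET"
REDIRECT_URI = "https://webapp.example.com/oauth/callback"

def build_authorize_url(state):
    """Step 1: redirect the browser to the authorize endpoint. `state` is a
    per-session random value that ties the later callback to this session."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    return f"{LOGIN_HOST}/services/oauth2/authorize?{urlencode(params)}"

def parse_callback(callback_url, expected_state):
    """Step 2: the browser comes back with ?code=...&state=...; refuse to use
    the code unless the state matches the session that started the flow."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback is not bound to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code

def token_request(code):
    """Step 3: server-to-server exchange of the code for tokens. The client
    secret and the user's credentials never pass through the browser."""
    return {"grant_type": "authorization_code", "code": code, "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}

class FakeSalesforce:
    """Constructed stand-in for the token and revoke endpoints so the flow runs offline."""
    def __init__(self):
        self.codes = {"CODE123"}   # outstanding one-time authorization codes
        self.pairs = []            # (access_token, refresh_token) issued together
        self.revoked = set()

    def post(self, path, form):
        if path == "/services/oauth2/token":
            if form.get("client_secret") != CLIENT_SECRET or form.get("code") not in self.codes:
                return 400, {"error": "invalid_grant"}
            self.codes.discard(form["code"])    # a code is single use
            pair = ("AT_" + secrets.token_hex(8), "RT_" + secrets.token_hex(8))
            self.pairs.append(pair)
            return 200, {"access_token": pair[0], "refresh_token": pair[1]}
        if path == "/services/oauth2/revoke":
            for pair in self.pairs:
                if form.get("token") in pair:    # revoking either token invalidates both
                    self.revoked.update(pair)
                    return 200, {}
            return 400, {"error": "unsupported_token_type"}
        return 404, {}

    def is_valid(self, token):
        return any(token in pair for pair in self.pairs) and token not in self.revoked

def run_flow(sf):
    """Drive the whole flow against the fake endpoint and report what happened."""
    state = secrets.token_urlsafe(16)
    build_authorize_url(state)                  # the browser would be sent here
    callback = f"{REDIRECT_URI}?code=CODE123&state={state}"   # constructed callback
    code = parse_callback(callback, state)
    status, body = sf.post("/services/oauth2/token", token_request(code))
    access, refresh = body["access_token"], body["refresh_token"]
    valid_before = sf.is_valid(access)
    revoke_status, _ = sf.post("/services/oauth2/revoke", {"token": access})  # logout
    return {"token_status": status, "valid_before_logout": valid_before,
            "revoke_status": revoke_status, "access_valid_after_logout": sf.is_valid(access),
            "refresh_valid_after_logout": sf.is_valid(refresh)}
```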
NEW QUESTION # 67
Which two are valid choices for digital certificates when setting up two-way SSL between Salesforce and an external system? Choose 2 answers
- A. Use a self-signed certificate for salesforce and a self-signed cert for the external system
- B. Use a self-signed certificate for salesforce and a trusted CA-signed cert for the external system
- C. Use a trusted CA-signed certificate for salesforce and a trusted CA-signed cert for the external system
- D. Use a trusted CA-signed certificate for salesforce and a self-signed cert for the external system
Answer: A,B
NEW QUESTION # 68
Universal Containers (UC) is using a custom application that will act as the Identity Provider and will generate SAML assertions used to log in to Salesforce. UC is considering including custom parameters in the SAML assertion. These attributes contain sensitive data and are needed to authenticate the users. The assertions are submitted to salesforce via a browser form post. The majority of the users will only be able to access Salesforce via UC's corporate network, but a subset of admins and executives would be allowed access from outside the corporate network on their mobile devices. Which two methods should an Architect consider to ensure that the sensitive data cannot be tampered with, nor accessible to anyone while in transit?
- A. Use Salesforce's Certificate to digitally sign the SAML Assertion and a Mobile Device Management client on the users' mobile devices.
- B. Use the Identity Provider's certificate to digitally sign and Salesforce's Certificate to encrypt the payload.
- C. Use the Identity provider's certificate to digitally Sign and the Identity provider's certificate to encrypt the payload.
- D. Use a custom login flow to retrieve sensitive data using an Apex callout without including the attributes in the assertion.
Answer: B,C
NEW QUESTION # 69
Universal Containers uses an Employee portal for their employees to collaborate. Employees access the portal from their company's internal website via SSO. It is set up to work with Active Directory. What is the role of Active Directory in this scenario?
- A. Identity store
- B. Identity provider
- C. Authentication store
- D. Service provider
Answer: B
NEW QUESTION # 70
Northern Trail Outfitters (NTO) is launching a new sportswear brand on its existing consumer portal built on Salesforce Experience Cloud. As part of the launch, emails with promotional links will be sent to existing customers to log in and claim a discount. The marketing manager would like the portal dynamically branded so that users will be directed to the brand link they clicked on; otherwise, users will view a recognizable NTO-branded page.
The campaign is launching quickly, so there is no time to procure any additional licenses. However, the development team is available to apply any required changes to the portal.
Which approach should the identity architect recommend?
- A. Create a full sandbox to replicate the portal site and update the branding accordingly.
- B. Implement Experience ID in the code and extend the URLs and endpoints, as required.
- C. Use Heroku to build the new brand site and embedded login to reuse identities.
- D. Configure an additional community site on the same org that is dedicated for the new brand.
Answer: B
Explanation:
To dynamically brand the portal so that users will be directed to the brand link they clicked on, the identity architect should recommend implementing Experience ID in the code and extending the URLs and endpoints, as required. Experience ID is a parameter that can be used to identify different brands or experiences within a single Experience Cloud site (formerly known as Community). Dynamic branding is a feature that allows Experience Cloud sites to display different branding elements, such as logos, colors, or images, based on the Experience ID or other criteria. By implementing Experience ID in the code, the identity architect can provide a consistent and personalized brand experience for each user without creating multiple sites or sandboxes.
References: Experience ID, Dynamic Branding for Experience Cloud Sites
NEW QUESTION # 71
Northern Trail Outfitters (NTO) has a requirement to ensure all user logins include a single multi-factor authentication (MFA) prompt. Currently, users are allowed the choice to login with a username and password or via single sign-on against NTO's corporate Identity Provider, which includes built-in MFA.
Which configuration will meet this requirement?
- A. Enable "MFA for User Interface Logins" for your organization from Setup -> Identity Verification.
- B. Create a custom login flow that enforces MFA and assign it to a permission set. Then assign the permission set to all employees.
- C. Create and assign a permission set to all employees that includes "MFA for User Interface Logins."
- D. For all employee profiles, set the Session Level Required at Login to High Assurance and add the corporate identity provider to the High Assurance list for the org's Session Security Levels.
Answer: A
NEW QUESTION # 72
Which three different attributes can be used to identify the user in a SAML assertion when Salesforce is acting as a Service Provider? Choose 3 answers
- A. Salesforce User ID
- B. User Email Address
- C. Federation ID
- D. Salesforce Username
- E. User Full Name
Answer: B,C,D
Explanation:
The three different attributes that can be used to identify the user in a SAML assertion when Salesforce is acting as a Service Provider are Federation ID, User Email Address, and Salesforce Username. According to the Salesforce documentation, "Salesforce supports three attributes for identifying users in a SAML assertion: Federation ID, User Email Address, and Salesforce Username." Therefore, option A, D, and E are the correct answers.
References: [SAML Assertion Attributes]
NEW QUESTION # 73
Salesforce Identity-and-Access-Management-Architect certification exam is a valuable credential for professionals who are responsible for designing and implementing identity and access management solutions using Salesforce technologies. By earning this certification, individuals can demonstrate their expertise in this important area, as well as their commitment to maintaining the security and privacy of sensitive information within their organization.