What Exact Identity-and-Access-Management-Architect Exams Is

NEW QUESTION 1
Universal Containers want users to be able to log in to the Salesforce mobile app with their Active Directory password. Employees are unable to use mobile VPN.
Which two options should an identity architect recommend to meet the requirement? Choose 2 answers

• A. Active Directory Password Sync Plugin
• B. Configure Cloud Provider Load Balancer
• C. Salesforce Trigger & Field on Contact Object
• D. Salesforce Identity Connect

Answer: AD

Explanation:
Active Directory Password Sync Plugin allows users to log in to Salesforce with their Active Directory password without using a VPN. Salesforce Identity Connect synchronizes users and groups between Active Directory and Salesforce and enables single sign-on. References: Active Directory Password Sync Plugin, Salesforce Identity Connect

NEW QUESTION 2
Universal Containers (UC) has decided to use Salesforce as an Identity Provider for multiple external applications. UC wants to use the salesforce App Launcher to control the Apps that are available to individual users. Which three steps are required to make this happen?

• A. Add each connected App to the App Launcher with a Start URL.
• B. Set up an Auth Provider for each External Application.
• C. Set up Salesforce as a SAML Idp with My Domain.
• D. Set up Identity Connect to Synchronize user data.
• E. Create a Connected App for each external application.

Answer: ACE

Explanation:
These are the steps required to enable Salesforce as a SAML Identity Provider and use the App Launcher to access external applications. According to the Salesforce documentation1, you need to:
Enable Salesforce as a SAML Identity Provider with My Domain2.
Create a Connected App for each external application that you want to integrate with Salesforce3.
Add each Connected App to the App Launcher with a Start URL that points to the external application1.
Option B is incorrect because setting up an Auth Provider is not necessary for SAML SSO. Auth Providers are used for OAuth SSO, which is a different protocol4. Option D is incorrect because Identity Connect is a tool for synchronizing user data between Active Directory and Salesforce, which is not related to SSO or App Launcher5.
References: 1: App Launcher - Salesforce 2: Enable Salesforce as a SAML Identity Provider 3: Connec Apps Overview 4: Identity Providers and Service Providers - Salesforce 5: Identity Connect Overview

NEW QUESTION 3
Universal Containers (UC) would like its community users to be able to register and log in with Linkedin or Facebook Credentials. UC wants users to clearly see Facebook &Linkedin Icons when they register and login. What are the two recommended actions UC can take to achieve this Functionality? Choose 2 answers

• A. Enable Facebook and Linkedin as Login options in the login section of the Community configuration.
• B. Create custom Registration Handlers to link Linkedin and facebook accounts to user records.
• C. Store the Linkedin or Facebook user IDs in the Federation ID field on the Salesforce User record.
• D. Create custom buttons for Facebook and inkedin using JAVAscript/CSS on a custom Visualforce page.

Answer: AB

Explanation:
The two recommended actions UC can take to achieve the functionality of allowing community users to register and log in with LinkedIn or Facebook credentials are:
Enable Facebook and LinkedIn as login options in the login section of the community configuration.
This action allows UC to configure Facebook and LinkedIn as authorization providers in Salesforce, which are external services that authenticate users and provide information about their identity and
attributes. By enabling these login options in the community configuration, UC can display Facebook and LinkedIn icons on the community login page and allow users to log in with their existing credentials from these services.
Create custom registration handlers to link LinkedIn and Facebook accounts to user records. This action allows UC to create Apex classes that implement the Auth.RegistrationHandler interface and define the logic for creating or updating user accounts in Salesforce when users log in with LinkedIn or Facebook. By creating custom registration handlers, UC can map the information from the authorization providers to the user fields in Salesforce, such as name, email, profile, or contact.
The other options are not recommended actions for this scenario. Storing the LinkedIn or Facebook user IDs in the Federation ID field on the Salesforce user record is not necessary or sufficient for enabling SSO with these services, as the Federation ID is used for SAML-based SSO, not OAuth-based SSO. Creating custom buttons for Facebook and LinkedIn using JavaScript/CSS on a custom Visualforce page is not advisable, as it would require custom code and UI development, which could increase complexity and maintenance efforts. Moreover, it would not leverage the built-in functionality of authorization providers and registration handlers that Salesforce provides. References: [Authorization Providers], [Enable Social Sign-On for Your Community], [Create a Registration Handler Class], [Auth.RegistrationHandler Interface], [Federation ID]

NEW QUESTION 4
Universal Containers is implementing Salesforce Identity to broker authentication from its enterprise single sign-on (SSO) solution through Salesforce to third party applications using SAML.
What rote does Salesforce Identity play in its relationship with the enterprise SSO system?

• A. Identity Provider (IdP)
• B. Resource Server
• C. Service Provider (SP)
• D. Client Application

Answer: C

Explanation:
To broker authentication from its enterprise SSO solution through Salesforce to third party applications using SAML, Salesforce Identity plays the role of a Service Provider (SP). A SP is an entity that relies on an Identity Provider (IdP) to authenticate and authorize users. In this scenario, the enterprise SSO solution is the IdP, Salesforce is the SP, and the third party applications are the Resource Servers or Client Applications. The SP receives a SAML assertion from the IdP and uses it to obtain an access token from the Resource Server or Client Application. References: SAML Single Sign-On Settings, Authorize Apps with OAuth

NEW QUESTION 5
Northern Trail Outfitters (NTO) uses a Security Assertion Markup Language (SAML)-based Identity Provider (idP) to authenticate employees to all systems. The IdP authenticates users against a Lightweight Directory Access Protocol (LDAP) directory and has access to user information. NTO wants to minimize Salesforce license usage since only a small percentage of users need Salesforce.
What is recommended to ensure new employees have immediate access to Salesforce using their current IdP?

• A. Install Salesforce Identity Connect to automatically provision new users in Salesforce the first time they attempt to login.
• B. Build an integration that queries LDAP periodically and creates new active users in Salesforce.
• C. Configure Just-in-Time provisioning using SAML attributes to create new Salesforce users as necessary when a new user attempts to login to Salesforce.
• D. Build an integration that queries LDAP and creates new inactive users in Salesforce and use a login flow to activate the user at first login.

Answer: C

Explanation:
Just-in-Time (JIT) provisioning is a feature that allows Salesforce to create or update user records on the fly when users log in through an external identity provider, such as a SAML-based IdP. This eliminates the need for manual or batch user provisioning in Salesforce and minimizes license usage. To use JIT provisioning, the identity architect needs to configure the SAML settings in Salesforce and include the user attributes in the SAML assertion sent by the IdP. References: Just-in-Time Provisioning for SAML and OpenID Connect, Identity 101: Design Patterns for Access Management

NEW QUESTION 6
Universal containers (UC) uses an internal company portal for their employees to collaborate. UC decides to use salesforce ideas and provide the ability for employees to post ideas from the company portal. They use SAML-BASED SSO to get into the company portal and would like to leverage it to access salesforce. Most of the users don't exist in salesforce and they would like the user records created in salesforce communities the first time they try to access salesforce. What recommendation should an architect make to meet this requirement?

• A. Use on-the-fly provisioning
• B. Use just-in-time provisioning
• C. Use salesforce APIs to create users on the fly
• D. Use Identity connect to sync users

Answer: B

Explanation:
Just-in-time provisioning is a feature that allows Salesforce to create user accounts automatically when users log in for the first time via an external identity provider. This way, UC can avoid creating user records manually or synchronizing them with another system. On-the-fly provisioning is not a valid term in Salesforce. Salesforce APIs can be used to create users programmatically, but they are not related to SSO. Identity Connect is a tool that can sync users between Salesforce and Active Directory, but it is not required for SSO.
References: Certification - Identity and Access Management Architect - Trailhead, [Just-in-Time Provisioning for SAML and OpenID Connect]

NEW QUESTION 7
Universal Containers is implementing a new Experience Cloud site and the identity architect wants to use dynamic branding features as of the login process.
Which two options should the identity architect recommend to support dynamic branding for the site? Choose 2 answers

• A. To use dynamic branding, the community must be built with the Visuaiforce + Salesforce Tabs template.
• B. To use dynamic branding, the community must be built with the Customer Account Portal template.
• C. An experience ID (expid) or placeholder parameter must be used in the URL to represent the brand.
• D. An external content management system (CMS) must be used for dynamic branding on Experience Cloud sites.

Answer: BC

Explanation:
Dynamic branding is a feature that allows Experience Cloud sites to display different branding elements, such as logos, colors, or images, based on the user’s profile or preferences. To use dynamic branding, the community must be built with the Customer Account Portal template, which supports this feature. An experience ID (expid) or placeholder parameter must be used in the URL to represent the brand and trigger the dynamic branding logic.
References: Dynamic Branding for Experience Cloud Sites, Create a Customer Account Portal

NEW QUESTION 8
Universal Containers (UC) wants to provide single sign-on (SSO) for a business-to-consumer (B2C) application using Salesforce Identity.
Which Salesforce license should UC utilize to implement this use case?

• A. Identity Only
• B. Salesforce Platform
• C. External Identity
• D. Partner Community

Answer: C

Explanation:
External Identity is the license that enables SSO for B2C applications using Salesforce Identity. It also provides self-registration, social sign-on, and user profile management features. References: Certification - Identity and Access Management Architect - Trailhead

NEW QUESTION 9
Universal Containers (UC) rolling out a new Customer Identity and Access Management Solution will be built on top of their existing Salesforce instance.
Several service providers have been setup and integrated with Salesforce using OpenlD Connect to allow for a seamless single sign-on experience. UC has a requirement to limit user access to only a subset of service providers per customer type.
Which two steps should be done on the platform to satisfy the requirement? Choose 2 answers

• A. Manage which connected apps a user has access to by assigning authentication providers to the user’s profile.
• B. Assign the connected app to the customer community, and enable the users profile in the Community settings.
• C. Use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps.
• D. Set each of the Connected App access settings to Admin Pre-Approved.

Answer: CD

Explanation:
To limit user access to only a subset of service providers per customer type, the identity architect should use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps. Connected apps are frameworks that enable external applications to integrate with Salesforce using APIs and standard protocols, such as OpenID Connect. By setting each of the Connected App access settings to Admin Pre-Approved, the identity architect can control which users can access which connected apps by assigning profiles or permission sets to the connected apps. The other options are not relevant for this scenario. References: Connected Apps, Manage Connected Apps

NEW QUESTION 10
architect is troubleshooting some SAML-based SSO errors during testing. The Architect confirmed that all of the Salesforce SSO settings are correct. Which two issues outside of the Salesforce SSO settings are most likely contributing to the SSO errors the Architect is encountering? Choose 2 Answers

• A. The Identity Provider is also used to SSO into five other applications.
• B. The clock on the Identity Provider server is twenty minutes behind Salesforce.
• C. The Issuer Certificate from the Identity Provider expired two weeks ago.
• D. The default language for the Identity Provider and Salesforce are Different.

Answer: BC

Explanation:
The two issues outside of the Salesforce SSO settings that are most likely contributing to the SSO errors are the clock on the identity provider server being twenty minutes behind Salesforce and the issuer certificate from the identity provider expiring two weeks ago. These issues can cause SAML assertion errors, which prevent the user from logging in with SSO. A SAML assertion is an XML document that contains information about the user’s identity and attributes, and it is signed by the identity provider and sent to Salesforce as part of the SSO process4. If the clock on the identity provider server is not synchronized with Salesforce, the SAML assertion may be rejected as invalid or expired, as it has a time limit for validity5. If the issuer certificate from the identity provider is expired, the SAML assertion may not be verified by Salesforce, as it relies on the certificate to validate the signature6. The other options are not likely issues that cause SSO errors. The identity provider being used to SSO into five other applications does not affect its ability to SSO into Salesforce, as long as it supports multiple service providers and has a separate configuration for each one7. The default language for the identity provider and Salesforce being different does not affect the SSO process, as it does not impact the SAML assertion or its validation.
References: SAML Login Errors, Troubleshoot SAML Assertion Errors, SAML SSO with Salesforce as th Service Provider, Single Sign-On, [How to Troubleshoot a Single Sign-On Error]

NEW QUESTION 11
A multinational industrial products manufacturer is planning to implement Salesforce CRM to manage their business. They have the following requirements:
* 1. They plan to implement Partner communities to provide access to their partner network .
* 2. They have operations in multiple countries and are planning to implement multiple Salesforce orgs.
* 3. Some of their partners do business in multiple countries and will need information from multiple Salesforce communities.
* 4. They would like to provide a single login for their partners.
How should an Identity Architect solution this requirement with limited custom development?

• A. Create a partner login for the country of their operation and use SAML federation to provide access to other orgs.
• B. Consolidate Partner related information in a single org and provide access through Salesforce community.
• C. Allow partners to choose the Salesforce org they need information from and use login flows to authenticate access.
• D. Register partners in one org and access information from other orgs using APIs.

Answer: A

Explanation:
SAML federation allows partners to log in to multiple Salesforce orgs with a single identity provider. The partner login can be created for the country of their operation and then federated to other orgs using SAML assertions. References: SAML Single Sign-On Overview, Federated Authentication Using SAML

NEW QUESTION 12
Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow. Application users will authenticate using username and password. They should not be forced to approve API access in the mobile app or reauthenticate for 3 months.
Which two connected app options need to be configured to fulfill this use case?
Choose 2 answers

• A. Set Permitted Users to "Admin approved users are pre-authorized".
• B. Set Permitted Users to "All users may self-authorize".
• C. Set the Session Timeout value to 3 months.
• D. Set the Refresh Token Policy to expire refresh token after 3 months.

Answer: BD

Explanation:
To fulfill the use case of creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow, where users will authenticate using username and password and not be forced to approve API access or reauthenticate for 3 months, the identity architect should configure two connected app options:
Set Permitted Users to “All users may self-authorize”. Permitted Users is a setting that controls how users can access a connected app. By setting it to “All users may self-authorize”, the identity architect can allow users to access the connected app without requiring administrator approval or API access confirmation.
Set the Refresh Token Policy to expire refresh token after 3 months. Refresh Token Policy is a setting that controls how long a refresh token can be used to obtain a new access token without requiring user authentication. By setting it to expire refresh token after 3 months, the identity architect can allow users to access the connected app for 3 months without reauthenticating, as long as they use the app at least once every 90 days. References: Connected Apps, OAuth 2.0 User-Agent Flow

NEW QUESTION 13
Universal containers (UC) built a customer Community for customers to buy products, review orders, and manage their accounts. UC has provided three different options for customers to log in to the customer Community: salesforce, Google, and Facebook. Which two role combinations are represented by the systems in the scenario? Choose 2 answers

• A. Google is the service provider and Facebook is the identity provider
• B. Salesforce is the service provider and Google is the identity provider
• C. Facebook is the service provider and salesforce is the identity provider
• D. Salesforce is the service provider and Facebook is the identity provider

Answer: BD

Explanation:
The two role combinations that are represented by the systems in the scenario are Salesforce as the service provider and Google as the identity provider, and Salesforce as the service provider and Facebook as the identity provider. This means that Salesforce hosts the customer community app and relies on Google or Facebook to authenticate the users who log in with those options4. Therefore, option B and D are the correct answers.
References: Salesforce as Service Provider and Identity Provider for SSO

NEW QUESTION 14
Universal Containers (UC) has an Experience Cloud site (Customer Community) where customers can authenticate and place orders, view the status of orders, etc. UC allows guest checkout.
Mow can a guest register using data previously collected during order placement?

• A. Enable Security Assertion Markup Language Sign-On and use a login flow to collect only order details to retrieve customer data.
• B. Enable Facebook as an authentication provider and use a registration handler to collect only order details to retrieve customer data.
• C. Use a Connected App Handler Apex Plugin class to collect only order details to retrieve customer data.
• D. Enable self-registration and customize a self-registration page to collect only order details to retrieve customer data.

Answer: D

Explanation:
Self-registration allows guests to create their own user accounts and access the community. The
self-registration page can be customized to collect order details and use them to retrieve customer data from the org. References: Customize Self-Registration

NEW QUESTION 15
A third-party app provider would like to have users provisioned via a service endpoint before users access their app from Salesforce.
What should an identity architect recommend to configure the requirement with limited changes to the third-party app?

• A. Use a connected app with user provisioning flow.
• B. Create Canvas app in Salesforce for third-party app to provision users.
• C. Redirect users to the third-party app for registration.
• D. Use Salesforce identity with Security Assertion Markup Language (SAML) for provisioning users.

Answer: A

Explanation:
To have users provisioned via a service endpoint before users access their app from Salesforce, the identity architect should recommend using a connected app with user provisioning flow. A connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols. A user provisioning flow is a custom post-authentication process that can be used to create or update users in the external application using a service endpoint when users access the connected app from Salesforce. This approach can provide automatic user provisioning with limited changes to the third-party app. References: Connected Apps, User Provisioning for Connected Apps

NEW QUESTION 16
......