NEW QUESTION 1
Universal Containers (UC) wants to build a custom mobile app for their field reps to create orders in Salesforce. After the first time the users log in, they must be able to access Salesforce upon opening the mobile app without being prompted to log in again. Which OAuth flows should be considered to support this requirement?
- A. Web Server flow with a Refresh Token.
- B. Mobile Agent flow with a Bearer Token.
- C. User Agent flow with a Refresh Token.
- D. SAML Assertion flow with a Bearer Token.
Answer: AC
Explanation:
The OAuth 2.0 user-agent flow and the OAuth 2.0 web server flow are both suitable for building a custom mobile app that can access Salesforce data without prompting the user to log in again. Both of these flows use a refresh token that can be used to obtain a new access token when the previous one expires. The user-agent flow uses the Canvas JavaScript SDK to obtain an OAuth token by using the login function in the SDK. The web server flow redirects the user to the Salesforce OAuth authorization endpoint and then obtains an OAuth access token by making a POST request to the Salesforce OAuth token endpoint. The mobile agent flow and the SAML assertion flow are not valid OAuth flows for Salesforce.
References: OAuth Authorization Flows, Mastering Salesforce Canvas Apps, Access Data with API Integration
NEW QUESTION 2
Universal Containers (UC) has implemented a SAML-based SSO solution for use with their multi-org Salesforce implementation, utilizing one of the orgs as the Identity Provider. One user is reporting that they can log in to the Identity Provider org but get a generic SAML error message when accessing the other orgs. Which two considerations should the architect review to troubleshoot the issue? Choose 2 answers
- A. The Federation ID must be a valid Salesforce Username
- B. The Federation ID is case sensitive.
- C. The Federation ID must be in the form of an email address.
- D. The Federation ID must be populated on the user record.
Answer: BD
Explanation:
The Federation ID is a field on the user object that is used to link a Salesforce user with an external identity provider. When using SAML SSO, Salesforce matches the Federation ID value with the NameID element in the SAML assertion to identify the user. To troubleshoot the issue of getting a generic SAML error message when accessing the other orgs, the architect should review the following considerations:
The Federation ID is case sensitive, which means that the value in the user record must match exactly the value in the SAML assertion. For example, if the Federation ID is “John.Doe”, then “john.doe” or “JOHN.DOE” will not work.
The Federation ID must be populated on the user record, which means that the user must have a value for this field in each org that they want to access via SSO. If the Federation ID is blank or missing, then Salesforce will not be able to match the user with the SAML assertion.
NEW QUESTION 3
Universal Containers has multiple Salesforce instances where users receive emails from different instances. Users should be logged into the correct Salesforce instance authenticated by their IdP when clicking on an email link to a Salesforce record.
What should be enabled in Salesforce as a prerequisite?
- A. My Domain
- B. External Identity
- C. Identity Provider
- D. Multi-Factor Authentication
Answer: A
Explanation:
My Domain is a feature that allows you to personalize your Salesforce org with a subdomain within the Salesforce domain. For example, instead of using a generic URL like https://na30.salesforce.com, you can use a custom URL like https://somethingReallycool.my.salesforce.com. My Domain should be enabled in Salesforce as a prerequisite for the following reasons:
My Domain lets you work in multiple Salesforce orgs in the same browser. Without My Domain, you can only log in to one org at a time in the same browser.
My Domain lets you set up single sign-on (SSO) with third-party identity providers (IdPs). SSO is an authentication method that allows users to access multiple applications with one login and one set of credentials. With My Domain and SSO, users can log in to Salesforce using their corporate credentials or social accounts.
My Domain lets you customize your login page with your brand. You can add your logo, background image, right-frame content, and authentication service buttons to your login page.
References:
My Domain
[Customize Your Login Process with My Domain]
NEW QUESTION 4
A global company's Salesforce Identity Architect is reviewing its Salesforce production org login history and is seeing some intermittent Security Assertion Markup Language (SAML SSO) 'Replay Detected and Assertion Invalid' login errors.
Which two issues would cause these errors?
Choose 2 answers
- A. The subject element is missing from the assertion sent to Salesforce.
- B. The certificate loaded into SSO configuration does not match the certificate used by the IdP.
- C. The current time setting of the company's identity provider (IdP) and Salesforce platform is out of sync by more than eight minutes.
- D. The assertion sent to Salesforce contains an assertion ID previously used.
Answer: CD
Explanation:
A SAML SSO ‘Replay Detected and Assertion Invalid’ error occurs when Salesforce detects that the same assertion has been used more than once within the validity period. This can happen if the assertion ID is reused by the IdP or if the assertion is resent by the user. Another possible cause is that the time settings of the IdP and Salesforce are not synchronized, which can result in an assertion being valid for a shorter or longer period than expected. References: SAML Single Sign-On Settings, Troubleshoot SAML Single Sign-On
NEW QUESTION 5
Universal Containers (UC) has an Experience Cloud site (Customer Community) where customers can authenticate and place orders, view the status of orders, etc. UC allows guest checkout.
How can a guest register using data previously collected during order placement?
- A. Enable Security Assertion Markup Language Sign-On and use a login flow to collect only order details to retrieve customer data.
- B. Enable Facebook as an authentication provider and use a registration handler to collect only order details to retrieve customer data.
- C. Use a Connected App Handler Apex Plugin class to collect only order details to retrieve customer data.
- D. Enable self-registration and customize a self-registration page to collect only order details to retrieve customer data.
Answer: D
Explanation:
Self-registration allows guests to create their own user accounts and access the community. The self-registration page can be customized to collect order details and use them to retrieve customer data from the org. References: Customize Self-Registration
NEW QUESTION 6
Universal Containers (UC) built an integration for their employees to post, view, and vote for ideas in Salesforce from an internal Company portal. When ideas are posted in Salesforce, links to the ideas are created in the company portal pages as part of the integration process. The Company portal connects to Salesforce using OAuth. Everything is working fine, except when users click on links to existing ideas, they are always taken to the Ideas home page rather than the specific idea, after authorization. Which OAuth URL parameter can be used to retain the original requested page so that a user can be redirected correctly after OAuth authorization?
- A. Redirect_uri
- B. State
- C. Scope
- D. Callback_uri
Answer: A
Explanation:
The redirect_uri parameter is used to specify the URL that the user should be redirected to after OAuth authorization. The redirect_uri should match the one that was registered with the OAuth client application. By using the redirect_uri parameter, the user can be redirected to the original requested page instead of the Ideas home page.
NEW QUESTION 7
Universal Containers uses an Employee portal for their employees to collaborate. Employees access the portal from their company's internal website via SSO. It is set up to work with Active Directory. What is the role of Active Directory in this scenario?
- A. Identity store
- B. Authentication store
- C. Identity provider
- D. Service provider
Answer: C
Explanation:
The role of Active Directory in this scenario is an identity provider. An identity provider is an application that authenticates users and provides information about them to service providers. A service provider is an application that provides a service to users and relies on an identity provider for authentication. In this scenario, the employee portal is a service provider that provides collaboration features to employees and relies on Active Directory for authentication. Active Directory is an identity provider that authenticates employees using their corporate credentials and sends information about them to the employee portal.
References: Identity Provider Overview, Configure SSO to Salesforce Using Microsoft AD FS as the Identity Provider
NEW QUESTION 8
Universal Containers wants to build a custom mobile app connecting to Salesforce using OAuth, and would like to restrict the types of resources mobile users can access. Which OAuth feature of Salesforce should be used to achieve the goal?
- A. Access Tokens
- B. Mobile pins
- C. Refresh Tokens
- D. Scopes
Answer: D
Explanation:
The OAuth feature of Salesforce that should be used to restrict the types of resources mobile users can access is scopes. Scopes are parameters that specify the level of access that the mobile app requests from Salesforce when it obtains an OAuth token. Scopes can be used to limit the access to certain resources or actions, such as API calls, full access, web access, or refresh token. By configuring scopes in the connected app settings, Universal Containers can control what the mobile app can do with the OAuth token and protect against unauthorized or excessive access.
References: [OAuth Scopes], [Connected Apps], [OAuth Authorization Flows]
NEW QUESTION 9
A client is planning to rollout multi-factor authentication (MFA) to its internal employees and wants to understand which authentication and verification methods meet the Salesforce criteria for secure authentication.
Which three functions meet the Salesforce criteria for secure MFA? Choose 3 answers
- A. Username and password + SMS passcode
- B. Username and password + security key
- C. Third-party single sign-on with Mobile Authenticator app
- D. Certificate-based Authentication
- E. Lightning Login
Answer: BCE
Explanation:
Multi-factor authentication (MFA) is a security feature that requires users to verify their identity with two or more factors when they log in to Salesforce. Salesforce supports several types of authentication and verification methods that meet the criteria for secure MFA, such as:
Username and password + security key: A security key is a physical device that plugs into a USB port or connects wirelessly to your computer or mobile device. It generates a unique code that you use to verify your identity when you log in to Salesforce.
Third-party single sign-on with Mobile Authenticator app: Single sign-on (SSO) is an authentication method that allows users to access multiple applications with one login and one set of credentials. A mobile authenticator app is an app that generates temporary codes or sends push notifications that you use to verify your identity when you log in to Salesforce via SSO.
Lightning Login: Lightning Login is an authentication method that allows users to log in to Salesforce without entering a password. Instead, users scan a QR code with their mobile device or click an email link that they receive when they try to log in. Then they use their fingerprint, face ID, or PIN to verify their identity on their mobile device.
References:
Multi-Factor Authentication
Authentication and Verification Methods
NEW QUESTION 10
Universal Containers (UC) would like to enable self-registration for their Salesforce partner community users. UC wants to capture some custom data elements from the partner user, and based on these data elements, wants to assign the appropriate profile and account values. Which two actions should the architect recommend to UC? Choose 2 answers
- A. Modify the CommunitiesSelfRegController to assign the profile and account.
- B. Modify the self-registration trigger to assign profile and account.
- C. Configure registration for communities to use a custom Visualforce page.
- D. Configure registration for communities to use a custom Apex controller.
Answer: AC
Explanation:
To enable self-registration for their Salesforce partner community users, UC should modify the communities’ self-registration controller to assign the profile and account based on the custom data elements from the partner user. UC should also configure registration for communities to use a custom Visualforce page to capture the custom data elements from the partner user. Therefore, options A and C are the correct answers.
References: Salesforce Partner Community, Partner Community Registration Guide
NEW QUESTION 11
Universal Containers wants to implement Single Sign-on for a Salesforce org using an external Identity Provider and corporate identity store.
What type of authentication flow is required to support deep linking?
- A. Web Server OAuth SSO flow
- B. Service-Provider-Initiated SSO
- C. Identity-Provider-initiated SSO
- D. StartURL on Identity Provider
Answer: B
Explanation:
Single sign-on (SSO) is an authentication method that enables users to access multiple applications with one login and one set of credentials. There are two types of SSO flows that can be used with Salesforce as the service provider (SP) and an external identity provider (IdP):
Service-provider-initiated SSO: The user requests a resource from the SP, such as a Salesforce URL. The SP redirects the user to the IdP for authentication. The IdP authenticates the user and sends a SAML response to the SP. The SP validates the SAML response and grants access to the user. This type of SSO flow supports deep linking, which means that the user can access a specific page within Salesforce without logging in again.
Identity-provider-initiated SSO: The user logs in to the IdP and selects an app from a list of available apps. The IdP sends a SAML response to the SP. The SP validates the SAML response and grants access to the user. This type of SSO flow does not support deep linking, which means that the user can only access the default landing page of Salesforce.
References:
Single Sign-On
SAML SSO Flows
Deep Linking
NEW QUESTION 12
Universal Containers (UC) has implemented SAML-based single sign-on for their Salesforce application. UC is using PingFederate as the identity provider. To access Salesforce, users usually navigate to a bookmarked link to the My Domain URL. What type of single sign-on is this?
- A. SP-initiated
- B. IdP-initiated with deep linking
- C. IdP-initiated
- D. Web server flow.
Answer: A
Explanation:
The type of single sign-on that UC is using is SP-initiated, which means that the service provider (Salesforce) initiates the SSO process by sending a SAML request to the identity provider (PingFederate) when the user navigates to the My Domain URL. Therefore, option A is the correct answer. References: SAML SSO with Salesforce as the Service Provider
NEW QUESTION 13
Universal Containers is creating a web application that will be secured by Salesforce Identity using the OAuth 2.1 Web Server Flow (which uses the OAuth 2.0 authorization code grant type).
Which three OAuth concepts apply to this flow? Choose 3 answers
- A. Verification URL
- B. Client Secret
- C. Access Token
- D. Scopes
Answer: BCD
Explanation:
The OAuth 2.0 Web Server Flow requires the client secret to authenticate the web application to Salesforce. The access token is used to access the Salesforce resources on behalf of the user. The scopes define the permissions and access levels for the web application. References: OAuth 2.0 Web Server Authentication Flow, Digging Deeper into OAuth 2.0 on Force.com
NEW QUESTION 14
Which two capabilities does My Domain enable in the context of a SAML SSO configuration? Choose 2 answers
- A. App Launcher
- B. Resource deep linking
- C. SSO from Salesforce Mobile App
- D. Login Forensics
Answer: BC
Explanation:
These are two capabilities that My Domain enables in the context of a SAML SSO configuration. My Domain is a feature that lets you customize your Salesforce domain name and login page. Resource deep linking is the ability to access a specific page or resource within Salesforce directly from a link, without having to navigate through the app. SSO from Salesforce Mobile App is the ability to log in to the Salesforce Mobile App using your SSO credentials, without having to enter your username and password. My Domain enables these capabilities by allowing you to specify your identity provider (IdP) and SSO settings for your unique domain name, and by providing a custom login URL that can be used for deep linking and mobile app login. The other options are not correct for this question because:
App Launcher is a feature that lets you access all your connected apps from one place in Salesforce. It does not require My Domain or SAML SSO to work, although it can be enhanced by using them.
Login Forensics is a feature that analyzes login behavior and identifies anomalous or suspicious logins.
It does not require My Domain or SAML SSO to work, although it can be used with them.
References: My Domain, Deep Linking into Salesforce, Salesforce Mobile App Basics, [App Launcher], [Login Forensics]
NEW QUESTION 15
When designing a multi-branded Customer Identity and Access Management solution on the Salesforce Platform, how should an identity architect ensure a specific brand experience in Salesforce is presented?
- A. The Experience ID, which can be included in OAuth/OpenID flows and Security Assertion Markup Language (SAML) flows as a URL parameter.
- B. Provide a brand picker that the end user can use to select their sub-brand when they arrive on Salesforce.
- C. Add a custom parameter to the service provider's OAuth/SAML call and implement logic on its login page to apply branding based on the parameters value.
- D. The Audience ID, which can be set in a shared cookie.
Answer: A
Explanation:
Configuring an authentication provider to delegate authentication to the LDAP directory ensures that users can only log in to Salesforce if they are active in the LDAP directory. This prevents terminated employees from accessing Salesforce with their old credentials. References: Authentication Providers, Delegated Authentication Single Sign-On
NEW QUESTION 16
A global company has built an external application that uses data from its Salesforce org via an OAuth 2.0 authorization flow. Upon logout, the existing Salesforce OAuth token must be invalidated.
Which action will accomplish this?
- A. Use an HTTP POST to request the refresh token for the current user.
- B. Use an HTTP POST to the System for Cross-domain Identity Management (SCIM) endpoint, including the current OAuth token.
- C. Use an HTTP POST to make a call to the revoke token endpoint.
- D. Enable Single Logout with a secure logout URL.
Answer: C
Explanation:
To invalidate an existing Salesforce OAuth token, the external application needs to make an HTTP POST request to the revoke token endpoint, passing the token as a parameter. This will revoke the access token and the refresh token if available. The other options are not relevant for this scenario. References: Revoke OAuth Tokens, OAuth 2.0 Token Revocation
NEW QUESTION 17
Universal Containers (UC) is building a mobile application that will make calls to the Salesforce REST API. Additionally, UC would like to provide the optimal experience for its mobile users. Which two OAuth scopes should UC configure in the connected app? Choose 2 answers
- A. Refresh token
- B. API
- C. full
- D. Web
Answer: AB
Explanation:
The two OAuth scopes that UC should configure in the connected app are:
Refresh token. This scope allows the mobile app to obtain a refresh token from Salesforce when it obtains an access token. A refresh token can be used to obtain a new access token when the previous one expires or becomes invalid. This scope enables UC to provide an optimal experience for its mobile users by reducing the number of login prompts and authentication failures.
API. This scope allows the mobile app to make REST API calls to Salesforce using the access token.
The REST API allows the mobile app to access or manipulate data and metadata in Salesforce using HTTP methods. This scope enables UC to build a custom mobile app that can connect to Salesforce and perform various operations on Salesforce resources.
References: [OAuth Scopes], [Connected Apps], [Refresh Token], [REST API]
NEW QUESTION 18
Universal Containers (UC) is looking to build a Canvas app and wants to use the corresponding Connected App to control where the app is visible. Which two options are correct in regards to where the app can be made visible under the Connected App setting for the Canvas app? Choose 2 answers
- A. As part of the body of a Salesforce Knowledge article.
- B. In the mobile navigation menu on Salesforce for Android.
- C. The sidebar of a Salesforce Console as a console component.
- D. Included in the Call Control Tool that's part of Open CTI.
Answer: CD
Explanation:
The sidebar of a Salesforce Console as a console component and included in the Call Control Tool that’s part of Open CTI are two options that are correct in regards to where the app can be made visible under the connected app settings for the Canvas app. A Canvas app is an external application that can be embedded within Salesforce using an iframe. A connected app is an application that integrates with Salesforce using APIs and uses OAuth as the authentication protocol. You can control where a Canvas app can be displayed in Salesforce by configuring the locations in the connected app settings. The sidebar of a Salesforce Console as a console component is a valid location for a Canvas app because it allows you to display the app as a collapsible panel on the side of any console app. Included in the Call Control Tool that’s part of Open CTI is a valid location for a Canvas app because it allows you to display the app as part of the softphone panel that integrates with your telephony system. As part of the body of a Salesforce Knowledge article is not a valid location for a Canvas app because it is not supported by the connected app settings. In the mobile navigation menu on Salesforce for Android is not a valid location for a Canvas app because it is not supported by the connected app settings. References: [Canvas Developer Guide], [Connected Apps Overview], [Add or Remove Components from Your Console Apps], [Open CTI Developer Guide]
NEW QUESTION 19
Universal Containers (UC) is setting up Delegated Authentication to allow employees to log in using their corporate credentials. UC's security team is concerned about the risk of exposing the corporate login service on the Internet and has asked that a reliable trust mechanism be put in place between the login service and Salesforce. What mechanism should an architect put in place to enable a trusted connection between the login service and Salesforce?
- A. Include client ID and client secret in the login header callout.
- B. Set up a proxy server for the login service in the DMZ.
- C. Require the use of Salesforce security Tokens on password.
- D. Enforce mutual Authentication between systems using SSL.
Answer: D
Explanation:
To enable a trusted connection between the login services and Salesforce, UC should enforce mutual authentication between systems using SSL. Mutual authentication is a process in which both parties in a communication verify each other’s identity using certificates. SSL (Secure Sockets Layer) is a protocol that provides secure communication over the Internet using encryption and certificates. By using mutual authentication with SSL, UC can ensure that only authorized login services can access Salesforce and vice versa. This can prevent unauthorized access, impersonation, or phishing attacks.
References: Mutual Authentication, SSL (Secure Sockets Layer)
NEW QUESTION 20