
[UPDATED 2026] Free Salesforce Identity-and-Access-Management-Architect Exam Questions Self-Assess Preparation
Identity-and-Access-Management-Architect Free Sample Questions to Practice One Year Update
NEW QUESTION # 60
Universal Containers is creating a mobile application that will be secured by Salesforce Identity using the OAuth 2.0 user-agent flow (this flow uses the OAuth 2.0 implicit grant type).
Which three OAuth concepts apply to this flow?
Choose 3 answers
- A. Client ID
- B. Verification Code
- C. Authorization Code
- D. Scopes
- E. Refresh Token
Answer: A,D,E
NEW QUESTION # 61
Universal Containers (UC) has implemented SAML-based SSO solution for use with their multi-org Salesforce implementation, utilizing one ofthe the orgs as the Identity Provider. One user is reporting that they can log in to the Identity Provider org but get a generic SAML error message when accessing the other orgs.
Which two considerations should the architect review to troubleshoot the issue? Choose 2 answers
- A. The Federation ID must be populated on the user record.
- B. The Federation ID must is case sensitive
- C. The Federation ID must be a valid Salesforce Username
- D. The Federation ID must be in the form of an email address.
Answer: A,B
Explanation:
The Federation ID is a field on the user object that is used to link a Salesforce user with an external identity provider. When using SAML SSO, Salesforce matches the Federation ID value with the NameID element in the SAML assertion to identify the user. To troubleshoot the issue of getting a generic SAML error message when accessing the other orgs, the architect should review the following considerations:
* The Federation ID must be case sensitive, which means that the value in the user record must match exactly with the value in the SAML assertion. For example, if the Federation ID is "John.Doe", then
"john.doe" or "JOHN.DOE" will not work.
* The Federation ID must be populated on the user record, which means that the user must have a value for this field in each org that they want to access via SSO. If the Federation ID is blank or missing, then Salesforce will not be able to match the user with the SAML assertion.
NEW QUESTION # 62
Universal Containers (UC) would like its community users to be able to register and log in with Linkedin or Facebook Credentials. UC wants users to clearly see Facebook &Linkedin Icons when they register and login.
What are the two recommended actions UC can take to achieve this Functionality? Choose 2 answers
- A. Store the Linkedin or Facebook user IDs in the Federation ID field on the Salesforce User record.
- B. Enable Facebook and Linkedin as Login options in the login section of the Community configuration.
- C. Create custom buttons for Facebook and inkedin using JAVAscript/CSS on a custom Visualforce page.
- D. Create custom Registration Handlers to link Linkedin and facebook accounts to user records.
Answer: B,D
NEW QUESTION # 63
Containers (UC) uses an internal system for recruiting and would like to have thecandidates' info available in the Salesforce automatically when they are selected. UC decides to use OAuth to connect to Salesforce from the recruiting system and would like to do the authentication using digital certificates. Which two OAuth flows shouldbe considered to meet the requirement? Choose 2 answers
- A. Refresh Token flow
- B. JWT Bearer Token flow
- C. SAML Bearer Assertion flow
- D. Web Service flow
Answer: B,C
Explanation:
JWT Bearer Token flow and SAML Bearer Assertion flow are two OAuth flows that can be usedto authenticate to Salesforce using digital certificates. JWT Bearer Token flow allows a connected app to request an access token from Salesforce by using a JSON Web Token (JWT) that is signed with a digital certificate.
SAML Bearer Assertion flow allowsa connected app to request an access token from Salesforce by using a SAML assertion that is signed with a digital certificate. These two flows can meet therequirement of UC to use OAuth and digital certificates to connect to Salesforce from the recruiting system.
NEW QUESTION # 64
Universal containers (UC) employees have salesforce access from restricted ip ranges only, to protect against unauthorized access. UC wants to rollout the salesforce1 mobile app and make it accessible from any location.
Which two options should an architect recommend? Choose 2 answers
- A. Use login flow to bypass ip range restriction for the mobile app.
- B. Remove existing restrictions on ip ranges for all types of user access.
- C. Relax the ip restriction in the connect app settings for the salesforce1 mobile app
- D. Relax the ip restriction with a second factor in the connect app settings for salesforce1 mobile app
Answer: C,D
Explanation:
Explanation
Relaxing the IP restriction in the connected app settings for the Salesforce1 mobile app and relaxing the IP restriction with a second factor in the connected app settings for Salesforce1 mobile app are two options that an architect should recommend. These options allow UC employees to access the Salesforce1 mobile app from any location, while still maintaining some level of security. Relaxing the IP restriction means that users can log in to the connected app from outside the trusted IP ranges defined in their profiles1. Adding a second factor means that users need to provide an additional verification method, such as a verification code or a security key, to access the app2. Using a login flow to bypass IP range restriction for the mobile app is not a recommended option because it can create a complex and inconsistent user experience3. Removing existing restrictions on IP ranges for all types of user access is not a recommended option because it can expose UC's data and applications to unauthorized access4. References: 1: Restrict Access to Trusted IP Ranges for a Connected App 2: Require Multi-Factor Authentication for Connected Apps 3: [Custom Login Flows] 4:
[Restrict Login Access by IP Address]
NEW QUESTION # 65
An Identity and Access Management (IAM) Architect is recommending Identity Connect to integrate Microsoft Active Directory (AD) with Salesforce for user provisioning, deprovisioning and single sign-on (SSO).
Which feature of Identity Connect is applicable for this scenano?
- A. When configured, Identity Connect acts as an identity provider to both Active Directory and Salesforce, thus providing SSO as a default feature.
- B. When Identity Connect is in place, if a user is deprovisioned in an on-premise AD, the user's Salesforce session Is revoked Immediately.
- C. Identity Connect can be deployed as a managed package on salesforce org, leveraging High Availability of Salesforce Platform out-of-the-box.
- D. If the number of provisioned users exceeds Salesforce licence allowances, identity Connect will start disabling the existing Salesforce users in First-in, First-out (FIFO) fashion.
Answer: B
NEW QUESTION # 66
An insurance company has a connected app in its Salesforce environment that is used to integrate with a Google Workspace (formerly knot as G Suite).
An identity and access management (IAM) architect has been asked to implement automation to enable users, freeze/suspend users, disable users, and reactivate existing users in Google Workspace upon similar actions in Salesforce.
Which solution is recommended to meet this requirement?
- A. Update the Security Assertion Markup Language Just-in-Time (SAML JIt; handler in Salesforce for user provisioning and de-provisioning.
- B. Configure user Provisioning for Connected Apps.
- C. Build an Apex trigger on the useriogin object to make asynchronous callouts to Google APIs.
- D. Build a custom REST endpoint in Salesforce that Google Workspace can poll against.
Answer: B
NEW QUESTION # 67
Northern Trail Outfitters (NTO) leverages Microsoft Active Directory (AD) for management of employee usernames, passwords, permissions, and asset access. NTO also owns a third-party single sign-on (SSO) solution. The third-party party SSO solution is used for all corporate applications, including Salesforce.
NTO has asked an architect to explore Salesforce Identity Connect for automatic provisioning and deprovisiorung of users in Salesforce.
What role does identity Connect play in the outlined requirements?
- A. Identity Provider
- B. User Management
- C. Service Provider
- D. Single Sign-On
Answer: B
NEW QUESTION # 68
Universal Containers (UC) has five Salesforce orgs (UC1, UC2, UC3, UC4, UC5). of Every userthat is in UC2, UC3, UC4, and UC5 is also in UC1, however not all users 65* have access to every org. Universal Containers would like to simplify the authentication process such that all Salesforce users need to remember one set of credentials. UC would like to achieve this with the least impact to cost and maintenance. What approach should an Architect recommend to UC?
- A. Purchase a third-party Identity Provider for all five Salesforce orgs to use and set up JIT user provisioning on all other orgs.
- B. Configure UC1 as the Identity Provider to the other four Salesforce orgs, but don't set up JIT user provisioning for other orgs.
- C. Purchase a third-party Identity Provider for all five Salesforce orgs to use, but don't set up JIT user provisioning for other orgs.
- D. Configure UC1 as the Identity Provider to the other four Salesforce orgs and set up JIT user provisioning on all other orgs.
Answer: D
Explanation:
The best approach to simplify the authentication process and reduce cost and maintenance is to configure UC1 as the Identity Provider to the other four Salesforce orgs and set up JIT user provisioning on all other orgs. This way, users can log in to any of thefive orgs using their UC1 credentials, and their user accounts will be automatically created or updated in the other orgs based on the information from UC11. This eliminates the need to purchase a third-party Identity Provider or manually provision users in advance. The other options are not optimal forthis requirement because:
* Purchasing a third-party Identity Provider for all five Salesforce orgs would incur additional cost and maintenance, and would not leverage the existing user base in UC1.
* Not setting up JIT user provisioning for other orgs would require manually creating or updating user accounts in each org, which would be time-consuming and error-prone. References: Salesforce as an Identity Provider, Identity Providers and Service Providers, Just-in-Time Provisioning for SAML
NEW QUESTION # 69
A technology enterprise is setting up an identity solution with an external vendors wellness application for its employees. The user attributes need to be returned to the wellness application in an ID token.
Which authentication mechanism should an identity architect recommend to meet the requirements?
- A. JWT Bearer Token Flow
- B. Web Server Flow
- C. User Agent Flow
- D. OpenID Connect
Answer: D
Explanation:
Explanation
OpenID Connect is an authentication protocol that allows a service provider to obtain user attributes in an ID token from an IdP. The other flows are OAuth 2.0 flows that are used for authorization, not authentication.
References: Configure an Authentication Provider Using OpenID Connect, Integrate Service Providers as Connected Apps with OpenID Connect
NEW QUESTION # 70
Northern Trail Outfitters (NTO) employees use a customon-premise helpdesk application to request, approve, notify, and track access granted to various on-premises and cloud applications, including Salesforce.
Salesforce is currently used to authenticate users.
How should NTO provision Salesforce users as soon as they are approved in the helpdesk application with the approved profiles and permission sets?
- A. Use a login flow to query the helpdesk to validate user status.
- B. Build an integration that performs a remote call-in to the Salesforce SOAP or REST API.
- C. Use Salesforce Connect to integrate with the helpdesk application.
- D. Have the helpdesk initiate an IdP-initiated Just-m-Time provisioning Security Assertion Markup Language flow.
Answer: B
Explanation:
Building an integration that performs a remote call-in to theSalesforce SOAP or REST API is the best way to provision Salesforce users as soon as they are approved in the helpdesk application. The API allows creating and updating user records with the approved profiles and permission sets. The other options are either not suitable or not sufficient for this use case. References: User SOAP API Developer Guide, User REST API Developer Guide
NEW QUESTION # 71
Universal Containers (UC) wants its closed Won opportunities to be synced to a Data Warehouse in near real time. UC has implemented Outbound Message to enable near real-time data sync. UC wants to ensure that communication between Salesforce and Target System is Secure. What Certificate is sent along with the Outbound Message?
- A. The CA-Signed Certificate from the Certificate and Key Management menu.
- B. The default Client Certificate or a Certificate from Certificate and Key Management menu.
- C. The Self-Signed Certificates from the Certificate & Key Management menu.
- D. The default Client Certificate from the Develop--> API Menu.
Answer: D
NEW QUESTION # 72
Northern Trail Outfitters (NTO) utilizes a third-party cloud solution for an employee portal. NTO also owns Salesforce Service Cloud and would like employees to be able to login to Salesforce with their third-party portal credentials for a seamless expenence. The third-party employee portal only supports OAuth.
What should an identity architect recommend to enable single sign-on (SSO) between the portal and Salesforce?
- A. Configure Salesforce for Delegated Authentication.
- B. Configure SSO to use the third party portal as an identity provider.
- C. Add the third-party portal as a connected app.
- D. Create a custom external authentication provider.
Answer: B
NEW QUESTION # 73
After a recent audit, universal containers was advised to implement Two-factor Authentication for all of their critical systems, including salesforce. Which two actions should UC consider to meet this requirement?
Choose 2 answers
- A. Require users to supply their email and phone number, which gets validated.
- B. Require users to provide their RSA token along with their credentials.
- C. Require users to enter a second password after the first Authentication
- D. Require users to use a biometric reader as well as their password
Answer: B,D
NEW QUESTION # 74
Universal Containers (UC) built an integration for their employees to post, view, and vote for ideas in Salesforce from an internal Company portal. When ideas are posted in Salesforce, links to the ideas are created in the company portal pages as part of the integration process. The Company portal connects to Salesforce using OAuth. Everything is working fine, except when users click on links to existing ideas, they are always taken to the Ideas home page rather than the specific idea, after authorization. Which OAuth URL parameter can be used to retain the original requested page so that a user can be redirected correctly after OAuth authorization?
- A. Redirect_uri
- B. State
- C. Scope
- D. Callback_uri
Answer: A
Explanation:
Explanation
The redirect_uri parameter is used to specify the URL that the user should be redirected to after OAuth authorization1. The redirect_uri should match the one that was registered with the OAuth client application2.
By using the redirect_uri parameter, the user can be redirected to the original requested page instead of the Ideas home page.
NEW QUESTION # 75
Universal Containers (UC) has a classified information system that its call center team uses only when they are working on a case with a record type "Classified". They are only allowed to access the system when they own an open "Classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO eith Salesforce as the Idp, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "Classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying the access to the classified information system based on the open "classified" case record criteria?
- A. Use Apex trigger on case to dynamically assign permission Sets that Grant access when an user is assigned with an open "Classified" case, and remove it when the case is closed.
- B. Use a Common Connected App Handler using Apex to dynamically allow access to the system based on whether the staff owns any open "Classified" Cases.
- C. Use Custom SAML JIT Provisioning to dynamically query the user's open "Classified" cases when attempting to access the classified information system.
- D. Use Salesforce reports to identify users that currently owns open "Classified" cases and should be granted access to the Classified information system.
Answer: B
NEW QUESTION # 76
A client is planning to rollout multi-factor authentication (MFA) to its internal employees and wants tounderstand which authentication and verification methods meet the Salesforce criteria for secure authentication.
Which three functions meet the Salesforce criteria for secure mfa?
Choose 3 answers
- A. Username and password + secunty key
- B. Certificate-based Authentication
- C. Third-party single sign-on with Mobile Authenticator app
- D. username and password + SMS passcode
- E. Lightning Login
Answer: A,C,E
Explanation:
Multi-factor authentication (MFA) is a security feature that requires users to verify their identity with two or more factors when they log in to Salesforce4. Salesforcesupports several types of authentication and verification methods that meet the criteria for secure MFA, such as5:
* Username and password + security key: A security key is a physical device that plugs into a USB port or connects wirelessly to your computeror mobile device. It generates a unique code that you use to verify your identity when you log in to Salesforce5.
* Third-party single sign-on with Mobile Authenticator app: Single sign-on (SSO) is an authentication method that allows users to access multiple applications with one login and one set of credentials. A mobile authenticator app is an app that generates temporary codes or sends push notifications that you use to verify your identity when you log in to Salesforce via SSO5.
* Lightning Login: Lightning Login is an authentication method that allows users to log in to Salesforce without entering a password. Instead, users scan a QR code with their mobile device or click an email link that they receive when they try to log in. Then they use their fingerprint, face ID, or PIN to verifytheir identity on their mobile device5.
References:
Multi-Factor Authentication
Authentication and Verification Methods
NEW QUESTION # 77
Universal Containers (UC) is building a customer community and will allow customers to authenticate using Facebook credentials. The First time the user authenticating using Facebook, UC would like acustomer account created automatically in their accounting system. The accounting system has a web service accessible to Salesforce for the creation of accounts. How can the Architect meet these requirements?
- A. Create a custom application on Heroku that manages the sign-on process from Facebook.
- B. Use OAuth JWT flow to pass the data fromSalesforce to the Accounting System.
- C. Use JIT Provisioning to automatically create the account in the accounting system.
- D. Add an Apex callout in the registration handler of the authorization provider.
Answer: D
Explanation:
The best option for UC to meet the requirements is to add an Apex callout in the registration handler of the authorization provider. An authorization provider is a configuration in Salesforce that allows usersto log in with an external authentication provider, such as Facebook. A registration handler is an Apex class that implements the Auth.RegistrationHandler interface and defines the logic for creating or updating a user account when a user logs in with anexternal authentication provider. An Apex callout is a method that invokes an external web service from Apex code. By adding an Apex callout in the registration handler, UC can create a customer account in their accounting system by calling the web servicethat is accessible to Salesforce. This option enables UC to automate the account creation process and integrate with their existing accounting system. The other options are not optimal for this scenario. Creating a custom application on Heroku that manages the sign-on process from Facebook would require UC to develop and maintain a separate application and infrastructure, which could increase complexity and cost. Using JIT provisioning to automatically create the account in the accounting system would require UC to configure Facebook as a SAML identity provider, which is not supported by Facebook. Using OAuth JWT flow to pass the data from Salesforce to the accounting system would require UC to obtain anOAuth token from the accounting system and use it tomake API calls, which could introduce security and performance issues. References: [Authorization Providers],
[Create a Registration Handler Class], [Auth.RegistrationHandler Interface], [Apex Callouts], [Facebook as SAML Identity Provider], [OAuth 2.0 JWTBearer Flow for Server-to-Server Integration]
NEW QUESTION # 78
An architect needs to set up a Facebook Authentication provider as login option for a salesforce customer Community. What portion of the authentication provider setup associates a Facebook user with a salesforce user?
- A. Federation ID
- B. User info endpoint URL
- C. Consumer key and consumer secret
- D. Apex registration handler
Answer: D
Explanation:
Explanation
D is correct because Apex registration handler is the portion of the authentication provider setup that associates a Facebook user with a Salesforce user when customers use their Facebook credentials to log in to the customer community. Apex registration handler is an Apex class that handles the logic for creating or updating a user record based on the information received from Facebook. A is incorrect because consumer key and consumer secret are portions of the authentication provider setup that identify and authenticate UC's customer community with Facebook, not associate a Facebook user with a Salesforce user. B is incorrect because Federation ID is an attribute that can be used to identify a user in a SAML assertion when UC uses SAML-based SSO with Facebook, not when UC uses social sign-on with Facebook. C is incorrect because user info endpoint URL is a portion of the authentication provider setup that specifies the URL to obtain the user information from Facebook, not associate a Facebook user with a Salesforce user. Verified References:
[Apex Registration Handler], [Consumer Key and Secret], [Federation ID], [User Info Endpoint URL]
NEW QUESTION # 79
Northern Trail Outfitters would like to automatically create new employee users in Salesforce with an appropriate profile that maps to its Active Directory Department.
How should an identity architect implement this requirement?
- A. Make a callout during the login flow to query department from Active Directory to assign the appropriate profile.
- B. Use the createUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.
- C. Use a login flow to collect Security Assertion Markup Language attributes and assign the appropriate profile during Just-In-Time (JIT) provisioning.
- D. Use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.
Answer: D
Explanation:
Explanation
To automatically create new employee users in Salesforce with an appropriate profile that maps to their Active Directory Department, the identity architect should use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile. JIT provisioning is a feature that allows Salesforce to create or update user records on the fly when users log in through an external identity provider, such as Active Directory. The updateUser method is a method in the Auth.RegistrationHandler interface that defines how to update an existing user in Salesforce based on the information from the external identity provider. The identity architect can use this method to assign the appropriate profile to the user based on their department attribute. References: Just-in-Time Provisioning for SAML and OpenID Connect, Create a Custom Registration Handler
NEW QUESTION # 80
What are three capabilities of Delegated Authentication? Choose 3 answers
- A. It can connect to SOAP services.
- B. It can connect to REST services.
- C. It can be assigned by Permission Sets.
- D. It can be assigned by Custom Permissions.
- E. It can be assigned by Profiles.
Answer: A,B,C
NEW QUESTION # 81
Which three types of attacks would a 2-Factor Authentication solution help garden against?
- A. Key logging attacks
- B. Man-in-the-middle attacks
- C. Phishing attacks
- D. Network perimeter attacks
- E. Dictionary attacks
Answer: A,D,E
NEW QUESTION # 82
A third-party app provider would like to have users provisioned via a service endpoint before users access their app from Salesforce.
What should an identity architect recommend to configure the requirement with limited changes to the third-party app?
- A. Create Canvas app in Salesforce for third-party app to provision users.
- B. Redirect users to the third-party app for registration.
- C. Use a connected app with user provisioning flow.
- D. Use Salesforce identity with Security Assertion Markup Language (SAML) for provisioning users.
Answer: C
NEW QUESTION # 83
Universal Containers (UC) plans to use a SAML-based third-party IdP serving both of the Salesforce Partner Community and the corporate portal. UC partners will log in 65* to the corporate portal to access protected resources, including links to Salesforce resources. What would be the recommended way to configure the IdP so that seamless access can be achieved in this scenario?
- A. Set up the corporate portal as a Connected App in Salesforce and use the Web server OAuth flow.
- B. Set up the corporate portal as a Connected App in Salesforce and use the User Agent OAuth flow.
- C. Configure IdP-initiated SSO that passes the SAML token upon Salesforce resource access request.
- D. Configure SP-initiated SSO that passes the SAML token upon Salesforce resource access request.
Answer: C
Explanation:
Explanation
The recommended way to configure the IdP for seamless access is to use IdP-initiated SSO that passes the SAML token upon Salesforce resource access request. This means that the user logs in to the corporate portal first, and then clicks a link to access a Salesforce resource. The IdP sends a SAML response to Salesforce with the user's identity and other attributes. Salesforce verifies the SAML response and logs in the user to the appropriate Salesforce org and community12. This way, the user does not have to log in again to Salesforce or enter any credentials3. References: 1: SAML SSO with Salesforce as the Service Provider 2: Set Up Single Sign-On for Your Internal Users Unit | Salesforce - Trailhead 3: What is IdP-Initiated Single Sign-On? - OneLogin
NEW QUESTION # 84
......
Real exam questions are provided for Identity and Access Management Designer tests, which can make sure you 100% pass: https://www.prepawaypdf.com/Salesforce/Identity-and-Access-Management-Architect-practice-exam-dumps.html
Download Identity-and-Access-Management-Architect exam with Salesforce Identity-and-Access-Management-Architect Real Exam Questions: https://drive.google.com/open?id=1gcvMXuKLzGmAy7TujGjQZWlF8DzjCHlS