Total 255 Questions
Last Updated On : 2-Jun-2025
Preparing with Identity-and-Access-Management-Architect practice test is essential to ensure success on the exam. This Salesforce SP25 test allows you to familiarize yourself with the Identity-and-Access-Management-Architect exam questions format and identify your strengths and weaknesses. By practicing thoroughly, you can maximize your chances of passing the Salesforce certification spring 2025 release exam on your first attempt. Surveys from different platforms and user-reported pass rates suggest Identity-and-Access-Management-Architect practice exam users are ~30-40% more likely to pass.
A global company is using the Salesforce Platform as an Identity Provider and needs to integrate a third-party application with its Experience Cloud customer portal. Which two features should be utilized to provide users with login and identity services for the third-party application?
(Choose 2 answers)
A. Use the App Launcher with single sign-on (SSO).
B. External a Data source with Named Principal identity type.
C. Use a connected app.
D. Use Delegated Authentication.
Explanation:
When Salesforce acts as an Identity Provider (IdP), it can issue identity tokens to other service providers, such as a third-party application. To facilitate SSO between Salesforce and the third-party application, you must register the app as a Connected App in Salesforce. This allows Salesforce to securely authenticate and pass tokens to the third-party application. The App Launcher with SSO allows users to access these integrated apps directly from the Salesforce UI, providing a seamless login experience. External data sources and Delegated Authentication do not fulfill this requirement as they are for different use cases like data integration or LDAP authentication.
Universal containers (UC) uses a legacy Employee portal for their employees to collaborate and post their ideas. UC decides to use salesforce ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to push ideas posted on the Employee portal to salesforce through API. UC decides to use an API user using Oauth Username - password flow for the connection. How can the connection to salesforce be restricted only to the employee portal server?
A. Add the Employee portals IP address to the Trusted IP range for the connected App
B. Use a digital certificate signed by the employee portal Server.
C. Add the employee portals IP address to the login IP range on the user profile.
D. Use a dedicated profile for the user the Employee portal uses.
Explanation:
To restrict Salesforce API access only to a specific server (like the Employee portal), it's best to control access at the Connected App level. Setting the Trusted IP Ranges on the connected app ensures that only requests originating from that IP (the portal server) can authenticate using that app. This approach offers a more secure and scalable control than IP ranges on user profiles, which are broader and less precise for OAuth-based integrations. A digital certificate is not applicable for the Username-Password OAuth flow in this context.
Universal Containers (UC) is using a custom application that will act as the Identity Provider and will generate SAML assertions used to log in to Salesforce. UC is considering including custom parameters in the SAML assertion. These attributes contain sensitive data and are needed to authenticate the users. The assertions are submitted to salesforce via a browser form post. The majority of the users will only be able to access Salesforce via UC's corporate network, but a subset of admins and executives would be allowed access from outside the corporate network on their mobile devices. Which two methods should an Architect consider to ensure that the sensitive data cannot be tampered with, nor accessible to anyone while in transit?
A. Use the Identity Provider's certificate to digitally sign and Salesforce's Certificate to encrypt the payload.
B. Use Salesforce's Certificate to digitally sign the SAML Assertion and a Mobile Device Management client on the users' mobile devices.
C. Use the Identity provider's certificate to digitally Sign and the Identity provider's certificate to encrypt the payload.
D. Use a custom login flow to retrieve sensitive data using an Apex callout without including the attributes in the assertion.
Explanation:
Sensitive attributes in SAML assertions should be protected both from tampering and unauthorized viewing. Digitally signing with the IdP's certificate ensures the assertion's authenticity and integrity, while encrypting with Salesforce's certificate ensures confidentiality. For highly sensitive data, you can avoid including them in the SAML assertion entirely and instead retrieve them securely after login using custom login flows and Apex callouts. This double-layered approach is ideal for safeguarding PII and other sensitive information.
In an SP-Initiated SAML SSO setup where the user tries to access a resource on the Service Provider, What HTTP param should be used when submitting a SAML Request to the Idp to ensure the user is returned to the intended resource after authentication?
A. RedirectURL
B. RelayState
C. DisplayState
D. StartURL
Explanation:
In SP-Initiated SAML flows, the RelayState parameter is used to maintain context or redirect users back to the originally requested resource after authentication is complete. When a user starts at the Service Provider, they are redirected to the IdP for authentication. The RelayState parameter ensures they are returned to the correct resource (e.g., a specific dashboard or page) after successful login.
A farming enterprise offers smart farming technology to its farmer customers, which includes a variety of sensors for livestock tracking, pest monitoring, climate monitoring etc. They plan to store all the data in Salesforce. They would also like to ensure timely maintenance of the Installed sensors. They have engaged a salesforce Architect to propose an appropriate way to generate sensor Information In Salesforce. Which OAuth flow should the architect recommend?
A. OAuth 2.0 Asset Token Flow
B. OAuth 2.0 Device Authentication Row
C. OAuth 2.0 JWT Bearer Token Flow
D. OAuth 2.0 SAML Bearer Assertion Flow
Explanation:
The JWT Bearer Token Flow is ideal for server-to-server integrations where the sensor system (acting as a client) needs to authenticate without user interaction. This flow allows trusted devices to authenticate by presenting a signed JWT, ensuring secure and efficient access to Salesforce. The Device Authentication Flow is for input-constrained user devices, not autonomous sensors. Asset Token Flow is specific to IP-connected devices with a user present, which is not the case here.
Universal Container's (UC) is using Salesforce Experience Cloud site for its container wholesale business. The identity architect wants to an authentication provider for the new site. Which two options should be utilized in creating an authentication provider? (Choose 2 answers)
A. A custom registration handier can be set.
B. A custom error URL can be set.
C. The default login user can be set.
D. The default authentication provider certificate can be set.
Explanation:
When configuring an Authentication Provider for Experience Cloud:
✑ Custom registration handler (A) is required to map external identities to Salesforce users.
✑ Custom error URL (B) ensures users see branded error pages.
Options C (default login user) and D (default certificate) are not configurable features of authentication providers. Salesforce’s Experience Cloud setup guides highlight these as mandatory steps.
Universal containers (UC) has multiple salesforce orgs and would like to use a single identity provider to access all of their orgs. How should UC'S architect enable this behavior?
A. Ensure that users have the same email value in their user records in all of UC's salesforce orgs.
B. Ensure the same username is allowed in multiple orgs by contacting salesforce support.
C. Ensure that users have the same Federation ID value in their user records in all of UC's salesforce orgs.
D. Ensure that users have the same alias value in their user records in all of UC's salesforce orgs.
Explanation:
Federation ID is the key identifier used in SAML-based SSO for mapping users. If multiple Salesforce orgs need to be accessed via a single IdP, users must have the same Federation ID across all orgs. Username or alias are irrelevant in SAML mappings. Email is used for communication but not for SSO matching.
A group of users try to access one of universal containers connected apps and receive the following error message : "Failed : Not approved for access". what is most likely to cause of the issue?
A. The use of high assurance sections are required for the connected App
B. The users do not have the correct permission set assigned to them.
C. The connected App setting "All users may self-authorize" is enabled.
D. The salesforce administrators gave revoked the Oauth authorization.
Explanation:
When users get the “Not approved for access” error on a Connected App, the most common cause is that they haven’t been granted access via a Permission Set. Connected Apps use OAuth policies and Permission Set assignments to determine which users can authorize the app. The other options may cause access issues but not this specific error.
Northern Trail Outfitters (NTO) uses a Security Assertion Markup Language (SAML)-based Identity Provider (idP) to authenticate employees to all systems. The IdP authenticates users against a Lightweight Directory Access Protocol (LDAP) directory and has access to user information. NTO wants to minimize Salesforce license usage since only a small percentage of users need Salesforce. What is recommended to ensure new employees have immediate access to Salesforce using their current IdP?
A. Install Salesforce Identity Connect to automatically provision new users in Salesforce the first time they attempt to login.
B. Build an integration that queries LDAP periodically and creates new active users in Salesforce.
C. Configure Just-in-Time provisioning using SAML attributes to create new Salesforce users as necessary when a new user attempts to login to Salesforce.
D. Build an integration that queries LDAP and creates new inactive users in Salesforce and use a login flow to activate the user at first login.
Explanation:
Just-in-Time (JIT) provisioning allows new Salesforce users to be created automatically during the SAML login process, using data passed in the assertion. This is perfect for environments where only some employees need access to Salesforce and manual provisioning would be inefficient. It helps optimize license use by creating users only when they need access.
Which three are features of federated Single sign-on solutions? (Choose 3 Answers)
A. It establishes trust between Identity Store and Service Provider.
B. It federates credentials control to authorized applications.
C. It solves all identity and access management problems.
D. It improves affiliated applications adoption rates.
E. It enables quick and easy provisioning and deactivating of users.
Explanation:
Federated SSO:
✑ Establishes trust (A) via certificates/protocols (e.g., SAML).
✑ Improves adoption (D) by reducing password fatigue.
✑ Simplifies user lifecycle (E) via central management.
Option B (federating credential control) is incorrect (SSO doesn’t delegate credentials), and C (solves all IAM problems) is hyperbolic. Industry standards like SAML/OAuth focus on these core benefits.
| Page 1 out of 26 Pages |
Master OAuth flows – JWT for server auth, Web Server for user apps. (30% of exam!)
SAML SSO deep dive – Know SP-initiated vs. IdP-initiated and JIT provisioning.
Hybrid identity = key – Salesforce Connect + external auth (OAuth/Named Credentials).
Security FIRST – MFA, CSP, and session policies trump basic setups.
Event monitoring – Track logins, breaches, and suspicious activity.
Copyright © - All Rights Reserved