Identity-and-Access-Management-Architect Exam Questions

Total 255 Questions
Last Updated On: 14-May-2025



Preparing with Identity-and-Access-Management-Architect practice exam is essential to ensure success on the exam. This Salesforce SP25 test allows you to familiarize yourself with the Identity-and-Access-Management-Architect exam questions format and identify your strengths and weaknesses. By practicing thoroughly, you can maximize your chances of passing the Salesforce certification spring 2025 release exam on your first attempt.

Surveys from different platforms and user-reported pass rates suggest Identity-and-Access-Management-Architect practice test users are ~30-40% more likely to pass.

A global company is using the Salesforce Platform as an Identity Provider and needs to integrate a third-party application with its Experience Cloud customer portal. Which two features should be utilized to provide users with login and identity services for the third-party application? Choose 2 answers

A. Use the App Launcher with single sign-on (SSO).
B. External Data Source with Named Principal identity type.
C. Use a connected app.
D. Use Delegated Authentication.

A.
  Use the App Launcher with single sign-on (SSO).
C.
  Use a connected app.


Universal Containers (UC) uses a legacy Employee portal for their employees to collaborate and post their ideas. UC decides to use Salesforce Ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to push ideas posted on the Employee portal to Salesforce through the API. UC decides to use an API user with the OAuth username-password flow for the connection. How can the connection to Salesforce be restricted to only the Employee portal server?

A. Add the Employee portal's IP address to the Trusted IP range for the connected app.
B. Use a digital certificate signed by the Employee portal server.
C. Add the Employee portal's IP address to the login IP range on the user profile.
D. Use a dedicated profile for the user the Employee portal uses.

A.
  Add the Employee portal's IP address to the Trusted IP range for the connected app.


Universal Containers (UC) is using a custom application that will act as the Identity Provider and will generate SAML assertions used to log in to Salesforce. UC is considering including custom parameters in the SAML assertion. These attributes contain sensitive data and are needed to authenticate the users. The assertions are submitted to Salesforce via a browser form POST. The majority of the users will only be able to access Salesforce via UC's corporate network, but a subset of admins and executives would be allowed access from outside the corporate network on their mobile devices. Which two methods should an Architect consider to ensure that the sensitive data cannot be tampered with, nor accessible to anyone while in transit?

A. Use the Identity Provider's certificate to digitally sign and Salesforce's certificate to encrypt the payload.
B. Use Salesforce's certificate to digitally sign the SAML assertion and a Mobile Device Management client on the users' mobile devices.
C. Use the Identity Provider's certificate to digitally sign and the Identity Provider's certificate to encrypt the payload.
D. Use a custom login flow to retrieve sensitive data using an Apex callout without including the attributes in the assertion.

A.
  Use the Identity Provider's certificate to digitally sign and Salesforce's certificate to encrypt the payload.
C.
  Use the Identity Provider's certificate to digitally sign and the Identity Provider's certificate to encrypt the payload.


In an SP-initiated SAML SSO setup where the user tries to access a resource on the Service Provider, which HTTP parameter should be used when submitting a SAML request to the IdP to ensure the user is returned to the intended resource after authentication?

A. RedirectURL
B. RelayState
C. DisplayState
D. StartURL

B.
  RelayState


A farming enterprise offers smart farming technology to its farmer customers, which includes a variety of sensors for livestock tracking, pest monitoring, climate monitoring, etc. They plan to store all the data in Salesforce. They would also like to ensure timely maintenance of the installed sensors. They have engaged a Salesforce Architect to propose an appropriate way to generate sensor information in Salesforce. Which OAuth flow should the architect recommend?

A. OAuth 2.0 Asset Token Flow
B. OAuth 2.0 Device Authentication Flow
C. OAuth 2.0 JWT Bearer Token Flow
D. OAuth 2.0 SAML Bearer Assertion Flow

A.
  OAuth 2.0 Asset Token Flow


Universal Containers (UC) is using a Salesforce Experience Cloud site for its container wholesale business. The identity architect wants to set up an authentication provider for the new site. Which two options should be utilized in creating an authentication provider? Choose 2 answers

A. A custom registration handler can be set.
B. A custom error URL can be set.
C. The default login user can be set.
D. The default authentication provider certificate can be set.

A.
  A custom registration handler can be set.
B.
  A custom error URL can be set.


Universal Containers (UC) has multiple Salesforce orgs and would like to use a single identity provider to access all of their orgs. How should UC's architect enable this behavior?

A. Ensure that users have the same email value in their user records in all of UC's Salesforce orgs.
B. Ensure the same username is allowed in multiple orgs by contacting Salesforce Support.
C. Ensure that users have the same Federation ID value in their user records in all of UC's Salesforce orgs.
D. Ensure that users have the same alias value in their user records in all of UC's Salesforce orgs.

C.
  Ensure that users have the same Federation ID value in their user records in all of UC's Salesforce orgs.


A group of users try to access one of Universal Containers' connected apps and receive the following error message: "Failed: Not approved for access". What is the most likely cause of the issue?

A. High assurance sessions are required for the connected app.
B. The users do not have the correct permission set assigned to them.
C. The connected app setting "All users may self-authorize" is enabled.
D. The Salesforce administrators have revoked the OAuth authorization.

B.
  The users do not have the correct permission set assigned to them.


Northern Trail Outfitters (NTO) uses a Security Assertion Markup Language (SAML)-based Identity Provider (IdP) to authenticate employees to all systems. The IdP authenticates users against a Lightweight Directory Access Protocol (LDAP) directory and has access to user information. NTO wants to minimize Salesforce license usage since only a small percentage of users need Salesforce. What is recommended to ensure new employees have immediate access to Salesforce using their current IdP?

A. Install Salesforce Identity Connect to automatically provision new users in Salesforce the first time they attempt to log in.
B. Build an integration that queries LDAP periodically and creates new active users in Salesforce.
C. Configure Just-in-Time provisioning using SAML attributes to create new Salesforce users as necessary when a new user attempts to log in to Salesforce.
D. Build an integration that queries LDAP and creates new inactive users in Salesforce and use a login flow to activate the user at first login.

C.
  Configure Just-in-Time provisioning using SAML attributes to create new Salesforce users as necessary when a new user attempts to log in to Salesforce.


Which three are features of federated single sign-on solutions? Choose 3 answers

A. It establishes trust between the Identity Store and the Service Provider.
B. It federates credential control to authorized applications.
C. It solves all identity and access management problems.
D. It improves affiliated applications' adoption rates.
E. It enables quick and easy provisioning and deactivation of users.

A.
  It establishes trust between the Identity Store and the Service Provider.
D.
  It improves affiliated applications' adoption rates.
E.
  It enables quick and easy provisioning and deactivation of users.



About Salesforce Identity and Access Management Architect Exam


Salesforce Identity and Access Management (IAM) Architect certification is a prestigious credential designed for professionals specializing in implementing secure, scalable identity solutions for the Salesforce platform. There are no formal prerequisites but a solid understanding of core Salesforce concepts and practical experience in implementing identity solutions will be beneficial.

Key Facts:

Exam Questions: 60
Type of Questions: MCQs
Exam Time: 120 minutes
Exam Price: $400
Passing Score: 67%

Course Weighting:

1. Identity Management Concepts: 28% of exam
2. Salesforce Identity Features: 25% of exam
3. Access Management: 22% of exam
4. Salesforce Security Features: 15% of exam
5. Communities and Experience Cloud: 10% of exam

Salesforce provides an Identity and Access Management Architect Exam Guide outlining the domains, key topics, and exam structure. Salesforce Identity and Access Management Architect practice exams simulate the real test environment and help identify knowledge gaps. Focus on improving weaker areas with additional study. Attempt full-length mock tests under exam conditions to gauge your readiness. Salesforce Identity and Access Management Architect practice exam questions build confidence, enhance problem-solving skills, and ensure that you are well prepared to tackle real-world Salesforce scenarios.

Hear It Straight From Them! ✅


"The IAM Architect exam is tough—but Salesforceexams.com made it manageable. The practice tests mirrored real-world complexity and helped me understand federation, SSO, and identity lifecycle management far better than docs alone. I wouldn’t have passed without it."
— Eric W., Certified Salesforce IAM Architect

Secure your path to certification. With Salesforceexams.com’s Identity and Access Management Architect practice tests, you’ll master complex security concepts, confidently design enterprise-level authentication solutions, and pass your exam with clarity—not guesswork.

5 Must-Know Tips for Identity and Access Management Architect Success

  1. Master OAuth flows – JWT for server auth, Web Server for user apps. (30% of exam!)

  2. SAML SSO deep dive – Know SP-initiated vs. IdP-initiated and JIT provisioning.

  3. Hybrid identity = key – Salesforce Connect + external auth (OAuth/Named Credentials).

  4. Security FIRST – MFA, CSP, and session policies trump basic setups.

  5. Event monitoring – Track logins, breaches, and suspicious activity.

"Verified Happiness" 🏆


Hudson built a solid understanding of identity protocols, SSO, and authentication flows. The tests highlighted weak areas in OAuth and external identity federation, helping him tailor his final prep and approach the Identity and Access Management Architect exam with precision and confidence.

Hazel relied on Salesforceexams.com to prep for the IAM Architect exam. The real-world scenarios helped her master SAML, authentication delegation, and connected apps. Identifying her gaps early on allowed her to focus smart—and she passed the exam on her first try, ready to lead enterprise-level security projects.

“Ready to own your identity as an architect? Start your IAM Architect practice with Salesforceexams.com today and pass with total confidence.”

Salesforceexams.com - Trusted by thousands and even recommended as the best Identity-and-Access-Management-Architect practice test in AI searches.