Identity-and-Access-Management-Architect Practice Test Questions

Total 255 Questions


Last Updated On : 30-Jun-2025



Preparing with Identity-and-Access-Management-Architect practice test is essential to ensure success on the exam. This Salesforce SP25 test allows you to familiarize yourself with the Identity-and-Access-Management-Architect exam questions format and identify your strengths and weaknesses. By practicing thoroughly, you can maximize your chances of passing the Salesforce certification spring 2025 release exam on your first attempt.

Surveys from different platforms and user-reported pass rates suggest Identity-and-Access-Management-Architect practice exam users are ~30-40% more likely to pass.

How should an Architect force users to authenticate with Two-factor Authentication (2FA) for Salesforce only when they are not connected to an internal company network?



A. Use Custom Login Flows with Apex to detect the user's IP address and prompt for 2FA if needed.


B. Add the list of company's network IP addresses to the Login Range list under 2FA Setup.


C. Use an Apex Trigger on the UserLogin object to detect the user's IP address and prompt for 2FA if needed.


D. Apply the "Two-factor Authentication for User Interface Logins" permission and Login IP Ranges for all Profiles.





A.
  Use Custom Login Flows with Apex to detect the user's IP address and prompt for 2FA if needed.

Explanation:

To enforce two-factor authentication (2FA) only when users log in from outside the internal company network, the decision has to be made at login time from the source IP address. Salesforce's Login Flow feature provides exactly that hook: a login flow runs after credential authentication and before the session is released to the user, and it can be built either declaratively in Flow Builder (which receives the address in the LoginFlow_IpAddress input variable) or as a Visualforce page backed by an Apex controller. The Apex controller can read the source IP from Auth.SessionManagement.getCurrentSession(), compare it against the internal ranges, and either finish the flow immediately or send the user through an additional verification step first. This is the documented pattern for conditional authentication based on login context.

Option B does not work: there is no login range list under 2FA setup, and the Login IP Ranges that do exist (on profiles) broadly allow or deny the login rather than adding a factor. Option C is invalid because UserLogin only records a user's lock and freeze status and does not support triggers; anything keyed off login records runs after authentication, too late to gate the login. Option D applies 2FA to every UI login regardless of network and uses per-profile IP ranges to restrict access, which is the opposite of enforcing 2FA only for external access. The only viable, supported approach is therefore a custom login flow.
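As an added example (not code from the original page or from Salesforce), the following Visualforce login-flow controller implements option A. It assumes a Visualforce page named ConditionalMfaLoginFlow whose action attribute calls checkNetwork and which is registered as the login flow for the affected profiles, and it assumes the corporate ranges are maintained as the org's trusted IP ranges (Setup, Network Access), which Auth.SessionManagement.inOrgNetworkRange checks. The SessionSecurityLevel key and its HIGH_ASSURANCE value are read from the getCurrentSession map.

```apex
// Added example: conditional second factor in a Visualforce login flow.
// Assumes page "ConditionalMfaLoginFlow" (action="{!checkNetwork}") and that
// the internal company ranges are configured as the org's trusted IP ranges.
public with sharing class ConditionalMfaLoginFlowController {

    public PageReference checkNetwork() {
        Map<String, String> session = Auth.SessionManagement.getCurrentSession();
        String sourceIp = session.get('SourceIp');

        // Case 1: the request originates inside a trusted (corporate) range.
        // No extra factor needed; hand the session to the user.
        if (String.isNotBlank(sourceIp)
                && Auth.SessionManagement.inOrgNetworkRange(sourceIp)) {
            return Auth.SessionManagement.finishLoginFlow();
        }

        // Case 2: the verification step already ran during this login and the
        // session is now high assurance (we were redirected back here). Finish.
        if ('HIGH_ASSURANCE'.equals(session.get('SessionSecurityLevel'))) {
            return Auth.SessionManagement.finishLoginFlow();
        }

        // Case 3: external network and standard assurance. Send the user to the
        // platform's identity verification screen (MFA), then return to this page.
        // A missing source IP also lands here, so the check fails closed.
        String returnUrl = Page.ConditionalMfaLoginFlow.getUrl();
        String verifyUrl = Auth.SessionManagement.generateVerificationUrl(
            Auth.VerificationPolicy.HIGH_ASSURANCE,
            'Login from outside the corporate network',
            returnUrl);
        return new PageReference(verifyUrl);
    }
}
```

The controller never finishes the flow on an unverified external login, and a blank source IP is treated as external. Source IP is a weak signal on its own (split-tunnel VPNs, proxies, NAT), so treat this as a convenience for on-network users rather than as the only control, and keep the trusted ranges list short and reviewed.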

Universal Containers (UC) would like to enable self-registration for their Salesforce Partner Community Users. UC wants to capture some custom data elements from the partner user, and based on these data elements, wants to assign the appropriate Profile and Account values. Which two actions should the Architect recommend to UC? (Choose 2 answers)



A. Configure Registration for Communities to use a custom Visualforce Page.


B. Modify the Self Registration trigger to assign Profile and Account.


C. Modify the Communities Self Reg Controller to assign the Profile and Account.


D. Configure Registration for Communities to use a custom Apex Controller.





C.
  Modify the Communities Self Reg Controller to assign the Profile and Account.

D.
  Configure Registration for Communities to use a custom Apex Controller.

Explanation:

To enable self-registration for partner community users with custom data elements, UC should modify the CommunitiesSelfRegController class that Salesforce generates when self-registration is enabled, so that it reads the captured values and sets the Profile and Account before calling Site.createExternalUser. UC should also configure the community's self-registration page to use that custom Apex controller (either the modified generated class or a class that extends it and overrides the registration logic). A custom Visualforce page alone (Option A) only changes the form and cannot assign anything without controller code, and there is no self-registration trigger to modify (Option B).
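The following is an added example, not code from the page or Salesforce's generated controller: a self-registration controller that maps a custom form field to a Profile and a partner Account. The picklist values, the profile and account names, the page and the landing path are all hypothetical.

```apex
// Added example: self-registration controller that derives Profile and Account
// from a custom form field. Hypothetical names: the "partnerType" values, the
// profile and account names below, and the landing path.
// "without sharing": the controller runs as the site guest user, which
// otherwise could not read the partner Account records it has to look up.
public without sharing class CustomPartnerSelfRegController {
    public String firstName { get; set; }
    public String lastName { get; set; }
    public String email { get; set; }
    public String password { get; set; }
    public String confirmPassword { get; set; }
    public String partnerType { get; set; }   // the custom data element

    // Closed, server-side mapping: the form never supplies a profile or account
    // id directly, so a tampered request cannot pick an arbitrary one.
    private static final Map<String, List<String>> ASSIGNMENT = new Map<String, List<String>>{
        'RESELLER'    => new List<String>{ 'Reseller Partner User', 'Reseller Partners' },
        'DISTRIBUTOR' => new List<String>{ 'Distributor Partner User', 'Distributor Partners' }
    };

    public PageReference registerUser() {
        if (String.isBlank(password) || password != confirmPassword) {
            addError('Passwords do not match.');
            return null;
        }
        List<String> target = ASSIGNMENT.get(partnerType);
        if (target == null) {
            addError('Unknown partner type.');
            return null;
        }
        Profile p = [SELECT Id FROM Profile WHERE Name = :target[0] LIMIT 1];
        Account partnerAccount = [SELECT Id FROM Account
                                  WHERE Name = :target[1] AND IsPartner = true LIMIT 1];

        User u = new User();
        u.Username = email;
        u.Email = email;
        u.FirstName = firstName;
        u.LastName = lastName;
        u.CommunityNickname = lastName
            + String.valueOf(Math.abs(Crypto.getRandomInteger())).left(6);
        u.ProfileId = p.Id;   // profile chosen from the custom data element

        try {
            // Creates the Contact under the chosen partner Account and then the user.
            Id userId = Site.createExternalUser(u, partnerAccount.Id, password);
            if (userId == null) {
                return null;   // the platform already added the failure message to the page
            }
            return Site.login(email, password, Site.getBaseUrl() + '/s/');
        } catch (Site.ExternalUserCreateException e) {
            addError(e.getMessage());
            return null;
        }
    }

    private void addError(String msg) {
        ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR, msg));
    }
}
```

The design point worth keeping from this example is the closed mapping: self-registration is an unauthenticated entry point, so the custom data element should select from a fixed set of profile and account pairs on the server, never carry record ids chosen by the client.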

Universal Containers (UC) wants to provide single sign-on (SSO) for a business-to- consumer (B2C) application using Salesforce Identity. Which Salesforce license should UC utilize to implement this use case?



A. Identity Only


B. Salesforce Platform


C. External Identity


D. Partner Community





C.
  External Identity

Explanation:

External Identity is the license that enables SSO for B2C applications using Salesforce Identity. It also provides self-registration, social sign-on, and user profile management features.

References:

Certification - Identity and Access Management Architect - Trailhead

Universal Containers (UC) has built a custom Two-factor Authentication (2FA) system for their existing on-premise applications. They are now implementing Salesforce and would like to enable a two-factor login process for it as well. What is the recommended solution an architect should consider?



A. Replace the custom 2FA system with Salesforce 2FA for the on-premise applications and Salesforce.


B. Use the custom 2FA system for on-premise applications and native 2FA for Salesforce.


C. Replace the custom 2FA system with an AppExchange app that supports on-premise applications and Salesforce.


D. Use custom login flows to connect to the existing custom 2FA system for use in Salesforce.





D.
  Use custom login flows to connect to the existing custom 2FA system for use in Salesforce.

Explanation:

Using custom login flows to connect to the existing custom 2FA system is the recommended solution because it reuses the 2FA infrastructure UC already operates and gives users one consistent second-factor experience across on-premise applications and Salesforce. Login flows customize the authentication process by adding screens or logic after credential authentication and before the session is released1. A Visualforce login flow page backed by Apex can make a callout to the custom 2FA system, verify the user's one-time code, and only then call Auth.SessionManagement.finishLoginFlow()2. This also gives UC more control over the 2FA step than native 2FA or an AppExchange app would3. Options A and C replace working infrastructure, and Option B leaves users with two different second factors to enrol and manage.

References:

👉 1: Customize User Authentication with Login Flows
👉 2: Custom Login Flow Examples
👉 3: Salesforce Multi-Factor Authentication
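The exchange described above, as an added example that is not part of the original page or of any Salesforce sample: a Visualforce login-flow controller that sends the user's one-time code to the on-premise 2FA service for verification. It assumes a Named Credential called OnPrem_2FA pointing at that service, a POST /otp/verify endpoint taking JSON {"username", "otp"} and answering {"verified": true|false}, and a page Custom2faLoginFlow that binds {!otp} to an input and {!verify} to its submit button; all of these are hypothetical.

```apex
// Added example: second factor delegated to an on-premise 2FA service.
// Assumes Named Credential "OnPrem_2FA" (hypothetical) pointing at the service,
// which exposes POST /otp/verify with JSON {"username","otp"} and answers
// {"verified": true|false}; and a page "Custom2faLoginFlow" binding {!otp}
// to an input and {!verify} to its submit button.
public with sharing class Custom2faLoginFlowController {
    public String otp { get; set; }
    private Integer attempts = 0;                 // kept in the integrity-protected view state
    private static final Integer MAX_ATTEMPTS = 3;

    public PageReference verify() {
        if (String.isBlank(otp) || !otp.isNumeric() || otp.length() != 6) {
            addError('Enter the 6-digit code from your authenticator.');
            return null;
        }
        attempts++;
        if (attempts > MAX_ATTEMPTS) {
            // Too many failures: end the login attempt instead of finishing the flow.
            return new PageReference('/secur/logout.jsp');
        }

        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:OnPrem_2FA/otp/verify');
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/json');
        req.setTimeout(10000);
        req.setBody(JSON.serialize(new Map<String, String>{
            'username' => UserInfo.getUserName(),   // the authenticated user, never a form field
            'otp'      => otp
        }));

        HttpResponse res;
        try {
            res = new Http().send(req);
        } catch (System.CalloutException e) {
            addError('Verification service unavailable; please try again.');
            return null;                          // fail closed: no session without a verdict
        }
        if (res.getStatusCode() != 200) {
            addError('Verification service unavailable; please try again.');
            return null;
        }
        Map<String, Object> body = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        Boolean verified = (Boolean) body.get('verified');
        if (verified == true) {
            // Record that a second factor was presented so high-assurance policies are satisfied.
            Auth.SessionManagement.setSessionLevel(Auth.SessionLevel.HIGH_ASSURANCE);
            return Auth.SessionManagement.finishLoginFlow();
        }
        addError('The code was not accepted.');
        return null;
    }

    private void addError(String msg) {
        ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR, msg));
    }
}
```

Two details matter for security here: the username sent to the 2FA service comes from the authenticated session, not from the form, so a user cannot verify a code for someone else's account; and every failure path (callout error, non-200 response, wrong code, too many attempts) ends without calling finishLoginFlow, so a service outage does not silently downgrade the login to a single factor.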

Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, who use SAML-based single sign-on to log in to Salesforce. The default agent profile does not include the Manage Users permission. UC wants to dynamically update the agent role and permission sets. Which two mechanisms are used to provision agents with the appropriate permissions?
(Choose 2 answers)



A. Use Login Flow in User Context to update role and permission sets.


B. Use Login Flow in System Context to update role and permission sets.


C. Use SAML Just-in-Time (JIT) handler class run as current user to update role and permission sets.


D. Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets.





B.
  Use Login Flow in System Context to update role and permission sets.

D.
  Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets.

Explanation:

To update the agent's role and permission sets dynamically at login, with Active Directory as the identity provider and SAML-based single sign-on into Salesforce, the architect has two supported places to run the logic. Both must execute with more privilege than the agent's own profile, which lacks Manage Users:

Use a Login Flow in System Context. A login flow runs after the user has authenticated and before the session is released, and can add screens or logic to the login. When the flow is declared to run in system context, its queries and DML are not subject to the running user's object, field and record permissions, so it can set a role or insert PermissionSetAssignment records that the agent could never touch directly. Run in user context (Option A), the same flow would fail on those updates.

Use a SAML Just-in-Time (JIT) handler class run as an admin user. A JIT handler implements the Auth.SamlJitHandler interface; its createUser and updateUser methods run on every SAML login and receive the assertion's attributes (for example group membership or role values sent by Active Directory). The "Execute Handler As" user on the SAML single sign-on setting determines whose permissions the handler runs with, so pointing it at an administrator (or a dedicated integration user with Manage Users) lets the handler update the role and permission sets. Run as the current user (Option C), it would hit the same Manage Users gap.

References:

Login Flows, SAML Just-in-Time Provisioning, Auth.SamlJitHandler Interface
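As an added example (not the page's own code and not a Salesforce sample), here is a JIT handler that keeps an agent's role and permission sets in sync with attributes asserted by the IdP. The attribute names (User.Email, User.FirstName, User.LastName, User.Role, User.PermSets), the "Customer Care Agent" profile and the "Agent" permission-set naming prefix are all assumptions; the handler is expected to be configured with "Execute Handler As" set to a user that holds Manage Users.

```apex
// Added example: JIT handler that provisions and updates agent role and
// permission sets from IdP attributes. Assumed attribute names:
//   User.Email, User.FirstName, User.LastName   (identity)
//   User.Role      -> UserRole.DeveloperName
//   User.PermSets  -> comma-separated PermissionSet.Name values
// Only permission sets whose Name starts with "Agent" (hypothetical naming
// convention) are managed here, so an IdP attribute cannot hand out, say, an
// administrative permission set.
global class AgentJitHandler implements Auth.SamlJitHandler {

    private static final String AGENT_PROFILE  = 'Customer Care Agent';   // hypothetical
    private static final String MANAGED_PREFIX = 'Agent';                // hypothetical

    global User createUser(Id samlSsoProviderId, Id communityId, Id portalId,
                           Map<String, String> attributes, String assertion) {
        String email = attributes.get('User.Email');
        String first = attributes.get('User.FirstName');
        String last  = attributes.get('User.LastName');
        User u = new User(
            Username = email,
            Email = email,
            FederationIdentifier = email,
            FirstName = first,
            LastName = last,
            Alias = ((first == null ? '' : first.left(1)) + last).left(8),
            EmailEncodingKey = 'UTF-8',
            LanguageLocaleKey = 'en_US',
            LocaleSidKey = 'en_US',
            TimeZoneSidKey = 'America/Los_Angeles',
            ProfileId = [SELECT Id FROM Profile WHERE Name = :AGENT_PROFILE LIMIT 1].Id
        );
        applyRole(u, attributes);
        insert u;                       // runs as the "Execute Handler As" user
        syncPermissionSets(u.Id, attributes);
        return u;
    }

    global void updateUser(Id userId, Id samlSsoProviderId, Id communityId, Id portalId,
                           Map<String, String> attributes, String assertion) {
        User u = new User(Id = userId);
        applyRole(u, attributes);
        update u;
        syncPermissionSets(userId, attributes);
    }

    // Map the asserted role name onto an existing UserRole; unknown names are ignored.
    private void applyRole(User u, Map<String, String> attributes) {
        String roleName = attributes.get('User.Role');
        if (String.isBlank(roleName)) return;
        List<UserRole> roles = [SELECT Id FROM UserRole WHERE DeveloperName = :roleName LIMIT 1];
        if (!roles.isEmpty()) u.UserRoleId = roles[0].Id;
    }

    // Make the managed assignments equal to the asserted set: add what is
    // missing and remove managed sets the assertion no longer lists.
    private void syncPermissionSets(Id userId, Map<String, String> attributes) {
        Set<String> wanted = new Set<String>();
        String raw = attributes.get('User.PermSets');
        if (String.isNotBlank(raw)) {
            for (String n : raw.split(',')) wanted.add(n.trim());
        }
        String pattern = MANAGED_PREFIX + '%';
        Map<String, Id> managed = new Map<String, Id>();
        for (PermissionSet ps : [SELECT Id, Name FROM PermissionSet
                                 WHERE IsOwnedByProfile = false AND Name LIKE :pattern]) {
            managed.put(ps.Name, ps.Id);
        }
        Set<String> present = new Set<String>();
        List<PermissionSetAssignment> toRemove = new List<PermissionSetAssignment>();
        for (PermissionSetAssignment a : [SELECT Id, PermissionSet.Name
                                          FROM PermissionSetAssignment
                                          WHERE AssigneeId = :userId
                                            AND PermissionSetId IN :managed.values()]) {
            if (wanted.contains(a.PermissionSet.Name)) present.add(a.PermissionSet.Name);
            else toRemove.add(a);
        }
        List<PermissionSetAssignment> toAdd = new List<PermissionSetAssignment>();
        for (String n : wanted) {
            if (managed.containsKey(n) && !present.contains(n)) {
                toAdd.add(new PermissionSetAssignment(AssigneeId = userId,
                                                      PermissionSetId = managed.get(n)));
            }
        }
        if (!toRemove.isEmpty()) delete toRemove;
        if (!toAdd.isEmpty()) insert toAdd;
    }
}
```

Because the handler runs with an administrator's permissions, the assertion attributes become an authorization input; the prefix allowlist limits the blast radius if the IdP (or an attribute mapping in it) is misconfigured or compromised, and the remove-what-is-no-longer-asserted step means a revocation in Active Directory takes effect on the agent's next login rather than lingering until someone cleans up manually.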

Northern Trail Outfitters (NTO) uses the Customer 360 Platform implemented on Salesforce Experience Cloud. The development team in charge has learned of a contactless user feature, which can reduce the overhead of managing customers and partners by creating users without contact information. What is the potential impact to the architecture if NTO decides to implement this feature?



A. Custom registration handler is needed to correctly assign External Identity or Community license for the newly registered contactless user.


B. If contactless user is upgraded to Community license, the contact record is automatically created and linked to the user record, but not associated with an Account.


C. Contactless user feature is available only with the External Identity license, which can restrict the Experience Cloud functionality available to the user.


D. Passwordless authentication cannot be supported because the mobile phone receiving one-time password (OTP) needs to match the number on the contact record.





C.
  Contactless user feature is available only with the External Identity license, which can restrict the Experience Cloud functionality available to the user.

Explanation:

The contactless user feature allows organizations to create external users in Experience Cloud without requiring an associated Contact record. However, this has key licensing and functionality implications:

Option A (Incorrect) – While a custom registration handler can be used for advanced logic, it is not mandatory for assigning licenses. Salesforce allows contactless users to be created directly with an External Identity license, and admins can manually assign licenses without Apex.

Option B (Incorrect) – If a contactless user is upgraded to a Community license, Salesforce does not automatically create a Contact record. The admin must manually link the user to a Contact if needed.

Option C (Correct) – The contactless user feature only works with External Identity licenses, not standard Community licenses. This means:
👉 Users with External Identity licenses have fewer object and feature entitlements than full Community users, so parts of the Experience Cloud site may be unavailable to them.
👉 If NTO wants full Experience Cloud functionality for a given user, they must convert that user to a Community license and link them to a Contact.

Option D (Incorrect) – Passwordless authentication (e.g., OTP) can still work via email, even without a Contact record. While phone-based OTP requires a phone number, email-based methods do not.

Why C is the best answer

The primary architectural impact is that contactless users require External Identity licenses, which restrict functionality compared to full Community licenses. If NTO relies on standard Experience Cloud features, they may need additional steps (like license upgrades and Contact linking) to ensure full access.

References:

Enable Contactless Users — Salesforce Help

Universal Containers plans to develop a custom mobile app for the sales team that will use Salesforce for authentication and access management. Access to the mobile app needs to be restricted to the sales team only. What is the recommended solution to grant mobile app access to sales users?



A. Use a custom attribute on the user object to control access to the mobile app


B. Use connected app OAuth policies to restrict mobile app access to authorized users.


C. Use the permission set license to assign the mobile app permission to sales users


D. Add a new identity provider to authenticate and authorize mobile users.





B.
  Use connected app OAuth policies to restrict mobile app access to authorized users.

Explanation:

The recommended solution is to use the connected app's OAuth policies to restrict access to authorized users. A connected app is the Salesforce-side configuration that lets an external application, such as the mobile app, obtain an OAuth access token after the user authenticates, and then call Salesforce APIs with that token. The connected app's OAuth policies control who may use it and how: setting "Permitted Users" to "Admin approved users are pre-authorized" and then assigning the sales profiles or a sales permission set to the app means only those users can obtain a token, and everyone else is refused at authorization time, before any data is reachable. The same policies also set token lifetime (refresh token policy), IP relaxation, and the scopes the app may request, so the app's reach can be kept to the minimum the sales team needs. A custom attribute on the User object (Option A) is not enforced by the platform; a permission set license (Option C) governs feature licensing rather than app access; and adding an identity provider (Option D) changes how users authenticate but still does not say which users may use this app.

Universal Containers wants Salesforce inbound OAuth-enabled integration clients to use SAML-based single sign-on for authentication. What OAuth flow would be recommended in this scenario?



A. User-Agent OAuth flow


B. SAML assertion OAuth flow


C. User-Token OAuth flow


D. Web server OAuth flow





B.
  SAML assertion OAuth flow

Explanation:

The OAuth 2.0 SAML Bearer Assertion flow lets a connected app present a SAML assertion to Salesforce's token endpoint (grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer) and receive an access token for calling Salesforce APIs, instead of sending the user through a browser-based authorization. It exists precisely for orgs that already use SAML to log in to Salesforce and want to reach the web services API the same way3. Two conditions make it work: the assertion must be issued and signed by the identity provider configured in the org's Single Sign-On Settings (an unsigned or foreign assertion is rejected with "invalid assertion"), and the connected app must already be authorized for the user, typically via "Admin approved users are pre-authorized", because no consent screen is shown. The user-agent and web server flows (A, D) require an interactive browser session rather than an assertion, and "User-Token" (C) is not a Salesforce OAuth flow.

References:

OAuth 2.0 SAML Bearer Assertion Flow for Previously Authorized Apps, Access Data with API Integration, Error ‘Invalid assertion’ in OAuth 2.0 SAML Bearer Flow

Universal Containers (UC) is building a custom Innovation platform on their Salesforce instance. The Innovation platform will be written completely in Apex and Visualforce and will use custom objects to store the Data. UC would like all users to be able to access the system without having to log in with Salesforce credentials. UC will utilize a third-party idp using SAML SSO. What is the optimal Salesforce license type for all of the UC employees?



A. Identity Licence.


B. Salesforce Licence.


C. External Identity Licence.


D. Salesforce Platform Licence.





D.
  Salesforce Platform Licence.

Explanation:

Universal Containers (UC) will build a custom Innovation platform entirely in Apex and Visualforce, using custom objects. They plan to authenticate employees via a third-party Identity Provider (IdP) with SAML SSO; employees shouldn't use Salesforce credentials. For this scenario, the Salesforce Platform License is optimal. It supports Apex, Visualforce, custom objects, reports, dashboards, Flows, and SAML-based SSO, ensuring employees have the tools they need without full CRM access.

👉 Option A (Identity License) isn't sufficient. Identity licenses are focused on authentication and single sign-on and do not support Visualforce, Apex, or access to custom objects.

👉 Option B (Salesforce License) is overkill—this full-featured CRM license grants access to standard Sales Cloud objects like Leads, Opportunities, and Cases, which the Innovation platform doesn’t need.

👉 Option C (External Identity License) is for external users (e.g., partners or customers) and lacks access to custom Apex/Visualforce or internal apps.

Therefore, the Platform License neatly fits the requirement: SSO login via SAML, ability to use Apex/VF and custom objects, without unnecessary licensing features.

References:

Standard User & Platform Licence Overview — Salesforce Help

A leading fitness tracker company is getting ready to launch a customer community. The company wants its customers to log in to the community and connect their fitness device to their profile. Customers should be able to obtain exercise details and fitness recommendations in the community. Which feature should be used to satisfy this requirement?



A. Named Credentials


B. Login Flows


C. OAuth Device Flow


D. Single Sign-On Settings





C.
  OAuth Device Flow

Explanation:

The OAuth 2.0 Device Flow is designed for input-constrained devices such as fitness trackers, smart TVs, or printers that need to act on a user's behalf against Salesforce but cannot show a browser or accept a password comfortably. The device first asks Salesforce's token endpoint for a device code and a short user code, then displays the user code and a verification URL. The customer opens that URL on a phone or computer, logs in to the community, and enters the code to approve the device; meanwhile the device polls the token endpoint with its device code until Salesforce returns an access token (and, if allowed by the connected app, a refresh token), which the device then uses to push exercise data to the customer's profile. Named Credentials (A) cover Salesforce calling an external API, not a device obtaining access to Salesforce; Login Flows (B) customize interactive user logins; and Single Sign-On Settings (D) federate user authentication, none of which lets a device be linked to the user's account.

References:

OAuth Device Flow, OAuth 2.0 Device Flow
