All About Accurate Identity-and-Access-Management-Architect Questions Pool

NEW QUESTION 1
Universal containers (UC) employees have salesforce access from restricted ip ranges only, to protect against unauthorized access. UC wants to rollout the salesforce1 mobile app and make it accessible from any location.
Which two options should an architect recommend? Choose 2 answers

• A. Relax the ip restriction in the connect app settings for the salesforce1 mobile app
• B. Use login flow to bypass ip range restriction for the mobile app.
• C. Relax the ip restriction with a second factor in the connect app settings for salesforce1 mobile app
• D. Remove existing restrictions on ip ranges for all types of user access.

Answer: AC

Explanation:
Relaxing the IP restriction in the connected app settings for the Salesforce1 mobile app and relaxing the IP restriction with a second factor in the connected app settings for Salesforce1 mobile app are two options that an architect should recommend. These options allow UC employees to access the Salesforce1 mobile app from any location, while still maintaining some level of security. Relaxing the IP restriction means that users can log in to the connected app from outside the trusted IP ranges defined in their profiles1. Adding a second factor means that users need to provide an additional verification method, such as a verification code or a security key, to access the app2. Using a login flow to bypass IP range restriction for the mobile app is not a recommended option because it can create a complex and inconsistent user experience3. Removing existing restrictions on IP ranges for all types of user access is not a recommended option because it can expose UC’s data and applications to unauthorized access4. References: 1: Restrict Access to Trusted IP Ranges for a Connected App 2: Require Multi-Factor Authentication for Connected Apps 3: [Custom Login Flows] 4: [Restrict Login Access by IP Address]

NEW QUESTION 2
An identity architect is implementing a mobile-first Consumer Identity Access Management (CIAM) for external users. User authentication is the only requirement. The users email or mobile phone number should be supported as a username.
Which two licenses are needed to meet this requirement? Choose 2 answers

• A. External Identity Licenses
• B. Identity Connect Licenses
• C. Email Verification Credits
• D. SMS verification Credits

Answer: AD

Explanation:
External Identity Licenses are required to enable external users to access Salesforce resources via a CIAM solution. Email Verification Credits and SMS Verification Credits are required to enable email or mobile phone number verification for user authentication. Identity Connect Licenses are not required for this scenario, as Identity Connect is a tool for synchronizing user data between Salesforce and Active Directory.
References: External Identity Implementation Guide, Identity Connect Implementation Guide

NEW QUESTION 3
A company's external application is protected by Salesforce through OAuth. The identity architect for the project needs to limit the level of access to the data of the protected resource in a flexible way.
What should be done to improve security?

• A. Select "Admin approved users are pre-authorized" and assign specific profiles.
• B. Create custom scopes and assign to the connected app.
• C. Define a permission set that grants access to the app and assign to authorized users.
• D. Leverage external objects and data classification policies.

Answer: B

Explanation:
To limit the level of access to the data of the protected resource in a flexible way, the identity architect should create custom scopes and assign them to the connected app. Custom scopes are permissions that define the specific data that an external application can access or modify in Salesforce. Custom scopes can be created using Apex or Metadata API and assigned to a connected app using OAuth 2.0 or SAML protocols. Custom scopes can provide more granular control over data access than standard scopes, which are predefined by Salesforce. References: Custom Scopes, Create and Assign Custom Scopes

NEW QUESTION 4
Which tool should be used to track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours?

• A. Login Inspector
• B. Login History
• C. Login Report
• D. Login Forensics

Answer: D

Explanation:
To track login data, such as the average number of logins, who logged in more than the average number of times and who logged in during non-business hours, the identity architect should use Login Forensics. Login Forensics is a tool that analyzes login data and provides insights into user behavior and login patterns. Login Forensics can help identify anomalies, risks, and trends in user login activity. Login Forensics can also generate reports and dashboards to visualize the login data. References: Login Forensics, Analyze Login Data with Login Forensics

NEW QUESTION 5
Universal containers (UC) is successfully using Delegated Authentication for their salesforce users. The service supporting Delegated Authentication is written in Java. UC has a new CIO that is requiring all company Web services be RESR-ful and written in. NET. Which two considerations should the UC Architect provide to the new CIO? Choose 2 answers

• A. Delegated Authentication will not work with a.net service.
• B. Delegated Authentication will continue to work with rest services.
• C. Delegated Authentication will continue to work with a.net service.
• D. Delegated Authentication will not work with rest services.

Answer: CD

Explanation:
Delegated Authentication will continue to work with a .NET service as long as it is wrapped in a web service that Salesforce can consume1. Delegated Authentication will not work with REST services because it requires a SOAP-based web service23. Therefore, option C and D are the correct answers.
References: Salesforce Documentation, DEV Community, Salesforce Developer Community

NEW QUESTION 6
Universal containers (UC) would like to enable self - registration for their salesforce partner community users. UC wants to capture some custom data elements from the partner user, and based on these data elements, wants to assign the appropriate profile and account values. Which two actions should the architect recommend to UC? Choose 2 answers

• A. Modify the communitiesselfregcontroller to assign the profile and account.
• B. Modify the selfregistration trigger to assign profile and account.
• C. Configure registration for communities to use a custom visualforce page.
• D. Configure registration for communities to use a custom apex controller.

Answer: AC

Explanation:
To enable self-registration for their Salesforce partner community users, UC should modify the communities’ self-registration controller to assign the profile and account based on the custom data elements from the partner user1. UC should also configure registration for communities to use a custom Visualforce page to capture the custom data elements from the partner user2. Therefore, option A and C are the correct answers.
References: Salesforce Partner Community, Partner Community Registration Guide

NEW QUESTION 7
Universal Containers (UC) wants to implement SAML SSO for their internal of Salesforce users using a third-party IdP. After some evaluation, UC decides NOT to 65« set up My Domain for their Salesforce org. How does that decision impact their SSO implementation?

• A. IdP-initiated SSO will NOT work.
• B. Neither SP- nor IdP-initiated SSO will work.
• C. Either SP- or IdP-initiated SSO will work.
• D. SP-initiated SSO will NOT work

Answer: D

Explanation:
This is because without My Domain, Salesforce will not know in advance what Identity Provider (IdP) to use for SSO, since it does not even know yet what Organization the user is trying to log in to1. SP-initiated SSO is the scenario where the user starts with a Salesforce link (login page, deep link, Outlook Sync URL, etc.) and then gets redirected to the IdP for authentication2. Without My Domain, SP-initiated SSO requires that the user do an IdP-initiated SSO at least once first so that Salesforce can set a cookie in their browser identifying the IdP1. The other options are not correct for this question because:
IdP-initiated SSO will work without My Domain, as long as the user starts SSO at the IdP and sends the identity information to Salesforce along with SAML protocol information that identifies the Organization and the IdP2.
Neither SP- nor IdP-initiated SSO will not work is false, as explained above.
Either SP- or IdP-initiated SSO will work is false, as explained above.
References: Considerations for setting up My Domain and SSO - Salesforce, SAML SSO with Salesforce as the Service Provider

NEW QUESTION 8
Universal Containers (UC) rolling out a new Customer Identity and Access Management Solution will be built on top of their existing Salesforce instance.
Several service providers have been setup and integrated with Salesforce using OpenlD Connect to allow for a seamless single sign-on experience. UC has a requirement to limit user access to only a subset of service providers per customer type.
Which two steps should be done on the platform to satisfy the requirement? Choose 2 answers

• A. Manage which connected apps a user has access to by assigning authentication providers to the user’s profile.
• B. Assign the connected app to the customer community, and enable the users profile in the Community settings.
• C. Use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps.
• D. Set each of the Connected App access settings to Admin Pre-Approved.

Answer: CD

Explanation:
To limit user access to only a subset of service providers per customer type, the identity architect should use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps. Connected apps are frameworks that enable external applications to integrate with Salesforce using APIs and standard protocols, such as OpenID Connect. By setting each of the Connected App access settings to Admin Pre-Approved, the identity architect can control which users can access which connected apps by assigning profiles or permission sets to the connected apps. The other options are not relevant for this scenario. References: Connected Apps, Manage Connected Apps

NEW QUESTION 9
Universal Containers (UC) has implemented SSO according to the diagram below. uses SAML while Salesforce Org 1 uses OAuth 2.0. Users usually start their day by first attempting to log into Salesforce Org 2 and then later in the day, they will log into either the Financial System or CPQ system depending upon their job position. Which two systems are acting as Identity Providers?

• A. Financial System
• B. Pingfederate
• C. Salesforce Org 2
• D. Salesforce Org 1

Answer: BD

Explanation:
These are the systems that are acting as identity providers (IdPs) in the SSO scenario. An IdP is a trusted provider that enables a customer to use single sign-on (SSO) to access other websites5. In this case, Pingfederate and Salesforce Org 1 are the IdPs that authenticate the users and issue SAML assertions or
OAuth tokens to the service providers (SPs). The SPs are the websites that host apps and rely on the IdPs for authentication5. In this case, Salesforce Org 2, Financial System, and CPQ System are the SPs that receive the SAML assertions or OAuth tokens from the IdPs and grant access to the users.
Option A is incorrect because Financial System is not an IdP, but an SP. It does not authenticate the users, but receives SAML assertions from Pingfederate. Option C is incorrect because Salesforce Org 2 is not an IdP, but an SP. It does not authenticate the users, but receives OAuth tokens from Salesforce Org 1.
References: 5: Identity Providers and Service Providers - Salesforce 6: Salesforce as Service Provider an Identity Provider for SSO

NEW QUESTION 10
Universal Containers (UC) implemented SSO to a third-party system for their Salesforce users to access the App Launcher. UC enabled “User Provisioning” on the Connected App so that changes to user accounts can be synched between Salesforce and the third-party system. However, UC quickly notices that changes to user roles in Salesforce are not getting synched to the third-party system. What is the most likely reason for this behavior?

• A. User Provisioning for Connected Apps does not support role sync.
• B. Required operation(s) was not mapped in User Provisioning Settings.
• C. The Approval queue for User Provisioning Requests is unmonitored.
• D. Salesforce roles have more than three levels in the role hierarchy.

Answer: B

Explanation:
User Provisioning for Connected Apps supports role sync, but the required operation(s) must be mapped in User Provisioning Settings. According to the Salesforce documentation1, “To provision roles, map the Role operation to a field in the connected app. The field must contain the role’s unique name.” Therefore, option B is the correct answer.
References: Salesforce Documentation

NEW QUESTION 11
A third-party app provider would like to have users provisioned via a service endpoint before users access their app from Salesforce.
What should an identity architect recommend to configure the requirement with limited changes to the third-party app?

• A. Use a connected app with user provisioning flow.
• B. Create Canvas app in Salesforce for third-party app to provision users.
• C. Redirect users to the third-party app for registration.
• D. Use Salesforce identity with Security Assertion Markup Language (SAML) for provisioning users.

Answer: A

Explanation:
To have users provisioned via a service endpoint before users access their app from Salesforce, the identity architect should recommend using a connected app with user provisioning flow. A connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols. A user provisioning flow is a custom post-authentication process that can be used to create or update users in the external application using a service endpoint when users access the connected app from Salesforce. This approach can provide automatic user provisioning with limited changes to the third-party app. References: Connected Apps, User Provisioning for Connected Apps

NEW QUESTION 12
Universal Containers (UC) has an existing web application that it would like to access from Salesforce without requiring users to re-authenticate. The web application is owned UC and the UC team that is responsible for it is willing to add new javascript code and/or libraries to the application. What implementation should an Architect recommend to UC?

• A. Create a Canvas app and use Signed Requests to authenticate the users.
• B. Rewrite the web application as a set of Visualforce pages and Apex code.
• C. Configure the web application as an item in the Salesforce App Launcher.
• D. Add the web application as a ConnectedApp using OAuth User-Agent flow.

Answer: A

Explanation:
A Canvas app is a web application that can be embedded within Salesforce and access Salesforce data using the signed request authentication method. This method allows the Canvas app to receive a signed request that contains the context and OAuth token when it is loaded. The Canvas app can use the SDK to request a new or refreshed signed request on demand2. This way, the users do not need to re-authenticate when accessing the web application from Salesforce. References: Requesting a Signed Request, SAML Single Sign-On for Canv Apps, Mastering Salesforce Canvas Apps

NEW QUESTION 13
Universal Containers has multiple Salesforce instances where users receive emails from different instances. Users should be logged into the correct Salesforce instance authenticated by their IdP when clicking on an email link to a Salesforce record.
What should be enabled in Salesforce as a prerequisite?

• A. My Domain
• B. External Identity
• C. Identity Provider
• D. Multi-Factor Authentication

Answer: A

Explanation:
My Domain is a feature that allows you to personalize your Salesforce org with a subdomain within the Salesforce domain. For example, instead of using a generic URL like https://na30.salesforce.com, you can use a custom URL like https://somethingReallycool.my.salesforce.com10. My Domain should be enabled in Salesforce as a prerequisite for the following reasons:
My Domain lets you work in multiple Salesforce orgs in the same browser. Without My Domain, you can only log in to one org at a time in the same browser.
My Domain lets you set up single sign-on (SSO) with third-party identity providers (IdPs). SSO is an authentication method that allows users to access multiple applications with one login and one set of credentials. With My Domain and SSO, users can log in to Salesforce using their corporate credentials or social accounts.
My Domain lets you customize your login page with your brand. You can add your logo, background image, right-frame content, and authentication service buttons to your login page.
References:
My Domain
[Customize Your Login Process with My Domain]

NEW QUESTION 14
IT security at Unversal Containers (UC) us concerned about recent phishing scams targeting its users and wants to add additional layers of login protection. What should an Architect recommend to address the issue?

• A. Use the Salesforce Authenticator mobile app with two-step verification
• B. Lock sessions to the IP address from which they originated.
• C. Increase Password complexity requirements in Salesforce.
• D. Implement Single Sign-on using a corporate Identity store.

Answer: A

Explanation:
The Salesforce Authenticator mobile app adds an extra layer of security for online accounts with two-factor authentication. It allows users to respond to push notifications or use location services to verify their logins and other account activity1. This can help prevent phishing scams and unauthorized access.
References: Salesforce Authenticator, Salesforce Authenticator: Mobile App Security Features, Salesforce Authenticator

NEW QUESTION 15
A leading fitness tracker company is getting ready to launch a customer community. The company wants its customers to login to the community and connect their fitness device to their profile. Customers should be able to obtain exercise details and fitness recommendation in the community.
Which should be used to satisfy this requirement?

• A. Named Credentials
• B. Login Flows
• C. OAuth Device Flow
• D. Single Sign-On Settings

Answer: C

Explanation:
OAuth Device Flow is a protocol that allows users to authenticate their devices, such as fitness trackers, smart TVs, or printers, with an external identity provider and access Salesforce resources. The device flow involves displaying a verification code and a URL on the device, which the user can use to log in and authorize the device from another device, such as a smartphone or a computer. References: OAuth Device Flow, OAuth 2. Device Flow

NEW QUESTION 16
A global company's Salesforce Identity Architect is reviewing its Salesforce production org login history and is seeing some intermittent Security Assertion Markup Language (SAML SSO) 'Replay Detected and Assertion Invalid' login errors.
Which two issues would cause these errors?
Choose 2 answers

• A. The subject element is missing from the assertion sent to salesforce.
• B. The certificate loaded into SSO configuration does not match the certificate used by the IdP.
• C. The current time setting of the company's identity provider (IdP) and Salesforce platform is out of sync by more than eight minutes.
• D. The assertion sent to 5alesforce contains an assertion ID previously used.

Answer: CD

Explanation:
A SAML SSO ‘Replay Detected and Assertion Invalid’ error occurs when Salesforce detects that the same assertion has been used more than once within the validity period. This can happen if the assertion ID is reused by the IdP or if the assertion is resent by the user. Another possible cause is that the time settings of the IdP and Salesforce are not synchronized, which can result in an assertion being valid for a shorter or longer period than expected. References: SAML Single Sign-On Settings, Troubleshoot SAML Single Sign-On

NEW QUESTION 17
What information does the 'Relaystate' parameter contain in sp-Initiated Single Sign-on?

• A. Reference to a URL redirect parameter at the identity provider.
• B. Reference to a URL redirect parameter at the service provider.
• C. Reference to the login address URL of the service provider.
• D. Reference to the login address URL of the identity Provider.

Answer: B

Explanation:
The ‘Relaystate’ parameter is an HTTP parameter that can be included as part of the SAML request and SAML response. In an SP-initiated sign-in flow, the SP can set the RelayState parameter in the SAML request with additional information about the request, such as the URL of the resource that the user is trying to access.
The IDP should just relay it back in the SAML response without any modification or inspection. Therefore, the ‘Relaystate’ parameter contains a reference to a URL redirect parameter at the service provider123.
References: 1: single sign on - What is exactly RelayState parameter used in SSO (Ex. SAML)? - Stack
Overflow 2: java - How to send current URL as relay state while sending authentication request to IDP - Stack Overflow 3: Understanding SAML | Okta Developer

NEW QUESTION 18
Northern Trail Outfitters would like to use a portal built on Salesforce Experience Cloud for customer self-service. Guests of the portal be able to self-register, but be unable to automatically be assigned to a contact record until verified. External Identity licenses have been purchased for the project.
After registered guests complete an onboarding process, a flow will create the appropriate account and contact records for the user.
Which three steps should an identity architect follow to implement the outlined requirements? Choose 3 answers

• A. Enable "Allow customers and partners to self-register".
• B. Select the "Configurable Self-Reg Page" option under Login & Registration.
• C. Set jp an external login page and call Salesforce APIs for user creation.
• D. Customize the self-registration Apex handler to temporarily associate the user to a shared single contact record.
• E. Customize me self-registration Apex handler to create only the user record.

Answer: ABE

Explanation:
Enabling “Allow customers and partners to self-register” allows guests to create their own user accounts in the portal. Selecting the “Configurable Self-Reg Page” option allows the administrator to customize the
self-registration page to capture the required fields. Customizing the self-registration Apex handler to create
only the user record prevents the automatic creation of a contact record until verification. References: Enable Self-Registration, Customize Self-Registration

NEW QUESTION 19
universal container plans to develop a custom mobile app for the sales team that will use salesforce for authentication and access management. The mobile app access needs to be restricted to only the sales team. What would be the recommended solution to grant mobile app access to sales users?

• A. Use a custom attribute on the user object to control access to the mobile app
• B. Use connected apps Oauth policies to restrict mobile app access to authorized users.
• C. Use the permission set license to assign the mobile app permission to sales users
• D. Add a new identity provider to authenticate and authorize mobile users.

Answer: B

Explanation:
The recommended solution to grant mobile app access to sales users is to use connected apps OAuth policies to restrict mobile app access to authorized users. A connected app is a configuration in Salesforce that allows an external application, such as a mobile app, to connect to Salesforce using OAuth. OAuth is a protocol that allows the mobile app to obtain an access token from Salesforce after the user grants permission. The access token can then be used by the mobile app to access Salesforce data and features. OAuth policies are settings that control how users can access a connected app, such as who can use the app, how long the access token is valid, and what level of access the app requests. By configuring OAuth policies in the connected app settings, Universal Containers can restrict the mobile app access to only the sales team and protect against unauthorized or excessive access.
References: [Connected Apps], [OAuth Authorization Flows], [OAuth Policies]

NEW QUESTION 20
Northern Trail Outfitters (NTO) is setting up Salesforce to authenticate users with an external identity provider. The NTO Salesforce Administrator is having trouble getting things setup.
What should an identity architect use to show which part of the login assertion is fading?

• A. SAML Metadata file importer
• B. Identity Provider Metadata download
• C. Connected App Manager
• D. Security Assertion Markup Language Validator

Answer: D

Explanation:
Security Assertion Markup Language (SAML) Validator is a tool that allows administrators to test and troubleshoot SAML single sign-on configurations. It can show which part of the login assertion is failing and provide error messages and suggestions. SAML Metadata file importer and Identity Provider Metadata download are features that allow administrators to import or download metadata files for SAML configurations. Connected App Manager is a tool that allows administrators to manage connected apps in Salesforce. References: SAML Validator, SAML Single Sign-On Settings, Connected App Manager

NEW QUESTION 21
......