A Review Of Top Quality Identity-and-Access-Management-Architect Free Practice Test

NEW QUESTION 1
Which two are valid choices for digital certificates when setting up two-way SSL between Salesforce and an external system. Choose 2 answers

• A. Use a trusted CA-signed certificate for salesforce and a trusted CA-signed cert for the external system
• B. Use a trusted CA-signed certificate for salesforce and a self-signed cert for the external system
• C. Use a self-signed certificate for salesforce and a self-signed cert for the external system
• D. Use a self-signed certificate for salesforce and a trusted CA-signed cert for the external system

Answer: CD

Explanation:
Two-way SSL is a method of mutual authentication between two parties using digital certificates. A digital certificate is an electronic document that contains information about the identity of the certificate owner and a public key that can be used to verify their signature. A digital certificate can be either self-signed or
CA-signed. A self-signed certificate is created and signed by its owner, while a CA-signed certificate is created by its owner but signed by a trusted Certificate Authority (CA). For setting up two-way SSL between Salesforce and an external system, two valid choices for digital certificates are:
Use a self-signed certificate for Salesforce and a self-signed certificate for the external system. This option is simple and cost-effective, but requires both parties to trust each other’s self-signed certificates explicitly.
Use a self-signed certificate for Salesforce and a trusted CA-signed certificate for the external system.
This option is more secure and reliable, but requires Salesforce to trust the CA that signed the external system’s certificate implicitly.
References: Know more about all the SSL certificates that are supported by Salesforce, two way ssl. How to

NEW QUESTION 2
Northern Trail Outfitters is implementing a business-to-business (B2B) collaboration site using Salesforce Experience Cloud. The partners will authenticate with an existing identity provider and the solution will utilize Security Assertion Markup Language (SAML) to provide single sign-on to Salesforce. Delegated administration will be used in the Expenence Cloud site to allow the partners to administer their users' access.
How should a partner identity be provisioned in Salesforce for this solution?

• A. Create only a contact.
• B. Create a contactless user.
• C. Create a user and a related contact.
• D. Create a person account.

Answer: C

Explanation:
To provision a partner identity in Salesforce for a B2B collaboration site using SAML SSO, the identity architect should create a user and a related contact. A user record is required to authenticate and authorize the partner to access Salesforce resources. A contact record is required to associate the partner with an account, which represents the partner’s organization. A contactless user or a person account are not supported for B2B collaboration sites. References: User and Contact Records for Partner Users, Create Partner Users

NEW QUESTION 3
A multinational industrial products manufacturer is planning to implement Salesforce CRM to manage their business. They have the following requirements:
* 1. They plan to implement Partner communities to provide access to their partner network .
* 2. They have operations in multiple countries and are planning to implement multiple Salesforce orgs.
* 3. Some of their partners do business in multiple countries and will need information from multiple Salesforce communities.
* 4. They would like to provide a single login for their partners.
How should an Identity Architect solution this requirement with limited custom development?

• A. Create a partner login for the country of their operation and use SAML federation to provide access to other orgs.
• B. Consolidate Partner related information in a single org and provide access through Salesforce community.
• C. Allow partners to choose the Salesforce org they need information from and use login flows to authenticate access.
• D. Register partners in one org and access information from other orgs using APIs.

Answer: A

Explanation:
SAML federation allows partners to log in to multiple Salesforce orgs with a single identity provider. The partner login can be created for the country of their operation and then federated to other orgs using SAML assertions. References: SAML Single Sign-On Overview, Federated Authentication Using SAML

NEW QUESTION 4
Which two considerations should be made when implementing Delegated Authentication? Choose 2 answers

• A. The authentication web service can include custom attributes.
• B. It can be used to authenticate API clients and mobile apps.
• C. It requires trusted IP ranges at the User Profile level.
• D. Salesforce servers receive but do not validate a user’s credentials.
• E. Just-in-time Provisioning can be configured for new users.

Answer: BE

Explanation:
Delegated authentication is a feature that allows Salesforce to delegate the authentication process to an external service of your choice1. When implementing delegated authentication, you should consider the following aspects2:
The authentication web service can include custom attributes, such as user roles or permissions, in the response to Salesforce. These attributes can be used to update user records or trigger workflows in Salesforce2.
Delegated authentication can be used to authenticate API clients and mobile apps that use the SOAP API or REST API login() methods. However, it does not support OAuth 2.0 flows or other authentication methods2.
Delegated authentication does not require trusted IP ranges at the User Profile level. However, you can use them to restrict access to Salesforce from specific IP addresses or ranges2.
Salesforce servers receive but do not validate a user’s credentials. Instead, they pass the credentials to the external authentication service, which validates them and returns a response to Salesforce2.
Just-in-time provisioning can be configured for new users who log in with delegated authentication. Thi
feature allows Salesforce to create or update user accounts based on the information provided by the external authentication service3.
References:
Delegated Authentication
Delegated Authentication Single Sign-On
Just-in-Time Provisioning for Delegated Authentication

NEW QUESTION 5
Universal Container's (UC) identity architect needs to recommend a license type for their new Experience Cloud site that will be used by external partners (delivery providers) for reviewing and updating their accounts, downloading files provided by UC and obtaining scheduled pickup dates from their calendar.
UC is using their Salesforce production org as the identity provider for these users and the expected number of individual users is 2.5 million with 13.5 million unique logins per month.
Which of the following license types should be used to meet the requirement?

• A. External Apps License
• B. Partner Community License
• C. Partner Community Login License
• D. Customer Community plus Login License

Answer: C

Explanation:
Partner Community Login License is the best option for UC’s use case, as it allows external partners to access Experience Cloud sites and Salesforce data with a pay-per-login model. The other license types are either too expensive or not suitable for partner users. References: Experience Cloud User Licenses, Salesforce Experience Cloud Pricing

NEW QUESTION 6
Universal containers (UC) has decided to use identity connect as it's identity provider. UC uses active directory(AD) and has a team that is very familiar and comfortable with managing ad groups. UC would like to use AD groups to help configure salesforce users. Which three actions can AD groups control through identity connect? Choose 3 answers

• A. Public Group Assignment
• B. Granting report folder access
• C. Role Assignment
• D. Custom permission assignment
• E. Permission sets assignment

Answer: ACE

Explanation:
AD groups can control public group assignment, role assignment, and permission set assignment through Identity Connect. Identity Connect is a tool that integrates Microsoft Active Directory (AD) user accounts with Salesforce user records1. It allows Salesforce admins to leverage the existing user data and group
memberships in AD to automate user provisioning and deprovisioning in Salesforce. Identity Connect can map AD groups to Salesforce public groups, roles, and permission sets, and assign them to users based on their group membership2. This way, AD groups can control the access level and visibility of users in Salesforce. AD groups cannot control granting report folder access or custom permission assignment through Identity Connect. These are not supported features of Identity Connect. Report folder access is controlled by the folder sharing settings in Salesforce. Custom permission assignment is controlled by the custom permission settings in Salesforce. References: Get to Know Identity Connect, Map Your Data, [Folder Sharing], [Custom Permissions]

NEW QUESTION 7
Universal Containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in Salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two are recommendations to make the UC? Choose 2 answers

• A. Disallow the use of Single Sign-on for any users of the mobile app.
• B. Require High Assurance sessions in order to use the Connected App.
• C. Set Login IP Ranges to the internal network for all of the app users Profiles.
• D. Use Google Authenticator as an additional part of the login process

Answer: BD

Explanation:
Requiring High Assurance sessions and using Google Authenticator are two ways to enhance the security of the connected app.
Option B is correct because requiring High Assurance sessions means that the users must verify their identity using a second factor, such as a verification code or biometric scan, before they can access the
connected app.
Option D is correct because using Google Authenticator as an additional part of the login process also adds a second factor of authentication, which can be generated by the Google Authenticator app on the user’s mobile device.
Option A is incorrect because disallowing the use of Single Sign-on for any users of the mobile app does not improve the security of the app, and may create more inconvenience for the users who have to remember multiple credentials.
Option C is incorrect because setting Login IP Ranges to the internal network for all of the app users Profiles does not work for users who are commonly out of the office, as they may need to access the app from different locations.
References: [High Assurance Sessions], [Google Authenticator], [Single Sign-On], [Login IP Ranges]

NEW QUESTION 8
Universal Containers (UC) is looking to purchase a third-party application as an Identity Provider. UC is looking to develop a business case for the purchase in general and has enlisted an Architect for advice. Which two capabilities of an Identity Provider should the Architect detail to help strengthen the business case? Choose 2 answers

• A. The Identity Provider can authenticate multiple applications.
• B. The Identity Provider can authenticate multiple social media accounts.
• C. The Identity provider can store credentials for multiple applications.
• D. The Identity Provider can centralize enterprise password policy.

Answer: AD

Explanation:
The two capabilities of an identity provider that the architect should detail to help strengthen the business case are that the identity provider can authenticate multiple applications and that the identity provider can centralize enterprise password policy. These capabilities can provide benefits such as reducing login friction, improving user experience, enhancing security, and simplifying administration. Option B is not a good choice because the identity provider can authenticate multiple social media accounts may not be relevant for UC’s business case, as it does not specify how UC will use social media for its identity management. Option C is not a good choice because the identity provider can store credentials for multiple applications may not be desirable or secure for UC’s business case, as it may imply that the identity provider is using password vaulting or federation rather than single sign-on (SSO) or identity federation. References: Identity Management Concepts, [Single Sign-On Implementation Guide]

NEW QUESTION 9
which three are features of federated Single Sign-on solutions? Choose 3 answers

• A. It federates credentials control to authorized applications.
• B. It establishes trust between Identity store and service provider.
• C. It solves all identity and access management problems.
• D. It improves affiliated applications adoption rates.
• E. It enables quick and easy provisioning and deactivating of users.

Answer: ABD

Explanation:
It federates credentials control to authorized applications. This means that users can access multiple applications across different domains or organizations using one set of credentials, without having to share their passwords with each application1. The applications rely on a trusted identity provider (IdP) to authenticate the users and grant them access.
It establishes trust between Identity store and service provider. This means that the IdP and the service provider (SP) have a mutual agreement to exchange identity information using standard protocols, such as SAML, OpenID Connect, or OAuth2. The IdP and the SP also share metadata and certificates to ensure secure communication and verification.
It improves affiliated applications adoption rates. This means that users are more likely to use applications that are connected to their existing identity provider, as they do not have to create or remember multiple passwords3. This also reduces the friction and frustration of logging in to different applications, and enhances the user experience.
The other options are not features of federated single sign-on solutions because:
It solves all identity and access management problems. This is false, as federated single sign-on solutions only address the authentication aspect of identity and access management, not the authorization, provisioning, governance, or auditing aspects. Federated single sign-on solutions also have some challenges, such as complexity, interoperability, and security risks.
It enables quick and easy provisioning and deactivating of users. This is not necessarily true, as
federated single sign-on solutions do not automatically create or delete user accounts in the service provider applications. Users still need to be provisioned and deprovisioned manually or through other mechanisms, such as just-in-time provisioning or SCIM.
References: Federated Identity Management vs. Single Sign-On: What’s the Difference?, What is single sign-on?, Single Sign-On (SSO) Solution, [Identity Management vs. Access Management: What’s the Difference?], [Federated Identity Management Challenges], [Just-in-Time Provisioning for SAML], [SCIM User Provisioning]

NEW QUESTION 10
Universal containers (UC) have a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two are recommendations to make the UC? Choose 2 answers

• A. Disallow the use of single Sign-on for any users of the mobile app.
• B. Require high assurance sessions in order to use the connected App
• C. Use Google Authenticator as an additional part of the logical processes.
• D. Set login IP ranges to the internal network for all of the app users profiles.

Answer: BC

Explanation:
High assurance sessions are sessions that require a stronger level of identity verification, such as two-factor authentication or SAML assertions1. Google Authenticator is an app that generates verification codes on your mobile device that you can use as a second factor of authentication2. These measures can help prevent unauthorized access to the connected app by ensuring that the user is who they claim to be and that they have access to their mobile device. Disallowing the use of single sign-on (SSO) for the mobile app is not a recommendation because SSO can provide a seamless and secure user experience across multiple applications3. Setting login IP ranges to the internal network for the app users profiles is not a recommendation because it can limit the mobility and flexibility of the users who are commonly out of the
office. References: 1: Session Security Levels 2: Google Authenticator 3: Connected Apps : [Restri Access by IP Address]

NEW QUESTION 11
Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for NTO to give its customers the ability to login with their Amazon credentials.
What should an identity architect recommend to meet these requirements?

• A. Configure a predefined authentication provider for Amazon.
• B. Create a custom external authentication provider for Amazon.
• C. Configure an OpenID Connect Authentication Provider for Amazon.
• D. Configure Amazon as a connected app.

Answer: C

Explanation:
Amazon supports OpenID Connect as an authentication protocol, which allows users to sign in with their Amazon credentials and access Salesforce resources. To enable this, an identity architect needs to configure an OpenID Connect Authentication Provider for Amazon and link it to a connected app. References: OpenID Connect Authentication Providers, Social Sign-On with OpenID Connect

NEW QUESTION 12
Universal Containers (UC) currently uses Salesforce Sales Cloud and an external billing application. Both Salesforce and the billing application are accessed several times a day to manage customers. UC would like to configure single sign-on and leverage Salesforce as the identity provider. Additionally, UC would like the billing application to be accessible from Salesforce. A redirect is acceptable.
Which two Salesforce tools should an identity architect recommend to satisfy the requirements? Choose 2 answers

• A. salesforce Canvas
• B. Identity Connect
• C. Connected Apps
• D. App Launcher

Answer: AD

Explanation:
Salesforce Canvas is a tool that allows external applications to be embedded into Salesforce as iframes, which can provide a seamless user experience. App Launcher is a feature that allows users to access connected apps from a single location in Salesforce. To enable single sign-on and use Salesforce as the identity provider, the external billing application needs to be configured as a connected app and use an OAuth 2.0 or SAML protocol. Identity Connect is not relevant for this scenario, as it is a tool for synchronizing user data between Salesforce and Active Directory. References: Salesforce Canvas Developer Guide, App Launcher, Connect Apps

NEW QUESTION 13
Universal Containers (UC) plans to use a SAML-based third-party IdP serving both of the Salesforce Partner Community and the corporate portal. UC partners will log in 65* to the corporate portal to access protected resources, including links to Salesforce resources. What would be the recommended way to configure the IdP so that seamless access can be achieved in this scenario?

• A. Set up the corporate portal as a Connected App in Salesforce and use the Web server OAuth flow.
• B. Configure SP-initiated SSO that passes the SAML token upon Salesforce resource access request.
• C. Set up the corporate portal as a Connected App in Salesforce and use the User Agent OAuth flow.
• D. Configure IdP-initiated SSO that passes the SAML token upon Salesforce resource access request.

Answer: D

Explanation:
The recommended way to configure the IdP for seamless access is to use IdP-initiated SSO that passes the SAML token upon Salesforce resource access request. This means that the user logs in to the corporate portal first, and then clicks a link to access a Salesforce resource. The IdP sends a SAML response to Salesforce with the user’s identity and other attributes. Salesforce verifies the SAML response and logs in the user to the appropriate Salesforce org and community12. This way, the user does not have to log in again to Salesforce or enter any credentials3. References: 1: SAML SSO with Salesforce as the Service Provider 2: Set Up Single Sign-On for Your Internal Users Unit | Salesforce - Trailhead 3: What is IdP-Initiated Single Sign-On? – OneLogin

NEW QUESTION 14
Universal Container's (UC) is using Salesforce Experience Cloud site for its container wholesale business. The identity architect wants to an authentication provider for the new site.
Which two options should be utilized in creating an authentication provider? Choose 2 answers

• A. A custom registration handier can be set.
• B. A custom error URL can be set.
• C. The default login user can be set.
• D. The default authentication provider certificate can be set.

Answer: AB

Explanation:
An authentication provider is a configuration that allows users to log in to Salesforce using an external identity provider, such as Facebook, Google, or a custom one. When creating an authentication provider, two options that can be utilized are:
A custom registration handler, which is a class that implements the Auth.RegistrationHandler interface and defines how to create or update users in Salesforce based on the information from the external identity provider.
A custom error URL, which is a URL that users are redirected to when an error occurs during the authentication process. References: Authentication Providers, Create an Authentication Provider

NEW QUESTION 15
Northern Trail Outfitters wants to implement a partner community. Active community users will need to review and accept the community rules, and update key contact information for each community member before their annual partner event.
Which approach will meet this requirement?

• A. Create tasks for users who need to update their data or accept the new community rules.
• B. Create a custom landing page and email campaign asking all community members to login and verify their data.
• C. Create a login flow that conditionally prompts users who have not accepted the new community rules and who have missing or outdated information.
• D. Add a banner to the community Home page asking users to update their profile and accept the new community rules.

Answer: C

Explanation:
To meet the requirement of having active community users review and accept the community rules and update key contact information before their annual partner event, the identity architect should create a login flow that conditionally prompts users who have not accepted the new community rules and who have missing or outdated information. A login flow is a custom post-authentication process that can be used to add additional screens or logic after a user logs in to Salesforce. By creating a login flow, the identity architect can check the user’s status and information and display the appropriate screens for them to review and accept the community rules and update their contact information. References: Login Flows, Create a Login Flow

NEW QUESTION 16
Northern Trail Outfitters (NTO) is planning to build a new customer service portal and wants to use passwordless login, allowing customers to login with a one-time passcode sent to them via email or SMS.
How should the quantity of required Identity Verification Credits be estimated?

• A. Each community comes with 10,000 Identity Verification Credits per month and only customers with more than 10,000 logins a month should estimate additional SMS verifications needed.
• B. Identity Verification Credits are consumed with each SMS (text message) sent and should be estimated based on the number of login verification challenges for SMS verification users.
• C. Identity Verification Credits are consumed with each verification sent and should be estimated based on the number of loginsthat will incur a verification challenge.
• D. Identity Verification Credits are a direct add-on license based on the number of existing member-based or login-based Community licenses.

Answer: B

Explanation:
Identity Verification Credits are units that are consumed when Salesforce sends verification messages to users via email or SMS. To use passwordless login, customers need to receive a one-time passcode via email or SMS that they can use to log in to the customer service portal. Therefore, Identity Verification Credits are consumed with each SMS (text message) sent and should be estimated based on the number of login verification challenges for SMS verification users. Email verification does not consume Identity Verification Credits. References: Identity Verification Credits, Passwordless Login

NEW QUESTION 17
Northern Trail Outfitters (NTO) is planning to implement a community for its customers using Salesforce Experience Cloud. Customers are not able to self-register. NTO would like to have customers set their own passwords when provided access to the community.
Which two recommendations should an identity architect make to fulfill this requirement? Choose 2 answers

• A. Add customers as contacts and add them to Experience Cloud site.
• B. Enable Welcome emails while configuring the Experience Cloud site.
• C. Allow Password reset using the API to update Experience Cloud site membership.
• D. Use Login Flows to allow users to reset password in Experience Cloud site.

Answer: CD

Explanation:
Allowing password reset using the API and using login flows are two possible ways to enable customers to set their own passwords in Experience Cloud. The other options are not relevant for this requirement, as they do not address the password issue. References: Allow Password Reset Using the API, Use Login Flows to Allow Users to Reset Passwords in Experience Cloud Sites

NEW QUESTION 18
An architect needs to advise the team that manages the identity provider how to differentiate salesforce from other service providers. What SAML SSO setting in salesforce provides this capability?

• A. Entity id
• B. Issuer
• C. Identity provider login URL
• D. SAML identity location

Answer: A

Explanation:
The Entity ID is the SAML SSO setting in Salesforce that provides the capability to differentiate Salesforce from other service providers. The Entity ID is a unique identifier for the service provider that is sent in the SAML request and response messages1. The identity provider uses the Entity ID to determine which service provider is requesting or receiving authentication information2. You can customize the Entity ID for your Salesforce org or Experience Cloud site in the SAML Single Sign-On Settings page3. References: 1: SAML SSO Flows 2: Federated Authentication Using SAML to Log in to Salesforce Org 3: Step 2: Create a SA Single Sign-On Setting in Salesforce

NEW QUESTION 19
Universal Containers uses Salesforce as an identity provider and Concur as the Employee Expense management system. The HR director wants to ensure Concur accounts for employees are created only after the apocopate approval in the Salesforce org.
Which three steps should the identity architect use to implement this requirement? Choose 3 answers

• A. Create an approval process for a custom object associated with the provisioning flow.
• B. Create a connected app for Concur in Salesforce.
• C. Enable User Provisioning for the connected app.
• D. Create an approval process for user object associated with the provisioning flow.
• E. Create an approval process for UserProvisionlngRequest object associated with the provisioning flow.

Answer: BCE

Explanation:
User provisioning is a feature that allows Salesforce to create, update, or deactivate user accounts on a
third-party system, such as Concur, based on user assignments in Salesforce1. To implement user provisioning for Concur with an approval process, the identity architect should use the following steps2:
Create a connected app for Concur in Salesforce. A connected app is an application that integrates with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect3. To create a connected app for Concur, you need to provide the basic information, such as the app name, logo URL, contact email, and API name. You also need to enable SAML and configure the SAML settings, such as the entity ID, ACS URL, and subject type4.
Enable User Provisioning for the connected app. This step allows you to configure the user provisioning settings for the connected app, such as the provisioning API endpoint URL, the client ID and client secret, the mapping of user attributes, and the linkage rules5. You can also choose to require an approval process for user provisioning requests by selecting the Approval Required option6.
Create an approval process for UserProvisioningRequest object associated with the provisioning flow. A UserProvisioningRequest object represents a user provisioning request that is sent to or received from a third-party system7. An approval process specifies the steps necessary for a record to be approved and who must approve it at each step8. To create an approval process for UserProvisioningRequest object, you need to define the approval steps, assignees, actions, criteria, and email alerts9.
References:
User Provisioning for Connected Apps
Tutorial: Configure Salesforce for automatic user provisioning
Connected Apps
Create a Connected App
Enable User Provisioning for a Connected App
Require Approvals for User Provisioning Requests
UserProvisioningRequest
Approval Processes
Create an Approval Process

NEW QUESTION 20
Northern Trail Outfitters manages application functional permissions centrally as Active Directory groups. The CRM_Superllser and CRM_Reportmg_SuperUser groups should respectively give the user the SuperUser and Reportmg_SuperUser permission set in Salesforce. Salesforce is the service provider to a Security Assertion Markup Language (SAML) identity provider.
Mow should an identity architect ensure the Active Directory groups are reflected correctly when a user accesses Salesforce?

• A. Use the Apex Just-in-Time handler to query standard SAML attributes and set permission sets.
• B. Use the Apex Just-in-Time handler to query custom SAML attributes and set permission sets.
• C. Use a login flow to query custom SAML attributes and set permission sets.
• D. Use a login flow to query standard SAML attributes and set permission sets.

Answer: B

Explanation:
Using the Apex Just-in-Time handler to query custom SAML attributes and set permission sets is the best way to ensure that the Active Directory groups are reflected correctly when a user accesses Salesforce. The Apex Just-in-Time handler is a custom class that can process the SAML response from the identity provider and assign permission sets based on the user’s AD groups. The other options are either not feasible or not effective for this use case. References: Just-in-Time Provisioning for SAML, Apex Just-in-Time Handler

NEW QUESTION 21
......