New 2026 Latest Questions Identity-and-Access-Management-Architect Dumps - Use Updated Salesforce Exam
Latest Identity-and-Access-Management-Architect Exam Dumps Salesforce Exam from Training Expert BraindumpsIT
Salesforce Certified Identity and Access Management Architect certification exam is a valuable credential that can help professionals stand out in the competitive job market. Salesforce Certified Identity and Access Management Architect certification demonstrates that a professional has the knowledge, skills, and expertise to design, implement, and manage identity and access management solutions. Employers value this certification because it shows that a professional is committed to continuous learning and development, and has the ability to deliver high-quality solutions that meet business needs.
NEW QUESTION # 136
Universal Containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in Salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two are recommendations to make the UC? Choose 2 answers
- A. Require High Assurance sessions in order to use the Connected App.
- B. Use Google Authenticator as an additional part of the login process
- C. Disallow the use of Single Sign-on for any users of the mobile app.
- D. Set Login IP Ranges to the internal network for all of the app users Profiles.
Answer: A,B
NEW QUESTION # 137
Which two capabilities does My Domain enable in the context of a SAML SSOconfiguration? Choose 2 answers
- A. Resource deep linking
- B. App Launcher
- C. SSO from Salesforce Mobile App
- D. Login Forensics
Answer: A,C
Explanation:
These are two capabilities that My Domain enables in the context of a SAML SSO configuration. My Domain is a feature that lets you customize your Salesforce domain name and login page1. Resource deep linking is the ability to access a specific page or resource within Salesforce directly from a link, without having to navigate through the app2. SSO from Salesforce Mobile App is the ability to log in to the Salesforce Mobile App using your SSO credentials, without having to enter your username and password3. My Domain enables these capabilities by allowing you to specify your identity provider (IdP) and SSO settings for your unique domain name, and by providing a custom login URL that can be used for deep linking and mobile app login1.
The other options are notcorrect for this question because:
* App Launcher is a feature that lets you access all your connected apps from one place in Salesforce. It does not require My Domain or SAML SSO to work, although it can be enhanced by using them.
* Login Forensics is a feature that analyzes login behavior and identifies anomalous or suspicious logins.
It does not require My Domain or SAML SSO to work, although it can be used with them.
References: MyDomain, Deep Linking into Salesforce, Salesforce Mobile AppBasics, [App Launcher],
[Login Forensics]
NEW QUESTION # 138
Universal containers (UC) have a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a connected App in salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properlysecure access to the app. Which two are recommendations to make the UC? Choose 2 answers
- A. Require high assurance sessions in order to use the connected App
- B. Set login IP ranges to the internal network for all of the app users profiles.
- C. Use Google Authenticator as an additional part of the logical processes.
- D. Disallow the use of single Sign-on for any users of the mobile app.
Answer: A,C
Explanation:
High assurance sessions are sessions that require a stronger level of identity verification, such astwo-factor authentication or SAML assertions1. Google Authenticator is an app that generates verification codes on your mobile device that you canuse as a second factor of authentication2. These measures can help prevent unauthorized access to the connected app by ensuring that the useris who they claim to be and that they have access to their mobile device. Disallowing the use of single sign-on (SSO) for the mobile app is not a recommendation because SSO can provide a seamless and secure user experience across multiple applications3. Setting login IP ranges totheinternal network for the app users profiles is not a recommendation because it can limit the mobility and flexibility of the users who are commonly out of the office.
References: 1: Session Security Levels 2: Google Authenticator 3: Connected Apps : [Restrict Login Access by IP Address]
NEW QUESTION # 139
Northern Trail Outfitters (NTO) is launching a new sportswear brand on its existing consumer portal built on Salesforce Experience Cloud. As part of the launch, emails with promotional links will be sent to existing customers to log in and claim a discount. The marketing manager would like the portal dynamically branded so that users will be directed to the brand link they clicked on; otherwise, users will view a recognizable NTO-branded page.
The campaign is launching quickly, so there is no time to procure any additional licenses. However, the development team is available to apply any required changes to the portal.
Which approach should the identity architect recommend?
- A. Implement Experience ID in the code and extend the URLs and endpoints, as required.
- B. Configure an additional community site on the same org that is dedicated for the new brand.
- C. Use Heroku to build the new brand site and embedded login to reuse identities.
- D. Create a full sandbox to replicate the portal site and update the branding accordingly.
Answer: A
Explanation:
Explanation
To dynamically brand the portal so that users will be directed to the brand link they clicked on, the identity architect should recommend implementing Experience ID in the code and extending the URLs and endpoints, as required. Experience ID is a parameter that can be used to identify different brands or experiences within a single Experience Cloud site (formerly known as Community). Dynamic branding is a feature that allows Experience Cloud sites to display different branding elements, such as logos, colors, or images, based on the Experience ID or other criteria. By implementing Experience ID in the code, the identity architect can provide a consistent and personalized brand experience for each user without creating multiple sites or sandboxes.
References: Experience ID, Dynamic Branding for Experience Cloud Sites
NEW QUESTION # 140
Universal containers(UC) has a customer Community that uses Facebook for authentication. UC would like to ensure that changes in the Facebook profile are reflected on the appropriate customer Community user. How can this requirement be met?
- A. Use the updateuser() method on the registration handler class.
- B. Use information in the signed request that is received from Facebook.
- C. Use SAML just-in-time provisioning between Facebook and Salesforce
- D. Develop a schedule job that calls out to Facebook on a nightly basis.
Answer: A
NEW QUESTION # 141 
A pharmaceutical company has an on-premise application (see illustration) that it wants to integrate with Salesforce.
The IT director wants to ensure that requests must include a certificate with a trusted certificate chain to access the company's on-premise application endpoint.
What should an Identity architect do to meet this requirement?
- A. Generate a certificate authority-signed certificate in Salesforce and uploading it to the on-premise application Truststore.
- B. Use open SSL to generate a Self-signed Certificate and upload it to the on-premise app.
- C. Upload a third-party certificate from Salesforce into the on-premise server.
- D. Configure the company firewall to allow traffic from Salesforce IP ranges.
Answer: A
Explanation:
Explanation
To ensure that requests must include a certificate with a trusted certificate chain to access the company's on-premise application endpoint, the identity architect should generate a certificate authority-signed certificate in Salesforce and upload it to the on-premise application Truststore. A certificate authority-signed certificate is a certificate that is issued by a trusted third-party entity, such as VeriSign or Thawte, that verifies the identity and authenticity of the certificate holder. A Truststore is a repository that stores trusted certificates and public keys. By generating a certificate authority-signed certificate in Salesforce and uploading it to the on-premise application Truststore, the identity architect can enable mutual authentication and secure communication between Salesforce and the on-premise application. The other options are not recommended for this scenario, as they either do not provide a trusted certificate chain, do not enable mutual authentication, or do not secure the communication. References: Create Certificate Authority-Signed Certificates, Mutual Authentication
NEW QUESTION # 142
Which two are valid choices for digital certificates when setting up two-way SSL between Salesforce and an external system. Choose 2 answers
- A. Use a self-signed certificate for salesforce and a trusted CA-signed cert for the external system
- B. Use a trusted CA-signed certificate for salesforce and a self-signed cert for the external system
- C. Use a self-signed certificate for salesforce and a self-signed cert for the external system
- D. Use a trusted CA-signed certificate for salesforce and a trusted CA-signed cert for the external system
Answer: A,C
NEW QUESTION # 143
A global company has built an external application that uses data from its Salesforce org via an OAuth 2.0 authorization flow. Upon logout, the existing Salesforce OAuth token must be invalidated.
Which action will accomplish this?
- A. Use a HTTP POST to request the refresh token for the current user.
- B. Use a HTTP POST to make a call to the revoke token endpoint.
- C. Enable Single Logout with a secure logout URL.
- D. Use a HTTP POST to the System for Cross-domain Identity Management (SCIM) endpoint, including the current OAuth token.
Answer: B
Explanation:
To invalidate an existing Salesforce OAuth token, the external application needs to make a HTTP POST request to the revoke token endpoint, passing the token as a parameter. This will revoke the access token and the refresh token if available. The other options are not relevant for this scenario. References: Revoke OAuth Tokens, OAuth 2.0 Token Revocation
NEW QUESTION # 144
A Salesforce customer is implementing Sales Cloud and a custom pricing application for its call center agents.
An Enterprise single sign-on solution is used to authenticate and sign-in users to all applications. The customer has the following requirements:
1. The development team has decided touse a Canvas app to expose the pricing application to agents.
2. Agents should be able to access the Canvas app without needing to log in to the pricing application.
Which two options should the identity architect consider to provide support for the Canvas app to initiate login for users?
Choose 2 answers
- A. Configure the Canvas app as a connected app and set Admin-approved users as pre-authorized.
- B. Enable SAML in the connected app and Security Assertion Markup Language (SAML) Initiation Method as Service Provider Initiated.
- C. Select "Enable as a Canvas Personal App" in the connected app settings.
- D. Enable OAuth settings in the connected app with required OAuth scopes for the pricing application.
Answer: A,B
Explanation:
To allow agents to access the Canvas appwithout needing to log in to the pricing application, the identity architect should consider two options:
* Configure the Canvas app as a connected app and set Admin-approved users as pre-authorized. A connected app is a framework that enables an externalapplication to integrate with Salesforce using APIs and standard protocols. A Canvas app is a type of connected app that allows an external application to be embedded within Salesforce. By setting Admin-approved users as pre-authorized, the identity architect can control which users can access the Canvas app by assigning profiles or permission sets to the connected app.
* Enable SAML in the connected app and Security Assertion Markup Language (SAML) Initiation Method as Service Provider Initiated. SAML is aprotocol that allows users to authenticate and authorize with an external identity provider and access Salesforce resources. By enabling SAML in the connected app, the identity architect can use Salesforce as a service provider (SP) and the pricing application as an identity provider (IdP) for single sign-on (SSO). By setting SAML Initiation Method as Service Provider Initiated, the identity architect can initiate the SSO process from Salesforce and send a SAML request to the pricing application. References: Connected Apps, Canvas Apps, SAML Single Sign-On Settings
NEW QUESTION # 145
Northern Trail Outfitters (NTO) leverages Microsoft Active Directory (AD) for management of employee usernames, passwords, permissions, and asset access. NTO also owns a third-party single sign-on (SSO) solution. The third-party party SSO solution is used for all corporate applications, including Salesforce.
NTO has asked an architect to explore Salesforce Identity Connect for automatic provisioning and deprovisioning of users in Salesforce.
What role does identity Connect play in the outlined requirements?
- A. Identity Provider
- B. Service Provider
- C. User Management
- D. Single Sign-On
Answer: C
Explanation:
Explanation
Salesforce Identity Connect is a tool that synchronizes user data between Microsoft Active Directory and Salesforce. It allows automatic provisioning and deprovisioning of users in Salesforce based on the changes made in Active Directory. Therefore, Identity Connect plays the role of user management in the outlined requirements. References: Identity Connect Implementation Guide, Identity Connect Overview
NEW QUESTION # 146
A real estate company wants to provide its customers a digital space to design their interior decoration options. To simplify the registration to gain access to the communitysite (built in Experience Cloud), the CTO has requested that the IT/Development team provide the option for customers to use their existing social- media credentials to register and access.
The IT lead has approached the Salesforce Identity and Access Management (IAM) architect for technical direction on implementing the social sign-on (for Facebook, Twitter, and a new provider that supports standard OpenID Connect (OIDC)).
Which two recommendations should the Salesforce IAM architect make to the IT Lead?
Choose 2 answers
- A. For supporting OIDC it is necessary to enable Security Assertion Markup Language (SAML) with Just- in-Time provisioning (JIT) and OAuth 2.0.
- B. Authentication provider configuration is required each social sign-on providers; and enable Authentication providers incommunity.
- C. Use declarative registration handler process builder/flow to create, update users and contacts.
- D. Apex coding skills are needed for registration handler to create and update users.
Answer: B,D
Explanation:
Authentication provider configuration and Apex coding skills are two recommendations that the Salesforce IAM architect should make to the IT Lead. Authentication providers are used to configure social sign-on providers, such as Facebook, Twitter, and any OpenID Connect compliant provider. Apex coding skills are needed for registration handlers, which are custom classes that create and update users based on social sign-on data. References: Authentication Providers, Registration Handlers
NEW QUESTION # 147
Universal Containers is budding a web application that will connect with the Salesforce API using JWT OAuth Flow.
Which two settings need to be configured in the connect app to support this requirement?
Choose 2 answers
- A. The Use Digital Signature option in the connected app.
- B. The "api" OAuth scope in the connected app.
- C. The "web" OAuth scope in the connected app,
- D. The "edair_api" OAuth scope m the connected app.
Answer: A,B
Explanation:
Explanation
JWT OAuth Flow is a protocol that allows a client app to obtain an access token from Salesforce by using a JSON Web Token (JWT) instead of an authorization code. The JWT contains information about the client app and the user who wants to access Salesforce. To use this flow, the client app needs to have a connected app configured in Salesforce. The connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols. To support JWT OAuth Flow, two settings need to be configured in the connected app:
The Use Digital Signature option, which enables the connected app to verify the signature of the JWT using a certificate.
The "api" OAuth scope, which allows the connected app to access Salesforce APIs on behalf of the user.
References: JWT OAuth Flow, Connected Apps, OAuth Scopes
NEW QUESTION # 148
Universal Containers (UC) is both a Salesforce and Google Apps customer. The UC IT team would like to manage the users for both systems in a single place to reduce administrative burden. Which two optimal ways can the IT team provision users and allow Single Sign-on between Salesforce and Google Apps ? Choose 2 answers
- A. Build a custom app running on Heroku as the Identity Provider that can sync user information between Salesforce and Google Apps.
- B. Use a third-party product as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.
- C. Use Identity Connect as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.
- D. Use Salesforce as the Identity Provider and Google Apps as a Service Provider and configure User Provisioning for Connected Apps.
Answer: B,D
Explanation:
Explanation
B is correct because a third-party product can act as an Identity Provider (IdP) for both Salesforce and Google Apps and manage the user provisioning from a single place12. This reduces the administrative burden and provides a consistent user experience.
D is correct because Salesforce can act as an IdP and Google Apps can act as a Service Provider (SP) and they can use SAML or OpenID Connect for Single Sign-on (SSO)34. Salesforce also supports User Provisioning for Connected Apps, which allows the creation, update, and deactivation of users in Google Apps based on changes in Salesforce.
A is incorrect because building a custom app on Heroku as an IdP is not an optimal way to provision users and allow SSO. It would require more development and maintenance effort than using a third-party product or Salesforce as an IdP.
C is incorrect because Identity Connect is a tool that synchronizes users between Active Directory and Salesforce. It does not support Google Apps as a target system for user provisioning or SSO.
References: 1: Architect Journey: Identity and Access Management Trailmix - Trailhead 2: Free Salesforce Identity-and-Access-Management-Architect Questions ... 3: [Single Sign-On Implementation Guide Developer Documentation] 4: [Social Single Sign-On with OpenID Connect Salesforce Developer YouTube] :
[Authorize Apps with OAuth Trailblazer Community Documentation] : Identity Connect Implementation Guide Developer Documentation
NEW QUESTION # 149
Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, who use SAML based sign sign-on to login to Salesforce. The default agent profile does not include the Manage User permission. UC wants to dynamically update the agent role and permission sets.
Which two mechanisms are used to provision agents with the appropriate permissions?
Choose 2 answers
- A. Use SAML Just-m-Time (JIT) Handler class run as current user to update role and permission sets.
- B. Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets.
- C. Use Login Flow in System Context to update role and permission sets.
- D. Use Login Flow in User Context to update role and permission sets.
Answer: B,C
NEW QUESTION # 150
In a typical SSL setup involving a trusted party and trusting party, what consideration should an Architect take into account when using digital certificates?
- A. Use of self-signed certificate leads to lower maintenance for trusted party because multiple self-signed certs need to be maintained.
- B. Use of self-signed certificate leads to lower maintenance for trusting party because there is no trusted CA cert to maintain.
- C. Use of self-signed certificate leads to higher maintenance for trusting party because the cert needs to be added to their truststore.
- D. Use of self-signed certificate leads to higher maintenance for trusted party because they have to act as the trusted CA
Answer: B
NEW QUESTION # 151
......
Salesforce Certified Identity and Access Management Architect certification is designed to validate an individual's expertise in designing and implementing IAM solutions using Salesforce. Salesforce Certified Identity and Access Management Architect certification is intended for experienced architects who have a deep understanding of the Salesforce platform and its IAM tools. Salesforce Certified Identity and Access Management Architect certification exam measures a candidate's ability to develop and implement IAM solutions that meet business requirements, comply with industry regulations, and integrate with other systems.
Salesforce Certified Identity and Access Management Architect certification offers a comprehensive assessment of the knowledge and competencies required to design and implement effective identity and access management solutions for Salesforce applications. Salesforce Certified Identity and Access Management Architect certification covers a range of topics, including identity management, access control, authentication, authorization, and federation.
Updated Test Engine to Practice Identity-and-Access-Management-Architect Dumps & Practice Exam: https://examtorrent.braindumpsit.com/Identity-and-Access-Management-Architect-latest-dumps.html