What Refined Identity-and-Access-Management-Architect Exam Engine Is

NEW QUESTION 1
The executive sponsor for an organization has asked if Salesforce supports the ability to embed a login widget into its service providers in order to create a more seamless user experience.
What should be used and considered before recommending it as a solution on the Salesforce Platform?

• A. OpenID Connect Web Server Flo
• B. Determine if the service provider is secure enough to store the client secret on.
• C. Embedded Logi
• D. Identify what level of UI customization will be required to make it match the service providers look and feel.
• E. Salesforce REST api
• F. Ensure that Secure Sockets Layer (SSL) connection for the integration is used.
• G. Embedded Logi
• H. Consider whether or not it relies on third party cookies which can cause browser compatibility issues.

Answer: D

Explanation:
Embedded Login is a feature that allows Salesforce to embed a login widget into any web page, such as a service provider’s site, to enable users to log in with their Salesforce credentials. However, Embedded Login relies on third-party cookies, which can cause browser compatibility issues and require users to adjust their browser settings. Therefore, this should be considered before recommending it as a solution on the Salesforce Platform. References: Embedded Login, Embedded Login Implementation Guide

NEW QUESTION 2
Under which scenario Web Server flow will be used?

• A. Used for web applications when server-side code needs to interact with APIS.
• B. Used for server-side components when page needs to be rendered.
• C. Used for mobile applications and testing legacy Integrations.
• D. Used for verifying Access protected resources.

Answer: A

Explanation:
The web server flow is used for web applications when server-side code needs to interact with APIs. This flow implements the OAuth 2.0 authorization code grant type, which allows the web app to obtain an access token and a refresh token from Salesforce after the user grants permission1. The web app can then use the access token to call the Salesforce APIs and use the refresh token to obtain a new access token when the previous one expires2. The other options are not valid scenarios for using the web server flow. The web server flow is not used for server-side components when page needs to be rendered, as this does not involve API calls. The web server flow is not used for mobile applications and testing legacy integrations, as these scenarios are better suited for other OAuth flows, such as the user-agent flow or the password flow3. The web server flow is not used for verifying access protected resources, as this is a general purpose of OAuth, not a specific scenario for the web server flow. References: OAuth 2.0 Web Server Flow for Web App Integration, Mastering Salesforc Canvas Apps, OAuth Authorization Flows

NEW QUESTION 3
An identity architect's client has a homegrown identity provider (IdP). Salesforce is used as the service provider (SP). The head of IT is worried that during a SP initiated single sign-on (SSO), the Security Assertion Markup Language (SAML) request content will be altered.
What should the identity architect recommend to make sure that there is additional trust between the SP and the IdP?

• A. Ensure that there is an HTTPS connection between IDP and SP.
• B. Ensure that on the SSO settings page, the "Request Signing Certificate" field has a self-signed certificate.
• C. Ensure that the Issuer and Assertion Consumer service (ACS) URL is property configured between SP and IDP.
• D. Encrypt the SAML Request using certification authority (CA) signed certificate and decrypt on IdP.

Answer: D

Explanation:
Encrypting the SAML Request using a CA signed certificate and decrypting it on the IdP ensures that the request content is not altered or tampered with during transit. This also adds an extra layer of security and trust between the SP and the IdP. References: SAML Single Sign-On Overview, SAML Assertion Encryption

NEW QUESTION 4
A company's external application is protected by Salesforce through OAuth. The identity architect for the project needs to limit the level of access to the data of the protected resource in a flexible way.
What should be done to improve security?

• A. Select "Admin approved users are pre-authorized" and assign specific profiles.
• B. Create custom scopes and assign to the connected app.
• C. Define a permission set that grants access to the app and assign to authorized users.
• D. Leverage external objects and data classification policies.

Answer: B

Explanation:
To limit the level of access to the data of the protected resource in a flexible way, the identity architect should create custom scopes and assign them to the connected app. Custom scopes are permissions that define the specific data that an external application can access or modify in Salesforce. Custom scopes can be created using Apex or Metadata API and assigned to a connected app using OAuth 2.0 or SAML protocols. Custom scopes can provide more granular control over data access than standard scopes, which are predefined by Salesforce. References: Custom Scopes, Create and Assign Custom Scopes

NEW QUESTION 5
An identity architect is implementing a mobile-first Consumer Identity Access Management (CIAM) for external users. User authentication is the only requirement. The users email or mobile phone number should be supported as a username.
Which two licenses are needed to meet this requirement? Choose 2 answers

• A. External Identity Licenses
• B. Identity Connect Licenses
• C. Email Verification Credits
• D. SMS verification Credits

Answer: AD

Explanation:
External Identity Licenses are required to enable external users to access Salesforce resources via a CIAM solution. Email Verification Credits and SMS Verification Credits are required to enable email or mobile phone number verification for user authentication. Identity Connect Licenses are not required for this scenario, as Identity Connect is a tool for synchronizing user data between Salesforce and Active Directory.
References: External Identity Implementation Guide, Identity Connect Implementation Guide

NEW QUESTION 6
Universal Containers (UC) is both a Salesforce and Google Apps customer. The UC IT team would like to manage the users for both systems in a single place to reduce administrative burden. Which two optimal ways can the IT team provision users and allow Single Sign-on between Salesforce and Google Apps ? Choose 2 answers

• A. Build a custom app running on Heroku as the Identity Provider that can sync user information between Salesforce and Google Apps.
• B. Use a third-party product as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.
• C. Use Identity Connect as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.
• D. Use Salesforce as the Identity Provider and Google Apps as a Service Provider and configure UserProvisioning for Connected Apps.

Answer: BD

Explanation:
B is correct because a third-party product can act as an Identity Provider (IdP) for both Salesforce and Google Apps and manage the user provisioning from a single place12. This reduces the administrative burden and provides a consistent user experience.
D is correct because Salesforce can act as an IdP and Google Apps can act as a Service Provider (SP) and they can use SAML or OpenID Connect for Single Sign-on (SSO)34. Salesforce also supports User Provisioning for Connected Apps, which allows the creation, update, and deactivation of users in Google Apps based on changes in Salesforce.
A is incorrect because building a custom app on Heroku as an IdP is not an optimal way to provision users and allow SSO. It would require more development and maintenance effort than using a third-party product or Salesforce as an IdP.
C is incorrect because Identity Connect is a tool that synchronizes users between Active Directory and Salesforce. It does not support Google Apps as a target system for user provisioning or SSO.
References: 1: Architect Journey: Identity and Access Management Trailmix - Trailhead 2: Free Salesfo Identity-and-Access-Management-Architect Questions … 3: [Single Sign-On Implementation Guide Developer Documentation] 4: [Social Single Sign-On with OpenID Connect Salesforce Developer YouTube] : [Authorize Apps with OAuth Trailblazer Community Documentation] : Identity Connect Implementation Guide Developer Documentation

NEW QUESTION 7
Universal Containers (UC) has decided to replace the homegrown customer portal with Salesforce Experience Cloud. UC will continue to use its third-party single sign-on (SSO) solution that stores all of its customer and partner credentials.
The first time a customer logs in to the Experience Cloud site through SSO, a user record needs to be created automatically.
Which solution should an identity architect recommend in order to automatically provision users in Salesforce upon login?

• A. Just-in-Time (JIT) provisioning
• B. Custom middleware and web services
• C. Custom login flow and Apex handler
• D. Third-party AppExchange solution

Answer: A

Explanation:
Just-in-Time (JIT) provisioning is a feature that allows Salesforce to create or update user records on the fly when users log in through an external identity provider. This eliminates the need for manual or batch user provisioning in Salesforce. References: Just-in-Time Provisioning for SAML and OpenID Connect, Identity 101: Design Patterns for Access Management

NEW QUESTION 8
Universal Containers (UC) currently uses Salesforce Sales Cloud and an external billing application. Both Salesforce and the billing application are accessed several times a day to manage customers. UC would like to configure single sign-on and leverage Salesforce as the identity provider. Additionally, UC would like the billing application to be accessible from Salesforce. A redirect is acceptable.
Which two Salesforce tools should an identity architect recommend to satisfy the requirements? Choose 2 answers

• A. salesforce Canvas
• B. Identity Connect
• C. Connected Apps
• D. App Launcher

Answer: AD

Explanation:
Salesforce Canvas is a tool that allows external applications to be embedded into Salesforce as iframes, which can provide a seamless user experience. App Launcher is a feature that allows users to access connected apps from a single location in Salesforce. To enable single sign-on and use Salesforce as the identity provider, the external billing application needs to be configured as a connected app and use an OAuth 2.0 or SAML protocol. Identity Connect is not relevant for this scenario, as it is a tool for synchronizing user data between Salesforce and Active Directory. References: Salesforce Canvas Developer Guide, App Launcher, Connect Apps

NEW QUESTION 9
Containers (UC) has implemented SAML-based single Sign-on for their Salesforce application and is planning to provide access to Salesforce on mobile devices using the Salesforce1 mobile app. UC wants to ensure that Single Sign-on is used for accessing the Salesforce1 mobile App. Which two recommendations should the Architect make? Choose 2 Answers

• A. Configure the Embedded Web Browser to use My Domain URL.
• B. Configure the Salesforce1 App to use the MY Domain URL.
• C. Use the existing SAML-SSO flow along with User Agent Flow.
• D. Use the existing SAML SSO flow along with Web Server Flow.

Answer: BC

Explanation:
To ensure that SSO is used for accessing the Salesforce1 mobile app, UC should configure the Salesforce1 app to use the My Domain URL instead of the default login.salesforce.com URL. My Domain is a feature that allows UC to create a custom domain name for their Salesforce org that supports SSO with their identity provider. UC should also use the existing SAML-SSO flow along with User Agent Flow, which is an OAuth 2.1 flow that allows users to authenticate with their identity provider through an embedded browser within the mobile app. Verified References: [Configure SSO with Salesforce as a SAML Service Provider], [User-Agent Flow]

NEW QUESTION 10
An administrator created a connected app for a custom wet) application in Salesforce which needs to be visible as a tile in App Launcher The tile for the custom web application is missing in the app launcher for all users in Salesforce. The administrator requested assistance from an identity architect to resolve the issue.
Which two reasons are the source of the issue? Choose 2 answers

• A. StartURL for the connected app is not set in Connected App settings.
• B. OAuth scope does not include "openid*.
• C. Session Policy is set as 'High Assurance Session required' for this connected app.
• D. The connected app is not set in the App menu as 'Visible in App Launcher".

Answer: AD

Explanation:
The StartURL for the connected app is required to specify the landing page for the app. The connected app
must also be set as visible in the App Launcher to appear as a tile for users. References: Connected App Basics, Manage Connected Apps

NEW QUESTION 11
Universal Container's (UC) is using Salesforce Experience Cloud site for its container wholesale business. The identity architect wants to an authentication provider for the new site.
Which two options should be utilized in creating an authentication provider? Choose 2 answers

• A. A custom registration handier can be set.
• B. A custom error URL can be set.
• C. The default login user can be set.
• D. The default authentication provider certificate can be set.

Answer: AB

Explanation:
An authentication provider is a configuration that allows users to log in to Salesforce using an external identity provider, such as Facebook, Google, or a custom one. When creating an authentication provider, two options that can be utilized are:
A custom registration handler, which is a class that implements the Auth.RegistrationHandler interface and defines how to create or update users in Salesforce based on the information from the external identity provider.
A custom error URL, which is a URL that users are redirected to when an error occurs during the authentication process. References: Authentication Providers, Create an Authentication Provider

NEW QUESTION 12
Universal containers (UC) has a customer Community that uses Facebook for authentication. UC would like to ensure that changes in the Facebook profile are reflected on the appropriate customer Community user. How can this requirement be met?

• A. Use the updateuser() method on the registration handler class.
• B. Use SAML just-in-time provisioning between Facebook and Salesforce
• C. Use information in the signed request that is received from Facebook.
• D. Develop a schedule job that calls out to Facebook on a nightly basis.

Answer: C

Explanation:
Using information in the signed request that is received from Facebook is how this requirement can be met. A signed request is a parameter that contains information about the user who is logging in with Facebook credentials. The signed request can include information such as the user ID, name, email, and profile picture. You can use this information to update the corresponding customer community user in Salesforce by implementing a registration handler class. The registration handler class is an Apex class that defines how Salesforce handles user registration and authentication when using an auth provider. You can use the updateUser() method in the registration handler class to update the user record with the information from the signed request. Using the updateUser() method on the registration handler class is not how this requirement can be met because it is only part of the solution. You also need to use information from the signed request as the source of the updates. Using SAML just-in-time provisioning between Facebook and Salesforce is not how this requirement can be met because Facebook does not support SAML as an identity provider protocol. Developing a scheduled job that calls out to Facebook on a nightly basis is not how this requirement can be met because it is inefficient and unnecessary. You can update the user record in real time using the signed request instead of waiting for a nightly batch process.

NEW QUESTION 13
Universal containers uses an Employee portal for their employees to collaborate. employees access the portal from their company's internal website via SSO. It is set up to work with Active Directory. What is the role of Active Directory in this scenario?

• A. Identity store
• B. Authentication store
• C. Identity provider
• D. Service provider

Answer: C

Explanation:
The role of Active Directory in this scenario is an identity provider. An identity provider is an application that authenticates users and provides information about them to service providers6. A service provider is an application that provides a service to users and relies on an identity provider for authentication6. In this scenario, the employee portal is a service provider that provides collaboration features to employees and relies on Active Directory for authentication. Active Directory is an identity provider that authenticates employees using their corporate credentials and sends information about them to the employee portal7.
References: Identity Provider Overview, Configure SSO to Salesforce Using Microsoft AD FS as the Identit
Provider

NEW QUESTION 14
An identity architect has been asked to recommend a solution that allows administrators to configure personalized alert messages to users before they land on the Experience Cloud site (formerly known as Community) homepage.
What is recommended to fulfill this requirement with the least amount of customization?

• A. Customize the registration handler Apex class to create a routing logic navigating to different home pages based on the user profile.
• B. Use Login Flows to add a screen that shows personalized alerts.
• C. Build a Lightning web Component (LWC) for a homepage that shows custom alerts.
• D. Create custom metadata that stores user alerts and use a LWC to display alerts.

Answer: B

Explanation:
Login Flows are custom post-authentication processes that can be used to add additional screens or logic after a user logs in to Salesforce. Login Flows can be used to show personalized alert messages to users based on their profile or other criteria before they land on the Experience Cloud site homepage. Login Flows require minimal customization and can be configured using Visual Workflow or Apex. References: Login Flows, Customizing User Authentication with Login Flows

NEW QUESTION 15
Northern Trail Outfitters (NTO) utilizes a third-party cloud solution for an employee portal. NTO also owns Salesforce Service Cloud and would like employees to be able to login to Salesforce with their third-party portal credentials for a seamless experience. The third-party employee portal only supports OAuth.
What should an identity architect recommend to enable single sign-on (SSO) between the portal and Salesforce?

• A. Configure SSO to use the third-party portal as an identity provider.
• B. Create a custom external authentication provider.
• C. Add the third-party portal as a connected app.
• D. Configure Salesforce for Delegated Authentication.

Answer: A

Explanation:
Configuring SSO to use the third-party portal as an identity provider is the best option to enable SSO between the portal and Salesforce. The portal can use OAuth as the protocol to authenticate users and redirect them to Salesforce. The other options are either not feasible or not relevant for this use case. References: Single Sign-On for Desktop and Mobile Applications using SAML and OAuth, Single Sign-On with SAML on Force.com

NEW QUESTION 16
Northern Trail Outfitters (NTO) is planning to build a new customer service portal and wants to use passwordless login, allowing customers to login with a one-time passcode sent to them via email or SMS.
How should the quantity of required Identity Verification Credits be estimated?

• A. Each community comes with 10,000 Identity Verification Credits per month and only customers with more than 10,000 logins a month should estimate additional SMS verifications needed.
• B. Identity Verification Credits are consumed with each SMS (text message) sent and should be estimated based on the number of login verification challenges for SMS verification users.
• C. Identity Verification Credits are consumed with each verification sent and should be estimated based on the number of loginsthat will incur a verification challenge.
• D. Identity Verification Credits are a direct add-on license based on the number of existing member-based or login-based Community licenses.

Answer: B

Explanation:
Identity Verification Credits are units that are consumed when Salesforce sends verification messages to users via email or SMS. To use passwordless login, customers need to receive a one-time passcode via email or SMS that they can use to log in to the customer service portal. Therefore, Identity Verification Credits are consumed with each SMS (text message) sent and should be estimated based on the number of login verification challenges for SMS verification users. Email verification does not consume Identity Verification Credits. References: Identity Verification Credits, Passwordless Login

NEW QUESTION 17
An Identity architect works for a multinational, multi-brand organization. As they work with the organization to understand their Customer Identity and Access Management requirements, the identity architect learns that the brand experience is different for each of the customer's sub-brands and each of these branded experiences must be carried through the login experience depending on which sub-brand the user is logging into.
Which solution should the architect recommend to support scalability and reduce maintenance costs, if the organization has more than 150 sub-brands?

• A. Assign each sub-brand a unique Experience ID and use the Experience ID to dynamically brand the login experience.
• B. Use Audiences to customize the login experience for each sub-brand and pass an audience ID to the community during the OAuth and Security Assertion Markup Language (SAML) flows.
• C. Create a community subdomain for each sub-brand and customize the look and feel of the Login page for each community subdomain to match the brand.
• D. Create a separate Salesforce org for each sub-brand so that each sub-brand has complete control over the user experience.

Answer: A

Explanation:
To support scalability and reduce maintenance costs for a multinational, multi-brand organization, the architect should recommend assigning each sub-brand a unique Experience ID and using the Experience ID to dynamically brand the login experience. Experience ID is a parameter that can be used to identify different brands or experiences within a single Experience Cloud site (formerly known as Community). Dynamic branding is a feature that allows Experience Cloud sites to display different branding elements, such as logos, colors, or images, based on the Experience ID or other criteria. This solution can provide a consistent and personalized brand experience for each sub-brand without creating multiple subdomains or orgs. References: Experience ID, Dynamic Branding for Experience Cloud Sites

NEW QUESTION 18
Universal Containers (UC) would like to enable self-registration for their Salesforce Partner Community Users. UC wants to capture some custom data elements from the partner user, and based on these data elements, wants to assign the appropriate Profile and Account values.
Which two actions should the Architect recommend to UC1 Choose 2 answers

• A. Configure Registration for Communities to use a custom Visualforce Page.
• B. Modify the SelfRegistration trigger to assign Profile and Account.
• C. Modify the CommunitiesSelfRegController to assign the Profile and Account.
• D. Configure Registration for Communities to use a custom Apex Controller.

Answer: CD

Explanation:
To enable self-registration for partner community users, UC should modify the CommunitiesSelfRegController class to assign the Profile and Account values based on the custom data elements captured from the partner user. UC should also configure Registration for Communities to use a custom Apex controller that extends the CommunitiesSelfRegController class and overrides the default registration logic3.
References:
Customize Self-Registration

NEW QUESTION 19
......