Try Before You Buy

Download a free sample of any of our exam questions and answers

  • 24/7 customer support, Secure shopping site
  • Free One year updates to match real exam scenarios
  • If you failed your exam after buying our products we will refund the full amount back to you.

2026 Latest Identity-and-Access-Management-Architect dumps - Instant Download PDF [Q80-Q98]

Share

2026 Latest Identity-and-Access-Management-Architect dumps - Instant Download PDF

Updated Verified Identity-and-Access-Management-Architect Downloadable Printable Exam Dumps

NEW QUESTION # 80
Universal Containers (UC) has implemented SSO according to the diagram below. uses SAML while Salesforce Org 1 uses OAuth 2.0. Users usually start their day by first attempting to log into Salesforce Org 2 and then later in the day, they will log into either the Financial System or CPQ system depending upon their job position. Which two systems are acting as Identity Providers?

  • A. Salesforce Org 2
  • B. Financial System
  • C. Pingfederate
  • D. Salesforce Org 1

Answer: C,D


NEW QUESTION # 81
Universal Containers (UC) has an existing web application that it would like to access from Salesforce without requiring users to re-authenticate. The web application is owned UC and the UC team that is responsible for it is willing to add new javascript code and/or libraries to the application. What implementation should an Architect recommend to UC?

  • A. Create a Canvas app and use Signed Requests to authenticate the users.
  • B. Rewrite the web application as a set of Visualforce pages and Apex code.
  • C. Configure the web application as an item in the Salesforce App Launcher.
  • D. Add the web application as a ConnectedApp using OAuth User-Agent flow.

Answer: A


NEW QUESTION # 82
Universal Containers (UC) has built a custom token-based Two-factor authentication (2FA) system for their existing on-premise applications. They are now implementing Salesforce and would like to enable a Two-factor login process for it, as well. What is the recommended solution as Architect should consider?

  • A. Replace the custom 2FA system with an AppExchange App that supports on premise application and salesforce.
  • B. Use the custom 2FA system for on-premise applications and native 2FA for Salesforce.
  • C. Use Custom Login Flows to connect to the existing custom 2FA system for use in Salesforce.
  • D. Replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce.

Answer: D

Explanation:
Explanation
The recommended solution for UC to enable a two-factor login process for Salesforce and their existing on-premise applications is to replace the custom 2FA system with Salesforce 2FA for on-premise applications and Salesforce. Salesforce 2FA is a feature that requires users to verify their identity with a second factor, such as a verification code or a mobile app, after entering their username and password. Salesforce 2FA can be enabled for both Salesforce and on-premise applications by using one of the following methods:
Use Salesforce Authenticator, a mobile app that generates verification codes or sends push notifications to users' devices.
Use a third-party authenticator app, such as Google Authenticator or Microsoft Authenticator, that generates verification codes based on a shared secret key.
Use a verification code sent by email or SMS to users' registered email address or phone number.
Use a U2F security key, such as YubiKey, that plugs into users' devices and provides a physical token.
By replacing the custom 2FA system with Salesforce 2FA, UC can benefit from the following advantages:
Improved security and compliance by using a standard and proven 2FA solution that protects against phishing, credential theft, and brute force attacks.
Reduced complexity and cost by eliminating the need to maintain a custom 2FA system and integrating it with Salesforce.
Enhanced user experience and convenience by providing multiple options for verifying identity and allowing users to remember trusted devices or browsers.
The other options are not recommended solutions for this scenario. Using the custom 2FA system for on-premise applications and native 2FA for Salesforce would create inconsistency and confusion for users who have to use different methods of verification for different applications. Replacing the custom 2FA system with an AppExchange app that supports on-premise applications and Salesforce would require UC to find an app that meets their specific needs and pay for its license and maintenance. Using custom login flows to connect to the existing custom 2FA system for use in Salesforce would require UC to write custom code and logic to invoke the custom 2FA system from Salesforce, which could introduce security and performance issues. References: [Two-Factor Authentication], [Salesforce Authenticator], [Third-Party Authenticator Apps], [Verification Code via Email or SMS], [U2F Security Keys], [Custom Login Flows]


NEW QUESTION # 83
Universal containers (UC) is building a mobile application that will make calls to the salesforce RESTAPI.
Additionally, UC would like to provide the optimal experience for its mobile users. Which two OAuth scopes should UC configure in the connected App? Choose 2 answers

  • A. Web
  • B. Refresh token
  • C. API
  • D. full

Answer: B,C

Explanation:
The two OAuth scopes that UCshould configure in the connected app are:
* Refresh token. This scope allows the mobile app to obtain a refresh token from Salesforce when it obtains an access token. A refresh token can be used to obtain a new access token when the previous one expires orbecomes invalid. This scope enables UC to provide an optimal experience for its mobile users by reducing the number of login prompts and authentication failures.
* API. This scope allows the mobile app to make REST API calls to Salesforce using the access token.
The REST API allows the mobile app to access or manipulate data and metadata in Salesforce using HTTP methods. This scope enables UC to build a custommobile app that can connect to Salesforce and perform various operations on Salesforce resources.
References: [OAuth Scopes], [Connected Apps], [Refresh Token], [REST API]


NEW QUESTION # 84
A consumer products company uses Salesforce to maintain consumer information, including orders. The company implemented a portal solution using Salesforce Experience Cloud for its consumers where the consumers can log in using their credentials. The company is considering allowing users to login with their Facebook or Linkedln credentials.
Once enabled, what role will Salesforce play?

  • A. Salesforce will be the identity provider (IdP).
  • B. Salesforce will be the service provider (SP).
  • C. Facebook and Linkedln will be the SPs.
  • D. Facebook and Linkedln will act as the IdPs and SPs.

Answer: B

Explanation:
Explanation
To allow users to login with their Facebook or LinkedIn credentials, Salesforce will play the role of a service provider (SP). A SP is an entity that relies on an identity provider (IdP) to authenticate and authorize users. In this scenario, Facebook and LinkedIn are the IdPs, and Salesforce is the SP. The SP receives a token from the IdP and uses it to access Salesforce resources. The other options are not correct for this scenario. References:
Service Provider, Social Sign-On with Authentication Providers


NEW QUESTION # 85
Universal containers wants salesforce inbound Oauth-enabled integration clients to use SAML-BASED single Sign-on for authentication. What Oauth flow would be recommended in this scenario?

  • A. User-Token Oauth flow
  • B. Web server Oauth flow
  • C. SAML assertion Oauth flow
  • D. User-Agent Oauth flow

Answer: C


NEW QUESTION # 86

A multinational company is looking to rollout Salesforce globally. The company has a Microsoft Active Directory Federation Services (ADFS) implementation for the Americas, Europe and APAC. The company plans to have a single org and they would like to have all of its users access Salesforce using the ADFS . The company would like to limit its investments and prefer not to procure additional applications to satisfy the requirements.
What is recommended to ensure these requirements are met ?

  • A. Use connected apps for each ADFS implementation and implement Salesforce site to authenticate users across the ADFS system applicable to their geo.
  • B. Configure Each ADFS system under single sign-on settings and allow users to choose the system to authenticate during sign on to Salesforce-
  • C. Add a central identity system that federates between the ADFS systems and integrate with Salesforce for single sign-on.
  • D. Implement Identity Connect to provide single sign-on to Salesforce and federated across multiple ADFS systems.

Answer: D


NEW QUESTION # 87
Universal Containers (UC) has a mobile application for its employees that usesdata from Salesforce as well as uses Salesforce for Authentication purposes. UC wants its mobile users to only enter their credentials the first time they run the app. Theapplication has been live for a little over 6 months, and all of the users who werepart of the initial launch are complaining that they have to re-authenticate. UC has also recently changed the URI Scheme associated with the mobile app. What should the Architect at UC first investigate?Universal Containers (UC) has a mobile applicationfor its employees that uses data from Salesforce as well as uses Salesforce for Authentication purposes. UC wants its mobile users to only enter their credentials the first time they run the app. The application has been live for a little over 6 months, and all of the users who were part of the initial launch are complaining that they have to re-authenticate. UC has also recently changed the URI Scheme associated with the mobile app. What should the Architect at UC first investigate?

  • A. Check the Refresh Token policy defined in the Salesforce Connected App.
  • B. Validate that the users are checking the box to remember their passwords.
  • C. Verify that the Callback URL is correctly pointing to the new URI Scheme.
  • D. Confirm that the access Token's Time-To-Livepolicy has been set appropriately.

Answer: A

Explanation:
The first thing that the architect at UC should investigate is the refresh token policy defined in the Salesforce connected app. A refresh token is a credential that allows an application to obtain new access tokens without requiring the user to re-authenticate. The refresh token policy determines how long a refresh token is valid and under what conditions it can be revoked. If the refresh token policy is set to expire after a certain period of time or after a change in IP address or device ID, then the users may have to re-authenticate after using the app for a while or from a different location or device. Option B is not a good choice because validating that the users are checking the box to remember their passwords may not be relevant, as the app uses SSO with a third-party identity provider and does not rely on Salesforce credentials. Option C is not a good choice because verifying that the callback URL is correctly pointing to the new URI scheme may not be necessary, as the callback URL is used for redirecting the user back to the app after authentication, but it does not affect how long the user can stay authenticated. Option D is not a good choice because confirming that the access token's time-to-live policyhas been set appropriately may not be effective, as the access token's time-to-live policy determines how long an access token is valid before it needs to be refreshed by a refresh token, but it does not affect how long a refresh token is valid or when itcan be revoked. References: [Connected Apps Developer Guide], [Digging Deeper into OAuth 2.0 on Force.com]


NEW QUESTION # 88
A technology enterprise is setting up an identity solution with an external vendors wellness application for its employees. The user attributes need to be returned to the wellness application in an ID token.
Which authentication mechanism should an identity architect recommend to meet the requirements?

  • A. Web Server Flow
  • B. User Agent Flow
  • C. OpenID Connect
  • D. JWT Bearer Token Flow

Answer: A


NEW QUESTION # 89
Universal containers (UC) has a classified information system that it's call centre team uses only when they are working on a case with a record type of "classified". They are only allowed to access the system when they own an open "classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO with salesforce as the IDP, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying access to the classified information system based on the open "classified" case record criteria?

  • A. Use apex trigger on case to dynamically assign permission sets that grant access when a user is assigned with an open "classified" case, and remove it when the case is closed.
  • B. Use a custom connected App handler using apex to dynamically allow access to the system based on whether the staff owns any open "classified" cases.
  • C. Use custom SAML jit provisioning to dynamically query the user's open "classified" cases when attempting to access the classified information system
  • D. Use salesforce reports to identify users that currently owns open "classified" cases and should be granted access to the classified information system.

Answer: B

Explanation:
Explanation
Use a custom connected app handler using Apex to dynamically allow access to the system based on whether the staff owns any open "classified" cases is the recommended solution for this scenario. A custom connected app handler is an Apex class that implements the ConnectedAppPlugin interface and can customize the behavior of a connected app. The custom handler can support new protocols or respond to user attributes in a way that benefits a business process. In this case, the custom handler can query the user's open "classified" cases and grant or deny access to the classified information system accordingly. Use Apex trigger on case to dynamically assign permission sets that grant access when a user is assigned with an open "classified" case, and remove it when the case is closed is not a good solution, as permission sets are not related to SSO and cannot control access to external systems. Use custom SAML JIT provisioning to dynamically query the user's open "classified" cases when attempting to access the classified information system is not feasible, as JIT provisioning is used to create or update user records in Salesforce, not in external systems. Use Salesforce reports to identify users that currently own open "classified" cases and should be granted access to the classified information system is not an automated solution, as it requires manual intervention and does not leverage SSO.
References: Certification - Identity and Access Management Architect - Trailhead, Create a Custom Connected App Handler, Manage Access Through a Custom Connected App Handler


NEW QUESTION # 90
Universal containers(UC) has decided to build a new, highly sensitive application on Force.com platform. The security team at UC has decided that they want users to provide a fingerprint in addition to username/Password to authenticate to this application. How can an architect support fingerprints as a form of identification for salesforce Authentication?

  • A. Use custom login flows with callouts to a third-party fingerprint scanning application.
  • B. Use an appexchange product that does fingerprint scanning with native salesforce identity confirmation.
  • C. Use salesforce Two-factor Authentication with callouts to a third-party fingerprint scanning application.
  • D. Use Delegated Authentication with callouts to a third-party fingerprint scanning application.

Answer: A


NEW QUESTION # 91
Universal containers (UC) is concerned that having a self-registration page will provide a means for "bots" or unintended audiences to create user records, thereby consuming licences and adding dirty data. Which two actions should UC take to prevent unauthorised form submissions during the self-registration process? Choose
2 answers

  • A. Use open-ended security questions and complex password requirements
  • B. Primarily use lookup and picklist fields on the self registration page.
  • C. Use hidden fields populated via java script events in the self-registration page.
  • D. Require a captcha at the end of the self-registration process.

Answer: C,D

Explanation:
Explanation
To prevent unauthorized form submissions during the self-registration process, UC should require a captcha at the end of the self-registration process and use hidden fields populated via JavaScript events in the self-registration page. These methods will help to verify that the user is a human and not a bot, and also to validate the user's input against some predefined values. Option A is not a good choice because open-ended security questions and complex password requirements may frustrate the user and reduce the conversion rate.
Option B is not a good choice because lookup and picklist fields may not prevent bots from submitting the form, as they can be easily automated or bypassed.
References: Single Sign-On Implementation Guide, Customizing User Authentication with Login Flows


NEW QUESTION # 92
Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Act Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee recently was able to login to NTO's Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory.
What should an identity architect recommend to prevent this from happening in the future?

  • A. Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP.
  • B. Setup an identity provider (IdP) to authenticate users using LDAP, set up single sign-on to Salesforce and disable Login Form authentication.
  • C. use a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce.
  • D. Configure an authentication provider to delegate authentication to the LDAP directory.

Answer: D

Explanation:
Explanation
Login History allows administrators to view the login attempts of all users in the org, including the status, source IP, login type, and application. This can help identify and troubleshoot any login errors or issues.
References: Login History


NEW QUESTION # 93
A global company is using the Salesforce Platform as an Identity Provider and needs to integrate a third-party application with its Experience Cloud customer portal.
Which two features should be utilized to provide users with loginand identity services for the third-party application?
Choose 2 answers

  • A. Use the App Launcher with single sign-on (SSO).
  • B. External a Data source with Named Principal identity type.
  • C. Use a connected app.
  • D. Use Delegated Authentication.

Answer: A,C

Explanation:
Using the App Launcher with SSO and using a connected app are two features that can be utilized to provide users with login and identity services for the third-party application. The App Launcher allows users to access multiple apps from one location with SSO. The connected app allows users to authorize access to the third- party application using OAuth 2.0. The other options are either not relevant or not applicable for this use case.
References: App Launcher, Connected Apps


NEW QUESTION # 94
Universal Containers (UC) is planning to add Wi-Fi enabled GPS tracking devices to its shipping containers so that the GPS coordinates data can be sent from the tracking device to its Salesforce production org via a custom API. The GPS devices have no direct user input or output capabilities.
Which OAuth flow should the identity architect recommend to meet the requirement?

  • A. OAuth 2.0 Username-Password Flow for Special Scenarios
  • B. OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration
  • C. OAuth 2.0 Asset Token Flow for Securing Connected Devices
  • D. OAuth 2.0 Web Server Flow for Web App Integration

Answer: C


NEW QUESTION # 95
Which two roles of the systems are involved in an environment where salesforce users are enabled to access Google Apps from withinsalesforce through App launcher and connected App set up? Choose 2 answers

  • A. Salesforce is the identity provider
  • B. Google is the identity provider
  • C. Salesforce is the service provider
  • D. Google is the service provider

Answer: A,D

Explanation:
In an environment where Salesforce users are enabled to access Google Apps from within Salesforce through App Launcher and Connected App setup, Google is the service provider and Salesforce is the identity provider. A service provider is an application that provides a service to users and relies on an identity provider for authentication3. A connected app is a service provider that integrates an application with Salesforce using APIs4. An identity provider is an application that authenticates users and provides information about them to service providers3. The App Launcher is a feature that allows users to access Salesforce, connected, and on- premises apps from one location5. In this scenario, Google Apps are connected apps that provide services to Salesforce users, such as Gmail, Google Drive, and GoogleCalendar. Salesforce isthe identity provider that authenticates users and allows them to access Google Apps with their Salesforce credentials using single sign- on (SSO)6.
References: Identity Provider Overview, Connected Apps Overview, App Launcher, Single Sign-On for Desktop and Mobile Applications using SAML and OAuth


NEW QUESTION # 96
Northern Trail Outfitters (NTO) is setting up Salesforce to authenticate users with an external identity provider. The NTO Salesforce Administrator is having trouble getting things setup.
What should an identity architect use to show which part of the login assertion is fading?

  • A. SAML Metadata file importer
  • B. Security Assertion Markup Language Validator
  • C. Identity Provider Metadata download
  • D. Connected App Manager

Answer: B


NEW QUESTION # 97
Universal Containers built a custom mobile app fortheir field reps to create orders in Salesforce. OAuth is used for authenticating mobile users. The app is built in such a way that when a user session expires after Initial login, a new access token is obtained automatically without forcing the user to log in again. While that improved the field reps' productivity, UC realized that they need a "logout" feature.
What should the logout function perform in this scenario, where user sessions are refreshed automatically?

  • A. Invoke the revocation URL and pass the refresh token.
  • B. Clear out all the tokens to stop auto session refresh.
  • C. Invoke the revocation URL and pass the access token.
  • D. Clear out the client Id to stop auto session refresh.

Answer: A

Explanation:
The refresh token is used to obtain a new access token when the previous one expires. To revoke the user session, the logout function should invoke the revocation URL and pass the refresh token as a parameter. This will invalidate both the refresh token and the access token, and prevent the user from accessing Salesforce without logging in again2.
References:
Certification Exam Guide
Revoke OAuth Tokens


NEW QUESTION # 98
......

The Ultimate Salesforce Identity-and-Access-Management-Architect Dumps PDF Review: https://www.dumptorrent.com/Identity-and-Access-Management-Architect-braindumps-torrent.html

Achieve The Utmost Performance In Identity-and-Access-Management-Architect Exam Pass Guaranteed: https://drive.google.com/open?id=1y4vd4DiFKllMI2oJOxsWeitpAkrV8Ml1