Identity-and-Access-Management-Architect Exam - Salesforce Certified Identity and Access Management Architect (SU23)

NEW QUESTION 1
A group of users try to access one of universal containers connected apps and receive the following error message: "Failed : Not approved for access". what is most likely to cause of the issue?

• A. The use of high assurance sections are required for the connected App.
• B. The users do not have the correct permission set assigned to them.
• C. The connected App setting "All users may self-authorize" is enabled.
• D. The salesforce administrators gave revoked the Oauth authorization.

Answer: B

Explanation:
The users do not have the correct permission set assigned to them is the most likely cause of the issue. A connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect1. Connected apps use these protocols to authorize, authenticate, and provide single sign-on (SSO) for external apps1. To access a connected app, users must have the appropriate permissions assigned to them, either through their profile or a permission set2. If the users do not have the required permissions, they will receive an error message when they try to access the connected app. The use of high assurance sessions are required for the connected app is not a valid option, as high assurance sessions are related to multi-factor authentication (MFA), not connected apps3. The connected app setting “All users may self-authorize” is enabled is not a cause of the issue, but a possible solution. This setting allows users to access the connected app without pre-approval from an administrator4. The Salesforce administrators have revoked the OAuth authorization is not a likely cause of the issue, as OAuth authorization is granted by the users, not the administrators5. Revoking OAuth authorization would also affect all users, not just a group of them.
References: Learn About Connected Apps, Create a Connected App, [Multi-Factor Authentication (MFA) fo Salesforce], [Connected App Basics], OAuth Authorization Flows

NEW QUESTION 2
Universal Containers (UC) wants its users to access Salesforce and other SSO-enabled applications from a custom web page that UC magnets. UC wants its users to use the same set of credentials to access each of the applications. what SAML SSO flow should an Architect recommend for UC?

• A. SP-Initiated with Deep Linking
• B. SP-Initiated
• C. IdP-Initiated
• D. User-Agent

Answer: C

Explanation:
The SAML SSO flow that an architect should recommend for UC is IdP-initiated. IdP-initiated SSO is a process that allows users to start at the IdP site, such as UC’s custom web page, and then be redirected to Salesforce or other SPs with a SAML assertion that contains information about the user’s identity and attributes. This flow enables UC to provide a single point of entry for its users to access multiple applications with the same credentials, as they do not need to enter their username and password again for each application. This flow also simplifies the configuration and maintenance of SSO, as UC does not need to create or manage deep links or URLs for each application.
The other options are not valid SAML SSO flows for this scenario. SP-initiated with deep linking is a process that allows users to start at a specific resource on the SP site, such as a report or dashboard, and then be redirected to the IdP for authentication and back to the resource with a SAML assertion. This flow is not suitable for UC’s scenario, as they want their users to start at their custom web page, not at a specific resource on Salesforce or other SPs. SP-initiated is a process that allows users to start at the SP site, such as Salesforce or other applications, and then be redirected to the IdP for authentication and back to the SP site with a SAML assertion. This flow is not suitable for UC’s scenario, as they want their users to start at their custom web page, not at each application separately. User-agent is not a standard term for SAML SSO, but it could refer to user-agent flow, which is an OAuth authorization flow that allows users to obtain an access token from Salesforce by using a browser or web-view. This flow is not suitable for UC’s scenario, as it does not use SAML or IdP for authentication. References: [SAML Single Sign-On], [IdP-Initiated Login], [SP-Initiated Login], [Deep Linking], [OAuth User-Agent Flow]

NEW QUESTION 3
Universal Containers (UC) currently uses Salesforce Sales Cloud and an external billing application. Both Salesforce and the billing application are accessed several times a day to manage customers. UC would like to configure single sign-on and leverage Salesforce as the identity provider. Additionally, UC would like the billing application to be accessible from Salesforce. A redirect is acceptable.
Which two Salesforce tools should an identity architect recommend to satisfy the requirements? Choose 2 answers

• A. salesforce Canvas
• B. Identity Connect
• C. Connected Apps
• D. App Launcher

Answer: AD

Explanation:
Salesforce Canvas is a tool that allows external applications to be embedded into Salesforce as iframes, which can provide a seamless user experience. App Launcher is a feature that allows users to access connected apps from a single location in Salesforce. To enable single sign-on and use Salesforce as the identity provider, the external billing application needs to be configured as a connected app and use an OAuth 2.0 or SAML protocol. Identity Connect is not relevant for this scenario, as it is a tool for synchronizing user data between Salesforce and Active Directory. References: Salesforce Canvas Developer Guide, App Launcher, Connect Apps

NEW QUESTION 4
Universal containers (UC) uses a legacy Employee portal for their employees to collaborate and post their ideas. UC decides to use salesforce ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to push ideas posted on the Employee portal to salesforce through API. UC decides to use an API user using Oauth Username - password flow for the connection. How can the connection to salesforce be restricted only to the employee portal server?

• A. Add the Employee portals IP address to the Trusted IP range for the connected App
• B. Use a digital certificate signed by the employee portal Server.
• C. Add the employee portals IP address to the login IP range on the user profile.
• D. Use a dedicated profile for the user the Employee portal uses.

Answer: A

Explanation:
Adding the employee portal’s IP address to the trusted IP range for the connected app is the best way to restrict the connection to Salesforce only to the employee portal server. This will ensure that only requests from the specified IP range will be accepted by Salesforce for that connected app. Option B is not a good choice because using a digital certificate signed by the employee portal server may not be supported by Salesforce for OAuth username-password flow. Option C is not a good choice because adding the employee portal’s IP address to the login IP range on the user profile may not be sufficient, as it will still allow other users with the same profile to log in from that IP range. Option D is not a good choice because using a dedicated profile for the user that the employee portal uses may not be effective, as it will still allow other users with that profile to log in from any IP address. References: [Connected Apps], [OAuth 2.0
Username-Password Flow]

NEW QUESTION 5
An Identity architect works for a multinational, multi-brand organization. As they work with the organization to understand their Customer Identity and Access Management requirements, the identity architect learns that the brand experience is different for each of the customer's sub-brands and each of these branded experiences must be carried through the login experience depending on which sub-brand the user is logging into.
Which solution should the architect recommend to support scalability and reduce maintenance costs, if the organization has more than 150 sub-brands?

• A. Assign each sub-brand a unique Experience ID and use the Experience ID to dynamically brand the login experience.
• B. Use Audiences to customize the login experience for each sub-brand and pass an audience ID to the community during the OAuth and Security Assertion Markup Language (SAML) flows.
• C. Create a community subdomain for each sub-brand and customize the look and feel of the Login page for each community subdomain to match the brand.
• D. Create a separate Salesforce org for each sub-brand so that each sub-brand has complete control over the user experience.

Answer: A

Explanation:
To support scalability and reduce maintenance costs for a multinational, multi-brand organization, the architect should recommend assigning each sub-brand a unique Experience ID and using the Experience ID to dynamically brand the login experience. Experience ID is a parameter that can be used to identify different brands or experiences within a single Experience Cloud site (formerly known as Community). Dynamic branding is a feature that allows Experience Cloud sites to display different branding elements, such as logos, colors, or images, based on the Experience ID or other criteria. This solution can provide a consistent and personalized brand experience for each sub-brand without creating multiple subdomains or orgs. References: Experience ID, Dynamic Branding for Experience Cloud Sites

NEW QUESTION 6
Universal Containers (UC) has a Customer Community that uses Facebook for Authentication. UC would like to ensure that Changes in the Facebook profile are reflected on the appropriate Customer Community user: How can this requirement be met?

• A. Use the updateUser method on the registration Handler Class.
• B. Develop a scheduled job that calls out to Facebook on a nightly basis.
• C. Use information in the signed Request that is received from facebook.
• D. Use SAML Just-In-Time Provisioning between Facebook and Salesforce.

Answer: A

Explanation:
The best option for UC to ensure that changes in the Facebook profile are reflected on the appropriate customer community user is to use the updateUser method on the registration handler class. A registration handler class is an Apex class that implements the Auth.RegistrationHandler interface and defines the logic for creating or updating a user account when a user logs in with an external authentication provider, such as Facebook. The updateUser method is a method in the registration handler class that takes a user ID and a JSON string as parameters and updates the user record with the information from the JSON string. This method can be used to update the user’s profile, email, name, or other attributes based on the changes in the Facebook profile. The other options are not optimal for this scenario. Developing a scheduled job that calls out to Facebook on a nightly basis would introduce a delay in updating the user information and require custom code and API integration. Using information in the signed request that is received from Facebook would only provide limited information about the user, such as name, email, and locale, and not reflect any changes made after the initial login. Using SAML Just-in-Time provisioning between Facebook and Salesforce would require UC to configure Facebook as a SAML identity provider, which is not supported by Facebook. References: [Create a Registration Handler Class], [Auth.RegistrationHandler Interface], [Facebook Signed Request], [Facebook as SAML Identity Provider]

NEW QUESTION 7
Universal Containers (UC) is looking to build a Canvas app and wants to use the corresponding Connected App to control where the app is visible. Which two options are correct in regards to where the app can be made visible under the Connected App setting for the Canvas app? Choose 2 answers

• A. As part of the body of a Salesforce Knowledge article.
• B. In the mobile navigation menu on Salesforce for Android.
• C. The sidebar of a Salesforce Console as a console component.
• D. Included in the Call Control Tool that's part of Open CTI.

Answer: CD

Explanation:
The sidebar of a Salesforce Console as a console component and included in the Call Control Tool that’s part of Open CTI are two options that are correct in regards to where the app can be made visible under the connected app settings for the Canvas app. A Canvas app is an external application that can be embedded within Salesforce using an iframe. A connected app is an application that integrates with Salesforce using APIs and uses OAuth as the authentication protocol. You can control where a Canvas app can be displayed in Salesforce by configuring the locations in the connected app settings. The sidebar of a Salesforce Console as a console component is a valid location for a Canvas app because it allows you to display the app as a collapsible panel on the side of any console app. Included in the Call Control Tool that’s part of Open CTI is a valid location for a Canvas app because it allows you to display the app as part of the softphone panel that integrates with your telephony system. As part of the body of a Salesforce Knowledge article is not a valid location for a Canvas app because it is not supported by the connected app settings. In the mobile navigation menu on Salesforce for Android is not a valid location for a Canvas app because it is not supported by the connected app settings. References: : [Canvas Developer Guide] : [Connected Apps Overview] : [Add or Remove Components from Your Console Apps] : [Open CTI Developer Guide]

NEW QUESTION 8
Universal Containers would like its customers to register and log in to a portal built on Salesforce Experience Cloud. Customers should be able to use their Facebook or Linkedln credentials for ease of use.
Which three steps should an identity architect take to implement social sign-on? Choose 3 answers

• A. Register both Facebook and Linkedln as connected apps.
• B. Create authentication providers for both Facebook and Linkedln.
• C. Check "Facebook" and "Linkedln" under Login Page Setup.
• D. Enable "Federated Single Sign-On Using SAML".
• E. Update the default registration handlers to create and update users.

Answer: BCE

Explanation:
To implement social sign-on for customers to register and log in to a portal built on Salesforce Experience Cloud using their Facebook or LinkedIn credentials, the identity architect should take three steps:
Create authentication providers for both Facebook and LinkedIn. Authentication providers are configurations that enable users to authenticate with an external identity provider and access Salesforce resources. Salesforce provides predefined authentication providers for some common identity providers, such as Facebook and LinkedIn, which can be easily configured with minimal customization.
Check “Facebook” and “LinkedIn” under Login Page Setup. Login Page Setup is a setting that allows administrators to customize the login page for Experience Cloud sites. By checking “Facebook” and “LinkedIn”, the identity architect can enable social sign-on buttons for these identity providers on the login page.
Update the default registration handlers to create and update users. Registration handlers are classes that implement the Auth.RegistrationHandler interface and define how to create or update users in Salesforce based on the information from the external identity provider. The identity architect can update the default registration handlers to link the user’s social identity with their Salesforce identity and prevent duplicate accounts. References: Authentication Providers, Social Sign-On with Authentication Providers, Login Page Setup, Create a Custom Registration Handler

NEW QUESTION 9
Universal containers (UC) has built a custom based Two-factor Authentication (2fa) system for their existing on-premise applications. Thru are now implementing salesforce and would like to enable a Two-factor login process for it, as well. What is the recommended solution an architect should consider?

• A. Replace the custom 2fa system with salesforce 2fa for on-premise application and salesforce.
• B. Use the custom 2fa system for on-premise applications and native 2fa for salesforce.
• C. Replace the custom 2fa system with an app exchange app that supports on-premise applications and salesforce.
• D. Use custom login flows to connect to the existing custom 2fa system for use in salesforce.

Answer: D

Explanation:
Using custom login flows to connect to the existing custom 2fa system for use in salesforce is the recommended solution because it allows you to leverage your existing 2fa infrastructure and provide a consistent user experience across your applications. Custom login flows let you customize the authentication process by adding extra screens or logic before or after the standard login1. You can use Apex code to call your custom 2fa system and verify the user’s identity2. This option also gives you more flexibility and control over the 2fa process than using native 2fa or an app exchange app3. References: 1: Customize User Authentication with Login Flows 2: Custom Login Flow Examples 3: Salesforce Multi-Factor Authentic

NEW QUESTION 10
Universal Containers is budding a web application that will connect with the Salesforce API using JWT OAuth Flow.
Which two settings need to be configured in the connect app to support this requirement? Choose 2 answers

• A. The Use Digital Signature option in the connected app.
• B. The "web" OAuth scope in the connected app,
• C. The "api" OAuth scope in the connected app.
• D. The "edair_api" OAuth scope m the connected app.

Answer: AC

Explanation:
JWT OAuth Flow is a protocol that allows a client app to obtain an access token from Salesforce by using a JSON Web Token (JWT) instead of an authorization code. The JWT contains information about the client app and the user who wants to access Salesforce. To use this flow, the client app needs to have a connected app configured in Salesforce. The connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols. To support JWT OAuth Flow, two settings need to be configured in the connected app:
The Use Digital Signature option, which enables the connected app to verify the signature of the JWT using a certificate.
The “api” OAuth scope, which allows the connected app to access Salesforce APIs on behalf of the user.
References: JWT OAuth Flow, Connected Apps, OAuth Scopes

NEW QUESTION 11
Which three are capabilities of SAML-based Federated authentication? Choose 3 answers

• A. Trust relationships between Identity Provider and Service Provider are required.
• B. SAML tokens can be in XML or JSON format and can be used interchangeably.
• C. Web applications with no passwords are more secure and stronger against attacks.
• D. Access tokens are used to access resources on the server once the user is authenticated.
• E. Centralized federation provides single point of access, control and auditing.

Answer: ACE

Explanation:
A is correct because SAML-based Federated authentication requires trust relationships between the IdP and the SP. The IdP issues a SAML assertion that contains information about the user’s identity and attributes. The SP validates the assertion and grants access to the user.
C is correct because web applications that use SAML-based Federated authentication do not require passwords for users to log in. Instead, they rely on the IdP to authenticate the users and provide a secure token. This eliminates the risk of password breaches and phishing attacks.
E is correct because centralized federation provides a single point of access, control, and auditing for web applications that use SAML-based Federated authentication. Users can access multiple applications with one login, administrators can manage user access from one place, and auditors can monitor user activity across applications.
B is incorrect because SAML tokens are always in XML format. They cannot be used interchangeably with JSON tokens, which are used by OAuth or OpenID Connect protocols.
D is incorrect because access tokens are not used by SAML-based Federated authentication. Access tokens are used by OAuth or OpenID Connect protocols to access resources on the server once the user is authenticated.
References: : [Single Sign-On Implementation Guide Developer Documentation] : [Identity 101: Design Patterns for Access Management Salesforce Developers YouTube] : Certification - Identity and Access Management Architect - Trailhead : OAuth Authorization Flows Trailblazer Community Documentation : User Authentication Module - Trailhead

NEW QUESTION 12
Northern Trail Outfitters (NTO) uses Salesforce for Sales Opportunity Management. Okta was recently brought in to Just-in-Time (JIT) provision and authenticate NTO users to applications. Salesforce users also use Okta to authorize a Forecasting web application to access Salesforce records on their behalf.
Which two roles are being performed by Salesforce? Choose 2 answers

• A. SAML Identity Provider
• B. OAuth Client
• C. OAuth Resource Server
• D. SAML Service Provider

Answer: BD

Explanation:
Salesforce acts as an OAuth client when it uses Okta to authorize a Forecasting web application to access
Salesforce records on behalf of the user. Salesforce acts as a SAML service provider when it accepts SAML assertions from Okta to authenticate NTO users. References: OAuth 2.0 Web Server Authentication
Flow, SAML Single Sign-On Overview

NEW QUESTION 13
Universal containers (UC) has a mobile application that it wants to deploy to all of its salesforce users, including customer Community users. UC would like to minimize the administration overhead, which two items should an architect recommend? Choose 2 answers

• A. Enable the "Refresh Tokens is valid until revoked " setting in the Connected App.
• B. Enable the "Enforce Ip restrictions" settings in the connected App.
• C. Enable the "All users may self-authorize" setting in the Connected App.
• D. Enable the "High Assurance session required" setting in the Connected App.

Answer: AC

Explanation:
The two items that an architect should recommend for UC to minimize the administration overhead are:
Enable the “Refresh Tokens is valid until revoked” setting in the Connected App. This setting allows the mobile app to obtain a refresh token from Salesforce when it obtains an access token. A refresh token can be used to obtain a new access token when the previous one expires or becomes invalid. By enabling this setting in the Connected App, UC can reduce the number of login prompts and authentication failures for its mobile users, as they can use the refresh token to renew their access without entering their credentials again.
Enable the “All users may self-authorize” setting in the Connected App. This setting allows users to grant access to the mobile app without administrator approval. By enabling this setting in the Connected App, UC can simplify and speed up the deployment process for its mobile app, as they do not need to manually authorize each user or group of users.
The other options are not recommended items for this scenario. Enabling the “Enforce IP restrictions” setting in the Connected App would limit the mobile app access to certain IP ranges, which could prevent some users from accessing the app from different locations or networks. Enabling the “High Assurance session required” setting in the Connected App would require users to verify their identity with a second factor before accessing the mobile app, which could increase complexity and inconvenience for users. References: [Connected Apps], [Refresh Token], [All Users May Self-Authorize], [IP Restrictions for Connected Apps], [Require a Second Factor of Authentication for Connected Apps]

NEW QUESTION 14
Universal Containers allows employees to use a mobile device to access Salesforce for daily operations using a hybrid mobile app. This app uses Mobile software development kits (SDK), leverages refresh token to regenerate access token when required and is distributed as a private app.
The chief security officer is rolling out an org wide compliance policy to enforce re-verification of devices if an employee has not logged in from that device in the last week.
Which connected app setting should be leveraged to comply with this policy change?

• A. Scope - Deny refresh_token scope for this connected app.
• B. Refresh Token Policy - Expire the refresh token if it has not been used for 7 days.
• C. Session Policy - Set timeout value of the connected app to 7 days.
• D. Permitted User - Ask admins to maintain a list of users who are permitted based on last login date.

Answer: B

Explanation:
Refresh Token Policy - Expire the refresh token if it has not been used for 7 days is the connected app setting that should be leveraged to comply with the policy change. This setting ensures that users have to re-verify their devices if they have not logged in from that device in the last week. The other settings are either not relevant or not effective for this scenario. References: Connected App Basics, OAuth 2.0 Refresh Token Flow

NEW QUESTION 15
An identity architect is setting up an integration between Salesforce and a third-party system. The third-party system needs to authenticate to Salesforce and then make API calls against the REST API.
One of the requirements is that the solution needs to ensure the third party service providers connected app in Salesforce mini need for end user interaction and maximizes security.
Which OAuth flow should be used to fulfill the requirement?

• A. JWT Bearer Flow
• B. Web Server Flow
• C. User Agent Flow
• D. Username-Password Flow

Answer: A

Explanation:
JWT Bearer Flow allows the third-party system to authenticate to Salesforce using a digital certificate and a JSON Web Token (JWT) without any user interaction. It also provides a high level of security as it does not require sharing credentials or storing tokens. References: OAuth 2.0 JWT Bearer Token Flow

NEW QUESTION 16
Universal Containers (UC) is both a Salesforce and Google Apps customer. The UC IT team would like to manage the users for both systems in a single place to reduce administrative burden. Which two optimal ways can the IT team provision users and allow Single Sign-on between Salesforce and Google Apps ? Choose 2 answers

• A. Build a custom app running on Heroku as the Identity Provider that can sync user information between Salesforce and Google Apps.
• B. Use a third-party product as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.
• C. Use Identity Connect as the Identity Provider for both Salesforce and Google Apps and manage the provisioning from there.
• D. Use Salesforce as the Identity Provider and Google Apps as a Service Provider and configure UserProvisioning for Connected Apps.

Answer: BD

Explanation:
B is correct because a third-party product can act as an Identity Provider (IdP) for both Salesforce and Google Apps and manage the user provisioning from a single place12. This reduces the administrative burden and provides a consistent user experience.
D is correct because Salesforce can act as an IdP and Google Apps can act as a Service Provider (SP) and they can use SAML or OpenID Connect for Single Sign-on (SSO)34. Salesforce also supports User Provisioning for Connected Apps, which allows the creation, update, and deactivation of users in Google Apps based on changes in Salesforce.
A is incorrect because building a custom app on Heroku as an IdP is not an optimal way to provision users and allow SSO. It would require more development and maintenance effort than using a third-party product or Salesforce as an IdP.
C is incorrect because Identity Connect is a tool that synchronizes users between Active Directory and Salesforce. It does not support Google Apps as a target system for user provisioning or SSO.
References: 1: Architect Journey: Identity and Access Management Trailmix - Trailhead 2: Free Salesfo Identity-and-Access-Management-Architect Questions … 3: [Single Sign-On Implementation Guide Developer Documentation] 4: [Social Single Sign-On with OpenID Connect Salesforce Developer YouTube] : [Authorize Apps with OAuth Trailblazer Community Documentation] : Identity Connect Implementation Guide Developer Documentation

NEW QUESTION 17
Universal containers(UC) has implemented SAML-BASED single Sign-on for their salesforce application and is planning to provide access to salesforce on mobile devices using the salesforce1 mobile app. UC wants to ensure that single Sign-on is used for accessing the salesforce1 mobile app. Which two recommendations should the architect make? Choose 2 answers

• A. Use the existing SAML SSO flow along with user agent flow.
• B. Configure the embedded Web browser to use my domain URL.
• C. Use the existing SAML SSO flow along with Web server flow
• D. Configure the salesforce1 app to use the my domain URL

Answer: BD

Explanation:
To use SAML SSO for accessing the Salesforce1 mobile app, the architect should recommend configuring the embedded web browser to use the My Domain URL and configuring the Salesforce1 app to use the My Domain URL4. Using the My Domain URL allows Salesforce to identify the identity provider and initiate the SSO process5. Using the existing SAML SSO flow along with user agent flow or web server flow is not necessary because Salesforce Mobile Applications only work with service provider initiated setups46. Therefore, option B and D are the correct answers.
References: Salesforce Mobile Application Single Sign-On overview, SAML SSO with Salesforce as the Service Provider, Single Sign-On

NEW QUESTION 18
Universal Containers (UC) is building an authenticated Customer Community for its customers. UC does not want customer credentials stored in Salesforce and is confident its customers would be willing to use their social media credentials to authenticate to the community. Which two actions should an Architect recommend UC to take?

• A. Use Delegated Authentication to call the Twitter login API to authenticate users.
• B. Configure an Authentication Provider for LinkedIn Social Media Accounts.
• C. Create a Custom Apex Registration Handler to handle new and existing users.
• D. Configure SSO Settings For Facebook to serve as a SAML Identity Provider.

Answer: BC

Explanation:
Configuring an Authentication Provider for LinkedIn Social Media Accounts allows UC to use LinkedIn as an external identity provider for its customer community. This means that customers can use their LinkedIn credentials to log in to the community without storing their credentials in Salesforce. Creating a Custom Apex Registration Handler allows UC to customize how new and existing users are handled when they log in with an external identity provider. This means that UC can control how user records are created, updated, or matched when customers use their social media credentials to authenticate to the community. These two actions can meet the requirement of UC to use social media credentials for its customer community.

NEW QUESTION 19
......