
Latest Verified & Correct Salesforce Identity-and-Access-Management-Architect Questions & Answers Daily Updated
100% Pass Guaranteed Download Identity and Access Management Designer Exam PDF Q&A
NEW QUESTION # 92
Universal Containers (UC) is building an integration between Salesforce and a legacy web application using the canvas framework. The security for UC has determined that a signed request from Salesforce is not an adequate authentication solution for the Third-Party app. Which two options should the Architect consider for authenticating the third-party app using the canvas framework? Choose 2 Answers
- A. Utilize Canvas OAuth flow to allow the third-party application to authenticate itself against Salesforce as the Idp.
- B. Create a registration handler Apex class to allow the third-party application to authenticate itself against Salesforce as the Idp.
- C. Utilize the SAML Single Sign-on flow to allow the third-party to authenticate itself against UC's IdP.
- D. Utilize Authorization Providers to allow the third-party application to authenticate itself against Salesforce as the Idp.
Answer: A,C
Explanation:
Explanation
The Canvas framework supports OAuth 2.0 for authorization1. There are two OAuth flows that can be used to authenticate the third-party app using the canvas framework: User-Agent OAuth Flow and Web Server OAuth Flow2. The User-Agent OAuth Flow uses the Canvas JavaScript SDK to obtain an OAuth token by using the login function in the SDK2. The Web Server OAuth Flow redirects the user to the Salesforce OAuth authorization endpoint and then obtains an OAuth access token by making a POST request to the Salesforce OAuth token endpoint2. Both of these flows allow the third-party app to authenticate itself against Salesforce as the IdP. The SAML Single Sign-on flow can also be used to allow the third-party app to authenticate itself against UC's IdP, which is another option for authentication3.
References: OAuth Authorization, Mastering Salesforce Canvas Apps, Integrate third-party applications via Canvas App
NEW QUESTION # 93
Universal containers(UC) has implemented SAML-BASED single Sign-on for their salesforce application and is planning to provide access to salesforce on mobile devices using the salesforce1 mobile app. UC wants to ensure that single Sign-on is used for accessing the salesforce1 mobile app. Which two recommendations should the architect make? Choose 2 answers
- A. Configure the salesforce1 app to use the my domain URL
- B. Use the existing SAML SSO flow along with user agent flow.
- C. Use the existing SAML SSO flow along with Web server flow
- D. Configure the embedded Web browser to use my domain URL.
Answer: A,D
Explanation:
Explanation
To use SAML SSO for accessing the Salesforce1 mobile app, the architect should recommend configuring the embedded web browser to use the My Domain URL and configuring the Salesforce1 app to use the My Domain URL4. Using the My Domain URL allows Salesforce to identify the identity provider and initiate the SSO process5. Using the existing SAML SSO flow along with user agent flow or web server flow is not necessary because Salesforce Mobile Applications only work with service provider initiated setups46.
Therefore, option B and D are the correct answers.
References: Salesforce Mobile Application Single Sign-On overview, SAML SSO with Salesforce as the Service Provider, Single Sign-On
NEW QUESTION # 94
Universal Containers (UC) is implementing Salesforce and would like to establish SAML SSO for its users to log in. UC stores its corporate user identities in a Custom Database. The UC IT Manager has heard good things about Salesforce Identity Connect as an Idp, and would like to understand what limitations they may face if they decided to use Identity Connect in their current environment. What limitation Should an Architect inform the IT Manager about?
- A. Identity Connect will not support user provisioning in UC's current environment.
- B. Identity Connect will only support Idp-initiated SAML flows in UC's current environment.
- C. Identity connect is not compatible with UC's current identity environment.
- D. Identity Connect will only support SP-initiated SAML flows in UC's current environment.
Answer: A
Explanation:
Explanation
Identity Connect will not support user provisioning in UC's current environment. Identity Connect is a tool that synchronizes user data between Active Directory and Salesforce, but it does not work with other identity sources such as a Custom Database5. Therefore, if UC wants to use Identity Connect as an Idp, they will not be able to provision users from their Custom Database to Salesforce.
Options B, C, and D are incorrect because Identity Connect does not have any limitations on the type of SAML flow or the compatibility with UC's current identity environment. Identity Connect supports both Idp-initiated and SP-initiated SAML flows6, and it can act as an Idp for any external service provider that supports SAML 2.07.
References: 5: Identity Connect - Salesforce 6: SAML SSO Flows - Salesforce 7: Salesforce Connect:
Integration, Benefits, and Limitations
NEW QUESTION # 95
Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, who use SAML based sign sign-on to login to Salesforce. The default agent profile does not include the Manage User permission. UC wants to dynamically update the agent role and permission sets.
Which two mechanisms are used to provision agents with the appropriate permissions?
Choose 2 answers
- A. Use Login Flow in User Context to update role and permission sets.
- B. Use Login Flow in System Context to update role and permission sets.
- C. Use SAML Just-m-Time (JIT) Handler class run as current user to update role and permission sets.
- D. Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets.
Answer: B,D
NEW QUESTION # 96
When designing a multi-branded Customer Identity and Access Management solution on the Salesforce Platform, how should an identity architect ensure a specific brand experience in Salesforce is presented?
- A. The Audience ID, which can be set in a shared cookie.
- B. Provide a brand picker that the end user can use to select its sub-brand when they arrive on salesforce.
- C. Add a custom parameter to the service provider's OAuth/SAML call and implement logic on its login page to apply branding based on the parameters value.
- D. The Experience ID, which can be included in OAuth/Open ID flows and Security Assertion Markup Language (SAML) flows as a URL parameter.
Answer: D
NEW QUESTION # 97
Northern Trail Outfitters manages application functional permissions centrally as Active Directory groups.
The CRM_Superllser and CRM_Reportmg_SuperUser groups should respectively give the user the SuperUser and Reportmg_SuperUser permission set in Salesforce. Salesforce is the service provider to a Security Assertion Markup Language (SAML) identity provider.
Mow should an identity architect ensure the Active Directory groups are reflected correctly when a user accesses Salesforce?
- A. Use a login flow to query standard SAML attributes and set permission sets.
- B. Use the Apex Just-in-Time handler to query standard SAML attributes and set permission sets.
- C. Use a login flow to query custom SAML attributes and set permission sets.
- D. Use the Apex Just-in-Time handler to query custom SAML attributes and set permission sets.
Answer: D
Explanation:
Explanation
Using the Apex Just-in-Time handler to query custom SAML attributes and set permission sets is the best way to ensure that the Active Directory groups are reflected correctly when a user accesses Salesforce. The Apex Just-in-Time handler is a custom class that can process the SAML response from the identity provider and assign permission sets based on the user's AD groups. The other options are either not feasible or not effective for this use case. References: Just-in-Time Provisioning for SAML, Apex Just-in-Time Handler
NEW QUESTION # 98
Northern Trail Outfitters (NTO) is planning to implement a community for its customersusing Salesforce Experience Cloud. Customers are not able to self-register. NTO would like to have customers set their own passwords when provided access to the community.
Which two recommendations should an identity architect make to fulfill this requirement?
Choose 2 answers
- A. Allow Password reset using the API to update Experience Cloud site membership.
- B. Use Login Flows to allow users to reset password in Experience Cloud site.
- C. Add customers as contacts and add them to Experience Cloud site.
- D. Enable Welcome emails while configuring the Experience Cloud site.
Answer: A,B
Explanation:
Allowing password reset using the API and using login flows are two possible ways to enable customers to set their own passwords in Experience Cloud. The other options are notrelevant for this requirement, as they do not address the password issue. References: Allow Password Reset Using the API, Use Login Flows to Allow Users to Reset Passwords in Experience Cloud Sites
NEW QUESTION # 99
Universal containers (UC) uses a legacy Employee portal for their employees to collaborate and post their ideas. UC decides to use salesforce ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to push ideas posted on the Employee portal to salesforce through API. UC decides to use an API user using Oauth Username - password flow for the connection. How can the connection to salesforce be restricted only to the employee portal server?
- A. Use a dedicated profile for the user the Employee portal uses.
- B. Add the Employee portals IP address to the Trusted IP range for the connected App
- C. Use a digital certificate signed by the employee portal Server.
- D. Add the employee portals IP address to the login IP range on the user profile.
Answer: B
Explanation:
Explanation
Adding the employee portal's IP address to the trusted IP range for the connected app is the best way to restrict the connection to Salesforce only to the employee portal server. This will ensure that only requests from the specified IP range will be accepted by Salesforce for that connected app. Option B is not a good choice because using a digital certificate signed by the employee portal server may not be supported by Salesforce for OAuth username-password flow. Option C is not a good choice because adding the employee portal's IP address to the login IP range on the user profile may not be sufficient, as it will still allow other users with the same profile to log in from that IP range. Option D is not a good choice because using a dedicated profile for the user that the employee portal uses may not be effective, as it will still allow other users with that profile to log in from any IP address. References: [Connected Apps], [OAuth 2.0 Username-Password Flow]
NEW QUESTION # 100
Universal Containers (UC) uses Global Shipping (GS) as one of their shipping vendors. Regional leads of GS need access to UC's Salesforce instance for reporting damage of goods using Cases. The regional leads also need access to dashboards to keep track ofregional shipping KPIs. UC internally uses a third-party cloud analytics tool forcapacity planning and UC decided to provide access to this tool to a subset of GS employees.
In addition to regional leads, the GS capacity planning team would benefit fromaccess to this tool. To access the analytics tool, UC IT has set up Salesforce as the Identity provider for Internal users and would like to follow the same approach for the GS users as well. What are the most appropriate license types for GS Tregional Leads and the GS Capacity Planners? Choose 2 Answers
- A. Customer Community license for GS Regional Leads and Identity license for GS Capacity Planners.
- B. Customer Community Plus license for GS Regional Leads and External Identity for GS Capacity Planners.
- C. Identity License for GS Regional Leads and External Identity license for GS capacity Planners.
- D. Customer Community Plus license for GS Regional Leads and Customer Community license for GS Capacity Planners.
Answer: A,B
Explanation:
The most appropriate license types for GS regional leads and the GS capacity planners are:
* Customer Community Plus license for GS regional leads. This license type allows external users, such as customers or partners, to access standard Salesforce objects, such as cases and dashboards, and custom objects in a community. This license type also supports role hierarchy, sharing rules, and reports. This license type is suitable for GS regional leads who need to report damage of goods using cases and access dashboards to track regional shipping KPIs.
* External Identity license for GS capacity planners. This license type allows external users to access a limited set of standard Salesforce objects, such as contacts and documents, and custom objects in a community. This license type also supports identity features, such as single sign-on (SSO) and social sign-on. This license type is suitable for GS capacity planners who need to access the third-party cloud analytics tool using Salesforce as the identity provider.
The other options are not appropriate license types for this scenario. Customer Community license for GS capacity planners would not allow them to access the third-party cloud analytics tool using SSO, as this license type does not support identity features. Identity license for GS regionalleads would not allow them to access cases and dashboards in the community, as this license type does not support standard Salesforce objects. References: [Customer Community Plus Licenses], [External Identity Licenses], [Customer Community Licenses], [Identity Licenses]
NEW QUESTION # 101
Universal Containers (UC) has a desktop application to collect leads for marketing campaigns. UC wants to extend this application to integrate with Salesforce to create leads. Integration between the desktop application and Salesforce should be seamless. What Authorization flow should the Architect recommend?
- A. Web Server Authentication Flow
- B. JWT Bearer Token Flow
- C. Username and Password Flow
- D. User Agent Flow
Answer: D
NEW QUESTION # 102
Universal Containers (UC) has an Experience Cloud site (Customer Community) where customers can authenticate and place orders, view the status of orders, etc. UC allows guest checkout.
Mow can a guest register using data previously collected during order placement?
- A. Use a Connected App Handler Apex Plugin class to collect only order details to retrieve customer data.
- B. Enable self-registration and customize a self-registration page to collect only order details to retrieve customer data.
- C. Enable Security Assertion Markup Language Sign-On and use a login flow to collect only order details to retrieve customer data.
- D. Enable Facebook as an authentication provider and use a registration handler to collect only order details to retrieve customer data.
Answer: B
NEW QUESTION # 103
Universal containers (UC) uses a home-grown employee portal for their employees to collaborate. UC decides to use salesforce ideas to allow the employees to post ideas from the employee portal. When clicking some links in the employee portal, the users should be redirected to salesforce, authenticated, and presented with relevant pages. What scope should be requested when using the Oauth token to meet this requirement?
- A. API
- B. Full
- C. Visualforce
- D. Web
Answer: D
NEW QUESTION # 104
Universal containers (UC) has decided to use identity connect as it's identity provider. UC uses active directory(AD) and has a team that is very familiar and comfortable with managing ad groups. UC would like to use AD groups to help configure salesforce users. Which three actions can AD groups control through identity connect? Choose 3 answers
- A. Role Assignment
- B. Granting report folder access
- C. Permission sets assignment
- D. Custom permission assignment
- E. Public Group Assignment
Answer: A,C,E
Explanation:
Explanation
AD groups can control public group assignment, role assignment, and permission set assignment through Identity Connect. Identity Connect is a tool that integrates Microsoft Active Directory (AD) user accounts with Salesforce user records1. It allows Salesforce admins to leverage the existing user data and group memberships in AD to automate user provisioning and deprovisioning in Salesforce. Identity Connect can map AD groups to Salesforce public groups, roles, and permission sets, and assign them to users based on their group membership2. This way, AD groups can control the access level and visibility of users in Salesforce.
AD groups cannot control granting report folder access or custom permission assignment through Identity Connect. These are not supported features of Identity Connect. Report folder access is controlled by the folder sharing settings in Salesforce. Custom permission assignment is controlled by the custom permission settings in Salesforce. References: Get to Know Identity Connect, Map Your Data, [Folder Sharing], [Custom Permissions]
NEW QUESTION # 105
A company's external application is protected by Salesforce through OAuth. The identity architect for the project needs to limit the level of access to the data of the protected resource in a flexible way.
What should be done to improve security?
- A. Leverage external objects and data classification policies.
- B. Select "Admin approved users are pre-authorized" and assign specific profiles.
- C. Create custom scopes and assign to the connected app.
- D. Define a permission set that grants access to the app and assign to authorized users.
Answer: C
NEW QUESTION # 106
Northern Trail Outfitters (NTO) wants to improve its engagement with existing customers to boost customer loyalty. To get a better understanding of its customers, NTO establishes a single customer view including their buying behaviors, channel preferences and purchasing history. All of this information exists but is spread across different systems and formats.
NTO has decided to use Salesforce as the platform to build a 360 degree view. The company already uses Microsoft Active Directory (AD) to manage its users and company assets.
What should an Identity Architect do to provision, deprovision and authenticate users?
- A. Salesforce Identity is not needed since NTO uses Microsoft AD.
- B. Salesforce Identity can be included but NTO will be required to build a custom integration with Microsoft AD.
- C. A Salesforce Identity can be included but NTO will require Identity Connect.
- D. Salesforce Identity is included in the Salesforce licenses so it does not need to be considered separately.
Answer: C
Explanation:
Explanation
Identity Connect is a Salesforce product that integrates Microsoft Active Directory with Salesforce user records. It allows provisioning, deprovisioning, and authentication of users based on AD data. The other options are either incorrect or irrelevant for this use case. References: Get to Know Identity Connect, Identity Connect
NEW QUESTION # 107
which three are features of federated Single Sign-on solutions? Choose 3 answers
- A. It improves affiliated applications adoption rates.
- B. It enables quick and easy provisioning and deactivating of users.
- C. It solves all identity and access management problems.
- D. It establishes trust between Identity store and service provider.
- E. It federates credentials control to authorized applications.
Answer: A,D,E
Explanation:
Explanation
It federates credentials control to authorized applications. This means that users can access multiple applications across different domains or organizations using one set of credentials, without having to share their passwords with each application1. The applications rely on a trusted identity provider (IdP) to authenticate the users and grant them access.
It establishes trust between Identity store and service provider. This means that the IdP and the service provider (SP) have a mutual agreement to exchange identity information using standard protocols, such as SAML, OpenID Connect, or OAuth2. The IdP and the SP also share metadata and certificates to ensure secure communication and verification.
It improves affiliated applications adoption rates. This means that users are more likely to use applications that are connected to their existing identity provider, as they do not have to create or remember multiple passwords3. This also reduces the friction and frustration of logging in to different applications, and enhances the user experience.
The other options are not features of federated single sign-on solutions because:
It solves all identity and access management problems. This is false, as federated single sign-on solutions only address the authentication aspect of identity and access management, not the authorization, provisioning, governance, or auditing aspects. Federated single sign-on solutions also have some challenges, such as complexity, interoperability, and security risks.
It enables quick and easy provisioning and deactivating of users. This is not necessarily true, as federated single sign-on solutions do not automatically create or delete user accounts in the service provider applications. Users still need to be provisioned and deprovisioned manually or through other mechanisms, such as just-in-time provisioning or SCIM.
References: Federated Identity Management vs. Single Sign-On: What's the Difference?, What is single sign-on?, Single Sign-On (SSO) Solution, [Identity Management vs. Access Management: What's the Difference?], [Federated Identity Management Challenges], [Just-in-Time Provisioning for SAML], [SCIM User Provisioning]
NEW QUESTION # 108
Universal Containers (UC) has an Experience Cloud site (Customer Community) where customers can authenticate andplace orders, view the status of orders, etc. UC allows guest checkout.
Mow can a guest register using data previously collected during order placement?
- A. Enable Security Assertion Markup Language Sign-On and use a login flow to collect only order detailsto retrieve customer data.
- B. Enable self-registration and customize a self-registration page to collect only order details to retrieve customer data.
- C. Use a Connected App Handler Apex Plugin class to collect only order details to retrievecustomer data.
- D. Enable Facebook as an authentication provider and use a registration handler to collect only order details to retrieve customer data.
Answer: B
Explanation:
Self-registration allows guests to create their own user accounts and access the community. The self- registration page can be customized to collect order details and use them to retrieve customer data from the org. References: Customize Self-Registration
NEW QUESTION # 109
An identity architect's client has a homegrown identity provider (IdP). Salesforce is used as the service provider (SP). The head of IT is worried that during a SP initiated single sign-on (SSO), the Security Assertion Markup Language (SAML) request content will be altered.
What should the identity architect recommend to make sure that there is additional trust between the SP and the IdP?
- A. Ensure that there is an HTTPS connection between IDP and SP.
- B. Ensure that the Issuer and Assertion Consumer service (ACS) URL is property configured between SP and IDP.
- C. Encrypt the SAML Request using certification authority (CA) signed certificate and decrypt on IdP.
- D. Ensure that on the SSO settings page, the "Request Signing Certificate" field has a self-signed certificate.
Answer: C
NEW QUESTION # 110
Universal Containers is budding a web application that will connect with the Salesforce API using JWT OAuth Flow.
Which two settings need to be configured in the connect app to support this requirement?
Choose 2 answers
- A. The Use Digital Signature option in the connected app.
- B. The "api" OAuth scope in the connected app.
- C. The "web" OAuth scope in theconnected app,
- D. The "edair_api" OAuth scope m the connected app.
Answer: A,B
Explanation:
JWT OAuth Flow is a protocol that allows a client app to obtain an access token from Salesforce by using a JSON Web Token (JWT)instead of an authorization code. The JWT contains information about the client app and the user who wants to access Salesforce. To use this flow, the client app needs to have a connected app configured in Salesforce. The connected app is a framework thatenables an external application to integrate with Salesforce using APIs and standard protocols. To support JWT OAuth Flow, two settings need to be configured in the connected app:
* The Use Digital Signature option, which enables the connected app to verifythe signature of the JWT using a certificate.
* The "api" OAuth scope, which allows the connected app to access Salesforce APIs on behalf of the user. References: JWT OAuth Flow, Connected Apps, OAuth Scopes
NEW QUESTION # 111
Universal containers(UC) has implemented SAML-BASED single Sign-on for their salesforce application and is planning to provide access to salesforce on mobile devices using the salesforce1 mobile app. UC wants to ensure that single Sign-on is used for accessing the salesforce1 mobile app. Which two recommendations should the architect make? Choose 2 answers
- A. Configure the salesforce1 app to use the my domain URL
- B. Use the existing SAML SSO flow along with user agent flow.
- C. Configure the embedded Web browser to use my domain URL.
- D. Use the existing SAML SSO flow along withWeb server flow
Answer: A,C
Explanation:
To use SAML SSO for accessing the Salesforce1 mobile app, the architect should recommend configuring the embedded web browser to use the My Domain URL and configuring the Salesforce1 app to use the My Domain URL4. Using the My Domain URL allows Salesforce to identify the identityprovider and initiate the SSO process5. Using the existing SAML SSO flow along with user agent flow or web server flow is not necessary because SalesforceMobile Applications only work with service provider initiated setups46.
Therefore, option B and D are the correct answers.
References: Salesforce Mobile Application Single Sign-On overview, SAML SSO with Salesforce as the Service Provider, Single Sign-On
NEW QUESTION # 112
Universal Containers (UC) wants to use Salesforce for sales orders and a legacy of system for order fulfillment. The legacy system must update the status of orders in 65* Salesforce in real time as they are fulfilled. UC decides to use OAuth for connecting the legacy system to Salesforce. What OAuth flow should be considered that doesn't require storing credentials, client secret or refresh tokens?
- A. Web Server flow
- B. Username-Password flow
- C. JWT Bearer Token flow
- D. User Agent flow
Answer: C
NEW QUESTION # 113
Universal Containers (UC) uses middleware to integrate multiple systems with Salesforce. UC has a strict, new requirement that usernames and passwords cannot be stored in any UC system. How can UC's middleware authenticate to Salesforce while adhering to this requirement?
- A. Create a Connected App that supports the Web Server OAuth Flow.
- B. Create a Connected App that supports the JWT Bearer Token OAuth Flow.
- C. Create a Connected App that supportsthe Refresh Token OAuth Flow
- D. Create a Connected App that supports the User-Agent OAuth Flow.
Answer: B
Explanation:
A is correct because creating a connected app that supports the JWT Bearer Token OAuth Flow allows the middleware to authenticate to Salesforce without storing usernames and passwords.The JWT Bearer Token OAuth Flow uses a certificate and a private key to sign a JSON Web Token (JWT) that contains information about the user identity andrequested access. The middleware sends the JWTto Salesforce, which verifies it using the certificate and grants an access token2.
B is incorrect because creatinga connected app that supports the Refresh Token OAuth Flow requires storing usernames and passwords in the middleware. The Refresh Token OAuth Flow uses a username-password authentication flow to obtain an access token and a refresh token. The middleware can use the refresh token to obtain new access tokens without user interaction, but it still needs to store the username and password for the initial authentication3.
C is incorrect because creating a connected app that supports the Web Server OAuth Flow requires user interaction to authenticate to Salesforce. The Web Server OAuth Flow redirects the user to a Salesforce login page, where they enter their credentials and grant access to the middleware. The middleware then receives an authorization code that it can exchange for an access token and a refresh token4.
D is incorrect because creating a connected app that supports the User-Agent OAuth Flow also requires user interaction to authenticate to Salesforce. The User-Agent OAuth Flow is similar to the Web Server OAuth Flow, except that it does not return a refresh token. The middleware can only use the access token until it expires5.
References: 2: Accessing Salesforce with JWT OAuth Flow 3: OAuth Authorization Flows - Salesforce 4: OAuth Authorization Flows - Salesforce 5: OAuth Authorization Flows - Salesforce
NEW QUESTION # 114
Universal containers (UC) is successfully using Delegated Authentication for their salesforce users. The service supporting Delegated Authentication is written in Java. UC has a new CIO that is requiring all company Web services be RESR-ful and written in. NET. Which two considerations should the UC Architect provide to the new CIO? Choose 2 answers
- A. Delegated Authentication will continue to work with a.net service.
- B. Delegated Authentication will not work with rest services.
- C. Delegated Authentication will continue to work with rest services.
- D. Delegated Authentication will not work with a.net service.
Answer: A,B
Explanation:
Explanation
Delegated Authentication will continue to work with a .NET service as long as it is wrapped in a web service that Salesforce can consume1. Delegated Authentication will not work with REST services because it requires a SOAP-based web service23. Therefore, option C and D are the correct answers.
References: Salesforce Documentation, DEV Community, Salesforce Developer Community
NEW QUESTION # 115
Universal Containers (UC) is using a custom application that will act as the Identity Provider and will generate SAML assertions used to log in to Salesforce. UC is considering including custom parameters in the SAML assertion. These attributes contain sensitive data and are needed to authenticate the users. The assertions are submitted to salesforce via a browser form post. The majority of the users will only be able to access Salesforce via UC's corporate network, but a subset of admins and executives would be allowed access from outside the corporate network on their mobile devices. Which two methods should an Architect consider to ensure that the sensitive data cannot be tampered with, nor accessible to anyone while in transit?
- A. Use the Identity provider's certificate to digitally Sign and the Identity provider's certificate to encrypt the payload.
- B. Use the Identity Provider's certificate to digitally sign and Salesforce's Certificate to encrypt the payload.
- C. Use Salesforce's Certificate to digitally sign the SAML Assertion and a Mobile Device Management client on the users' mobile devices.
- D. Use a custom login flow to retrieve sensitive data using an Apex callout without including the attributes in the assertion.
Answer: A,B
NEW QUESTION # 116
......
Salesforce Identity-and-Access-Management-Architect Exam is a valuable certification for professionals who want to advance their careers in the Salesforce ecosystem. Salesforce Certified Identity and Access Management Architect certification is recognized by Salesforce and is an essential requirement for professionals seeking senior-level positions in identity and access management. Identity-and-Access-Management-Architect exam is designed to test the knowledge and skills of professionals in designing and implementing complex identity and access management solutions. By obtaining this certification, professionals can demonstrate their expertise and credibility in the field of identity and access management in Salesforce.
Salesforce Certified Identity and Access Management Architect exam is a challenging certification that requires a comprehensive understanding of the Salesforce platform and its security features. Identity-and-Access-Management-Architect exam is designed to test not only the candidate’s technical knowledge but also their ability to design and implement effective solutions that meet their clients’ needs. Those who pass the exam will earn the title of Salesforce Certified Identity and Access Management Architect, which is recognized throughout the industry as a mark of expertise and professionalism.
Salesforce Identity-and-Access-Management-Architect certification exam is a valuable credential for professionals who are responsible for designing and implementing identity and access management solutions using Salesforce technologies. By earning this certification, individuals can demonstrate their expertise in this important area, as well as their commitment to maintaining the security and privacy of sensitive information within their organization.
Identity-and-Access-Management-Architect PDF Dumps Are Helpful To produce Your Dreams Correct QA's: https://www.test4engine.com/Identity-and-Access-Management-Architect_exam-latest-braindumps.html
Identity-and-Access-Management-Architect Practice Test Dumps with 100% Passing Guarantee: https://drive.google.com/open?id=1HQ_O7wZdPXrrXx2ldWXrnADnW4OYj8zo