Salesforce Certified Platform Identity and Access Management Architect Sample Questions:
1. Which two things should be done to ensure end users can only use single sign-on (SSO) to log in to Salesforce?
Choose 2 answers
A) Enable My Domain and select "Prevent login from https://login.salesforce.com".
B) Once SSO is enabled, users are only able to log in using Salesforce credentials.
C) Request Salesforce Support to enable delegated authentication.
D) Assign the user the "Is Single Sign-On Enabled" permission via profile or permission set.
2. Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, who use SAML-based single sign-on to log in to Salesforce. The default agent profile does not include the Manage Users permission. UC wants to dynamically update the agent role and permission sets.
Which two mechanisms are used to provision agents with the appropriate permissions?
Choose 2 answers
A) Use Login Flow in User Context to update role and permission sets.
B) Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets.
C) Use Login Flow in System Context to update role and permission sets.
D) Use SAML Just-in-Time (JIT) handler class run as the current user to update role and permission sets.
3. Northern Trail Outfitters (NTO) leverages Microsoft Active Directory (AD) for management of employee usernames, passwords, permissions, and asset access. NTO also owns a third-party single sign-on (SSO) solution. The third-party SSO solution is used for all corporate applications, including Salesforce.
NTO has asked an architect to explore Salesforce Identity Connect for automatic provisioning and deprovisioning of users in Salesforce.
What role does Identity Connect play in the outlined requirements?
A) Single Sign-On
B) Service Provider
C) User Management
D) Identity Provider
4. Universal Containers (UC) is using a custom application that will act as the Identity Provider and will generate SAML assertions used to log in to Salesforce. UC is considering including custom parameters in the SAML assertion. These attributes contain sensitive data and are needed to authenticate the users. The assertions are submitted to Salesforce via a browser form POST. The majority of the users will only be able to access Salesforce via UC's corporate network, but a subset of admins and executives would be allowed access from outside the corporate network on their mobile devices. Which two methods should an Architect consider to ensure that the sensitive data cannot be tampered with, nor accessible to anyone while in transit?
A) Use the Identity Provider's certificate to digitally sign and the Identity Provider's certificate to encrypt the payload.
B) Use Salesforce's Certificate to digitally sign the SAML Assertion and a Mobile Device Management client on the users' mobile devices.
C) Use a custom login flow to retrieve sensitive data using an Apex callout without including the attributes in the assertion.
D) Use the Identity Provider's certificate to digitally sign and Salesforce's Certificate to encrypt the payload.
5. What information does the 'RelayState' parameter contain in SP-initiated Single Sign-On?
A) Reference to the login address URL of the service provider.
B) Reference to a URL redirect parameter at the identity provider.
C) Reference to a URL redirect parameter at the service provider.
D) Reference to the login address URL of the identity provider.
Solutions:
Question 1 Answer: A, D
Question 2 Answer: B, C
Question 3 Answer: C
Question 4 Answer: A, D
Question 5 Answer: C
By Rose