Free Identity-and-Access-Management-Architect Exam Braindumps

Pass your Salesforce Certified Identity and Access Management Architect (SU23) exam with these free Questions and Answers

Page 13 of 50
QUESTION 56

Universal Containers (UC) has built a custom Two-Factor Authentication (2FA) system for its existing on-premise applications. They are now implementing Salesforce and would like to enable a two-factor login process for it as well. What is the recommended solution an architect should consider?

  1. A. Replace the custom 2FA system with Salesforce 2FA for the on-premise applications and Salesforce.
  2. B. Use the custom 2FA system for on-premise applications and native 2FA for Salesforce.
  3. C. Replace the custom 2FA system with an AppExchange app that supports on-premise applications and Salesforce.
  4. D. Use custom login flows to connect to the existing custom 2FA system for use in Salesforce.

Correct Answer: D
Using custom login flows to connect to the existing custom 2FA system for use in Salesforce is the recommended solution because it allows you to leverage your existing 2FA infrastructure and provide a consistent user experience across your applications. Custom login flows let you customize the authentication process by adding extra screens or logic before or after the standard login [1]. You can use Apex code to call your custom 2FA system and verify the user's identity [2]. This option also gives you more flexibility and control over the 2FA process than using native 2FA or an AppExchange app [3]. References: [1] Customize User Authentication with Login Flows; [2] Custom Login Flow Examples; [3] Salesforce Multi-Factor Authentic

QUESTION 57

Universal Containers is implementing Salesforce Identity to broker authentication from its enterprise single sign-on (SSO) solution through Salesforce to third party applications using SAML.
What role does Salesforce Identity play in its relationship with the enterprise SSO system?

  1. A. Identity Provider (IdP)
  2. B. Resource Server
  3. C. Service Provider (SP)
  4. D. Client Application

Correct Answer: C
To broker authentication from its enterprise SSO solution through Salesforce to third-party applications using SAML, Salesforce Identity plays the role of a Service Provider (SP). An SP is an entity that relies on an Identity Provider (IdP) to authenticate and authorize users. In this scenario, the enterprise SSO solution is the IdP, Salesforce is the SP, and the third-party applications are the Resource Servers or Client Applications. The SP receives a SAML assertion from the IdP and uses it to obtain an access token from the Resource Server or Client Application. References: SAML Single Sign-On Settings, Authorize Apps with OAuth

QUESTION 58

Universal Containers (UC) has an Experience Cloud site (Customer Community) where customers can authenticate and place orders, view the status of orders, etc. UC allows guest checkout.
How can a guest register using data previously collected during order placement?

  1. A. Enable Security Assertion Markup Language Sign-On and use a login flow to collect only order details to retrieve customer data.
  2. B. Enable Facebook as an authentication provider and use a registration handler to collect only order details to retrieve customer data.
  3. C. Use a Connected App Handler Apex Plugin class to collect only order details to retrieve customer data.
  4. D. Enable self-registration and customize a self-registration page to collect only order details to retrieve customer data.

Correct Answer: D
Self-registration allows guests to create their own user accounts and access the community. The self-registration page can be customized to collect order details and use them to retrieve customer data from the org. References: Customize Self-Registration

QUESTION 59

Universal Containers (UC) has an existing e-commerce platform and is implementing a new customer community. They do not want to force customers to register on both applications due to concern over the customer experience. It is expected that 25% of the e-commerce customers will utilize the customer community. The e-commerce platform is capable of generating SAML responses and has an existing RESTful API capable of managing users. How should UC create the identities of its e-commerce users in the customer community?

  1. A. Use SAML JIT in the Customer Community to create users when a user tries to log in to the community from the e-commerce site.
  2. B. Use the e-commerce REST API to create users when a user self-registers on the customer community and use SAML to allow SSO.
  3. C. Use a nightly batch ETL job to sync users between the Customer Community and the e-commerce platform and use SAML to allow SSO.
  4. D. Use the standard Salesforce API to create users in the Community when a user is created in the e-commerce platform and use SAML to allow SSO.

Correct Answer: A
The best option for UC to create the identities of its e-commerce users in the customer community is to use SAML JIT in the customer community to create users when a user tries to log in to the community from the e-commerce site. SAML JIT (Just-in-Time) provisioning is a feature that allows Salesforce to create or update user accounts based on the information provided in a SAML assertion from an identity provider (IdP). This feature enables UC to avoid duplicating user registration on both applications and to provide a seamless single sign-on (SSO) experience for its customers. The other options are not optimal for this scenario. Using the e-commerce REST API to create users when a user self-registers on the customer community would require the user to register twice, once on the e-commerce site and once on the customer community, which would degrade the customer experience. Using a nightly batch ETL job to sync users between the customer community and the e-commerce platform would introduce a delay in user creation and synchronization, which could cause errors or inconsistencies. Using the standard Salesforce API to create users in the community when a user is created in the e-commerce platform would require UC to write custom code and maintain an API integration, which could increase complexity and cost. References: [Just-in-Time Provisioning for SAML], [Single Sign-On], [SAML SSO Flows]

QUESTION 60

A security architect is rolling out a new multi-factor authentication (MFA) mandate, where all employees must go through a secure authentication process before accessing Salesforce. There are multiple Identity Providers (IdP) in place and the architect is considering how the "Authentication Method Reference" field (AMR) in the Login History can help.
Which two considerations should the architect keep in mind? Choose 2 answers

  1. A. The AMR field shows the authentication methods used at the IdP.
  2. B. Both OIDC and Security Assertion Markup Language (SAML) are supported but AMR must be implemented at IdP.
  3. C. High-assurance sessions must be configured under Session Security Level Policies.
  4. D. Dependency on what is supported by OpenID Connect (OIDC) implementation at IdP.

Correct Answer: AB
The AMR field in the Login History shows the authentication methods used at the IdP level, such as password, MFA, or SSO. Both OIDC and SAML are supported protocols for SSO, but the IdP must implement the AMR attribute and pass it to Salesforce. References: Secure Your Users' Identity, Salesforce Multi-Factor Authentication (MFA) and Single Sign-On (SSO)
