Dec-2023 Salesforce Identity-and-Access-Management-Architect Certification Real 2023 Mock Exam [Q76-Q99]


Salesforce Identity-and-Access-Management-Architect Certification Exam covers a wide range of topics, including identity management, access management, authentication and authorization, single sign-on (SSO), multi-factor authentication (MFA), and more. Identity-and-Access-Management-Architect exam is designed to test candidates' understanding of these concepts and their ability to apply them in real-world scenarios. It consists of multiple-choice questions, scenario-based questions, and hands-on exercises that require candidates to design and implement identity and access management solutions using the Salesforce platform.


Salesforce Identity-and-Access-Management-Architect (IAM) certification exam is designed to test an individual's knowledge and skills in building and implementing secure and scalable identity and access management solutions on the Salesforce platform. Salesforce Certified Identity and Access Management Architect certification is intended for experienced architects and technical professionals who are responsible for designing and implementing identity and access management solutions for their organizations. Identity-and-Access-Management-Architect exam covers a wide range of topics, including authentication, authorization, identity management, single sign-on (SSO), multi-factor authentication (MFA), and more.


Salesforce Identity-and-Access-Management-Architect certification exam covers a wide range of topics related to identity and access management. Some of the key areas that are tested include identity and access management architecture, identity governance, authentication and authorization, single sign-on (SSO), and federation. Identity-and-Access-Management-Architect exam also covers topics such as user provisioning, password management, and identity lifecycle management.


NEW QUESTION # 76
A public sector agency is setting up an identity solution for its citizens using a Community built on Experience Cloud and requires the new user registration functionality to capture first name, last name, and phone number.
The phone number will be used for identity verification.
Which feature should an identity architect recommend to meet the requirements?

  • A. Use an external Identity Provider
  • B. Create a custom Lightning Web Component
  • C. Integrate with social websites (Facebook, LinkedIn, Twitter)
  • D. Use Login Discovery

Answer: D

Explanation:
Login Discovery allows the administrator to configure a custom login page that collects additional information from users, such as phone number, and use it for identity verification. Login Discovery can also be used to route users to different identity providers based on their input. References: Login Discovery, Customize Your Experience Cloud Site Login Process


NEW QUESTION # 77
Universal Containers (UC) wants to integrate a web application with Salesforce. The UC team has implemented the OAuth web server authentication flow for the authentication process. Which two considerations should an architect point out to UC? Choose 2 answers

  • A. The web application should be hosted on a secure server.
  • B. The flow will not provide an OAuth refresh token back to the server.
  • C. The web server must be able to protect consumer privacy.
  • D. The flow involves passing the user credentials back and forth.

Answer: A,C

Explanation:
The web application should be hosted on a secure server, and the web server must be able to protect consumer privacy; these are the two considerations an architect should point out to UC. To integrate an external web app with the Salesforce API, UC can use the OAuth 2.0 web server flow, which implements the OAuth 2.0 authorization code grant type. With this flow, the server hosting the web app must be able to protect the connected app's identity, defined by the client ID and client secret. The web application should be hosted on a secure server so that communication between the web app and Salesforce is encrypted and protected from unauthorized access or tampering. The web server must be able to protect consumer privacy to comply with data protection laws and regulations such as GDPR or CCPA, and it should implement best practices for storing and handling user data, such as encryption, hashing, salting, and anonymization. "The flow involves passing the user credentials back and forth" is not a correct consideration, because the web server flow does not pass user credentials between the web app and Salesforce; instead, it uses an authorization code that is exchanged for an access token and a refresh token. "The flow will not provide an OAuth refresh token back to the server" is also not a correct consideration, because the web server flow does provide a refresh token that can be used to obtain new access tokens without user interaction. References: OAuth 2.0 Web Server Flow for Web App Integration, Secure Your Web Application, General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Data Protection Best Practices


NEW QUESTION # 78
Universal Containers (UC) has a classified information system that its call center team uses only when they are working on a case with a record type of "classified". They are only allowed to access the system when they own an open "classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO with Salesforce as the IdP, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying access to the classified information system based on the open "classified" case record criteria?

  • A. Use custom SAML JIT provisioning to dynamically query the user's open "classified" cases when attempting to access the classified information system.
  • B. Use Salesforce reports to identify users that currently own open "classified" cases and should be granted access to the classified information system.
  • C. Use an Apex trigger on Case to dynamically assign permission sets that grant access when a user is assigned an open "classified" case, and remove it when the case is closed.
  • D. Use a custom connected app handler using Apex to dynamically allow access to the system based on whether the staff owns any open "classified" cases.

Answer: D

Explanation:
Use a custom connected app handler using Apex to dynamically allow access to the system based on whether the staff owns any open "classified" cases is the recommended solution for this scenario. A custom connected app handler is an Apex class that implements the ConnectedAppPlugin interface and can customize the behavior of a connected app. The custom handler can support new protocols or respond to user attributes in a way that benefits a business process. In this case, the custom handler can query the user's open "classified" cases and grant or deny access to the classified information system accordingly. Use Apex trigger on case to dynamically assign permission sets that grant access when a user is assigned with an open "classified" case, and remove it when the case is closed is not a good solution, as permission sets are not related to SSO and cannot control access to external systems. Use custom SAML JIT provisioning to dynamically query the user's open "classified" cases when attempting to access the classified information system is not feasible, as JIT provisioning is used to create or update user records in Salesforce, not in external systems. Use Salesforce reports to identify users that currently own open "classified" cases and should be granted access to the classified information system is not an automated solution, as it requires manual intervention and does not leverage SSO.
References: Certification - Identity and Access Management Architect - Trailhead, Create a Custom Connected App Handler, Manage Access Through a Custom Connected App Handler


NEW QUESTION # 79
A technology enterprise is planning to implement single sign-on login for users. When users log in, a custom field on the Salesforce User object should be populated with data for new and existing users.
Which two steps should an identity architect recommend?
Choose 2 answers

  • A. Implement RegistrationHandler Interface.
  • B. Implement SessionManagement Class.
  • C. Create and update methods.
  • D. Implement Auth.SamlJitHandler Interface.

Answer: C,D


NEW QUESTION # 80
What are three capabilities of Delegated Authentication? Choose 3 answers

  • A. It can be assigned by Permission Sets.
  • B. It can connect to SOAP services.
  • C. It can be assigned by Profiles.
  • D. It can connect to REST services.
  • E. It can be assigned by Custom Permissions.

Answer: A,B,D


NEW QUESTION # 81
Universal Containers (UC) has decided to use Salesforce as an Identity Provider for multiple external applications. UC wants to use the Salesforce App Launcher to control the apps that are available to individual users. Which three steps are required to make this happen?

  • A. Set up Identity Connect to synchronize user data.
  • B. Set up Salesforce as a SAML IdP with My Domain.
  • C. Add each Connected App to the App Launcher with a Start URL.
  • D. Set up an Auth Provider for each External Application.
  • E. Create a Connected App for each external application.

Answer: B,C,E


NEW QUESTION # 82
After a recent audit, Universal Containers was advised to implement two-factor authentication for all of their critical systems, including Salesforce. Which two actions should UC consider to meet this requirement?
Choose 2 answers

  • A. Require users to supply their email and phone number, which gets validated.
  • B. Require users to provide their RSA token along with their credentials.
  • C. Require users to enter a second password after the first authentication.
  • D. Require users to use a biometric reader as well as their password.

Answer: B,D


NEW QUESTION # 83
Universal Containers (UC) uses a home-grown employee portal for their employees to collaborate. UC decides to use Salesforce Ideas to allow the employees to post ideas from the employee portal. When clicking some links in the employee portal, the users should be redirected to Salesforce, authenticated, and presented with relevant pages. What scope should be requested when using the OAuth token to meet this requirement?

  • A. API
  • B. Web
  • C. Visualforce
  • D. Full

Answer: B


NEW QUESTION # 84
Northern Trail Outfitters (NTO) is planning to roll out a partner portal for its distributors using Experience Cloud. NTO would like to use an external identity provider (IdP) and for partners to register for access to the portal. Each partner should be allowed to register only once to avoid duplicate accounts with Salesforce.
What should an identity architect recommend to create partners?

  • A. On successful creation of Partners using Self Registration page in Experience Cloud, create identity in Ping.
  • B. Create a custom page in Experience Cloud to self-register partners with Experience Cloud and the Ping identity store.
  • C. Create a custom web page in the Portal and create users in the IdP and Experience Cloud using published APIs.
  • D. Allow partners to register through the IdP and create partner users in Salesforce through an API.

Answer: B

Explanation:
To create partners using an external identity provider (IdP) and avoid duplicate accounts with Salesforce, the identity architect should recommend creating a custom page in Experience Cloud to self-register partners with Experience Cloud and the Ping identity store. Ping is an IdP that supports the OpenID Connect protocol, which allows users to sign in with an external identity provider and access Salesforce resources. By creating a custom page in Experience Cloud, the identity architect can use a custom registration handler to link the partner's Ping identity with their Salesforce identity and prevent duplicate accounts. The custom page can also provide a seamless user experience for the partners. References: OpenID Connect Authentication Providers, Social Sign-On with OpenID Connect, Create a Custom Registration Handler


NEW QUESTION # 85
Universal Containers (UC) uses Salesforce to allow customers to keep track of their order status. The customers can log in to Salesforce using external authentication providers, such as Facebook and Google. UC is also leveraging the App Launcher to let customers access an off-platform application for generating shipping labels.
The label generator application uses OAuth to provide users access. What license type should an architect recommend for the customers?

  • A. Identity license
  • B. Customer Community license
  • C. Customer Community Plus license
  • D. External Identity license

Answer: D

Explanation:
External Identity license is correct because it is designed for customers who need to log in to Salesforce using external authentication providers, such as Facebook and Google. The External Identity license also supports the App Launcher, which allows customers to access other applications from Salesforce using OAuth or OpenID Connect.
Customer Community license is incorrect because it is designed for customers who need to access data and records in Salesforce, such as cases, accounts, and contacts. The Customer Community license does not support the App Launcher or external authentication providers.
Identity license is incorrect because it is designed for employees who need to access multiple applications from Salesforce using SSO and the App Launcher. The Identity license does not support external authentication providers or customer data access.
Customer Community Plus license is incorrect because it is designed for customers who need to access data and records in Salesforce, as well as collaborate with other customers and partners. The Customer Community Plus license does not support the App Launcher or external authentication providers.
References: Salesforce Licensing Module - Trailhead


NEW QUESTION # 86
Universal Containers (UC) is concerned that having a self-registration page will provide a means for "bots" or unintended audiences to create user records, thereby consuming licences and adding dirty data. Which two actions should UC take to prevent unauthorised form submissions during the self-registration process? Choose 2 answers

  • A. Use open-ended security questions and complex password requirements.
  • B. Use hidden fields populated via JavaScript events in the self-registration page.
  • C. Require a captcha at the end of the self-registration process.
  • D. Primarily use lookup and picklist fields on the self-registration page.

Answer: B,C

Explanation:
To prevent unauthorized form submissions during the self-registration process, UC should require a captcha at the end of the self-registration process and use hidden fields populated via JavaScript events in the self-registration page. These methods help verify that the user is a human and not a bot, and also validate the user's input against predefined values. Open-ended security questions and complex password requirements are not a good choice because they may frustrate the user and reduce the conversion rate.
Lookup and picklist fields are not a good choice because they may not prevent bots from submitting the form, as they can be easily automated or bypassed.
References: Single Sign-On Implementation Guide, Customizing User Authentication with Login Flows


NEW QUESTION # 87
An identity architect has built a native mobile application and plans to integrate it with a Salesforce Identity solution. The following are the requirements for the solution:
1. Users should not have to log in every time they use the app.
2. The app should be able to make calls to the Salesforce REST API.
3. End users should NOT see the OAuth approval page.
How should the identity architect configure the Salesforce connected app to meet the requirements?

  • A. Enable the API Scope and Offline Access Scope on the connected app, and then set the Connected App access settings to "User may self authorize".
  • B. Enable the API Scope and Offline Access Scope on the connected app, and then set the connected app access settings to "Admin Pre-Approved".
  • C. Enable the API Scope and Offline Access Scope, upload a certificate so the JWT Bearer Flow can be used, and then set the connected app access settings to "Admin Pre-Approved".
  • D. Enable the Full Access Scope and then set the connected app access settings to "Admin Pre-Approved".

Answer: C

Explanation:
JWT Bearer Flow is an OAuth 2.0 flow that allows a client app to obtain an access token without user interaction. It requires a certificate to sign the JWT and the API and Offline Access scopes to access the Salesforce REST API and refresh the token. The connected app must also be pre-approved by the admin to avoid the OAuth approval page. References: OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration, Authorize an Org Using the JWT Flow


NEW QUESTION # 88
Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first disabled in the Lightweight Directory Access Protocol (LDAP) directory, then requests are sent to the various application support teams to finish user deactivations. A terminated employee recently was able to log in to NTO's Salesforce instance 24 hours after termination, even though the user was disabled in the corporate LDAP directory.
What should an identity architect recommend to prevent this from happening in the future?

  • A. Use a login flow to make a callout to the LDAP directory before authenticating the user to Salesforce.
  • B. Configure an authentication provider to delegate authentication to the LDAP directory.
  • C. Create a Just-in-Time provisioning registration handler to ensure users are deactivated in Salesforce as they are disabled in LDAP.
  • D. Set up an identity provider (IdP) to authenticate users using LDAP, set up single sign-on to Salesforce, and disable Login Form authentication.

Answer: B

Explanation:
Login History allows administrators to view the login attempts of all users in the org, including the status, source IP, login type, and application. This can help identify and troubleshoot any login errors or issues.
References: Login History


NEW QUESTION # 89
A farming enterprise offers smart farming technology to its farmer customers, which includes a variety of sensors for livestock tracking, pest monitoring, climate monitoring, etc. They plan to store all the data in Salesforce. They would also like to ensure timely maintenance of the installed sensors. They have engaged a Salesforce architect to propose an appropriate way to generate sensor information in Salesforce.
Which OAuth flow should the architect recommend?

  • A. OAuth 2.0 Device Authentication Flow
  • B. OAuth 2.0 SAML Bearer Assertion Flow
  • C. OAuth 2.0 JWT Bearer Token Flow
  • D. OAuth 2.0 Asset Token Flow

Answer: D

Explanation:
To generate sensor information in Salesforce, the architect should recommend OAuth 2.0 Asset Token Flow.
OAuth 2.0 Asset Token Flow is a protocol that allows devices, such as sensors, to obtain an access token from Salesforce by using a certificate instead of an authorization code. The access token can be used to access Salesforce APIs and send data to Salesforce. OAuth 2.0 Asset Token Flow is designed for devices that do not have a user interface or a web browser. References: OAuth 2.0 Asset Token Flow, Authorize Apps with OAuth


NEW QUESTION # 90
Northern Trail Outfitters (NTO) is planning to implement a community for its customers using Salesforce Experience Cloud. Customers are not able to self-register. NTO would like to have customers set their own passwords when provided access to the community.
Which two recommendations should an identity architect make to fulfill this requirement?
Choose 2 answers

  • A. Add customers as contacts and add them to Experience Cloud site.
  • B. Enable Welcome emails while configuring the Experience Cloud site.
  • C. Allow Password reset using the API to update Experience Cloud site membership.
  • D. Use Login Flows to allow users to reset password in Experience Cloud site.

Answer: C,D


NEW QUESTION # 91
Universal Containers (UC) has an e-commerce website where customers can buy products, make payments, and manage their accounts. UC decides to build a Customer Community on Salesforce and wants to allow the customers to access the community from their accounts without logging in again. UC decides to implement SP-initiated SSO using a SAML-compliant IdP. In this scenario, where Salesforce is the Service Provider, which two activities must be performed in Salesforce to make SP-initiated SSO work? Choose 2 answers

  • A. Set up My Domain.
  • B. Configure SAML SSO settings.
  • C. Configure Delegated Authentication.
  • D. Create a Connected App.

Answer: A,B

Explanation:
To enable SP-initiated SSO with Salesforce as the Service Provider, two steps are required in Salesforce:
Configuring SAML SSO settings is required because it involves specifying the identity provider details, such as the entity ID, login URL, logout URL, and certificate.
Setting up My Domain is required because it enables a custom domain name for the Salesforce org and allows SAML to be used as an authentication method.
Creating a connected app is not necessary for SP-initiated SSO using a SAML-compliant IdP; a connected app is used for OAuth-based or OpenID Connect-based authentication.
Configuring delegated authentication is not related to SP-initiated SSO using a SAML-compliant IdP; delegated authentication is a feature that allows Salesforce to delegate user authentication to an external service, such as LDAP or Active Directory.
References: SAML-based single sign-on: Configuration and Limitations, Configure SAML single sign-on with an identity provider, My Domain, Create a Connected App, Configure Salesforce for Delegated Authentication


NEW QUESTION # 92
Northern Trail Outfitters (NTO) wants to give customers the ability to submit and manage issues with their purchases. It is important for NTO to give its customers the ability to login with their Amazon credentials.
What should an identity architect recommend to meet these requirements?

  • A. Configure Amazon as a connected app.
  • B. Configure a predefined authentication provider for Amazon.
  • C. Configure an OpenID Connect Authentication Provider for Amazon.
  • D. Create a custom external authentication provider for Amazon.

Answer: C


NEW QUESTION # 93
In an SP-initiated SAML SSO setup where the user tries to access a resource on the Service Provider, which HTTP parameter should be used when submitting a SAML request to the IdP to ensure the user is returned to the intended resource after authentication?

  • A. StartURL
  • B. RedirectURL
  • C. RelayState
  • D. DisplayState

Answer: C

Explanation:
The HTTP parameter that should be used when submitting a SAML request to the IdP to ensure the user is returned to the intended resource after authentication is RelayState. RelayState is an optional parameter that can be used to preserve some state information across the SSO process. For example, RelayState can be used to specify the URL of the resource that the user originally requested on the SP before being redirected to the IdP for authentication. After the IdP validates the user's identity and sends back a SAML response, it also sends back the RelayState parameter with the same value as it received from the SP. The SP then uses the RelayState value to redirect the user to the intended resource after validating the SAML response. The other options are not valid HTTP parameters for this purpose. RedirectURL, DisplayState, and StartURL are not standard SAML parameters and they are not supported by Salesforce as SP or IdP. References: [SAML SSO Flows], [RelayState Parameter]


NEW QUESTION # 94
Universal Containers (UC) has decided to build a new, highly sensitive application on the Force.com platform. The security team at UC has decided that they want users to provide a fingerprint in addition to username/password to authenticate to this application. How can an architect support fingerprint as a form of identification for Salesforce authentication?

  • A. Use an AppExchange product that does fingerprint scanning with native Salesforce identity confirmation.
  • B. Use custom login flows with callouts to a third-party fingerprint scanning application.
  • C. Use Delegated Authentication with callouts to a third-party fingerprint scanning application.
  • D. Use Salesforce Two-Factor Authentication with callouts to a third-party fingerprint scanning application.

Answer: B

Explanation:
Using custom login flows with callouts to a third-party fingerprint scanning application is correct because it allows UC to support fingerprints as a form of identification for Salesforce authentication. Custom login flows let UC implement custom logic and UI elements for authentication, such as calling an external web service that performs fingerprint scanning and verification. Using Salesforce two-factor authentication with callouts to a third-party fingerprint scanning application is incorrect because Salesforce two-factor authentication requires users to enter a verification code or use an app like Salesforce Authenticator, not a fingerprint. Using delegated authentication with callouts to a third-party fingerprint scanning application is incorrect because delegated authentication requires users to enter their username and password, not a fingerprint. Using an AppExchange product that does fingerprint scanning with native Salesforce identity confirmation is incorrect because AppExchange products are third-party applications that integrate with Salesforce, not native Salesforce features. Verified References: Custom Login Flows, Two-Factor Authentication, Delegated Authentication, AppExchange


NEW QUESTION # 95
Universal Containers (UC) has Active Directory (AD) as their enterprise identity store and would like to use it for Salesforce user authentication. UC expects to synchronize user data between Salesforce and AD and assign the appropriate Profile and Permission Sets based on AD group membership. What would be the optimal way to implement SSO?

  • A. Use Active Directory Federation Service (ADFS) as the Identity Provider.
  • B. Use Salesforce Identity Connect as the Identity Provider.
  • C. Use Microsoft Access Control Service as the Authentication Provider.
  • D. Use Active Directory with Reverse Proxy as the Identity Provider.

Answer: B

Explanation:
The optimal way to implement SSO with Active Directory as the enterprise identity store is to use Salesforce Identity Connect as the identity provider. Salesforce Identity Connect is software that integrates Microsoft Active Directory with Salesforce and enables single sign-on (SSO) using SAML. It also allows user data synchronization between Active Directory and Salesforce, and profile and permission set assignment based on Active Directory group membership. Using Active Directory with a reverse proxy as the identity provider is not a good choice because it may not be supported by Salesforce or may require additional configuration and customization. Using Microsoft Access Control Service as the authentication provider is not a good choice because the service may not be available, as Microsoft retired it in 2018.
Using Active Directory Federation Services (ADFS) as the identity provider is not a good choice because it may not allow user data synchronization or profile and permission set assignment based on Active Directory group membership, unless it is combined with another tool such as Salesforce Identity Connect.
References: Salesforce Identity Connect Implementation Guide, Single Sign-On Implementation Guide


NEW QUESTION # 96
A division of Northern Trail Outfitters (NTO) purchased Salesforce. NTO uses a third-party identity provider (IdP) to validate user credentials against its corporate Lightweight Directory Access Protocol (LDAP) directory. NTO wants to help employees remember as few passwords as possible.
What should an identity architect recommend?

  • A. Set up Salesforce as an Authentication Provider to the existing IdP.
  • B. Set up Salesforce as an IdP to authenticate against the LDAP directory.
  • C. Set up Salesforce as a Service Provider to the existing IdP.
  • D. Use Salesforce Connect to synchronize LDAP passwords to Salesforce.

Answer: C


NEW QUESTION # 97
Universal Containers (UC) wants to implement SAML SSO for their internal Salesforce users using a third-party IdP. After some evaluation, UC decides NOT to set up My Domain for their Salesforce org.
How does that decision impact their SSO implementation?

  • A. SP-initiated SSO will NOT work.
  • B. IdP-initiated SSO will NOT work.
  • C. Either SP- or IdP-initiated SSO will work.
  • D. Neither SP- nor IdP-initiated SSO will work.

Answer: D


NEW QUESTION # 98
Universal Containers (UC) wants to implement SAML SSO for their internal Salesforce users using a third-party IdP. After some evaluation, UC decides NOT to set up My Domain for their Salesforce org.
How does that decision impact their SSO implementation?

  • A. Neither SP- nor IdP-initiated SSO will work.
  • B. IdP-initiated SSO will NOT work.
  • C. Either SP- or IdP-initiated SSO will work.
  • D. SP-initiated SSO will NOT work.

Answer: D

Explanation:
This is because without My Domain, Salesforce will not know in advance which Identity Provider (IdP) to use for SSO, since it does not yet know which organization the user is trying to log in to. SP-initiated SSO is the scenario where the user starts with a Salesforce link (login page, deep link, Outlook Sync URL, etc.) and then gets redirected to the IdP for authentication. Without My Domain, SP-initiated SSO requires that the user perform an IdP-initiated SSO at least once first so that Salesforce can set a cookie in their browser identifying the IdP. The other options are not correct for this question because:
IdP-initiated SSO will work without My Domain, as long as the user starts SSO at the IdP and the IdP sends the identity information to Salesforce along with SAML protocol information that identifies the organization and the IdP.
"Neither SP- nor IdP-initiated SSO will work" is false, as explained above.
"Either SP- or IdP-initiated SSO will work" is false, as explained above.
References: Considerations for setting up My Domain and SSO - Salesforce, SAML SSO with Salesforce as the Service Provider


NEW QUESTION # 99
......
