Salesforce Certified Identity and Access Management Designer Online Training
The questions for Identity and Access Management Designer were last updated at Dec 09,2025.
- Exam Code: Identity and Access Management Designer
- Exam Name: Salesforce Certified Identity and Access Management Designer
- Certification Provider: Salesforce
Universal Containers (UC) uses a legacy Employee portal for their employees to collaborate. Employees access the portal from their company's internal website via SSO. It is set up to work with SiteMinder and Active Directory. The Employee portal has features to support posting ideas. UC decides to use Salesforce Ideas for voting and better tracking purposes. To avoid provisioning users on Salesforce, UC decides to integrate Employee portal ideas with Salesforce Ideas through the API.
What is the role of Salesforce in the context of SSO, based on this scenario?
- A . Service Provider, because Salesforce is the application for managing ideas.
- B . Connected App, because Salesforce is connected with Employee portal via API.
- C . Identity Provider, because the API calls are authenticated by Salesforce.
- D . An independent system, because Salesforce is not part of the SSO setup.
The security team at Universal Containers (UC) has identified exporting reports as a high-risk action and would like to require users to be logged into Salesforce with their Active Directory (AD) credentials when doing so. For all other uses of Salesforce, users should be allowed to use AD credentials or Salesforce credentials.
What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with Salesforce credentials?
- A . Use SAML Federated Authentication and block access to reports when accessed through a Standard Assurance session.
- B . Use SAML Federated Authentication and Custom SAML JIT Provisioning to dynamically add or remove a permission set that grants the Export Reports Permission.
- C . Use SAML federated Authentication, treat SAML Sessions as High Assurance, and raise the session level required for exporting reports.
- D . Use SAML federated Authentication with a Login Flow to dynamically add or remove a Permission Set that grants the Export Reports Permission.
Refer to the exhibit.
Northern Trail Outfitters (NTO) is using Experience Cloud as an identity provider for its application on Heroku. The application on Heroku should be able to handle two brands, Northern Trail Shoes and Northern Trail Shirts.
A user should select either of the two brands in Heroku before logging into the community. The app then performs authorization using OAuth 2.0 with the Salesforce Experience Cloud site.
NTO wants to make sure it renders login page images dynamically based on the user's brand preference selected in Heroku before authorization.
What should an identity architect do to fulfill the above requirements?
- A . For each brand create different communities and redirect users to the appropriate community using a custom Login controller written in Apex.
- B . Create multiple login screens using Experience Builder and use Login Flows at runtime to route to different login screens.
- C . Authorize third-party service by sending authorization requests to the community-url/services/oauth2/authorize/cookie_value.
- D . Authorize third-party service by sending authorization requests to the community-url/services/oauth2/authorize/expid_value.
Universal Containers (UC) is rolling out a new Customer Identity and Access Management solution that will be built on top of its existing Salesforce instance.
Several service providers have been set up and integrated with Salesforce using OpenID Connect to allow for a seamless single sign-on experience. UC has a requirement to limit user access to only a subset of service providers per customer type.
Which two steps should be done on the platform to satisfy the requirement? Choose 2 answers
- A . Manage which connected apps a user has access to by assigning authentication providers to the user's profile.
- B . Assign the connected app to the customer community, and enable the user's profile in the Community settings.
- C . Use Profiles and Permission Sets to assign user access to Admin Pre-Approved Connected Apps.
- D . Set each of the Connected App access settings to Admin Pre-Approved.
Northern Trail Outfitters wants to allow its consumers to self-register on its business-to-consumer (B2C) portal that is built on Experience Cloud. The identity architect has recommended using Person Accounts.
Which three steps need to be configured to enable self-registration using person accounts? Choose 3 answers
- A . Enable access to person and business account record types under Public Access Settings.
- B . Contact Salesforce Support to enable business accounts.
- C . Under Login and Registration settings, ensure that the default account field is empty.
- D . Contact Salesforce Support to enable person accounts.
- E . Set organization-wide default sharing for Contact to Public Read Only.
Universal Containers is implementing a new Experience Cloud site and the identity architect wants to use dynamic branding features as part of the login process.
Which two options should the identity architect recommend to support dynamic branding for the site? Choose 2 answers
- A . To use dynamic branding, the community must be built with the Visualforce + Salesforce Tabs template.
- B . To use dynamic branding, the community must be built with the Customer Account Portal template.
- C . An experience ID (expid) or placeholder parameter must be used in the URL to represent the brand.
- D . An external content management system (CMS) must be used for dynamic branding on Experience Cloud sites.
A group of users try to access one of Universal Containers' Connected Apps and receive the following error message: "Failed: Not approved for access."
What is the most likely cause of this issue?
- A . The Connected App settings "All users may self-authorize" is enabled.
- B . The Salesforce Administrators have revoked the OAuth authorization.
- C . The Users do not have the correct permission set assigned to them.
- D . The use of High Assurance sessions is required for the Connected App.
Universal Containers (UC) has implemented a multi-org strategy and would like to centralize the management of their Salesforce user profiles.
What should the architect recommend to allow Salesforce profiles to be managed from a central system of record?
- A . Implement JIT provisioning on the SAML IdP that will pass the profile ID in each assertion.
- B . Create an Apex scheduled job in one org that will synchronize the other orgs' profiles.
- C . Implement Delegated Authentication that will update the user profiles as necessary.
- D . Implement an OAuth JWT flow to pass the profile credentials between systems.
Universal Containers (UC) is building a custom employee application on Amazon Web Services (AWS) and would like to store their users' credentials there. Users will also need access to Salesforce for internal operations. UC has tasked an identity architect with evaluating different solutions for authentication and authorization between AWS and Salesforce.
How should an identity architect configure AWS to authenticate and authorize Salesforce users?
- A . Configure the custom employee app as a connected app.
- B . Configure AWS as an OpenID Connect Provider.
- C . Create a custom external authentication provider.
- D . Develop a custom Auth server in AWS.
Universal Containers is creating a web application that will be secured by Salesforce Identity using the OAuth 2.0 Web Server Flow (which uses the OAuth 2.0 authorization code grant type).
Which three OAuth concepts apply to this flow? Choose 3 answers
- A . Verification URL
- B . Client Secret
- C . Access Token
- D . Scopes