Salesforce Certified Identity and Access Management Designer Online Training
The questions for Identity and Access Management Designer were last updated at Dec 09,2025.
- Exam Code: Identity and Access Management Designer
- Exam Name: Salesforce Certified Identity and Access Management Designer
- Certification Provider: Salesforce
A security architect is rolling out a new multi-factor authentication (MFA) mandate, where all employees must go through a secure authentication process before accessing Salesforce. There are multiple Identity Providers (IdP) in place and the architect is considering how the "Authentication Method Reference" field (AMR) in the Login History can help.
Which two considerations should the architect keep in mind? Choose 2 answers
- A . AMR field shows the authentication methods used at IdP.
- B . Both OIDC and Security Assertion Markup Language (SAML) are supported but AMR must be implemented at IdP.
- C . High-assurance sessions must be configured under Session Security Level Policies.
- D . Dependency on what is supported by OpenID Connect (OIDC) implementation at IdP.
An Architect needs to advise the team that manages the Identity Provider how to differentiate Salesforce from other Service Providers .
What SAML SSO setting in Salesforce provides this capability?
- A . Identity Provider Login URL.
- B . Issuer.
- C . Entity Id
- D . SAML Identity Location.
Universal Containers (UC) has five Salesforce orgs (UC1, UC2, UC3, UC4, UC5). Every user in UC2, UC3, UC4, and UC5 is also in UC1; however, not all users have access to every org. Universal Containers would like to simplify the authentication process so that all Salesforce users need to remember only one set of credentials. UC would like to achieve this with the least impact on cost and maintenance.
What approach should an Architect recommend to UC?
- A . Purchase a third-party Identity Provider for all five Salesforce orgs to use and set up JIT user provisioning on all other orgs.
- B . Purchase a third-party Identity Provider for all five Salesforce orgs to use, but don’t set up JIT user provisioning for other orgs.
- C . Configure UC1 as the Identity Provider to the other four Salesforce orgs and set up JIT user provisioning on all other orgs.
- D . Configure UC1 as the Identity Provider to the other four Salesforce orgs, but don’t set up JIT user provisioning for other orgs.
Universal Containers (UC) wants its Closed Won opportunities to be synced to a data warehouse in near real time. UC has implemented Outbound Messaging to enable near-real-time data sync. UC wants to ensure that communication between Salesforce and the target system is secure.
What certificate is sent along with the Outbound Message?
- A . The Self-signed Certificates from the Certificate & Key Management menu.
- B . The default client Certificate from the Develop > API menu.
- C . The default client Certificate or the Certificate and Key Management menu.
- D . The CA-signed Certificate from the Certificate and Key Management menu.
Universal Containers (UC) has a mobile application that calls the Salesforce REST API. To prevent users from having to enter their credentials every time they use the app, UC has enabled the use of refresh tokens as part of the Salesforce Connected App and updated the mobile app to take advantage of the refresh token. Even after enabling the refresh token, users are still complaining that they have to enter their credentials once a day.
What is the most likely cause of the issue?
- A . The OAuth authorizations are being revoked by a nightly batch job.
- B . The refresh token expiration policy is set incorrectly in Salesforce.
- C . The app is requesting too many access tokens in a 24-hour period.
- D . The users forget to check the box to remember their credentials.
Universal Containers (UC) employees have Salesforce access from restricted IP ranges only, to protect against unauthorised access. UC wants to roll out the Salesforce1 mobile app and make it accessible from any location .
Which two options should an Architect recommend? Choose 2 answers
- A . Relax the IP restriction with a second factor in the Connected App settings for the Salesforce1 mobile app.
- B . Remove existing restrictions on IP ranges for all types of user access.
- C . Relax the IP restrictions in the Connected App settings for the Salesforce1 mobile app.
- D . Use Login Flow to bypass IP range restriction for the mobile app.
A service provider (SP) supports both Security Assertion Markup Language (SAML) and OpenID Connect (OIDC).
When integrating this SP with Salesforce, which use case is the determining factor when choosing OIDC or SAML?
- A . OIDC is more secure than SAML and therefore is the obvious choice.
- B . The SP needs to perform API calls back to Salesforce on behalf of the user after the user logs in to the service provider.
- C . If the user has a session on Salesforce, you do not want them to be prompted for a username and password when they login to the SP.
- D . They are equivalent protocols and there is no real reason to choose one over the other.
Northern Trail Outfitters would like to automatically create new employee users in Salesforce with an appropriate profile that maps to its Active Directory Department.
How should an identity architect implement this requirement?
- A . Use the createUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.
- B . Use the updateUser method in the Just-in-Time (JIT) provisioning registration handler to assign the appropriate profile.
- C . Use a login flow to collect Security Assertion Markup Language attributes and assign the appropriate profile during Just-In-Time (JIT) provisioning.
- D . Make a callout during the login flow to query department from Active Directory to assign the appropriate profile.
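The registration handler this question refers to is an Apex class implementing the Auth.SamlJitHandler interface, whose createUser method runs when no existing user matches the assertion's Federation ID and whose updateUser method runs on every later login. The following is an added example written for this page, not code from Salesforce or from the exam; the attribute names (Department, User.Username, User.Email, and so on), the department-to-profile map, and the fallback profile name are assumptions. The security point it illustrates is that assertion attributes are attacker-influenceable input from the IdP's perspective, so the profile is chosen from a fixed allowlist with a least-privilege default rather than taken verbatim from the assertion.

```apex
// Added example: SAML JIT registration handler that picks a profile from the
// IdP's "Department" attribute. Attribute names, the mapping table and the
// fallback profile name are assumptions, not Salesforce defaults.
global class DepartmentJitHandler implements Auth.SamlJitHandler {

    // Allowlist: only these department values map to a profile. Anything
    // else (including a missing attribute) gets the least-privilege fallback.
    private static final Map<String, String> DEPT_TO_PROFILE = new Map<String, String>{
        'Sales'       => 'Sales User',          // assumed profile names
        'Service'     => 'Service User',
        'Engineering' => 'Standard User'
    };
    private static final String FALLBACK_PROFILE = 'Minimum Access - Salesforce'; // assumed

    // Resolve the department attribute to a Profile Id via the allowlist.
    private static Id profileIdFor(Map<String, String> attributes) {
        String dept = attributes.get('Department');              // assumed attribute name
        String profileName = (dept != null && DEPT_TO_PROFILE.containsKey(dept))
            ? DEPT_TO_PROFILE.get(dept)
            : FALLBACK_PROFILE;
        Profile p = [SELECT Id FROM Profile WHERE Name = :profileName LIMIT 1];
        return p.Id;
    }

    // Called when no user matches the Federation ID: build and insert the user.
    global User createUser(Id samlSsoProviderId, Id communityId, Id portalId,
                           String federationIdentifier,
                           Map<String, String> attributes, String assertion) {
        User u = new User();
        u.FederationIdentifier = federationIdentifier;
        u.Username  = attributes.get('User.Username');           // assumed attribute names
        u.Email     = attributes.get('User.Email');
        u.FirstName = attributes.get('User.FirstName');
        u.LastName  = attributes.get('User.LastName');
        // Alias is required and limited to 8 characters.
        String aliasSource = (u.LastName == null) ? 'user' : u.LastName;
        u.Alias = aliasSource.left(8).toLowerCase();
        u.ProfileId = profileIdFor(attributes);
        // Required locale fields; fixed values are an assumption for the example.
        u.TimeZoneSidKey    = 'America/Los_Angeles';
        u.LocaleSidKey      = 'en_US';
        u.EmailEncodingKey  = 'UTF-8';
        u.LanguageLocaleKey = 'en_US';
        insert u;
        return u;
    }

    // Called on every later login for an existing user: re-sync the profile
    // if the department changed, but never rewrite the Federation ID.
    global void updateUser(Id userId, Id samlSsoProviderId, Id communityId, Id portalId,
                           String federationIdentifier,
                           Map<String, String> attributes, String assertion) {
        User u = [SELECT Id, ProfileId FROM User WHERE Id = :userId];
        Id wanted = profileIdFor(attributes);
        if (u.ProfileId != wanted) {
            u.ProfileId = wanted;
            update u;
        }
    }
}
```

The class is referenced from the SAML Single Sign-On Setting by enabling "User Provisioning" with a custom handler and selecting this class. Because updateUser also reassigns the profile, a user whose department attribute is removed at the IdP drops to the fallback profile on the next login, which is the intended direction of failure.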
What item should an Architect consider when designing a Delegated Authentication implementation?
- A . The Web service should be secured with TLS using Salesforce trusted certificates.
- B . The Web service should be able to accept one to four input method parameters.
- C . The web service should use the Salesforce Federation ID to identify the user.
- D . The Webservice should implement a custom password decryption method.
A public sector agency is setting up an identity solution for its citizens using a Community built on Experience Cloud and requires the new user registration functionality to capture first name, last name, and phone number. The phone number will be used for identity verification.
Which feature should an identity architect recommend to meet the requirements?
- A . Integrate with social websites (Facebook, LinkedIn, Twitter)
- B . Use an external Identity Provider
- C . Create a custom Lightning Web Component
- D . Use Login Discovery