Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. Salesforce
  5. Certified Identity and Access Management Designer

Salesforce Certified Identity and Access Management Designer Exam
Certified Identity and Access Management Designer (Page 8 )

Updated On: 9-Feb-2026
Page 8 of 48
PDF with 230 Questions

Universal containers (UC) wants users to authenticate into their salesforce org using credentials stored in a custom identity store. UC does not want to purchase or use a third- party Identity provider. Additionally, UC is extremely wary of social media and does not consider it to be trust worthy.
Which two options should an architect recommend to UC? Choose 2 answers

  1. Use a professional social media such as LinkedIn as an Authentication provider
  2. Build a custom web page that uses the identity store and calls frontdoor.jsp
  3. Build a custom Web service that is supported by Delegated Authentication.
  4. Implement the Openid protocol and configure an Authentication provider

Answer(s): C,D



Universal Containers allows employees to use a mobile device to access Salesforce for daily operations using a hybrid mobile app. This app uses Mobile software development kits (SDK), leverages refresh token to regenerate access token when required and is distributed as a private app.

The chief security officer is rolling out an org wide compliance policy to enforce re- venfication of devices if an employee has not logged in from that device in the last week.

Which connected app setting should be leveraged to complywith this policy change?

  1. Scope - Deny refresh_token scope for this connected app.
  2. Refresh Token Policy - Expire the refresh token if it has not been used for 7 days.
  3. Session Policy - Set timeout value of the connected app to 7 days.
  4. PermittedUser - Ask admins to maintain a list of users who are permitted based on last login date.

Answer(s): B



Universal Containers (UC) is using Active Directory as its corporate identity provider and Salesforce as its CRM for customer care agents, whouse SAML based sign sign-on to login to Salesforce. The default agent profile does not include the Manage User permission. UC wants to dynamically update the agent role and permission sets.

Which two mechanisms are used to provision agents with the appropriate permissions?

Choose 2 answers

  1. Use Login Flow in User Context to update role and permission sets.
  2. Use Login Flow in System Context to update role and permission sets.
  3. Use SAML Just-m-Time (JIT) Handler class run as current user to update roleand permission sets.
  4. Use SAML Just-in-Time (JIT) handler class run as an admin user to update role and permission sets.

Answer(s): B,D



Universal Containers (UC)has an existing e-commerce platform and is implementing a new customer community. They do not want to force customers to register on both applications due to concern over the customers experience. It is expected that 25% of the e-commerce customers will utilize the customer community . The e-commerce platform is capable of generating SAML responses and has an existing REST-ful API capable of managing users. How should UC create the identities of its e-commerce users with the customer community?

  1. Use SAMLJIT in the Customer Community to create users when a user tries to login to the community from the e-commerce site.
  2. Use the e-commerce REST API to create users when a user self-register on the customer community and use SAML to allow SSO.
  3. Use a nightly batch ETL job to sync users between the Customer Community and the e- commerce platform and use SAML to allow SSO.
  4. Use the standard Salesforce API to create users in the Community When a User is Created in the e-Commerce platform and use SAML to allowSSO.

Answer(s): A



Northern TrailOutfitters (NTO) has a number of employees who do NOT need access Salesforce objects. Trie employees should sign in to a custom Benefits web app using their Salesforce credentials.

Which license should the identity architect recommend to fulfill this requirement?

  1. Identity Only License
  2. External Identity License
  3. Identity Verification Credits Add-on License
  4. Identity Connect License

Answer(s): A






Post your Comments and Discuss Salesforce Certified Identity and Access Management Designer exam prep with other Community members:

Join the Certified Identity and Access Management Designer Discussion