Salesforce Certified Identity and Access Management Designer Exam Dumps & Practice Test Questions
Question 1:
In a Salesforce implementation, you are designing an Identity and Access Management (IAM) solution for an organization that requires seamless access for employees and partners across multiple systems. The organization mandates single sign-on (SSO) with strong security and minimal user friction.
Which of the following strategies best meets these requirements?
A) Use Salesforce as the Identity Provider (IdP) with SAML-based SSO for all users.
B) Implement an external enterprise Identity Provider supporting OpenID Connect and integrate Salesforce as a Service Provider (SP).
C) Use Salesforce's delegated authentication for all users with password storage in Salesforce.
D) Require users to maintain separate credentials for Salesforce and other applications with manual login.
Correct Answer: B
Explanation:
When designing an effective Identity and Access Management (IAM) solution for Salesforce, especially for an organization that includes both employees and partners, seamless and secure Single Sign-On (SSO) is critical. The best approach balances security, user convenience, and scalability.
Option B, implementing an external enterprise Identity Provider (IdP) that supports OpenID Connect (OIDC) and integrating Salesforce as a Service Provider (SP), is the most appropriate. Many organizations already have centralized Identity Providers such as Okta, Azure AD, or Ping Identity managing users and access across many applications. Leveraging this external IdP allows users to authenticate once and access Salesforce plus other enterprise applications without needing multiple credentials. OpenID Connect is a modern, widely adopted authentication protocol built on OAuth 2.0 that provides strong security features including token-based authentication and multi-factor support.
Option A—using Salesforce as the IdP—is possible but generally less scalable for larger enterprises or partner ecosystems. Salesforce as an IdP is most useful when Salesforce is the primary system, but external IdPs usually offer better integration, management, and security features.
Option C describes delegated authentication, which involves Salesforce validating usernames and passwords against an external system. While this can improve security, it still relies on password credentials and does not provide seamless SSO across multiple apps, making it less user-friendly.
Option D, requiring separate logins for each system, introduces poor user experience and increased security risks like password reuse and reset overhead.
In summary, the best practice for enterprise IAM with Salesforce is to leverage an external IdP with standards-based protocols like OpenID Connect or SAML. This ensures strong security, streamlined user experience, and centralized identity management—all essential for a scalable and robust IAM design.
Question 2:
Universal Containers (UC) currently uses Delegated Authentication with a Java-based service. The new CIO mandates that all web services must be RESTful and implemented in .Net.
What two points should the Architect communicate regarding Delegated Authentication compatibility with these requirements? (Choose two.)
A. Delegated Authentication supports integration with RESTful web services.
B. Delegated Authentication can work with web services developed in .Net.
C. Delegated Authentication cannot be used with RESTful services.
D. Delegated Authentication is incompatible with .Net web services.
Correct Answers: A and B
Explanation:
Delegated Authentication is a Salesforce security feature allowing Salesforce to delegate the verification of user credentials to an external system, typically a web service. This external system authenticates the user and responds to Salesforce, which then permits or denies login access.
With the CIO’s new mandate requiring all services to be RESTful and developed in .Net, there are two key compatibility considerations:
Option A is correct because Delegated Authentication supports RESTful web services. The protocol used by the external service—whether SOAP or REST—does not inherently prevent Delegated Authentication from functioning. As long as the external service implements the correct API endpoints and communication patterns that Salesforce expects, Delegated Authentication will work properly. Salesforce communicates over HTTPS and expects a specific authentication response, which can be achieved using REST.
Option B is also correct because the technology stack (Java, .Net, or others) used to build the external authentication service does not restrict Delegated Authentication. The critical factor is that the service correctly processes Salesforce’s authentication requests and returns the appropriate responses. A .Net-based service can be fully compatible if it implements the necessary RESTful endpoints for authentication.
Options C and D are incorrect because they wrongly claim incompatibility. REST or .Net technologies do not limit Delegated Authentication’s functionality. The protocol and platform can differ as long as the service adheres to the expected authentication contract.
In summary, the Architect should reassure the CIO that Delegated Authentication will continue to work seamlessly when switching to RESTful web services developed in .Net, as these changes do not compromise the integration’s functionality.
Question 3:
How can an Architect ensure that users are required to use Two-Factor Authentication (2FA) in Salesforce only when they are logging in from outside the company’s internal network?
A. Grant the “Two-factor Authentication for User Interface Logins” permission to all Profiles and configure Login IP Ranges.
B. Add the company’s internal network IP addresses to the Login IP Range list in the 2FA settings.
C. Implement Custom Login Flows using Apex code to check users’ IP addresses and enforce 2FA when necessary.
D. Create an Apex Trigger on the UserLogin object to detect IP addresses and trigger 2FA prompts accordingly.
Correct Answer: B
Explanation:
To mandate Two-Factor Authentication (2FA) for Salesforce users only when they are outside the trusted internal company network, the most effective and straightforward approach is to utilize the Login IP Range feature within Salesforce’s 2FA setup. By adding the organization’s known internal IP addresses to this Login IP Range list, Salesforce can identify trusted connections and allow users logging in from these IPs to bypass the 2FA prompt.
This approach leverages native Salesforce functionality designed to streamline security policies based on IP addresses. When users access Salesforce from outside these trusted ranges—such as from home networks, public Wi-Fi, or other external locations—the system automatically requires them to complete 2FA, adding an essential layer of security against unauthorized access.
The alternative options are less optimal:
Option A enforces 2FA for all user interface logins regardless of network location, which contradicts the requirement to restrict 2FA to external access only.
Option C suggests creating custom login flows with Apex to detect IP addresses and enforce 2FA. While flexible, this method introduces unnecessary complexity and maintenance overhead, as Salesforce’s built-in IP range handling already meets the requirement cleanly.
Option D involves using an Apex Trigger on the UserLogin object, which is not a typical or recommended method for enforcing authentication policies and would complicate the architecture without added benefits.
In summary, configuring the company’s internal IP addresses under the Login IP Range in Salesforce’s 2FA settings allows seamless, native enforcement of 2FA solely when users log in from outside the trusted internal network—balancing security and usability effectively.
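The decision the Login IP Range setting makes for each login is easy to get subtly wrong when reimplemented, so here is the rule written out in Python as an added example (this is not exam material or Salesforce code). The trusted ranges and the login records are constructed values; the point to notice is that anything that cannot be parsed as an address is challenged rather than trusted, and that an IPv4-mapped IPv6 literal does not match an IPv4 range unless the front end normalises it first.

```python
import ipaddress

# Constructed stand-ins for the corporate ranges an admin would enter in the
# Login IP Range list (documentation prefixes, not real corporate addresses).
TRUSTED_RANGES = ["203.0.113.0/24", "198.51.100.10/32", "2001:db8:10::/48"]


def requires_2fa(source_ip, trusted_ranges=TRUSTED_RANGES):
    """Return True when the login should be challenged with 2FA.

    Logins from inside a trusted range skip the prompt; every other source,
    including one that cannot be parsed as an address, fails closed.
    """
    try:
        addr = ipaddress.ip_address(source_ip.strip())
    except (ValueError, AttributeError):
        return True  # unparsable or missing source: challenge, do not trust
    for cidr in trusted_ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        # An IPv4-mapped IPv6 literal (::ffff:a.b.c.d) has version 6 and will
        # not match an IPv4 range; normalise upstream if your proxy emits them.
        if addr.version == net.version and addr in net:
            return False
    return True


def evaluate_logins(logins):
    """Annotate constructed (user, source_ip) login attempts with the decision."""
    return [(user, ip, requires_2fa(ip)) for user, ip in logins]


if __name__ == "__main__":
    for row in evaluate_logins([("alice", "203.0.113.25"), ("bob", "192.0.2.9")]):
        print(row)
```

Salesforce performs this evaluation itself once the ranges are configured; the function is only here to make the fail-closed behaviour and the IPv4/IPv6 matching rule explicit.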
Question 4:
What is the primary function of the Identity Provider (IdP) in a SAML-based Single Sign-On (SSO) system?
A. To consume the SAML assertion
B. To revoke issued assertions
C. To validate assertions received
D. To create and issue SAML assertions
Correct Answer: D
Explanation:
In a Single Sign-On (SSO) system that uses the Security Assertion Markup Language (SAML) protocol, the Identity Provider (IdP) plays a critical role in authenticating users and issuing digital tokens called assertions. These assertions carry the authentication details and user identity information needed by other applications or services, commonly referred to as Service Providers (SPs).
The main responsibility of the Identity Provider (IdP) is to create and issue these SAML assertions after successfully authenticating a user. These assertions confirm the user’s identity and may include additional information such as user roles or permissions. Once created, the assertion is digitally signed by the IdP to ensure its integrity and authenticity before being sent to the Service Provider.
The Service Provider then receives the assertion and validates it to confirm that it has not been tampered with and originates from a trusted IdP. This validation step is crucial because it ensures secure access without the user needing to re-enter credentials.
The other options describe roles that do not belong to the Identity Provider:
Consuming assertions (A) is the task of the Service Provider, which relies on assertions to grant access.
Revoking assertions (B) is not typically a function of the IdP within SAML; session or token revocation is managed differently.
Validating assertions (C) is done by the Service Provider to authenticate the user based on the received assertion.
In essence, the IdP’s role is foundational: it creates and issues SAML assertions, enabling secure and seamless user authentication across multiple services within an SSO framework.
Question 5:
Universal Containers (UC) wants to enable delegated authentication so employees can log in with their corporate credentials. However, the security team is concerned about exposing the corporate login service to the internet and requests a secure trust mechanism between the login service and Salesforce.
What is the best method an architect should implement to ensure a trusted connection between these two systems?
A. Require Salesforce security tokens to be appended to passwords
B. Use mutual SSL authentication between systems
C. Deploy a proxy server for the login service in a DMZ
D. Include Client Id and Client Secret in the login API call header
Correct Answer: B
Explanation:
In this scenario, the key requirement is to secure the communication channel between the corporate login service and Salesforce while minimizing risks related to exposing internal services to the public internet. The best approach is to enforce mutual SSL authentication (option B), also known as two-way SSL.
Mutual SSL authentication requires both the client and server to present trusted certificates during the SSL handshake. This ensures that both parties verify each other’s identities before any data exchange occurs. By using this approach, the corporate login service and Salesforce mutually authenticate, establishing a trusted and encrypted connection. This not only encrypts data traffic to prevent interception but also prevents unauthorized systems from impersonating either party.
Let’s examine why the other options are less suitable:
Option A (using Salesforce security tokens) focuses on API-level authentication but does not secure or validate the network connection itself. Security tokens help with authentication but do not prevent exposure risks or ensure a trusted transport layer.
Option C involves placing a proxy in the DMZ (Demilitarized Zone) to shield the internal login service. While proxies can reduce direct exposure, they do not inherently provide mutual trust between Salesforce and the login service. This approach addresses network architecture rather than cryptographic trust.
Option D involves sending OAuth credentials (Client Id and Secret) in API calls. While essential for OAuth workflows, it doesn’t create a trusted, encrypted channel for the login service communication.
In summary, mutual SSL authentication is the most robust way to create a secure, trusted link between Salesforce and the corporate login service. It effectively addresses the security team’s concerns by verifying both endpoints and encrypting all communications, reducing the risk of interception or impersonation.
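To make the "both sides present certificates" point concrete, the following Python is an added example of how the login service side of a two-way TLS setup is configured with the standard library; it is not Salesforce code and not part of the exam material. File paths are parameters rather than real values, and the peer-certificate dictionary in the post-handshake check mirrors what `ssl.SSLSocket.getpeercert()` returns. The second check matters in practice: a valid chain only proves that the CA issued the client certificate, so the service should additionally pin the subject it expects to see.

```python
import ssl


def mutual_tls_server_context(ca_file=None, certfile=None, keyfile=None):
    """Server-side (login service) context for two-way TLS.

    CERT_REQUIRED makes the handshake fail unless the client presents a
    certificate that chains to ca_file, so an anonymous internet caller is
    rejected before any authentication request is processed.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)   # CA that issued client certs
    if certfile:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)  # our own identity
    return ctx


def mutual_tls_client_context(ca_file=None, certfile=None, keyfile=None):
    """Client-side context: verify the server's chain and present our certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def peer_is_expected(peer_cert, allowed_subject_cns):
    """Post-handshake identity pin on the dict returned by getpeercert().

    Chain validation proves the CA signed the certificate; this additionally
    requires the subject commonName to be one of the counterparts we expect.
    """
    if not peer_cert:
        return False
    subject = dict(pair for rdn in peer_cert.get("subject", ()) for pair in rdn)
    return subject.get("commonName") in set(allowed_subject_cns)


if __name__ == "__main__":
    # Constructed peer certificate dict in getpeercert() shape, for illustration only.
    sample_peer = {"subject": ((("countryName", "US"),), (("commonName", "partner.example.net"),))}
    ctx = mutual_tls_server_context()
    print(ctx.verify_mode.name, ctx.minimum_version.name)
    print(peer_is_expected(sample_peer, ["partner.example.net"]))
```

Wrapping a listening socket with `mutual_tls_server_context(...).wrap_socket(sock, server_side=True)` and calling `peer_is_expected(conn.getpeercert(), [...])` after accept is the whole integration; the assumption throughout is that the CA file contains only the issuer of the client certificates the service should trust.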
Question 6:
Universal Containers (UC) has decided to use Identity Connect as their Identity Provider, integrating with Active Directory (AD). Since their IT team is experienced with managing AD groups, UC wants to leverage AD groups to help configure Salesforce users.
Which three capabilities can AD Groups control via Identity Connect? (Select three.)
A. Assignment to Salesforce Public Groups
B. Role Assignments in Salesforce
C. Custom Permissions Assignment
D. Access to Report Folders
E. Permission Sets Assignment
Correct Answers: A, B, E
Explanation:
Identity Connect enables synchronization between Active Directory groups and Salesforce user attributes and permissions. This integration helps streamline user management by leveraging existing AD group structures to automatically control certain Salesforce user configurations.
The three key capabilities AD groups can control via Identity Connect are:
Role Assignment (B):
AD groups can be mapped to specific Salesforce roles. When a user is added to an AD group, Identity Connect automatically assigns them the corresponding Salesforce role. This simplifies role management by centralizing it in AD while keeping Salesforce roles synchronized without manual intervention.
Permission Sets Assignment (E):
AD groups can also control the assignment of Salesforce permission sets. Permission sets grant users additional privileges beyond their profiles. By mapping AD groups to permission sets, administrators can dynamically manage feature access based on group membership in AD, enhancing flexibility and security.
Public Group Assignment (A):
Salesforce public groups are used for sharing records, managing security, and setting up workflow tasks. Identity Connect allows AD groups to map users into Salesforce public groups automatically. This integration streamlines group membership management and record sharing policies.
The options that are not supported include:
Custom Permissions Assignment (C): Salesforce custom permissions are granular controls assigned via permission sets or profiles. They are not directly mappable to AD groups through Identity Connect.
Report Folder Access (D): Access to report folders is managed within Salesforce itself, typically via roles, profiles, or permission sets, but not through AD groups.
In conclusion, leveraging AD groups to control Role Assignments, Permission Sets, and Public Group membership through Identity Connect provides UC a powerful and automated way to manage Salesforce user access aligned with existing corporate directory structures.
Question 7:
The CIO of Universal Containers wants to implement refresh tokens for their applications using OAuth 2.0. An Architect has been tasked with identifying which OAuth flows support refresh tokens.
Which two OAuth flows should the Architect focus on? (Select two.)
A. JWT Bearer Token
B. Web Server
C. Username-Password
D. User-Agent
Correct Answer: B, C
Explanation:
Refresh tokens in OAuth 2.0 are designed to allow applications to obtain new access tokens without forcing users to re-authenticate every time the current access token expires. This enables smoother user experiences by maintaining long-lived sessions securely. However, not all OAuth flows support refresh tokens. The Architect must therefore identify the flows that do.
B. Web Server Flow:
This flow is tailored for server-side web applications where the app redirects the user to authenticate and grants an authorization code. The server exchanges this code for an access token and a refresh token. The refresh token enables the application to silently renew the access token without further user interaction, making it ideal for persistent access in web apps.
C. Username-Password Flow:
This flow allows an application to obtain access tokens by directly submitting the user's credentials (username and password). It also supports refresh tokens, which helps maintain session continuity without requiring users to repeatedly enter their credentials. Although this flow should be used cautiously due to credential exposure risks, it is common in trusted first-party applications.
Why Not the Others?
A. JWT Bearer Token Flow:
This flow is primarily intended for server-to-server communication where a JWT asserts identity and authorization without user involvement. It does not use refresh tokens because tokens are typically short-lived and the server can generate new tokens as needed.
D. User-Agent Flow:
Also called the Implicit Flow, it is designed for client-side applications like SPAs (Single Page Applications). It issues access tokens directly but does not provide refresh tokens due to security concerns with storing refresh tokens in browsers. Tokens are short-lived, and users must re-authenticate once they expire.
In summary, the Architect should prioritize Web Server and Username-Password flows because these support refresh tokens, allowing applications to maintain persistent and secure access without frequent user logins.
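The mechanics of "silently renewing the access token" are worth seeing once in code. The Python below is an added example, not exam material or Salesforce's own client library: it keeps an access token alive with the `refresh_token` grant against the token endpoint, refreshes early when a lifetime is known, and otherwise refreshes once on a 401 and retries. The HTTP call is injected so the class runs offline; `FakeTokenEndpoint` is a constructed stand-in whose responses are not real Salesforce responses. The client ID, secret and refresh token values are placeholders.

```python
import time

TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"


class TokenClient:
    """Keeps an access token alive with the refresh_token grant.

    post(url, form) -> dict is injected so the class runs offline; in production
    it is an HTTPS POST of the form fields to the token endpoint.
    """

    def __init__(self, client_id, client_secret, refresh_token, post, leeway=60):
        self.client_id = client_id
        self.client_secret = client_secret
        self.refresh_token = refresh_token  # long-lived: store encrypted, never log it
        self.post = post
        self.leeway = leeway                # renew this many seconds before expiry
        self.access_token = None
        self.expires_at = None              # None: lifetime unknown, rely on 401s
        self.refresh_count = 0

    def refresh(self, now=None):
        now = time.time() if now is None else now
        form = {
            "grant_type": "refresh_token",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "refresh_token": self.refresh_token,
        }
        resp = self.post(TOKEN_URL, form)
        if "access_token" not in resp:
            # invalid_grant: the refresh token was revoked or expired, so the
            # user has to go through the Web Server flow again.
            raise PermissionError(resp.get("error", "refresh failed"))
        self.access_token = resp["access_token"]
        self.expires_at = now + resp["expires_in"] if "expires_in" in resp else None
        self.refresh_count += 1
        return self.access_token

    def get_access_token(self, now=None):
        now = time.time() if now is None else now
        stale = self.expires_at is not None and now + self.leeway >= self.expires_at
        if self.access_token is None or stale:
            self.refresh(now)
        return self.access_token

    def call(self, send, now=None):
        """send(access_token) -> (status, body). Refresh once on 401 and retry;
        a second 401 is a genuine authorization failure, not expiry."""
        status, body = send(self.get_access_token(now))
        if status == 401:
            status, body = send(self.refresh(now))
        return status, body


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint; not a real Salesforce response."""

    def __init__(self, valid_refresh_token="REFRESH_TOKEN_PLACEHOLDER"):
        self.valid = valid_refresh_token
        self.issued = 0

    def __call__(self, url, form):
        if url != TOKEN_URL or form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        if form.get("refresh_token") != self.valid:
            return {"error": "invalid_grant"}
        self.issued += 1
        return {"access_token": f"at-{self.issued}", "token_type": "Bearer", "expires_in": 7200}


if __name__ == "__main__":
    client = TokenClient("CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER",
                         "REFRESH_TOKEN_PLACEHOLDER", FakeTokenEndpoint())
    print(client.get_access_token(now=1000), client.get_access_token(now=5000))
```

Note that a Salesforce refresh response does not necessarily carry `expires_in`; the class tolerates its absence by falling back to the refresh-on-401 path, which is why `call()` exists. The refresh token is the long-lived secret in this design and must be stored with the same care as a password.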
Question 8:
An Architect needs to instruct the Identity Provider team on how to uniquely identify Salesforce among multiple Service Providers in a SAML SSO setup. Which Salesforce SAML setting allows this distinction?
A. SAML Identity Location
B. Identity Provider Login URL
C. Entity Id
D. Issuer
Correct Answer: C
Explanation:
In a SAML Single Sign-On (SSO) configuration, multiple Service Providers (SPs) may use the same Identity Provider (IdP). To ensure the IdP directs authentication responses correctly, each SP must have a unique identifier. Salesforce uses the Entity Id setting to fulfill this purpose.
What is Entity Id?
The Entity Id is a unique string that identifies Salesforce as a specific Service Provider in the SAML transaction. When a user initiates SSO, the IdP uses the Entity Id to determine which SP the authentication request or response corresponds to. This ensures that the SAML assertion is sent to the correct application — in this case, Salesforce — among potentially many others.
Why Not the Other Options?
A. SAML Identity Location:
This defines where the user identity is found in the SAML assertion (Subject vs Attribute statement). While essential for parsing user details, it does not uniquely identify Salesforce in the SAML flow.
B. Identity Provider Login URL:
This URL points to the IdP’s login page and is used to route users for authentication. It does not differentiate Salesforce from other SPs; it merely directs users to the IdP.
D. Issuer:
The Issuer element usually identifies the IdP issuing the assertion. While crucial for validating trust and authenticity, it does not distinguish the Service Provider.
In conclusion, the Entity Id setting is the critical identifier that tells the Identity Provider, “This SAML response is intended for Salesforce.” This ensures proper routing and authentication flow in a multi-SP environment.
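Questions 4 and 8 together describe one exchange: the IdP creates and signs an assertion naming itself as Issuer and the Service Provider's Entity Id as Audience, and the SP validates it. The Python below is an added example of that exchange and is not exam material or Salesforce code. It builds a minimal assertion in the real SAML 2.0 assertion namespace, but stands in for XML-DSig with an HMAC over the serialised bytes (a shared key is an assumption made so the example runs with the standard library; a real IdP signs with its private key and the SP checks against the IdP certificate). The issuer, Entity Id, user and timestamps are constructed values. The SP side shows the checks the explanation lists plus two a practitioner would add: the validity window and one-time use of the assertion ID.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", NS)


def tag(name):
    return f"{{{NS}}}{name}"


def to_iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def from_iso(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


class IdentityProvider:
    """Creates and issues assertions; the user authentication step is out of scope."""

    def __init__(self, issuer, signing_key):
        self.issuer = issuer
        self.key = signing_key  # HMAC key standing in for the IdP signing key

    def issue(self, name_id, sp_entity_id, now, lifetime=300):
        root = ET.Element(tag("Assertion"), {"ID": "_" + secrets.token_hex(16),
                                             "Version": "2.0", "IssueInstant": to_iso(now)})
        ET.SubElement(root, tag("Issuer")).text = self.issuer
        ET.SubElement(ET.SubElement(root, tag("Subject")), tag("NameID")).text = name_id
        cond = ET.SubElement(root, tag("Conditions"),
                             {"NotBefore": to_iso(now), "NotOnOrAfter": to_iso(now + lifetime)})
        # The Audience is the SP's Entity Id: this is what routes the assertion to one SP.
        ET.SubElement(ET.SubElement(cond, tag("AudienceRestriction")), tag("Audience")).text = sp_entity_id
        xml_bytes = ET.tostring(root)
        signature = hmac.new(self.key, xml_bytes, hashlib.sha256).hexdigest()
        return xml_bytes, signature


class ServiceProvider:
    """Consumes assertions: origin, audience, validity window and one-time use."""

    def __init__(self, entity_id, trusted_issuer, idp_key):
        self.entity_id = entity_id
        self.trusted_issuer = trusted_issuer
        self.idp_key = idp_key
        self.seen_ids = set()  # constructed in-memory replay cache

    def consume(self, xml_bytes, signature, now, skew=60):
        expected = hmac.new(self.idp_key, xml_bytes, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"          # tampered or not from the IdP
        root = ET.fromstring(xml_bytes)
        if root.tag != tag("Assertion"):
            return False, "not an assertion"
        if root.findtext(tag("Issuer")) != self.trusted_issuer:
            return False, "untrusted issuer"
        audience = root.findtext(f"{tag('Conditions')}/{tag('AudienceRestriction')}/{tag('Audience')}")
        if audience != self.entity_id:
            return False, "audience mismatch"      # issued for a different SP
        cond = root.find(tag("Conditions"))
        not_before, not_after = from_iso(cond.get("NotBefore")), from_iso(cond.get("NotOnOrAfter"))
        if not (not_before - skew <= now < not_after + skew):
            return False, "outside validity window"
        if root.get("ID") in self.seen_ids:
            return False, "replayed assertion"
        self.seen_ids.add(root.get("ID"))
        return True, root.findtext(f"{tag('Subject')}/{tag('NameID')}")


if __name__ == "__main__":
    key = b"constructed-shared-key"
    idp = IdentityProvider("https://idp.example.com", key)
    sp = ServiceProvider("https://sp-one.example.com/entity", "https://idp.example.com", key)
    assertion, sig = idp.issue("user@example.com", sp.entity_id, now=1_700_000_000)
    print(sp.consume(assertion, sig, now=1_700_000_010))
```

Running the block with a second `ServiceProvider` whose Entity Id differs shows the routing point of Question 8 directly: the same signed assertion is rejected with `audience mismatch`, because it was issued for another SP.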
Question 9:
Universal Containers (UC) wants to integrate its middleware with Salesforce but has a strict rule against storing usernames and passwords anywhere in their systems.
How should UC configure authentication from their middleware to Salesforce while meeting this security requirement?
A) Use a Connected App that supports the Refresh Token OAuth Flow.
B) Use a Connected App that supports the JWT Bearer Token OAuth Flow.
C) Use a Connected App that supports the User-Agent OAuth Flow.
D) Use a Connected App that supports the Web Server OAuth Flow.
Correct Answer: B
Explanation:
Universal Containers has a strict policy forbidding the storage of usernames and passwords within their middleware systems, which makes certain OAuth authentication flows unsuitable. To meet this requirement, the JWT Bearer Token OAuth Flow (answer B) is the ideal approach. This flow allows secure server-to-server authentication using digitally signed JSON Web Tokens (JWTs), which include claims such as the client ID, audience, and scope. The JWT is signed with a private key, and Salesforce validates it to grant access without requiring the middleware to store any username or password credentials.
This flow is particularly well suited for backend integrations where there is no interactive user session, and credentials must not be saved on the middleware side.
Option A, the Refresh Token OAuth Flow, involves storing refresh tokens that can be used to generate new access tokens. Because refresh tokens are sensitive and essentially grant ongoing access, storing them would violate UC’s security rule against saving credentials.
Option C, the User-Agent OAuth Flow, is designed for browser-based applications where the user authenticates interactively. It requires user login and does not fit middleware-to-Salesforce integration without user interaction.
Option D, the Web Server OAuth Flow, is typically used for web applications with user interaction where credentials are provided by users via login pages. This flow requires storing client secrets and often user credentials indirectly, conflicting with UC’s restriction.
Therefore, the JWT Bearer Token OAuth Flow provides a secure, scalable, and credential-free authentication method perfectly aligned with UC’s requirement of not storing usernames or passwords in any system.
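What the middleware actually sends in the JWT Bearer Token flow is a signed JWT plus one form-encoded POST. The Python below is an added example of assembling both, not exam material or a Salesforce library. The claim set (`iss` = the Connected App's consumer key, `sub` = the integration username, `aud` = the login endpoint, `exp`) and the `grant_type` value are the ones the flow uses; the consumer key and username shown are placeholders. Signing is injected: `rs256_signer` is the production path and assumes the `cryptography` package, while `placeholder_signer` is a constructed HMAC stand-in used only so the example runs without key material. Salesforce also requires the user to have been pre-authorized for the Connected App; that is an administrative step, not part of this code.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url(raw):
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_assertion(consumer_key, username, audience, sign, now=None, lifetime=180):
    """Assemble the JWT the middleware presents.

    sign(data: bytes) -> bytes must produce an RS256 signature with the private key
    whose certificate is registered on the Connected App; it is injected here so
    the function itself never touches key material.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256"}
    claims = {"iss": consumer_key, "sub": username, "aud": audience, "exp": now + lifetime}

    def encode(obj):
        return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))

    signing_input = encode(header) + "." + encode(claims)
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))


def token_request_body(assertion):
    """Form body of the POST to the token endpoint; no username or password anywhere."""
    return urlencode({"grant_type": JWT_BEARER_GRANT, "assertion": assertion})


def decode_claims(jwt):
    """Read back the claim segment (no verification; for inspection only)."""
    return json.loads(b64url_decode(jwt.split(".")[1]))


def rs256_signer(private_key_pem):
    """Production signer; assumes the 'cryptography' package is installed."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def placeholder_signer(data):
    """Constructed stand-in so the example runs offline; NOT an RS256 signature."""
    return hmac.new(b"placeholder-key", data, hashlib.sha256).digest()


if __name__ == "__main__":
    jwt = build_assertion("CONSUMER_KEY_PLACEHOLDER", "integration.user@example.com",
                          "https://login.salesforce.com", placeholder_signer)
    print(decode_claims(jwt))
    print(token_request_body(jwt)[:80], "...")
```

The short `exp` (three minutes here) limits how long a captured assertion is useful, and the private key is the only secret the middleware holds, which is exactly what lets it satisfy the no-stored-passwords rule.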
Question 10:
At Universal Containers, Customer Service Representatives report that when they click links to specific case records and are prompted to log in via SAML SSO, they are redirected only to the Salesforce Home page instead of the targeted case.
What should the architect recommend the identity team to check first?
A) Verify that My Domain is configured and enabled in Salesforce.
B) Ensure users have the correct Federation ID set in Salesforce.
C) Confirm that Salesforce SSO settings are configured to use HTTP POST.
D) Check that the Identity Provider correctly preserves the RelayState parameter.
Correct Answer: D
Explanation:
The issue described involves users being redirected to the default Salesforce Home page after authenticating with SAML Single Sign-On (SSO), rather than being taken to the specific case record they originally requested. The most common cause of this behavior lies with the RelayState parameter, making option D the correct answer.
RelayState is an essential component in SAML authentication flows. It holds the URL or destination the user initially tried to access before being redirected to the login page. When the Identity Provider (IdP) authenticates the user, it should preserve and return this RelayState back to Salesforce so that the user lands on the intended page after login.
If the RelayState is lost, overwritten, or not correctly handled by the IdP, users will be sent to the default landing page—in this case, the Salesforce Home tab—regardless of which record or URL they originally clicked.
Option A (My Domain configuration) is important to enable SSO and customized URLs, but it does not directly control where users land post-login.
Option B (correct Federation ID) ensures proper user mapping for SSO login but would typically cause login failures or errors, not redirect issues.
Option C (using HTTP POST for SSO) relates to how SAML assertions are transmitted but generally does not cause users to be redirected away from their intended page.
Hence, the architect should advise the identity team to investigate how the IdP handles the RelayState parameter during the SSO process. Ensuring RelayState is preserved correctly will resolve the redirect problem and improve user experience by taking users to the precise case records after authentication.
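The RelayState round trip, with both a correctly behaving IdP and one that drops the parameter, as an added example in Python (not exam material or Salesforce code). The SP keeps the requested deep link in a server-side table keyed by an opaque RelayState token, which is an assumption made here rather than something the page prescribes; it avoids size limits and means a RelayState forged or altered in transit cannot steer the user anywhere. The paths, the IdP URL and the `SAMLRequest` placeholder are constructed values. The check worth noting for the identity team is `safe_local_path`: even when RelayState comes back intact, only a same-origin path is accepted as the landing page, and anything else falls back to Home, which is the symptom the representatives reported.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

HOME = "/lightning/page/home"                        # fallback landing page (constructed)
IDP_LOGIN_URL = "https://idp.example.com/sso/saml"   # constructed IdP endpoint


def safe_local_path(path):
    """Only a same-origin absolute path may be used as the post-login landing page."""
    if not path or not path.startswith("/") or path.startswith("//"):
        return False
    parts = urlparse(path)
    return parts.scheme == "" and parts.netloc == ""


class ServiceProvider:
    def __init__(self, idp_login_url=IDP_LOGIN_URL, home=HOME):
        self.idp_login_url = idp_login_url
        self.home = home
        self.pending = {}  # opaque RelayState token -> requested path (in-memory stand-in)

    def start_login(self, requested_path):
        """Unauthenticated deep link: remember it, then send the user to the IdP."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = requested_path
        query = urlencode({"SAMLRequest": "AUTHN_REQUEST_PLACEHOLDER", "RelayState": token})
        return f"{self.idp_login_url}?{query}"

    def finish_login(self, relay_state):
        """Assertion consumer side, after the assertion itself has been validated:
        pick the landing page from the RelayState the IdP sent back."""
        target = self.pending.pop(relay_state, None) if relay_state else None
        return target if safe_local_path(target) else self.home


def idp_preserving(login_url):
    """IdP that echoes RelayState unchanged in its response to the SP."""
    return parse_qs(urlparse(login_url).query).get("RelayState", [None])[0]


def idp_dropping(login_url):
    """Misconfigured IdP that posts the response without RelayState."""
    return None


def simulate(idp_behaviour, requested_path, sp=None):
    """Run one SP-initiated login and return where the user lands."""
    sp = sp or ServiceProvider()
    relay_state = idp_behaviour(sp.start_login(requested_path))
    return sp.finish_login(relay_state)


if __name__ == "__main__":
    case_link = "/lightning/r/Case/CASE_ID_PLACEHOLDER/view"
    print("preserving IdP ->", simulate(idp_preserving, case_link))
    print("dropping IdP   ->", simulate(idp_dropping, case_link))
```

The second line of output reproduces the reported symptom: with RelayState dropped, every login lands on Home no matter which record was clicked, which is why checking the IdP's RelayState handling comes first.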