Salesforce-Platform-Identity-and-Access-Management-Architect Exam Questions With Explanations

The best unofficial Salesforce-Platform-Identity-and-Access-Management-Architect exam questions with research based explanations of each question will help you Prepare & Pass the exam for FREE!

Over 15K Students have given a five star review to SalesforceKing

Why choose our Practice Test

By familiarizing yourself with the Salesforce-Platform-Identity-and-Access-Management-Architect exam format and question types, you can reduce test-day anxiety and improve your overall performance.

Up-to-date Content

Ensure you're studying with the latest exam objectives and content.

Unlimited Retakes

We offer unlimited retakes, ensuring you'll prepare each question properly.

Realistic Exam Questions

Experience exam-like questions designed to mirror the actual Salesforce-Platform-Identity-and-Access-Management-Architect test.

Targeted Learning

Detailed explanations help you understand the reasoning behind correct and incorrect answers.

Increased Confidence

The more you practice, the more confident you will become in your knowledge to pass the exam.

Study whenever you want, from any place in the world.

Salesforce Salesforce-Platform-Identity-and-Access-Management-Architect Exam Sample Questions 2025

Start practicing today and take the fast track to becoming Salesforce Salesforce-Platform-Identity-and-Access-Management-Architect certified.

Salesforce Spring 25 Release, 18-Sep-2025
255 Questions

After a recent audit, Universal Containers was advised to implement two-factor authentication for all of their critical systems, including Salesforce. Which two actions should UC consider to meet this requirement? Choose 2 answers

A. Require users to provide their RSA token along with their credentials.

B. Require users to supply their email and phone number, which gets validated.

C. Require users to enter a second password after the first Authentication

D. Require users to use a biometric reader as well as their password

A.   Require users to provide their RSA token along with their credentials.
D.   Require users to use a biometric reader as well as their password

Explanation:

A is correct because requiring users to provide their RSA token along with their credentials is a form of two-factor authentication. An RSA token is a hardware device that generates a one-time password (OTP) that changes every few seconds. The user needs to enter both their password and the OTP to log in to Salesforce.

D is correct because requiring users to use a biometric reader as well as their password is another form of two-factor authentication. A biometric reader is a device that scans a user’s fingerprint, face, iris, or other physical characteristics to verify their identity. The user needs to provide both their password and their biometric data to log in to Salesforce.

B is incorrect because requiring users to supply their email and phone number, which gets validated, is not a form of two-factor authentication. This is a form of identity verification, which is used to confirm that the user owns the email and phone number they provided. However, this does not add an extra layer of protection beyond their password when they log in to Salesforce.

C is incorrect because requiring users to enter a second password after the first authentication is not a form of two-factor authentication. This is a form of single-factor authentication, which only relies on something the user knows (their passwords). This does not increase security against unauthorized account access.

References: Multi-Factor Authentication - Salesforce; Salesforce Multi-Factor Authentication; Two Factor Authentication - Salesforce India; Customer 360 | Increase Productivity - Salesforce UK; Secure Salesforce Login Using Two-Factor Authentication and Salesforce …

Universal Containers (UC) built a customer Community for customers to buy products, review orders, and manage their accounts. UC has provided three different options for customers to log in to the customer Community: Salesforce, Google, and Facebook. Which two role combinations are represented by the systems in the scenario? (Choose 2 answers)

A. Google is the service provider and Facebook is the identity provider

B. Salesforce is the service provider and Google is the identity provider

C. Facebook is the service provider and Salesforce is the identity provider

D. Salesforce is the service provider and Facebook is the identity provider

B.   Salesforce is the service provider and Google is the identity provider
D.   Salesforce is the service provider and Facebook is the identity provider

Explanation:

The two role combinations that are represented by the systems in the scenario are Salesforce as the service provider and Google as the identity provider, and Salesforce as the service provider and Facebook as the identity provider. This means that Salesforce hosts the customer community app and relies on Google or Facebook to authenticate the users who log in with those options. Therefore, options B and D are the correct answers.

Northern Trail Outfitters (NTO) uses a Security Assertion Markup Language (SAML)-based Identity Provider (IdP) to authenticate employees to all systems. The IdP authenticates users against a Lightweight Directory Access Protocol (LDAP) directory and has access to user information. NTO wants to minimize Salesforce license usage since only a small percentage of users need Salesforce.
What is recommended to ensure new employees have immediate access to Salesforce using their current IdP?

A. Install Salesforce Identity Connect to automatically provision new users in Salesforce the first time they attempt to login.

B. Build an integration that queries LDAP periodically and creates new active users in Salesforce.

C. Configure Just-in-Time provisioning using SAML attributes to create new Salesforce users as necessary when a new user attempts to login to Salesforce.

D. Build an integration that queries LDAP and creates new inactive users in Salesforce and use a login flow to activate the user at first login.

C.   Configure Just-in-Time provisioning using SAML attributes to create new Salesforce users as necessary when a new user attempts to login to Salesforce.

Explanation:

Just-in-Time (JIT) provisioning is a feature that allows Salesforce to create or update user records on the fly when users log in through an external identity provider, such as a SAML-based IdP. This eliminates the need for manual or batch user provisioning in Salesforce and minimizes license usage. To use JIT provisioning, the identity architect needs to configure the SAML settings in Salesforce and include the user attributes in the SAML assertion sent by the IdP.

Reference:

Just-in-Time Provisioning for SAML and OpenID Connect, Identity 101: Design Patterns for Access Management

Which two are valid choices for digital certificates when setting up two-way SSL between Salesforce and an external system? Choose 2 answers

A. Use a trusted CA-signed certificate for Salesforce and a trusted CA-signed cert for the external system

B. Use a trusted CA-signed certificate for Salesforce and a self-signed cert for the external system

C. Use a self-signed certificate for Salesforce and a self-signed cert for the external system

D. Use a self-signed certificate for Salesforce and a trusted CA-signed cert for the external system

C.   Use a self-signed certificate for Salesforce and a self-signed cert for the external system
D.   Use a self-signed certificate for Salesforce and a trusted CA-signed cert for the external system

Explanation:

Two-way SSL is a method of mutual authentication between two parties using digital certificates. A digital certificate is an electronic document that contains information about the identity of the certificate owner and a public key that can be used to verify their signature. A digital certificate can be either self-signed or CA-signed. A self-signed certificate is created and signed by its owner, while a CA-signed certificate is created by its owner but signed by a trusted Certificate Authority (CA). For setting up two-way SSL between Salesforce and an external system, two valid choices for digital certificates are:
Use a self-signed certificate for Salesforce and a self-signed certificate for the external system. This option is simple and cost-effective, but requires both parties to trust each other’s self-signed certificates explicitly.
Use a self-signed certificate for Salesforce and a trusted CA-signed certificate for the external system. This option is more secure and reliable, but requires Salesforce to trust the CA that signed the external system’s certificate implicitly.

A global company's Salesforce Identity Architect is reviewing its Salesforce production org login history and is seeing some intermittent Security Assertion Markup Language (SAML SSO) 'Replay Detected and Assertion Invalid' login errors. Which two issues would cause these errors?
(Choose 2 answers)

A. The subject element is missing from the assertion sent to Salesforce.

B. The certificate loaded into SSO configuration does not match the certificate used by the IdP.

C. The current time setting of the company's identity provider (IdP) and Salesforce platform is out of sync by more than eight minutes.

D. The assertion sent to Salesforce contains an assertion ID previously used.

C.   The current time setting of the company's identity provider (IdP) and Salesforce platform is out of sync by more than eight minutes.
D.   The assertion sent to Salesforce contains an assertion ID previously used.

Explanation:

A SAML SSO ‘Replay Detected and Assertion Invalid’ error occurs when Salesforce detects that the same assertion has been used more than once within the validity period. This can happen if the assertion ID is reused by the IdP or if the assertion is resent by the user. Another possible cause is that the time settings of the IdP and Salesforce are not synchronized, which can result in an assertion being valid for a shorter or longer period than expected.

References:

SAML Single Sign-On Settings, Troubleshoot SAML Single Sign-On
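
The two causes named in the explanation above, modelled as a generic service-provider check. This is an added example, not Salesforce's implementation and not code from the original page. `AssertionGate` and its method are hypothetical names, the eight-minute tolerance is taken from option C of the question, and the timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Assumption: tolerance taken from the "eight minutes" figure in the question above.
MAX_SKEW = timedelta(minutes=8)


class AssertionGate:
    """Hypothetical SP-side gate: accepts each assertion ID at most once."""

    def __init__(self, max_skew=MAX_SKEW):
        self.max_skew = max_skew
        self.seen = {}  # assertion ID -> NotOnOrAfter, kept until it expires

    def check(self, assertion_id, not_before, not_on_or_after, now):
        # Forget IDs whose validity window (plus skew) has passed, so the cache stays bounded.
        self.seen = {i: exp for i, exp in self.seen.items()
                     if now < exp + self.max_skew}
        if now + self.max_skew < not_before:
            return "invalid: not yet valid (SP clock behind IdP?)"
        if now - self.max_skew >= not_on_or_after:
            return "invalid: expired (SP clock ahead of IdP?)"
        if assertion_id in self.seen:
            return "replay detected"
        self.seen[assertion_id] = not_on_or_after
        return "accepted"


def demo():
    """Constructed sample: one IdP issue time, four SP-side scenarios."""
    issued = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    window = (issued, issued + timedelta(minutes=5))
    gate = AssertionGate()
    results = []
    # 1. Clocks in sync, first use of the ID.
    results.append(gate.check("_a1", *window, now=issued + timedelta(seconds=2)))
    # 2. Same ID presented again (browser resubmit or IdP reusing IDs).
    results.append(gate.check("_a1", *window, now=issued + timedelta(seconds=30)))
    # 3. Fresh ID, but the SP clock runs 9 minutes behind the IdP.
    results.append(gate.check("_a2", *window, now=issued - timedelta(minutes=9)))
    # 4. Fresh ID, SP clock 7 minutes behind: inside the tolerance.
    results.append(gate.check("_a3", *window, now=issued - timedelta(minutes=7)))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

When such errors are intermittent, comparing the assertion's `NotBefore`/`NotOnOrAfter` values and ID against the login history timestamp distinguishes clock drift from a resubmitted assertion.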

Prep Smart, Pass Easy. Your Success Starts Here!

Transform Your Test Prep with Realistic Salesforce-Platform-Identity-and-Access-Management-Architect Exam Questions That Build Confidence and Drive Success!