Salesforce Certified Platform Identity and Access Management Architect (Plat-Arch-203) Free Practice Test

Question 1

Universal Containers wants to allow its customers to log in to its Experience Cloud via a third party authentication provider that supports only the OAuth protocol.
What should an identity architect do to fulfill this requirement?

A. Use certificate-based authentication.

B. Configure OpenID Connect authentication provider.

C. Create a custom external authentication provider.

D. Contact Salesforce Support and enable delegate single sign-on.

Correct Answer: C

Question 2

Northern Trail Outfitters want to allow its consumer to self-register on it business-to-consumer (B2C) portal that is built on Experience Cloud. The identity architect has recommended to use Person Accounts.
Which three steps need to be configured to enable self-registration using person accounts?
Choose 3 answers

A. Set organization-wide default sharing for Contact to Public Read Only.

B. Contact Salesforce Support to enable business accounts.

C. Contact Salesforce Support to enable person accounts.

D. Enable access to person and business account record types under Public Access Settings.

E. Under Login and Registration settings, ensure that the default account field is empty.

Correct Answer: C,D,E

Question 3

Universal Containers (UC) wants its closed Won opportunities to be synced to a Data warehouse in near real time. UC has implemented Outbound Message to enable near real-time data sync. UC wants to ensure that communication between Salesforce and Target System is secure. What certificate is sent along with the Outbound Message?

A. The Self-signed Certificates from the Certificate & Key Management menu.

B. The default client Certificate or the Certificate and Key Management menu.

C. The default client Certificate from the Develop--> API menu.

D. The CA-signed Certificate from the Certificate and Key Management Menu.

Correct Answer: C

Question 4

An administrator created a connected app for a custom wet) application in Salesforce which needs to be visible as a tile in App Launcher The tile for the custom web application is missing in the app launcher for all users in Salesforce. The administrator requested assistance from an identity architect to resolve the issue.
Which two reasons are the source of the issue?
Choose 2 answers

A. Session Policy is set as 'High Assurance Session required' for this connected app.

B. The connected app is not set in the App menu as 'Visible in App Launcher".

C. StartURL for the connected app is not set in Connected App settings.

D. OAuth scope does not include "openid*.

Correct Answer: A,C

Question 5

The security team at Universal containers(UC) has identified exporting reports as a high-risk action and would like to require users to be logged into salesforce with their active directory (AD) credentials when doing so. For all other uses of Salesforce, Users should be allowed to use AD credentials or salesforce credentials. What solution should be recommended to prevent exporting reports except when logged in using AD credentials while maintaining the ability to view reports when logged in with salesforce credentials?

A. Use SAML Federated Authentication and block access to reports when accesses through a standard assurance session.

B. Use SAML Federated Authentication and Custom SAML jit provisioning to dynamically add or remove a permission set that grants the Export Reports permission.

C. Use SAML Federated Authentication, treat SAML sessions as high assurance, and raise the session level required for exporting reports.

D. Use SAML Federated Authentication with a login flow to dynamically add or remove a permission set that grants the export reports permission.

Correct Answer: A

Question 6

An Identity and Access Management (IAM) architect is tasked with unifying multiple B2C Commerce sites and an Experience Cloud community with a single identity. The solution needs to support more than 1,000 logins per minute.
What should the IAM do to fulfill this requirement?

A. Configure both the community and the commerce sites as OAuth2 RPs (relying party) with an external identity provider.

B. Configure community as a Security Assertion Markup Language (SAML) identity provider and enable Just-in-Time Provisioning to B2C Commerce.

C. Create a default account for capturing all ecommerce contacts registered on the community because personAccount is not supported for this case.

D. Confirm performance considerations with Salesforce Customer Support due to high peaks.

Correct Answer: D

Question 7

Universal containers (UC) has a classified information system that it's call centre team uses only when they are working on a case with a record type of "classified". They are only allowed to access the system when they own an open "classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO with salesforce as the IDP, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying access to the classified information system based on the open "classified" case record criteria?

A. Use salesforce reports to identify users that currently owns open "classified" cases and should be granted access to the classified information system.

B. Use apex trigger on case to dynamically assign permission sets that grant access when a user is assigned with an open "classified" case, and remove it when the case is closed.

C. Use custom SAML jit provisioning to dynamically query the user's open "classified" cases when attempting to access the classified information system

D. Use a custom connected App handler using apex to dynamically allow access to the system based on whether the staff owns any open "classified" cases.

Correct Answer: D

Question 8

Universal containers (UC) has implemented ansp-Initiated SAML flow between an external IDP and salesforce. A user at UC is attempting to login to salesforce1 for the first time and is being prompted for salesforce credentials instead of being shown the IDP login page. What is the likely cause of the issue?

A. The "Redirect to Identity Provider" option has been selected in the my domain configuration.

B. The "Redirect to identity provider" option has not been selected the SAML configuration.

C. The user has not configured the salesforce1 mobile app to use my domain for login

D. The user has not been granted the "Enable single Sign-on" permission

Correct Answer: C

Welcome to TestSimulate

Salesforce Certified Platform Identity and Access Management Architect (Plat-Arch-203) Free Practice Test