
Salesforce Identity-and-Access-Management-designer - Salesforce Identity and Access Management Designer Certification Exam

Question #1 (Topic: demo questions)

What information does the RelayState parameter contain in SP-initiated Single Sign-On?

A. Reference to a URL redirect parameter at the identity provider.
B. Reference to a URL redirect parameter at the service provider.
C. Reference to the login address URL of the service provider.
D. Reference to the login address URL of the identity provider.
Correct Answer: B
Explanation:
In SP-initiated Single Sign-On (SSO), the RelayState parameter is used by the Identity Provider (IdP) to redirect the user back to a specific page at the Service Provider (SP) after successful authentication. It essentially stores the target URL or state information from the Service Provider side, so that once login is complete, the user is returned to the correct destination within the SP application. It does not represent the login URL of either provider, nor does it originate from the IdP redirect logic. Therefore, the correct understanding is that RelayState is tied to the Service Provider’s redirect destination URL or state information.
Question #2 (Topic: demo questions)

Universal Containers (UC) has a custom, internal-only, mobile billing application for users who are commonly out of the office. The app is configured as a Connected App in Salesforce. Due to the nature of this app, UC would like to take the appropriate measures to properly secure access to the app. Which two recommendations should be made to UC? Choose 2 answers

A. Disallow the use of Single Sign-On for any users of the mobile app.
B. Require High Assurance sessions in order to use the Connected App.
C. Set Login IP Ranges to the internal network for all of the app users' Profiles.
D. Use Google Authenticator as an additional part of the login process.
Correct Answer: B, D
Question #3 (Topic: demo questions)

Universal Containers (UC) has an e-commerce website where customers can buy products, make payments and manage their accounts. UC decides to build a Customer Community on Salesforce and wants to allow the customers to access the community from their accounts without logging in again. UC decides to implement SP-initiated SSO using a SAML-compliant IdP. In this scenario, where Salesforce is the Service Provider, which two activities must be performed in Salesforce to make SP-initiated SSO work? Choose 2 answers

A. Configure SAML SSO settings.
B. Create a Connected App.
C. Configure Delegated Authentication.
D. Set up My Domain.
Correct Answer: A, D
Explanation:
For SP-initiated SAML Single Sign-On in Salesforce (where Salesforce is the Service Provider), the system must be configured to trust and communicate with the external Identity Provider (IdP). Option A (Configure SAML SSO settings) is required because Salesforce must define the SAML configuration, including issuer, certificate, and IdP login URL, to enable SSO authentication. Option D (Set up My Domain) is also required because Salesforce SSO (especially SAML-based and SP-initiated flows) depends on My Domain to provide a custom login URL that supports redirection and authentication routing. Option B (Create a Connected App) is incorrect because Connected Apps are typically used when Salesforce acts as the Identity Provider, not the Service Provider in this context. Option C (Delegated Authentication) is not used for SAML-based SSO since it is an older authentication method that relies on external validation via API rather than SAML assertions.
Question #4 (Topic: demo questions)

How should an Architect automatically redirect users to the login page of the external Identity Provider when using an SP-initiated SAML flow with Salesforce as a Service Provider?

A. Use Visualforce as the landing page for My Domain to redirect users to the Identity Provider login page.
B. Enable the Redirect to the Identity Provider setting under Authentication Services on the My Domain configuration.
C. Remove the Login page from the list of Authentication Services on the My Domain configuration.
D. Set the Identity Provider as default and enable the Redirect to the Identity Provider setting on the SAML configuration.
Correct Answer: C
Explanation:

In an SP-initiated SAML SSO flow in Salesforce, when a user tries to access Salesforce (Service Provider), the system must automatically redirect the user to the external Identity Provider for authentication. This behavior is enabled through the My Domain authentication configuration, specifically by turning on the “Redirect to the Identity Provider” setting under Authentication Services. This ensures that instead of showing the Salesforce login page, users are seamlessly redirected to the IdP login page. Option A is incorrect because Visualforce pages are not required for SSO routing. Option C is incorrect because removing the login page does not control IdP redirection behavior. Option D is incorrect because marking an IdP as default is not what triggers automatic redirection in SP-initiated flows.
Question #5 (Topic: demo questions)

Universal Containers (UC) has a classified information system that its call center team uses only when they are working on a case with a record type "Classified". They are only allowed to access the system when they own an open "Classified" case, and their access to the system is removed at all other times. They would like to implement SAML SSO with Salesforce as the IdP, and automatically allow or deny the staff's access to the classified information system based on whether they currently own an open "Classified" case record when they try to access the system using SSO. What is the recommended solution for automatically allowing or denying access to the classified information system based on the open "Classified" case record criteria?

A. Use Salesforce reports to identify users that currently own open "Classified" cases and should be granted access to the classified information system.
B. Use an Apex trigger on Case to dynamically assign permission sets that grant access when a user is assigned an open "Classified" case, and remove them when the case is closed.
C. Use custom SAML JIT provisioning to dynamically query the user's open "Classified" cases when attempting to access the classified information system.
D. Use a custom Connected App Handler using Apex to dynamically allow access to the system based on whether the staff member owns any open "Classified" cases.
Correct Answer: D
Explanation:

C is correct because Custom SAML Just-In-Time (JIT) provisioning allows Salesforce (as the Identity Provider) to make real-time decisions during the SSO login process by evaluating user attributes and business logic at authentication time. In this scenario, it can dynamically check whether the user currently owns an open “Classified” case and then include that logic in the SAML assertion to either grant or deny access to the external system immediately during login, which makes it the only option capable of enforcing access based on live record data at the moment of authentication.