Identity-and-Access-Management-Architect Salesforce Certified Platform Identity and Access Management Architect (Plat-Arch-203) Question and Answers

When Salesforce is acting as an identity provider and the goal is to make a third-party application available from within Salesforce, two standard tools work together: a connected app to define trust and single sign-on behavior, and the App Launcher to give users a discoverable entry point. The connected app handles the identity relationship and protocol settings, while the launcher exposes the application from the Salesforce UI. Delegated Authentication and external data sources solve different problems and don’t provide the same app-launch experience. In Salesforce Identity architecture, this combination is common because it aligns governance and usability: the app is centrally configured through a connected app and then delivered to users as part of their Salesforce app catalog. This is why options A, C work together as the correct solution.

The OAuth 2.0 web server flow follows the authorization-code pattern documented by Salesforce. First, the client requests an authorization code. The user then authenticates and authorizes access. Salesforce returns the authorization code to the client, after which the client exchanges that code at the token endpoint. Salesforce finally issues the access token. The reason this sequence matters is security: the code is a short-lived intermediary credential that is exchanged server to server, rather than exposing the access token directly in the browser. That is why the web server flow is recommended for confidential applications that can protect a client secret. Any sequence that skips the code exchange or grants the token before authorization is not the correct Salesforce authorization-code flow. This is why option A is the best answer in Salesforce terms.

The Identity Only license is designed for users who need Salesforce Identity services without broad CRM object access. Salesforce documentation positions it for scenarios where employees or other internal users need to authenticate with Salesforce credentials and access connected applications, but they do not require the full set of standard Salesforce business objects. That makes it a good fit for benefits portals, employee hubs, or third-party workforce apps that rely on Salesforce for identity rather than for CRM usage. External Identity is aimed at external audiences such as customers or partners, while Identity Connect is synchronization software rather than an end-user license. The licensing decision follows the user population and the scope of application access more than the authentication protocol itself. This is why option A is the best answer in Salesforce terms.

Identity Connect is positioned primarily as a user provisioning and deprovisioning bridge between Microsoft Active Directory and Salesforce. In designs where AD is the authoritative source for user status, deactivating a user upstream should be reflected quickly in Salesforce access. That is why architects pay attention to what happens to existing sessions when a user is disabled in the source directory. The feature is not a managed package, and it is not an identity provider that automatically brokers SSO by itself. It also does not “solve” license overages by disabling users in a FIFO pattern. The relevant capability is operational user-state synchronization: when identity status changes in directory services, Salesforce access should be withdrawn in a controlled, security-focused way. This is why option D is the best answer in Salesforce terms.

Salesforce Embedded Login exists specifically to place a Salesforce-backed login experience inside another application or service provider, which makes it the right feature to consider for a seamless sign-in widget. However, the architectural caveat is browser behavior. Embedded login can rely on third-party cookies, and modern browser privacy controls can affect how that experience behaves. That dependency is often the deciding consideration before recommending it. REST APIs and generic OAuth flows are part of the broader identity toolbox, but they don’t answer the executive sponsor’s question about embedding a login widget directly into another application. The recommendation should therefore focus on Embedded Login and on whether the target browser landscape will tolerate the cookie model it depends on. This is why option D is the best answer in Salesforce terms.

If the organization wants users to sign in only through SSO and not by entering credentials at login.salesforce.com, two standard controls are used together. My Domain can be configured to prevent login from the generic Salesforce login page, forcing users onto the org-specific authentication entry point. In addition, the user can be marked as “Is Single Sign-On Enabled,” which prevents password-based Salesforce login for that user. Those two controls reinforce each other: one redirects the entry point, and the other removes the fallback credential path. Delegated authentication is not required just to enforce SSO, and simply enabling SSO never means Salesforce credentials stop working automatically. The architecture goal is to remove non-SSO login paths deliberately. This is why options A, D work together as the correct solution.

Salesforce Experience Cloud includes out-of-the-box branding options for login and registration experiences, and those can be extended through Experience Builder for related pages such as forgot-password and reset-password journeys. The standard site administration and branding controls can cover logos, colors, and certain visual treatments of the login page. Where the business wants branded password-management pages as well, Experience Builder is the supported way to build those experiences consistently. That is better than creating fully custom pages for everything unless the requirement truly goes beyond what the platform supports. The architecture point is to use the built-in branding framework first and extend through Experience Builder where branded identity pages are needed. This is why options A, D work together as the correct solution.

The AMR field in Salesforce Login History is meaningful only when the upstream identity provider includes authentication-method information in a way Salesforce can understand. Salesforce can surface AMR information from modern federation patterns, but the actual authentication methods must be asserted by the IdP. That is why architects need to think about protocol support and IdP implementation. The field is useful because it shows how the user authenticated upstream, for example whether MFA or another method was used. High-assurance session settings are related to policy enforcement, but they do not by themselves populate AMR. The key design point is that AMR is an observation of the IdP’s authentication methods, not an independent Salesforce-generated fact. This is why options A, C work together as the correct solution.

Dynamic branding in Experience Cloud relies on the Experience ID, sometimes carried as the expid parameter or equivalent placeholder in the URL, so Salesforce can render the right login experience for the selected brand. This is the scalable way to vary the look and feel without duplicating entire identity stacks. The community template choice can matter because not every template exposes branding capabilities the same way, but the central concept is still the Experience ID. External CMS tools are not required just to route the login experience by brand. From an architecture standpoint, this keeps the login framework centralized while letting the entry experience adapt to whichever brand, campaign, or sub-experience the user selected before authentication. This is why option D is the best answer in Salesforce terms.

Salesforce treats SAML assertions as short-lived, unique security artifacts. Two classic reasons for “Replay Detected” or “Assertion Invalid” errors are a reused assertion ID and an assertion structure problem such as a missing subject. A replay error occurs when Salesforce sees an assertion identifier that was already used. An invalid-assertion error can also occur when required elements are missing or malformed. Time skew and certificate mismatches can cause SSO failures too, but the question specifically points to replay and assertion validity symptoms that align most directly with assertion uniqueness and required content. This reflects a core SAML security principle: assertions must be complete, signed correctly, timely, and never reused. This is why options B, D work together as the correct solution.

When an architect needs to enforce IP restrictions, session timeouts, or related access controls for a connected app, the place to do that is the connected app’s OAuth policies. Those policies let Salesforce administrators shape how the app can be used, from permitted-user policy to IP relaxation behavior and session-related restrictions. Login IP ranges on profiles are broader user controls, while custom permissions don’t govern the connected app’s OAuth runtime behavior. The important architecture distinction is that connected-app security should be controlled where the app trust is defined. Salesforce puts those controls in the connected app’s policy layer, which is why OAuth policies are the right answer for app-specific session and network enforcement. This is why option D is the best answer in Salesforce terms.

To populate custom fields on the User record during SSO, Salesforce expects the architect to use the SAML Just-in-Time handler pattern. That means implementing the appropriate JIT interface and supplying create and update methods that map incoming assertion data into Salesforce user attributes. Session management classes and generic registration-handler interfaces solve different problems. The JIT handler exists specifically so that user creation and user updates can occur at login time based on federation data. This is useful when the identity provider is the source of truth for workforce attributes and those values must be refreshed without manual administration. In short, the interface gives Salesforce the entry point, and the create/update methods carry out the field population logic. This is why options A, C work together as the correct solution.

The OAuth 2.0 Asset Token Flow is Salesforce’s purpose-built answer for connected devices and IoT-style integrations. It is designed for assets that need to act on behalf of a physical device or asset record rather than a human user. That makes it the correct fit for sensors, GPS trackers, or smart devices that must securely post telemetry or create service actions in Salesforce. User-agent, web-server, or username-password flows are built around user identity or generic application access, not around a registered device/asset relationship. The architectural advantage of the asset token model is that it ties the authorization context back to the asset, which is exactly what you want when the platform must know which device generated the event or maintenance alert. This is why option C is the best answer in Salesforce terms.

When a service provider needs to continue making calls back to Salesforce on behalf of the user after login, OpenID Connect is usually the more natural choice because it sits in the OAuth family and aligns well with token-based delegated access. SAML is excellent for browser-based federation, but it is not as naturally suited to modern API token usage after the interactive sign-in event. The question is not simply “which protocol is more secure.” It is about post-login application behavior. If the downstream application needs identity plus a token-friendly pattern for additional calls, that use case pushes the architect toward OIDC. In other words, the deciding factor is what the service provider must do after the initial authentication succeeds. This is why option B is the best answer in Salesforce terms.

When users must be allowed to launch an external service provider from Salesforce only if the organization has explicitly authorized them, the connected app should use the Admin Pre-Approved access policy. That setting moves app access out of end-user consent and into administrator control. Profiles or permission sets then determine exactly which users can use the app. This is the standard Salesforce pattern for governed OAuth access in enterprise environments. Assigning authentication providers to profiles or simply exposing the app to a community does not replace the approval and entitlement model of the connected app itself. The architectural point is that app access and user authorization should be centrally controlled, auditable, and limited to approved users. This is why options C, D work together as the correct solution.

For real-time visibility into login events and other security-relevant user activity, Salesforce Event Monitoring is the purpose-built monitoring feature. Event Monitoring and Event Log Files give security and identity teams access to detailed telemetry about login behavior, session activity, API usage, and other actions that matter for threat detection and investigation. Profiles and encryption settings do not provide operational monitoring, and Data Loader is unrelated. The architectural distinction is between preventive controls and detective controls. Event Monitoring is a detective control: it helps the organization observe behavior, identify anomalies, and react quickly. When the requirement mentions unusual login patterns, security incidents, or real-time monitoring, Salesforce documentation points architects toward Event Monitoring rather than ordinary administrative setup screens. This is why option A is the best answer in Salesforce terms.

Identity Verification Credits are consumed when Salesforce sends verification challenges through the configured channel, and SMS-based passwordless login specifically depends on SMS verification activity. Therefore the right estimation approach is to forecast how many SMS verification events the portal will generate, not how many community licenses exist. Some Salesforce identity offerings include baseline entitlements, but capacity planning still centers on expected verification traffic. If the portal intends to let customers log in with one-time passcodes sent by text, then every challenge can consume credits. The architecture question is really an operational one: estimate the expected volume of SMS-based login verification and size the verification-credit requirement to match that demand. This is why option C is the best answer in Salesforce terms.

When creating an authentication provider in Salesforce, architects can configure operational settings that shape the user experience and downstream provisioning behavior. A custom error URL is supported so failed sign-ins can be routed to a branded or informative destination. A custom registration handler is also supported, giving the org control over how incoming identities are mapped to Salesforce users and related records. By contrast, options like a “default login user” or a generic default certificate setting do not describe the primary provider-creation controls in the same way. The important architecture concept is that an authentication provider defines both the trust with the external source and the user-lifecycle handling logic inside Salesforce. This is why options B, D work together as the correct solution.

Once SAML SSO is already configured, enabling Just-in-Time provisioning in Salesforce is done on the SAML Single Sign-On setting itself. The architect turns on JIT user provisioning, selects the provisioning type, and supplies the SAML JIT handler if custom logic is needed. That is the expected configuration path because JIT is part of the federation handshake, not a sharing model or permission-set feature. Creating a random Apex class without wiring it into the SAML setting would not enable JIT on its own. The architectural distinction is that JIT rides inside the SAML login process. Therefore it must be enabled and configured where Salesforce processes the incoming assertion. This is why option A is the best answer in Salesforce terms.

Salesforce supports dynamic branding for Experience Cloud login journeys through the Experience ID parameter. The Experience ID tells Salesforce which branded experience to render, allowing a single identity implementation to serve multiple brands or sub-brands without building separate authentication stacks. This is more scalable than asking users to pick a brand after arrival or inventing custom parameters and branding logic outside the standard experience framework. It also works cleanly with OAuth and SAML-based sign-in patterns, which is why it is commonly recommended in multi-brand CIAM designs. When the requirement is to reliably present the correct branded Salesforce experience during login, the Experience ID is the built-in mechanism intended for that routing and presentation layer. This is why option B is the best answer in Salesforce terms.

For a server-to-server integration that should avoid end-user interaction and maximize security, the JWT Bearer Flow is the strongest fit. Salesforce documents it for noninteractive scenarios where a trusted external service can sign an assertion with a certificate and exchange it for an access token. That means no browser- based approval screen, no password collection, and no dependence on a human being present to authorize the session. Web Server and User-Agent flows are designed for interactive delegated access, while username-password is a special-case pattern with weaker security characteristics. The architectural takeaway is simple: when the client is a trusted server and the goal is high assurance with minimal user involvement, certificate-based JWT exchange is the preferred Salesforce approach. This is why option A is the best answer in Salesforce terms.

Salesforce documents token introspection as the standards-based way to ask the authorization server about the current state of an OAuth token after it has been issued. That is exactly what this scenario requires: checking whether an OpenID Connect access token is still active, expired, or revoked. The discovery document only advertises endpoints and capabilities; it does not return runtime token status for a specific token. Likewise, enabling CORS on the token endpoint affects browser access patterns, not token validation, and creating a custom scope changes authorization boundaries rather than token-state lookup. In other words, when the requirement is “retrieve token status,” token introspection is the platform feature designed for that purpose. This is why option A is the best answer in Salesforce terms.

If an organization has multiple regional ADFS systems and wants one Salesforce org without buying an additional federation broker, Salesforce can be configured with multiple SAML SSO settings so users choose the appropriate identity provider at sign-in. That satisfies the “no additional application investment” constraint more directly than introducing a new central identity broker. Identity Connect is not the solution here because it focuses on AD user synchronization, not on federating multiple ADFS realms into Salesforce login. The architectural compromise is user choice at the login screen, but it keeps the design standards-based and avoids extra infrastructure. For a single-org deployment with multiple existing enterprise IdPs, exposing multiple SSO configurations is the practical native approach. This is why option B is the best answer in Salesforce terms.

Just-in-Time provisioning is designed for exactly this onboarding pattern: a user authenticates through an external identity provider, and Salesforce creates the user automatically on first successful login. That avoids preloading every external user into Salesforce before they ever visit the site. Middleware and custom web services can do similar work, but JIT is the native, lower-complexity mechanism built into Salesforce federation. Login flows by themselves do not create the user record during the authentication handshake. The architectural value of JIT is that it keeps the source of identity external while letting Salesforce create and update the user only when the person actually needs access. It is efficient, standard, and commonly used with Experience Cloud. This is why option C is the best answer in Salesforce terms.

In OAuth-based Salesforce integrations, intermittent logout behavior is often tied to token lifecycle rather than to general platform permissions. Salesforce documentation distinguishes clearly between authentication, authorization, and token validity. Even if the initial login succeeds, the user can appear to be “randomly logged out” when an access token expires, is revoked, or can no longer be refreshed according to policy. That is why token status and refresh behavior should be checked early in troubleshooting. Browser version, network delay, or missing Salesforce permissions can cause other access problems, but they do not typically explain an established SSO session ending intermittently in an OAuth flow. The first architectural checkpoint is whether the token issued by the identity provider remains valid for the expected duration. This is why option A is the best answer in Salesforce terms.

For Experience Cloud self-registration with Person Accounts, Salesforce requires the org and site configuration to line up with how external users are created. Person Accounts must first be enabled at the org level. On the site, the default account field must be left blank so the self-registration process doesn’t force users into a shared business account model. Public access settings also need access to the relevant Person Account and business account record types so the registration process can create the right record. This is the documented pattern when self-registration is meant to create people as customers rather than contacts under a standard account. The key idea is that registration must be allowed to create the correct account model from the start. This is why options B, C, D work together as the correct solution.

When a single identity design must support very high external login volumes, performance becomes part of the architecture, not just feature selection. Salesforce Experience Cloud and identity features can support large-scale CIAM scenarios, but official guidance encourages validating expected login peaks and performance assumptions with Salesforce for unusually high throughput requirements. That is especially important when the solution spans communities and commerce experiences and expects more than a thousand logins per minute. The question is not just whether the platform supports federation, Person Accounts, or an external identity provider; it is whether the design has been reviewed for operational scale. Confirming performance considerations with Salesforce is therefore the prudent architectural step before finalizing the rollout model. This is why option B is the best answer in Salesforce terms.

Salesforce’s JWT bearer flow is intended for server-to-server or noninteractive scenarios where a signed assertion is exchanged for an access token. Because the assertion is signed, the connected app must be configured to use a digital signature. The integration also needs the api scope so that the resulting token can call Salesforce APIs. Other scopes, such as generic web access, do not address the core requirement of API access through a JWT assertion. The design principle behind this flow is that no user is present to approve access interactively, so trust is established through certificate-based signing and the connected app’s policy configuration. That is why the digital signature setting is essential, not optional, in a JWT-based Salesforce integration. This is why options A, C work together as the correct solution.

When multiple identity providers must coexist in one Salesforce org, the standard pattern is to surface them through My Domain authentication settings so users can authenticate against the correct IdP. That is particularly important when generated email links bring users back into Salesforce and the org has to present the proper login options consistently. Rather than modifying every email with custom query logic or relying on IdP-initiated links, Salesforce can expose multiple login services at the domain level. This keeps the experience aligned with the org’s authentication service configuration. In multi-IdP organizations, the identity architecture should steer users through the My Domain login service so the correct SSO path is available when they arrive from system-generated links. This is why option C is the best answer in Salesforce terms.