Identity-and-Access-Management-Architect Salesforce Certified Platform Identity and Access Management Architect (Plat-Arch-203) Questions and Answers

For social sign-on into Experience Cloud, Salesforce relies on authentication providers to establish trust with each social identity source and on a registration handler to create or update the Salesforce user and related records. That pattern applies whether the provider is Facebook, LinkedIn, Twitter, or a standards-based OpenID Connect provider. Process Builder or Flow does not replace the registration handler in this identity handshake. The registration handler is where Salesforce decides how to map the incoming identity to an existing user, when to create a new one, and how to update profile information over time. From an architecture standpoint, authentication providers solve the external trust, and the registration handler solves the user lifecycle inside Salesforce. This is why options B, C work together as the correct solution.

If the organization wants users to sign in only through SSO and not by entering credentials at login.salesforce.com, two standard controls are used together. My Domain can be configured to prevent login from the generic Salesforce login page, forcing users onto the org-specific authentication entry point. In addition, the user can be marked as “Is Single Sign-On Enabled,” which prevents password-based Salesforce login for that user. Those two controls reinforce each other: one redirects the entry point, and the other removes the fallback credential path. Delegated authentication is not required just to enforce SSO, and simply enabling SSO never means Salesforce credentials stop working automatically. The architecture goal is to remove non-SSO login paths deliberately. This is why options A, D work together as the correct solution.

For a mobile app using the user-agent flow, two connected-app controls work together when the business wants a long-lived session without repeated approval prompts. First, the app should be set to Admin Approved Users Are Pre-Authorized so users are not asked to approve API access inside the mobile experience. Second, the refresh-token policy should be configured for the required lifetime, such as three months, so the app can keep renewing access without forcing the user to log in again. A session timeout controls the UI session but not the refresh-token lifecycle in the same way. The architectural point is that user consent suppression and durable reauthentication behavior are governed by separate connected-app policies. This is why options C, D work together as the correct solution.

Trust between Salesforce and an identity provider is established by exchanging the metadata and certificates that define each side of the federation relationship. In Salesforce SAML setups, this commonly means importing or exchanging metadata XML so each side knows the issuer, endpoints, and signing certificate of the other. A VPN tunnel or custom login page does not create protocol-level trust for SSO. Embedding authentication code into Salesforce is not how federation is configured. The key concept from Salesforce documentation is that SAML trust is declarative and certificate-based: the two parties agree on metadata, endpoints, and certificates, and then assertions are validated against that trust configuration. That exchange is the foundation of a working Salesforce-IdP federation. This is why option C is the best answer in Salesforce terms.

When Salesforce already provides built-in authentication provider support for the social networks required by the business, the simplest architecture is to use those predefined authentication providers. That avoids building custom provider logic for well-known services such as Facebook and, in many exam scenarios, Twitter. The point of the predefined provider is to reduce custom work, accelerate setup, and stay within the Salesforce-supported social sign-in pattern. A custom provider would only be necessary when the external source is not supported through the standard templates or protocols available. The architecture principle is to use standard provider support first and reserve custom provider work for gaps. That keeps the implementation easier to manage and easier to troubleshoot. This is why option C is the best answer in Salesforce terms.

For Experience Cloud self-registration with Person Accounts, Salesforce requires the org and site configuration to line up with how external users are created. Person Accounts must first be enabled at the org level. On the site, the default account field must be left blank so the self-registration process doesn’t force users into a shared business account model. Public access settings also need access to the relevant Person Account and business account record types so the registration process can create the right record. This is the documented pattern when self-registration is meant to create people as customers rather than contacts under a standard account. The key idea is that registration must be allowed to create the correct account model from the start. This is why options B, C, D work together as the correct solution.

The Identity Only license is designed for users who need Salesforce Identity services without broad CRM object access. Salesforce documentation positions it for scenarios where employees or other internal users need to authenticate with Salesforce credentials and access connected applications, but they do not require the full set of standard Salesforce business objects. That makes it a good fit for benefits portals, employee hubs, or third-party workforce apps that rely on Salesforce for identity rather than for CRM usage. External Identity is aimed at external audiences such as customers or partners, while Identity Connect is synchronization software rather than an end-user license. The licensing decision follows the user population and the scope of application access more than the authentication protocol itself. This is why option A is the best answer in Salesforce terms.

Salesforce’s secure MFA guidance is based on two independent factors, not simply any second code that can be sent to the user. Strong MFA methods include possession-based authenticators and standards-compliant mechanisms such as security keys, approved authenticator apps, and trusted third-party SSO solutions that themselves enforce strong MFA. Lightning Login is also treated as a passwordless, device-based secure approach in the Salesforce ecosystem. By contrast, SMS and email verification do not meet Salesforce’s general MFA requirement for secure user-interface logins in the same way. The architecture point is that Salesforce distinguishes between convenience verifications and strong authentication factors. For compliance-driven MFA, architects should choose the methods Salesforce classifies as high-assurance. This is why options A, B, D work together as the correct solution.

The Identity Only license is designed for users who need Salesforce Identity services without broad CRM object access. Salesforce documentation positions it for scenarios where employees or other internal users need to authenticate with Salesforce credentials and access connected applications, but they do not require the full set of standard Salesforce business objects. That makes it a good fit for benefits portals, employee hubs, or third-party workforce apps that rely on Salesforce for identity rather than for CRM usage. External Identity is aimed at external audiences such as customers or partners, while Identity Connect is synchronization software rather than an end-user license. The licensing decision follows the user population and the scope of application access more than the authentication protocol itself. This is why option C is the best answer in Salesforce terms.

The OAuth 2.0 web server flow follows the authorization-code pattern documented by Salesforce. First, the client requests an authorization code. The user then authenticates and authorizes access. Salesforce returns the authorization code to the client, after which the client exchanges that code at the token endpoint. Salesforce finally issues the access token. The reason this sequence matters is security: the code is a short-lived intermediary credential that is exchanged server to server, rather than exposing the access token directly in the browser. That is why the web server flow is recommended for confidential applications that can protect a client secret. Any sequence that skips the code exchange or grants the token before authorization is not the correct Salesforce authorization-code flow. This is why option A is the best answer in Salesforce terms.

When a third-party service wants Salesforce to provision users through a service endpoint before they access the app, the relevant feature is user provisioning on the connected app. Salesforce supports outbound provisioning patterns for connected apps so that a user can be created in the downstream application according to the app’s provisioning configuration. This is better than redirecting users into a separate registration experience because the requirement is to provision them as part of the Salesforce-controlled access path. Canvas and generic SAML alone do not provide the provisioning endpoint behavior described. The architectural value of connected-app provisioning is that it links app access and lifecycle management, allowing administrators to govern who gets created in the external service and when. This is why option C is the best answer in Salesforce terms.

Salesforce documents token introspection as the standards-based way to ask the authorization server about the current state of an OAuth token after it has been issued. That is exactly what this scenario requires: checking whether an OpenID Connect access token is still active, expired, or revoked. The discovery document only advertises endpoints and capabilities; it does not return runtime token status for a specific token. Likewise, enabling CORS on the token endpoint affects browser access patterns, not token validation, and creating a custom scope changes authorization boundaries rather than token-state lookup. In other words, when the requirement is “retrieve token status,” token introspection is the platform feature designed for that purpose. This is why option A is the best answer in Salesforce terms.

When an organization operates many brands, duplicating communities or orgs just to achieve branded login becomes expensive to build and maintain. Salesforce’s scalable answer is to use the Experience ID so the login journey can render the correct branding dynamically for each sub-brand. This preserves a centralized identity service while allowing multiple brand experiences across the same platform. Audiences are useful for content targeting after authentication, but they are not the core mechanism for routing a multi-brand login experience. The architecture principle is to separate identity infrastructure from visual brand presentation. Experience ID lets the organization keep one identity backbone and many branded entry experiences, which is exactly the type of scalability the requirement calls for. This is why option B is the best answer in Salesforce terms.

Delegated Authentication is the Salesforce mechanism intended for organizations that must keep password validation and authentication processing in an external system reachable through a web service. In this model, Salesforce sends the authentication request outward and relies on the external service to decide whether the credentials are valid. That is a strong fit when regulations or internal policy require the external system to remain authoritative for passwords and authentication logic. JIT provisioning and SAML SSO solve adjacent problems, but they do not match the stated SOAP-based password-validation requirement. The important architecture cue is the external SOAP web service: that points directly to delegated authentication rather than to token-based federation or user-provisioning features. This is why option B is the best answer in Salesforce terms.

For social sign-on into Experience Cloud, Salesforce relies on authentication providers to establish trust with each social identity source and on a registration handler to create or update the Salesforce user and related records. That pattern applies whether the provider is Facebook, LinkedIn, Twitter, or a standards-based OpenID Connect provider. Process Builder or Flow does not replace the registration handler in this identity handshake. The registration handler is where Salesforce decides how to map the incoming identity to an existing user, when to create a new one, and how to update profile information over time. From an architecture standpoint, authentication providers solve the external trust, and the registration handler solves the user lifecycle inside Salesforce. This is why option C is the best answer in Salesforce terms.

In OAuth-based Salesforce integrations, intermittent logout behavior is often tied to token lifecycle rather than to general platform permissions. Salesforce documentation distinguishes clearly between authentication, authorization, and token validity. Even if the initial login succeeds, the user can appear to be “randomly logged out” when an access token expires, is revoked, or can no longer be refreshed according to policy. That is why token status and refresh behavior should be checked early in troubleshooting. Browser version, network delay, or missing Salesforce permissions can cause other access problems, but they do not typically explain an established SSO session ending intermittently in an OAuth flow. The first architectural checkpoint is whether the token issued by the identity provider remains valid for the expected duration. This is why option A is the best answer in Salesforce terms.

A Canvas integration relies on a connected app to establish trust between Salesforce and the external application. To let agents open the pricing application without a second login, the connected app should be pre-authorized for the intended users so consent is not prompted at runtime. When the external application participates in enterprise SSO, SAML settings on the connected app can also support the federated sign-in pattern expected by the pricing service. The key Salesforce design principle is that Canvas is not only an iframe placement technology; it also depends on connected app security and identity configuration. Pre-authorization controls user access, while SSO settings determine how the external app accepts the Salesforce-initiated identity context. This is why options A, D work together as the correct solution.

The AMR field in Salesforce Login History is meaningful only when the upstream identity provider includes authentication-method information in a way Salesforce can understand. Salesforce can surface AMR information from modern federation patterns, but the actual authentication methods must be asserted by the IdP. That is why architects need to think about protocol support and IdP implementation. The field is useful because it shows how the user authenticated upstream, for example whether MFA or another method was used. High-assurance session settings are related to policy enforcement, but they do not by themselves populate AMR. The key design point is that AMR is an observation of the IdP’s authentication methods, not an independent Salesforce-generated fact. This is why options A, C work together as the correct solution.

Identity Verification Credits are consumed when Salesforce sends verification challenges through the configured channel, and SMS-based passwordless login specifically depends on SMS verification activity. Therefore the right estimation approach is to forecast how many SMS verification events the portal will generate, not how many community licenses exist. Some Salesforce identity offerings include baseline entitlements, but capacity planning still centers on expected verification traffic. If the portal intends to let customers log in with one-time passcodes sent by text, then every challenge can consume credits. The architecture question is really an operational one: estimate the expected volume of SMS-based login verification and size the verification-credit requirement to match that demand. This is why option C is the best answer in Salesforce terms.

For guest checkout scenarios that later convert a shopper into a registered customer, Salesforce self-registration is the natural starting point because it gives the site a controlled way to create an external user account. The self-registration experience can be customized so that the user enters just enough order information for the site to locate the previously collected guest data and then complete the registration. SAML and social login don’t solve the core problem, which is linking an existing guest transaction to a newly created community identity. A Connected App Handler is also not the standard Experience Cloud tool for this registration pattern. The right design is to keep registration in Salesforce and tailor the page to reconcile the new user with the known order record. This is why option A is the best answer in Salesforce terms.

Salesforce’s user-agent flow implements the OAuth 2.0 implicit grant model for browser-based or mobile applications that obtain authorization through a browser. In that flow, the client uses a client ID and requests specific scopes. The user authorizes the app, and the resulting token is delivered through the browser-based redirect. In Salesforce identity examples, refresh-related behavior is often part of the mobile discussion, while an authorization code is not a characteristic of the implicit model. That is the key concept to remember: implicit or user-agent flow is centered on browser-mediated authorization without a back-end code exchange. So the valid concepts align with client identity and requested access, not with the server-side authorization-code step used in the web server flow. This is why options A, B, E work together as the correct solution.

When a service provider needs to continue making calls back to Salesforce on behalf of the user after login, OpenID Connect is usually the more natural choice because it sits in the OAuth family and aligns well with token-based delegated access. SAML is excellent for browser-based federation, but it is not as naturally suited to modern API token usage after the interactive sign-in event. The question is not simply “which protocol is more secure.” It is about post-login application behavior. If the downstream application needs identity plus a token-friendly pattern for additional calls, that use case pushes the architect toward OIDC. In other words, the deciding factor is what the service provider must do after the initial authentication succeeds. This is why option B is the best answer in Salesforce terms.

Salesforce’s JWT bearer flow is intended for server-to-server or noninteractive scenarios where a signed assertion is exchanged for an access token. Because the assertion is signed, the connected app must be configured to use a digital signature. The integration also needs the api scope so that the resulting token can call Salesforce APIs. Other scopes, such as generic web access, do not address the core requirement of API access through a JWT assertion. The design principle behind this flow is that no user is present to approve access interactively, so trust is established through certificate-based signing and the connected app’s policy configuration. That is why the digital signature setting is essential, not optional, in a JWT-based Salesforce integration. This is why options A, C work together as the correct solution.

To enable social sign-on for Experience Cloud, Salesforce expects the architect to create an authentication provider for each social identity source, expose those providers on the login page, and use the registration handler logic that creates or updates the external user in Salesforce. SAML federation is not required for Facebook or LinkedIn sign-in. Connected apps are not how those social providers are registered for Experience Cloud login; the trust is established through authentication providers. The architect also needs the login page to actually show the provider buttons so users can choose those sign-in methods. In short, the implementation has three moving parts: provider setup, login-page exposure, and user-provisioning logic through the registration handler. This is why options A, C, D work together as the correct solution.

For fine-grained delegated access and long-lived sessions, the Authorization Code flow is the strongest mainstream OAuth choice. It supports user consent, server-side token exchange, and refresh-token issuance in the patterns Salesforce documents for confidential applications. Client Credentials is for app-to-app integration without a user context, and Implicit/User-Agent is less suitable for strong control and durable token management. Username-password is a special-case flow that trades off security and user experience. The reason this matters architecturally is that the authorization code pattern separates user authentication from token exchange and allows the client to keep secrets securely on the server side. That is why it remains the preferred model for robust delegated access to protected Salesforce resources. This is why option B is the best answer in Salesforce terms.

When SAML sign-on fails during setup, the fastest Salesforce-native diagnostic tool is the SAML Validator. It breaks down the assertion and shows where validation fails, such as certificate issues, audience mismatches, subject formatting, missing attributes, or timestamp problems. That is much more useful than simply reviewing connected app settings or downloading metadata again, because the architect needs visibility into the actual assertion being posted to Salesforce. SAML integrations succeed or fail based on the signed XML and the trust configuration around it, so a validator that exposes the assertion details is the right troubleshooting instrument. In practice, this is the tool admins use to determine whether the issue sits in the identity provider output or in Salesforce configuration. This is why option A is the best answer in Salesforce terms.

Salesforce’s user-agent flow implements the OAuth 2.0 implicit grant model for browser-based or mobile applications that obtain authorization through a browser. In that flow, the client uses a client ID and requests specific scopes. The user authorizes the app, and the resulting token is delivered through the browser-based redirect. In Salesforce identity examples, refresh-related behavior is often part of the mobile discussion, while an authorization code is not a characteristic of the implicit model. That is the key concept to remember: implicit or user-agent flow is centered on browser-mediated authorization without a back-end code exchange. So the valid concepts align with client identity and requested access, not with the server-side authorization-code step used in the web server flow. This is why options A, B, E work together as the correct solution.

When an account may be compromised, the first Salesforce-native source to review is Login History. It shows authentication attempts, source IP addresses, login status, browser and platform information, and the methods used to access the org. That makes it the most direct starting point for identifying suspicious access patterns or confirming when and how a user session was established. Setup Audit Trail tracks administrative configuration changes, not end-user sign-in behavior, and the user record itself doesn’t provide the same detailed authentication trail. In a forensic workflow, the early question is usually “did someone log in, from where, and by what method?” Login History is the fastest place to answer that inside Salesforce. This is why option B is the best answer in Salesforce terms.

Login Discovery is the Salesforce feature built for identifier-first sign-in experiences that start with an email address or phone number and then route the user into the next authentication step. It is especially relevant for passwordless designs because the user can enter an email address or mobile number and then receive a verification code through the configured handler and verification service. That matches the stated requirement much more closely than social sign-on or a generic external IdP recommendation. The key platform point is that Login Discovery separates “who are you?” from “how do we authenticate you?” and allows Salesforce to branch appropriately. For citizen or customer portals, it is the standard entry point for phone-or-email-based identification before code verification. This is why option B is the best answer in Salesforce terms.