Identity-and-Access-Management-Architect Salesforce Certified Platform Identity and Access Management Architect (Plat-Arch-203) Questions and Answers

When some users sign in through Salesforce credentials and others through an external IdP that already performs MFA, the goal is to avoid prompting everyone twice while still requiring MFA-strength assurance. Salesforce handles that through session security levels. By requiring High Assurance at login and recognizing the corporate identity provider as satisfying High Assurance, the org can accept the IdP’s MFA result while still enforcing stronger authentication for direct Salesforce logins. Enabling the generic “MFA for UI Logins” control alone can force an extra challenge on top of the IdP’s MFA. The architecture lesson is that assurance level mapping is what prevents duplicate prompts across mixed authentication paths. This is why option D is the best answer in Salesforce terms.

When partner onboarding must prevent duplicate accounts across Salesforce and an external identity store, the safest design is to control registration in one orchestrated flow rather than allowing each system to create identities independently. A custom self-registration experience can validate whether the partner already exists, create the Salesforce partner records in the right account structure, and coordinate identity creation only once. This avoids the common duplication problem where the identity provider and Salesforce both accept separate registrations for the same business user. The architecture goal is not simply sign-in; it is controlled provisioning with deduplication. For that reason, a custom registration page or process that checks existing partners and then creates records in the right order is the strongest fit. This is why option A is the best answer in Salesforce terms.

Salesforce connected-app user provisioning can be combined with internal approval so downstream accounts are created only after the right business authorization is complete. The connected app must have user provisioning enabled, and the target application must be represented as a connected app in Salesforce. To control timing, the approval process should be associated with the provisioning request object that participates in the provisioning lifecycle rather than with the generic User object. That allows the organization to hold or approve the provisioning action itself. This pattern is useful when HR or compliance wants a formal checkpoint before external accounts are created. The architecture separates identity eligibility from final outbound provisioning execution. This is why options C, D, E work together as the correct solution.

Trust between Salesforce and an identity provider is established by exchanging the metadata and certificates that define each side of the federation relationship. In Salesforce SAML setups, this commonly means importing or exchanging metadata XML so each side knows the issuer, endpoints, and signing certificate of the other. A VPN tunnel or custom login page does not create protocol-level trust for SSO. Embedding authentication code into Salesforce is not how federation is configured. The key concept from Salesforce documentation is that SAML trust is declarative and certificate-based: the two parties agree on metadata, endpoints, and certificates, and then assertions are validated against that trust configuration. That exchange is the foundation of a working Salesforce-IdP federation. This is why option C is the best answer in Salesforce terms.

Customer 360 Identity contributes to a broader Customer 360 strategy by giving the organization a consistent sign-up and sign-in layer across digital properties and by helping correlate user behavior across those properties. It is especially valuable in multi-brand environments because the identity service can remain centralized even while user experiences differ by site or brand. From an architecture standpoint, this creates continuity: the organization understands login behavior and user journeys more holistically instead of treating each application as an isolated identity silo. Customer 360 Identity is not simply a data loader for all customer data products. Its core value is identity continuity, cross-property recognition, and a unified access experience that supports the larger goal of a single, trusted customer view. This is why options B, C work together as the correct solution.

To populate custom fields on the User record during SSO, Salesforce expects the architect to use the SAML Just-in-Time handler pattern. That means implementing the appropriate JIT interface and supplying create and update methods that map incoming assertion data into Salesforce user attributes. Session management classes and generic registration-handler interfaces solve different problems. The JIT handler exists specifically so that user creation and user updates can occur at login time based on federation data. This is useful when the identity provider is the source of truth for workforce attributes and those values must be refreshed without manual administration. In short, the interface gives Salesforce the entry point, and the create/update methods carry out the field population logic. This is why options A, C work together as the correct solution.

When customers can authenticate with multiple social identities but Salesforce must maintain only one user record per person, the logic belongs in the authentication provider and registration-handler pattern. Authentication providers handle the external trust with the social platforms, while a custom registration handler can locate an existing Salesforce identity, link the new social identity to it, and update profile details if the source data changes. Login flows are not the primary mechanism for social identity linking, and forcing the user through an extra selection page creates unnecessary friction. In Salesforce CIAM, the registration handler is the lifecycle control point: it decides whether to create, update, or link the user so the portal maintains a single consolidated identity per customer. This is why options B, C work together as the correct solution.

If the concern is that an SP-initiated SAML request could be altered on the way to the identity provider, the additional control is request signing. Salesforce supports signing the SAML request with a request-signing certificate so the IdP can verify integrity and origin. HTTPS protects the transport channel, but it does not provide the same message-level assurance that a signed request provides inside the SAML trust model. Issuer and ACS configuration are necessary for setup, yet they do not prove that the request was not modified. The architecture principle here is layered trust: transport security protects the channel, while signature validation protects the SAML message itself. That is why the request-signing certificate is the feature that directly addresses tampering concerns. This is why option D is the best answer in Salesforce terms.

Login Flows are the least-custom way to present user-specific messaging before a user lands on an Experience Cloud home page. Salesforce designed login flows to insert screens into the authentication journey, which makes them a strong fit for pre-homepage alerts, acknowledgments, and decision points. A custom homepage component can display alerts after login, but it does not satisfy the “before they land on the homepage” requirement as directly. Custom metadata with LWC or a specialized registration handler introduces more build effort than needed. The important platform distinction is timing: login flows run during authentication and can show a screen before the session continues to the destination page. That is why they are commonly chosen for policy notices, onboarding prompts, and personalized pre-entry messages. This is why option B is the best answer in Salesforce terms.

When multiple identity providers must coexist in one Salesforce org, the standard pattern is to surface them through My Domain authentication settings so users can authenticate against the correct IdP. That is particularly important when generated email links bring users back into Salesforce and the org has to present the proper login options consistently. Rather than modifying every email with custom query logic or relying on IdP-initiated links, Salesforce can expose multiple login services at the domain level. This keeps the experience aligned with the org’s authentication service configuration. In multi-IdP organizations, the identity architecture should steer users through the My Domain login service so the correct SSO path is available when they arrive from system-generated links. This is why option C is the best answer in Salesforce terms.

When an external brand such as Amazon supports OpenID Connect and the requirement is to let customers use those credentials to sign in to Experience Cloud, the straightforward Salesforce approach is to configure an OpenID Connect authentication provider. A connected app represents an app trust relationship, not the external identity source for community login. A predefined provider can be used only when Salesforce offers that exact template; otherwise standards-based OIDC is the general answer. Building a custom provider would be unnecessary if the external source already speaks OpenID Connect. The architectural decision is simply to use the standard protocol that the provider supports and let Salesforce consume that identity through an authentication provider. This is why option C is the best answer in Salesforce terms.

If AWS holds the workforce credentials and Salesforce must trust that external identity for authentication, OpenID Connect is the natural standards-based fit when AWS can operate as the identity provider. Salesforce can consume an OIDC provider for authentication and authorization scenarios in a way that avoids building a custom authentication server unnecessarily. A connected app by itself does not make AWS the identity source, and a custom external auth provider is only needed when there is no suitable standard protocol support. The architecture requirement is to let Salesforce trust the external identity system while preserving standards and minimizing custom code. Configuring AWS as an OpenID Connect provider satisfies that need cleanly. This is why option D is the best answer in Salesforce terms.

When an architect needs to enforce IP restrictions, session timeouts, or related access controls for a connected app, the place to do that is the connected app’s OAuth policies. Those policies let Salesforce administrators shape how the app can be used, from permitted-user policy to IP relaxation behavior and session-related restrictions. Login IP ranges on profiles are broader user controls, while custom permissions don’t govern the connected app’s OAuth runtime behavior. The important architecture distinction is that connected-app security should be controlled where the app trust is defined. Salesforce puts those controls in the connected app’s policy layer, which is why OAuth policies are the right answer for app-specific session and network enforcement. This is why option D is the best answer in Salesforce terms.

If the external portal supports OAuth-based identity and Salesforce must accept its users for single sign-on, OpenID Connect is the right standards-based pattern because it adds identity semantics on top of OAuth. That is why Salesforce can be configured to trust the portal as an identity provider through OIDC rather than through generic delegated authentication. A connected app alone would not make Salesforce treat the portal as the identity source. Delegated Authentication is also a different model centered on username/password validation through a web service. The architectural advantage of OIDC is that the portal can remain the source of identity while Salesforce consumes verified user information and establishes a federated session. This is why option D is the best answer in Salesforce terms.

When Salesforce receives a SAML assertion and needs to translate external directory group membership into Salesforce entitlements at login, Apex Just-in-Time provisioning is the right hook. A JIT handler can read custom SAML attributes, interpret the incoming group values, and then create or update the user record and assign the appropriate permission sets. Login flows run after authentication and are not the normal mechanism for parsing assertion content into provisioning logic. Standard SAML attributes also don’t carry every organization-specific group mapping, which is why custom attributes are typically used for permission translation. The design goal is to make access decisions based on identity-provider claims at sign-in, and the JIT Apex handler is where Salesforce expects that provisioning and entitlement logic to be implemented. This is why option A is the best answer in Salesforce terms.

Salesforce login flows are designed to interrupt the sign-in journey and collect information, present screens, or enforce conditions before the user reaches the destination app or site. In this case, the requirement is conditional and mandatory: users must accept updated rules and complete missing profile data before doing anything else. A login flow is stronger than a banner, task, or email campaign because it runs at authentication time and can branch based on user data. That makes it suitable for compliance-style steps such as terms acceptance, privacy notices, or profile completion. The architect can evaluate user fields, display the required screen only when needed, and block progress until the data and acknowledgment are captured. This is why option D is the best answer in Salesforce terms.

To populate custom fields on the User record during SSO, Salesforce expects the architect to use the SAML Just-in-Time handler pattern. That means implementing the appropriate JIT interface and supplying create and update methods that map incoming assertion data into Salesforce user attributes. Session management classes and generic registration-handler interfaces solve different problems. The JIT handler exists specifically so that user creation and user updates can occur at login time based on federation data. This is useful when the identity provider is the source of truth for workforce attributes and those values must be refreshed without manual administration. In short, the interface gives Salesforce the entry point, and the create/update methods carry out the field population logic. This is why options C, D work together as the correct solution.

For an Experience Cloud site that uses Salesforce as the identity provider, the supported login experiences are the standard page types intended for authentication. Salesforce supports a Login Discovery page, which helps identify the user and route them appropriately, and an Embedded Login page, which allows the login experience to be embedded into a branded front-end. These are purpose-built for sign-in scenarios. By contrast, a generic Experience Builder content page or a Lightning Experience page is not the same thing as a supported login page type for the site’s authentication flow. The important distinction in Salesforce documentation is between pages designed for site content and pages designed to participate directly in the authentication journey. This is why options A, C work together as the correct solution.

Salesforce Activations gives administrators visibility into the devices that users have activated for certain trusted access experiences and the ability to revoke those device activations when necessary. That aligns directly with compliance requirements to track devices used for login and to invalidate a device if it should no longer be trusted. Login History shows session data but not the same activation-management control plane. A custom object plus login flow would create a partial record, but it would not provide the built-in revocation semantics the requirement asks for. The important distinction is between observing a login event and managing device trust. Activations addresses device trust management, which is why it is the better fit here. This is why option D is the best answer in Salesforce terms.

The OAuth 2.0 Asset Token Flow is Salesforce’s purpose-built answer for connected devices and IoT-style integrations. It is designed for assets that need to act on behalf of a physical device or asset record rather than a human user. That makes it the correct fit for sensors, GPS trackers, or smart devices that must securely post telemetry or create service actions in Salesforce. User-agent, web-server, or username-password flows are built around user identity or generic application access, not around a registered device/asset relationship. The architectural advantage of the asset token model is that it ties the authorization context back to the asset, which is exactly what you want when the platform must know which device generated the event or maintenance alert. This is why option D is the best answer in Salesforce terms.

Login Discovery is the Salesforce feature built for identifier-first sign-in experiences that start with an email address or phone number and then route the user into the next authentication step. It is especially relevant for passwordless designs because the user can enter an email address or mobile number and then receive a verification code through the configured handler and verification service. That matches the stated requirement much more closely than social sign-on or a generic external IdP recommendation. The key platform point is that Login Discovery separates “who are you?” from “how do we authenticate you?” and allows Salesforce to branch appropriately. For citizen or customer portals, it is the standard entry point for phone-or-email-based identification before code verification. This is why option B is the best answer in Salesforce terms.

Delegated Authentication is the Salesforce mechanism intended for organizations that must keep password validation and authentication processing in an external system reachable through a web service. In this model, Salesforce sends the authentication request outward and relies on the external service to decide whether the credentials are valid. That is a strong fit when regulations or internal policy require the external system to remain authoritative for passwords and authentication logic. JIT provisioning and SAML SSO solve adjacent problems, but they do not match the stated SOAP-based password-validation requirement. The important architecture cue is the external SOAP web service: that points directly to delegated authentication rather than to token-based federation or user-provisioning features. This is why option B is the best answer in Salesforce terms.

If users must log in to the Salesforce mobile app with their Active Directory credentials and cannot rely on a mobile VPN, the architecture usually combines Salesforce Identity Connect with the appropriate Active Directory authentication plug-in or federation integration that allows Salesforce to honor those AD credentials without direct VPN dependency. Identity Connect helps bridge AD user management into Salesforce, while the directory-side authentication component handles password validation against Active Directory. Custom triggers or load balancers do not solve the identity problem. The important architecture idea is that workforce users should continue using their corporate directory password, and Salesforce should trust that directory-driven authentication path in a mobile-friendly way. This is why options A, B work together as the correct solution.

Salesforce supports dynamic branding for Experience Cloud login journeys through the Experience ID parameter. The Experience ID tells Salesforce which branded experience to render, allowing a single identity implementation to serve multiple brands or sub-brands without building separate authentication stacks. This is more scalable than asking users to pick a brand after arrival or inventing custom parameters and branding logic outside the standard experience framework. It also works cleanly with OAuth and SAML-based sign-in patterns, which is why it is commonly recommended in multi-brand CIAM designs. When the requirement is to reliably present the correct branded Salesforce experience during login, the Experience ID is the built-in mechanism intended for that routing and presentation layer. This is why option B is the best answer in Salesforce terms.

If the organization already has a SAML setup and wants to obtain OAuth access to Salesforce APIs based on that existing federation trust, the correct bridge is the OAuth 2.0 SAML Bearer Assertion Flow. This flow allows a client to present a SAML assertion and exchange it for an OAuth access token. That is different from standard user-agent or JWT flows, and it is more specific than simply saying “SAML assertion” without naming the OAuth flow. The exam point is that SAML is being reused to obtain API authorization, not merely to log a person into the user interface. Salesforce documents this pattern specifically for environments that already depend on SAML and want to extend that trust into API access. This is why option B is the best answer in Salesforce terms.

Identity Connect can synchronize several Salesforce security constructs from Active Directory-driven administration, particularly the identity and authorization artifacts attached to users. Profiles and permission sets are directly relevant because they define user capabilities in Salesforce. Roles also matter because they shape record access and hierarchy behavior. Public groups can participate in permission design and assignment patterns as well. By contrast, sharing rules and permission set licenses are not the core mapping focus in the same way. The main architectural takeaway is that Identity Connect is about translating directory-based user management into Salesforce access structures, especially those that determine who a user is, what they can do, and where they sit in the org’s access model. This is why option D is the best answer in Salesforce terms.

The OAuth 2.0 Asset Token Flow is Salesforce’s purpose-built answer for connected devices and IoT-style integrations. It is designed for assets that need to act on behalf of a physical device or asset record rather than a human user. That makes it the correct fit for sensors, GPS trackers, or smart devices that must securely post telemetry or create service actions in Salesforce. User-agent, web-server, or username-password flows are built around user identity or generic application access, not around a registered device/asset relationship. The architectural advantage of the asset token model is that it ties the authorization context back to the asset, which is exactly what you want when the platform must know which device generated the event or maintenance alert. This is why option B is the best answer in Salesforce terms.

Dynamic branding in Experience Cloud relies on the Experience ID, sometimes carried as the expid parameter or equivalent placeholder in the URL, so Salesforce can render the right login experience for the selected brand. This is the scalable way to vary the look and feel without duplicating entire identity stacks. The community template choice can matter because not every template exposes branding capabilities the same way, but the central concept is still the Experience ID. External CMS tools are not required just to route the login experience by brand. From an architecture standpoint, this keeps the login framework centralized while letting the entry experience adapt to whichever brand, campaign, or sub-experience the user selected before authentication. This is why options B, D work together as the correct solution.

The OAuth 2.0 Asset Token Flow is Salesforce’s purpose-built answer for connected devices and IoT-style integrations. It is designed for assets that need to act on behalf of a physical device or asset record rather than a human user. That makes it the correct fit for sensors, GPS trackers, or smart devices that must securely post telemetry or create service actions in Salesforce. User-agent, web-server, or username-password flows are built around user identity or generic application access, not around a registered device/asset relationship. The architectural advantage of the asset token model is that it ties the authorization context back to the asset, which is exactly what you want when the platform must know which device generated the event or maintenance alert. This is why option C is the best answer in Salesforce terms.