Salesforce Identity-and-Access-Management-Architect Dumps

For guest checkout scenarios that later convert a shopper into a registered customer, Salesforce self-registration is the natural starting point because it gives the site a controlled way to create an external user account. The self-registration experience can be customized so that the user enters just enough order information for the site to locate the previously collected guest data and then complete the registration. SAML and social login don’t solve the core problem, which is linking an existing guest transaction to a newly created community identity. A Connected App Handler is also not the standard Experience Cloud tool for this registration pattern. The right design is to keep registration in Salesforce and tailor the page to reconcile the new user with the known order record. This is why option A is the best answer in Salesforce terms.

Salesforce’s secure MFA guidance is based on two independent factors, not simply any second code that can be sent to the user. Strong MFA methods include possession-based authenticators and standards-compliant mechanisms such as security keys, approved authenticator apps, and trusted third-party SSO solutions that themselves enforce strong MFA. Lightning Login is also treated as a passwordless, device-based secure approach in the Salesforce ecosystem. By contrast, SMS and email verification do not meet Salesforce’s general MFA requirement for secure user-interface logins in the same way. The architecture point is that Salesforce distinguishes between convenience verifications and strong authentication factors. For compliance-driven MFA, architects should choose the methods Salesforce classifies as high-assurance. This is why options A, B, D work together as the correct solution.

The OAuth 2.0 Asset Token Flow is Salesforce’s purpose-built answer for connected devices and IoT-style integrations. It is designed for assets that need to act on behalf of a physical device or asset record rather than a human user. That makes it the correct fit for sensors, GPS trackers, or smart devices that must securely post telemetry or create service actions in Salesforce. User-agent, web-server, or username-password flows are built around user identity or generic application access, not around a registered device/asset relationship. The architectural advantage of the asset token model is that it ties the authorization context back to the asset, which is exactly what you want when the platform must know which device generated the event or maintenance alert. This is why option B is the best answer in Salesforce terms.

Delegated Authentication is the Salesforce mechanism intended for organizations that must keep password validation and authentication processing in an external system reachable through a web service. In this model, Salesforce sends the authentication request outward and relies on the external service to decide whether the credentials are valid. That is a strong fit when regulations or internal policy require the external system to remain authoritative for passwords and authentication logic. JIT provisioning and SAML SSO solve adjacent problems, but they do not match the stated SOAP-based password-validation requirement. The important architecture cue is the external SOAP web service: that points directly to delegated authentication rather than to token-based federation or user-provisioning features. This is why option B is the best answer in Salesforce terms.

When Salesforce is acting as an identity provider and the goal is to make a third-party application available from within Salesforce, two standard tools work together: a connected app to define trust and single sign-on behavior, and the App Launcher to give users a discoverable entry point. The connected app handles the identity relationship and protocol settings, while the launcher exposes the application from the Salesforce UI. Delegated Authentication and external data sources solve different problems and don’t provide the same app-launch experience. In Salesforce Identity architecture, this combination is common because it aligns governance and usability: the app is centrally configured through a connected app and then delivered to users as part of their Salesforce app catalog. This is why options B, D work together as the correct solution.

Salesforce documents token introspection as the standards-based way to ask the authorization server about the current state of an OAuth token after it has been issued. That is exactly what this scenario requires: checking whether an OpenID Connect access token is still active, expired, or revoked. The discovery document only advertises endpoints and capabilities; it does not return runtime token status for a specific token. Likewise, enabling CORS on the token endpoint affects browser access patterns, not token validation, and creating a custom scope changes authorization boundaries rather than token-state lookup. In other words, when the requirement is “retrieve token status,” token introspection is the platform feature designed for that purpose. This is why option A is the best answer in Salesforce terms.

When users must be allowed to launch an external service provider from Salesforce only if the organization has explicitly authorized them, the connected app should use the Admin Pre-Approved access policy. That setting moves app access out of end-user consent and into administrator control. Profiles or permission sets then determine exactly which users can use the app. This is the standard Salesforce pattern for governed OAuth access in enterprise environments. Assigning authentication providers to profiles or simply exposing the app to a community does not replace the approval and entitlement model of the connected app itself. The architectural point is that app access and user authorization should be centrally controlled, auditable, and limited to approved users. This is why options C, D work together as the correct solution.

External Identity is the Salesforce license intended for business-to-consumer and other external audience identity scenarios. When the requirement is to provide single sign-on or authentication services for customers rather than internal employees, this is the licensing model architects evaluate first. Identity Only is typically used for internal workforce users who need identity services without broad CRM access, while partner licenses address collaboration models tied to partner accounts. The design driver here is audience type: the users are external consumers of a B2C-style application. Salesforce separates those audiences in licensing because the underlying access model, scale expectations, and Experience Cloud use cases differ from workforce identity. That is why External Identity is the appropriate license choice. This is why option C is the best answer in Salesforce terms.

If Salesforce is brokering identity from an enterprise SSO platform to downstream applications, then in its relationship with the enterprise SSO system Salesforce is acting as a service provider. It is consuming authentication from the enterprise identity source and then using that result to participate in further federation to third-party apps. That distinction matters because the same platform can be an SP upstream and an IdP downstream in the same overall architecture. Resource server and client-application labels do not describe the identity role Salesforce is playing in that specific trust relationship. The key point is directional trust: Salesforce receives the authentication from the enterprise SSO provider, so it is the service provider in that connection. This is why option A is the best answer in Salesforce terms.

If an organization has multiple regional ADFS systems and wants one Salesforce org without buying an additional federation broker, Salesforce can be configured with multiple SAML SSO settings so users choose the appropriate identity provider at sign-in. That satisfies the “no additional application investment” constraint more directly than introducing a new central identity broker. Identity Connect is not the solution here because it focuses on AD user synchronization, not on federating multiple ADFS realms into Salesforce login. The architectural compromise is user choice at the login screen, but it keeps the design standards-based and avoids extra infrastructure. For a single-org deployment with multiple existing enterprise IdPs, exposing multiple SSO configurations is the practical native approach. This is why option B is the best answer in Salesforce terms.

When partner onboarding must prevent duplicate accounts across Salesforce and an external identity store, the safest design is to control registration in one orchestrated flow rather than allowing each system to create identities independently. A custom self-registration experience can validate whether the partner already exists, create the Salesforce partner records in the right account structure, and coordinate identity creation only once. This avoids the common duplication problem where the identity provider and Salesforce both accept separate registrations for the same business user. The architecture goal is not simply sign-in; it is controlled provisioning with deduplication. For that reason, a custom registration page or process that checks existing partners and then creates records in the right order is the strongest fit. This is why option A is the best answer in Salesforce terms.

When SAML sign-on fails during setup, the fastest Salesforce-native diagnostic tool is the SAML Validator. It breaks down the assertion and shows where validation fails, such as certificate issues, audience mismatches, subject formatting, missing attributes, or timestamp problems. That is much more useful than simply reviewing connected app settings or downloading metadata again, because the architect needs visibility into the actual assertion being posted to Salesforce. SAML integrations succeed or fail based on the signed XML and the trust configuration around it, so a validator that exposes the assertion details is the right troubleshooting instrument. In practice, this is the tool admins use to determine whether the issue sits in the identity provider output or in Salesforce configuration. This is why option A is the best answer in Salesforce terms.

When users report SSO login errors, Login History is the first Salesforce-native place to look for the failure details. It records authentication attempts, statuses, timestamps, source information, and failure reasons that help narrow down whether the problem lies in the identity provider, the assertion, or the Salesforce configuration. Setup Audit Trail is for admin changes, not runtime authentication troubleshooting, and exception email is not the primary way to debug SSO. The practical reason architects start with Login History is that it tells you what Salesforce actually received and how Salesforce evaluated it. That makes it a reliable first checkpoint during alumni portal, workforce SSO, or community login investigations. This is why option B is the best answer in Salesforce terms.

Salesforce’s user-agent flow implements the OAuth 2.0 implicit grant model for browser-based or mobile applications that obtain authorization through a browser. In that flow, the client uses a client ID and requests specific scopes. The user authorizes the app, and the resulting token is delivered through the browser-based redirect. In Salesforce identity examples, refresh-related behavior is often part of the mobile discussion, while an authorization code is not a characteristic of the implicit model. That is the key concept to remember: implicit or user-agent flow is centered on browser-mediated authorization without a back-end code exchange. So the valid concepts align with client identity and requested access, not with the server-side authorization-code step used in the web server flow. This is why options A, B, E work together as the correct solution.

Salesforce login flows are designed to interrupt the sign-in journey and collect information, present screens, or enforce conditions before the user reaches the destination app or site. In this case, the requirement is conditional and mandatory: users must accept updated rules and complete missing profile data before doing anything else. A login flow is stronger than a banner, task, or email campaign because it runs at authentication time and can branch based on user data. That makes it suitable for compliance-style steps such as terms acceptance, privacy notices, or profile completion. The architect can evaluate user fields, display the required screen only when needed, and block progress until the data and acknowledgment are captured. This is why option D is the best answer in Salesforce terms.

In delegated authentication, Salesforce hands off password validation to the external system that owns the credentials. Because the password is not managed by Salesforce, the user must change that password in the enterprise authentication source, such as the LDAP or SSO portal. Salesforce reset links and in-app change-password pages are not authoritative in that model. This is a common exam theme: once credential management is delegated, the downstream service does not become the place where users administer those credentials. The architectural boundary matters. Salesforce still consumes the authentication result, but the source system retains responsibility for password storage, password policy, and password changes. Therefore the end-user password-management experience belongs to the external identity store. This is why option A is the best answer in Salesforce terms.

Dynamic branding in Experience Cloud relies on the Experience ID, sometimes carried as the expid parameter or equivalent placeholder in the URL, so Salesforce can render the right login experience for the selected brand. This is the scalable way to vary the look and feel without duplicating entire identity stacks. The community template choice can matter because not every template exposes branding capabilities the same way, but the central concept is still the Experience ID. External CMS tools are not required just to route the login experience by brand. From an architecture standpoint, this keeps the login framework centralized while letting the entry experience adapt to whichever brand, campaign, or sub-experience the user selected before authentication. This is why option D is the best answer in Salesforce terms.

My Domain is a prerequisite for many modern Salesforce identity capabilities because it gives the org a unique and predictable login domain. In multi-org environments, that matters when users click record links from emails and must be routed into the correct instance and authentication path. Without My Domain, identity routing and branded login behavior become harder to control, especially when multiple orgs and external identity providers are involved. MFA and Identity Provider settings address other aspects of security, but they do not provide the unique domain-level entry point required here. The architectural role of My Domain is both technical and user-facing: it standardizes the login endpoint and helps ensure that generated links take users to the proper org context. This is why option B is the best answer in Salesforce terms.

For a portal that wants users to enter a phone number or email address first and then receive a one-time verification code, Salesforce’s recommended pattern is a Login Discovery page backed by a Login Discovery handler. This supports identifier-first authentication and lets the org decide how to route or verify the user once the identifier is known. Building a custom login page and controller can work, but it bypasses the purpose-built experience Salesforce provides for this exact passwordless entry pattern. Authentication providers and login flows solve different phases of the login journey. The architectural advantage of Login Discovery is that it cleanly supports phone-or-email identification before the platform or handler triggers the verification step. This is why option C is the best answer in Salesforce terms.

Customer 360 Identity contributes to a broader Customer 360 strategy by giving the organization a consistent sign-up and sign-in layer across digital properties and by helping correlate user behavior across those properties. It is especially valuable in multi-brand environments because the identity service can remain centralized even while user experiences differ by site or brand. From an architecture standpoint, this creates continuity: the organization understands login behavior and user journeys more holistically instead of treating each application as an isolated identity silo. Customer 360 Identity is not simply a data loader for all customer data products. Its core value is identity continuity, cross-property recognition, and a unified access experience that supports the larger goal of a single, trusted customer view. This is why options B, C work together as the correct solution.

Salesforce supports dynamic branding for Experience Cloud login journeys through the Experience ID parameter. The Experience ID tells Salesforce which branded experience to render, allowing a single identity implementation to serve multiple brands or sub-brands without building separate authentication stacks. This is more scalable than asking users to pick a brand after arrival or inventing custom parameters and branding logic outside the standard experience framework. It also works cleanly with OAuth and SAML-based sign-in patterns, which is why it is commonly recommended in multi-brand CIAM designs. When the requirement is to reliably present the correct branded Salesforce experience during login, the Experience ID is the built-in mechanism intended for that routing and presentation layer. This is why option B is the best answer in Salesforce terms.

If the organization already has a SAML setup and wants to obtain OAuth access to Salesforce APIs based on that existing federation trust, the correct bridge is the OAuth 2.0 SAML Bearer Assertion Flow. This flow allows a client to present a SAML assertion and exchange it for an OAuth access token. That is different from standard user-agent or JWT flows, and it is more specific than simply saying “SAML assertion” without naming the OAuth flow. The exam point is that SAML is being reused to obtain API authorization, not merely to log a person into the user interface. Salesforce documents this pattern specifically for environments that already depend on SAML and want to extend that trust into API access. This is why option B is the best answer in Salesforce terms.

Contactless users in Experience Cloud are tied to a narrower external identity model than full community users associated with contacts. That is the important architectural tradeoff. The feature can reduce overhead for certain external identity scenarios, but it also limits what license model and functionality are available. In practice, architects need to recognize that contactless users are associated with External Identity use cases rather than the richer Experience Cloud collaboration capabilities that depend on account-contact relationships. That is why the decision affects portal design, entitlement options, and downstream business processes. The right answer focuses on the license and capability limitation, not on speculative behavior about passwordless login or automatic contact creation during a later license change. This is why option C is the best answer in Salesforce terms.

Trust between Salesforce and an identity provider is established by exchanging the metadata and certificates that define each side of the federation relationship. In Salesforce SAML setups, this commonly means importing or exchanging metadata XML so each side knows the issuer, endpoints, and signing certificate of the other. A VPN tunnel or custom login page does not create protocol-level trust for SSO. Embedding authentication code into Salesforce is not how federation is configured. The key concept from Salesforce documentation is that SAML trust is declarative and certificate-based: the two parties agree on metadata, endpoints, and certificates, and then assertions are validated against that trust configuration. That exchange is the foundation of a working Salesforce-IdP federation. This is why option C is the best answer in Salesforce terms.

When a third-party service wants Salesforce to provision users through a service endpoint before they access the app, the relevant feature is user provisioning on the connected app. Salesforce supports outbound provisioning patterns for connected apps so that a user can be created in the downstream application according to the app’s provisioning configuration. This is better than redirecting users into a separate registration experience because the requirement is to provision them as part of the Salesforce-controlled access path. Canvas and generic SAML alone do not provide the provisioning endpoint behavior described. The architectural value of connected-app provisioning is that it links app access and lifecycle management, allowing administrators to govern who gets created in the external service and when. This is why option A is the best answer in Salesforce terms.

When the external identity source supports only OAuth and there is no predefined provider type available in Salesforce, the architect should use a custom external authentication provider. Prebuilt OpenID Connect support assumes an OIDC-compliant provider, which is more specific than raw OAuth. Delegated authentication and certificate-based patterns solve different identity problems and are not meant to retrofit a nonstandard OAuth provider into Experience Cloud sign-in. The custom provider option exists precisely for this gap: it lets Salesforce participate in an authentication exchange with an external service that does not fit one of the standard built-in provider templates. In practice, this gives the architect control over how Salesforce obtains and interprets the external identity information. This is why option C is the best answer in Salesforce terms.

When a third-party enterprise identity provider already validates users against LDAP and the organization wants employees to remember as few passwords as possible, Salesforce should be configured as the service provider. That lets the existing IdP remain the authoritative login system while Salesforce trusts the resulting assertion. Salesforce Connect is unrelated to password synchronization, and making Salesforce the IdP would invert the current enterprise architecture. This is a classic workforce SSO pattern: the corporate identity layer owns credentials, and Salesforce consumes that identity through federation. The architectural win is reduced password sprawl. Users authenticate once against the enterprise identity provider and then reach Salesforce without maintaining a separate Salesforce password. This is why option D is the best answer in Salesforce terms.

In OAuth-based Salesforce integrations, intermittent logout behavior is often tied to token lifecycle rather than to general platform permissions. Salesforce documentation distinguishes clearly between authentication, authorization, and token validity. Even if the initial login succeeds, the user can appear to be “randomly logged out” when an access token expires, is revoked, or can no longer be refreshed according to policy. That is why token status and refresh behavior should be checked early in troubleshooting. Browser version, network delay, or missing Salesforce permissions can cause other access problems, but they do not typically explain an established SSO session ending intermittently in an OAuth flow. The first architectural checkpoint is whether the token issued by the identity provider remains valid for the expected duration. This is why option A is the best answer in Salesforce terms.

To populate custom fields on the User record during SSO, Salesforce expects the architect to use the SAML Just-in-Time handler pattern. That means implementing the appropriate JIT interface and supplying create and update methods that map incoming assertion data into Salesforce user attributes. Session management classes and generic registration-handler interfaces solve different problems. The JIT handler exists specifically so that user creation and user updates can occur at login time based on federation data. This is useful when the identity provider is the source of truth for workforce attributes and those values must be refreshed without manual administration. In short, the interface gives Salesforce the entry point, and the create/update methods carry out the field population logic. This is why options C, D work together as the correct solution.

Salesforce connected-app user provisioning can be combined with internal approval so downstream accounts are created only after the right business authorization is complete. The connected app must have user provisioning enabled, and the target application must be represented as a connected app in Salesforce. To control timing, the approval process should be associated with the provisioning request object that participates in the provisioning lifecycle rather than with the generic User object. That allows the organization to hold or approve the provisioning action itself. This pattern is useful when HR or compliance wants a formal checkpoint before external accounts are created. The architecture separates identity eligibility from final outbound provisioning execution. This is why options C, D, E work together as the correct solution.

Salesforce’s JWT bearer flow is intended for server-to-server or noninteractive scenarios where a signed assertion is exchanged for an access token. Because the assertion is signed, the connected app must be configured to use a digital signature. The integration also needs the api scope so that the resulting token can call Salesforce APIs. Other scopes, such as generic web access, do not address the core requirement of API access through a JWT assertion. The design principle behind this flow is that no user is present to approve access interactively, so trust is established through certificate-based signing and the connected app’s policy configuration. That is why the digital signature setting is essential, not optional, in a JWT-based Salesforce integration. This is why options A, C work together as the correct solution.

When an external brand such as Amazon supports OpenID Connect and the requirement is to let customers use those credentials to sign in to Experience Cloud, the straightforward Salesforce approach is to configure an OpenID Connect authentication provider. A connected app represents an app trust relationship, not the external identity source for community login. A predefined provider can be used only when Salesforce offers that exact template; otherwise standards-based OIDC is the general answer. Building a custom provider would be unnecessary if the external source already speaks OpenID Connect. The architectural decision is simply to use the standard protocol that the provider supports and let Salesforce consume that identity through an authentication provider. This is why option C is the best answer in Salesforce terms.