Identity-and-Access-Management-Architect Salesforce Certified Platform Identity and Access Management Architect (Plat-Arch-203) Questions and Answers

The OAuth 2.0 web server flow follows the authorization-code pattern documented by Salesforce. First, the client requests an authorization code. The user then authenticates and authorizes access. Salesforce returns the authorization code to the client, after which the client exchanges that code at the token endpoint. Salesforce finally issues the access token. The reason this sequence matters is security: the code is a short-lived intermediary credential that is exchanged server to server, rather than exposing the access token directly in the browser. That is why the web server flow is recommended for confidential applications that can protect a client secret. Any sequence that skips the code exchange or grants the token before authorization is not the correct Salesforce authorization-code flow. This is why option A is the best answer in Salesforce terms.

Frequent identity verification prompts in Salesforce are often a session security issue rather than an SSO design defect. One of the standard administrator controls for reducing repeated verification in known corporate environments is to define trusted IP ranges. When a login originates from a recognized network, Salesforce can apply lower-friction verification behavior consistent with the org’s policies. Simply enabling MFA or 2FA does not reduce prompts; those controls often introduce stronger verification requirements. Similarly, moving to an external identity provider changes the sign-in architecture but does not automatically tell Salesforce to trust the user’s network context. The trusted IP model is the documented way to reduce unnecessary verification challenges while keeping the org’s perimeter assumptions explicit. This is why option B is the best answer in Salesforce terms.

If the external wellness application needs user attributes returned in an ID token, the mechanism must be OpenID Connect. OIDC extends OAuth with identity semantics and introduces the ID token as the standard carrier for authenticated user information. A plain user-agent or web-server OAuth flow by itself does not guarantee an ID token, because OAuth alone is about authorization, not identity. JWT bearer flow is also for noninteractive token exchange, not end-user identity assertion to a relying party. The architecture requirement points directly to the artifact being requested: an ID token. In Salesforce identity design, once the requirement says “return attributes in an ID token,” the answer is to use OpenID Connect. This is why option B is the best answer in Salesforce terms.

A native mobile app that must call Salesforce APIs, keep users signed in, and avoid the approval screen needs two things from the connected app configuration: the right scopes and administrator-controlled authorization. The API scope allows REST access, and the offline_access scope allows the app to obtain a refresh token so it can continue working without repeated interactive sign-in. To suppress the approval page for end users, the connected app should be set to Admin Pre-Approved rather than allowing self-authorization. JWT bearer flow is not necessary when the scenario already states a native app user flow. Salesforce guidance for mobile apps consistently focuses on choosing the appropriate OAuth scopes first and then pairing them with the correct connected app access policy. This is why option C is the best answer in Salesforce terms.

Salesforce supports token revocation through the revoke token endpoint. When an external application logs the user out and the existing OAuth token must be invalidated immediately, the application should make the appropriate HTTP request to that revocation endpoint and include the current token. That explicitly tells Salesforce the token should no longer be accepted. Requesting a new refresh token or calling unrelated endpoints would not invalidate the existing authorization. Single Logout can help in federated browser journeys, but the requirement here is specifically about invalidating the OAuth token itself. The architecture distinction is important: session logout and token revocation are related but not identical operations, and Salesforce provides a dedicated endpoint for revocation. This is why option A is the best answer in Salesforce terms.

Salesforce’s secure MFA guidance is based on two independent factors, not simply any second code that can be sent to the user. Strong MFA methods include possession-based authenticators and standards-compliant mechanisms such as security keys, approved authenticator apps, and trusted third-party SSO solutions that themselves enforce strong MFA. Lightning Login is also treated as a passwordless, device-based secure approach in the Salesforce ecosystem. By contrast, SMS and email verification do not meet Salesforce’s general MFA requirement for secure user-interface logins in the same way. The architecture point is that Salesforce distinguishes between convenience verifications and strong authentication factors. For compliance-driven MFA, architects should choose the methods Salesforce classifies as high-assurance. This is why options A, B, D work together as the correct solution.

If AWS holds the workforce credentials and Salesforce must trust that external identity for authentication, OpenID Connect is the natural standards-based fit when AWS can operate as the identity provider. Salesforce can consume an OIDC provider for authentication and authorization scenarios in a way that avoids building a custom authentication server unnecessarily. A connected app by itself does not make AWS the identity source, and a custom external auth provider is only needed when there is no suitable standard protocol support. The architecture requirement is to let Salesforce trust the external identity system while preserving standards and minimizing custom code. Configuring AWS as an OpenID Connect provider satisfies that need cleanly. This is why option D is the best answer in Salesforce terms.

Login Flows are the least-custom way to present user-specific messaging before a user lands on an Experience Cloud home page. Salesforce designed login flows to insert screens into the authentication journey, which makes them a strong fit for pre-homepage alerts, acknowledgments, and decision points. A custom homepage component can display alerts after login, but it does not satisfy the “before they land on the homepage” requirement as directly. Custom metadata with LWC or a specialized registration handler introduces more build effort than needed. The important platform distinction is timing: login flows run during authentication and can show a screen before the session continues to the destination page. That is why they are commonly chosen for policy notices, onboarding prompts, and personalized pre-entry messages. This is why option B is the best answer in Salesforce terms.

When an architect needs to enforce IP restrictions, session timeouts, or related access controls for a connected app, the place to do that is the connected app’s OAuth policies. Those policies let Salesforce administrators shape how the app can be used, from permitted-user policy to IP relaxation behavior and session-related restrictions. Login IP ranges on profiles are broader user controls, while custom permissions don’t govern the connected app’s OAuth runtime behavior. The important architecture distinction is that connected-app security should be controlled where the app trust is defined. Salesforce puts those controls in the connected app’s policy layer, which is why OAuth policies are the right answer for app-specific session and network enforcement. This is why option D is the best answer in Salesforce terms.

If the concern is that an SP-initiated SAML request could be altered on the way to the identity provider, the additional control is request signing. Salesforce supports signing the SAML request with a request-signing certificate so the IdP can verify integrity and origin. HTTPS protects the transport channel, but it does not provide the same message-level assurance that a signed request provides inside the SAML trust model. Issuer and ACS configuration are necessary for setup, yet they do not prove that the request was not modified. The architecture principle here is layered trust: transport security protects the channel, while signature validation protects the SAML message itself. That is why the request-signing certificate is the feature that directly addresses tampering concerns. This is why option D is the best answer in Salesforce terms.

When creating an authentication provider in Salesforce, architects can configure operational settings that shape the user experience and downstream provisioning behavior. A custom error URL is supported so failed sign-ins can be routed to a branded or informative destination. A custom registration handler is also supported, giving the org control over how incoming identities are mapped to Salesforce users and related records. By contrast, options like a “default login user” or a generic default certificate setting do not describe the primary provider-creation controls in the same way. The important architecture concept is that an authentication provider defines both the trust with the external source and the user-lifecycle handling logic inside Salesforce. This is why options B, D work together as the correct solution.

When the external identity source supports only OAuth and there is no predefined provider type available in Salesforce, the architect should use a custom external authentication provider. Prebuilt OpenID Connect support assumes an OIDC-compliant provider, which is more specific than raw OAuth. Delegated authentication and certificate-based patterns solve different identity problems and are not meant to retrofit a nonstandard OAuth provider into Experience Cloud sign-in. The custom provider option exists precisely for this gap: it lets Salesforce participate in an authentication exchange with an external service that does not fit one of the standard built-in provider templates. In practice, this gives the architect control over how Salesforce obtains and interprets the external identity information. This is why option C is the best answer in Salesforce terms.

For a portal that wants users to enter a phone number or email address first and then receive a one-time verification code, Salesforce’s recommended pattern is a Login Discovery page backed by a Login Discovery handler. This supports identifier-first authentication and lets the org decide how to route or verify the user once the identifier is known. Building a custom login page and controller can work, but it bypasses the purpose-built experience Salesforce provides for this exact passwordless entry pattern. Authentication providers and login flows solve different phases of the login journey. The architectural advantage of Login Discovery is that it cleanly supports phone-or-email identification before the platform or handler triggers the verification step. This is why option C is the best answer in Salesforce terms.

Salesforce login flows are designed to interrupt the sign-in journey and collect information, present screens, or enforce conditions before the user reaches the destination app or site. In this case, the requirement is conditional and mandatory: users must accept updated rules and complete missing profile data before doing anything else. A login flow is stronger than a banner, task, or email campaign because it runs at authentication time and can branch based on user data. That makes it suitable for compliance-style steps such as terms acceptance, privacy notices, or profile completion. The architect can evaluate user fields, display the required screen only when needed, and block progress until the data and acknowledgment are captured. This is why option D is the best answer in Salesforce terms.

OAuth scopes are the mechanism Salesforce uses to define what an external application can request access to. If the requirement is to control access to protected resources in a flexible and granular way, custom scopes are the right enhancement. They let the architect express purpose-specific access boundaries beyond coarse app approval alone. Admin-preapproved access and permission sets govern who can use the connected app, but scopes govern what the token is intended to do. External objects and data classification don’t solve the token-authorization problem. The design principle is least privilege at the API boundary. By carefully defining and assigning scopes, the organization can limit access in a way that is meaningful to both the application and the resource server. This is why option B is the best answer in Salesforce terms.

When an external brand such as Amazon supports OpenID Connect and the requirement is to let customers use those credentials to sign in to Experience Cloud, the straightforward Salesforce approach is to configure an OpenID Connect authentication provider. A connected app represents an app trust relationship, not the external identity source for community login. A predefined provider can be used only when Salesforce offers that exact template; otherwise standards-based OIDC is the general answer. Building a custom provider would be unnecessary if the external source already speaks OpenID Connect. The architectural decision is simply to use the standard protocol that the provider supports and let Salesforce consume that identity through an authentication provider. This is why option C is the best answer in Salesforce terms.

The AMR field in Salesforce Login History is meaningful only when the upstream identity provider includes authentication-method information in a way Salesforce can understand. Salesforce can surface AMR information from modern federation patterns, but the actual authentication methods must be asserted by the IdP. That is why architects need to think about protocol support and IdP implementation. The field is useful because it shows how the user authenticated upstream, for example whether MFA or another method was used. High-assurance session settings are related to policy enforcement, but they do not by themselves populate AMR. The key design point is that AMR is an observation of the IdP’s authentication methods, not an independent Salesforce-generated fact. This is why options A, C work together as the correct solution.

For a server-to-server integration that should avoid end-user interaction and maximize security, the JWT Bearer Flow is the strongest fit. Salesforce documents it for noninteractive scenarios where a trusted external service can sign an assertion with a certificate and exchange it for an access token. That means no browser- based approval screen, no password collection, and no dependence on a human being present to authorize the session. Web Server and User-Agent flows are designed for interactive delegated access, while username-password is a special-case pattern with weaker security characteristics. The architectural takeaway is simple: when the client is a trusted server and the goal is high assurance with minimal user involvement, certificate-based JWT exchange is the preferred Salesforce approach. This is why option A is the best answer in Salesforce terms.

If the organization wants users to sign in only through SSO and not by entering credentials at login.salesforce.com, two standard controls are used together. My Domain can be configured to prevent login from the generic Salesforce login page, forcing users onto the org-specific authentication entry point. In addition, the user can be marked as “Is Single Sign-On Enabled,” which prevents password-based Salesforce login for that user. Those two controls reinforce each other: one redirects the entry point, and the other removes the fallback credential path. Delegated authentication is not required just to enforce SSO, and simply enabling SSO never means Salesforce credentials stop working automatically. The architecture goal is to remove non-SSO login paths deliberately. This is why options A, D work together as the correct solution.

Just-in-Time provisioning is designed for exactly this onboarding pattern: a user authenticates through an external identity provider, and Salesforce creates the user automatically on first successful login. That avoids preloading every external user into Salesforce before they ever visit the site. Middleware and custom web services can do similar work, but JIT is the native, lower-complexity mechanism built into Salesforce federation. Login flows by themselves do not create the user record during the authentication handshake. The architectural value of JIT is that it keeps the source of identity external while letting Salesforce create and update the user only when the person actually needs access. It is efficient, standard, and commonly used with Experience Cloud. This is why option C is the best answer in Salesforce terms.

Trust between Salesforce and an identity provider is established by exchanging the metadata and certificates that define each side of the federation relationship. In Salesforce SAML setups, this commonly means importing or exchanging metadata XML so each side knows the issuer, endpoints, and signing certificate of the other. A VPN tunnel or custom login page does not create protocol-level trust for SSO. Embedding authentication code into Salesforce is not how federation is configured. The key concept from Salesforce documentation is that SAML trust is declarative and certificate-based: the two parties agree on metadata, endpoints, and certificates, and then assertions are validated against that trust configuration. That exchange is the foundation of a working Salesforce-IdP federation. This is why option C is the best answer in Salesforce terms.

When Salesforce is acting as an identity provider and the goal is to make a third-party application available from within Salesforce, two standard tools work together: a connected app to define trust and single sign-on behavior, and the App Launcher to give users a discoverable entry point. The connected app handles the identity relationship and protocol settings, while the launcher exposes the application from the Salesforce UI. Delegated Authentication and external data sources solve different problems and don’t provide the same app-launch experience. In Salesforce Identity architecture, this combination is common because it aligns governance and usability: the app is centrally configured through a connected app and then delivered to users as part of their Salesforce app catalog. This is why options B, D work together as the correct solution.

To enable social sign-on for Experience Cloud, Salesforce expects the architect to create an authentication provider for each social identity source, expose those providers on the login page, and use the registration handler logic that creates or updates the external user in Salesforce. SAML federation is not required for Facebook or LinkedIn sign-in. Connected apps are not how those social providers are registered for Experience Cloud login; the trust is established through authentication providers. The architect also needs the login page to actually show the provider buttons so users can choose those sign-in methods. In short, the implementation has three moving parts: provider setup, login-page exposure, and user-provisioning logic through the registration handler. This is why options A, C, D work together as the correct solution.

If an organization has multiple regional ADFS systems and wants one Salesforce org without buying an additional federation broker, Salesforce can be configured with multiple SAML SSO settings so users choose the appropriate identity provider at sign-in. That satisfies the “no additional application investment” constraint more directly than introducing a new central identity broker. Identity Connect is not the solution here because it focuses on AD user synchronization, not on federating multiple ADFS realms into Salesforce login. The architectural compromise is user choice at the login screen, but it keeps the design standards-based and avoids extra infrastructure. For a single-org deployment with multiple existing enterprise IdPs, exposing multiple SSO configurations is the practical native approach. This is why option B is the best answer in Salesforce terms.

Salesforce supports dynamic branding for Experience Cloud login journeys through the Experience ID parameter. The Experience ID tells Salesforce which branded experience to render, allowing a single identity implementation to serve multiple brands or sub-brands without building separate authentication stacks. This is more scalable than asking users to pick a brand after arrival or inventing custom parameters and branding logic outside the standard experience framework. It also works cleanly with OAuth and SAML-based sign-in patterns, which is why it is commonly recommended in multi-brand CIAM designs. When the requirement is to reliably present the correct branded Salesforce experience during login, the Experience ID is the built-in mechanism intended for that routing and presentation layer. This is why option A is the best answer in Salesforce terms.

When Salesforce already provides built-in authentication provider support for the social networks required by the business, the simplest architecture is to use those predefined authentication providers. That avoids building custom provider logic for well-known services such as Facebook and, in many exam scenarios, Twitter. The point of the predefined provider is to reduce custom work, accelerate setup, and stay within the Salesforce-supported social sign-in pattern. A custom provider would only be necessary when the external source is not supported through the standard templates or protocols available. The architecture principle is to use standard provider support first and reserve custom provider work for gaps. That keeps the implementation easier to manage and easier to troubleshoot. This is why option C is the best answer in Salesforce terms.

Salesforce’s user-agent flow implements the OAuth 2.0 implicit grant model for browser-based or mobile applications that obtain authorization through a browser. In that flow, the client uses a client ID and requests specific scopes. The user authorizes the app, and the resulting token is delivered through the browser-based redirect. In Salesforce identity examples, refresh-related behavior is often part of the mobile discussion, while an authorization code is not a characteristic of the implicit model. That is the key concept to remember: implicit or user-agent flow is centered on browser-mediated authorization without a back-end code exchange. So the valid concepts align with client identity and requested access, not with the server-side authorization-code step used in the web server flow. This is why options A, B, E work together as the correct solution.

Salesforce Embedded Login exists specifically to place a Salesforce-backed login experience inside another application or service provider, which makes it the right feature to consider for a seamless sign-in widget. However, the architectural caveat is browser behavior. Embedded login can rely on third-party cookies, and modern browser privacy controls can affect how that experience behaves. That dependency is often the deciding consideration before recommending it. REST APIs and generic OAuth flows are part of the broader identity toolbox, but they don’t answer the executive sponsor’s question about embedding a login widget directly into another application. The recommendation should therefore focus on Embedded Login and on whether the target browser landscape will tolerate the cookie model it depends on. This is why option D is the best answer in Salesforce terms.

The Identity Only license is designed for users who need Salesforce Identity services without broad CRM object access. Salesforce documentation positions it for scenarios where employees or other internal users need to authenticate with Salesforce credentials and access connected applications, but they do not require the full set of standard Salesforce business objects. That makes it a good fit for benefits portals, employee hubs, or third-party workforce apps that rely on Salesforce for identity rather than for CRM usage. External Identity is aimed at external audiences such as customers or partners, while Identity Connect is synchronization software rather than an end-user license. The licensing decision follows the user population and the scope of application access more than the authentication protocol itself. This is why option A is the best answer in Salesforce terms.