Pass the Salesforce Identity and Access Management Designer Identity-and-Access-Management-Architect Questions and answers with CertsForce

Salesforce connected-app user provisioning can be combined with internal approval so downstream accounts are created only after the right business authorization is complete. The connected app must have user provisioning enabled, and the target application must be represented as a connected app in Salesforce. To control timing, the approval process should be associated with the provisioning request object that participates in the provisioning lifecycle rather than with the generic User object. That allows the organization to hold or approve the provisioning action itself. This pattern is useful when HR or compliance wants a formal checkpoint before external accounts are created. The architecture separates identity eligibility from final outbound provisioning execution. This is why options B, C, D work together as the correct solution.

For a mobile-first external identity use case, Salesforce requires both the right base license and the right verification channel entitlement. External Identity licenses support authentication for external users such as consumers, while SMS verification credits support sending one-time verification codes to mobile phones for passwordless or verification-based login experiences. Email verification credits would address email delivery, not SMS-based verification. Identity Connect is unrelated because it is an AD synchronization product for workforce identity, not a CIAM licensing option. The architecture requirement here is straightforward: external users authenticate to Salesforce-backed digital experiences, and mobile number verification is part of the sign-in model. That combination points to External Identity plus SMS verification capacity. This is why options A, D work together as the correct solution.

The OAuth 2.0 Asset Token Flow is Salesforce’s purpose-built answer for connected devices and IoT-style integrations. It is designed for assets that need to act on behalf of a physical device or asset record rather than a human user. That makes it the correct fit for sensors, GPS trackers, or smart devices that must securely post telemetry or create service actions in Salesforce. User-agent, web-server, or username-password flows are built around user identity or generic application access, not around a registered device/asset relationship. The architectural advantage of the asset token model is that it ties the authorization context back to the asset, which is exactly what you want when the platform must know which device generated the event or maintenance alert. This is why option D is the best answer in Salesforce terms.

To enable social sign-on for Experience Cloud, Salesforce expects the architect to create an authentication provider for each social identity source, expose those providers on the login page, and use the registration handler logic that creates or updates the external user in Salesforce. SAML federation is not required for Facebook or LinkedIn sign-in. Connected apps are not how those social providers are registered for Experience Cloud login; the trust is established through authentication providers. The architect also needs the login page to actually show the provider buttons so users can choose those sign-in methods. In short, the implementation has three moving parts: provider setup, login-page exposure, and user-provisioning logic through the registration handler. This is why options A, C, D work together as the correct solution.

Just-in-Time provisioning is designed for exactly this onboarding pattern: a user authenticates through an external identity provider, and Salesforce creates the user automatically on first successful login. That avoids preloading every external user into Salesforce before they ever visit the site. Middleware and custom web services can do similar work, but JIT is the native, lower-complexity mechanism built into Salesforce federation. Login flows by themselves do not create the user record during the authentication handshake. The architectural value of JIT is that it keeps the source of identity external while letting Salesforce create and update the user only when the person actually needs access. It is efficient, standard, and commonly used with Experience Cloud. This is why option C is the best answer in Salesforce terms.

When users report SSO login errors, Login History is the first Salesforce-native place to look for the failure details. It records authentication attempts, statuses, timestamps, source information, and failure reasons that help narrow down whether the problem lies in the identity provider, the assertion, or the Salesforce configuration. Setup Audit Trail is for admin changes, not runtime authentication troubleshooting, and exception email is not the primary way to debug SSO. The practical reason architects start with Login History is that it tells you what Salesforce actually received and how Salesforce evaluated it. That makes it a reliable first checkpoint during alumni portal, workforce SSO, or community login investigations. This is why option C is the best answer in Salesforce terms.

Login Discovery is the Salesforce feature built for identifier-first sign-in experiences that start with an email address or phone number and then route the user into the next authentication step. It is especially relevant for passwordless designs because the user can enter an email address or mobile number and then receive a verification code through the configured handler and verification service. That matches the stated requirement much more closely than social sign-on or a generic external IdP recommendation. The key platform point is that Login Discovery separates “who are you?” from “how do we authenticate you?” and allows Salesforce to branch appropriately. For citizen or customer portals, it is the standard entry point for phone-or-email-based identification before code verification. This is why option B is the best answer in Salesforce terms.

Salesforce’s JWT bearer flow is intended for server-to-server or noninteractive scenarios where a signed assertion is exchanged for an access token. Because the assertion is signed, the connected app must be configured to use a digital signature. The integration also needs the api scope so that the resulting token can call Salesforce APIs. Other scopes, such as generic web access, do not address the core requirement of API access through a JWT assertion. The design principle behind this flow is that no user is present to approve access interactively, so trust is established through certificate-based signing and the connected app’s policy configuration. That is why the digital signature setting is essential, not optional, in a JWT-based Salesforce integration. This is why options A, C work together as the correct solution.

If Salesforce is brokering identity from an enterprise SSO platform to downstream applications, then in its relationship with the enterprise SSO system Salesforce is acting as a service provider. It is consuming authentication from the enterprise identity source and then using that result to participate in further federation to third-party apps. That distinction matters because the same platform can be an SP upstream and an IdP downstream in the same overall architecture. Resource server and client-application labels do not describe the identity role Salesforce is playing in that specific trust relationship. The key point is directional trust: Salesforce receives the authentication from the enterprise SSO provider, so it is the service provider in that connection. This is why option A is the best answer in Salesforce terms.

For a website that doesn’t natively speak SAML or OAuth but still wants Salesforce-backed social sign-in, the architecture typically combines authentication providers with Embedded Login, and the integration is supported through the connected app framework around Salesforce Identity. Authentication providers establish trust with the social sources, while Embedded Login brings the Salesforce-controlled sign-in experience into the existing site. Delegated Authentication is for username/password validation against an external system and doesn’t provide social sign-in. Identity Connect is also unrelated because it is aimed at directory synchronization. The key architectural move is to let Salesforce handle the identity transaction and present that capability inside the existing website, rather than trying to make the legacy site implement standards it doesn’t already support. This is why options A, B, D work together as the correct solution.