Pass the Salesforce Identity and Access Management Designer Identity-and-Access-Management-Architect Questions and answers with CertsForce

Once SAML SSO is already configured, enabling Just-in-Time provisioning in Salesforce is done on the SAML Single Sign-On setting itself. The architect turns on JIT user provisioning, selects the provisioning type, and supplies the SAML JIT handler if custom logic is needed. That is the expected configuration path because JIT is part of the federation handshake, not a sharing model or permission-set feature. Creating a random Apex class without wiring it into the SAML setting would not enable JIT on its own. The architectural distinction is that JIT rides inside the SAML login process. Therefore it must be enabled and configured where Salesforce processes the incoming assertion. This is why option A is the best answer in Salesforce terms.

When a third-party service wants Salesforce to provision users through a service endpoint before they access the app, the relevant feature is user provisioning on the connected app. Salesforce supports outbound provisioning patterns for connected apps so that a user can be created in the downstream application according to the app’s provisioning configuration. This is better than redirecting users into a separate registration experience because the requirement is to provision them as part of the Salesforce-controlled access path. Canvas and generic SAML alone do not provide the provisioning endpoint behavior described. The architectural value of connected-app provisioning is that it links app access and lifecycle management, allowing administrators to govern who gets created in the external service and when. This is why option C is the best answer in Salesforce terms.

For large-scale analysis of suspicious login behavior, the feature often referred to as login forensics or forensic login analysis depends on the deeper telemetry available through Salesforce Shield and related monitoring capabilities. The goal is to identify patterns such as average login volume, off-hours behavior, unusual spikes, and outlier users. Basic Login History shows individual events, but forensic analysis is about aggregating and investigating behavior at scale. That is why the organization needs the analytics-oriented login forensics capability rather than a simple list of logins. The architectural point is that fraud detection usually requires richer monitoring and analysis than the standard admin screens provide, especially in a 15,000-user environment. This is why option B is the best answer in Salesforce terms.

Salesforce Activations gives administrators visibility into the devices that users have activated for certain trusted access experiences and the ability to revoke those device activations when necessary. That aligns directly with compliance requirements to track devices used for login and to invalidate a device if it should no longer be trusted. Login History shows session data but not the same activation-management control plane. A custom object plus login flow would create a partial record, but it would not provide the built-in revocation semantics the requirement asks for. The important distinction is between observing a login event and managing device trust. Activations addresses device trust management, which is why it is the better fit here. This is why option D is the best answer in Salesforce terms.

When customers are invited into an Experience Cloud site rather than self-registering, the normal Salesforce pattern is to create them as contacts, add them to the site, and enable the welcome email so they can establish their own password from the invitation. Login flows are not the primary mechanism for initial password setup, and updating site membership through an API does not replace the standard invitation process. The important architectural idea is that the user lifecycle begins with site membership and an activation journey, not with self-service reset logic. Salesforce’s welcome-email flow is specifically designed for this moment: it gives the invited external user a secure path to activate access and define their password for the community. This is why options A, D work together as the correct solution.

Trust between Salesforce and an identity provider is established by exchanging the metadata and certificates that define each side of the federation relationship. In Salesforce SAML setups, this commonly means importing or exchanging metadata XML so each side knows the issuer, endpoints, and signing certificate of the other. A VPN tunnel or custom login page does not create protocol-level trust for SSO. Embedding authentication code into Salesforce is not how federation is configured. The key concept from Salesforce documentation is that SAML trust is declarative and certificate-based: the two parties agree on metadata, endpoints, and certificates, and then assertions are validated against that trust configuration. That exchange is the foundation of a working Salesforce-IdP federation. This is why option C is the best answer in Salesforce terms.

When the external identity source supports only OAuth and there is no predefined provider type available in Salesforce, the architect should use a custom external authentication provider. Prebuilt OpenID Connect support assumes an OIDC-compliant provider, which is more specific than raw OAuth. Delegated authentication and certificate-based patterns solve different identity problems and are not meant to retrofit a nonstandard OAuth provider into Experience Cloud sign-in. The custom provider option exists precisely for this gap: it lets Salesforce participate in an authentication exchange with an external service that does not fit one of the standard built-in provider templates. In practice, this gives the architect control over how Salesforce obtains and interprets the external identity information. This is why option C is the best answer in Salesforce terms.

If the external wellness application needs user attributes returned in an ID token, the mechanism must be OpenID Connect. OIDC extends OAuth with identity semantics and introduces the ID token as the standard carrier for authenticated user information. A plain user-agent or web-server OAuth flow by itself does not guarantee an ID token, because OAuth alone is about authorization, not identity. JWT bearer flow is also for noninteractive token exchange, not end-user identity assertion to a relying party. The architecture requirement points directly to the artifact being requested: an ID token. In Salesforce identity design, once the requirement says “return attributes in an ID token,” the answer is to use OpenID Connect. This is why option B is the best answer in Salesforce terms.

If an organization has multiple regional ADFS systems and wants one Salesforce org without buying an additional federation broker, Salesforce can be configured with multiple SAML SSO settings so users choose the appropriate identity provider at sign-in. That satisfies the “no additional application investment” constraint more directly than introducing a new central identity broker. Identity Connect is not the solution here because it focuses on AD user synchronization, not on federating multiple ADFS realms into Salesforce login. The architectural compromise is user choice at the login screen, but it keeps the design standards-based and avoids extra infrastructure. For a single-org deployment with multiple existing enterprise IdPs, exposing multiple SSO configurations is the practical native approach. This is why option B is the best answer in Salesforce terms.

Identity Connect is positioned primarily as a user provisioning and deprovisioning bridge between Microsoft Active Directory and Salesforce. In designs where AD is the authoritative source for user status, deactivating a user upstream should be reflected quickly in Salesforce access. That is why architects pay attention to what happens to existing sessions when a user is disabled in the source directory. The feature is not a managed package, and it is not an identity provider that automatically brokers SSO by itself. It also does not “solve” license overages by disabling users in a FIFO pattern. The relevant capability is operational user-state synchronization: when identity status changes in directory services, Salesforce access should be withdrawn in a controlled, security-focused way. This is why option D is the best answer in Salesforce terms.