Pass the Salesforce Identity and Access Management Designer Identity-and-Access-Management-Architect Questions and answers with CertsForce

Salesforce documents token introspection as the standards-based way to ask the authorization server about the current state of an OAuth token after it has been issued. That is exactly what this scenario requires: checking whether an OpenID Connect access token is still active, expired, or revoked. The discovery document only advertises endpoints and capabilities; it does not return runtime token status for a specific token. Likewise, enabling CORS on the token endpoint affects browser access patterns, not token validation, and creating a custom scope changes authorization boundaries rather than token-state lookup. In other words, when the requirement is “retrieve token status,” token introspection is the platform feature designed for that purpose. This is why option A is the best answer in Salesforce terms.

The OAuth 2.0 Asset Token Flow is Salesforce’s purpose-built answer for connected devices and IoT-style integrations. It is designed for assets that need to act on behalf of a physical device or asset record rather than a human user. That makes it the correct fit for sensors, GPS trackers, or smart devices that must securely post telemetry or create service actions in Salesforce. User-agent, web-server, or username-password flows are built around user identity or generic application access, not around a registered device/asset relationship. The architectural advantage of the asset token model is that it ties the authorization context back to the asset, which is exactly what you want when the platform must know which device generated the event or maintenance alert. This is why option A is the best answer in Salesforce terms.

In this design, Salesforce plays two separate identity roles. Because Okta authenticates the workforce and sends users into Salesforce via federation, Salesforce is acting as the SAML service provider. At the same time, when the forecasting web application asks users to authorize access to Salesforce records, Salesforce is the OAuth resource owner’s platform and the external application is the client. From Salesforce’s perspective in that authorization exchange, it participates as the OAuth authorization platform and the ecosystem around it treats Salesforce as the protected resource. The important exam distinction is that one platform can play different identity roles in different flows. Here, Salesforce accepts a SAML assertion for login and also participates in an OAuth pattern for delegated data access. This is why options B, C work together as the correct solution.

Dynamic branding in Experience Cloud relies on the Experience ID, sometimes carried as the expid parameter or equivalent placeholder in the URL, so Salesforce can render the right login experience for the selected brand. This is the scalable way to vary the look and feel without duplicating entire identity stacks. The community template choice can matter because not every template exposes branding capabilities the same way, but the central concept is still the Experience ID. External CMS tools are not required just to route the login experience by brand. From an architecture standpoint, this keeps the login framework centralized while letting the entry experience adapt to whichever brand, campaign, or sub-experience the user selected before authentication. This is why options B, D work together as the correct solution.

For social sign-on into Experience Cloud, Salesforce relies on authentication providers to establish trust with each social identity source and on a registration handler to create or update the Salesforce user and related records. That pattern applies whether the provider is Facebook, LinkedIn, Twitter, or a standards-based OpenID Connect provider. Process Builder or Flow does not replace the registration handler in this identity handshake. The registration handler is where Salesforce decides how to map the incoming identity to an existing user, when to create a new one, and how to update profile information over time. From an architecture standpoint, authentication providers solve the external trust, and the registration handler solves the user lifecycle inside Salesforce. This is why option C is the best answer in Salesforce terms.

When partner onboarding must prevent duplicate accounts across Salesforce and an external identity store, the safest design is to control registration in one orchestrated flow rather than allowing each system to create identities independently. A custom self-registration experience can validate whether the partner already exists, create the Salesforce partner records in the right account structure, and coordinate identity creation only once. This avoids the common duplication problem where the identity provider and Salesforce both accept separate registrations for the same business user. The architecture goal is not simply sign-in; it is controlled provisioning with deduplication. For that reason, a custom registration page or process that checks existing partners and then creates records in the right order is the strongest fit. This is why option A is the best answer in Salesforce terms.

Dynamic branding in Experience Cloud relies on the Experience ID, sometimes carried as the expid parameter or equivalent placeholder in the URL, so Salesforce can render the right login experience for the selected brand. This is the scalable way to vary the look and feel without duplicating entire identity stacks. The community template choice can matter because not every template exposes branding capabilities the same way, but the central concept is still the Experience ID. External CMS tools are not required just to route the login experience by brand. From an architecture standpoint, this keeps the login framework centralized while letting the entry experience adapt to whichever brand, campaign, or sub-experience the user selected before authentication. This is why option D is the best answer in Salesforce terms.

When customers sign in to an Experience Cloud site with Facebook or LinkedIn credentials, Salesforce is consuming identity from those providers. In federation terms, that means Salesforce is the service provider and the social platforms are acting as the identity providers. This is a foundational identity concept and helps explain why the configuration happens through authentication providers in Salesforce. Salesforce is not issuing the social credential; it is trusting the identity assertion or token from the external provider and then creating or locating the user locally. Understanding that role assignment is important because it determines where trust is configured, where profile data originates, and how the registration handler fits into the login process. This is why option C is the best answer in Salesforce terms.

If users must log in to the Salesforce mobile app with their Active Directory credentials and cannot rely on a mobile VPN, the architecture usually combines Salesforce Identity Connect with the appropriate Active Directory authentication plug-in or federation integration that allows Salesforce to honor those AD credentials without direct VPN dependency. Identity Connect helps bridge AD user management into Salesforce, while the directory-side authentication component handles password validation against Active Directory. Custom triggers or load balancers do not solve the identity problem. The important architecture idea is that workforce users should continue using their corporate directory password, and Salesforce should trust that directory-driven authentication path in a mobile-friendly way. This is why options A, B work together as the correct solution.

External Identity and self-service onboarding can be combined so a guest begins registration without immediately being tied to a permanent contact record. In this design, the site uses the configurable self-registration page and enables new customers or partners to self-register. The registration handler can be customized so the initial user record is created according to the temporary onboarding model the architect wants. After the onboarding process is complete, the flow can create the full account and contact structure and update the user linkage appropriately. The key architectural point is that configurable self-registration gives the team control over how and when the external identity is materialized in Salesforce, instead of forcing the final business relationship to exist at the first screen. This is why options A, B, D work together as the correct solution.