Pass the Salesforce Integration Architecture Designer Integration-Architect Questions and answers with CertsForce

When comparing Platform Events and Outbound Messaging for a near-real-time architecture, a Salesforce Platform Integration Architect must evaluate fundamental differences in their delivery models and governance. While both provide declarative, asynchronous "Fire-and-Forget" capabilities, their technical constraints differ significantly, particularly regarding scalability and platform limits.

The key architectural highlight in this scenario is that Platform Events operate on a specialized event bus with specific Event Publishing and Event Delivery limits. Unlike Outbound Messaging, which is governed by more general daily outbound call limits (often tied to user licenses), Platform Events have a dedicated allocation for the number of events that can be published per hour and delivered in a 24-hour period to external clients via the Pub/Sub API or CometD. For example, the number of concurrent subscribers to a Platform Event channel is typically capped at 2,000 for standard configurations. Since the customer expects 3,000 customers to view these messages, this limit is a critical evaluation point; the architecture would need to account for this gap, perhaps by using middleware to fan out messages to the larger audience.

In contrast, Outbound Messaging does not have an "Event Delivery" limit in the same sense. It is a point-to-point SOAP-based push mechanism where Salesforce manages retries for up to 24 hours if the receiving endpoint is unavailable. However, it is less flexible for multi-consumer scenarios because it requires a separate configuration for every unique destination.

Regarding the other options: Option A is incorrect because neither system strictly guarantees "exactly-once" delivery without the possibility of duplicates; in fact, Outbound Messaging may deliver a message more than once if it doesn't receive a timely acknowledgment. Option B is incorrect because Platform Events do not have built-in "fault recovery" handled by Salesforce in the same way as Outbound Messaging's automatic retry queue; with Platform Events, it is the subscriber’s responsibility to use a Replay ID to retrieve missed events within the 72-hour retention window. Therefore, highlighting the unique delivery and publishing limits is the most vital step for the architect.

When building custom mobile or web applications that aim to replicate the look and feel of Salesforce Lightning Experience, the User Interface (UI) API is the architecturally recommended choice.

The UI API is specifically designed to provide the metadata and data needed to build high-fidelity user interfaces. Unlike the standard REST API (Option B), which returns raw record data, the UI API returns both data and metadata in a single response. This includes information about page layouts, field-level security, picklist values, and localized labels. By using the UI API, the mobile app can dynamically render fields according to the user's permissions and the organization's layout configurations, ensuring that the custom app stays in sync with changes made in Salesforce Setup without requiring code updates in the mobile app.

Connect REST API (Option A) is primarily used for Chatter, Communities (Experience Cloud), and CMS content, and while it is useful for those specific social features, it does not provide the layout and record-level metadata required for a full CRM interface. The UI API is the same underlying technology that powers the Salesforce mobile app and Lightning Experience itself. Therefore, utilizing this API allows NTO's developers to build a native app that perfectly mimics the Lightning Experience while reducing the amount of custom logic needed to handle complex Salesforce UI requirements.

Comprehensive and Detailed 250 to 350 words of Explanation From Salesforce Pl14atform Integration Architect documents: In the rol15e of a Salesforce Platform Integration Architect, evaluating a legacy landscape requires a clinical mapping of current system functions against Salesforce’s native capabilities, while strictly adhering to the "Constraints and Goals" provided by the business. The objective here is to maximize the ROI of the Salesforce implementation by consolidating redundant systems into the core platform.

According to Goal 2, the business intends to utilize Salesforce for Marketing, Sales, and Service processes. Salesforce is architected to handle these three domains through its core clouds: Marketing Cloud (replacing the legacy Email Marketing System), Sales Cloud (replacing the Sales Activity System), and Service Cloud (replacing the Case Management System). By consolidating these three specific functions into Salesforce, the organization achieves Goal 1, which is the creation of a 360-degree view of the customer. When these activities occur on a single platform, the data is unified, eliminating the silos that existed in the previous landscape.

However, the architect must also respect the technical constraints defined in Goal 3, which explicitly states the need to reuse enterprise capabilities built for quoting and order management. In architectural design, this designates the "Quoting System" and the "Order Management System" as systems of record that must remain in the future-state landscape. These systems likely contain complex, proprietary logic or are tightly coupled with back-end ERP systems like SAP Business Suite, making them "non-negotiable" for retirement at this stage.

Therefore, because Email Marketing, Sales Activity, and Case Management map directly to Salesforce’s primary strengths and are not excluded by the "reuse" requirement, they are the three systems that should be retired. This strategic retirement simplifies the integration architecture, allowing the architect to focus on building robust integration patterns (such as Request-Reply or Fire-and-Forget) between Salesforce and the remaining Quoting and Order Management systems.

In a synchronous Request-Reply scenario where a bank agent is waiting "on the spot" for a credit check, the error-handling strategy must balance immediate feedback with system resilience.

Option A is the recommended architectural approach for enterprise resiliency. By placing a Middleware layer (like MuleSoft) between Salesforce and the credit agencies, the architect can implement sophisticated error-handling patterns that are invisible to the user but critical for success. If a credit agency's API is momentarily unreachable, the middleware can perform automated retries (e.g., three attempts with 500ms intervals). If the retries still fail, the middleware sends a clean, structured error response back to Salesforce.

Option B (Fire and Forget) is fundamentally unsuitable for this use case because the agent needs the result immediately to open the account; they cannot wait for a callback that might arrive hours later. Option C (Mock service) is only a testing tool and provides no value in a production environment where real financial data is required. By delegating the retry logic to the middleware, the architect protects Salesforce's concurrent request limits (since the agent only occupies a thread for the duration of the final response) and ensures that transient network issues do not result in a "failed" bank account application for the customer.

In a complex landscape where multiple systems contain overlapping customer data, each with its own primary key, the core architectural challenge is Identity Management. To ensure that an update in Salesforce (the System of Record) correctly updates "Customer A" in the ERP and "Customer A" in the Data Lake, a Master Data Management (MDM) strategy is required.

An MDM solution creates a Cross-Reference (X-Ref) Table or a "Golden Record" that maps the unique identifiers from all systems. In the Salesforce record, the architect should implement External ID fields for each corresponding system (e.g., ERP_ID__c, Ticket_System_ID__c).

Why this is the superior recommendation:

Bidirectional Integrity: When the middleware receives an update from the ERP, it uses the ERP_ID__c to perform an "upsert" in Salesforce, ensuring no duplicates are created.

Traceability: It allows for easy auditing of data lineage across the enterprise.

Decoupling: Salesforce doesn't need to know the internal logic of the ERP; it simply holds the reference key.

Option B (CDC) is a delivery mechanism, not an identity management strategy; it tells you that something changed, but not which record in the ERP it corresponds to without the ID mapping. Option C (Local caching in middleware) is an "anti-pattern" because it makes the middleware stateful; if the middleware cache is lost or out of sync, the entire integration breaks. By designing an MDM-based mapping solution directly within the data model, the architect ensures a robust, scalable, and transparent identity framework for the entire enterprise.

The scenario highlights vulnerabilities in unmanaged packages where secrets (usernames, passwords, OAuth tokens) are stored in plain text and easily accessible. The goal is to protect these secrets from exposure in callouts, especially in unpackaged or unmanaged code contexts.

Why A (Protected Custom Metadata Types and Named Credentials)?

Named Credentials is the primary Salesforce-recommended mechanism for securely storing authentication details (including passwords, tokens, and secrets) for HTTP callouts. Secrets are encrypted, not visible in debug logs, and Salesforce handles authentication without exposing them in Apex code.

However, in Named Credentials, admins with "Customize Application" permission can view/edit the secrets.

To further protect secrets (e.g., hide them completely from admins or in packaged scenarios), use Protected Custom Metadata Types (preferably in a managed package). These allow Apex code in the same namespace/package to access the secrets while hiding them from users, API queries, or subscriber orgs.

This combination addresses both standard callouts (via Named Credentials) and cases needing maximum obfuscation (via Protected Custom Metadata), directly mitigating plain-text exposure in unmanaged packages.

Why not B (Encrypted Custom Fields and Protected Custom Settings)?

Encrypted Custom Fields are suitable for sensitive data like PII (e.g., credit cards, SSNs) but explicitly not recommended for storing authentication secrets or credentials used in callouts (per Salesforce Secure Coding guidelines).

Protected Custom Settings offer similar protection to Protected Custom Metadata but are less preferred for configuration-like data (secrets are configuration). Custom Metadata is deployable as metadata, better for packaging and migrations.

Why not C (Named Credentials and Protected Custom Settings)?

While Named Credentials are ideal, pairing with Protected Custom Settings is valid but suboptimal. Salesforce documentation and Trailhead modules favor Protected Custom Metadata Types over Custom Settings for secret storage due to better deployability, caching, and metadata API support.

This aligns with Salesforce Trailhead ("Securely Store Secrets with Salesforce Features") and secure coding guidelines, emphasizing Named Credentials for callouts and Protected Custom Metadata for high-security secret storage in packages. For unmanaged code vulnerabilities, migrating to these mechanisms (ideally with packaging) prevents exposure.

When building a distributable package (likely a Managed Package) that must securely communicate back to a central "Hub" org, the architect must use a framework that supports OAuth 2.0 flows. Storing plain-text or even encrypted passwords (Option B) is a security violation and is brittle across different environments.

The architecturally sound solution is to leverage the Authentication Provider and Named Credentials framework. In the central org, a Connected App is created to act as the OAuth endpoint. In the package, an Authentication Provider is configured using the Consumer Key and Consumer Secret from that Connected App. This setup allows the administrator in the "Subscriber" org (the org where the package is installed) to initiate an OAuth flow.

When the security team "authorizes" the integration after installation, they are essentially completing the OAuth handshake. This grants the subscriber org an Access Token and a Refresh Token associated with the specific integration user in the central org. This mechanism ensures:

Credential Security: No passwords are ever stored in the code or metadata.

Centralized Control: The security team in the central org can revoke the Refresh Token at any time to kill the integration.

Scalability: The same package can be distributed to hundreds of orgs, each with its own unique, secure connection to the central Hub.

By using an Authentication Provider combined with a Named Credential, the Apex code in the package can simply call the endpoint by its developer name, and Salesforce handles the entire authentication header injection automatically, ensuring a robust and secure cross-org integration.

Salesforce Connect is a powerful tool for data virtualization, allowing users to view and manage data in external systems (via OData) as if it were stored natively in Salesforce. However, a critical security decision during the setup of an External Data Source is determining the Identity Type.

The Identity Type determines how the external system authenticates the Salesforce user. There are two primary options:

Named Principal: Every Salesforce user accesses the external system using the same set of credentials. This is easier to maintain but provides less granular security tracking in the target system.

Per User: Each individual Salesforce user must provide their own credentials for the external system. This ensures that the data visible in Salesforce respects the user's specific permissions in the external source.

Configuring the Identity Type is the fundamental way an architect secures OData requests because it defines the authentication boundary between the platforms. While certificates (Option A) can be used for transport layer security, the "Identity Type" configuration is the specific Salesforce Connect setting that governs how a session is authorized. Option B (Special Compatibility) is a technical setting used to handle non-standard OData implementations and does not directly relate to securing the request. By recommending the correct Identity Type, the architect ensures that the integration adheres to the "Principle of Least Privilege," ensuring that users only see the external data they are authorized to access.