Identity-and-Access-Management-Architect Exam Dumps - Salesforce Identity and Access Management Designer Questions and Answers

Identity Verification Credits are consumed when Salesforce sends verification challenges through the configured channel, and SMS-based passwordless login specifically depends on SMS verification activity. Therefore the right estimation approach is to forecast how many SMS verification events the portal will generate, not how many community licenses exist. Some Salesforce identity offerings include baseline entitlements, but capacity planning still centers on expected verification traffic. If the portal intends to let customers log in with one-time passcodes sent by text, then every challenge can consume credits. The architecture question is really an operational one: estimate the expected volume of SMS-based login verification and size the verification-credit requirement to match that demand. This is why option C is the best answer in Salesforce terms.

When a third-party enterprise identity provider already validates users against LDAP and the organization wants employees to remember as few passwords as possible, Salesforce should be configured as the service provider. That lets the existing IdP remain the authoritative login system while Salesforce trusts the resulting assertion. Salesforce Connect is unrelated to password synchronization, and making Salesforce the IdP would invert the current enterprise architecture. This is a classic workforce SSO pattern: the corporate identity layer owns credentials, and Salesforce consumes that identity through federation. The architectural win is reduced password sprawl. Users authenticate once against the enterprise identity provider and then reach Salesforce without maintaining a separate Salesforce password. This is why option D is the best answer in Salesforce terms.

For fine-grained delegated access and long-lived sessions, the Authorization Code flow is the strongest mainstream OAuth choice. It supports user consent, server-side token exchange, and refresh-token issuance in the patterns Salesforce documents for confidential applications. Client Credentials is for app-to-app integration without a user context, and Implicit/User-Agent is less suitable for strong control and durable token management. Username-password is a special-case flow that trades off security and user experience. The reason this matters architecturally is that the authorization code pattern separates user authentication from token exchange and allows the client to keep secrets securely on the server side. That is why it remains the preferred model for robust delegated access to protected Salesforce resources. This is why option B is the best answer in Salesforce terms.

The AMR field in Salesforce Login History is meaningful only when the upstream identity provider includes authentication-method information in a way Salesforce can understand. Salesforce can surface AMR information from modern federation patterns, but the actual authentication methods must be asserted by the IdP. That is why architects need to think about protocol support and IdP implementation. The field is useful because it shows how the user authenticated upstream, for example whether MFA or another method was used. High-assurance session settings are related to policy enforcement, but they do not by themselves populate AMR. The key design point is that AMR is an observation of the IdP’s authentication methods, not an independent Salesforce-generated fact. This is why options A, C work together as the correct solution.

For a server-to-server integration that should avoid end-user interaction and maximize security, the JWT Bearer Flow is the strongest fit. Salesforce documents it for noninteractive scenarios where a trusted external service can sign an assertion with a certificate and exchange it for an access token. That means no browser- based approval screen, no password collection, and no dependence on a human being present to authorize the session. Web Server and User-Agent flows are designed for interactive delegated access, while username-password is a special-case pattern with weaker security characteristics. The architectural takeaway is simple: when the client is a trusted server and the goal is high assurance with minimal user involvement, certificate-based JWT exchange is the preferred Salesforce approach. This is why option A is the best answer in Salesforce terms.

Salesforce connected-app user provisioning can be combined with internal approval so downstream accounts are created only after the right business authorization is complete. The connected app must have user provisioning enabled, and the target application must be represented as a connected app in Salesforce. To control timing, the approval process should be associated with the provisioning request object that participates in the provisioning lifecycle rather than with the generic User object. That allows the organization to hold or approve the provisioning action itself. This pattern is useful when HR or compliance wants a formal checkpoint before external accounts are created. The architecture separates identity eligibility from final outbound provisioning execution. This is why options C, D, E work together as the correct solution.

To populate custom fields on the User record during SSO, Salesforce expects the architect to use the SAML Just-in-Time handler pattern. That means implementing the appropriate JIT interface and supplying create and update methods that map incoming assertion data into Salesforce user attributes. Session management classes and generic registration-handler interfaces solve different problems. The JIT handler exists specifically so that user creation and user updates can occur at login time based on federation data. This is useful when the identity provider is the source of truth for workforce attributes and those values must be refreshed without manual administration. In short, the interface gives Salesforce the entry point, and the create/update methods carry out the field population logic. This is why options C, D work together as the correct solution.

If the external portal supports OAuth-based identity and Salesforce must accept its users for single sign-on, OpenID Connect is the right standards-based pattern because it adds identity semantics on top of OAuth. That is why Salesforce can be configured to trust the portal as an identity provider through OIDC rather than through generic delegated authentication. A connected app alone would not make Salesforce treat the portal as the identity source. Delegated Authentication is also a different model centered on username/password validation through a web service. The architectural advantage of OIDC is that the portal can remain the source of identity while Salesforce consumes verified user information and establishes a federated session. This is why option D is the best answer in Salesforce terms.

Dynamic branding in Experience Cloud relies on the Experience ID, sometimes carried as the expid parameter or equivalent placeholder in the URL, so Salesforce can render the right login experience for the selected brand. This is the scalable way to vary the look and feel without duplicating entire identity stacks. The community template choice can matter because not every template exposes branding capabilities the same way, but the central concept is still the Experience ID. External CMS tools are not required just to route the login experience by brand. From an architecture standpoint, this keeps the login framework centralized while letting the entry experience adapt to whichever brand, campaign, or sub-experience the user selected before authentication. This is why options B, D work together as the correct solution.

If Salesforce is brokering identity from an enterprise SSO platform to downstream applications, then in its relationship with the enterprise SSO system Salesforce is acting as a service provider. It is consuming authentication from the enterprise identity source and then using that result to participate in further federation to third-party apps. That distinction matters because the same platform can be an SP upstream and an IdP downstream in the same overall architecture. Resource server and client-application labels do not describe the identity role Salesforce is playing in that specific trust relationship. The key point is directional trust: Salesforce receives the authentication from the enterprise SSO provider, so it is the service provider in that connection. This is why option A is the best answer in Salesforce terms.