Identity-and-Access-Management-Architect Exam Dumps - Salesforce Identity and Access Management Designer Questions and Answers

When creating an authentication provider in Salesforce, architects can configure operational settings that shape the user experience and downstream provisioning behavior. A custom error URL is supported so failed sign-ins can be routed to a branded or informative destination. A custom registration handler is also supported, giving the org control over how incoming identities are mapped to Salesforce users and related records. By contrast, options like a “default login user” or a generic default certificate setting do not describe the primary provider-creation controls in the same way. The important architecture concept is that an authentication provider defines both the trust with the external source and the user-lifecycle handling logic inside Salesforce. This is why options B, D work together as the correct solution.

For a website that doesn’t natively speak SAML or OAuth but still wants Salesforce-backed social sign-in, the architecture typically combines authentication providers with Embedded Login, and the integration is supported through the connected app framework around Salesforce Identity. Authentication providers establish trust with the social sources, while Embedded Login brings the Salesforce-controlled sign-in experience into the existing site. Delegated Authentication is for username/password validation against an external system and doesn’t provide social sign-in. Identity Connect is also unrelated because it is aimed at directory synchronization. The key architectural move is to let Salesforce handle the identity transaction and present that capability inside the existing website, rather than trying to make the legacy site implement standards it doesn’t already support. This is why options A, B, D work together as the correct solution.

The Identity Only license is designed for users who need Salesforce Identity services without broad CRM object access. Salesforce documentation positions it for scenarios where employees or other internal users need to authenticate with Salesforce credentials and access connected applications, but they do not require the full set of standard Salesforce business objects. That makes it a good fit for benefits portals, employee hubs, or third-party workforce apps that rely on Salesforce for identity rather than for CRM usage. External Identity is aimed at external audiences such as customers or partners, while Identity Connect is synchronization software rather than an end-user license. The licensing decision follows the user population and the scope of application access more than the authentication protocol itself. This is why option A is the best answer in Salesforce terms.

The Identity Only license is designed for users who need Salesforce Identity services without broad CRM object access. Salesforce documentation positions it for scenarios where employees or other internal users need to authenticate with Salesforce credentials and access connected applications, but they do not require the full set of standard Salesforce business objects. That makes it a good fit for benefits portals, employee hubs, or third-party workforce apps that rely on Salesforce for identity rather than for CRM usage. External Identity is aimed at external audiences such as customers or partners, while Identity Connect is synchronization software rather than an end-user license. The licensing decision follows the user population and the scope of application access more than the authentication protocol itself. This is why option C is the best answer in Salesforce terms.

My Domain is a prerequisite for many modern Salesforce identity capabilities because it gives the org a unique and predictable login domain. In multi-org environments, that matters when users click record links from emails and must be routed into the correct instance and authentication path. Without My Domain, identity routing and branded login behavior become harder to control, especially when multiple orgs and external identity providers are involved. MFA and Identity Provider settings address other aspects of security, but they do not provide the unique domain-level entry point required here. The architectural role of My Domain is both technical and user-facing: it standardizes the login endpoint and helps ensure that generated links take users to the proper org context. This is why option B is the best answer in Salesforce terms.

For guest checkout scenarios that later convert a shopper into a registered customer, Salesforce self-registration is the natural starting point because it gives the site a controlled way to create an external user account. The self-registration experience can be customized so that the user enters just enough order information for the site to locate the previously collected guest data and then complete the registration. SAML and social login don’t solve the core problem, which is linking an existing guest transaction to a newly created community identity. A Connected App Handler is also not the standard Experience Cloud tool for this registration pattern. The right design is to keep registration in Salesforce and tailor the page to reconcile the new user with the known order record. This is why option A is the best answer in Salesforce terms.

For a connected app to appear as a tile in the Salesforce App Launcher, two things generally matter: the app must be marked visible in the App Launcher, and the connected app configuration must include the required launch details such as the start URL or equivalent launch settings. High-assurance session requirements or OIDC scopes do not by themselves control whether the tile shows up. The absence of a launch target can keep the app from being presented meaningfully to users even when the connected app exists. From an architecture and administration perspective, discovery in the launcher depends on app-visibility settings plus a valid launch configuration. Without those, users can be entitled to the app and still not see it in the launcher. This is why options B, C work together as the correct solution.

In delegated authentication, Salesforce hands off password validation to the external system that owns the credentials. Because the password is not managed by Salesforce, the user must change that password in the enterprise authentication source, such as the LDAP or SSO portal. Salesforce reset links and in-app change-password pages are not authoritative in that model. This is a common exam theme: once credential management is delegated, the downstream service does not become the place where users administer those credentials. The architectural boundary matters. Salesforce still consumes the authentication result, but the source system retains responsibility for password storage, password policy, and password changes. Therefore the end-user password-management experience belongs to the external identity store. This is why option A is the best answer in Salesforce terms.

In the OAuth 2.0 web server flow, the main concepts are scopes, an access token, and a client secret. This is the authorization-code pattern for confidential web applications, so the server-side client can safely hold the client secret and exchange the authorization code for an access token. Verification URLs and generic “authentication tokens” are not the defining exam concepts here. Salesforce documentation emphasizes that the web server flow is appropriate when the application can securely store secrets and needs to access APIs on behalf of the user. That is why the flow combines requested scopes, a confidential client, and a token issued after the secure code exchange. Those are the concepts that matter most when reasoning about this flow. This is why options C, D, E work together as the correct solution.

If the organization wants users to sign in only through SSO and not by entering credentials at login.salesforce.com, two standard controls are used together. My Domain can be configured to prevent login from the generic Salesforce login page, forcing users onto the org-specific authentication entry point. In addition, the user can be marked as “Is Single Sign-On Enabled,” which prevents password-based Salesforce login for that user. Those two controls reinforce each other: one redirects the entry point, and the other removes the fallback credential path. Delegated authentication is not required just to enforce SSO, and simply enabling SSO never means Salesforce credentials stop working automatically. The architecture goal is to remove non-SSO login paths deliberately. This is why options A, D work together as the correct solution.