Salesforce Identity-and-Access-Management-Architect - Salesforce Certified Platform Identity and Access Management Architect (Plat-Arch-203)

External Identity is the Salesforce license intended for business-to-consumer and other external audience identity scenarios. When the requirement is to provide single sign-on or authentication services for customers rather than internal employees, this is the licensing model architects evaluate first. Identity Only is typically used for internal workforce users who need identity services without broad CRM access, while partner licenses address collaboration models tied to partner accounts. The design driver here is audience type: the users are external consumers of a B2C-style application. Salesforce separates those audiences in licensing because the underlying access model, scale expectations, and Experience Cloud use cases differ from workforce identity. That is why External Identity is the appropriate license choice. This is why option C is the best answer in Salesforce terms.

If the order-tracking application supports SAML SSO and should only be accessible to active Salesforce users from inside Salesforce, the clean approach is to make Salesforce the identity provider and expose the app through Salesforce as a Canvas-style embedded experience or equivalent app launch pattern. Using Salesforce as the IdP ensures that only valid Salesforce users can obtain the SAML identity needed to enter the external system. A separate corporate identity store or a custom REST validation step introduces more moving parts than needed. The architectural goal is to let Salesforce govern access to the application that is surfaced from within Salesforce. That points to Salesforce-led federation and an in-platform application entry point. This is why options C, D work together as the correct solution.

For fine-grained delegated access and long-lived sessions, the Authorization Code flow is the strongest mainstream OAuth choice. It supports user consent, server-side token exchange, and refresh-token issuance in the patterns Salesforce documents for confidential applications. Client Credentials is for app-to-app integration without a user context, and Implicit/User-Agent is less suitable for strong control and durable token management. Username-password is a special-case flow that trades off security and user experience. The reason this matters architecturally is that the authorization code pattern separates user authentication from token exchange and allows the client to keep secrets securely on the server side. That is why it remains the preferred model for robust delegated access to protected Salesforce resources. This is why option B is the best answer in Salesforce terms.

When an external brand such as Amazon supports OpenID Connect and the requirement is to let customers use those credentials to sign in to Experience Cloud, the straightforward Salesforce approach is to configure an OpenID Connect authentication provider. A connected app represents an app trust relationship, not the external identity source for community login. A predefined provider can be used only when Salesforce offers that exact template; otherwise standards-based OIDC is the general answer. Building a custom provider would be unnecessary if the external source already speaks OpenID Connect. The architectural decision is simply to use the standard protocol that the provider supports and let Salesforce consume that identity through an authentication provider. This is why option C is the best answer in Salesforce terms.

The Identity Only license is designed for users who need Salesforce Identity services without broad CRM object access. Salesforce documentation positions it for scenarios where employees or other internal users need to authenticate with Salesforce credentials and access connected applications, but they do not require the full set of standard Salesforce business objects. That makes it a good fit for benefits portals, employee hubs, or third-party workforce apps that rely on Salesforce for identity rather than for CRM usage. External Identity is aimed at external audiences such as customers or partners, while Identity Connect is synchronization software rather than an end-user license. The licensing decision follows the user population and the scope of application access more than the authentication protocol itself. This is why option A is the best answer in Salesforce terms.

Dynamic branding in Experience Cloud relies on the Experience ID, sometimes carried as the expid parameter or equivalent placeholder in the URL, so Salesforce can render the right login experience for the selected brand. This is the scalable way to vary the look and feel without duplicating entire identity stacks. The community template choice can matter because not every template exposes branding capabilities the same way, but the central concept is still the Experience ID. External CMS tools are not required just to route the login experience by brand. From an architecture standpoint, this keeps the login framework centralized while letting the entry experience adapt to whichever brand, campaign, or sub-experience the user selected before authentication. This is why option D is the best answer in Salesforce terms.

In the OAuth 2.0 web server flow, the main concepts are scopes, an access token, and a client secret. This is the authorization-code pattern for confidential web applications, so the server-side client can safely hold the client secret and exchange the authorization code for an access token. Verification URLs and generic “authentication tokens” are not the defining exam concepts here. Salesforce documentation emphasizes that the web server flow is appropriate when the application can securely store secrets and needs to access APIs on behalf of the user. That is why the flow combines requested scopes, a confidential client, and a token issued after the secure code exchange. Those are the concepts that matter most when reasoning about this flow. This is why options C, D, E work together as the correct solution.

For large-scale analysis of suspicious login behavior, the feature often referred to as login forensics or forensic login analysis depends on the deeper telemetry available through Salesforce Shield and related monitoring capabilities. The goal is to identify patterns such as average login volume, off-hours behavior, unusual spikes, and outlier users. Basic Login History shows individual events, but forensic analysis is about aggregating and investigating behavior at scale. That is why the organization needs the analytics-oriented login forensics capability rather than a simple list of logins. The architectural point is that fraud detection usually requires richer monitoring and analysis than the standard admin screens provide, especially in a 15,000-user environment. This is why option B is the best answer in Salesforce terms.

The Identity Only license is designed for users who need Salesforce Identity services without broad CRM object access. Salesforce documentation positions it for scenarios where employees or other internal users need to authenticate with Salesforce credentials and access connected applications, but they do not require the full set of standard Salesforce business objects. That makes it a good fit for benefits portals, employee hubs, or third-party workforce apps that rely on Salesforce for identity rather than for CRM usage. External Identity is aimed at external audiences such as customers or partners, while Identity Connect is synchronization software rather than an end-user license. The licensing decision follows the user population and the scope of application access more than the authentication protocol itself. This is why option C is the best answer in Salesforce terms.

Customer 360 Identity contributes to a broader Customer 360 strategy by giving the organization a consistent sign-up and sign-in layer across digital properties and by helping correlate user behavior across those properties. It is especially valuable in multi-brand environments because the identity service can remain centralized even while user experiences differ by site or brand. From an architecture standpoint, this creates continuity: the organization understands login behavior and user journeys more holistically instead of treating each application as an isolated identity silo. Customer 360 Identity is not simply a data loader for all customer data products. Its core value is identity continuity, cross-property recognition, and a unified access experience that supports the larger goal of a single, trusted customer view. This is why options B, C work together as the correct solution.