Salesforce Identity-and-Access-Management-Architect - Salesforce Certified Platform Identity and Access Management Architect (Plat-Arch-203)

For social sign-on into Experience Cloud, Salesforce relies on authentication providers to establish trust with each social identity source and on a registration handler to create or update the Salesforce user and related records. That pattern applies whether the provider is Facebook, LinkedIn, Twitter, or a standards-based OpenID Connect provider. Process Builder or Flow does not replace the registration handler in this identity handshake. The registration handler is where Salesforce decides how to map the incoming identity to an existing user, when to create a new one, and how to update profile information over time. From an architecture standpoint, authentication providers solve the external trust, and the registration handler solves the user lifecycle inside Salesforce. This is why option C is the best answer in Salesforce terms.

When an account may be compromised, the first Salesforce-native source to review is Login History. It shows authentication attempts, source IP addresses, login status, browser and platform information, and the methods used to access the org. That makes it the most direct starting point for identifying suspicious access patterns or confirming when and how a user session was established. Setup Audit Trail tracks administrative configuration changes, not end-user sign-in behavior, and the user record itself doesn’t provide the same detailed authentication trail. In a forensic workflow, the early question is usually “did someone log in, from where, and by what method?” Login History is the fastest place to answer that inside Salesforce. This is why option B is the best answer in Salesforce terms.

My Domain is a prerequisite for many modern Salesforce identity capabilities because it gives the org a unique and predictable login domain. In multi-org environments, that matters when users click record links from emails and must be routed into the correct instance and authentication path. Without My Domain, identity routing and branded login behavior become harder to control, especially when multiple orgs and external identity providers are involved. MFA and Identity Provider settings address other aspects of security, but they do not provide the unique domain-level entry point required here. The architectural role of My Domain is both technical and user-facing: it standardizes the login endpoint and helps ensure that generated links take users to the proper org context. This is why option B is the best answer in Salesforce terms.

When a mobile application uses refresh tokens to preserve login state, the strongest control for forcing re-verification after inactivity is the refresh token policy. Salesforce lets administrators define when refresh tokens expire, including inactivity-based expiration. That is more aligned with the stated requirement than a generic session timeout, because the app renews access through the refresh token even after individual access tokens expire. Denying refresh_token scope would break the usability requirement, and manually maintaining permitted users would be operationally weak. The architecture question is about reauthentication after the device has been idle from an OAuth perspective. In Salesforce connected apps, that control sits with the refresh token policy, especially the “expire if not used for X days” style setting. This is why option D is the best answer in Salesforce terms.

The OAuth 2.0 Asset Token Flow is Salesforce’s purpose-built answer for connected devices and IoT-style integrations. It is designed for assets that need to act on behalf of a physical device or asset record rather than a human user. That makes it the correct fit for sensors, GPS trackers, or smart devices that must securely post telemetry or create service actions in Salesforce. User-agent, web-server, or username-password flows are built around user identity or generic application access, not around a registered device/asset relationship. The architectural advantage of the asset token model is that it ties the authorization context back to the asset, which is exactly what you want when the platform must know which device generated the event or maintenance alert. This is why option A is the best answer in Salesforce terms.

The OAuth 2.0 Asset Token Flow is Salesforce’s purpose-built answer for connected devices and IoT-style integrations. It is designed for assets that need to act on behalf of a physical device or asset record rather than a human user. That makes it the correct fit for sensors, GPS trackers, or smart devices that must securely post telemetry or create service actions in Salesforce. User-agent, web-server, or username-password flows are built around user identity or generic application access, not around a registered device/asset relationship. The architectural advantage of the asset token model is that it ties the authorization context back to the asset, which is exactly what you want when the platform must know which device generated the event or maintenance alert. This is why option D is the best answer in Salesforce terms.

If the external wellness application needs user attributes returned in an ID token, the mechanism must be OpenID Connect. OIDC extends OAuth with identity semantics and introduces the ID token as the standard carrier for authenticated user information. A plain user-agent or web-server OAuth flow by itself does not guarantee an ID token, because OAuth alone is about authorization, not identity. JWT bearer flow is also for noninteractive token exchange, not end-user identity assertion to a relying party. The architecture requirement points directly to the artifact being requested: an ID token. In Salesforce identity design, once the requirement says “return attributes in an ID token,” the answer is to use OpenID Connect. This is why option B is the best answer in Salesforce terms.

A native mobile app that must call Salesforce APIs, keep users signed in, and avoid the approval screen needs two things from the connected app configuration: the right scopes and administrator-controlled authorization. The API scope allows REST access, and the offline_access scope allows the app to obtain a refresh token so it can continue working without repeated interactive sign-in. To suppress the approval page for end users, the connected app should be set to Admin Pre-Approved rather than allowing self-authorization. JWT bearer flow is not necessary when the scenario already states a native app user flow. Salesforce guidance for mobile apps consistently focuses on choosing the appropriate OAuth scopes first and then pairing them with the correct connected app access policy. This is why option C is the best answer in Salesforce terms.

The requirements call for two distinct capabilities: federation for sign-in and standards-based lifecycle management for provisioning. In Salesforce terms, that means Salesforce should act as a SAML service provider for authentication while SCIM handles create, update, and deactivate operations from the central IAM system. Just-in-Time provisioning alone is not enough here because the requirement includes provisioning and deprovisioning triggered by user status changes in the central identity service, not just first-login user creation. Identity Connect is aimed at Active Directory synchronization and is not the general answer for cloud IAM-to-Salesforce lifecycle management. Pairing SAML for SSO with SCIM for provisioning is the clean standards-based architecture when identity governance happens outside Salesforce. This is why option C is the best answer in Salesforce terms.

To populate custom fields on the User record during SSO, Salesforce expects the architect to use the SAML Just-in-Time handler pattern. That means implementing the appropriate JIT interface and supplying create and update methods that map incoming assertion data into Salesforce user attributes. Session management classes and generic registration-handler interfaces solve different problems. The JIT handler exists specifically so that user creation and user updates can occur at login time based on federation data. This is useful when the identity provider is the source of truth for workforce attributes and those values must be refreshed without manual administration. In short, the interface gives Salesforce the entry point, and the create/update methods carry out the field population logic. This is why options A, C work together as the correct solution.