Salesforce Identity-and-Access-Management-Architect - Salesforce Certified Platform Identity and Access Management Architect (Plat-Arch-203)

If Salesforce is brokering identity from an enterprise SSO platform to downstream applications, then in its relationship with the enterprise SSO system Salesforce is acting as a service provider. It is consuming authentication from the enterprise identity source and then using that result to participate in further federation to third-party apps. That distinction matters because the same platform can be an SP upstream and an IdP downstream in the same overall architecture. Resource server and client-application labels do not describe the identity role Salesforce is playing in that specific trust relationship. The key point is directional trust: Salesforce receives the authentication from the enterprise SSO provider, so it is the service provider in that connection. This is why option A is the best answer in Salesforce terms.

If the external portal supports OAuth-based identity and Salesforce must accept its users for single sign-on, OpenID Connect is the right standards-based pattern because it adds identity semantics on top of OAuth. That is why Salesforce can be configured to trust the portal as an identity provider through OIDC rather than through generic delegated authentication. A connected app alone would not make Salesforce treat the portal as the identity source. Delegated Authentication is also a different model centered on username/password validation through a web service. The architectural advantage of OIDC is that the portal can remain the source of identity while Salesforce consumes verified user information and establishes a federated session. This is why option D is the best answer in Salesforce terms.