Salesforce Identity-and-Access-Management-Architect - Salesforce Certified Platform Identity and Access Management Architect (Plat-Arch-203)

When a single identity design must support very high external login volumes, performance becomes part of the architecture, not just feature selection. Salesforce Experience Cloud and identity features can support large-scale CIAM scenarios, but official guidance encourages validating expected login peaks and performance assumptions with Salesforce for unusually high throughput requirements. That is especially important when the solution spans communities and commerce experiences and expects more than a thousand logins per minute. The question is not just whether the platform supports federation, Person Accounts, or an external identity provider; it is whether the design has been reviewed for operational scale. Confirming performance considerations with Salesforce is therefore the prudent architectural step before finalizing the rollout model. This is why option B is the best answer in Salesforce terms.

When partner onboarding must prevent duplicate accounts across Salesforce and an external identity store, the safest design is to control registration in one orchestrated flow rather than allowing each system to create identities independently. A custom self-registration experience can validate whether the partner already exists, create the Salesforce partner records in the right account structure, and coordinate identity creation only once. This avoids the common duplication problem where the identity provider and Salesforce both accept separate registrations for the same business user. The architecture goal is not simply sign-in; it is controlled provisioning with deduplication. For that reason, a custom registration page or process that checks existing partners and then creates records in the right order is the strongest fit. This is why option A is the best answer in Salesforce terms.

For a website that doesn’t natively speak SAML or OAuth but still wants Salesforce-backed social sign-in, the architecture typically combines authentication providers with Embedded Login, and the integration is supported through the connected app framework around Salesforce Identity. Authentication providers establish trust with the social sources, while Embedded Login brings the Salesforce-controlled sign-in experience into the existing site. Delegated Authentication is for username/password validation against an external system and doesn’t provide social sign-in. Identity Connect is also unrelated because it is aimed at directory synchronization. The key architectural move is to let Salesforce handle the identity transaction and present that capability inside the existing website, rather than trying to make the legacy site implement standards it doesn’t already support. This is why options A, B, D work together as the correct solution.

To enable social sign-on for Experience Cloud, Salesforce expects the architect to create an authentication provider for each social identity source, expose those providers on the login page, and use the registration handler logic that creates or updates the external user in Salesforce. SAML federation is not required for Facebook or LinkedIn sign-in. Connected apps are not how those social providers are registered for Experience Cloud login; the trust is established through authentication providers. The architect also needs the login page to actually show the provider buttons so users can choose those sign-in methods. In short, the implementation has three moving parts: provider setup, login-page exposure, and user-provisioning logic through the registration handler. This is why options A, C, D work together as the correct solution.

In OAuth-based Salesforce integrations, intermittent logout behavior is often tied to token lifecycle rather than to general platform permissions. Salesforce documentation distinguishes clearly between authentication, authorization, and token validity. Even if the initial login succeeds, the user can appear to be “randomly logged out” when an access token expires, is revoked, or can no longer be refreshed according to policy. That is why token status and refresh behavior should be checked early in troubleshooting. Browser version, network delay, or missing Salesforce permissions can cause other access problems, but they do not typically explain an established SSO session ending intermittently in an OAuth flow. The first architectural checkpoint is whether the token issued by the identity provider remains valid for the expected duration. This is why option A is the best answer in Salesforce terms.

In delegated authentication, Salesforce hands off password validation to the external system that owns the credentials. Because the password is not managed by Salesforce, the user must change that password in the enterprise authentication source, such as the LDAP or SSO portal. Salesforce reset links and in-app change-password pages are not authoritative in that model. This is a common exam theme: once credential management is delegated, the downstream service does not become the place where users administer those credentials. The architectural boundary matters. Salesforce still consumes the authentication result, but the source system retains responsibility for password storage, password policy, and password changes. Therefore the end-user password-management experience belongs to the external identity store. This is why option A is the best answer in Salesforce terms.

When partners need a single login and some do business across multiple country operations, the lowest-customization answer is often to federate access across org boundaries with SAML rather than replicate identities manually in each org. A partner can maintain a primary login context and use federation to reach the additional orgs or communities they need. Consolidating everything into one org may not be feasible if country-based orgs already exist for operational reasons, while APIs and login flows create more custom work. The architectural point is that identity should be centralized even if application data remains distributed. SAML federation is built precisely for that: one user identity can be trusted across multiple Salesforce-based service providers without forcing separate sign-in credentials per country. This is why option A is the best answer in Salesforce terms.

Salesforce supports token revocation through the revoke token endpoint. When an external application logs the user out and the existing OAuth token must be invalidated immediately, the application should make the appropriate HTTP request to that revocation endpoint and include the current token. That explicitly tells Salesforce the token should no longer be accepted. Requesting a new refresh token or calling unrelated endpoints would not invalidate the existing authorization. Single Logout can help in federated browser journeys, but the requirement here is specifically about invalidating the OAuth token itself. The architecture distinction is important: session logout and token revocation are related but not identical operations, and Salesforce provides a dedicated endpoint for revocation. This is why option A is the best answer in Salesforce terms.

To populate custom fields on the User record during SSO, Salesforce expects the architect to use the SAML Just-in-Time handler pattern. That means implementing the appropriate JIT interface and supplying create and update methods that map incoming assertion data into Salesforce user attributes. Session management classes and generic registration-handler interfaces solve different problems. The JIT handler exists specifically so that user creation and user updates can occur at login time based on federation data. This is useful when the identity provider is the source of truth for workforce attributes and those values must be refreshed without manual administration. In short, the interface gives Salesforce the entry point, and the create/update methods carry out the field population logic. This is why options C, D work together as the correct solution.