Free Salesforce Identity-and-Access-Management-Architect Practice Exam with Questions & Answers | Set: 2

Salesforce supports token revocation through the revoke token endpoint. When an external application logs the user out and the existing OAuth token must be invalidated immediately, the application should make the appropriate HTTP request to that revocation endpoint and include the current token. That explicitly tells Salesforce the token should no longer be accepted. Requesting a new refresh token or calling unrelated endpoints would not invalidate the existing authorization. Single Logout can help in federated browser journeys, but the requirement here is specifically about invalidating the OAuth token itself. The architecture distinction is important: session logout and token revocation are related but not identical operations, and Salesforce provides a dedicated endpoint for revocation. This is why option A is the best answer in Salesforce terms.

Salesforce supports dynamic branding for Experience Cloud login journeys through the Experience ID parameter. The Experience ID tells Salesforce which branded experience to render, allowing a single identity implementation to serve multiple brands or sub-brands without building separate authentication stacks. This is more scalable than asking users to pick a brand after arrival or inventing custom parameters and branding logic outside the standard experience framework. It also works cleanly with OAuth and SAML-based sign-in patterns, which is why it is commonly recommended in multi-brand CIAM designs. When the requirement is to reliably present the correct branded Salesforce experience during login, the Experience ID is the built-in mechanism intended for that routing and presentation layer. This is why option B is the best answer in Salesforce terms.

In this design, Salesforce plays two separate identity roles. Because Okta authenticates the workforce and sends users into Salesforce via federation, Salesforce is acting as the SAML service provider. At the same time, when the forecasting web application asks users to authorize access to Salesforce records, Salesforce is the OAuth resource owner’s platform and the external application is the client. From Salesforce’s perspective in that authorization exchange, it participates as the OAuth authorization platform and the ecosystem around it treats Salesforce as the protected resource. The important exam distinction is that one platform can play different identity roles in different flows. Here, Salesforce accepts a SAML assertion for login and also participates in an OAuth pattern for delegated data access. This is why options B, C work together as the correct solution.

Trust between Salesforce and an identity provider is established by exchanging the metadata and certificates that define each side of the federation relationship. In Salesforce SAML setups, this commonly means importing or exchanging metadata XML so each side knows the issuer, endpoints, and signing certificate of the other. A VPN tunnel or custom login page does not create protocol-level trust for SSO. Embedding authentication code into Salesforce is not how federation is configured. The key concept from Salesforce documentation is that SAML trust is declarative and certificate-based: the two parties agree on metadata, endpoints, and certificates, and then assertions are validated against that trust configuration. That exchange is the foundation of a working Salesforce-IdP federation. This is why option C is the best answer in Salesforce terms.

For social sign-on into Experience Cloud, Salesforce relies on authentication providers to establish trust with each social identity source and on a registration handler to create or update the Salesforce user and related records. That pattern applies whether the provider is Facebook, LinkedIn, Twitter, or a standards-based OpenID Connect provider. Process Builder or Flow does not replace the registration handler in this identity handshake. The registration handler is where Salesforce decides how to map the incoming identity to an existing user, when to create a new one, and how to update profile information over time. From an architecture standpoint, authentication providers solve the external trust, and the registration handler solves the user lifecycle inside Salesforce. This is why option C is the best answer in Salesforce terms.

Salesforce’s user-agent flow implements the OAuth 2.0 implicit grant model for browser-based or mobile applications that obtain authorization through a browser. In that flow, the client uses a client ID and requests specific scopes. The user authorizes the app, and the resulting token is delivered through the browser-based redirect. In Salesforce identity examples, refresh-related behavior is often part of the mobile discussion, while an authorization code is not a characteristic of the implicit model. That is the key concept to remember: implicit or user-agent flow is centered on browser-mediated authorization without a back-end code exchange. So the valid concepts align with client identity and requested access, not with the server-side authorization-code step used in the web server flow. This is why options A, B, E work together as the correct solution.

When customers are invited into an Experience Cloud site rather than self-registering, the normal Salesforce pattern is to create them as contacts, add them to the site, and enable the welcome email so they can establish their own password from the invitation. Login flows are not the primary mechanism for initial password setup, and updating site membership through an API does not replace the standard invitation process. The important architectural idea is that the user lifecycle begins with site membership and an activation journey, not with self-service reset logic. Salesforce’s welcome-email flow is specifically designed for this moment: it gives the invited external user a secure path to activate access and define their password for the community. This is why options A, D work together as the correct solution.

If the concern is that an SP-initiated SAML request could be altered on the way to the identity provider, the additional control is request signing. Salesforce supports signing the SAML request with a request-signing certificate so the IdP can verify integrity and origin. HTTPS protects the transport channel, but it does not provide the same message-level assurance that a signed request provides inside the SAML trust model. Issuer and ACS configuration are necessary for setup, yet they do not prove that the request was not modified. The architecture principle here is layered trust: transport security protects the channel, while signature validation protects the SAML message itself. That is why the request-signing certificate is the feature that directly addresses tampering concerns. This is why option D is the best answer in Salesforce terms.

Salesforce Activations gives administrators visibility into the devices that users have activated for certain trusted access experiences and the ability to revoke those device activations when necessary. That aligns directly with compliance requirements to track devices used for login and to invalidate a device if it should no longer be trusted. Login History shows session data but not the same activation-management control plane. A custom object plus login flow would create a partial record, but it would not provide the built-in revocation semantics the requirement asks for. The important distinction is between observing a login event and managing device trust. Activations addresses device trust management, which is why it is the better fit here. This is why option D is the best answer in Salesforce terms.

The OAuth 2.0 web server flow follows the authorization-code pattern documented by Salesforce. First, the client requests an authorization code. The user then authenticates and authorizes access. Salesforce returns the authorization code to the client, after which the client exchanges that code at the token endpoint. Salesforce finally issues the access token. The reason this sequence matters is security: the code is a short-lived intermediary credential that is exchanged server to server, rather than exposing the access token directly in the browser. That is why the web server flow is recommended for confidential applications that can protect a client secret. Any sequence that skips the code exchange or grants the token before authorization is not the correct Salesforce authorization-code flow. This is why option A is the best answer in Salesforce terms.