Salesforce Updated Identity-and-Access-Management-Architect Exam Questions and Answers by marcel

Salesforce connected-app user provisioning can be combined with internal approval so downstream accounts are created only after the right business authorization is complete. The connected app must have user provisioning enabled, and the target application must be represented as a connected app in Salesforce. To control timing, the approval process should be associated with the provisioning request object that participates in the provisioning lifecycle rather than with the generic User object. That allows the organization to hold or approve the provisioning action itself. This pattern is useful when HR or compliance wants a formal checkpoint before external accounts are created. The architecture separates identity eligibility from final outbound provisioning execution. This is why options B, C, D work together as the correct solution.

For fine-grained delegated access and long-lived sessions, the Authorization Code flow is the strongest mainstream OAuth choice. It supports user consent, server-side token exchange, and refresh-token issuance in the patterns Salesforce documents for confidential applications. Client Credentials is for app-to-app integration without a user context, and Implicit/User-Agent is less suitable for strong control and durable token management. Username-password is a special-case flow that trades off security and user experience. The reason this matters architecturally is that the authorization code pattern separates user authentication from token exchange and allows the client to keep secrets securely on the server side. That is why it remains the preferred model for robust delegated access to protected Salesforce resources. This is why option B is the best answer in Salesforce terms.

If an organization has multiple regional ADFS systems and wants one Salesforce org without buying an additional federation broker, Salesforce can be configured with multiple SAML SSO settings so users choose the appropriate identity provider at sign-in. That satisfies the “no additional application investment” constraint more directly than introducing a new central identity broker. Identity Connect is not the solution here because it focuses on AD user synchronization, not on federating multiple ADFS realms into Salesforce login. The architectural compromise is user choice at the login screen, but it keeps the design standards-based and avoids extra infrastructure. For a single-org deployment with multiple existing enterprise IdPs, exposing multiple SSO configurations is the practical native approach. This is why option B is the best answer in Salesforce terms.

The OAuth 2.0 web server flow follows the authorization-code pattern documented by Salesforce. First, the client requests an authorization code. The user then authenticates and authorizes access. Salesforce returns the authorization code to the client, after which the client exchanges that code at the token endpoint. Salesforce finally issues the access token. The reason this sequence matters is security: the code is a short-lived intermediary credential that is exchanged server to server, rather than exposing the access token directly in the browser. That is why the web server flow is recommended for confidential applications that can protect a client secret. Any sequence that skips the code exchange or grants the token before authorization is not the correct Salesforce authorization-code flow. This is why option A is the best answer in Salesforce terms.