Salesforce Updated Identity-and-Access-Management-Architect Exam Questions and Answers by mikey

If the external portal supports OAuth-based identity and Salesforce must accept its users for single sign-on, OpenID Connect is the right standards-based pattern because it adds identity semantics on top of OAuth. That is why Salesforce can be configured to trust the portal as an identity provider through OIDC rather than through generic delegated authentication. A connected app alone would not make Salesforce treat the portal as the identity source. Delegated Authentication is also a different model centered on username/password validation through a web service. The architectural advantage of OIDC is that the portal can remain the source of identity while Salesforce consumes verified user information and establishes a federated session. This is why option D is the best answer in Salesforce terms.

When a mobile application uses refresh tokens to preserve login state, the strongest control for forcing re-verification after inactivity is the refresh token policy. Salesforce lets administrators define when refresh tokens expire, including inactivity-based expiration. That is more aligned with the stated requirement than a generic session timeout, because the app renews access through the refresh token even after individual access tokens expire. Denying refresh_token scope would break the usability requirement, and manually maintaining permitted users would be operationally weak. The architecture question is about reauthentication after the device has been idle from an OAuth perspective. In Salesforce connected apps, that control sits with the refresh token policy, especially the “expire if not used for X days” style setting. This is why option D is the best answer in Salesforce terms.

Delegated Authentication is the Salesforce mechanism intended for organizations that must keep password validation and authentication processing in an external system reachable through a web service. In this model, Salesforce sends the authentication request outward and relies on the external service to decide whether the credentials are valid. That is a strong fit when regulations or internal policy require the external system to remain authoritative for passwords and authentication logic. JIT provisioning and SAML SSO solve adjacent problems, but they do not match the stated SOAP-based password-validation requirement. The important architecture cue is the external SOAP web service: that points directly to delegated authentication rather than to token-based federation or user-provisioning features. This is why option B is the best answer in Salesforce terms.

Frequent identity verification prompts in Salesforce are often a session security issue rather than an SSO design defect. One of the standard administrator controls for reducing repeated verification in known corporate environments is to define trusted IP ranges. When a login originates from a recognized network, Salesforce can apply lower-friction verification behavior consistent with the org’s policies. Simply enabling MFA or 2FA does not reduce prompts; those controls often introduce stronger verification requirements. Similarly, moving to an external identity provider changes the sign-in architecture but does not automatically tell Salesforce to trust the user’s network context. The trusted IP model is the documented way to reduce unnecessary verification challenges while keeping the org’s perimeter assumptions explicit. This is why option B is the best answer in Salesforce terms.