Salesforce Certified Platform Identity and Access Management Architect (Plat-Arch-203) Identity-and-Access-Management-Architect Exam Questions with Experts Answers Updated Recently

To enable social sign-on for Experience Cloud, Salesforce expects the architect to create an authentication provider for each social identity source, expose those providers on the login page, and use the registration handler logic that creates or updates the external user in Salesforce. SAML federation is not required for Facebook or LinkedIn sign-in. Connected apps are not how those social providers are registered for Experience Cloud login; the trust is established through authentication providers. The architect also needs the login page to actually show the provider buttons so users can choose those sign-in methods. In short, the implementation has three moving parts: provider setup, login-page exposure, and user-provisioning logic through the registration handler. This is why options A, C, D work together as the correct solution.

Salesforce connected-app user provisioning can be combined with internal approval so downstream accounts are created only after the right business authorization is complete. The connected app must have user provisioning enabled, and the target application must be represented as a connected app in Salesforce. To control timing, the approval process should be associated with the provisioning request object that participates in the provisioning lifecycle rather than with the generic User object. That allows the organization to hold or approve the provisioning action itself. This pattern is useful when HR or compliance wants a formal checkpoint before external accounts are created. The architecture separates identity eligibility from final outbound provisioning execution. This is why options C, D, E work together as the correct solution.