Identity-and-Access-Management-Architect Exam Dumps - Salesforce Certified Platform Identity and Access Management Architect (Plat-Arch-203)

Salesforce supports token revocation through the revoke token endpoint. When an external application logs the user out and the existing OAuth token must be invalidated immediately, the application should make the appropriate HTTP request to that revocation endpoint and include the current token. That explicitly tells Salesforce the token should no longer be accepted. Requesting a new refresh token or calling unrelated endpoints would not invalidate the existing authorization. Single Logout can help in federated browser journeys, but the requirement here is specifically about invalidating the OAuth token itself. The architecture distinction is important: session logout and token revocation are related but not identical operations, and Salesforce provides a dedicated endpoint for revocation. This is why option A is the best answer in Salesforce terms.

When a third-party enterprise identity provider already validates users against LDAP and the organization wants employees to remember as few passwords as possible, Salesforce should be configured as the service provider. That lets the existing IdP remain the authoritative login system while Salesforce trusts the resulting assertion. Salesforce Connect is unrelated to password synchronization, and making Salesforce the IdP would invert the current enterprise architecture. This is a classic workforce SSO pattern: the corporate identity layer owns credentials, and Salesforce consumes that identity through federation. The architectural win is reduced password sprawl. Users authenticate once against the enterprise identity provider and then reach Salesforce without maintaining a separate Salesforce password. This is why option D is the best answer in Salesforce terms.

In the OAuth 2.0 web server flow, the main concepts are scopes, an access token, and a client secret. This is the authorization-code pattern for confidential web applications, so the server-side client can safely hold the client secret and exchange the authorization code for an access token. Verification URLs and generic “authentication tokens” are not the defining exam concepts here. Salesforce documentation emphasizes that the web server flow is appropriate when the application can securely store secrets and needs to access APIs on behalf of the user. That is why the flow combines requested scopes, a confidential client, and a token issued after the secure code exchange. Those are the concepts that matter most when reasoning about this flow. This is why options C, D, E work together as the correct solution.

For social sign-on into Experience Cloud, Salesforce relies on authentication providers to establish trust with each social identity source and on a registration handler to create or update the Salesforce user and related records. That pattern applies whether the provider is Facebook, LinkedIn, Twitter, or a standards-based OpenID Connect provider. Process Builder or Flow does not replace the registration handler in this identity handshake. The registration handler is where Salesforce decides how to map the incoming identity to an existing user, when to create a new one, and how to update profile information over time. From an architecture standpoint, authentication providers solve the external trust, and the registration handler solves the user lifecycle inside Salesforce. This is why options B, C work together as the correct solution.

The Identity Only license is designed for users who need Salesforce Identity services without broad CRM object access. Salesforce documentation positions it for scenarios where employees or other internal users need to authenticate with Salesforce credentials and access connected applications, but they do not require the full set of standard Salesforce business objects. That makes it a good fit for benefits portals, employee hubs, or third-party workforce apps that rely on Salesforce for identity rather than for CRM usage. External Identity is aimed at external audiences such as customers or partners, while Identity Connect is synchronization software rather than an end-user license. The licensing decision follows the user population and the scope of application access more than the authentication protocol itself. This is why option A is the best answer in Salesforce terms.

For an Experience Cloud site that uses Salesforce as the identity provider, the supported login experiences are the standard page types intended for authentication. Salesforce supports a Login Discovery page, which helps identify the user and route them appropriately, and an Embedded Login page, which allows the login experience to be embedded into a branded front-end. These are purpose-built for sign-in scenarios. By contrast, a generic Experience Builder content page or a Lightning Experience page is not the same thing as a supported login page type for the site’s authentication flow. The important distinction in Salesforce documentation is between pages designed for site content and pages designed to participate directly in the authentication journey. This is why options A, C work together as the correct solution.

If the order-tracking application supports SAML SSO and should only be accessible to active Salesforce users from inside Salesforce, the clean approach is to make Salesforce the identity provider and expose the app through Salesforce as a Canvas-style embedded experience or equivalent app launch pattern. Using Salesforce as the IdP ensures that only valid Salesforce users can obtain the SAML identity needed to enter the external system. A separate corporate identity store or a custom REST validation step introduces more moving parts than needed. The architectural goal is to let Salesforce govern access to the application that is surfaced from within Salesforce. That points to Salesforce-led federation and an in-platform application entry point. This is why options C, D work together as the correct solution.

Just-in-Time provisioning is designed for exactly this onboarding pattern: a user authenticates through an external identity provider, and Salesforce creates the user automatically on first successful login. That avoids preloading every external user into Salesforce before they ever visit the site. Middleware and custom web services can do similar work, but JIT is the native, lower-complexity mechanism built into Salesforce federation. Login flows by themselves do not create the user record during the authentication handshake. The architectural value of JIT is that it keeps the source of identity external while letting Salesforce create and update the user only when the person actually needs access. It is efficient, standard, and commonly used with Experience Cloud. This is why option C is the best answer in Salesforce terms.