Salesforce Identity & Access Management Architect Exam Guide | SSO, OAuth & Security

Salesforce Identity & Access Management Architect Exam Guide

Design secure single sign-on, federated identity, and access strategies across Salesforce orgs and external systems. Use this guide to understand the exam format, topic weightage, and how to prepare effectively for the Salesforce Certified Identity & Access Management Architect exam.

Who is the Identity & Access Management Architect for?

This credential is aimed at architects and senior practitioners who design enterprise identity, SSO, and access strategies with Salesforce at the center. You are a good fit if you:

  • Own or influence SSO, MFA and authentication standards in your Salesforce landscape.
  • Work with security teams, identity providers and multiple Salesforce orgs.
  • Design solutions using SAML, OAuth, OpenID Connect, SCIM and other identity protocols.
  • Need to balance user experience, security, compliance and governance.

This exam also contributes towards the composite Application Architect and System Architect credentials as part of your long-term architect journey.

Exam Overview

📊 Exam at a Glance

  • Exam Name: Salesforce Certified Identity & Access Management Architect
  • Format: Proctored, multiple-choice / multiple-select
  • Duration: ~105–120 minutes (check current exam guide)
  • Number of Questions: ~60 scored questions (+ a few unscored items)
  • Passing Score: Mid-60% range (verify latest value before booking)
  • Registration Fee: $400 USD (Retake: $200 USD)
  • Prerequisites: No mandatory certification prerequisite, but strong experience with SSO, identity providers, Salesforce security & governance is highly recommended.

🧭 What this Exam Focuses On

Expect scenario-based questions that test your ability to:

  • Choose between IdP-initiated vs SP-initiated SSO flows.
  • Design secure OAuth/OpenID Connect integrations.
  • Plan MFA, login flows, and session security for different user types.
  • Handle user lifecycle, provisioning, and de-provisioning at scale.
  • Architect identity across multiple Salesforce orgs and external apps.

Identity & Access Exam Domains

Salesforce periodically updates domain names and exact percentages, but the following high-level areas remain consistent. Always cross-check with the latest official exam guide before you finalize your study plan.

🔍 High-Level Domains & Weightage

  • Identity Concepts & Requirements – Identity types, trust boundaries, protocols, terminology.
  • Single Sign-On & Federation – SAML, OAuth/OIDC, IdP vs SP, flow choices, logout patterns.
  • Authentication, MFA & Session Security – Policies, login flows, device trust, session settings.
  • User Lifecycle & Provisioning – JIT, SCIM, HR-driven provisioning, de-activation models.
  • Access Management & Governance – Policies across multiple orgs, compliance, audits.

Note: official domain names and percentages can change with new releases. Treat this breakdown as a guiding structure rather than an exact mapping.

🆕 Recent Exam & Platform Trends (High-Level)

  • Stronger emphasis on MFA-by-default and secure baseline policies.
  • More scenarios involving multiple Salesforce orgs and different identity provider options.
  • Additional focus on session security, login flows and device-level trust signals.
  • Consideration of compliance & data residency requirements in global organizations.

Key Identity & Access Architecture Decisions

🌐 Choosing SSO & Federation Patterns

  • Decide when Salesforce acts as IdP vs Service Provider.
  • Compare IdP-initiated vs SP-initiated SSO UX and security implications.
  • Choose SAML vs OpenID Connect based on app type and requirements.
  • Handle cross-org SSO and partner communities / Experience Cloud users.

🔐 MFA, Policies & Session Security

  • Apply MFA policies consistently across user groups.
  • Configure Session Security and trusted IP strategies.
  • Use Login Flows for additional checks and user journeys.
  • Balance usability vs risk for different personas (employees, partners, customers).

👥 User Lifecycle & Provisioning

  • Design JIT provisioning for SAML/OIDC SSO logins.
  • Integrate with HR systems using SCIM or custom APIs.
  • Ensure predictable de-provisioning and license recovery.
  • Handle role changes, transfers and re-hires cleanly.

🏛️ Governance & Compliance

  • Define central identity ownership with security & IAM teams.
  • Support audit, logging and monitoring for access events.
  • Document policies for local vs global identity patterns.
  • Align with regulatory requirements (e.g., MFA mandates, regional laws).

4-Week Study Plan (Flexible)

Adjust this plan based on your experience and available time. It assumes ~1–2 hours per day plus weekend deep-dives.

Week 1 – Foundations & Identity Concepts

  • Read the official exam guide once end-to-end.
  • Review Salesforce docs on Authentication, SSO, MFA and Session Security.
  • Draw simple diagrams of IdP/SP relationships and trust boundaries.

Week 2 – SSO, Protocols & Flows

  • Deep-dive into SAML assertions, flows and error handling.
  • Study OAuth 2.0 grants (web server, JWT bearer, user-agent, device, etc.).
  • Implement at least one SAML SSO and one OAuth/OIDC integration in a sandbox.

Week 3 – Lifecycle, Governance & Multi-Org

  • Practice JIT provisioning and account linking scenarios.
  • Study patterns for multiple Salesforce orgs under one identity provider.
  • Review governance, compliance, logging and monitoring options.

Week 4 – Practice Questions & Mock Scenarios

  • Do multiple rounds of practice questions and analyze wrong answers deeply.
  • Time yourself on 60-question mixed sets to simulate the real exam.
  • Revisit weak domains and update your “go-to patterns” for common scenarios.

Sample Scenario-Style Questions

Question 1

A global company uses an enterprise IdP for all employee applications. They want Salesforce to use the same identities, with seamless login from the corporate portal. Salesforce must not store employee passwords. What is the most appropriate pattern?

  A. Salesforce as Identity Provider with SAML to the corporate portal.
  B. Salesforce as Service Provider with SAML SSO, IdP-initiated login from the portal.
  C. Social sign-on using OpenID Connect with a public identity provider.
  D. Username/password authentication directly in Salesforce with password policies.
Correct Answer: B
The enterprise IdP should remain the source of authentication. Salesforce acts as Service Provider, using SAML SSO from the corporate portal (IdP-initiated) so passwords remain only with the IdP.

Question 2

A partner community user base is expanding rapidly. Partners must use their own corporate identities, and accounts should be created on first login. Which approach best meets this requirement?

  A. Manual user creation in Salesforce by partner managers.
  B. JIT provisioning with SAML SSO from each partner’s IdP.
  C. Username/password logins with self-registration turned on.
  D. Delegated authentication using the partner’s LDAP server.
Correct Answer: B
Just-in-time provisioning with SAML SSO lets partners use their corporate IdP while Salesforce creates/updates users automatically on first successful login.

Question 3

Security wants to enforce MFA for all internal Salesforce users, but some legacy integrations use username and password authentication. What should the architect recommend?

  A. Disable MFA for all users to avoid breaking integrations.
  B. Use login flows to bypass MFA for all API logins.
  C. Move integrations to OAuth flows with connected apps and use MFA for human users only.
  D. Share interactive user credentials with integration owners and whitelist their IPs.
Correct Answer: C
Best practice is to separate human access (protected by MFA) from integration access (authenticated through OAuth and connected apps). This preserves strong security for people without breaking the legacy integrations.
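The separation Question 3 recommends typically rests on the JWT bearer grant listed in the Week 2 plan: the integration proves possession of a key registered on a connected app and names a pre-authorized user, so no password and no MFA prompt are involved. The Go program below is an added illustration, not part of this guide or of any Salesforce SDK; it constructs its own RSA key, the consumer key and username in the test are placeholders, and it assumes the production login host https://login.salesforce.com (sandboxes use https://test.salesforce.com).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims of a JWT bearer assertion: iss = connected app consumer key, sub = pre-authorized user, aud = login host.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"` // Unix seconds; Salesforce expects a short validity window
}

var b64 = base64.RawURLEncoding
// DemoKey is constructed for this example; production signs with the key of the certificate uploaded to the connected app.
var DemoKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// BuildAssertion signs header.claims with RS256. The caller POSTs it to /services/oauth2/token
// as assertion= with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer; no password is sent.
func BuildAssertion(key *rsa.PrivateKey, c Claims) (string, error) {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// VerifyAssertion mirrors the token endpoint: signature against the registered key, audience, expiry.
func VerifyAssertion(pub *rsa.PublicKey, token, wantAud string, nowUnix int64) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed assertion")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, e := b64.DecodeString(parts[2]); e != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return c, errors.New("signature does not match registered certificate")
	}
	if payload, _ := b64.DecodeString(parts[1]); json.Unmarshal(payload, &c) != nil || c.Aud != wantAud || nowUnix >= c.Exp {
		return c, errors.New("claims rejected: bad payload, wrong audience, or expired")
	}
	return c, nil
}
```

Because the access token is issued only for the user named in sub and only if that user is pre-authorized on the connected app, revoking the certificate or the user's authorization cuts the integration off without touching any human login.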