Salesforce Identity & Access Management Architect Exam Guide | SSO, OAuth & Security

📋 Quick Navigation

📊 Exam Overview 🎯 Exam Objectives ❓ Practice Questions 📚 Study Resources 💡 Exam Tips

---

Salesforce Architect • Domain Credential

Salesforce Identity & Access Management Architect Exam Guide

Design secure single sign-on, federated identity, and access strategies across Salesforce orgs and external systems. Use this guide to understand the exam format, topic weightage, and how to prepare effectively for the Salesforce Certified Identity & Access Management Architect exam.

Who is the Identity & Access Management Architect for?

This credential is aimed at architects and senior practitioners who design enterprise identity, SSO, and access strategies with Salesforce at the center. You are a good fit if you:

• Own or influence SSO, MFA and authentication standards in your Salesforce landscape.
• Work with security teams, identity providers and multiple Salesforce orgs.
• Design solutions using SAML, OAuth, OpenID Connect, SCIM and other identity protocols.
• Need to balance user experience, security, compliance and governance.

This exam also contributes towards the composite Application Architect and System Architect credentials as part of your long-term architect journey.

Exam Overview

📊 Exam at a Glance

Exam Name	Salesforce Certified Identity & Access Management Architect
Format	Proctored, multiple-choice / multiple-select
Duration	~105–120 minutes (check current exam guide)
Number of Questions	~60 scored questions (+ a few unscored items)
Passing Score	Mid-60% range (verify latest value before booking)
Registration Fee	$400 USD (Retake: $200 USD)
Prerequisites	No mandatory certification prerequisite, but strong experience with SSO, identity providers, Salesforce security & governance is highly recommended.

🧭 What this Exam Focuses On

Expect scenario-based questions that test your ability to:

• Choose between IdP-initiated vs SP-initiated SSO flows.
• Design secure OAuth/OpenID Connect integrations.
• Plan MFA, login flows, and session security for different user types.
• Handle user lifecycle, provisioning, and de-provisioning at scale.
• Architect identity across multiple Salesforce orgs and external apps.

SAML & OAuth Single Sign-On External Identity MFA & Zero-Trust

Identity & Access Exam Domains

Salesforce periodically updates domain names and exact percentages, but the following high-level areas remain consistent. Always cross-check with the latest official exam guide before you finalize your study plan.

🔍 View High-Level Domains & Weightage

• Identity Concepts & Requirements – Identity types, trust boundaries, protocols, terminology.
• Single Sign-On & Federation – SAML, OAuth/OIDC, IdP vs SP, flow choices, logout patterns.
• Authentication, MFA & Session Security – Policies, login flows, device trust, session settings.
• User Lifecycle & Provisioning – JIT, SCIM, HR-driven provisioning, de-activation models.
• Access Management & Governance – Policies across multiple orgs, compliance, audits.

Note: official domain names and percentages can change with new releases. Treat this breakdown as a guiding structure rather than an exact mapping.

🆕 Recent Exam & Platform Trends (High-Level)

• Stronger emphasis on MFA-by-default and secure baseline policies.
• More scenarios involving multiple Salesforce orgs and different identity provider options.
• Additional focus on session security, login flows and device-level trust signals.
• Consideration of compliance & data residency requirements in global organizations.

Key Identity & Access Architecture Decisions

🌐 Choosing SSO & Federation Patterns

• Decide when Salesforce acts as IdP vs Service Provider.
• Compare IdP-initiated vs SP-initiated SSO UX and security implications.
• Choose SAML vs OpenID Connect based on app type and requirements.
• Handle cross-org SSO and partner communities / Experience Cloud users.

🔐 MFA, Policies & Session Security

• Apply MFA policies consistently across user groups.
• Configure Session Security and trusted IP strategies.
• Use Login Flows for additional checks and user journeys.
• Balance usability vs risk for different personas (employees, partners, customers).

👥 User Lifecycle & Provisioning

• Design JIT provisioning for SAML/OIDC SSO logins.
• Integrate with HR systems using SCIM or custom APIs.
• Ensure predictable de-provisioning and license recovery.
• Handle role changes, transfers and re-hires cleanly.

🏛️ Governance & Compliance

• Define central identity ownership with security & IAM teams.
• Support audit, logging and monitoring for access events.
• Document policies for local vs global identity patterns.
• Align with regulatory requirements (e.g., MFA mandates, regional laws).

4-Week Study Plan (Flexible)

Adjust this plan based on your experience and available time. It assumes ~1–2 hours per day plus weekend deep-dives.

Week 1 – Foundations & Identity Concepts

• Read the official exam guide once end-to-end.
• Review Salesforce docs on Authentication, SSO, MFA and Session Security.
• Draw simple diagrams of IdP/SP relationships and trust boundaries.

Week 2 – SSO, Protocols & Flows

• Deep-dive into SAML assertions, flows and error handling.
• Study OAuth 2.0 grants (web server, JWT bearer, user-agent, device, etc.).
• Implement at least one SAML SSO and one OAuth/OIDC integration in a sandbox.

Week 3 – Lifecycle, Governance & Multi-Org

• Practice JIT provisioning and account linking scenarios.
• Study patterns for multiple Salesforce orgs under one identity provider.
• Review governance, compliance, logging and monitoring options.

Week 4 – Practice Questions & Mock Scenarios

• Do multiple rounds of practice questions and analyze wrong answers deeply.
• Time yourself on 60-question mixed sets to simulate the real exam.
• Revisit weak domains and update your “go-to patterns” for common scenarios.

Sample Scenario-Style Questions

Question 1

A global company uses an enterprise IdP for all employee applications. They want Salesforce to use the same identities, with seamless login from the corporate portal. Salesforce must not store employee passwords. What is the most appropriate pattern?

1. Salesforce as Identity Provider with SAML to the corporate portal.
2. Salesforce as Service Provider with SAML SSO, IdP-initiated login from the portal.
3. Social sign-on using OpenID Connect with a public identity provider.
4. Username/password authentication directly in Salesforce with password policies.

Correct Answer: B

The enterprise IdP should remain the source of authentication. Salesforce acts as Service Provider, using SAML SSO from the corporate portal (IdP-initiated) so passwords remain only with the IdP.

Question 2

A partner community user base is expanding rapidly. Partners must use their own corporate identities, and accounts should be created on first login. Which approach best meets this requirement?

1. Manual user creation in Salesforce by partner managers.
2. JIT provisioning with SAML SSO from each partner’s IdP.
3. Username/password logins with self-registration turned on.
4. Delegated authentication using the Partner’s LDAP server.

Correct Answer: B

Just-in-time provisioning with SAML SSO lets partners use their corporate IdP while Salesforce creates/updates users automatically on first successful login.

Question 3

Security wants to enforce MFA for all internal Salesforce users, but some legacy integrations use username and password authentication. What should the architect recommend?

1. Disable MFA for all users to avoid breaking integrations.
2. Use login flows to bypass MFA for all API logins.
3. Move integrations to OAuth flows with connected apps and use MFA for human users only.
4. Share interactive user credentials with integration owners and whitelist their IPs.

Correct Answer: C

Best practice is to separate human access (with MFA) from integration access using OAuth and connected apps. This preserves strong security without breaking legacy interface patterns.

Tip: Bookmark this page and revisit it after each Salesforce release to keep your identity & access designs up to date.

❓ Salesforce Identity & Access Management Architect FAQ

What are the prerequisites for the Salesforce Identity & Access Management Architect exam? ▼

Check the official Salesforce certification page for current prerequisites. Most certifications recommend having relevant hands-on experience (typically 6-12 months) with the specific Salesforce product or feature area.

General recommendations:

• Complete relevant Trailhead trails and superbadges
• Get hands-on experience in a Developer Edition org
• Review the official exam guide thoroughly
• Complete practice exams and aim for 80%+ consistently

How should I prepare for the Salesforce Identity & Access Management Architect exam? ▼

Recommended preparation steps:

1. Study the exam guide: Review all exam objectives and weightage carefully
2. Complete Trailhead: Finish all recommended trails and superbadges for this certification
3. Hands-on practice: Use a Developer Edition org to practice the features and scenarios covered in the exam
4. Practice exams: Take multiple practice exams and aim for 80%+ consistently
5. Review release notes: Study Winter '26 release notes for new features that may appear in exam questions
6. Focus on weak areas: Use exam weightage to prioritize study time on higher-weighted domains

What topics are covered in the Salesforce Identity & Access Management Architect exam? ▼

Refer to the "Exam Objectives & Weightage" section above for detailed topic breakdown. The exam covers multiple domains with varying weightage. Focus more study time on domains with higher percentages.

Pro tip: Review the exam guide's domain breakdown carefully and ensure you have hands-on experience with all topics, especially those with higher weightage.

How long should I study before taking the Salesforce Identity & Access Management Architect exam? ▼

Preparation time varies based on your background and experience:

• With relevant experience: 2-3 months of focused study (10-15 hours per week)
• Without experience: 4-6 months of dedicated study (15-20 hours per week)
• With similar certifications: 1-2 months if you have related credentials

Best practice: Don't schedule your exam until you're consistently scoring 80%+ on practice tests and feel confident about all exam domains.

What is the passing score for the Salesforce Identity & Access Management Architect exam? ▼

Most Salesforce certification exams require a passing score of 65-68%. The exact passing score is not disclosed by Salesforce and may vary slightly by exam version.

Important: Salesforce uses a scaled scoring system, meaning not all questions have equal weight. Focus on understanding all domains thoroughly rather than memorizing specific answers.

Strategy: Aim to score consistently above 80% on practice exams before scheduling your real exam to ensure a comfortable passing margin.

💡 Exam Success Tips

📚 Study the Exam Guide

Review the official exam guide thoroughly. Understand each domain's weightage and prioritize higher-weighted topics during your final review.

🛠️ Hands-On Practice

Use a Developer Edition org to practice all features covered in the exam. Real hands-on experience is invaluable for scenario-based questions.

📝 Practice Exams

Take multiple practice exams and aim for 80%+ consistently. Understand WHY answers are correct, not just memorizing them.

🆕 Review Release Notes

Study Winter '26 release notes. New features often appear in exam questions. This guide highlights key Winter '26 updates.

⏱️ Time Management

Manage your time during the exam. Flag difficult questions and return to them later. Ensure you answer all questions before time runs out.

🎯 Focus on Weak Areas

Review practice exam results and dedicate extra study time to domains where you scored lower. Use exam weightage to prioritize.