IDENTITY-AND-ACCESS-MANAGEMENT-ARCHITECT Exam Details

  • Exam Code
    :IDENTITY-AND-ACCESS-MANAGEMENT-ARCHITECT
  • Exam Name
    :Salesforce Certified Platform Identity and Access Management Architect (Plat-Arch-203)
  • Certification
    :Salesforce Certifications
  • Vendor
    :Salesforce
  • Total Questions
    :261 Q&As
  • Last Updated
    :Jul 14, 2026

Salesforce IDENTITY-AND-ACCESS-MANAGEMENT-ARCHITECT Online Questions & Answers

  • Question 251:

    A third-party app provider would like to have users provisioned via a service endpoint before users access their app from Salesforce.

    What should an identity architect recommend to configure the requirement with limited changes to the third-party app?

    A. Use a connected app with user provisioning flow.
    B. Create Canvas app in Salesforce for third-party app to provision users.
    C. Redirect users to the third-party app for registration.
    D. Use Salesforce identity with Security Assertion Markup Language (SAML) for provisioning users.

  • Question 252:

    Universal Containers wants to secure its Salesforce APIs by using an existing Security Assertion Markup Language (SAML) configuration supports the company's single sign-on process to Salesforce,

    Which Salesforce OAuth authorization flow should be used?

    A. OAuth 2.0 SAML Bearer Assertion Flow
    B. A SAML Assertion Row
    C. OAuth 2.0 User-Agent Flow
    D. OAuth 2.0 JWT Bearer Flow

  • Question 253:

    Universal Containers (UC) has decided to use Salesforce as an Identity Provider for multiple external applications. UC wants to use the salesforce App Launcher to control the Apps that are available to individual users.

    Which three steps are required to make this happen?

    A. Add each connected App to the App Launcher with a Start URL.
    B. Set up an Auth Provider for each External Application.
    C. Set up Salesforce as a SAML Idp with My Domain.
    D. Set up Identity Connect to Synchronize user data.
    E. Create a Connected App for each external application.

  • Question 254:

    Northern Trail Outfitters would like to use a portal built on Salesforce Experience Cloud for customer self-service. Guests of the portal be able to self-register, but be unable to automatically be assigned to a contact record until verified. External Identity licenses have bee purchased for the project.

    After registered guests complete an onboarding process, a flow will create the appropriate account and contact records for the user.

    Which three steps should an identity architect follow to implement the outlined requirements? Choose 3 answers

    A. Enable "Allow customers and partners to self-register".
    B. Select the "Configurable Self-Reg Page" option under Login & Registration.
    C. Set jp an external login page and call Salesforce APIs for user creation.
    D. Customize the self-registration Apex handler to temporarily associate the user to a shared single contact record.
    E. Customize me self-registration Apex handler to create only the user record.

  • Question 255:

    Universal containers uses an Employee portal for their employees to collaborate. employees access the portal from their company's internal website via SSO. It is set up to work with Active Directory.

    What is the role of Active Directory in this scenario?

    A. Identity store
    B. Authentication store
    C. Identity provider
    D. Service provider

  • Question 256:

    Which two roles of the systems are involved in an environment where salesforce users are enabled to access Google Apps from within salesforce through App launcher and connected App set up? Choose 2 answers

    A. Google is the identity provider
    B. Salesforce is the identity provider
    C. Google is the service provider
    D. Salesforce is the service provider

  • Question 257:

    An architect has successfully configured SAML-BASED SSO for universal containers. SSO has been working for 3 months when Universal containers manually adds a batch of new users to salesforce. The new users receive an error from salesforce when trying to use SSO. Existing users are still able to successfully use SSO to access salesforce.

    What is the probable cause of this behaviour?

    A. The administrator forgot to reset the new user's salesforce password.
    B. The Federation ID field on the new user records is not correctly set
    C. The my domain capability is not enabled on the new user's profile.
    D. The new users do not have the SSO permission enabled on their profiles.

  • Question 258:

    A group of users try to access one of universal containers connected apps and receive the following error message : "Failed : Not approved for access".

    what is most likely to cause of the issue?

    A. The use of high assurance sections are required for the connected App.
    B. The users do not have the correct permission set assigned to them.
    C. The connected App setting "All users may self-authorize" is enabled.
    D. The salesforce administrators gave revoked the Oauth authorization.

  • Question 259:

    Universal Containers is designing an identity architecture that involves integrating Salesforce with an external directory service. The external directory service will act as the central repository for user authentication and authorization across multiple systems within the organization.

    Which approach should be evaluated to establish trust between Salesforce and the external directory service?

    A. Utilizing email-based verification for user authentication across the systems.
    B. Using a shared database table to synchronize user credentials between the two systems.
    C. Enforcing IP-based access restrictions for Salesforce and the external directory service.
    D. Implementing a federated identity solution based on SANL (Security Assertion Markup Language).

  • Question 260:

    Universal Containers (UC) has an e-commerce website where customers can buy products, make payments and manage their accounts. UC decides to build a Customer Community on Salesforce and wants to allow the customers to access the community from their accounts without logging in again. UC decides to implement an SP-initiated SSO using a SAML-compliant Idp.

    In this scenario where Salesforce is the Service Provider, which two activities must be performed in Salesforce to make SP-initiated SSO work? Choose 2 answers

    A. Configure SAML SSO settings.
    B. Create a Connected App.
    C. Configure Delegated Authentication.
    D. Set up My Domain.

Tips on How to Prepare for the Exams

Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Salesforce exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your IDENTITY-AND-ACCESS-MANAGEMENT-ARCHITECT exam preparations and Salesforce certification application, do not hesitate to visit our Vcedump.com to find your solutions here.