Salesforce Certified Platform Identity and Access Management Architect Exam Guide

About the Salesforce Certified Platform Identity and Access Management Architect Exam
Audience Description: Salesforce Certified Platform Identity and Access Management Architect
Purpose of This Exam Guide
About the Exam
Exam Outline
Recommended Training and Resources
Salesforce Certification Candidate Code of Conduct
Maintaining Your Salesforce Certification

About the Salesforce Certified Platform Identity and Access Management Architect Exam

The Salesforce Certified Identity and Access Management Exam is designed for identity professionals who want to demonstrate their knowledge, skills, and capabilities at assessing identity architecture; designing secure, high-performance access management solutions on the Customer 360 platform; and communicating technical solutions effectively to business and technical stakeholders.

An Identity professional should be able to do the following in order to pass the exam.

Design an identity architecture that may span multiple platforms and include integration and authentication across systems.
Articulate system design considerations, benefits, and recommendations for identity architecture.
Apply general identity and access management best practices to Salesforce implementations.

Audience Description: Salesforce Certified Platform Identity and Access Management Architect

A Salesforce Certified Platform Identity and Access Management Architect assesses the environment and requirements to design secure and scalable identity management solutions on the Customer 360 platform. The architect has experience designing and implementing complex identity and access management strategies, as well as communicating the solution and design trade-offs to business and technical stakeholders alike.

The Salesforce Certified Platform Identity and Access Management Architect has the following background.

1+ years of experience designing and implementing Identity and Access Management solutions in the Salesforce Customer 360 platform
2+ years of identity and/or security technology experience

Typical job roles may include:

Enterprise Architect
Technical Architect
Security Architect
Integration Architect
Identity Architect
Solution Architect

The Salesforce Certified Platform Identity and Access Management Architect candidate has the experience, skills, knowledge, and ability to:

Understand the difference between federated and delegated single sign-on (SSO).
Gather requirements and configure delegated authentication in Salesforce.
Gather requirements and configure SAML in Salesforce.
Know the difference between Identity Provider (IdP) Initiated SAML and Service Provider (SP) Initiated SAML and when to use each.
Know how trust is established between an IdP and an SP.
Determine the general identity federation capabilities available for a given project.
Explain high-level concepts and flows of OAuth, SAML, and OpenID Connect.
Explain social sign-on in the context of Salesforce.
Explain authentication mechanisms for Communities.
Identify the cause and resolve common failure conditions for SSO in Salesforce.
Explain why a solid SSO strategy is important for enterprise security.
Know why two-factor authentication (2FA) is important and strategies for implementing it in Salesforce.
Explain the use of login flows.
Determine the applicable use cases for Identity Connect.
Determine appropriate user lifecycle management techniques (automated user provisioning, just-in-time provisioning, manual account creation, etc.) for a given project.

A candidate for this exam will likely need assistance in:

Writing Apex
Networking and domain management as it relates to Identity
Configuring Salesforce for automated user lifecycle management via user provisioning and Connected Apps (click path)
Configuring Salesforce to support social sign-on and registration (click path)

A candidate for this exam is not expected to know:

Specific IdP technology capabilities outside of Salesforce
How to obtain signed certificates

Purpose of This Exam Guide

This exam guide is designed to help you prepare for the Salesforce Certified Platform Identity and Access Management Architect Exam. This guide provides information about the target audience, the recommended training and documentation, and a complete list of exam objectives. Salesforce highly recommends a combination of on-the-job experience and self-study to maximize your chances of passing the exam.

About the Exam

Here are details about the Salesforce Certified Platform Identity and Access Management Architect Exam.

Content: 60 multiple-choice questions and up to five unscored questions
Time allotted to complete the exam: 120 minutes
Passing score: 67%
Version: Exam questions align to the Summer '23 release
Registration fee: US$400, JPY¥30,000, plus applicable taxes as required per local law
Retake fee: US$200, JPY¥30,000, plus applicable taxes as required per local law
Delivery options: Proctored exam delivered onsite at a testing center or in an online environment; find more information on scheduling an exam here.
References: No hard-copy or online materials may be referenced during the exam.
Prerequisite: None

This exam may contain up to five additional unscored questions to gather performance data. Unscored questions are randomly integrated and have no impact on your final exam result.

Exam Outline

The Salesforce Certified Platform Identity and Access Management Architect Exam measures a candidate’s knowledge and skills related to the following objectives.

Describe common authentication patterns and understand the differences between each one.
Describe the building blocks that are part of an identity solution (authentication, authorization, and accountability) and how you enable those building blocks using Salesforce features.
Describe how trust is established between two systems.
Given a scenario, recommend the appropriate method for provisioning users in Salesforce.
Given a scenario, troubleshoot common points of failure that may be encountered in a single sign-on (SSO) solution (SAML, OAuth, etc.).

Given a use case, describe when Salesforce is used as a Service Provider (SP).
Given a scenario, recommend the most appropriate way to provision users from identity stores in business-to-employer (B2E) and business-to-consumer (B2C) scenarios.
Given a scenario, recommend the appropriate authentication mechanism when Salesforce needs to accept third-party Identity (Enterprise Directory, Social, Community, etc.).
Given a scenario, identify the ways to provision users in Salesforce to enable SSO and apply access rights.
Given a scenario, identify the auditing and monitoring approaches available on the platform, and describe the tools available to diagnose Identity Provider (IdP) issues.

Given a scenario, identify the most appropriate OAuth flow (Web-based, JWT, User agent, Device auth flow).
Given a scenario, recommend appropriate Scope and Configuration of the Connected App for Authorization.
Describe the various implementation concepts of OAuth (scopes, secrets, tokens, refresh tokens, token expiration, token revocation, etc.).
Given a scenario, recommend the Salesforce technologies that should be used to provide identity to the third-party system (Canvas, Connected Apps, App Launcher, etc.).

Given a set of requirements, determine the most appropriate methods of multi-factor authentication (MFA) to use, and the right type of session they should yield.
Given a scenario, determine how to best assign roles, profiles, and permission sets to a user during the SSO process, how to keep these assignments up to date.
Given a scenario, describe which tools you can apply to audit and verify the activity/user during and after login.
Given a scenario, identify the configuration settings for a Connected App.

Describe the capabilities for customizing the user experience for Experience Cloud (Branding options, authentication options, identity verification self-registration, communications, password reset, etc.).
Given a set of requirements, determine the best way to support external IdPs in communities and leverage the right user/contact model to support community user experience.
Given a requirement, understand the advantages and limitations of External Identity solutions and associated licenses.
Given a scenario, determine when to use embedded login.

Recommended Training and Resources

As preparation for this exam, we recommend a combination of hands-on experience, training course completion, Trailhead Trails, and self-study in the areas listed in the Exam Outline section of this exam guide.

The self-study materials recommended for this exam include:

Trailmix: Architect Journey: Identity and Access Management

To review online documentation, tip sheets, and user guides, search for the topics listed in the Exam Outline section of this guide on Salesforce Help and study the information related to those topics.

Salesforce Certification Candidate Code of Conduct

At Salesforce, Trust is our #1 value. Protecting the security of Salesforce Certifications is up to all of us. As a participant in the Salesforce Certification Program, you’re required to review and accept the terms of the Salesforce Certification Program Agreement and Code of Conduct at the beginning of each exam.

Maintaining Your Salesforce Certification

One of the benefits of holding a Salesforce Certification is always being up to date on new product releases. You'll be required to complete the Salesforce Certified Platform Identity and Access Management Architect certification maintenance badge on Trailhead once a year.

Don’t let your hard-earned certification expire! If you don't complete all maintenance requirements by the due date, your certification will expire.

Bookmark these useful resources for maintaining your certifications.

Salesforce Certified Platform Identity and Access Management Architect Exam Guide

Contents