
Cert++

Resource Pack

Platform Identity and Access Management Architect

The Salesforce Certified Identity and Access Management Architect exam is a protocol-level deep dive into everything identity on Salesforce. This is not the admin-level "turn on SSO" exam. You need to know why you choose JWT Bearer Flow over Web Server Flow for a server-to-server integration, when SAML is the right answer instead of OAuth, how JIT provisioning works versus Identity Connect, and exactly which Event Monitoring tool surfaces which kind of login data. If you have been deploying SSO and MFA for real customers, this exam rewards that experience. If you are starting from scratch, expect to spend serious time in the official trailmix and the Salesforce developer documentation on OAuth flows before you are ready.

3-Step Path to Passing

  1. Complete the IAM Architect Trailmix

     The official trailmix covers the six exam domains with the right modules and supplementary YouTube videos from Salesforce Developers. Complete it end to end before moving on.
  2. Attempt Practice Exams

     I recommend my own practice exams, but I have linked other options in the Study Resources section below. The scenario-based format of this exam means practice questions are especially useful for building the decision-making instincts the exam requires.
  3. Schedule Your Exam

     Schedule with short notice once you are scoring consistently above 75% on practice exams. Architect exams run at most testing windows.

Core Resources

Exam Overview

  • Questions: 65 (60 scored + 5 unscored)
  • Duration: 105 min (1 hour 45 minutes)
  • To Pass: 65% minimum score

Question Format

The exam tests your ability to select the most architecturally appropriate identity solution across OAuth flow selection, SAML vs. OAuth trade-offs, SSO provisioning strategies, MFA enforcement, and Experience Cloud external identity configuration.

  • Scored: 60 questions (92%)
  • Unscored: 5 questions (8%)

Exam Details

  • Pricing: $400 registration · $200 retake
  • Delivery: Online proctored or at a testing center
  • Experience: 5+ years Salesforce experience, with 2-3 years focused on identity and access management, recommended
  • Prerequisites: None

Exam Topics

Each topic section shows the topic weight and its learning objectives.

Identity Management Concepts (17%)

Authentication patterns (username/password, certificate-based, federated), SAML vs. OAuth protocol differences, trust establishment between systems, user provisioning methods, and SSO troubleshooting.

  • Describe common authentication patterns and understand the differences between each one.
  • Describe the building blocks that are part of an identity solution (authentication, authorization, and accountability) and how you enable those building blocks using Salesforce features.
  • Describe how trust is established between two systems.
  • Given a scenario, recommend the appropriate method for provisioning users in Salesforce.
  • Given a scenario, troubleshoot common points of failure that may be encountered in a single sign-on (SSO) solution (SAML, OAuth, etc.).


Accepting Third-Party Identity in Salesforce (21%)

Salesforce as a Service Provider, B2E vs. B2C user provisioning, SAML and Auth. Provider configuration, JIT provisioning, SCIM provisioning, delegated authentication, and auditing tools for diagnosing IdP issues.

  • Given a use case, describe when Salesforce is used as a Service Provider (SP).
  • Given a scenario, recommend the most appropriate way to provision users from identity stores in business-to-employee (B2E) and business-to-consumer (B2C) scenarios.
  • Given a scenario, recommend the appropriate authentication mechanism when Salesforce needs to accept third-party Identity (Enterprise Directory, Social, Community, etc.).
  • Given a scenario, identify the ways to provision users in Salesforce to enable SSO and apply access rights.
  • Given a scenario, identify the auditing and monitoring approaches available on the platform, and describe the tools available to diagnose Identity Provider (IdP) issues.


Salesforce as an Identity Provider (17%)

OAuth flow selection (Web Server, User-Agent, JWT Bearer, Device, Hybrid), Connected App scope and OAuth policy configuration, token lifecycle (access, refresh, expiration, revocation), and outbound identity via Canvas and App Launcher.

  • Given a scenario, identify the most appropriate OAuth flow (Web-based, JWT, User agent, Device auth flow).
  • Given a scenario, recommend appropriate Scope and Configuration of the Connected App for Authorization.
  • Describe the various implementation concepts of OAuth (scopes, secrets, tokens, refresh tokens, token expiration, token revocation, etc.).
  • Given a scenario, recommend the Salesforce technologies that should be used to provide identity to the third-party system (Canvas, Connected Apps, App Launcher, etc.).
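The intro singles out JWT Bearer Flow versus Web Server Flow for server-to-server integrations, and this domain asks you to reason about tokens and secrets. The following is an added example, not code from this resource pack or from Salesforce: a Go program using only the standard library that builds the RS256-signed assertion the JWT Bearer flow sends (iss = the Connected App consumer key, sub = the Salesforce username the integration runs as, aud = the login endpoint, exp = a short expiry), forms the token request, and then applies the checks a token endpoint performs before issuing an access token: algorithm pinned to RS256, signature against the key of the certificate uploaded to the Connected App, audience, and expiry. The consumer key, username and the 3-minute lifetime are placeholders; the key pair is generated at run time so the program runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Claims is the claim set a JWT Bearer assertion carries to Salesforce.
type Claims struct {
	Iss string `json:"iss"` // Connected App consumer key (client_id)
	Sub string `json:"sub"` // Salesforce username the integration runs as
	Aud string `json:"aud"` // https://login.salesforce.com, https://test.salesforce.com or the My Domain login URL
	Exp int64  `json:"exp"` // expiry in Unix seconds; keep it short
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion signs base64url(header).base64url(claims) with RS256. The
// private key must pair with the certificate uploaded to the Connected App.
func BuildAssertion(key *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// TokenRequestBody is the form body POSTed to <aud>/services/oauth2/token.
// No client_secret and no user interaction: possession of the signing key is
// the credential, and the user must already be authorized for the app.
func TokenRequestBody(assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")
	v.Set("assertion", assertion)
	return v.Encode()
}

// VerifyAssertion applies the checks the token endpoint performs before it
// issues an access token: pinned alg, signature, audience, expiry.
func VerifyAssertion(pub *rsa.PublicKey, assertion, wantAud string, now time.Time) (Claims, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed assertion")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return Claims{}, fmt.Errorf("segment %d: %w", i, err)
		}
		raw[i] = b
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Never let the header choose the algorithm; "none" or HS256 must be refused.
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return Claims{}, errors.New("alg must be RS256")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return Claims{}, errors.New("signature does not match the Connected App certificate")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return Claims{}, err
	}
	if c.Aud != wantAud {
		return Claims{}, fmt.Errorf("aud %q is not this login endpoint", c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("assertion expired")
	}
	return c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the Connected App certificate's key
	c := Claims{
		Iss: "3MVG9...CONSUMER_KEY", // placeholder consumer key
		Sub: "integration.user@example.com",
		Aud: "https://login.salesforce.com",
		Exp: time.Now().Add(3 * time.Minute).Unix(),
	}
	a, _ := BuildAssertion(key, c)
	fmt.Println(TokenRequestBody(a)[:60] + "...")
	got, err := VerifyAssertion(&key.PublicKey, a, c.Aud, time.Now())
	fmt.Println(got.Sub, err)
}
```

The design point for the exam: the flow issues no refresh token and asks the user nothing, so every call re-presents a freshly signed, short-lived assertion; a leaked assertion is useful only until exp and only at the aud it names, while a leaked Web Server Flow refresh token is useful until revoked. That is why the signing key, not a client secret, is the asset to protect.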


Access Management Best Practices (15%)

MFA enforcement mechanisms (profile vs. org-wide), session security levels and high-assurance requirements, role and permission set assignment during SSO, Connected App configuration, and auditing tools for login activity.

  • Given a set of requirements, determine the most appropriate methods of multi-factor authentication (MFA) to use, and the right type of session they should yield.
  • Given a scenario, determine how to best assign roles, profiles, and permission sets to a user during the SSO process, and how to keep these assignments up to date.
  • Given a scenario, describe which tools you can apply to audit and verify the activity/user during and after login.
  • Given a scenario, identify the configuration settings for a Connected App.


Salesforce Identity (12%)

Identity Connect for Active Directory sync, Customer 360 Identity, External Identity license types vs. Customer Community licenses, and JIT provisioning as an Identity Connect alternative.

  • Given a set of requirements, identify the role Identity Connect plays in a Salesforce Identity implementation.
  • Given a scenario, identify if Salesforce Customer 360 Identity fits into a fully-developed Customer 360 solution.
  • Given a set of requirements, recommend the most appropriate Salesforce license type(s).


Community (Partner and Customer) (18%)

Experience Cloud site branding and authentication options, Auth. Providers for social sign-on, self-registration and contact matching, external user and contact models, External Identity license trade-offs, and embedded login.

  • Describe the capabilities for customizing the user experience for Experience Cloud (Branding options, authentication options, identity verification self-registration, communications, password reset, etc.).
  • Given a set of requirements, determine the best way to support external IdPs in communities and leverage the right user/contact model to support community user experience.
  • Given a requirement, understand the advantages and limitations of External Identity solutions and associated licenses.
  • Given a scenario, determine when to use embedded login.


Have suggestions for this resource pack?

To help make this the ultimate resource compilation for the exam, please give your thoughts in the free Cert++ Discord.
