Platform Identity and Access Management Architect

4-Step Path to Passing

  1. Complete the IAM Architect Trailmix
  2. Look at the Study Checklist: every concept you need to know for your exam, available for free to check off as you learn.
  3. Attempt Practice Exams
  4. Schedule Your Exam

Core Resources

  • Cert++ Practice Exam (1 free exam per cert, then paid)

    Free practice questions with detailed explanations. $10/mo for access to all questions, features, and certifications.

    certplusplus.com

  • Daily Certle Game (3 free questions per day)

    Practice your Salesforce certification knowledge daily with a challenge inspired by Wordle. Topics might not perfectly align with your preferred exam, but there's a lot of overlap between the certs.

    certplusplus.com

  • Focus on Force: Identity and Access Management Study Guide (Paid)

    Paid study guide and practice questions for the IAM Architect exam from Focus on Force.

    focusonforce.com

  • Official Trailmix: Architect Journey: Identity and Access Management

    Salesforce's curated Trailmix for the IAM Architect credential, covering all six exam domains with modules and supplementary videos.

    trailhead.salesforce.com

  • Official Exam Guide

    Salesforce Help page with the official exam outline, objectives, format, and current exam details.

    help.salesforce.com

  • OAuth with Salesforce Demystified (YouTube)

    42-minute deep dive into OAuth flows from Salesforce Developers. Required watching before the exam.

    youtube.com

  • Identity and Access Management for Beginners (YouTube)

    27-minute Salesforce Developers video introducing IAM fundamentals and Salesforce identity features.

    youtube.com

  • Deploying Single Sign-On and Identity for Employees, Customers, and Partners (YouTube)

    40-minute Salesforce Developers session on end-to-end SSO deployment patterns for multiple audience types.

    youtube.com

  • Identity 101: Design Patterns for Access Management (YouTube)

    40-minute walkthrough of common IAM design patterns and how to map requirements to the right Salesforce feature.

    youtube.com

  • Social Single Sign-On with OpenID Connect (YouTube)

    20-minute Salesforce Developer video on configuring social login via OpenID Connect Auth. Providers.

    youtube.com

  • Cert++ Discord

    The Cert++ community discord for Salesforce professionals. Exam prep, resource sharing, study groups, and more. Free and open to all.

    discord.gg

  • Trailblazer Community

    Connect with other Salesforce learners for peer support, mentoring, and study groups.

    trailhead.salesforce.com

  • r/salesforce

    Salesforce subreddit for discussions, career questions, certification tips, and community support.

    reddit.com

  • SFXD Discord

    Large Salesforce community discord server with channels for admin topics, career advice, and technical help.

    discord.gg

  • Salesforce Certification Score Calculator

    Check your exam score based on section results. Estimates your total score from category percentages (community-maintained third-party tool).

    scuvanov.github.io

Exam Overview

From the official exam guide

  • Questions: 65 (60 scored, 5 unscored)
  • Duration: 105 min (1h 45m)
  • To Pass: 65% (min. score)
  • Pricing: $400 registration · $200 retake
  • Delivery: Online proctored or at a testing center
  • Experience: 5+ years Salesforce experience with 2-3 years focus on identity and access management recommended
  • Prerequisites: No prerequisites required

Exam Topics

Each topic section shows the topic weight, learning objectives, and links to study resources.

Identity Management Concepts (17%)

Authentication patterns (username/password, certificate-based, federated), SAML vs. OAuth protocol differences, trust establishment between systems, user provisioning methods, and SSO troubleshooting.

  • Describe common authentication patterns and understand the differences between each one.
  • Describe the building blocks that are part of an identity solution (authentication, authorization, and accountability) and how you enable those building blocks using Salesforce features.
  • Describe how trust is established between two systems.
  • Given a scenario, recommend the appropriate method for provisioning users in Salesforce.
  • Given a scenario, troubleshoot common points of failure that may be encountered in a single sign-on (SSO) solution (SAML, OAuth, etc.).

Resources

  • Superbadge: Multi-Factor Authentication and Single Sign-On Settings

    Hands-on challenge configuring MFA and SSO settings from a set of requirements.

    trailhead.salesforce.com

  • Superbadge: User Authentication Settings

    Scenario-based challenge bringing user authentication settings up to a defined security standard.

    trailhead.salesforce.com

  • Identity Basics

    Salesforce Identity features overview, user types, SAML and OAuth protocols, and trust model fundamentals.

    trailhead.salesforce.com

  • Get to Know Salesforce Identity

    What Salesforce Identity does, product features, and when to use each capability.

    trailhead.salesforce.com

  • Get To Know Your Salesforce Identity Users

    Employee, customer, and partner user types and how Salesforce Identity serves each audience.

    trailhead.salesforce.com

  • Learn the Language of Identity

    SAML assertions, XML structure, OAuth 2.0 grant types, OpenID Connect, and protocol-level differences between SAML and OAuth.

    trailhead.salesforce.com

  • User Authentication

    MFA setup, My Domain configuration, and inbound SAML SSO for internal users.

    trailhead.salesforce.com

  • Secure Your Users' Identity

    Multi-factor authentication methods, Salesforce Authenticator, TOTP, high-assurance sessions, and session security levels.

    trailhead.salesforce.com

  • Customize Your Login Process with My Domain

    My Domain setup, login page branding, authentication policies, and login flow assignments.

    trailhead.salesforce.com

  • Set Up Single Sign-On for Your Internal Users

    Inbound SAML SSO configuration, federation ID, SP-initiated vs. IdP-initiated flows, and certificate management.

    trailhead.salesforce.com

  • Manage Identity and Access

    End-to-end trail covering Identity Basics, User Authentication, Identity for Customers, and mobile identity.

    trailhead.salesforce.com

  • Discover What's New with Identity Management for Winter '26

    Headless user discovery, SAML AES encryption migration away from Triple DES, LoginAnomalyEvent, flow-based registration handlers, and JWT token timeout enhancements.

    trailhead.salesforce.com

Accepting Third-Party Identity in Salesforce (21%)

Salesforce as a Service Provider, B2E vs. B2C user provisioning, SAML and Auth. Provider configuration, JIT provisioning, SCIM provisioning, delegated authentication, and auditing tools for diagnosing IdP issues.

  • Given a use case, describe when Salesforce is used as a Service Provider (SP).
  • Given a scenario, recommend the most appropriate way to provision users from identity stores in business-to-employee (B2E) and business-to-consumer (B2C) scenarios.
  • Given a scenario, recommend the appropriate authentication mechanism when Salesforce needs to accept third-party Identity (Enterprise Directory, Social, Community, etc.).
  • Given a scenario, identify the ways to provision users in Salesforce to enable SSO and apply access rights.
  • Given a scenario, identify the auditing and monitoring approaches available on the platform, and describe the tools available to diagnose Identity Provider (IdP) issues.

Resources

  • Superbadge: Authentication Governance

    Scenario challenge configuring org-wide authentication monitoring and proactive security policy enforcement.

    trailhead.salesforce.com

  • Event Monitoring

    Event log file types, SOQL queries for login events, API access logs, and visualizing usage data.

    trailhead.salesforce.com

  • Real-Time Event Monitoring

    Real-time event types, Transaction Security policies, streaming subscriptions, and audit use cases.

    trailhead.salesforce.com

  • Enhanced Transaction Security

    Creating transaction security policies, blocking or notifying on events, and using Apex in policy conditions.

    trailhead.salesforce.com

  • Headless Identity Basics

    Headless OAuth flows, authorization code with PKCE, headless login and registration patterns for off-platform apps.

    trailhead.salesforce.com

  • Understand the Headless Approach to Identity

    What headless identity means, when to use it, and how it differs from standard Experience Cloud login.

    trailhead.salesforce.com

  • Learn Key Concepts in Headless Identity

    Authorization code with PKCE, headless login flows, and the role of the connected app in headless identity.

    trailhead.salesforce.com

  • Understand Guest User Identity

    Guest user access model, how guest users interact with headless and Experience Cloud sites, and security considerations.

    trailhead.salesforce.com

Salesforce as an Identity Provider (17%)

OAuth flow selection (Web Server, User-Agent, JWT Bearer, Device, Hybrid), Connected App scope and OAuth policy configuration, token lifecycle (access, refresh, expiration, revocation), and outbound identity via Canvas and App Launcher.

  • Given a scenario, identify the most appropriate OAuth flow (Web-based, JWT, User agent, Device auth flow).
  • Given a scenario, recommend appropriate Scope and Configuration of the Connected App for Authorization.
  • Describe the various implementation concepts of OAuth (scopes, secrets, tokens, refresh tokens, token expiration, token revocation, etc.).
  • Given a scenario, recommend the Salesforce technologies that should be used to provide identity to the third-party system (Canvas, Connected Apps, App Launcher, etc.).

Resources

  • Build Integrations with External Client Apps

    Hands-on project creating an external client app and implementing the OAuth 2.0 Web Server flow end to end.

    trailhead.salesforce.com

  • Implement the OAuth 2.0 Web Server Flow

    Step-by-step implementation of the Authorization Code flow: requesting auth codes, exchanging tokens, and handling callbacks.

    trailhead.salesforce.com

  • Secure Secrets Storage

    Protecting OAuth client secrets, named credentials, custom metadata, and protected custom settings.

    trailhead.salesforce.com

  • Secure Salesforce Configuration

    Health Check, Connected App OAuth policies, IP relaxation settings, and Shield feature overview.

    trailhead.salesforce.com

  • External Client App Basics

    Differences between external client apps and connected apps, developer/admin separation, and packaging.

    trailhead.salesforce.com

  • Use External Client Apps to Build Integrations

    External client app framework, when to use it over connected apps, OAuth plugin configuration, and Metadata API deployment.

    trailhead.salesforce.com

  • Shield Platform Encryption

    At-rest encryption, key management, field-level encryption, and encryption for files and event bus.

    trailhead.salesforce.com

  • Salesforce Architect Certification Maintenance (Winter '26)

    Identity management, access control, integration, and data updates for Winter '26 architect certification maintenance.

    trailhead.salesforce.com

Access Management Best Practices (15%)

MFA enforcement mechanisms (profile vs. org-wide), session security levels and high-assurance requirements, role and permission set assignment during SSO, Connected App configuration, and auditing tools for login activity.

  • Given a set of requirements, determine the most appropriate methods of multi-factor authentication (MFA) to use, and the right type of session they should yield.
  • Given a scenario, determine how to best assign roles, profiles, and permission sets to a user during the SSO process, and how to keep these assignments up to date.
  • Given a scenario, describe which tools you can apply to audit and verify the activity/user during and after login.
  • Given a scenario, identify the configuration settings for a Connected App.

Resources

  • Superbadge: Access Governance

    Monitoring org access patterns, identifying security vulnerabilities, and implementing access governance controls.

    trailhead.salesforce.com

  • Superbadge: User Authentication Troubleshooting

    Troubleshooting user authentication failures across SSO, MFA, and login flow configurations.

    trailhead.salesforce.com

  • Security Basics

    Security risk overview, org security settings, Health Check, MFA recommendations, and security culture.

    trailhead.salesforce.com

  • Choose the Right Salesforce Security Settings

    MFA enforcement layers, session settings, login hours, trusted IP ranges, and org-wide security configuration.

    trailhead.salesforce.com

  • Session-Based Permission Sets and Security

    Session-based permission sets, activation via flows, high-assurance session enforcement, and access elevation patterns.

    trailhead.salesforce.com

  • Permission Set Groups

    Bundling permission sets for job functions, muting individual permissions, and applying groups to users.

    trailhead.salesforce.com

  • Data Security

    Org-wide defaults, object-level and record-level access controls, role hierarchy, and sharing rules.

    trailhead.salesforce.com

  • Event Monitoring Analytics App

    Pre-built dashboards for event log data, login analytics, and user activity visualization.

    trailhead.salesforce.com

Salesforce Identity (12%)

Identity Connect for Active Directory sync, Customer 360 Identity, External Identity license types vs. Customer Community licenses, and JIT provisioning as an Identity Connect alternative.

  • Given a set of requirements, identify the role Identity Connect plays in a Salesforce Identity implementation.
  • Given a scenario, identify if Salesforce Customer 360 Identity fits into a fully-developed Customer 360 solution.
  • Given a set of requirements, recommend the most appropriate Salesforce license type(s).

Resources

  • Superbadge: User Access Fundamentals

    Scenario-based challenge locking down record access using the full Salesforce access model.

    trailhead.salesforce.com

  • Superbadge: User Access Troubleshooting

    Troubleshooting user access issues including license mismatches, profile settings, and permission conflicts.

    trailhead.salesforce.com

  • Identity for Customers

    External Identity license setup, customer self-registration, social sign-on, and the customer identity lifecycle.

    trailhead.salesforce.com

  • Use Salesforce Identity Beyond Your Internal Org

    When to use External Identity licenses, Customer 360 Identity, and Salesforce as an identity hub for external audiences.

    trailhead.salesforce.com

  • Prepare Your Org for Salesforce Customer Identity

    Org setup for external identity, enabling communities, and configuring the identity provider settings.

    trailhead.salesforce.com

  • Identity for Mobile-Centric Customers

    Mobile-first login and sign-up, embedded login configuration, and mobile identity reporting.

    trailhead.salesforce.com

  • Explore Mobile-First Identity

    Mobile-first identity concepts, when to use embedded login vs. standard community login, and use case mapping.

    trailhead.salesforce.com

  • Salesforce Licensing

    License type catalog, External Identity vs. Customer Community license distinctions, and permission add-ons.

    trailhead.salesforce.com

  • Get to Know Headless Identity Features

    Headless registration, password reset, and login API endpoints for off-platform identity implementations.

    trailhead.salesforce.com

Community (Partner and Customer) (18%)

Experience Cloud site branding and authentication options, Auth. Providers for social sign-on, self-registration and contact matching, external user and contact models, External Identity license trade-offs, and embedded login.

  • Describe the capabilities for customizing the user experience for Experience Cloud (Branding options, authentication options, identity verification self-registration, communications, password reset, etc.).
  • Given a set of requirements, determine the best way to support external IdPs in communities and leverage the right user/contact model to support community user experience.
  • Given a requirement, understand the advantages and limitations of External Identity solutions and associated licenses.
  • Given a scenario, determine when to use embedded login.

Resources

  • Create a Self-Registration Flow for an Experience Cloud Site

    Flow Builder project: record variables, user information gathering, communication preferences, and registration completion.

    trailhead.salesforce.com

  • Superbadge: Extended User Access and Restriction

    Building sharing solutions and field-level restrictions for external and partner community users.

    trailhead.salesforce.com

  • Superbadge: Security and Performance

    Data model and access design challenge based on security and performance requirements for an Experience Cloud context.

    trailhead.salesforce.com

  • Set Up an Experience Cloud Site for Salesforce Customer Identity

    Enabling and configuring an Experience Cloud site for external identity, login page settings, and user matching.

    trailhead.salesforce.com

  • Create a Self-Registration Page

    Building a self-registration page, registration handler Apex class role, and contact/person account matching rules.

    trailhead.salesforce.com

  • Set Up Social Sign-On

    Auth. Provider configuration for Google, Facebook, and other IdPs, and linking social identities to Salesforce users.

    trailhead.salesforce.com

  • Self-Registration in a Portal

    End-to-end portal self-registration: enabling digital experiences, org prep, and login flow assignment.

    trailhead.salesforce.com

  • Set Up Mobile-First Login and Sign-Up

    Configuring embedded login, customizing the sign-up experience, and assigning login flows to mobile sites.

    trailhead.salesforce.com

  • Security Awareness and Training

    Building a security-conscious org culture, training users, and understanding social engineering threats.

    trailhead.salesforce.com

Have suggestions for this resource pack?

To help make this the ultimate resource compilation for the exam, please give your thoughts in the free Cert++ Discord.
