Platform Identity and Access Management Architect Advanced Practice Exam: Hard Questions 2025
You've made it to the final challenge! Our advanced practice exam features the most difficult questions covering complex scenarios, edge cases, architectural decisions, and expert-level concepts. If you can score well here, you're ready to ace the real Platform Identity and Access Management Architect exam.
Why Advanced Questions Matter
Prove your expertise with our most challenging content
Expert-Level Difficulty
The most challenging questions to truly test your mastery
Complex Scenarios
Multi-step problems requiring deep understanding and analysis
Edge Cases & Traps
Questions that cover rare situations and common exam pitfalls
Exam Readiness
If you pass this, you're ready for the real exam
Expert-Level Practice Questions
10 advanced-level questions for Platform Identity and Access Management Architect
A global enterprise uses Salesforce as a service provider (SP) for multiple external applications via SAML. The IdP team rotates the signing certificate. Immediately after rotation, only some users can log in; others get intermittent "Invalid Assertion" errors that disappear after retrying. The IdP insists the metadata was updated. What is the most likely root cause and best fix in Salesforce?
An organization uses Experience Cloud for B2B customers. They want to enforce step-up authentication only when a user initiates a high-risk action (changing bank account details) but not for normal browsing. The identity provider supports MFA and can prompt conditionally. What is the best architecture to meet this requirement with minimal custom code?
A company has 25 Salesforce orgs and wants centralized identity, consistent MFA, and seamless user switching between orgs. Users must have one corporate identity and be able to access multiple orgs without separate credentials. The security team also requires that deprovisioning immediately removes access to all orgs. Which approach best meets these requirements?
A Salesforce org uses an external IdP for SAML SSO. The business wants to prevent account takeover if an attacker learns a username because usernames are publicly guessable (email format). They also want to avoid revealing whether a username exists during login. Which design best addresses this while keeping SSO user experience intact?
A financial services company must meet the requirement: "Users may only access Salesforce from managed devices." The IdP can assert device compliance. The company also needs API access for integrations using OAuth. Which architecture best enforces device compliance for both UI and API access with the strongest control plane?
A company has strict separation-of-duties: users who approve invoices must never have permission to create vendors. They also need temporary emergency access (break-glass) with full auditability and automatic expiration. Which solution best satisfies these constraints in Salesforce?
A multi-tenant Salesforce org serves internal employees and external partners. The company must ensure that a user’s access can be revoked within minutes when their corporate account is disabled, including existing sessions across desktop and mobile. What is the best approach?
A customer implements OAuth for a mobile app using Authorization Code with PKCE against Salesforce. They notice that when a user is terminated, the app continues to access APIs for hours without re-login. They want immediate API access revocation without breaking legitimate sessions unnecessarily. What is the best remediation strategy?
A company is designing identity governance for Salesforce across multiple business units. Requirements: centralized audit of who has access to what, periodic access reviews, least privilege by default, and rapid onboarding/offboarding integrated with the corporate IAM tool. What is the best strategy?
A regulated customer uses both Salesforce and several downstream apps. They want Salesforce to act as an authorization source for app access decisions (e.g., only users with a specific Salesforce permission set can access a downstream analytics app), but they also need to avoid embedding Salesforce-specific logic in the downstream app. Which approach is best?
Ready for the Real Exam?
If you're scoring 85%+ on advanced questions, you're prepared for the actual Platform Identity and Access Management Architect exam!
Platform Identity and Access Management Architect Advanced Practice Exam FAQs
Platform Identity and Access Management Architect is a professional certification from Salesforce that validates expertise in identity and access management architecture on the Salesforce platform. The official exam code is SALESFORCE-34.
The Platform Identity and Access Management Architect advanced practice exam features the most challenging questions covering complex scenarios, edge cases, and in-depth technical knowledge required to excel on the SALESFORCE-34 exam.
While not required, we recommend mastering the Platform Identity and Access Management Architect beginner and intermediate practice exams first. The advanced exam assumes strong foundational knowledge and tests expert-level understanding.
If you can consistently score 67% on the Platform Identity and Access Management Architect advanced practice exam, you're likely ready for the real exam. These questions are designed to be at or above actual exam difficulty.