SALESFORCE CERTIFICATION

Certified Platform Identity and Access Management Architect Practice Exam

Exam Number: 3707 | Last updated 14-Apr-26 | 2309+ questions across 6 vendor-aligned objectives

This architect-level credential focuses on designing and implementing identity management solutions across Salesforce and connected systems. It covers single sign-on configuration, OAuth 2.0 flows, SAML-based federation, and multi-factor authentication strategies for enterprise environments that span multiple clouds and on-premise systems.

Expect about 25% of exam content to cover Accepting Third-Party Identity, which spans SAML, OpenID Connect, social sign-on, and identity provider configuration. Identity Management Concepts commands 20% of the blueprint, covering SSO, federation, identity provisioning, and the identity lifecycle. Nearly one-fifth of questions test Salesforce as Identity Provider, covering connected apps, OAuth flows, and external client authorization. These high-weight domains should anchor your study plan and receive the deepest attention.

Additional sections test your breadth across the platform. Roughly 20% of the questions address Access Management, which spans session management, MFA, login flows, and conditional access. Salesforce Identity accounts for the remaining 15%, which spans identity product features, user provisioning, and license management. Do not overlook these sections; the exam regularly weaves them into multi-concept scenarios.

The exam tests OAuth flows in depth: you must know the difference between the Web Server, User-Agent, JWT Bearer, and Device flows and when each applies. Draw sequence diagrams for each flow before the exam to build muscle memory for the scenario questions.

Every answer links to the source. Each explanation below includes a hyperlink to the exact Salesforce documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations.

322 practice exam users · 92.2% satisfied users · 90.7% passed the exam · 4.3/5 quality rating

Test your Certified Identity Access Architect knowledge

10 of 2309+ questions

Question #1 - Lock down and govern SSO, federation, and identity provisioning to safeguard sensitive data and enforce least-privilege access across the organization

A multinational company uses Microsoft Entra ID as their corporate identity provider. They want employees to log into Salesforce using their corporate credentials.

Which SSO configuration should the identity architect implement?

A) Use OAuth 2.0 Client Credentials flow between the two systems
B) Configure Salesforce as a SAML Service Provider with Entra ID as the Identity Provider
C) Enable Salesforce Delegated Authentication to validate against Entra ID
D) Set up Salesforce as an Identity Provider and Entra ID as the Service Provider

Correct answer: B. Explanation:
When an external system holds user identities, Salesforce should be the SAML Service Provider and Entra ID the Identity Provider. Users authenticate with Entra ID, which sends a SAML assertion to Salesforce. Reversing roles would require Salesforce to hold identities. Client Credentials is for machine-to-machine. Delegated authentication is an older pattern. Source: Trailhead: Identity Login Flows

A B2C company wants to allow customers to log into their Experience Cloud portal using Google or Facebook accounts alongside email/password.

Which feature should the identity architect configure?

A) SAML SSO with Google and Facebook as identity providers
B) Social Sign-On using authentication providers for Google and Facebook
C) Custom Visualforce login pages that call Google and Facebook APIs directly
D) OAuth 2.0 JWT Bearer flow for each social platform

Correct answer: B. Explanation:
Salesforce supports Social Sign-On through built-in authentication providers. SAML is for enterprise federation, not social login. JWT Bearer flow is for server-to-server authentication. Custom Visualforce login pages add unnecessary security risk. Source: Trailhead: Identity & Access

A financial services company needs to expose a Salesforce REST API to an external portfolio management application running as a background service with no interactive user.

Which OAuth flow should the identity architect recommend?

A) OAuth 2.0 Username-Password flow with stored credentials
B) OAuth 2.0 JWT Bearer Token flow using a digital certificate
C) OAuth 2.0 Device Code flow for headless authentication
D) OAuth 2.0 Web Server flow with a redirect URI

Correct answer: B. Explanation:
The JWT Bearer Token flow is designed for server-to-server authentication where no user interaction is possible; the client proves its identity by signing the JWT with the private key of a certificate registered on the Connected App. Web Server flow requires user interaction. Username-Password flow requires the integration to store and send the user's credentials. Device Code flow is for devices with limited input. Source: Salesforce Help: Remoteaccess Oauth Jwt Flow

An organization has enabled MFA for all users. Field technicians using the mobile app in areas with poor connectivity report frequent MFA challenges.

How should the identity architect address this while maintaining security?

A) Disable MFA for the field technician profile
B) Configure Salesforce Authenticator with trusted location-based auto-verification for field sites
C) Issue hardware security keys to all field technicians
D) Extend the session timeout to 24 hours

Correct answer: B. Explanation:
Salesforce Authenticator supports location-based trusted verification, auto-approving MFA at pre-approved locations. Disabling MFA violates security practices. Hardware keys require USB connectivity. Extending timeout does not solve connectivity issues during authentication. Source: Salesforce Help: Salesforce Authenticator Overview

A company uses Salesforce as an Identity Provider for three external apps. One app requires department and employee ID in the SAML assertion beyond the standard NameID.

How should the identity architect deliver these additional attributes?

A) Send attributes in a separate REST API call after authentication
B) Create a custom Apex class that appends attributes to the SAML response
C) Prompt users to enter department and employee ID on each login
D) Configure custom SAML attributes in the Connected App settings

Correct answer: D. Explanation:
Connected App settings allow configuration of custom SAML attributes mapping User record fields to the assertion. Prompting users defeats SSO purpose. Custom Apex is unnecessary. Separate API calls break the SSO flow. Source: Salesforce Help: Connected App Create Saml Sso

A healthcare company needs to provision and deprovision Salesforce user accounts automatically when employees join or leave, based on their HR system (Workday).

Which standard should the identity architect implement?

A) SCIM provisioning between Workday and Salesforce
B) Custom Apex triggers that listen for platform events from Workday
C) A nightly batch CSV import of user changes
D) Manual user creation and deactivation by the admin team

Correct answer: A. Explanation:
SCIM is the industry standard for automated user provisioning and deprovisioning. Salesforce supports SCIM 2.0. Custom triggers require development. CSV imports introduce delays. Manual processes do not scale. Source: Salesforce Help: Identity Scim Overview

An identity architect discovers that several Connected Apps have overly broad OAuth scopes granting full access to all data.

What remediation steps should the identity architect take?

A) Restrict each Connected App’s OAuth scopes to minimum required permissions and enable admin pre-authorization
B) Block all API access and require UI-only login
C) Delete all Connected Apps and recreate them
D) Rotate all OAuth tokens and increase the refresh interval

Correct answer: A. Explanation:
The principle of least privilege requires each Connected App to have only necessary OAuth scopes. Admin pre-authorization ensures only approved users access the app. Deleting apps disrupts integrations. Blocking API access breaks automation. Token rotation addresses credential compromise, not permissions. Source: Salesforce Help: Connected App Overview

A company wants a custom login experience where users verify their email, then choose between SMS OTP and authenticator app for second-factor verification.

Which Salesforce feature should the identity architect use?

A) A custom login flow built with Flow Builder
B) A Visualforce login page that replaces the standard login
C) Standard login with My Domain branding customization
D) An Experience Cloud custom theme with embedded JavaScript

Correct answer: A. Explanation:
Login flows allow inserting custom Flow Builder screens into the authentication process. Visualforce login pages are limited. JavaScript in themes creates security risks. My Domain branding only changes visual appearance. Source: Salesforce Help: Login Flow

An organization is configuring Salesforce to act as an OpenID Connect provider so external applications can verify user identities.

What must the identity architect configure?

A) A Named Credential that maps users to OIDC tokens
B) A SAML Identity Provider with OpenID Connect wrapper
C) An Apex REST web service that returns JWT format data
D) A Connected App with the OpenID Connect scope enabled

Correct answer: D. Explanation:
Salesforce supports OpenID Connect natively through Connected Apps. Enabling the openid scope allows external apps to use the UserInfo endpoint. SAML and OIDC are separate protocols. Custom Apex bypasses standard OIDC. Named Credentials are for outbound authentication. Source: Salesforce Help: Sso Provider Openid Connect

A retail company allows store managers to log into Salesforce from shared kiosk computers. The security team is concerned about session hijacking.

What session security measures should the identity architect implement?

A) Enable ‘Lock sessions to the IP address from which they originated’ and set aggressive session timeout values
B) Require managers to use incognito browser mode
C) Configure kiosk computers to restart every hour
D) Disable ‘Remember Me’ and implement a custom logout flow

Correct answer: A. Explanation:
Locking sessions to originating IP prevents token reuse on different networks. Short session timeouts minimize vulnerability on shared devices. Incognito clears local data but does not protect active sessions. Disabling Remember Me helps but does not address active sessions. Restarting computers is disruptive. Source: Salesforce Help: Sessions

Get 2309+ more questions with source-linked explanations

Every answer traces to the exact Salesforce documentation page — so you learn from the source, not just memorize answers.

Exam mode & learn mode · Score by objective · Updated 14-Apr-26


What the Certified Identity Access Architect exam measures

  • Lock down and govern SSO, federation, and identity provisioning to safeguard sensitive data and enforce least-privilege access across the organization
  • Enforce and audit SAML, OpenID Connect, and social sign-on to safeguard sensitive data and enforce least-privilege access across the organization
  • Implement and monitor connected apps, OAuth flows, and external client authorization to safeguard sensitive data and enforce least-privilege access across the organization
  • Lock down and govern session management, MFA, and login flows to safeguard sensitive data and enforce least-privilege access across the organization
  • Enforce and audit identity product features, user provisioning, and license management to safeguard sensitive data and enforce least-privilege access across the organization

  • Review the official exam guide for comprehensive preparation
  • Complete the Identity and Access Management Architect trail on Trailhead — focus on SSO, OAuth, and SAML modules
  • Configure SSO between a Developer Org and a free identity provider like Okta or Auth0 to gain hands-on experience with SAML assertions and connected apps
  • Join a project that involves identity federation or SSO implementation — even configuring MFA rollout counts as valuable practical experience
  • Focus on the two highest-weighted objectives first — Accepting Third-Party Identity and Salesforce as Identity Provider
  • Use PowerKram’s learn mode to study OAuth flow scenarios with source-linked references
  • Run full practice exams in PowerKram’s exam mode to test your ability to solve real-world identity challenges under time pressure

Identity and access management specialists are in high demand as security requirements grow across industries:

  • Salesforce Identity Architect — $150,000–$195,000 per year, designing SSO and federation solutions (Glassdoor salary data)
  • IAM Architect — $145,000–$200,000 per year, managing enterprise identity across cloud and on-premise systems (Indeed salary data)
  • Security Architect — $155,000–$210,000 per year, leading security strategy including identity, encryption, and compliance (Glassdoor salary data)

Follow the Identity and Access Management Architect Learning Path on Trailhead. The official exam guide covers every tested objective.
