The Salesforce architect exams are some of the most rewarding and interesting exams to get. I really enjoy them because they offer a rare chance to dive very deep into a specific area of the platform. These can expand your capabilities within Salesforce, and provide you valuable understanding as you progress your career towards Technical Architect. This is the study guide for the Identity and Access Management Designer certification exam.
Each of these exams has a study guide (like all other certifications), as well as a resource guide which has linked articles, Trailhead modules, documentation and more. To get the most out of those guides, I have written down some important areas to study and understand. If you understand the concepts below, you’ll do well on your exam.
Identity and Access Management Designer
The Salesforce Identity and Access Management Designer exam focuses on your understanding of how access is controlled using external authentication providers, as well as using Salesforce as the authentication provider. You need to know how the systems talk to each other, the different ways authentication can be passed, and how to manage the security of your org(s).
For me, this was the hardest of all of the architect exams. This test deals with a lot of non-Salesforce principles and practices. If you have spent time working with authentication and security in your current or previous roles, it may not be as difficult. I had to take this test a few times, as well as spend a good amount of time learning about concepts outside of my normal job responsibilities.
Salesforce uses the OAuth protocol so that applications can access data without being handed the user's login credentials. This article speaks about configuring SSO, and this one speaks about best practices. It is important to review those best practice considerations.
Active Directory – Salesforce Identity Connect
It is important to understand Identity Connect and the relationship Active Directory has in the modern enterprise landscape. Mapping requirements is a key part of this process.
Identity Provider vs. Service Provider
Given an authentication scenario, you will be asked to determine which system is the identity provider and which system is the service provider. The key to these questions is identifying the platform that ultimately authenticates the user's credentials; every other system that trusts that result is a service provider.
Two Factor Authentication
Know what options are available for 2FA natively from Salesforce, as well as the AppExchange. Also understand when you would recommend a 2FA step to an organization.
Know what just-in-time (JIT) provisioning is, and for which use case(s) it is appropriate.
Canvas Apps and SAML SSO
Understand how SAML SSO can authenticate users into your canvas apps.
When working with multiple orgs, understand the SSO capabilities and limitations.
What tokens exist within the different authentication scenarios? How is security handled in each of these scenarios?
An architect has configured a SAML-based SSO integration between Salesforce and an external identity provider. During testing, the architect attempts to log in to Salesforce using SSO, but receives a SAML error. Which two actions should the Architect take to troubleshoot the issue?
A. Ensure the Callback URL is correctly set in the Connected Apps settings.
B. Use a browser that has an add-on/extension that can inspect SAML.
C. Paste the SAML assertion into the SAML Assertion Validator in Salesforce.
D. Use the browser’s Development tools to view the Salesforce page’s markup.
Why? Salesforce’s SAML Assertion Validator decodes an assertion and reports which validation checks failed (issuer, audience, timestamps and so on), which points directly at the misconfiguration. Browser extensions that decode SAML requests and responses let you inspect the assertion as it is actually sent between the identity provider and Salesforce. https://developer.salesforce.com/docs/atlas.en-us.sso.meta/sso/sso_saml_validation.htm
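As an added example (not code from the original post or from Salesforce), the Go program below performs the kind of checks the Assertion Validator performs on a SAMLResponse: it decodes the base64 parameter, parses the assertion, and compares issuer, audience, destination, NameID and the validity window against what the service provider expects. The spConfig values and the sample response are constructed placeholders, and buildSample only exists so the program runs offline; signature verification against the IdP certificate is omitted here and must be present in any real service provider.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"time"
)

// samlResponse captures only the parts of a SAML 2.0 Response that the usual
// SSO misconfigurations involve. Tags match local names, so the samlp:/saml:
// prefixes in the document do not matter to the decoder.
type samlResponse struct {
	XMLName     xml.Name `xml:"Response"`
	Destination string   `xml:"Destination,attr"`
	Assertion   struct {
		Issuer     string `xml:"Issuer"`
		NameID     string `xml:"Subject>NameID"`
		Conditions struct {
			NotBefore    string `xml:"NotBefore,attr"`
			NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
			Audience     string `xml:"AudienceRestriction>Audience"`
		} `xml:"Conditions"`
	} `xml:"Assertion"`
}

// spConfig is what the service provider (Salesforce in the exam scenario) has
// configured and therefore expects to find in the assertion. All placeholders.
type spConfig struct {
	Issuer   string // Issuer configured in the SP's SSO settings
	Audience string // Entity ID of the SP
	ACSURL   string // Assertion Consumer Service (login) URL
}

// checkAssertion decodes a base64 SAMLResponse and returns every mismatch
// against cfg as of time now. Signature verification against the IdP
// certificate is deliberately left out; a real SP must do it first.
func checkAssertion(raw string, cfg spConfig, now time.Time) []string {
	decoded, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return []string{"SAMLResponse is not valid base64: " + err.Error()}
	}
	var resp samlResponse
	if err := xml.Unmarshal(decoded, &resp); err != nil {
		return []string{"SAMLResponse is not well-formed XML: " + err.Error()}
	}
	a := resp.Assertion
	var problems []string
	if a.Issuer != cfg.Issuer {
		problems = append(problems, fmt.Sprintf("issuer mismatch: got %q, want %q", a.Issuer, cfg.Issuer))
	}
	if a.Conditions.Audience != cfg.Audience {
		problems = append(problems, fmt.Sprintf("audience mismatch: got %q, want %q", a.Conditions.Audience, cfg.Audience))
	}
	if resp.Destination != "" && resp.Destination != cfg.ACSURL {
		problems = append(problems, fmt.Sprintf("destination %q is not the SP login URL %q", resp.Destination, cfg.ACSURL))
	}
	if a.NameID == "" {
		problems = append(problems, "assertion carries no NameID to match a user on")
	}
	// Both timestamp checks also flag unparseable values; a real SP would allow a few minutes of clock skew.
	if nb, err := time.Parse(time.RFC3339, a.Conditions.NotBefore); err != nil || now.Before(nb) {
		problems = append(problems, "assertion not yet valid (NotBefore)")
	}
	if noa, err := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter); err != nil || !now.Before(noa) {
		problems = append(problems, "assertion expired (NotOnOrAfter)")
	}
	return problems
}

// buildSample returns a constructed, base64-encoded SAMLResponse. It exists
// only so the example runs offline; it is not output from a real IdP.
func buildSample(issuer, audience, nameID, notBefore, notOnOrAfter, destination string) string {
	doc := fmt.Sprintf(`<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="%s">
  <saml:Assertion>
    <saml:Issuer>%s</saml:Issuer>
    <saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="%s" NotOnOrAfter="%s">
      <saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>`, destination, issuer, nameID, notBefore, notOnOrAfter, audience)
	return base64.StdEncoding.EncodeToString([]byte(doc))
}

func main() {
	cfg := spConfig{Issuer: "https://idp.example.com", Audience: "https://saml.salesforce.com", ACSURL: "https://login.salesforce.com/"}
	now := time.Date(2024, 5, 1, 12, 0, 0, 0, time.UTC)
	// Constructed failing case: wrong audience and an assertion that has already expired.
	bad := buildSample(cfg.Issuer, "https://wrong.example.com", "user@example.com",
		"2024-05-01T11:55:00Z", "2024-05-01T11:58:00Z", cfg.ACSURL)
	for _, p := range checkAssertion(bad, cfg, now) {
		fmt.Println("problem:", p)
	}
}
```

Each reported problem corresponds to a setting on one side of the integration (the Issuer and Entity ID in the Salesforce SSO settings, the audience and ACS URL configured on the identity provider, or the clocks of the two systems), which is exactly the mapping you need to make when reading the validator's output during troubleshooting.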
Universal Containers wants users to access Salesforce, and other SSO-enabled applications, from a custom web page that UC maintains. UC wants its users to use the same set of credentials to access each of the applications. What SAML SSO flow should an Architect recommend for UC?
A. Service Provider Initiated with Deep Linking.
B. Service Provider Initiated.
C. Identity Provider Initiated.
Why? In this scenario, authentication is handled within Universal Containers’ custom web portal, so the portal is the identity provider and the connected systems (including Salesforce) are the service providers. Because the user starts at the identity provider and is sent on to each application already authenticated, this is an Identity Provider Initiated flow.
Universal Containers uses middleware to integrate multiple systems with Salesforce. UC has a strict, new requirement that usernames and passwords cannot be stored in any UC system. How can UC’s middleware authenticate to Salesforce while adhering to this requirement?
A. Create a Connected App that supports the JWT Bearer Token OAuth Flow.
B. Create a Connected App that supports the Refresh Token OAuth Flow.
C. Create a Connected App that supports the Web Server OAuth Flow.
D. Create a Connected App that supports the User-Agent OAuth Flow.
Why? The JWT Bearer Token OAuth Flow is the one that best supports this requirement, because the middleware authenticates with a signed assertion backed by a certificate registered on the connected app rather than with a stored username and password – https://help.salesforce.com/articleView?id=remoteaccess_oauth_jwt_flow.htm&type=5. Understanding each of these flows, as well as its intended use case, is important to passing this exam.
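The following Go program is an added example, not code from the original post or from Salesforce. It shows why the JWT bearer flow satisfies the "no stored usernames and passwords" requirement: the middleware proves possession of a private key whose certificate is registered on the connected app, and the token request it would POST to the token endpoint carries nothing but the signed assertion and the grant type. The consumer key, username and audience are placeholders; generateKey() stands in for a key that would really be loaded from a secret store or HSM, and verifyAssertion mirrors the checks the authorization server performs so that the whole exchange can be exercised offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// jwtClaims: iss is the connected app's consumer key, sub the Salesforce
// username to act as, aud the login endpoint, exp a unix timestamp.
type jwtClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// generateKey stands in for the key pair whose certificate was uploaded to the connected app.
func generateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// decodeSegment base64url-decodes one JWT segment and parses it as JSON.
func decodeSegment(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// buildAssertion produces header.payload.signature signed with RS256
// (RSA PKCS#1 v1.5 over SHA-256), the algorithm this flow requires.
func buildAssertion(key *rsa.PrivateKey, claims jwtClaims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64url(header) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// verifyAssertion mirrors the server side: the alg header must be RS256 (the
// verifier, not the token, decides the algorithm), the signature must verify
// with the registered public key, and aud/exp must be acceptable.
func verifyAssertion(pub *rsa.PublicKey, token, wantAud string, now time.Time) (jwtClaims, error) {
	var claims jwtClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims, fmt.Errorf("malformed token")
	}
	var header struct{ Alg string `json:"alg"` }
	if err := decodeSegment(parts[0], &header); err != nil || header.Alg != "RS256" {
		return claims, fmt.Errorf("unsupported or missing alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return claims, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return claims, fmt.Errorf("bad signature: %w", err)
	}
	if err := decodeSegment(parts[1], &claims); err != nil {
		return claims, err
	}
	if claims.Aud != wantAud {
		return claims, fmt.Errorf("audience %q not accepted", claims.Aud)
	}
	if !now.Before(time.Unix(claims.Exp, 0)) {
		return claims, fmt.Errorf("assertion expired")
	}
	return claims, nil
}

// tokenRequest is the form body POSTed to the token endpoint: no username or password anywhere in it.
func tokenRequest(assertion string) url.Values {
	return url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"}, "assertion": {assertion}}
}

func main() {
	key, err := generateKey()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	claims := jwtClaims{Iss: "CONSUMER_KEY_PLACEHOLDER", Sub: "integration.user@example.com",
		Aud: "https://login.salesforce.com", Exp: now.Add(2 * time.Minute).Unix()} // placeholders; short-lived exp
	tok, err := buildAssertion(key, claims)
	if err != nil {
		panic(err)
	}
	_, err = verifyAssertion(&key.PublicKey, tok, claims.Aud, now)
	fmt.Println(tokenRequest(tok).Get("grant_type"), "| verifies with registered key:", err == nil)
}
```

The security properties the exam is probing are visible in the code: the secret never leaves the middleware (only a signature does), the assertion is bound to one audience and expires within minutes, and the verifier rejects any token whose alg header is not the expected RS256, so an attacker cannot downgrade the check by presenting an unsigned or differently signed token.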