Salesforce-Platform-Identity-and-Access-Management-Architect Practice Test

Salesforce Spring 25 Release -
Updated On 18-Sep-2025

255 Questions

A global company has built an external application that uses data from its Salesforce org via an OAuth 2.0 authorization flow. Upon logout, the existing Salesforce OAuth token must be invalidated.
Which action will accomplish this?

A. Use an HTTP POST to request the refresh token for the current user.

B. Use an HTTP POST to the System for Cross-domain Identity Management (SCIM) endpoint, including the current OAuth token.

C. Use an HTTP POST to make a call to the revoke token endpoint.

D. Use an HTTP POST to make a call to the revoke token endpoint.

C. Use an HTTP POST to make a call to the revoke token endpoint.

Explanation:

To invalidate an existing Salesforce OAuth token, the external application needs to make an HTTP POST request to the revoke token endpoint, passing the token as a parameter. This revokes the access token and, if one is available, the associated refresh token. The other options are not relevant to this scenario.

Reference:

Revoke OAuth Tokens, OAuth 2.0 Token Revocation

A farming enterprise offers smart farming technology to its farmer customers, which includes a variety of sensors for livestock tracking, pest monitoring, climate monitoring, etc. They plan to store all the data in Salesforce. They would also like to ensure timely maintenance of the installed sensors. They have engaged a Salesforce Architect to propose an appropriate way to generate sensor information in Salesforce.
Which OAuth flow should the architect recommend?

A. OAuth 2.0 Asset Token Flow

B. OAuth 2.0 Device Authentication Flow

C. OAuth 2.0 JWT Bearer Token Flow

D. OAuth 2.0 SAML Bearer Assertion Flow

A. OAuth 2.0 Asset Token Flow

Explanation:

To generate sensor information in Salesforce, the architect should recommend OAuth 2.0 Asset Token Flow. OAuth 2.0 Asset Token Flow is a protocol that allows devices, such as sensors, to obtain an access token from Salesforce by using a certificate instead of an authorization code. The access token can be used to access Salesforce APIs and send data to Salesforce. OAuth 2.0 Asset Token Flow is designed for devices that do not have a user interface or a web browser.

Reference:

OAuth 2.0 Asset Token Flow, Authorize Apps with OAuth

The executive sponsor for an organization has asked if Salesforce supports the ability to embed a login widget into its service providers in order to create a more seamless user experience. What should be used and considered before recommending it as a solution on the Salesforce Platform?

A. OpenID Connect Web Server Flow. Determine if the service provider is secure enough to store the client secret on.

B. Embedded Login. Identify what level of UI customization will be required to make it match the service provider's look and feel.

C. Salesforce REST APIs. Ensure that a Secure Sockets Layer (SSL) connection is used for the integration.

D. Embedded Login. Consider whether or not it relies on third-party cookies, which can cause browser compatibility issues.

D. Embedded Login. Consider whether or not it relies on third-party cookies, which can cause browser compatibility issues.

Explanation:

Embedded Login is a feature that allows Salesforce to embed a login widget into any web page, such as a service provider’s site, to enable users to log in with their Salesforce credentials. However, Embedded Login relies on third-party cookies, which can cause browser compatibility issues and require users to adjust their browser settings. Therefore, this should be considered before recommending it as a solution on the Salesforce Platform.

Reference:

Embedded Login, Embedded Login Implementation Guide

Universal Containers (UC) has a mobile application for its employees that uses data from Salesforce as well as uses Salesforce for authentication purposes. UC wants its mobile users to only enter their credentials the first time they run the app. The application has been live for a little over 6 months, and all of the users who were part of the initial launch are complaining that they have to re-authenticate. UC has also recently changed the URI Scheme associated with the mobile app. What should the Architect at UC first investigate?

A. Check the Refresh Token policy defined in the Salesforce Connected App.

B. Validate that the users are checking the box to remember their passwords.

C. Verify that the Callback URL is correctly pointing to the new URI Scheme.

D. Confirm that the access token's Time-To-Live policy has been set appropriately.

A. Check the Refresh Token policy defined in the Salesforce Connected App.

Explanation:

The first thing that the architect at UC should investigate is the refresh token policy defined in the Salesforce connected app. A refresh token is a credential that allows an application to obtain new access tokens without requiring the user to re-authenticate. The refresh token policy determines how long a refresh token is valid and under what conditions it can be revoked. If the refresh token policy is set to expire after a certain period of time or after a change in IP address or device ID, then the users may have to re-authenticate after using the app for a while or from a different location or device.

Option B is not a good choice because validating that the users are checking the box to remember their passwords may not be relevant, as the app uses SSO with a third-party identity provider and does not rely on Salesforce credentials.

Option C is not a good choice because verifying that the callback URL is correctly pointing to the new URI scheme may not be necessary, as the callback URL is used for redirecting the user back to the app after authentication, but it does not affect how long the user can stay authenticated.

Option D is not a good choice because confirming that the access token’s time-to-live policy has been set appropriately may not be effective, as the access token’s time-to-live policy determines how long an access token is valid before it needs to be refreshed by a refresh token, but it does not affect how long a refresh token is valid or when it can be revoked.

A financial services company uses Salesforce and has a compliance requirement to track information about devices from which users log in. Also, a Salesforce Security Administrator needs to have the ability to revoke the device from which users log in.
What should be used to fulfill this requirement?

A. Use multi-factor authentication (MFA) to meet the compliance requirement to track device information.

B. Use the Activations feature to meet the compliance requirement to track device information.

C. Use the Login History object to track information about devices from which users log in.

D. Use Login Flows to capture device from which users log in and store device and user information in a custom object.

B. Use the Activations feature to meet the compliance requirement to track device information.

Explanation:

To meet compliance requirements for tracking device information and enabling the ability to revoke access to specific devices, the most appropriate Salesforce-native feature is the Activations feature (Option B). This feature tracks browser and device activation events, allowing Salesforce to maintain a history of devices from which users log in, including details such as IP address, browser type, and device identifier. When a user logs in from a new or unrecognized device, Salesforce triggers a verification challenge, and once the user confirms the device, it is recorded in the Activation records.

Importantly, administrators have the ability to revoke trusted devices through the user’s login history and device activations, effectively forcing re-verification or denying access, which directly addresses the second part of the requirement.

Other options are less suitable:

Option A (MFA) enhances login security but does not provide full device tracking or revocation capabilities.

Option C (Login History) captures login details like IP address and time but does not specifically track devices or allow device revocation.

Option D (Login Flows with custom objects) could theoretically be configured to track device info, but it would require significant custom development and would still lack native revocation capabilities.

Page 2 out of 51 Pages