Salesforce-Platform-Identity-and-Access-Management-Architect Practice Test
Salesforce Spring 25 Release 255 Questions
Universal Containers (UC) is using a Salesforce Experience Cloud site for its container wholesale business. The identity architect wants to use an authentication provider for the new site.
Which two options should be utilized in creating an authentication provider? Choose 2 answers
A. A custom registration handler can be set.
B. A custom error URL can be set.
C. The default login user can be set.
D. The default authentication provider certificate can be set.
A. A custom registration handler can be set. C. The default login user can be set.
Explanation:
When configuring an authentication provider in Salesforce for an Experience Cloud site, two critical and fully supported features are: the ability to specify a custom registration handler and a default login user. The custom registration handler is an Apex class that executes when a user logs in using the external identity provider (IdP) and does not already exist in Salesforce. This handler is responsible for creating or updating the user, assigning roles, profiles, and other attributes, and is essential for supporting Just-in-Time (JIT) provisioning in customer and partner communities.
The default login user, on the other hand, is a user that Salesforce uses to log in when a registration handler is not used or when the IdP does not provide sufficient identifying information. This user typically has restricted permissions and is used for guest or fallback access, making it a necessary part of the Experience Cloud site login flow when external authentication is involved.
Options B (custom error URL) and D (default authentication provider certificate) are not valid settings in the authentication provider configuration. While you can configure a custom error message or page using community settings or custom flows, "custom error URL" is not a configurable field in the authentication provider setup. Similarly, Salesforce allows uploading certificates for SAML or JWT validation, but there is no concept of a "default authentication provider certificate" in the way Option D describes.
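The custom registration handler described in the explanation is an Apex class that implements Auth.RegistrationHandler. The sketch below is an added example, not part of the practice test or of Salesforce's own code; the class name, account name, profile name, username suffix and locale defaults are assumptions. It shows JIT provisioning that rejects incomplete IdP data and never lets IdP attributes choose the profile.

```apex
// Added example: JIT registration handler for an Experience Cloud site.
// Assumed names: UcSiteRegistrationHandler, 'UC Wholesale Customers',
// 'UC Customer Community User', and the '.ucsite' username suffix.
global class UcSiteRegistrationHandler implements Auth.RegistrationHandler {

    public class RegistrationException extends Exception {}

    // Runs on first login, when no Salesforce user is linked to the IdP identity.
    global User createUser(Id portalId, Auth.UserData data) {
        // Refuse to provision from an incomplete IdP response instead of guessing.
        if (String.isBlank(data.identifier) || String.isBlank(data.email)
                || String.isBlank(data.lastName)) {
            throw new RegistrationException('IdP response is missing required user attributes');
        }
        // Profile and account are fixed server-side, so nothing sent by the IdP
        // can select a more privileged profile or a different account.
        Profile p = [SELECT Id FROM Profile WHERE Name = 'UC Customer Community User' LIMIT 1];
        Account a = [SELECT Id FROM Account WHERE Name = 'UC Wholesale Customers' LIMIT 1];

        // Experience Cloud users are backed by a contact under an account.
        Contact c = new Contact(AccountId = a.Id, Email = data.email,
                                FirstName = data.firstName, LastName = data.lastName);
        insert c;

        User u = new User();
        u.ProfileId = p.Id;
        u.ContactId = c.Id;
        u.Username = data.email + '.ucsite';   // usernames must be unique
        u.Email = data.email;
        u.FirstName = data.firstName;
        u.LastName = data.lastName;
        u.Alias = data.lastName.left(8);       // alias is limited to 8 characters
        u.LanguageLocaleKey = 'en_US';
        u.LocaleSidKey = 'en_US';
        u.EmailEncodingKey = 'UTF-8';
        u.TimeZoneSidKey = 'America/Los_Angeles';
        return u;   // the platform saves the returned user
    }

    // Runs on later logins for a user already linked to the IdP identity.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        // Refresh display names only; email, profile and username stay untouched
        // so a changed IdP attribute cannot re-point or elevate the account.
        User u = new User(Id = userId);
        if (String.isNotBlank(data.firstName)) { u.FirstName = data.firstName; }
        if (String.isNotBlank(data.lastName)) { u.LastName = data.lastName; }
        update u;
    }
}
```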