
100+ Free Salesforce IAM Architect Practice Questions

Pass your Salesforce Certified Identity and Access Management Architect exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately
Pass rate: Salesforce does not publish a public pass rate
100+ questions, 100% free

2026 Statistics

Key Facts: Salesforce IAM Architect Exam

  • Scored questions: 60 (Salesforce exam guide)
  • Time limit: 105 min (Salesforce exam guide)
  • Passing score: 67% (Salesforce exam guide)
  • Exam fee (USD): $400, $200 retake (Salesforce)
  • Largest domain: Salesforce as Identity Provider, 29%
  • Domain areas: 6 (Identity, Third-Party, IdP, Access, Identity License, Community)

The IAM Architect exam has 60 scored questions plus up to 5 unscored, a 105-minute time limit, a US$400 fee (US$200 retake), and a 67% passing score. Six weighted domains: Identity Management Concepts (16%), Accepting Third-Party Identity (15%), Salesforce as Identity Provider (29%), Access Management Best Practices (15%), Salesforce Identity (10%), and Community/Experience Cloud (15%). It is one of the four credentials that make up the System Architect path and earns the Identity and Access Management Architect credential.

Sample Salesforce IAM Architect Practice Questions

Try these sample questions to test your Salesforce IAM Architect exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which identity standard is an XML-based protocol primarily designed for browser-based Single Sign-On between an Identity Provider and a Service Provider?
A. OAuth 2.0
B. SCIM 2.0
C. SAML 2.0
D. OpenID Connect 1.0
Explanation: SAML 2.0 (Security Assertion Markup Language) is an XML-based standard built specifically for browser SSO. It defines authentication assertions exchanged between an IdP and an SP, typically delivered through the HTTP-Redirect or HTTP-POST bindings. OAuth 2.0 is an authorization framework, OpenID Connect layers identity on top of OAuth 2.0 using JSON and JWTs rather than XML, and SCIM is a provisioning API, not an SSO protocol.

2. Which OAuth 2.0 flow is recommended for a server-side web application that can securely store the consumer secret?
A. Implicit Grant
B. Authorization Code Grant
C. Username-Password Flow
D. Device Code Flow
Explanation: The Authorization Code Grant (Salesforce calls it the Web Server Flow) is the standard flow for confidential clients such as server-side web apps. The user authenticates at Salesforce, a short-lived, single-use authorization code is returned to the registered redirect URI, and the server exchanges that code plus its client secret for an access token (and a refresh token if that scope was requested). The secret never reaches the browser. Salesforce also supports PKCE on this flow, and enabling it for confidential clients is good practice; the Implicit Grant returns tokens in the browser and is no longer recommended.

3. An architect must enable SSO from an external IdP into Salesforce so that users land in Salesforce after authenticating at the IdP portal. Which SSO initiation pattern is this?
A. SP-initiated SSO
B. IdP-initiated SSO
C. Just-in-Time provisioning
D. Delegated Authentication
Explanation: When the user starts at the IdP portal and is sent to Salesforce with an unsolicited SAML response, this is IdP-initiated SSO. SP-initiated SSO begins at Salesforce (e.g., the My Domain login page or a deep link into the org): Salesforce sends a SAML AuthnRequest to the IdP and receives the response back at its Assertion Consumer Service (login) URL. JIT provisioning and Delegated Authentication are not initiation patterns at all.

4. Which Salesforce setting must be enabled before configuring Salesforce as a SAML Identity Provider?
A. Login Flows
B. My Domain
C. Person Accounts
D. Translation Workbench
Explanation: My Domain is the prerequisite for Salesforce acting as an Identity Provider. The Identity Provider setup page requires a deployed My Domain because the IdP issuer (entity ID) and SSO endpoints are built from the My Domain hostname. Newer orgs have My Domain deployed by default, but it is still the dependency the question tests.

5. A Connected App is configured with the OAuth scope 'refresh_token, full'. What does the 'refresh_token' scope grant the client?
A. Permission to invoke any REST API
B. Ability to obtain a refresh token to mint new access tokens
C. The right to revoke tokens for other users
D. Access to the user's password hash
Explanation: The refresh_token scope (Salesforce accepts offline_access as a synonym, matching OIDC) tells Salesforce to issue a refresh token alongside the access token. The client can then present that refresh token to the token endpoint (grant_type=refresh_token) for a new access token without prompting the user again. Note that full does not imply refresh_token; the two must be requested together, and the Connected App's refresh token policy (valid until revoked, expire after a period, or expire immediately) governs how long it stays usable.

6. Which protocol is the JSON-based REST standard for cross-domain user lifecycle provisioning supported by Salesforce?
A. LDAP
B. SCIM 2.0
C. SAML JIT
D. WS-Federation
Explanation: SCIM 2.0 (System for Cross-domain Identity Management) is the REST/JSON standard for creating, updating, deactivating, and synchronizing user accounts across systems. Salesforce exposes SCIM 2.0 endpoints under /services/scim/v2/ (for example /services/scim/v2/Users), called with an OAuth bearer token. SAML JIT also creates users, but only at login time and only from SAML attributes; SCIM is the API-driven lifecycle channel and is the one that can deactivate a user, which JIT cannot do because a deprovisioned user never logs in.

7. What is the purpose of Just-in-Time (JIT) provisioning during SAML SSO into Salesforce?
A. To revoke OAuth refresh tokens at logout
B. To create or update the Salesforce user record from SAML attributes at login time
C. To convert username-password sessions into High Assurance sessions
D. To synchronize Active Directory groups overnight
Explanation: JIT provisioning lets Salesforce create or update a user on the fly from attributes in the inbound SAML assertion, using the User.* attribute names (User.Username, User.Email, User.LastName, User.ProfileId, and so on). This avoids pre-creating users and keeps user records in sync with the IdP at each login. Custom JIT logic goes in an Apex class implementing Auth.SamlJitHandler. Because JIT only runs on a successful login, it cannot deactivate users; that needs SCIM or Identity Connect.

8. Which Salesforce-licensed product synchronizes users and groups from on-premises Microsoft Active Directory to Salesforce in near real time?
A. MuleSoft Anypoint
B. Identity Connect
C. External Identity License
D. Marketing Cloud Connector
Explanation: Identity Connect is the Salesforce-supported, separately licensed tool that runs on a Windows server, polls Active Directory, and provisions, updates, and deprovisions users into Salesforce. It also supports Integrated Windows Authentication and AD-driven SSO. Unlike SAML SSO it moves identity data into Salesforce rather than only authenticating, and unlike SCIM the caller is Identity Connect itself rather than the IdP.

9. A native mobile application cannot safely store a consumer secret. Which OAuth flow should the architect choose?
A. Authorization Code Grant with PKCE
B. Username-Password Flow
C. Client Credentials Flow
D. JWT Bearer Flow
Explanation: Public clients such as native mobile apps must use Authorization Code with PKCE (Proof Key for Code Exchange). The app creates a random code_verifier, sends only its SHA-256 hash (code_challenge with code_challenge_method=S256) on the authorize request, and must present the original verifier when redeeming the code, so an intercepted code cannot be redeemed by an attacker. On the Connected App, the 'Require Proof Key for Code Exchange (PKCE)' setting makes Salesforce reject authorization requests that omit the challenge. Client Credentials and JWT Bearer both need a secret or private key on the device, and the Username-Password flow hands the user's credentials to the app.
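Questions 2 and 9 describe the same exchange from the confidential and the public client's side. The Python below is an added example, not code from the page or from Salesforce: it generates the PKCE pair, builds the authorize URL and the /services/oauth2/token form body a client would send to a My Domain host (the host, consumer key and redirect URI are placeholders), and simulates the server's PKCE bookkeeping so the intercepted-code and replay cases can be run offline without a real org.

```python
"""Authorization Code + PKCE against a Salesforce org, modelled offline.

Added example, not code from the page or from Salesforce. MY_DOMAIN, the
client ID and the redirect URI are placeholders. No HTTP is sent: the
authorize URL and the /services/oauth2/token form body are built as a
client would send them, and the server's PKCE bookkeeping is simulated so
the intercepted-code and replay cases can be exercised.
"""
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlencode

MY_DOMAIN = "https://example.my.salesforce.com"  # assumption
AUTHORIZE_URL = f"{MY_DOMAIN}/services/oauth2/authorize"
TOKEN_URL = f"{MY_DOMAIN}/services/oauth2/token"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Random verifier; 32 bytes encode to 43 chars, the RFC 7636 minimum."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, verifier: str,
                        state: str, scope: str = "api refresh_token") -> str:
    """Step 1: the browser is sent here. Only the challenge leaves the client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                    # CSRF binding, compared on return
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",   # never "plain"
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def build_token_request(client_id: str, redirect_uri: str, code: str,
                        verifier: str, client_secret: Optional[str] = None) -> dict:
    """Step 2: form body POSTed to TOKEN_URL. A public client (mobile, SPA) has no
    client_secret; a confidential web-server client adds it and still sends the verifier."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,      # must equal the step-1 value
        "code_verifier": verifier,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


class FakeAuthServer:
    """Stand-in for the PKCE state the real /authorize and /token endpoints keep."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> code_challenge

    def issue_code(self, challenge: str) -> str:
        code = secrets.token_urlsafe(24)
        self._pending[code] = challenge
        return code

    def redeem(self, code: str, verifier: str) -> bool:
        challenge = self._pending.get(code)
        if challenge is None:              # unknown, or already used (replay)
            return False
        if not secrets.compare_digest(make_code_challenge(verifier), challenge):
            return False                   # wrong verifier: invalid_grant
        del self._pending[code]            # codes are single-use
        return True


def run_demo() -> dict:
    """Legitimate exchange, an attacker holding only the code, and a replay."""
    server = FakeAuthServer()
    verifier = make_code_verifier()
    url = build_authorize_url("3MVG9_placeholder_consumer_key", "com.example.app://callback",
                              verifier, state=secrets.token_urlsafe(16))
    code = server.issue_code(make_code_challenge(verifier))  # user authenticated; code sent to redirect_uri
    return {
        "authorize_url_has_s256": "code_challenge_method=S256" in url,
        "attacker_with_code_only": server.redeem(code, make_code_verifier()),
        "legitimate": server.redeem(code, verifier),
        "replay": server.redeem(code, verifier),
    }
```

Call `run_demo()` to see all four outcomes; `build_token_request(..., client_secret="...")` is the web-server variant from question 2, where the secret and the verifier travel together from the backend. A real Salesforce token endpoint additionally binds the code to the `redirect_uri` and the `client_id`, which is why both are repeated in step 2.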
10. Which OAuth flow lets a backend integration authenticate as a specific Salesforce user without that user being present, using a signed JWT?
A. Implicit Grant
B. JWT Bearer Token Flow
C. Refresh Token Flow
D. Device Authorization Flow
Explanation: The OAuth 2.0 JWT Bearer Token Flow lets a server sign a JWT with the private key whose certificate was uploaded to the Connected App (the 'Use digital signatures' setting). The claims name the consumer key as issuer, a Salesforce username as subject, the login URL as audience, and a short expiry. Salesforce returns an access token (no refresh token) without user interaction, which makes it the fit for ETL and integration jobs. The user must already have approved the app, or an admin must pre-authorize it by assigning the Connected App to the user's profile or permission set; otherwise the token request fails with invalid_grant.

About the Salesforce IAM Architect Exam

The Salesforce Certified Identity and Access Management Architect exam validates expertise in designing and implementing identity solutions on the Salesforce platform. It covers SAML 2.0, OAuth 2.0 flows, OpenID Connect, SCIM provisioning, JIT, Connected Apps, Salesforce as IdP and SP, MFA, session security, Experience Cloud authentication, and Identity Connect integration with Active Directory.

Assessment

60 scored multiple-choice / multiple-select questions plus up to 5 unscored items (65 total)

Time Limit

105 minutes

Passing Score

67%

Exam Fee

US$400 (retake US$200), per Salesforce

Salesforce IAM Architect Exam Content Outline

16%

Identity Management Concepts

SAML 2.0, OAuth 2.0, OpenID Connect 1.0, SCIM, JIT, federated identity vocabulary, IdP vs SP roles, IdP-initiated vs SP-initiated SSO, NameID, Federation ID, and authentication context.

15%

Accepting Third-Party Identity in Salesforce

Salesforce as Service Provider with SAML SSO, Auth Providers for OAuth/OIDC and social sign-on, RegistrationHandler Apex, Just-in-Time provisioning, and inbound assertion troubleshooting.

29%

Salesforce as an Identity Provider

My Domain, Connected Apps with SAML and OIDC, SAML signing/encryption, Single Logout (SLO), App Launcher, IdP-initiated login URLs, and outbound provisioning to downstream SaaS.

15%

Access Management Best Practices

OAuth flows in depth (Authorization Code, PKCE, JWT Bearer, Client Credentials, Device, Refresh Token), MFA mandate, session settings, High Assurance sessions, IP ranges, login hours, and integration-user patterns.

10%

Salesforce Identity

Identity license, External Identity license, Identity Connect for Active Directory, SCIM endpoints, deactivation patterns, and License selection guidance.

15%

Community (Experience Cloud) Identity

Experience Cloud login pages, custom registration, social sign-on, passwordless flows, External Identity portals, customer identity (CIAM) patterns, and Experience Cloud session/MFA design.

How to Pass the Salesforce IAM Architect Exam

What You Need to Know

  • Passing score: 67%
  • Assessment: 60 scored multiple-choice / multiple-select questions plus up to 5 unscored items (65 total)
  • Time limit: 105 minutes
  • Exam fee: US$400 (retake US$200)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Salesforce IAM Architect Study Tips from Top Performers

1. Memorize each OAuth flow's purpose, required parameters, and security tradeoffs - especially Authorization Code with PKCE, JWT Bearer, Client Credentials, Device Flow, and Refresh Token policies.
2. Practice configuring a Connected App end to end: callback URLs, scopes, Permitted Users, IP relaxation, refresh token policy, and the SAML section. The exam asks scenario questions that hinge on these settings.
3. Build a clear mental model of when Salesforce is the IdP (Connected App + SAML/OIDC) versus the SP (Single Sign-On Settings + Auth Provider). Most exam confusion comes from mixing these up.
4. Drill MFA mandate scope: which users are in scope, which methods are accepted, when an upstream IdP's MFA satisfies the mandate, and how to roll out MFA enrollment via Login Flows.
5. Know the differences between the Identity license, External Identity license, Customer Community Plus, and Salesforce Platform - the exam tests license selection for given scenarios.
6. Master Experience Cloud identity: branded login pages, RegistrationHandler Apex, social Auth Providers, self-registration, and passwordless customer flows.
7. Practice troubleshooting SAML failures using the SAML Assertion Validator, Login History, and Identity Verification History.
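Tip 7 and sample questions 1, 3 and 7 all come back to what Salesforce checks on an inbound assertion before it looks the user up or JIT-provisions them. The Python below is an added example, not code from the page or from Salesforce; the assertion it parses is constructed for it, the entity IDs and ACS URL are assumptions, and the User.* names are the standard Salesforce JIT attribute names. Signature verification is left out (it needs an XML-DSig library such as xmlsec); the checks implemented are the ones the SAML Assertion Validator most often flags, and each one is reported rather than stopping at the first.

```python
"""Check an inbound SAML 2.0 assertion the way Salesforce-as-SP does, then build
the Just-in-Time (JIT) user from its attributes. Added example, not code from the
page or from Salesforce; the assertion, entity IDs and ACS URL are constructed.
Signature verification is out of scope (needs an XML-DSig library)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml for XML from untrusted parties

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_JIT_ATTRS = ("User.Username", "User.Email", "User.LastName", "User.ProfileId")

# Mirrors Setup > Single Sign-On Settings (values assumed).
SP_CONFIG = {"idp_entity_id": "https://idp.example.com/saml",
             "sp_entity_id": "https://example.my.salesforce.com",
             "acs_url": "https://example.my.salesforce.com/?so=00D000000000001",
             "identity_type": "FederationId",  # NameID matched to User.FederationIdentifier
             "clock_skew": timedelta(minutes=3)}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">emp-4471</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T10:05:00Z"
          Recipient="https://example.my.salesforce.com/?so=00D000000000001"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://example.my.salesforce.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="User.Username"><saml:AttributeValue>ana@example.com.sso</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.Email"><saml:AttributeValue>ana@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.LastName"><saml:AttributeValue>Ruiz</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.ProfileId"><saml:AttributeValue>00e000000000001AAA</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.FederationIdentifier"><saml:AttributeValue>emp-4471</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    """Parse xs:dateTime; the trailing 'Z' is rewritten for Python < 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text: str, config: dict, now: datetime):
    """Return (ok, errors, jit_user); every failing check is recorded, not only the first."""
    errors, skew = [], config["clock_skew"]
    root = ET.fromstring(xml_text)

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != config["idp_entity_id"]:
        errors.append(f"Issuer {issuer!r} != configured IdP entity ID")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        errors.append("Conditions element missing")
    else:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")) - skew:
            errors.append("assertion not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")) + skew:
            errors.append("assertion expired (NotOnOrAfter)")
        audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
        if config["sp_entity_id"] not in audiences:
            errors.append(f"Audience {audiences} does not include the SP entity ID")

    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") and scd.get("Recipient") != config["acs_url"]:
        errors.append("Recipient != Salesforce login (ACS) URL")

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        errors.append("NameID missing: Salesforce cannot locate the user")

    attrs = {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    user = build_jit_user(attrs, name_id, config, errors)
    return (not errors), errors, user


def build_jit_user(attrs: dict, name_id, config: dict, errors: list) -> dict:
    """Map User.* attributes onto User fields, enforce the required set, and require an
    explicit User.FederationIdentifier to agree with the NameID the user is looked up by."""
    user = {name.split(".", 1)[1]: vals[0]
            for name, vals in attrs.items() if name.startswith("User.") and vals}
    errors.extend(f"JIT attribute missing: {req}" for req in REQUIRED_JIT_ATTRS if req not in attrs)
    if config["identity_type"] == "FederationId" and name_id:
        if user.setdefault("FederationIdentifier", name_id) != name_id:
            errors.append("User.FederationIdentifier does not match NameID")
    return user


def run_demo() -> dict:
    """A valid login, the same assertion presented too late, and a wrong SP entity ID."""
    ok_now = datetime(2024, 5, 1, 10, 2, tzinfo=timezone.utc)
    late = datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc)
    bad_cfg = dict(SP_CONFIG, sp_entity_id="https://saml.salesforce.com")
    return {"valid": validate_assertion(SAMPLE_ASSERTION, SP_CONFIG, ok_now),
            "expired": validate_assertion(SAMPLE_ASSERTION, SP_CONFIG, late),
            "wrong_audience": validate_assertion(SAMPLE_ASSERTION, bad_cfg, ok_now)}
```

`run_demo()["valid"]` yields the JIT user Salesforce would create (Username, Email, LastName, ProfileId, FederationIdentifier); the other two runs show the exact failure strings that correspond to an IdP clock drifting past the skew window and to an entity ID mismatch, the two most common causes of a "Single Sign-On Error" that a signed, well-formed assertion still produces.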

Frequently Asked Questions

How many questions are on the Salesforce IAM Architect exam?

Salesforce's official exam guide lists 60 scored multiple-choice / multiple-select questions plus up to 5 unscored items, for 65 total. The time limit is 105 minutes.

What is the passing score for the IAM Architect exam?

67%. Salesforce scores the exam as a whole, with no per-domain pass requirement, so you can miss questions in some domains and still pass overall; most candidates target 75% or higher on practice tests for a safety margin.

How much does the IAM Architect exam cost?

Salesforce charges US$400 for the first attempt and US$200 for each retake (plus applicable taxes). The exam is delivered online proctored or at a Kryterion test center.

Are there prerequisites for the IAM Architect credential?

Salesforce lists no prerequisite credentials for this exam, but it is one of the four credentials that make up the System Architect path (alongside Platform Developer I, Integration Architect, and Development Lifecycle and Deployment Architect). Recommended preparation includes Sharing and Visibility Architect, Platform App Builder, and substantial real-world Salesforce identity experience.

Which OAuth flows are most heavily tested?

Authorization Code (with and without PKCE), JWT Bearer, Client Credentials, Refresh Token, Device Flow, and SAML Bearer. Username-Password is tested as a 'when not to use' scenario, and Implicit Grant appears as deprecated.

Does the exam cover Identity Connect?

Yes. Identity Connect synchronizes Active Directory users and groups to Salesforce in near real time and supports Integrated Windows Authentication. Expect questions distinguishing Identity Connect from SAML SSO and SCIM.

How is MFA tested on this exam?

You should know the scope of the Salesforce MFA mandate, the accepted verification methods (Salesforce Authenticator, TOTP authenticator apps, security keys supporting WebAuthn/FIDO2/U2F, and built-in authenticators such as Windows Hello or Touch ID), the excluded methods (SMS and email one-time codes, phone calls, security questions), and when MFA performed at an upstream SSO IdP satisfies the mandate (it does, provided the IdP enforces a method the mandate accepts on every Salesforce login).