The Identity and Access Management Architect Certification targets identity experts aiming to showcase their proficiency in evaluating identity infrastructure, crafting secure access management solutions on the Customer 360 platform, and adeptly communicating technical strategies to both business and technical audiences.

There are 6 areas of knowledge that are covered by the Salesforce Identity and Access Management Architect certification.

Identity and Access Management Architect Topic Weighting Chart

The following are the core topic areas of the Identity and Access Management Architect

certification and what you’re expected to know:

This topic includes the following objectives:

           Salesforce supports various authentication patterns to authenticate users and integrate with external systems securely. These patterns can be implemented for a wide range of users, from internal employees to external customers and partners.
Basic Authentication is a pattern that uses username and password and is often used for basic user login through standard Salesforce login forms or API access. Multi-Factor Authentication (MFA) adds an additional security layer, requiring users to provide two or more factors when they log in.  Single Sign-On (SSO) allows users to access multiple applications using a single login and one set of credentials. OAuth 2.0 authorization flows can be utilized to access protected resources. Certificate-based authentication can be configured to authenticate Salesforce users with unique digital certificates.

     The core building blocks of an identity solution are authentication, authorization, and accountability. These provide a comprehensive framework for verifying user identities and controlling access to resources within Salesforce. Understanding these elements is essential for implementing effective identity and access management measures in a Salesforce instance.
Authentication verifies user identities, authorization determines their access rights, and accountability involves tracking user actions for auditing purposes. Salesforce offers a range of features to enable these building blocks, including various authentication methods, connected apps, login history, and event monitoring.

            When configuring a Salesforce Identity solution, it is important to establish trust between Salesforce and the external system that needs to be integrated. Salesforce uses certificates and exchange of metadata to establish trust with external systems for Single Sign-On (SSO). Metadata typically includes information like entity IDs, SSO endpoints, and certificates.  A SAML SSO flow can be based on login initiated by the identity provider or a service provider. If Salesforce acts as a SAML service provider, Identity Provider Certificate and Request Signing Certificate can be specified in the Single Sign-On setting. If Salesforce is a SAML identity provider, a self-signed or CA-signed certificate can be used as the Identity Provider Certificate, which can be shared with the service provider. If a system does not support standard SSO protocols, delegated authentication can be utilized for user authentication and the Delegated Authentication WSDL can be downloaded and used for the web service implementation. 

        Salesforce provides various methods for provisioning users in identity solutions. When Salesforce acts as a service provider, Just-In-Time (JIT) Provisioning can be configured for SAML Single Sign-On (SSO) to automatically create a user account in the Salesforce org the first time a user logs in with a SAML identity provider. A standard or custom SAML JIT handler can be utilized. 

When Salesforce acts as the identity provider for an external service provider, user provisioning can be enabled for the service provider’s connected app in Salesforce. User provisioning requests can be managed, and an approval process can be defined for the UserProvisioningRequest object. Other user provisioning methods include setting up Identity Connect to push updates to Salesforce user records when user accounts are created or updated in Microsoft Active Directory (AD). Salesforce user identities can also be provisioned and managed across systems using the open standard System for Cross-Domain Identity Management (SCIM).

           In Single Sign-On (SSO) solutions that involve Salesforce as an identity or service provider, issues such as inconsistent access or authentication failures may be encountered.  In a SAML SSO solution, a user fails to log in if the SAML assertion is invalid or there’s an issue with the SAML configuration. The Login History can be accessed to see why the login failed. OAuth authorization flows can also be affected by errors, such as the invalid_grant error that is returned when the refresh or access token expires.

There are various common points of failure that may be encountered in SSO solutions. Examples include absence of My Domain, expired or revoked access token, and missing configuration such as Start URL in a service provider’s connected app.

This topic includes the following objectives:

        In a Single Sign-On (SSO) solution, a service provider provides services to users who log in using their credentials authenticated by an identity provider (IdP). Salesforce can be configured as a service provider in a SSO solution to allow Salesforce users to log in using their third-party credentials. SAML can be used to set up an external identity provider and configure Salesforce as a service provider. It is also possible to set up an authentication provider to allow Salesforce users to authenticate using their credentials from a third-party service such as Facebook or Google. A predefined or custom authentication provider can be configured. Salesforce can be used as a service provider for various use cases. For example, employees can log in to Salesforce using corporate credentials managed by an LDAP (Lightweight Directory Access Protocol) directory.

       For organizations leveraging Salesforce, understanding various user provisioning methods for both Business-to-Employee (B2E) and Business-to-Consumer (B2C) scenarios is crucial. These methods include Just-In-Time (JIT) provisioning, which utilizes SAML for on-the-fly user creation and updates, and Identity Connect for integrating Microsoft Active Directory (AD) with Salesforce. The SCIM standard offers a robust solution for cross-domain identity management, enabling seamless user provisioning and deprovisioning across systems. Additionally, businesses can automate the creation of contacts and users for customers through self-registration on Experience Cloud sites, or facilitate access via Social Sign-On and registration handlers. Understanding these approaches allows organizations to streamline operations, enhance security, and improve user experience.

        Salesforce can be integrated with a third-party identity provider to streamline the authentication process and enhance security. A Salesforce org can act as a service provider or relying party and allow seamless integration with a variety of identity solutions. Single Sign-On (SSO) integration supports SAML identity providers like Active Directory and LDAP directory, enabling Salesforce users to log in using their corporate credentials. Additionally, Salesforce provides predefined authentication providers for popular social sign-on services, such as Facebook, Google, and Microsoft. Moreover, for a third-party identity provider that supports OAuth but not the OpenID Connect protocol, Salesforce supports the creation of a custom authentication provider. A registration handler can be associated with an authentication provider to customize the login process. An Experience Cloud site can also be configured as a service provider using a SAML-based identity provider or authentication provider.

         User provisioning for Single Sign-On (SSO) solutions is a crucial aspect of identity and access management. It ensures seamless and secure access for Salesforce users who try to log in using their third-party credentials. Salesforce supports Just-In-Time (JIT) Provisioning for SAML SSO, which automatically creates or updates a user account based on the SAML assertion during the login process. For an Authentication Provider, Salesforce utilizes a Registration Handler, which can dynamically create or update user accounts based on user information obtained from the third party identity provider. Users can be automatically assigned to a profile. In addition, these handlers support custom logic and attributes, which can be used to specify the permission sets that should be assigned to users at the time of login. When using Delegated Authentication, although user information is stored in Salesforce, password resets are disabled since Salesforce does not manage user passwords or policies.

         In a Single Sign-On (SSO) solution that utilizes an external identity provider, ensuring seamless and secure user access is crucial. When there is an identity provider (IdP) issue, certain auditing and monitoring approaches as well as diagnostic tools can be used to resolve the issue. The Login History can be accessed to identify login failures from an external SAML identity provider. For detailed error analysis, the SAML Assertion Validator can be used by admins to check SAML assertions for specific errors. Moreover, the Authentication Method Reference (AMR) field in the login history provides insights into the authentication methods used by OpenID Connect providers, aiding in the monitoring of login processes. 

This topic includes the following objectives:

      OAuth 2.0 is an open authorization protocol that allows a website or application to access protected resources hosted by another web app on behalf of a user. It uses access tokens for authorization, where an access token is a piece of data representing the authorization to access resources on behalf of an end user. The essential roles in OAuth 2.0 include the resource owner, client, authorization server, and resource server. Various OAuth authorization flows are available to grant a client application restricted access to protected resources in Salesforce, depending on the use case. These flows include Web Server Flow, Asset Token Flow, SAML Assertion Flow, and others, enabling secure integration and interaction between applications and services.

       To effectively integrate external applications with Salesforce, connected apps play a crucial role. A connected app is created in Salesforce to enable seamless integration with external applications using APIs and standard protocols such as SAML, OAuth, and OpenID Connect. Configuring a connected app involves defining OAuth Scopes, which determine the types of protected resources the app can access. Examples of these scopes include api, offline_access, openid, and web.

Moreover, various policies can be configured for a connected app, such as OAuth Policies, Session Policies, and Mobile Policies. Additional settings, like Start URL, User Provisioning, SAML, App Handler, and Digital Signatures, can be adjusted to meet specific requirements. Understanding the available scopes and configurations is essential to ensure that a connected app is configured according to the company’s business requirements.

     OAuth 2.0 is a open-standard authorization protocol that enables external websites or applications to access resources on behalf of a user. Implementing OAuth 2.0 involves several key concepts to ensure secure and efficient access to protected resources. Access tokens and refresh tokens are essential for granting and renewing access to resources. The client ID and client secret are used to authenticate the client application. OAuth scopes define the permissions for accessing protected resources. 

Additional concepts include token expiration, token revocation, authorization codes, OAuth endpoints, ID tokens, and token introspection. By understanding these components, organizations can implement OAuth 2.0 flows for seamless integration with external applications and systems.

       Salesforce provides various technologies to integrate and manage identity for third-party systems. Connected Apps, Canvas Apps, and App Launcher are key technologies that can be utilized to provide identity. Connected Apps allow external service providers to integrate with Salesforce using SAML 2.0, OpenID Connect, or OAuth 2.0. They can also be used to authorize external API gateways. Canvas Apps enable embedding of third-party applications within the Salesforce user interface. These apps leverage tools and JavaScript APIs to create a seamless integration experience, making external applications available within Salesforce. App Launcher provides a central place for users to access all the Salesforce apps and external connected apps. A connected app can be made visible in the App Launcher by specifying its Start URL. These technologies facilitate a unified, secure, and efficient identity management solution for integrating Salesforce with third-party systems and applications.

This topic includes the following objectives:

       Multi-Factor Authentication (MFA) is a secure method that requires users to verify their identity by providing two or more pieces of evidence (factors). Salesforce mandates the use of MFA for all users to enhance security and mitigate risks like phishing attacks, credential stuffing, and compromised devices. MFA involves using something the user knows, such as username and password, and something the user possesses, such as the Salesforce Authenticator app or a security key.  Enabling MFA can be done for all users by enabling org-wide setting or specific users in Salesforce. When Single Sign-On (SSO) is used, the SSO provider's MFA service can be leveraged. The verification methods that satisfy Salesforce’s MFA requirement include Salesforce Authenticator, third-party authentication apps, security keys, built-in authenticators, and Lightning Login. Implementing MFA adds an extra layer of security, ensuring that even if a password is compromised, unauthorized access is prevented by requiring an additional verification step.

      Assigning roles, profiles, and permission sets during the Single Sign-On (SSO) process is crucial for ensuring that users are assigned to the right permissions and have access to the right data in Salesforce. An Apex Just-In-Time (JIT) handler class can be used to assign roles, profiles, and permission sets automatically during SAML Single Sign-On (SSO) based on user information in SAML assertions. For Authentication Provider SSO, a registration handler that implements the Auth.RegistrationHandler interface can be utilized for the same during user authentication. The createUser() and updateUser() methods can be used to update assignments. A custom login flow can also be created and executed in system context to assign roles, profiles, and permission sets to users logging in via SSO, offering flexibility and control over the login process.

       Salesforce offers various features and tools to audit and verify user activities during and after login. The Login History page helps identify unauthorized access attempts and suspicious behavior by showing all login attempts to Salesforce and Experience Cloud sites. Login Forensics can be used to identify suspicious login activity by providing key user access data. Event Monitoring tracks granular details of various user activities, such as logins, logouts, and API calls. The Activations page provides information about devices from which users have verified their identity, including login IP addresses and client browsers used. Setup Audit Trail tracks recent setup changes, such as administration and profile changes, typically made by administrators. Field Audit Trail tracks changes to critical data fields. These tools collectively ensure robust auditing and verification of user activities, helping organizations meet compliance requirements and prevent fraudulent activities.

           Connected apps are defined for integrating external applications with Salesforce. A connected app can be set up using various configuration settings for a service provider or an external application that requires secure access to Salesforce resources. These settings include the Refresh Token Policy, which controls the validity period of a refresh token, and IP Relaxation, which determines if access is restricted by IP ranges. The Permitted Users setting defines who can authorize the app, while Session Timeout is used to manage the duration of a user’s session. Additionally, Profiles and Permission sets can be assigned to control user access. The Start URL directs users to a specific page when launching the app. User Provisioning links Salesforce users with third-party apps, and exposing a connected app as a Canvas App allows embedding an external app in Salesforce. These configurations ensure seamless and secure integrations, enhancing functionality and user experience.

This topic includes the following objectives:

           Identity Connect is a Salesforce Identity product that streamlines user management by integrating Microsoft Active Directory (AD) with Salesforce. It enables automatic provisioning and deprovisioning of users by syncing user data from AD to Salesforce, ensuring that user accounts are created, updated, and deactivated in near real-time. With Identity Connect, administrators can map users, attributes, and permissions. AD groups can be mapped to corresponding roles, profiles, permission sets, and public groups in Salesforce. It also supports Single Sign-On (SSO), allowing users to log in to Salesforce using their AD credentials. Additionally, Identity Connect supports the use of multiple orgs. It can also be used with multiple AD domains through a global catalog. Moreover, it can be used with the Password Sync Plugin to allow users to log in to Salesforce using their AD credentials outside the corporate network or when the company doesn’t support the use of mobile VPN.

        Salesforce Customer Identity (formerly called Customer 360 Identity) is an Identity and Access Management (IAM) service that is designed to unify customer data across multiple systems and services, providing a seamless login experience for users. It offers features such as user registration customization, brand control, single sign-on, and a comprehensive view of the user. Single Sign-On (SSO) can be set up to allow an Experience Cloud site to function as either a service provider or an identity provider. Cross-cloud identity capabilities enable the unification of customer data across Commerce Cloud and Experience Cloud sites, making it easier to manage and track customer data and interactions. Additionally, Salesforce Customer Identity enhances the customer experience by providing centralized identity services, supporting multiple brands, and enabling detailed tracking of user login activity. These features contribute significantly to a fully-developed Customer 360 solution.

         Salesforce offers multiple license types for Salesforce Identity. In Enterprise, Unlimited, Performance, and Developer editions, every paid license includes all identity services. The Identity Only and External Identity licenses can be purchased to provide access to only identity services. The Identity Only license is typically used for internal users and provides access to only identity services, such as Single Sign-On (SSO). The External Identity license allows customers and partners to self-register, log in, update their profile, and securely access web and mobile apps with a single identity. In addition, the Identity Verification Credits Add-On license can be purchased for Experience Cloud site users to offer identity verification via SMS messaging.

This topic includes the following objectives:

        Experience Cloud offers various capabilities to customize the user experience of customers and partners. Branding options allow companies to customize the look and feel of their sites, including login and registration pages, dynamic branding URLs, and page variations. Authentication options include Single Sign-On (SSO), Passwordless Login, Embedded Login, and Headless Identity APIs. Self-registration can be configured for new users to register themselves as person accounts or contacts under a business account, with four self-registration page types available. Customization options for communications include email templates and custom login flows for personalized alerts. Site users can use identity verification methods such as email and SMS. Password management features allow users to set, change, and reset their passwords. Welcome emails can be enabled to assist new users in setting up their access.

      Experience Cloud allows seamless integration with external identity providers for user authentication. By configuring SAML Single Sign-On (SSO), an Experience Cloud site can act as a service provider that relies on a SAML-based identity provider for user authentication. Additionally, Just-In-Time (JIT) Provisioning can be enabled to automatically create and update user accounts during the SSO process. Experience Cloud sites can also integrate with third-party authentication providers, such as Facebook, Google, and Amazon, to allow users to log in using their social media credentials. A registration handler can be established to create and update user records through the authentication provider. A custom registration handler can be utilized to meet specific business logic needs. These capabilities ensure secure, efficient, and seamless identity and access management for Experience Cloud sites.

          Understanding the advantages and limitations of External Identity solutions and associated licenses is crucial for implementing secure and efficient identity solutions for Experience Cloud. The External Identity license enables access to Salesforce Customer Identity, which offers several benefits, including self-registration, Single Sign-On (SSO), robust access management, and customization options for branding. These solutions help organizations provide a seamless and unified login experience for customers and partners. However, there are limitations to consider. For instance, the External Identity license provides access to a limited set of standard objects and object permissions. Additionally, Identity Verification Credits are consumed with each SMS sent, which can impact cost efficiency. Contactless users can be maintained without contact information for identity and authentication purposes, which is beneficial for certain use cases. 

           Embedded Login is a feature that is used for integrating Salesforce login functionality directly into an external website, serving as a Single Sign-On (SSO) alternative. It allows users to access an Experience Cloud site using social media credentials, Login Discovery, or other custom login page type. It supports various login page implementations, including modal, pop-up, and inline login form, providing a seamless and integrated user experience.

However, it's important to note that Embedded Login relies on third-party cookies, which are blocked or restricted in many modern browsers. This can affect the visibility and functionality of the login button if users block third-party cookies from being stored. To implement Embedded Login, it needs to be enabled for an Experience Cloud site and specific steps need to be followed to configure the login form on an external web page.