Identity and Access Management Designer Identity-and-Access-Management-Architect Dumps PDF

For a mobile app using the user-agent flow, two connected-app controls work together when the business wants a long-lived session without repeated approval prompts. First, the app should be set to Admin Approved Users Are Pre-Authorized so users are not asked to approve API access inside the mobile experience. Second, the refresh-token policy should be configured for the required lifetime, such as three months, so the app can keep renewing access without forcing the user to log in again. A session timeout controls the UI session but not the refresh-token lifecycle in the same way. The architectural point is that user consent suppression and durable reauthentication behavior are governed by separate connected-app policies. This is why options C, D work together as the correct solution.

For a website that doesn’t natively speak SAML or OAuth but still wants Salesforce-backed social sign-in, the architecture typically combines authentication providers with Embedded Login, and the integration is supported through the connected app framework around Salesforce Identity. Authentication providers establish trust with the social sources, while Embedded Login brings the Salesforce-controlled sign-in experience into the existing site. Delegated Authentication is for username/password validation against an external system and doesn’t provide social sign-in. Identity Connect is also unrelated because it is aimed at directory synchronization. The key architectural move is to let Salesforce handle the identity transaction and present that capability inside the existing website, rather than trying to make the legacy site implement standards it doesn’t already support. This is why options A, B, D work together as the correct solution.

If an organization has multiple regional ADFS systems and wants one Salesforce org without buying an additional federation broker, Salesforce can be configured with multiple SAML SSO settings so users choose the appropriate identity provider at sign-in. That satisfies the “no additional application investment” constraint more directly than introducing a new central identity broker. Identity Connect is not the solution here because it focuses on AD user synchronization, not on federating multiple ADFS realms into Salesforce login. The architectural compromise is user choice at the login screen, but it keeps the design standards-based and avoids extra infrastructure. For a single-org deployment with multiple existing enterprise IdPs, exposing multiple SSO configurations is the practical native approach. This is why option B is the best answer in Salesforce terms.

The Identity Only license is designed for users who need Salesforce Identity services without broad CRM object access. Salesforce documentation positions it for scenarios where employees or other internal users need to authenticate with Salesforce credentials and access connected applications, but they do not require the full set of standard Salesforce business objects. That makes it a good fit for benefits portals, employee hubs, or third-party workforce apps that rely on Salesforce for identity rather than for CRM usage. External Identity is aimed at external audiences such as customers or partners, while Identity Connect is synchronization software rather than an end-user license. The licensing decision follows the user population and the scope of application access more than the authentication protocol itself. This is why option C is the best answer in Salesforce terms.