Salesforce Identity-and-Access-Management-Architect Exam With Confidence Using Practice Dumps

Trust between Salesforce and an identity provider is established by exchanging the metadata and certificates that define each side of the federation relationship. In Salesforce SAML setups, this commonly means importing or exchanging metadata XML so each side knows the issuer, endpoints, and signing certificate of the other. A VPN tunnel or custom login page does not create protocol-level trust for SSO. Embedding authentication code into Salesforce is not how federation is configured. The key concept from Salesforce documentation is that SAML trust is declarative and certificate-based: the two parties agree on metadata, endpoints, and certificates, and then assertions are validated against that trust configuration. That exchange is the foundation of a working Salesforce-IdP federation. This is why option C is the best answer in Salesforce terms.

Salesforce Experience Cloud includes out-of-the-box branding options for login and registration experiences, and those can be extended through Experience Builder for related pages such as forgot-password and reset-password journeys. The standard site administration and branding controls can cover logos, colors, and certain visual treatments of the login page. Where the business wants branded password-management pages as well, Experience Builder is the supported way to build those experiences consistently. That is better than creating fully custom pages for everything unless the requirement truly goes beyond what the platform supports. The architecture point is to use the built-in branding framework first and extend through Experience Builder where branded identity pages are needed. This is why options A, D work together as the correct solution.

The Identity Only license is designed for users who need Salesforce Identity services without broad CRM object access. Salesforce documentation positions it for scenarios where employees or other internal users need to authenticate with Salesforce credentials and access connected applications, but they do not require the full set of standard Salesforce business objects. That makes it a good fit for benefits portals, employee hubs, or third-party workforce apps that rely on Salesforce for identity rather than for CRM usage. External Identity is aimed at external audiences such as customers or partners, while Identity Connect is synchronization software rather than an end-user license. The licensing decision follows the user population and the scope of application access more than the authentication protocol itself. This is why option C is the best answer in Salesforce terms.