Salesforce Identity-and-Access-Management-Architect Exam With Confidence Using Practice Dumps

For an Experience Cloud site that uses Salesforce as the identity provider, the supported login experiences are the standard page types intended for authentication. Salesforce supports a Login Discovery page, which helps identify the user and route them appropriately, and an Embedded Login page, which allows the login experience to be embedded into a branded front-end. These are purpose-built for sign-in scenarios. By contrast, a generic Experience Builder content page or a Lightning Experience page is not the same thing as a supported login page type for the site’s authentication flow. The important distinction in Salesforce documentation is between pages designed for site content and pages designed to participate directly in the authentication journey. This is why options A, C work together as the correct solution.

The OAuth 2.0 Device Flow is intended for devices that have limited input or display capabilities and therefore cannot easily support a standard browser-based login interaction. Instead of collecting full credentials on the device, the user completes authorization on a secondary device using a verification code and URL. That is why Salesforce recommends device flow for TVs, appliances, kiosks, and similarly constrained hardware. Asset Token Flow solves a different problem: it authorizes a registered asset or device to call Salesforce as a connected thing. Here the requirement is about registration and user authorization from a constrained device, so the device flow is the correct match. The design distinction is between human sign-in on limited hardware and secure machine identity for an asset. This is why option D is the best answer in Salesforce terms.

The requirements call for two distinct capabilities: federation for sign-in and standards-based lifecycle management for provisioning. In Salesforce terms, that means Salesforce should act as a SAML service provider for authentication while SCIM handles create, update, and deactivate operations from the central IAM system. Just-in-Time provisioning alone is not enough here because the requirement includes provisioning and deprovisioning triggered by user status changes in the central identity service, not just first-login user creation. Identity Connect is aimed at Active Directory synchronization and is not the general answer for cloud IAM-to-Salesforce lifecycle management. Pairing SAML for SSO with SCIM for provisioning is the clean standards-based architecture when identity governance happens outside Salesforce. This is why option C is the best answer in Salesforce terms.