Salesforce Certified Identity and Access Management Architect – Complete Winter '26 Guide

Identity Fundamentals: Authentication vs Authorisation

Authentication verifies who you are (login). Authorisation determines what you can access (permissions). An Identity Provider (IdP) authenticates users and issues assertions. A Service Provider (SP) relies on the IdP's assertion to grant access. Salesforce can act as both — as an IdP for connected apps and external systems, and as an SP when receiving SSO from corporate identity systems like Okta or Azure AD. Understanding this distinction is the foundation for all IAM exam questions.

SAML 2.0 SSO: SP-Initiated vs IdP-Initiated

SAML 2.0 is the standard for web SSO. SP-Initiated SSO: the user accesses Salesforce, gets redirected to the IdP for login, the IdP sends a SAML assertion back to Salesforce. IdP-Initiated SSO: the user logs in at the IdP portal first, then accesses Salesforce from there — no redirect needed. My Domain is required for SSO — it provides the Salesforce login URL that the IdP redirects to. The exam tests the SSO flow direction, how to configure the SAML settings, and certificate management.

OAuth 2.0 Flows: Server, JWT, and Client Credentials

Web Server Flow (Authorization Code): user-facing, browser redirect, best for interactive login. JWT Bearer Flow: server-to-server, no user interaction — client signs a JWT with a private key registered as a certificate on the Connected App. Client Credentials Flow: machine-to-machine authentication using client ID & secret. Device Flow: for devices without browsers (smart TV, IoT). PKCE (Proof Key for Code Exchange): protects mobile apps against authorization code interception. The exam presents an integration scenario and asks which OAuth flow is appropriate.

Connected Apps: Scopes, Policies, and Sessions

Connected Apps define the OAuth configuration — scopes (which Salesforce data the app can access), IP ranges, session duration, and refresh token policy. OAuth scopes include api, full, refresh_token, web, chatter_api, and others. The Manage Connected Apps permission is required to modify policies. IP allowlists on Connected Apps can restrict which IPs can obtain tokens. Certificate-based authentication (mutual TLS) eliminates shared secrets by using client certificates for authentication.

MFA, My Domain, and Identity Connect

Multi-Factor Authentication (MFA) is now required for all Salesforce users — admins cannot disable it org-wide. MFA methods: Salesforce Authenticator (push notification), TOTP apps (Google Authenticator), security keys (WebAuthn). My Domain customises the Salesforce login URL and is required for SSO, custom components, and some lightning features. Identity Connect (Salesforce Identity for AD) syncs Active Directory users to Salesforce — supports LDAP directory integration for provisioning and deprovisioning.

OAuth 2.0 Flows

Know all OAuth flows: Web Server (authorization code), User-Agent (implicit), Username-Password, JWT Bearer, Device, and Refresh Token flows. Match each flow to its use case and security characteristics.

SAML & SSO Configuration

Understand how SAML 2.0 enables SSO: SP-Initiated vs. IdP-Initiated flows, assertion attributes, Federation IDs, and how to configure Salesforce as a SP or IdP. Know common troubleshooting steps.

Connected Apps & Scopes

Know how Connected Apps control external system access to Salesforce APIs. Understand OAuth scopes, IP restrictions, user provisioning (SCIM), and how policies control access.

Multi-Factor Authentication

Know MFA enforcement methods: Salesforce Authenticator, TOTP apps, security keys. Understand how MFA interacts with SSO (IdP-provided MFA vs. Salesforce MFA), and the MFA enforcement timeline implications.

Salesforce Identity Features

Know User Provisioning for Connected Apps, Identity Connect (AD sync), Login Flows for custom authentication logic, and how External Identity licenses differ from internal user licenses.