
Salesforce Identity & Access Management Architect Study Guide (Spring '26)

Your complete guide to passing the IAM Architect exam — SAML, OAuth 2.0, OIDC, SSO design, connected apps, JIT provisioning, and MFA.

Krishna Mohan — Salesforce certified author

Written and reviewed by Krishna Mohan — ADM-201, PD1, PD2, App Builder & Consultant certified. Updated for Spring '26.

Ready to sharpen your exam strategy? Prepare with our Identity & Access Management Architect Exam Tips & Strategy Guide — high-weight topics, scenario tactics, and mock-test targets for first-attempt success.

Honest Cert Breakdown

Difficulty: Hard (4/5)

One of the four CTA domain exams. OAuth flows, SAML, SSO, connected apps, and certificate management. Security expertise is not optional here.

Salary Range

$125,000–$165,000 / year

US average for certified professionals. Updated Spring '26. Source: Salesforce Talent Ecosystem.

Is it worth it?

Required on the CTA path. Highly valuable in enterprises with complex identity requirements — financial services, healthcare, government.

Exam Fees

Exam fee: $400 USD
Retake fee: $200 USD

Questions: 60
Time limit: 110 min
Passing score: ~68%
Exam fee: $400

Exam Sections & Weightings

Identity Protocols & Concepts: 30%
SSO Design & Implementation: 25%
OAuth & Connected Apps: 25%
Community & External Identity: 15%
MFA & Security Policies: 5%

What Each Section Tests

Identity Protocols & Concepts (30%)

SAML 2.0: assertions (authentication, attribute, authorisation), SP-initiated vs IdP-initiated SSO flows. OAuth 2.0: authorisation code, implicit, client credentials, device, JWT bearer token flows. OpenID Connect: ID token, UserInfo endpoint, OIDC as identity layer on top of OAuth. When to use SAML vs OAuth vs OIDC.

SSO Design & Implementation (25%)

Configuring Salesforce as an Identity Provider (IdP) and as a Service Provider (SP). My Domain: requirement for SSO, custom subdomain design. Federated authentication vs delegated authentication vs Salesforce-managed credentials. Just-in-time (JIT) provisioning for user creation via SSO. Single Logout (SLO) design.

OAuth & Connected Apps (25%)

Connected Apps: creating, configuring scopes, IP relaxation, permitted users, session policies. Named credentials: per-user vs named principal OAuth. OAuth flows: which flow for which use case — web app (Web Server), mobile (PKCE), server-to-server (JWT Bearer), legacy (Username-Password). Token storage, refresh tokens, and expiry.

Community & External Identity (15%)

Experience Cloud identity: self-registration, social login (Google, Facebook, LinkedIn), External Identity licences. Auth providers: configuring third-party social login via Auth Provider framework. Registration handlers: custom Apex to control user provisioning from external IdPs. Digital experiences and B2C identity patterns.

MFA & Security Policies (5%)

Salesforce MFA enforcement: Salesforce Authenticator, TOTP apps, security keys. MFA requirement timeline and enforcement for direct logins. Session security levels and policies. IP restrictions: trusted IP ranges at org level, profile level, connected app level. Login hours and session timeout configuration.

10-Week Study Plan

Week 1: Identity fundamentals — understand authentication vs authorisation vs federation. Study SAML 2.0 assertions, IdP vs SP roles, and SP-initiated vs IdP-initiated flows at a conceptual level.
Week 2: OAuth 2.0 flows — study all major flows: Authorisation Code (+ PKCE), Client Credentials, JWT Bearer, Device, Username-Password. Draw a sequence diagram for each. Understand which flows Salesforce supports.
Week 3: Salesforce as SP — configure SSO in a dev org using a free IdP (Okta Developer or Auth0 free tier). Set up My Domain, create an Auth Provider, and test SP-initiated login.
Week 4: Salesforce as IdP — configure Salesforce as an Identity Provider for a connected app. Test IdP-initiated SSO. Understand when Salesforce acts as each role.
Week 5: JIT Provisioning — configure JIT provisioning in your dev org. Map SAML attributes to Salesforce user fields. Test automatic user creation on first SSO login.
Week 6: Connected Apps — create and configure a connected app with OAuth 2.0. Test the Web Server flow using Postman. Configure scopes, IP relaxation, and permitted users.
Week 7: Named credentials — configure per-user OAuth and named principal OAuth named credentials. Understand when each is appropriate for external integrations.
Week 8: External Identity — configure social login (Google) in an Experience Cloud site using Auth Provider. Write a custom registration handler in Apex.
Week 9: MFA and security policies — configure MFA in your org using Salesforce Authenticator. Review session security levels, IP restriction layers, and login hour policies.
Week 10: Full mock exams. Identity Protocols (30%) + SSO Design (25%) = 55% of the exam. Master SAML vs OAuth decision scenarios. Aim for 75%+ before booking.

Scenario Strategy Tips

  1. SAML = SSO for enterprise users; OAuth = API access: When a scenario says "employees need to log into Salesforce using their corporate credentials," the answer is SAML SSO. When a scenario says "an application needs to access Salesforce data on behalf of a user," the answer is OAuth 2.0.
  2. JWT Bearer for server-to-server: Any scenario involving background jobs, integration middleware, or automated processes accessing Salesforce APIs — without a user present — should use JWT Bearer Token flow. Never Username-Password flow for production systems.
  3. JIT for large user populations: If a scenario involves many external users who should be automatically provisioned, JIT is the correct answer over manual user creation or pre-provisioning scripts. JIT can create and update users with every login.
  4. My Domain is required: SSO, connected apps with OAuth, and Lightning features all require My Domain. Any question about enabling SSO for an org assumes My Domain is configured first.

Mock Exam Benchmark

Aim for 75%+ on practice exams before scheduling. IAM Architect is protocol-heavy — many candidates who know Salesforce well struggle because they haven't worked with SAML and OAuth deeply. Hands-on SSO configuration is the best preparation. If you can configure SSO end-to-end from scratch, you are ready.

Top 10 Concepts to Review

  1. SAML 2.0: IdP vs SP roles, assertion types, SP-initiated vs IdP-initiated flows
  2. OAuth 2.0 flows: when to use each (Web Server, JWT Bearer, Client Credentials, Device)
  3. OpenID Connect: ID token, UserInfo endpoint, OIDC vs OAuth scope
  4. My Domain: why it is required, custom subdomain, login policy settings
  5. JIT provisioning: attribute mapping, user creation and update on login
  6. Connected Apps: scopes, IP relaxation, permitted users, session policies
  7. Named credentials: per-user OAuth vs named principal — when each applies
  8. Auth Providers: configuring social login, custom registration handlers
  9. MFA: Salesforce Authenticator, TOTP, security keys — enforcement levels
  10. Session security: trusted IP ranges, login hours, session timeout, security levels

Frequently Asked Questions

What is the Salesforce IAM Architect certification?
The Identity & Access Management Architect certification validates expertise in designing identity solutions for Salesforce — including SSO (SAML, OAuth, OIDC), connected apps, external identity for Experience Cloud, MFA enforcement, and session security. The exam has 60 questions, a ~110-minute time limit, a ~68% passing score, and a $400 fee. It is part of the System Architect credential path.
What is the difference between SAML and OAuth?
SAML (Security Assertion Markup Language) is an XML-based protocol designed for SSO — it passes authentication assertions between an Identity Provider and a Service Provider, allowing users to sign in once and access multiple applications. OAuth 2.0 is an authorisation framework — it grants applications access to resources on behalf of a user without sharing credentials. OpenID Connect (OIDC) adds an identity layer on top of OAuth, returning a signed ID token with user identity claims. For Salesforce SSO, SAML is traditional enterprise IdP integration; OAuth/OIDC is used for API access and modern apps.
What is JIT provisioning in Salesforce?
Just-in-Time (JIT) provisioning automatically creates or updates a Salesforce user account when a user first logs in via SSO, using attributes passed in the SAML assertion. Without JIT, you must pre-create user accounts before SSO works. With JIT, the IdP passes user attributes (name, email, profile, role) in the SAML assertion, and Salesforce creates the account on first login. JIT can also be used to update user attributes on every login.
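As an added illustration of the JIT step described above (example code written for this guide, not Salesforce's own handler), the sketch below shows what a service provider must do with an assertion before provisioning: enforce the Conditions window and audience, pull the User.* attributes, and decide between create and update keyed on the NameID used as the Federation ID. The sample assertion, the User.* attribute names, the required-attribute set and the NameID-as-Federation-ID rule are assumptions constructed for the example, and XML signature verification is assumed to have happened before this code runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed minimum attribute set for creating a user (User.* naming as used by Salesforce JIT).
REQUIRED = ("User.Username", "User.Email", "User.LastName", "User.ProfileId")

# Constructed sample assertion for this example, not output captured from a real IdP.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
 <saml:Issuer>https://idp.example.com</saml:Issuer>
 <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2026-03-01T09:59:00Z" NotOnOrAfter="2026-03-01T10:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="User.Username"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User.ProfileId"><saml:AttributeValue>00ePLACEHOLDER0</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def extract_jit_attributes(xml_text, now_iso, expected_audience):
    """Enforce the Conditions window and audience, then return (NameID, User.* attributes).
    The XML signature must already have been verified against the IdP certificate before
    anything here is trusted; that step is outside this example."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    now = _ts(now_iso)
    if now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if expected_audience not in [a.text for a in cond.iterfind(".//saml:Audience", NS)]:
        raise ValueError("assertion not addressed to this service provider")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)}
    return root.findtext(".//saml:Subject/saml:NameID", namespaces=NS), attrs

def plan_provisioning(name_id, attrs, existing):
    """Decide create vs update. `existing` maps Federation ID -> stored User.* fields;
    using the NameID as the Federation ID is an assumption of this example."""
    if name_id not in existing:
        missing = [k for k in REQUIRED if k not in attrs]
        if missing:
            raise ValueError(f"cannot create user, assertion lacks {missing}")
        return "create", dict(attrs)
    changed = {k: v for k, v in attrs.items() if existing[name_id].get(k) != v}
    return "update", changed
```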
Which OAuth flow should I use for server-to-server integration?
For server-to-server integrations where no user is present (background jobs, integration middleware), use the OAuth 2.0 JWT Bearer Token Flow. The server signs a JWT with a private key (the corresponding certificate is uploaded to the Connected App), and exchanges it for an access token — no user interaction required. This is more secure than Username-Password flow (which passes credentials in the request) and is the recommended pattern for Salesforce APIs in automated processes.
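The JWT Bearer exchange just described, as an added Python example (written for this guide, not Salesforce's own tooling): build the assertion with the claims Salesforce reads (iss = consumer key, sub = username, aud = login host, exp), sign it, and form the token request. The consumer key and username are placeholders, the 3-minute lifetime is an assumption, and the real signer relies on the `cryptography` package, which is assumed installed if you use it.

```python
import base64
import json
import time

# Production orgs use login.salesforce.com; sandboxes use test.salesforce.com.
AUDIENCE = "https://login.salesforce.com"
TOKEN_ENDPOINT = AUDIENCE + "/services/oauth2/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
LIFETIME_S = 180  # assumed short lifetime; Salesforce rejects assertions whose exp is too far ahead

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_assertion(consumer_key, username, signer, now=None, audience=AUDIENCE):
    """Assemble header.claims.signature. `signer(bytes) -> bytes` must be RSA-SHA256 with the
    private key whose certificate is uploaded to the Connected App; alg is fixed to RS256."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256"}
    claims = {"iss": consumer_key, "sub": username, "aud": audience, "exp": now + LIFETIME_S}
    encode = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = encode(header) + "." + encode(claims)
    return signing_input + "." + b64url(signer(signing_input.encode()))

def token_request(assertion):
    """Form body for the POST to TOKEN_ENDPOINT: no password or client secret travels with it."""
    return {"grant_type": GRANT_TYPE, "assertion": assertion}

def decode_claims(assertion):
    """Read the claims back (no signature check), e.g. to confirm exp and aud before sending."""
    part = assertion.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def rs256_signer(private_key_pem: bytes):
    """Real signer; requires the `cryptography` package (assumed installed when this is called)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())
```

The assertion is single-use and short-lived by design, so a leaked one is far less valuable than a leaked password, which is the security argument behind the guide's preference for this flow.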
How long should I study for the IAM Architect exam?
Plan for 10–12 weeks with 10–15 hours per week. The exam requires deep understanding of identity protocols that many Salesforce developers have not worked with extensively. Set up SSO in a Salesforce dev org using a free IdP (like Okta Developer, Auth0, or PingOne free tier) to gain hands-on experience. Configuring both SP-initiated and IdP-initiated SSO, connected apps, and JIT provisioning in a real environment significantly improves exam performance.

What Comes After This Certification?

After this certification, consider: Application Architect, System Architect, or Technical Architect (CTA).

Exam Section Difficulty Heatmap

Which sections are a gimme vs which ones trap confident candidates. Use this to prioritise your final-week revision.

Identity and Single Sign-On (Hard): SAML, OAuth, and federation — flow and configuration are heavily tested.
Access Management (Trap ⚠): Permission sets, profiles, and session security — identity vs access confusion.
Security and Compliance (Moderate): Audit and compliance requirements — know the Salesforce security features.
Integration (Moderate): Identity for integrations and external IdP — common scenario topic.

Difficulty based on analysis of common candidate errors across each exam section.

Ready to Practice?

Free IAM Architect practice questions covering SAML, OAuth, SSO design, and connected apps.
