When some users sign in through Salesforce credentials and others through an external IdP that already performs MFA, the goal is to avoid prompting everyone twice while still requiring MFA-strength assurance. Salesforce handles that through session security levels. By requiring High Assurance at login and recognizing the corporate identity provider as satisfying High Assurance, the org can accept the IdP’s MFA result while still enforcing stronger authentication for direct Salesforce logins. Enabling the generic “MFA for UI Logins” control alone can force an extra challenge on top of the IdP’s MFA. The architecture lesson is that assurance level mapping is what prevents duplicate prompts across mixed authentication paths. This is why option D is the best answer in Salesforce terms.

For a mobile app using the user-agent flow, two connected-app controls work together when the business wants a long-lived session without repeated approval prompts. First, the app should be set to Admin Approved Users Are Pre-Authorized so users are not asked to approve API access inside the mobile experience. Second, the refresh-token policy should be configured for the required lifetime, such as three months, so the app can keep renewing access without forcing the user to log in again. A session timeout controls the UI session but not the refresh-token lifecycle in the same way. The architectural point is that user consent suppression and durable reauthentication behavior are governed by separate connected-app policies. This is why options C, D work together as the correct solution.

For a server-to-server integration that should avoid end-user interaction and maximize security, the JWT Bearer Flow is the strongest fit. Salesforce documents it for noninteractive scenarios where a trusted external service can sign an assertion with a certificate and exchange it for an access token. That means no browser- based approval screen, no password collection, and no dependence on a human being present to authorize the session. Web Server and User-Agent flows are designed for interactive delegated access, while username-password is a special-case pattern with weaker security characteristics. The architectural takeaway is simple: when the client is a trusted server and the goal is high assurance with minimal user involvement, certificate-based JWT exchange is the preferred Salesforce approach. This is why option A is the best answer in Salesforce terms.

If users must log in to the Salesforce mobile app with their Active Directory credentials and cannot rely on a mobile VPN, the architecture usually combines Salesforce Identity Connect with the appropriate Active Directory authentication plug-in or federation integration that allows Salesforce to honor those AD credentials without direct VPN dependency. Identity Connect helps bridge AD user management into Salesforce, while the directory-side authentication component handles password validation against Active Directory. Custom triggers or load balancers do not solve the identity problem. The important architecture idea is that workforce users should continue using their corporate directory password, and Salesforce should trust that directory-driven authentication path in a mobile-friendly way. This is why options A, B work together as the correct solution.

When customers can authenticate with multiple social identities but Salesforce must maintain only one user record per person, the logic belongs in the authentication provider and registration-handler pattern. Authentication providers handle the external trust with the social platforms, while a custom registration handler can locate an existing Salesforce identity, link the new social identity to it, and update profile details if the source data changes. Login flows are not the primary mechanism for social identity linking, and forcing the user through an extra selection page creates unnecessary friction. In Salesforce CIAM, the registration handler is the lifecycle control point: it decides whether to create, update, or link the user so the portal maintains a single consolidated identity per customer. This is why options B, C work together as the correct solution.

When partner onboarding must prevent duplicate accounts across Salesforce and an external identity store, the safest design is to control registration in one orchestrated flow rather than allowing each system to create identities independently. A custom self-registration experience can validate whether the partner already exists, create the Salesforce partner records in the right account structure, and coordinate identity creation only once. This avoids the common duplication problem where the identity provider and Salesforce both accept separate registrations for the same business user. The architecture goal is not simply sign-in; it is controlled provisioning with deduplication. For that reason, a custom registration page or process that checks existing partners and then creates records in the right order is the strongest fit. This is why option A is the best answer in Salesforce terms.

When users report SSO login errors, Login History is the first Salesforce-native place to look for the failure details. It records authentication attempts, statuses, timestamps, source information, and failure reasons that help narrow down whether the problem lies in the identity provider, the assertion, or the Salesforce configuration. Setup Audit Trail is for admin changes, not runtime authentication troubleshooting, and exception email is not the primary way to debug SSO. The practical reason architects start with Login History is that it tells you what Salesforce actually received and how Salesforce evaluated it. That makes it a reliable first checkpoint during alumni portal, workforce SSO, or community login investigations. This is why option B is the best answer in Salesforce terms.

When a third-party service wants Salesforce to provision users through a service endpoint before they access the app, the relevant feature is user provisioning on the connected app. Salesforce supports outbound provisioning patterns for connected apps so that a user can be created in the downstream application according to the app’s provisioning configuration. This is better than redirecting users into a separate registration experience because the requirement is to provision them as part of the Salesforce-controlled access path. Canvas and generic SAML alone do not provide the provisioning endpoint behavior described. The architectural value of connected-app provisioning is that it links app access and lifecycle management, allowing administrators to govern who gets created in the external service and when. This is why option A is the best answer in Salesforce terms.

Salesforce documents token introspection as the standards-based way to ask the authorization server about the current state of an OAuth token after it has been issued. That is exactly what this scenario requires: checking whether an OpenID Connect access token is still active, expired, or revoked. The discovery document only advertises endpoints and capabilities; it does not return runtime token status for a specific token. Likewise, enabling CORS on the token endpoint affects browser access patterns, not token validation, and creating a custom scope changes authorization boundaries rather than token-state lookup. In other words, when the requirement is “retrieve token status,” token introspection is the platform feature designed for that purpose. This is why option A is the best answer in Salesforce terms.

When users must be allowed to launch an external service provider from Salesforce only if the organization has explicitly authorized them, the connected app should use the Admin Pre-Approved access policy. That setting moves app access out of end-user consent and into administrator control. Profiles or permission sets then determine exactly which users can use the app. This is the standard Salesforce pattern for governed OAuth access in enterprise environments. Assigning authentication providers to profiles or simply exposing the app to a community does not replace the approval and entitlement model of the connected app itself. The architectural point is that app access and user authorization should be centrally controlled, auditable, and limited to approved users. This is why options C, D work together as the correct solution.