Salesforce Architect Certification Maintenance (Winter '26)

Discover What’s New with Data for Winter '26 

Keep Up with the Latest Salesforce CLI Enhancements

Salesforce CLI helps you work more efficiently with Salesforce DX projects. With the latest updates, you can streamline data operations, execute API requests directly from the command line, customize sandboxes, and monitor command execution with more visibility than ever before.

The CLI now supports a --query flag in the data export tree command, allowing you to export records from junction objects and their parent records while preserving many-to-many relationships. This is especially useful for objects like AccountContactRelation. It also makes importing those records with a data import tree call much smoother.

For large datasets, the CLI adds the following new bulk commands that complement existing operations like data delete and upsert bulk.

  1. Data export bulk
  2. Data export resume
  3. Data import bulk
  4. Data import resume
  5. Data update bulk
  6. Data update resume

Q1. Which of the following Salesforce CLI commands allows you to export records from junction objects while preserving many-to-many relationships?
Ans: sf data export tree --query

Q2. What is a key benefit of Salesforce Database Encryption compared to Shield Platform Encryption?
Ans: It secures data across the entire org without limiting queries.

Q3. Which of the following statements correctly describes Data Detect?
Ans: It identifies and categorizes sensitive data natively within Salesforce Shield.

Q4. How does the latest Salesforce Connect update improve integration with external systems?
Ans: It removes row limits on OData, GraphQL, and SQL adapters for large datasets.

Q5. What is a primary advantage of using Salesforce Archive?
Ans: It moves expired or unused records to a low-cost external store while keeping them accessible.

Discover What’s New with Development Lifecycles for Winter '26

  • Configure DevOps Testing to manage test assets, define quality gates, and analyze results within one platform.
  • Incorporate Agentforce Testing Center into DevOps Testing to validate AI agents before deployment.
  • Apply ApexGuru insights to detect antipatterns and optimize Apex code performance.
  • Monitor metadata changes with DX Inspector to detect drift and improve environment management.
  • Execute and retrieve Flow test results.
  • Use Agentforce DX commands and debugging tools to build, test, and optimize AI agents.

Flow Testing Improvements in Salesforce CLI

Salesforce CLI version 2.85.7 introduces powerful new ways to run and review flow tests directly from the command line. With the new logic run test and logic get test commands, you can execute both Apex and Flow tests in one go. The expanded --tests flag lets you specify Flow tests using the format FlowTesting.<flow-test-name>, and the new --test-category flag helps you narrow the scope of tests. Run tests asynchronously for faster feedback or use the --synchronous flag to view results immediately.

These updates create a unified testing framework across Apex and Flow, enabling you to include flow tests in DevOps Testing as part of your automated test suite or quality gate—making flow debugging and validation faster, clearer, and more efficient than ever.

For full details, check the Salesforce CLI release notes. Salesforce publishes a new stable CLI version weekly on Wednesdays, so this page is your go-to source for the most recent updates, enhancements, and fixes.

Q1. What is the primary benefit of using DevOps Testing in Salesforce DevOps Center?
  • It allows developers to write Apex triggers faster.
  • It centralizes test assets, enables quality gates, and provides test result analysis in one platform.
  • It replaces Salesforce CLI for metadata deployments.
  • It automatically resolves all code conflicts during deployment.

Q2. How does integrating Agentforce Testing Center with DevOps Testing improve AI agent deployments?
  • It automatically generates production users for agents.
  • It eliminates the need for Salesforce DX projects.
  • It replaces Apex testing in CI/CD pipelines.
  • It validates AI agent performance and behavior before deployment.

Q3. What type of issues does ApexGuru help developers identify?
  • Unused Lightning components in the org
  • Antipatterns in Apex code, such as SOQL inside loops or inefficient queries
  • Missing profile permissions
  • Visualforce page rendering errors

Q4. What is the main purpose of the DX Inspector in Salesforce?
  • To track metadata changes across sandboxes and scratch orgs
  • To monitor Apex governor limits during execution
  • To generate test data for large datasets
  • To create automated flows for user onboarding

Q5. Which Salesforce CLI commands let you execute and retrieve Flow test results directly from the command line?
  • flow run test and flow get test
  • logic run test and logic get test
  • apex run test and apex get test
  • test run logic and test get logic

Q6. How does Agentforce DX support developers in testing and optimizing AI agents?
  • It automatically writes agent code in Apex.
  • It eliminates the need for version control.
  • It restricts agent deployment to sandboxes only.
  • It provides CLI commands, debugging tools, and test specifications to build, test, and optimize agents.

Discover What’s New with Identity Management for Winter '26

Triple DES Encryption Is No Longer Supported for SAML Single Sign-On

Salesforce has updated its SAML single sign-on (SSO) security to no longer support the Triple DES encryption algorithm for SAML responses. This change affects all configurations where Salesforce acts as either the identity provider (IdP) or the service provider (SP). While existing configurations using Triple DES remain functional, Salesforce strongly recommends migrating to more secure algorithms, such as AES 128 or AES 256, to prevent potential future service disruptions.

The reason for this update is that Triple DES uses a cryptographic key that is no longer considered secure. AES 128 and AES 256 use longer keys, which are significantly more resistant to attacks. For organizations using Salesforce as an identity provider, administrators should review the Block Encryption Algorithm setting in connected app configurations and update any Triple DES settings to AES. Similarly, if Salesforce is the service provider, coordinate with your identity provider to ensure SAML responses are encrypted with a supported algorithm and update the Assertion Decryption Certificate as needed.
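To find integrations that still encrypt with Triple DES, you can inspect the block algorithm declared in a captured SAML response. The following is an added example, not code from Salesforce or from the original post; it uses the W3C XML Encryption algorithm identifiers, and the sample response and verdict strings are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"

# W3C XML Encryption identifiers for the block ciphers named on this page.
VERDICTS = {
    XENC + "tripledes-cbc": "triple-des: migrate to AES",
    XENC + "aes128-cbc": "aes-128: ok",
    XENC + "aes256-cbc": "aes-256: ok",
}


def audit_saml_response(saml_response_b64):
    """Return (container, algorithm URI, verdict) for each EncryptedData element."""
    # Intended for responses captured from your own SSO tests; parse untrusted
    # XML with a hardened parser such as defusedxml instead.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    findings = []
    for parent in root.iter():
        for enc_data in parent.findall(f"{{{XENC}}}EncryptedData"):
            # Direct child only: the EncryptionMethod nested under
            # KeyInfo/EncryptedKey is the key-transport algorithm, not the
            # block cipher that protects the assertion.
            method = enc_data.find(f"{{{XENC}}}EncryptionMethod")
            uri = method.get("Algorithm") if method is not None else None
            verdict = VERDICTS.get(uri, "unrecognized: review manually")
            findings.append((parent.tag.split("}")[-1], uri, verdict))
    return findings


def constructed_response(block_algorithm):
    """Build a constructed, base64-encoded response with placeholder ciphertext."""
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xenc="{XENC}" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="{XENC}Element">
      <xenc:EncryptionMethod Algorithm="{block_algorithm}"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p"/>
          <xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    for algorithm in ("tripledes-cbc", "aes256-cbc"):
        print(audit_saml_response(constructed_response(XENC + algorithm)))
```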

This change applies to Lightning Experience and Salesforce Classic across all editions. It’s a mandatory security enhancement for all SAML integrations. It ensures compliance with data governance and security best practices, safeguarding sensitive user authentication data. By upgrading to AES encryption, architects can maintain secure SSO configurations, avoid disruptions, and align with current encryption standards.

Build Single Sign-On Registration Handlers Without Code

Administrators and declarative developers can now set up single sign-on (SSO) registration handlers entirely with clicks using Flow Builder, eliminating the need for Apex code in many use cases. When you configure an authentication provider for SSO into Salesforce or an Experience Cloud site, you can use the new authentication provider user registration flow template to quickly create a registration handler flow. The template demonstrates how to create or update users who log in via a third-party identity provider and includes two invocable actions to simplify user provisioning.

  • Get User Data from JSON String: Retrieve specific attributes from complex, nested JSON structures, making it easy to parse ID tokens or user info responses sent by the identity provider.
  • Generate User Data: Fill in placeholder values for any required fields not provided by the identity provider, ensuring complete user records in Salesforce.
With flow-based registration handlers, you can also manage user access declaratively by adding or removing permission sets at runtime in a single assignment, avoiding mixed DML errors that can occur in Apex. While Apex registration handlers remain ideal for high-scale or high-performance scenarios, flow registration handlers simplify SSO implementations for most orgs and reduce reliance on specialized developer resources.

To implement SSO, create a flow in Flow Builder that:
  • Retrieves user information from the identity provider.
  • Searches for a matching user in Salesforce.
  • Creates or updates the user as needed.
As a last step, assign the flow as the registration handler on the Authentication Providers page in Setup and test the end-to-end SSO process with both new and existing users.

This feature applies to Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

Beyond session management, there are several usability and security improvements across identity and access features.

  • Environment switcher favorites: Users can mark their most-used environments as favorites for faster access, reducing navigation time and improving productivity.
  • External client app framework enhancements: Administrators can configure mobile-specific features, such as screen lock timeouts, and enable push notifications for Android and iOS devices.
  • Staging and rotating external client app credentials: Keep external apps secure by staging, rotating, or deleting client credentials using API endpoints.
  • Improved account setup flows: New users who encounter delayed password and security question setup can reinitiate the process within 7 days of receiving their welcome email, reducing support friction.
  • OAuth and SAML improvements: Clearer error messages are provided for invalid scopes in client credentials flows and expired SAML InResponseTo attributes. Architects must ensure that they migrate from the single-configuration SAML framework to the multiple-configuration SAML framework, improving SSO scalability.
  • Identity verification updates: New orgs display all available verification methods by default, making it easier for users to choose their preferred authentication method. Password reset usability is also improved with the new “Use Your Email Address” option. Security questions now require answers of at least five characters.
  • Username validation: Usernames cannot include zero-width space characters, reducing confusion caused by invisible characters.
Q1. What is a key benefit of Salesforce’s headless user discovery feature?
  • Users must always log in with a standard username.
  • Users can log in with multiple identifiers, such as email, phone number, or order number.
  • Users are restricted to logging in via SAML only.
  • Users can bypass passwords entirely.

Q2. For organizations using Salesforce as an identity provider and updating Triple DES settings to AES, what steps should they take?
  • Review the Block Encryption Algorithm setting in connected app configurations.
  • Implement a new Apex class for encryption.
  • Configure flow-based registration handlers.
  • Analyze LoginAnomalyEvent data.

Q3. What type of activity can the Salesforce LoginAnomalyEvent help administrators detect?
  • Changes to metadata in scratch orgs
  • Suspicious login attempts
  • Incorrect Apex code patterns
  • External system data exceeding row limits

Q4. What is a key advantage of using flow-based registration handlers for SSO?
  • Users must be provisioned manually for each login adhering to security guidelines.
  • Registration handlers can only be built using Apex code.
  • Administrators can provision or update users declaratively without writing Apex.
  • Only one user can be registered at a time adhering to compliance guidelines.

Q5. Which enhancement allows Salesforce administrators to better balance security and usability for sessions?
  • Configuring JWT-based access token timeouts at the app, profile, or org level
  • Limiting SAML configurations to a single-configuration framework
  • Disabling password resets for 30 days
  • Requiring zero-width spaces in usernames

Discover What’s New with Integration for Winter '26

Learning Objectives
  • Identify integration options with MuleSoft for Flow.
  • Apply secure practices for access token transmission.
  • Design integrations that exchange binary files with External Services.
  • Configure OAuth 2.0 client credentials flow with external authentication.
  • Implement credential rotation for external client apps.
A few key capabilities of connectors:

| Capabilities | What You Do | Example |
|---|---|---|
| Trigger | Start a flow when data changes in another system. | You create a new Contact in NetSuite, and the flow creates a Lead in Salesforce. |
| Action | Send or retrieve data between Salesforce and another system. | You create an Order in Salesforce, and the flow creates a Sales Order in NetSuite. |
| Field Mapping | Align Salesforce fields with external fields. | You map fields directly in the flow to keep data accurate. |


Keep Access Tokens Out of Query Strings
Passing sensitive information in a URL is risky. Starting this release, Salesforce blocks GET requests to the single access endpoint if the request includes an access token in the query string. This change closes a common security gap and helps you follow best practices for protecting data.

Send the access token in the Authorization header.

For example:
GET /services/oauth2/singleaccess HTTP/1.1
Host: mydomain.my.salesforce.com
Authorization: Bearer <access token>
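
Before the block takes effect on your integrations, you can look for callers that still put the token in the URL. The following is an added example, not part of the original post: it scans constructed outbound-proxy log lines for GET requests to the single access endpoint that carry a token in the query string, and redacts the value in its report. The log format and the parameter name `access_token` are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

ENDPOINT = "/services/oauth2/singleaccess"  # path shown on this page
TOKEN_PARAMS = {"access_token"}             # assumption: query parameter name

# Matches the quoted request line, e.g. "GET /path?x=1 HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_token_in_query(log_lines):
    """Return (line number, redacted request target) for each offending request."""
    findings = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match or match["method"] != "GET":
            continue
        parts = urlsplit(match["target"])  # handles origin-form and absolute-form
        if parts.path != ENDPOINT:
            continue
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        if not any(key.lower() in TOKEN_PARAMS for key, _ in pairs):
            continue
        # Never copy the secret into the report: replace it before output.
        redacted = urlencode(
            [(k, "REDACTED" if k.lower() in TOKEN_PARAMS else v) for k, v in pairs]
        )
        findings.append((number, urlunsplit(parts._replace(query=redacted))))
    return findings


# Constructed sample log lines (format and values are illustrative only).
CONSTRUCTED_LOG = [
    '2025-10-01T10:00:00Z job=sync "GET /services/oauth2/singleaccess'
    '?access_token=CONSTRUCTED-TOKEN&debug=1 HTTP/1.1"',
    '2025-10-01T10:00:05Z job=sync "GET /services/oauth2/singleaccess HTTP/1.1"',
    '2025-10-01T10:00:09Z job=report "GET /healthz?verbose=1 HTTP/1.1"',
    '2025-10-01T10:00:12Z job=legacy "GET https://mydomain.my.salesforce.com'
    '/services/oauth2/singleaccess?access_token=CONSTRUCTED-TOKEN HTTP/1.1"',
]

if __name__ == "__main__":
    for number, target in find_token_in_query(CONSTRUCTED_LOG):
        print(f"line {number}: move token to Authorization header: {target}")
```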

Stage and Rotate External Client App Credentials

Long-lived credentials create security risks. To keep external client apps safe, you now stage and rotate credentials through the API instead of relying on static keys.

Here’s what you can do with the API.
  • Retrieve the client app ID from the OAuth Usage endpoint.
  • Stage new credentials with a POST request.
  • Rotate credentials with a PATCH request.
  • Delete credentials when they’re no longer needed.
This feature brings lifecycle management to your connected apps. By rotating secrets regularly, you reduce exposure and align with modern security practices. This also opens the door for automation, so you design integrations that stay secure without adding manual work.

Q1. What does MuleSoft for Flow: Integration let you do in a flow?
  • Upload binary files with External Services.
  • Rotate credentials with the OAuth endpoint.
  • Pass access tokens in a query string.
  • Use third-party connectors.

Q2. Where do you include an access token in a secure GET request to the single access endpoint?
  • URL query string
  • Authorization header
  • Browser address bar
  • Session cookie

Q3. What new External Services feature supports file-based integrations?
  • Event streaming
  • Credential rotation
  • Binary file transfer
  • Data capture

Q4. Which OAuth flow now supports custom request parameters with external auth identity providers?
  • Refresh token
  • Client credentials
  • Password
  • Implicit

Q5. What process strengthens security for external client app integrations?
  • Rotating staged credentials
  • Manually refreshing credentials once a year
  • Extending credential expiration times
  • Reusing API keys across connected apps

Discover What’s New with Access Control for Winter '26

Learning Objectives
  • Assign the View All Fields object-level permission.
  • Use the Manage External Users (Limited) permission.
  • Apply predefined permission set groups in Public Sector.
  • Update sharing group references for the Secure Roles Behavior release update.
Persona-Based Permission Set Groups in Public Sector
Access provisioning in public sector orgs can get complicated fast. To simplify it, Public Sector now includes predefined permission set groups tied to common user personas. Instead of assigning multiple permission sets one by one, you assign a single group that matches the user’s role.

This approach cuts down on errors, speeds up audits, and keeps access aligned with job responsibilities. When someone changes roles, you just update their group assignment—no need to rebuild access from scratch.

Here’s how user personas map to permission set groups.

| User Persona | Permission Set Group |
|---|---|
| Recruiter or HR specialist | Talent_Recruitment_Management_Specialist |
| Hiring manager | Talent_Recruitment_Management_Hiring_Manager |
| Interviewer reviewing external applicants | Talent_Recruitment_Management_Employee |
| External job seeker applying for open positions | Talent_Recruitment_Management_Applicant |
| Compliance officer for licensing/permitting | Licensing_Permitting_Officer |
| Constituent applying for licenses/permits | Licensing_Permitting_Constituent |
| Grant maker managing funding opportunities | Grantmaking_Manager |
| Grant seeker applying and reporting on funding | Grantmaking_Applicant |
| Caseworker reviewing benefit applications | Benefit_Management_Caseworker |
| Constituent applying for benefits | Benefit_Management_Constituent |
| Complaint intake officer managing investigative cases | Investigative_Case_Management_Officer |
| Constituent filing complaints or submitting evidence | Investigative_Case_Management_Constituent |
| Caseworker managing programs, referrals, and care plans | Social_Program_Management_Caseworker |
| Constituent receiving social care benefits | Social_Program_Management_Constituent |
| Provider managing referrals and services | Social_Program_Management_Provider |
| Employee accessing features on an employee experience site | Employee_Experience_User |
| Admin configuring and managing Public Sector features | Public_Sector_Solutions_Admin |

Secure Roles Behavior and Sharing Group Update

Protect records in orgs with digital experiences by using the default sharing group formerly called Roles and Subordinates, which is now Roles and Internal Subordinates. This shift prevents external site users from getting unintended access to records through the role hierarchy.

During the transition, Salesforce converts old references automatically. Once enforcement is live, though, any code or automation that still points to Roles and Subordinates will fail. Update your org early to avoid errors.

This update applies to Lightning Experience and Salesforce Classic (not in all orgs) in Enterprise, Performance, Unlimited, and Developer editions. It was already pushed to sandboxes in Summer ’25 and will be enforced in production with Winter ’26.

To prepare:
  1. Review custom code, Apex, flows, and automation that reference Roles and Subordinates.
  2. Update those references to Roles and Internal Subordinates.
  3. Test the changes in a sandbox.
  4. Deploy the fixes before Winter ’26 enforcement.
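
For step 1, a scan of a retrieved metadata project can list the references to review. The following is an added example, not part of the original post or any Salesforce tool. It assumes the legacy group appears in source as `roleAndSubordinates` (sharing metadata) or `'RoleAndSubordinates'` (Group type in SOQL) and that the internal and portal variants differ only by a suffix or prefix; the file names and contents are constructed.

```python
import os
import re
import tempfile

# Assumption: API spellings of the group the page calls "Roles and Subordinates".
# The lookarounds skip roleAndSubordinatesInternal (already migrated) and
# portalRoleAndSubordinates (a different group).
LEGACY = re.compile(r"(?<![A-Za-z])RoleAndSubordinates(?![A-Za-z])", re.IGNORECASE)
SOURCE_SUFFIXES = (".cls", ".trigger", ".xml")


def scan_project(root):
    """Return sorted (relative path, line number, line) for each legacy reference."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(SOURCE_SUFFIXES):
                continue
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as handle:
                for number, line in enumerate(handle, 1):
                    if LEGACY.search(line):
                        rel = os.path.relpath(path, root).replace(os.sep, "/")
                        findings.append((rel, number, line.strip()))
    return sorted(findings)


# Constructed project files used to exercise the scanner.
CONSTRUCTED_FILES = {
    "sharingRules/Account.sharingRules-meta.xml": (
        "<sharedTo><roleAndSubordinates>WesternSales</roleAndSubordinates></sharedTo>\n"
        "<sharedTo><roleAndSubordinatesInternal>EasternSales"
        "</roleAndSubordinatesInternal></sharedTo>\n"
        "<sharedTo><portalRoleAndSubordinates>PartnerUser"
        "</portalRoleAndSubordinates></sharedTo>\n"
    ),
    "classes/ShareHelper.cls": (
        "// constructed Apex\n"
        "Group g = [SELECT Id FROM Group "
        "WHERE Type = 'RoleAndSubordinates' AND RelatedId = :roleId];\n"
    ),
}


def write_constructed_project(root):
    """Write the constructed files under root so the scan has something to read."""
    for rel, text in CONSTRUCTED_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_project(tmp)
        for rel, number, line in scan_project(tmp):
            print(f"{rel}:{number}: {line}")
```
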
Q1. What is the main benefit of assigning the new View All Fields permission at scale?
  • Complete removal of field-level security settings
  • Fewer updates needed when new fields are added
  • Automatic upgrade to Modify All Data permission
  • Elimination of object-level access settings

Q2. What’s a good reason to assign Manage External Users (Limited) instead of Manage External Users when delegating administration?
  • Blocking creation of any external users in the org
  • Removing the need for permission sets in the org
  • Allowing management of all external users in the org
  • Limiting management to users with read and write access

Q3. What problem do predefined permission set groups in Public Sector solve for architects?
  • Reducing errors when granting access by job role
  • Enforcing object-level security for every user in the org
  • Removing the need for permission set licenses
  • Replacing the need for custom sharing rules

Q4. Why is the Winter ’26 Secure Roles Behavior release update critical for architects to prepare for?
  • Old references to Roles and Subordinates stop converting dynamically
  • Role hierarchies are removed from Experience Cloud sites
  • All external users lose access to role-based records
  • Permission sets are required for all sharing models

