          Delegated Authentication

          Delegated authentication is similar to single sign-on (SSO), but it offers a slightly different experience to users. With delegated authentication, one system relies on another system to validate user credentials. For example, you can configure your Salesforce org to rely on a Lightweight Directory Access Protocol (LDAP) server to validate credentials. Both SSO and delegated authentication enable users to log in to multiple apps with one set of credentials. However, with delegated authentication, users must log in to each app separately.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions

          Set up delegated authentication so users can log in to your Salesforce org with credentials managed by an external authentication method wrapped in a web service. When a user tries to log in to your org, Salesforce calls this web service to validate the user credentials. With delegated authentication, Salesforce has no control over the passwords used to log in to your org. Instead, the external authentication method controls user passwords and associated policies.

          You can use any authentication method as long as you wrap it in a web service that Salesforce can consume. For example, you can use a Lightweight Directory Access Protocol (LDAP) server as your authentication method and wrap it in a SOAP-based web service. After you integrate the authentication backend with Salesforce, you can use Salesforce permissions to control which users log in with delegated authentication rather than with Salesforce credentials.

          For example, your company uses an LDAP server for its employees. You want to use the LDAP server to authenticate users into Salesforce. You also want to use permissions on the user profile to determine whether users authenticate with LDAP or Salesforce. Specifically, you want users with standard profiles to log in with a password managed by the LDAP server, while system administrator profiles use a Salesforce password. So, you integrate your org with your LDAP server by wrapping the LDAP server in a SOAP-based web service. You create permissions so that only users with standard profiles use delegated authentication. Now, users with standard profiles enter a Salesforce username and the LDAP server handles their password. Users with system administrator profiles enter their Salesforce username and password.

          Enable the Is Single Sign-On Enabled user permission to hand control of user passwords to the external authentication method. Salesforce then no longer manages password policies for those users, such as password expiration or minimum length. Instead, the external authentication service behind the delegated authentication endpoint enforces password policies, if it has any.

          Here’s the process Salesforce uses to authenticate users with delegated authentication.

          Note: With delegated authentication, a user can experience a slight delay when logging in while the user account becomes available in the org.
          1. When a user tries to log in—either online or using the API—Salesforce tries to validate the username and checks the user’s permissions and access settings.
          2. If the Is Single Sign-On Enabled user permission is enabled, Salesforce calls the SOAP-based SSO web service to validate the username and password.
            Note: Salesforce immediately disposes of the password without storing, logging, or viewing it.
          3. The web service call passes the username, password, and source IP to your SSO web service implementation, which must be reachable from Salesforce servers. The source IP is the address where the login request originated.
          4. Your SSO web service implementation validates the passed information and returns either true or false.
          5. When the response is true, the login process continues and the user is logged in to your org. When false, the user gets an error message that the username and password combination is invalid.
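The web service side of the exchange above, as an added example that is not Salesforce's code or part of this article. It assumes the request and response element names of Salesforce's AuthenticationService WSDL (`Authenticate` with `username`, `password`, `sourceIp`; `AuthenticateResult` with `Authenticated`), which you should verify against the WSDL downloaded from your org, and it replaces the LDAP server with a constructed in-memory credential store so it runs offline.

```python
"""Minimal handler for the SOAP call Salesforce makes under delegated
authentication: parse the request, validate the credentials and the
forwarded source IP, and answer true or false. Example code, not Salesforce's."""
import hashlib
import hmac
import ipaddress
import xml.etree.ElementTree as ET

# Assumption: namespace and element names from Salesforce's AuthenticationService WSDL.
NS = "urn:authentication.soap.sforce.com"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed stand-in for the LDAP directory: username -> salted SHA-256 hex digest.
_SALT = b"constructed-salt"
USERS = {"jdoe@example.com": hashlib.sha256(_SALT + b"correct horse").hexdigest()}
# Constructed policy: accept only logins whose forwarded source IP is in these ranges.
ALLOWED_SOURCE = [ipaddress.ip_network("203.0.113.0/24")]


def check_credentials(username, password, source_ip):
    """True only if the user exists, the password matches (constant-time compare,
    dummy digest for unknown users) and the source IP is in an allowed range."""
    expected = USERS.get(username, "0" * 64)
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    password_ok = hmac.compare_digest(candidate, expected) and username in USERS
    try:
        ip_ok = any(ipaddress.ip_address(source_ip) in net for net in ALLOWED_SOURCE)
    except ValueError:  # malformed or missing sourceIp: fail closed
        ip_ok = False
    return password_ok and ip_ok


def build_response(authenticated):
    """SOAP body Salesforce expects back: a single boolean."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Body>'
            f'<AuthenticateResult xmlns="{NS}"><Authenticated>'
            f'{"true" if authenticated else "false"}</Authenticated>'
            '</AuthenticateResult></soapenv:Body></soapenv:Envelope>')


def handle_authenticate(soap_xml):
    """Parse the Authenticate request and decide. The password is used once here
    and is never logged or stored, mirroring what Salesforce does on its side."""
    req = ET.fromstring(soap_xml).find(f".//{{{NS}}}Authenticate")
    if req is None:
        return build_response(False)
    field = lambda name: req.findtext(f"{{{NS}}}{name}") or ""
    return build_response(check_credentials(field("username"), field("password"), field("sourceIp")))


def request_xml(username, password, source_ip):
    """Constructed sample of the request Salesforce sends, for local testing."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Body>'
            f'<Authenticate xmlns="{NS}"><username>{username}</username>'
            f'<password>{password}</password><sourceIp>{source_ip}</sourceIp>'
            '</Authenticate></soapenv:Body></soapenv:Envelope>')
```

In production, serve this over HTTPS only, restrict inbound callers to Salesforce's published IP ranges, and keep the LDAP bind (in place of the in-memory store) from leaking whether the username or the password was wrong.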

          More Help for Delegated Authentication

          • FAQs for Delegated Authentication
            Review these frequently asked questions (FAQs) to help you implement and troubleshoot delegated authentication.
          • Configure Salesforce for Delegated Authentication
            Set up delegated authentication for your Salesforce org so users can log in with credentials managed by an external authentication service. To configure Salesforce for delegated authentication, wrap your authentication method in a web service that Salesforce can consume. Then, use permissions to determine whether users log in with delegated authentication or with a Salesforce-managed password.
          • Troubleshoot Delegated Authentication Login Errors
            Troubleshoot login errors by viewing the delegated authentication error history.
          Salesforce Help | Article