          Configure Salesforce for Delegated Authentication


          Set up delegated authentication for your Salesforce org so users can log in with credentials managed by an external authentication service. To configure Salesforce for delegated authentication, wrap your authentication method in a web service that Salesforce can consume. Then, use permissions to determine whether users log in with delegated authentication or with a Salesforce-managed password.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
          User Permissions Needed
          To view the settings: View Setup and Configuration
          To edit the settings: Customize Application AND Modify All Data

          Here’s the general process you use to set up delegated authentication:

          • Enable delegated authentication for your org.
          • Build your web service.
          • Specify your delegated authentication gateway URL.
          • Enable permissions.
          • (Optional) Record login attempts.

          Enable Delegated Authentication for Your Org

          1. From Setup, in the Quick Find box, enter Single Sign-On Settings, then select Single Sign-On Settings.
          2. Select Disable login with Salesforce credentials.

          Build Your Web Service

          1. In Salesforce, download the Delegated Authentication Web Services Description Language (WSDL) file.
            1. From Setup, in the Quick Find box, enter API, then select API.
            2. Click Download Delegated Authentication WSDL.

            The WSDL file describes the delegated authentication web service. Use the WSDL file to generate a server-side stub, then add your delegated authentication implementation to that stub. For example, in the WSDL2Java tool from Apache Axis, use the --server-side switch. With the .NET wsdl.exe tool, use the /server switch.

          2. Add a link to your corporate intranet or other internal site. This link takes the user’s credentials after they’re validated and passes them through an HTTP POST to the Salesforce login page.

            Salesforce only uses the password field to pass it back to your company. To avoid passing your corporate passwords to or from Salesforce, pass another authentication token instead, such as a Kerberos ticket.

            When the Salesforce server passes the credentials back to you in the Authenticate message, verify them. Then the user can access your org.
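
The verification step described above, sketched as an added Python example (not Salesforce's code and not generated from the WSDL): the password field carries a short-lived HMAC token instead of a corporate password, and the handler fails closed. The element names and namespace are the ones I expect from the delegated authentication WSDL, so confirm them against the file you download. The token scheme, the key, and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = "{urn:authentication.soap.sforce.com}"  # confirm against the downloaded WSDL
SECRET = b"constructed-demo-key"  # assumption: key shared by the intranet link and this service
RESPONSE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Body><AuthenticateResult xmlns="urn:authentication.soap.sforce.com">'
    "<Authenticated>%s</Authenticated></AuthenticateResult></soapenv:Body></soapenv:Envelope>"
)

def sample_request(username, password):
    """Constructed Authenticate message, standing in for the callout from Salesforce."""
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body>'
        '<Authenticate xmlns="urn:authentication.soap.sforce.com">'
        f"<username>{username}</username><password>{password}</password>"
        "<sourceIp>192.0.2.10</sourceIp></Authenticate></soapenv:Body></soapenv:Envelope>"
    ).encode()

def issue_token(username, expires, key=SECRET):
    """Token the intranet link would post in the password field (hypothetical scheme)."""
    mac = hmac.new(key, f"{username}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{expires}.{mac}"

def token_ok(username, token, now, key=SECRET):
    expires, _, mac = token.partition(".")
    if not (expires.isascii() and expires.isdigit()) or int(expires) < now:
        return False  # malformed or expired; a short lifetime limits replay
    expected = issue_token(username, int(expires), key).partition(".")[2]
    return hmac.compare_digest(mac.encode(), expected.encode())  # constant-time compare

def handle_authenticate(body, now):
    """Parse an Authenticate message and build the AuthenticateResult reply, failing closed."""
    try:
        if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
            raise ValueError("DTDs are not accepted")  # refuse entity tricks before parsing
        req = ET.fromstring(body).find(f".//{NS}Authenticate")
        user = req.findtext(f"{NS}username") or ""
        token = req.findtext(f"{NS}password") or ""
        ok = bool(user) and token_ok(user, token, now)
    except (ET.ParseError, ValueError, AttributeError):
        ok = False  # any parse or shape problem is a denial, never an error page
    return RESPONSE % ("true" if ok else "false")
```

Because the token is bound to the username and an expiry time, a token issued for one user is rejected for another, and an expired token is rejected even when the MAC is valid.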

          Specify Your Delegated Authentication Gateway URL

          1. From Setup, in the Quick Find box, enter Single Sign-On, then select Single Sign-On Settings.
          2. Click Edit.
          3. Enter the URL for the Delegated Gateway URL.

          For security reasons, Salesforce restricts outbound posts to the following ports.

          • 80, which accepts only HTTP connections
          • 443, which accepts only HTTPS connections
          • 1024–66535, which accepts HTTP or HTTPS connections

          Enable Permissions

          Important: If you enable delegated authentication, API and desktop client users can log in to Salesforce, unless they try to log in from outside a restricted IP range. Also, the SSO authority usually handles login lockout policies for users with the Is Single Sign-On Enabled permission. However, if the security token is enabled, your org’s login lockout settings determine how many times users can try to log in with an invalid security token.
          Enable the Is Single Sign-On Enabled permission for all the users you want to use delegated authentication. See User Permissions and Access.

          (Optional) Force Callouts to the Delegated Authentication Endpoint

          1. From Setup, in the Quick Find box, enter Single Sign-On, then select Single Sign-On Settings.
          2. Click Edit.
          3. Select Force Delegated Authentication Callout.

            This setting forces a callout to the delegated authentication endpoint with all login attempts, even attempts that fail within Salesforce due to restrictions.

           