          Single Sign-On Terminology

          Do you want to configure single sign-on (SSO) for your org? Get acquainted with some key terminology first.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience

          Federated Authentication is available in: All Editions

          Delegated Authentication is available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions

          Authentication Providers are available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions

          Federated Authentication and Security Assertion Markup Language (SAML)

          These terms apply to SSO enabled with SAML.

          Federated Authentication
          With federated authentication, users log in one time to access multiple apps. For example, you log in to your Salesforce org and from there can access your company’s benefits app, Workday.
          Security Assertion Markup Language (SAML)
          SAML is an open standard authentication protocol that you can use to implement SSO in your Salesforce org. SAML allows identity providers and service providers to securely exchange user information, enabling user authentication between services.
          Identity Provider
          An identity provider acts as a trusted service that authenticates a user’s identity.
          Service Provider
          A service provider is the application a user wants to access, such as a Salesforce org or a third-party app like Workday.
          SAML Request
          When a user attempts to access the service provider, the service provider sends a SAML request asking the identity provider to authenticate the user.
          SAML Response
          To authenticate the user, the identity provider sends a SAML response to the service provider. The response contains a signed SAML assertion with facts about the user.
          SAML Assertion
          A SAML assertion, which is part of a SAML response, describes a user by asserting facts, like username or email address. During authentication, the identity provider signs the SAML assertion and the service provider validates the signature.
          Just-in-Time (JIT) Provisioning
          Use JIT provisioning with SAML SSO to automatically register a user account with the service provider the first time a user logs in. For example, a new employee logs in to Salesforce for the first time with SAML SSO. JIT provisioning automatically registers a new user account in your Salesforce org for the employee.
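The SAML exchange defined above (service provider request, identity provider response with a signed assertion, service provider validation, then JIT provisioning) as an added example; this is not Salesforce's code. The entity IDs and key are constructed, and an HMAC over the assertion fields stands in for the XML Signature that real SAML uses, so the example runs offline with only the standard library.

```python
# Added example (not Salesforce code) modelling the SAML exchange: SP request, IdP
# response with a signed assertion, SP validation, then JIT provisioning. ASSUMPTION:
# real SAML uses XML Signature with the IdP's public key; an HMAC over the assertion
# stands in for it so this runs with only the standard library.
import hmac, hashlib, json, secrets, time
IDP_SIGNING_KEY = b"constructed-idp-secret"   # constructed stand-in for IdP key material
SP_ENTITY_ID = "https://example-sp.invalid"   # constructed service provider entity ID
IDP_ISSUER = "https://example-idp.invalid"    # constructed identity provider issuer

def sp_build_request():
    """SP step: create a SAML request with a fresh ID the SP remembers."""
    return {"ID": "_" + secrets.token_hex(8), "Issuer": SP_ENTITY_ID}

def sign(assertion, key):
    data = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def idp_build_response(request, username, email, key=IDP_SIGNING_KEY, lifetime=300):
    """IdP step: assert facts about the user and sign the assertion."""
    now = int(time.time())
    assertion = {"Issuer": IDP_ISSUER, "Audience": SP_ENTITY_ID,
                 "InResponseTo": request["ID"], "NotBefore": now - 60,
                 "NotOnOrAfter": now + lifetime,
                 "Attributes": {"username": username, "email": email}}
    return {"Assertion": assertion, "Signature": sign(assertion, key)}

def sp_validate(response, pending_request_ids, now=None, key=IDP_SIGNING_KEY):
    """SP step: check signature, issuer, audience, request binding and validity window.
    Returns the asserted user attributes, or raises ValueError."""
    a = response["Assertion"]
    now = int(time.time()) if now is None else now
    if not hmac.compare_digest(sign(a, key), response["Signature"]):
        raise ValueError("assertion signature invalid")
    if a["Issuer"] != IDP_ISSUER:
        raise ValueError("unexpected issuer")
    if a["Audience"] != SP_ENTITY_ID:
        raise ValueError("assertion not intended for this service provider")
    if a["InResponseTo"] not in pending_request_ids:
        raise ValueError("response does not match an outstanding SAML request")
    if not (a["NotBefore"] <= now < a["NotOnOrAfter"]):
        raise ValueError("assertion outside its validity window")
    pending_request_ids.discard(a["InResponseTo"])  # each request accepts one response
    return a["Attributes"]

def jit_provision(directory, attributes):
    """JIT provisioning: register the user on first login, else return the existing record."""
    user = directory.get(attributes["username"])
    if user is None:
        user = directory[attributes["username"]] = {"email": attributes["email"], "created_by_jit": True}
    return user
```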

          OpenID Connect and Custom Authentication Protocols

          These terms apply to SSO enabled with OpenID Connect. Some terms, where noted, apply to both OpenID Connect and similar, custom authentication protocols.

          OpenID Connect
          OpenID Connect is an open standard authentication protocol built on top of OAuth 2.0. With OpenID Connect, the relying party and OpenID provider can exchange information about who a user is and what they can do with a service.
          Custom Authentication Protocol
          This general term describes any custom authentication protocol that can be used with an authorization service, such as OAuth. Custom authentication protocols have the same core functions as OpenID Connect, but they don't conform to the OpenID Connect standard.
          OpenID Provider
          In OpenID Connect, an identity provider is called an OpenID provider. It authenticates users as requested by the relying party.
          Authentication Provider
          An authentication provider is a framework that allows you to connect Salesforce to a third party for authorized data access, authentication, or both, depending on the protocol. Authentication providers can implement OAuth 2.0 to authorize Salesforce to access third-party data. Or they can implement OpenID Connect or custom authentication protocols to support both third-party data access and authentication.
          When you're using authentication providers, Salesforce is always the relying party. If the authentication provider implements OpenID Connect, we refer to the third party as the OpenID provider. If it implements a custom authentication protocol, we call the third party the identity provider.
          Relying Party
          In OpenID Connect and custom authentication protocols, a service provider is called a relying party, though some use the terms interchangeably. It relies on the OpenID provider or identity provider for authentication.
          Salesforce Help | Article