
Can Delegated Authentication AND Federated (SAML) SSO be enabled in the same org at the same time, with some users assigned to one authentication mechanism and others to another?

Knowledge Article Number 000231172
Description Can Delegated Authentication AND Federated (SAML) SSO be enabled in the same org at the same time, with some users assigned to one authentication mechanism and others to another?
Resolution Yes, Delegated Authentication (DA) and Federated (SAML) SSO can be enabled in the same org at the same time. Under My Domain, make sure the Salesforce Login Page is selected as a login method in addition to the SAML provider; otherwise every request to the domain is redirected to the IdP automatically. Because 'Is Single Sign-On Enabled' is a user permission (granted on the profile or through a permission set), Salesforce validates the username and password of users who hold it against the DA gateway, and validates everyone else against the Salesforce password. (Configuring DA with an invalid gateway URL is also the recommended way to prevent password resets, even for SAML-based users, so the two mechanisms certainly work together.)

User Specific Settings:
1) For users who need to use DA:
'Is Single Sign-On Enabled' = true
(assigned via a permission set or on the profile)
2) For users who need to use Federated SSO:
'Is Single Sign-On Enabled' = false (i.e. DA is not applied; their password is checked by Salesforce, but they log in through the SAML button)
3) For users who need to log in manually via the standard Salesforce login page (i.e. ADMINS):
'Is Single Sign-On Enabled' = false (i.e. DA is not applied; their Salesforce password is used)

General Settings:
* Leave the existing DA setup as-is in the org
* Enable Federated SSO (perform the necessary sub-steps to enable SAML SSO)
* Enable My Domain in Salesforce
* Ensure the selected authentication methods include both the Federated SSO service AND Login Page (these are the options offered on the My Domain login page): Setup > Domain Management > My Domain
* Ensure the 'Prevent login from https://login.salesforce.com' setting is not checked

What the behavior will be for users:
* All users can reach the Salesforce login page when they navigate to the Salesforce URL
* All users can click the Federated SSO button on the login page, but it only works for users whose Federation ID in Salesforce matches the identifier asserted by the IdP. DA users should be trained not to use that button, as it is not relevant to them.
* All users can enter a username and password manually, but:
* DA users immediately enter the existing DA flow (Salesforce forwards the credentials to the DA gateway for validation)
* Other users can log in this way only if the username and password are correct in SALESFORCE (no Federated SSO flow is performed)
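The "existing DA flow" that DA users enter is a call from Salesforce to the customer-run gateway: Salesforce forwards the username, password and source IP in a SOAP Authenticate request and logs the user in only if the gateway answers true. The handler below is an added example, not code from this article or from Salesforce; it shows what that gateway has to do, including the failure modes (wrong password, unknown user, malformed request, disallowed source network all become a false answer rather than an error). The element names are taken from the delegated authentication WSDL (namespace urn:authentication.soap.sforce.com) and should be confirmed against the WSDL downloaded from your own org; the user table, salt and IP ranges are constructed sample data. It also makes the article's invalid-URL remark concrete: a user who holds 'Is Single Sign-On Enabled' can only ever log in with a password if a gateway like this one is reachable and says yes.

```python
"""Minimal delegated authentication (DA) gateway handler (added example).

When a user who holds 'Is Single Sign-On Enabled' submits a username and
password on the Salesforce login page, Salesforce does not check the password
itself: it POSTs a SOAP Authenticate request (username, password, sourceIp) to
the gateway URL configured under Delegated Authentication and logs the user in
only if the gateway answers Authenticated=true.  Element names follow the DA
WSDL (namespace urn:authentication.soap.sforce.com); confirm them against the
WSDL from your own org.  Users, salt and IP ranges are constructed sample data.
"""
import hashlib
import hmac
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DA_NS = "urn:authentication.soap.sforce.com"
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("da", DA_NS)

# Constructed directory: username -> PBKDF2 hash of the password.  A real
# gateway would call the system that actually owns the password (AD/LDAP).
_SALT = b"constructed-sample-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 20_000)


USERS = {"da.user@example.com": _hash("correct horse battery staple")}

# Constructed policy: only accept logins whose sourceIp is inside these networks.
ALLOWED_SOURCE_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_authenticate_request(soap_xml: bytes) -> dict:
    """Return the username, password and sourceIp from an Authenticate request."""
    root = ET.fromstring(soap_xml)
    auth = root.find(f"{{{SOAP_NS}}}Body/{{{DA_NS}}}Authenticate")
    if auth is None:
        raise ValueError("not an Authenticate request")
    fields = {}
    for name in ("username", "password", "sourceIp"):
        el = auth.find(f"{{{DA_NS}}}{name}")
        fields[name] = (el.text or "") if el is not None else ""
    return fields


def authenticate(username: str, password: str, source_ip: str) -> bool:
    """Decide the login: correct password AND permitted source network."""
    expected = USERS.get(username)
    candidate = _hash(password)  # always hash, so unknown users cost the same time
    if expected is None or not hmac.compare_digest(candidate, expected):
        return False
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_SOURCE_NETS)


def build_response(ok: bool) -> bytes:
    """Build the SOAP AuthenticateResult that Salesforce expects back."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    result = ET.SubElement(body, f"{{{DA_NS}}}AuthenticateResult")
    ET.SubElement(result, f"{{{DA_NS}}}Authenticated").text = "true" if ok else "false"
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def handle_authenticate(soap_xml: bytes) -> bytes:
    """Full request/response cycle.  Malformed input is a failed login, never an
    exception that could leak a stack trace back to Salesforce."""
    try:
        req = parse_authenticate_request(soap_xml)
        ok = authenticate(req["username"], req["password"], req["sourceIp"])
    except (ET.ParseError, ValueError):
        ok = False
    return build_response(ok)


def response_authenticated(soap_xml: bytes) -> bool:
    """Read the Authenticated flag out of a gateway response."""
    root = ET.fromstring(soap_xml)
    path = f"{{{SOAP_NS}}}Body/{{{DA_NS}}}AuthenticateResult/{{{DA_NS}}}Authenticated"
    el = root.find(path)
    return el is not None and el.text == "true"


# Constructed sample request, shaped like the one Salesforce sends for a DA user.
SAMPLE_REQUEST = f"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:urn="{DA_NS}">
  <soapenv:Body>
    <urn:Authenticate>
      <urn:username>da.user@example.com</urn:username>
      <urn:password>correct horse battery staple</urn:password>
      <urn:sourceIp>10.20.30.40</urn:sourceIp>
    </urn:Authenticate>
  </soapenv:Body>
</soapenv:Envelope>""".encode("utf-8")

if __name__ == "__main__":
    print(handle_authenticate(SAMPLE_REQUEST).decode("utf-8"))
```

Serve `handle_authenticate` behind HTTPS on a host that only Salesforce can reach; the sourceIp check is policy about the end user's network, not a substitute for restricting who may call the gateway. Note that the gateway never sees Federated SSO users or admins at all, because their 'Is Single Sign-On Enabled' is false and Salesforce checks their passwords itself.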