Use Cases

  • Integrate Salesforce with the authentication method of your choice like LDAP.
  • Authentication can be done with Token instead of password.
  • Delegated authentication is managed at permission level and not at org level.
  • Contact Salesforce for enabling Delegated authentication.
  • There may be a slight delay in the login process.


  • Uses a stronger form of user authentication, such as integration with a secure identity provider
  • Makes your login page private and accessible only behind a corporate firewall
  • Differentiates your org from all other companies that use Salesforce to reduce phishing attacks

Best Practices and Risks

  • Orgs implementation of Web service must be accessible from Salesforce servers.Deploy the web service on a server in DMZ.
  • If Salesforce and your system can’t connect, or if the request takes longer than 10 seconds to process, the login attempt fails. The user gets an error message indicating that the corporate authentication service is down.
  • Namespaces, element names, and capitalization must be exact in SOAP requests. Wherever possible, generate your server stub from the WSDL file to ensure accuracy.
  • Make web service available by TLS. A certificate from a trusted provider, such as Verisign or Thawte, is required
  • The IP address that originated the login request is sourceIp. Use this information to restrict access based on the user’s location.
  • Ensure that Salesforce IP Addresses are whitelisted on the corporate firewall.
  • Map org’s internal usernames to your Salesforce usernames.
  • Do not enable SSO for admins to ensure that they are not locked out when the web service is down.


  • When a user tries to log in—either online or using the API—Salesforce validates the username and checks the user’s permissions and access settings.
  • If the user has the Is Single Sign-On Enabled user permission, Salesforce doesn’t validate the username and password. Instead, a web service call is made to the users org to validate username and password and password policies are managed by delegated authentication endpoint. Salesforce doesn’t store, log, or view the password. It’s disposed of immediately after the process completes.
  • Web Service call passes username, password and sourceIp to the web service.
  • Web Service implementation validates username and password and returns a boolean value.
  • If response is true, login process continues. If false, user gets an error message that the username and password combination is invalid.

Components of Delegated Authentication

  • Build SSO Web Service
    • Download Delegated Authentication WSDL from Setup → API and generate Server stub using respective options available in the programming languages
    • Add a link to your corporate intranet or other internal site that takes the authenticated user’s credentials and passes them through an HTTP POST to the Salesforce login page. Don’t pass in a password. Instead, pass another authentication token, such as a Kerberos Ticket.
  • In Salesforce specify org’s SSO gateway URL in Delegated Gateway URL field under Single Sign-On Settings
  • For recording login attempt select Force Delegated Authentication Callout
  • Enable Is Single Sign-On Enabled permission

MOCK Questions

  • Universal Containers (UC) is setting up Delegated Authentication to allow employees to log in using their corporate credentials. UC’s security team is concerned about the risk of exposing the corporate login service on the Internet and has asked that a reliable trust mechanism be put in place between the login service and salesforce. What mechanism should an architect put in place to enable a trusted connection between the login services and salesforce?
    • Set up a proxy server for the login service in the DMZ.
    • Require the use of Salesforce security Tokens on password
    • Include client ID and client secret in the login header callout
    • Enforce mutual Authentication between systems using SSL.
  • What item should an architect consider when designing a Delegated Authentication implementation?
    • The web service should implement a custom password decryption method.
    • The web service should be secured with TLS using Salesforce trusted certificates
    • The web service should use the salesforce Federation ID to identify the user.
    • The web service should be able to accept one to four input method parameters.
  • Universal Containers is considering using Delegated Authentication as the sole means of Authenticating of Salesforce users. A Salesforce Architect has been brought in to assist with the implementation. What two risks should the Architect point out? Choose 2 answers
    • Delegated Authentication is enabled or disabled for the entire Salesforce org
    • The web service must reside on a public cloud service, such as Heroku.
    • Salesforce users will be locked out of Salesforce if the web service goes down
    • UC will be required to develop and support a custom SOAP web service
  • Universal Containers (UC) wants to implement Delegated Authentication for a certain subset of Salesforce users. Which three items should UC take into consideration while building the Web service to handle the Delegated Authentication request? Choose 3 answers
    • Delegated Authentication is enabled for the system administrator profile.
    • The web service can be written using either the soap or rest protocol.
    • The web service needs to include Source IP as a method parameter.
    • The return type of the Web service method should be a Boolean value
    • UC should whitelist all salesforce ip ranges on their corporate firewall.
  • Sales users at Universal containers use salesforce for Opportunity management. Marketing uses a third-party application called Nest for Lead nurturing that is accessed using username/password. The VP of sales wants to open up access to nest for all sales users to provide them access to lead history and would like SSO for better adoption. Salesforce is already setup for SSO and uses Delegated Authentication. Nest can accept username/Password or SAML-based Authentication. IT teams have received multiple password-related issues for nest and have decided to set up SSO access for Nest for marketing users as well. The CIO does not want to invest in a new IDP solution and is considering using Salesforce for this purpose. Which are appropriate license type choices for sales and marketing users, giving salesforce is using Delegated Authentication? Choose 2 answers
    • Salesforce license for sales users and External Identity license for Marketing users
    • Salesforce license for sales users and Identity license for Marketing users
    • Salesforce license for sales users and platform license for marketing users.
    • Identity license for sales users and Identity connect license for Marketing users
  • Universal containers (UC) wants users to authenticate into their salesforce org using credentials stored in a custom identity store. UC does not want to purchase or use a third-party Identity provider. Additionally, UC is extremely wary of social media and does not consider it to be trust worthy. Which two options should an architect recommend to UC? Choose 2 answers
    • Implement the Openid protocol and configure an Authentication provider
    • Build a custom Web service that is supported by Delegated Authentication
    • Build a custom web page that uses the identity store and calls frontdoor.jsp
    • Use a professional social media such as LinkedIn as an Authentication provider
  • What are three capabilities of Delegated Authentication? Choose 3 answers
    • It can be assigned by Profiles system permission
    • It can be assigned by Custom Permissions
    • It can connect to SOAP services.
    • It can be assigned by Permission Sets
    • It can connect to REST services wsdl
  • Universal Containers (UC) is successfully using Delegated Authentication for their salesforce users. The service supporting Delegated Authentication is written in Java. UC has a new CIO that is requiring all company Web services be REST-ful and written in . NET. Which two considerations should the UC Architect provide to the new CIO? Choose 2 answers
    • Delegated Authentication will not work with rest services.
    • Delegated Authentication will continue to work with rest services
    • Delegated Authentication will continue to work with service.
    • Delegated Authentication will not work with service.


Leave a Reply

Your email address will not be published. Required fields are marked *