- Integrate Salesforce with the authentication method of your choice like LDAP.
- Authentication can be done with Token instead of password.
- Delegated authentication is managed at permission level and not at org level.
- Contact Salesforce for enabling Delegated authentication.
- There may be a slight delay in the login process.
- Uses a stronger form of user authentication, such as integration with a secure identity provider
- Makes your login page private and accessible only behind a corporate firewall
- Differentiates your org from all other companies that use Salesforce to reduce phishing attacks
Best Practices and Risks
- Orgs implementation of Web service must be accessible from Salesforce servers.Deploy the web service on a server in DMZ.
- If Salesforce and your system can’t connect, or if the request takes longer than 10 seconds to process, the login attempt fails. The user gets an error message indicating that the corporate authentication service is down.
- Namespaces, element names, and capitalization must be exact in SOAP requests. Wherever possible, generate your server stub from the WSDL file to ensure accuracy.
- Make web service available by TLS. A certificate from a trusted provider, such as Verisign or Thawte, is required
- The IP address that originated the login request is sourceIp. Use this information to restrict access based on the user’s location.
- Ensure that Salesforce IP Addresses are whitelisted on the corporate firewall.
- Map org’s internal usernames to your Salesforce usernames.
- Do not enable SSO for admins to ensure that they are not locked out when the web service is down.
- When a user tries to log in—either online or using the API—Salesforce validates the username and checks the user’s permissions and access settings.
- If the user has the Is Single Sign-On Enabled user permission, Salesforce doesn’t validate the username and password. Instead, a web service call is made to the users org to validate username and password and password policies are managed by delegated authentication endpoint. Salesforce doesn’t store, log, or view the password. It’s disposed of immediately after the process completes.
- Web Service call passes username, password and sourceIp to the web service.
- Web Service implementation validates username and password and returns a boolean value.
- If response is true, login process continues. If false, user gets an error message that the username and password combination is invalid.
Components of Delegated Authentication
- Build SSO Web Service
- Download Delegated Authentication WSDL from Setup → API and generate Server stub using respective options available in the programming languages
- Add a link to your corporate intranet or other internal site that takes the authenticated user’s credentials and passes them through an HTTP POST to the Salesforce login page. Don’t pass in a password. Instead, pass another authentication token, such as a Kerberos Ticket.
- In Salesforce specify org’s SSO gateway URL in Delegated Gateway URL field under Single Sign-On Settings
- For recording login attempt select Force Delegated Authentication Callout
- Enable Is Single Sign-On Enabled permission