Federated authentication using Security Assertion Markup Language (SAML) lets us send authentication and authorization data between affiliated but unrelated web services.
We can log in to Salesforce from a client app. Salesforce enables federated authentication for the org automatically.
Delegated authentication SSO integrates Salesforce with an authentication method that we choose. We can integrate authentication with our LDAP (Lightweight Directory Access Protocol) server or use a token instead of a password for authentication.
Delegated authentication is managed at the permission level, not at the org level, giving us more flexibility. With permissions, we can require some users to use delegated authentication while others use their Salesforce-managed password.
Delegated authentication offers the following benefits:
Uses a stronger form of user authentication, such as integration with a secure identity provider
Makes the login page private and accessible only behind a corporate firewall
Differentiates our org from all other companies that use Salesforce to reduce phishing attacks
We must contact Salesforce to enable delegated authentication before we can configure it on our org.
Authentication providers let users log in to a Salesforce org using their login credentials from an external service provider.
Salesforce supports the OpenID Connect protocol, which lets users log in from any OpenID Connect provider, such as Google, PayPal, and LinkedIn.
When an authentication provider is enabled, Salesforce doesn’t validate a user’s password. Instead, Salesforce uses the user’s login credentials from the external service provider to establish authentication credentials.