Newer Version Available
Single Sign-On
Salesforce has its own system of user authentication, but some companies prefer
to use an existing single sign-on capability to simplify and standardize their user authentication.
You have two options to implement single sign-on—federated authentication using Security Assertion Markup Language (SAML) or delegated authentication.
- Federated authentication using Security Assertion Markup Language (SAML) allows you to send authentication and authorization data between affiliated but unrelated Web services. This enables you to sign on to Salesforce from a client application. Federated authentication using SAML is enabled by default for your organization.
-
Delegated authentication single sign-on enables you to integrate Salesforce with an authentication method that you choose. This enables
you to integrate authentication with your LDAP (Lightweight Directory Access Protocol) server, or perform single
sign-on by authenticating using a token instead of a password. You manage delegated authentication at the permission
level, allowing some users to use delegated authentication, while other users continue to use their Salesforce-managed password. Delegated authentication is set by
permissions, not by organization.
The primary reasons for using delegated authentication include:You must request that this feature be enabled by Salesforce. Contact Salesforce to enable delegated authentication single sign-on for your organization.
- Using a stronger type of user authentication, such as integration with a secure identity provider
- Making your login page private and accessible only behind a corporate firewall
- Differentiating your organization from all other companies that use Salesforce in order to reduce phishing attacks
- Authentication providers let your users log in to your Salesforce organization using their login credentials from an external service provider. Salesforce supports the OpenId Connect protocol that allows users to log in from any OpenID provider such as Google, PayPal, LinkedIn and other services supporting OpenID Connect. When authentication providers are enabled, Salesforce does not validate a user’s password. Instead, Salesforce uses the user’s login credentials from the external service provider to establish authentication credentials.
Identity Providers
An identity provider is a trusted provider that lets
you use single sign-on to access other websites. A service provider is a website
that hosts applications. You can enable Salesforce
as an identity provider and define one or more service providers. Your users can then access
other applications directly from Salesforce using
single sign-on. Single sign-on can be a great help to your users: instead of having to
remember many passwords, they only have to remember one. Plus, the applications can be added
as tabs to your Salesforce organization, which
means users don’t have to switch between programs.
For more information, see “Identity Providers and Service Providers” in the Salesforce online help.