Newer Version Available
Single Sign-On
Salesforce has its own system of user authentication, but some companies prefer
to use an existing single sign-on capability to simplify and standardize their user authentication.
You have two options to implement single sign-on—federated authentication using Security Assertion Markup Language (SAML) or delegated authentication.
- Federated authentication using Security Assertion Markup Language (SAML) lets you send authentication and authorization data between affiliated but unrelated web services. You can log in to Salesforce from a client app. Salesforce enables federated authentication for your org automatically.
-
Delegated authentication SSO integrates Salesforce with an
authentication method that you choose. You can integrate authentication with
your LDAP (Lightweight Directory Access Protocol) server or use a token
instead of a password for authentication. You manage delegated
authentication at the permission level, not at the org level, giving you
more flexibility. With permissions, you can require some to use delegated
authentication while others use their Salesforce-managed
password.
Delegated authentication offers the following benefits.You must contact Salesforce to enable delegated authentication before you can configure it on your org.
- Uses a stronger form of user authentication, such as integration with a secure identity provider
- Makes your login page private and accessible only behind a corporate firewall
- Differentiates your org from all other companies that use Salesforce to reduce phishing attacks
- Authentication providers let your users log in to your Salesforce org using their login credentials from an external service provider. Salesforce supports the OpenID Connect protocol, which lets users log in from any OpenID Connect provider, such as Google, PayPal, and LinkedIn. When an authentication provider is enabled, Salesforce doesn’t validate a user’s password. Instead, Salesforce uses the user’s login credentials from the external service provider to establish authentication credentials.
Identity Providers
An identity provider is a trusted provider that lets
you use single sign-on (SSO) to access other websites. A service provider is a
website that hosts apps. You can enable Salesforce as an identity provider and define one or
more service providers. Your users can then access other apps directly from Salesforce using
SSO. SSO is a great help to your users—instead of having to remember many passwords,
they only have to remember one.
For more information, see “Identity Providers and Service Providers” in the Salesforce online help.