Difference between Federated authentication and Delegated authentication in Salesforce

Federated authentication uses SAML, an industry standard for secure integrations.

Federated authentication using Security Assertion Markup Language (SAML) lets you send authentication and authorization data between affiliated but unrelated web services. You can log in to Salesforce from a client app. Salesforce enables federated authentication for your org automatically.

Use delegated authentication if you have mobile users in your organization, or if you want to enable single sign-on for partner portals or Customer Portals. You must request that this feature be enabled by salesforce.com.

You can manage delegated authentication at the permission level, not at the org level, giving you more flexibility. With permissions, you can require some users to use delegated authentication and others to use their Salesforce-managed password.

Delegated authentication still sends the username and password (possibly even your network password) over the internet to Force.com.

1. When a user tries to log in—either online or using the API—Salesforce validates the username and checks the user’s permissions and access settings.

2. If the user has the Is Single Sign-On Enabled user permission, Salesforce doesn’t validate the username and password. Instead, a web service call is made to the user’s org to validate the username and password. When this user permission is enabled, Salesforce no longer manages the policies for user passwords, such as when passwords expire or the required minimum length. Instead, the delegated authentication endpoint’s service enforces password policies.

Note:
Salesforce doesn’t store, log, or view the password. It’s disposed of immediately after the process completes.

3. The web service call passes the username, password, and source IP to your web service. The source IP is the address where the login request originated. You must create and deploy an implementation of the web service that Salesforce servers can access.

4. Your web service implementation validates the passed information and returns either true or false.

5. When the response is true, the login process continues, a new session is generated, and the user proceeds to the app. When false, the user gets an error message that the username and password combination is invalid.

Note:
With delegated authentication, a user can experience a slight delay when logging in while the user account becomes available in the org.
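The endpoint that steps 3 and 4 require, written as an added example rather than code from the original post or from Salesforce: it unpacks the username, password and source IP from the incoming SOAP request, checks them against a constructed credential store and IP allowlist, and answers true or false. The `urn:authentication.soap.sforce.com` namespace and the `Authenticate`/`AuthenticateResult`/`Authenticated` element names are assumed; confirm them against the delegated authentication WSDL you download from your org.

```python
import hashlib
import hmac
import ipaddress
import xml.etree.ElementTree as ET  # use defusedxml in production for untrusted XML

# Assumed namespace and element names; verify against the WSDL from your org.
NS = "urn:authentication.soap.sforce.com"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

def _digest(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed credential store: username -> (salt, salted SHA-256 of the password).
# A real implementation would consult the corporate directory instead.
USERS = {"alice@example.com": ("s1", _digest("s1", "correct horse"))}
# Constructed allowlist: the source IP Salesforce forwards must fall in this range.
ALLOWED_NET = ipaddress.ip_network("203.0.113.0/24")

def authenticate(username, password, source_ip):
    """Return True only if the password and originating IP both check out.
    The password exists only for this call and is never logged or stored."""
    # Always compute a digest so unknown usernames take as long as known ones.
    salt, expected = USERS.get(username, ("none", _digest("none", "")))
    password_ok = hmac.compare_digest(expected, _digest(salt, password))
    try:
        ip_ok = ipaddress.ip_address(source_ip) in ALLOWED_NET
    except ValueError:
        ip_ok = False
    return username in USERS and password_ok and ip_ok

def handle_soap(envelope_xml):
    """Parse the Authenticate request and build the boolean SOAP response."""
    req = ET.fromstring(envelope_xml).find(f".//{{{NS}}}Authenticate")
    def field(name):
        el = req.find(f"{{{NS}}}{name}") if req is not None else None
        return el.text if el is not None and el.text else ""
    result = authenticate(field("username"), field("password"), field("sourceIp"))
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Body>'
            f'<AuthenticateResult xmlns="{NS}"><Authenticated>{str(result).lower()}'
            f'</Authenticated></AuthenticateResult></soapenv:Body></soapenv:Envelope>')

# Constructed sample of what Salesforce would POST for a login attempt.
SAMPLE_REQUEST = (f'<soapenv:Envelope xmlns:soapenv="{SOAP}"><soapenv:Body>'
                  f'<Authenticate xmlns="{NS}"><username>alice@example.com</username>'
                  f'<password>correct horse</password><sourceIp>203.0.113.10</sourceIp>'
                  f'</Authenticate></soapenv:Body></soapenv:Envelope>')

if __name__ == "__main__":
    print(handle_soap(SAMPLE_REQUEST))
```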
