Salesforce has its own system of user authentication, but some companies prefer to use an existing single sign-on capability to simplify and standardize their user authentication. You have two options to implement single sign-on: federated authentication using Security Assertion Markup Language (SAML) or delegated authentication.
- Federated authentication using Security Assertion Markup Language (SAML) allows you to send authentication and authorization data between affiliated but unrelated web services. This enables you to sign on to Salesforce from a client application. Federated authentication using SAML is enabled by default for your organization.
- Delegated authentication single sign-on enables you to integrate Salesforce with an authentication method that you choose. This enables you to integrate authentication with your LDAP (Lightweight Directory Access Protocol) server, or to perform single sign-on by authenticating with a token instead of a password. You manage delegated authentication at the permission level, allowing some users to use delegated authentication while other users continue to use their Salesforce-managed password.

Delegated authentication is set by permissions, not by organization. The feature is not on by default: contact salesforce.com to have delegated authentication single sign-on enabled for your organization.
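The token-based variant described above, as an added example that is not Salesforce's code and not part of this page: a minimal delegated-authentication listener that validates a short-lived HMAC token received in place of a password. The SOAP element names (Authenticate, username, password, sourceIp, AuthenticateResult/Authenticated, namespace urn:authentication.soap.sforce.com) are assumed from Salesforce's published delegated authentication WSDL; the shared secret and token format are constructed for the demonstration.

```python
import base64, hashlib, hmac, time
import xml.etree.ElementTree as ET

# Assumed SOAP contract for Salesforce delegated authentication (names taken
# from the published AuthenticationService WSDL; an assumption, not from this page).
NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "urn": "urn:authentication.soap.sforce.com"}

SECRET = b"constructed-demo-secret-rotate-in-production"  # constructed shared secret
TOKEN_TTL = 120  # seconds a token stays valid

def issue_token(username, now, secret=SECRET):
    """Issuer side: the client application obtains base64(username|expiry|HMAC)."""
    expiry = str(int(now) + TOKEN_TTL)
    msg = f"{username}|{expiry}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(msg + b"|" + mac).decode()

def verify_token(username, token, now, secret=SECRET):
    """Listener side: check the MAC in constant time, then expiry, then user binding."""
    try:
        user, expiry, mac = base64.urlsafe_b64decode(token.encode()).decode().split("|")
        expiry_ts = int(expiry)
    except ValueError:  # bad base64, bad UTF-8, wrong field count or non-numeric expiry
        return False
    expected = hmac.new(secret, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return False
    return user == username and expiry_ts > int(now)

def handle_authenticate(soap_request, now=None):
    """Answer an Authenticate call; anything unexpected yields Authenticated=false."""
    now = time.time() if now is None else now
    ok = False
    try:
        call = ET.fromstring(soap_request).find("soapenv:Body/urn:Authenticate", NS)
        if call is not None:
            username = call.findtext("urn:username", "", NS)
            token = call.findtext("urn:password", "", NS)  # the token rides in the password field
            ok = verify_token(username, token, now)
    except ET.ParseError:
        pass
    return ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body>'
            '<AuthenticateResult xmlns="urn:authentication.soap.sforce.com">'
            f'<Authenticated>{"true" if ok else "false"}</Authenticated>'
            '</AuthenticateResult></soapenv:Body></soapenv:Envelope>')
```

Because the listener, not Salesforce, makes the accept/reject decision, every parse or verification failure falls through to Authenticated=false rather than raising.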
The primary reasons for using delegated authentication include:
- Using a stronger type of user authentication, such as integration with a secure identity provider
- Making your login page private: part of your corporate network behind your corporate firewall rather than part of the general Internet
- Differentiating your organization from all other companies that use Salesforce in order to reduce phishing attacks