|Available in: both Salesforce Classic and Lightning Experience
|Federated Authentication is available in: All Editions
Delegated Authentication is available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
Authentication Providers are available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions
|To view the settings:
||“View Setup and Configuration”
|To edit the settings:
Single sign-on is a process that allows network
users to access all authorized network resources without having to
log in separately to each resource. Single sign-on allows you to validate
usernames and passwords against your corporate user database or other
client application rather than having separate user passwords managed
Salesforce offers the
following ways to use single sign-on:
- Federated authentication using Security
Assertion Markup Language (SAML) allows you to send authentication
and authorization data between affiliated but unrelated Web services.
This enables you to sign on to Salesforce from a client
application. Federated authentication using SAML is enabled by default
for your organization.
Delegated authentication single sign-on
enables you to integrate Salesforce with an authentication
method that you choose. This enables you to integrate authentication
with your LDAP (Lightweight Directory Access Protocol) server, or
perform single sign-on by authenticating using a token instead of
a password. You manage delegated authentication at the permission
level, allowing some users to use delegated authentication, while
other users continue to use their Salesforce-managed password.
Delegated authentication is set by permissions, not by organization.
You must request that this feature
be enabled by Salesforce. Contact Salesforce to enable
delegated authentication single sign-on for your organization.
The primary reasons for using delegated authentication include:
- Using a stronger type of user authentication, such as integration
with a secure identity provider
- Making your login page private and accessible only behind a corporate
- Differentiating your organization from all other companies that
use Salesforce in
order to reduce phishing attacks
- Authentication providers let your users
log in to your Salesforce organization using their login credentials from an external
service provider. Salesforce supports the OpenId Connect protocol that allows users to log
in from any OpenID provider such as Google, Paypal, LinkedIn and other
services supporting OpenID Connect. When authentication providers
are enabled, Salesforce does not validate a user’s password. Instead, Salesforce uses the user’s
login credentials from the external service provider to establish
When you have an external identity provider, and configure single
sign-on for your Salesforce organization, Salesforce is then acting
as a service provider. You can also enable Salesforce as an identity provider, and use single sign-on to connect to a different service provider.
Only the service provider needs to configure single sign-on.
The Single Sign-On Settings page displays which version of single
sign-on is available for your organization. To learn more about the
single sign-on settings, see Configuring SAML Settings for Single Sign-On. For more information about SAML and Salesforce security, see
the Security Implementation Guide.
Benefits of Single Sign-On
Implementing single sign-on can offer the following advantages
to your organization:
Reduced Administrative Costs: With single sign-on, users
only need to memorize a single password to access both network resources
or external applications and Salesforce. When accessing Salesforce from inside
the corporate network, users are logged in seamlessly, without being
prompted to enter a username or password. When accessing Salesforce from outside
the corporate network, the users’ corporate network login works
to log them in. With fewer passwords to manage, system administrators
receive fewer requests to reset forgotten passwords.
Leverage Existing Investment: Many companies use a central
LDAP database to manage user identities. By delegating Salesforce authentication
to this system, when a user is removed from the LDAP system, they
can no longer access Salesforce. Consequently,
users who leave the company automatically lose access to company data
after their departure.
Time Savings: On average, a user takes five to 20 seconds
to log in to an online application; longer if they mistype their username
or password and are prompted to reenter them. With single sign-on
in place, the need to manually log in to Salesforce is avoided.
These saved seconds add up to increased productivity.
Increased User Adoption: Due to the convenience of not
having to log in, users are more likely to use Salesforce on a regular
basis. For example, users can send email messages that contain links
to information in Salesforce such as records and reports. When the recipients of the email
message click the links, the corresponding Salesforce page opens
Increased Security: Any password policies that you have
established for your corporate network will also be in effect for Salesforce. In addition,
sending an authentication credential that is only valid for a single
use can increase security for users who have access to sensitive data.