As the name suggests, in delegated authentication, authentication is delegated to an external party. With delegated authentication, Salesforce has no control over the passwords used to log in to your org. Instead, the external authentication method controls user passwords and associated policies.
With Delegated Authentication, the user logs in through the normal Salesforce login page, but Salesforce checks with a third-party server for the password. In this case, the user literally has no Salesforce password and cannot log in without the authentication server's permission.
Example-For example, your company uses an LDAP server for its employees. You want to use the LDAP server to authenticate users into Salesforce. You also want to use permissions on the user profile to determine whether users authenticate with LDAP or Salesforce. Specifically, you want users with standard profiles to log in with a password managed by the LDAP server, while system administrator profiles use a Salesforce password. So, you integrate your org with your LDAP server by wrapping the LDAP server in a SOAP-based web service. You create permissions so that only users with standard profiles use delegated authentication. Now, users with standard profiles enter a Salesforce username and the LDAP server handles their password. Users with system administrator profiles enter their Salesforce username and password.
Delegated Authentication’s Flow
When a user tries to log in (either online or using the API), Salesforce tries to validate the username and checks the user’s permissions and access settings.
If the “Is Single Sign-On Enabled” user permission is enabled, Salesforce calls the SOAP-based SSO web service to validate the username and password.
The web service call passes the username, password, and source IP to your SSO web service implementation, which Salesforce servers then access. The source IP is the address where the login request originated.
Your SSO web service implementation validates the passed information and returns either true or false.
When the response is true, the login process continues and the user is logged in to your org. When false, the user gets an error message that the username and password combination is invalid.
How to configure Delegated Authentication?
To configure Salesforce for delegated authentication: Follow the instructions in the Salesforce documentation to enable delegated authentication single sign-on for your organization.
After delegated authentication has been enabled at Salesforce, complete the following configuration steps:
Enable delegated authentication for your org-
From Setup, in the Quick Find box, enter Single Sign-On Settings, then select Single Sign-On Settings.
Select Disable login with Salesforce credentials
Build your web service.
Specify your delegated authentication gateway URL:
Click Your Name > Setup > Security Controls > Single Sign-On Settings > Edit.
Enter the URL for the Delegated Gateway URL
Enable permissions-Enable the Is Single Sign-On Enabled permission for all the users you want to use delegated authentication
Some Use Case
Restricting certain users to log in only using federated SSO and not by regular salesforce users and passwords using login.salesforce.com or my domain url. This can be achieved by using delegated authentication. You can refer to below article https://www.youtube.com/watch?v=ivYsRZUYlXw
Consideration
Orgs implementation of Web service must be accessible from Salesforce servers. Deploy the web service on a server in DMZ.
If Salesforce and your system can’t connect, or if the request takes longer than 10 seconds to process, the login attempt fails. The user gets an error message indicating that the corporate authentication service is down.
Namespaces, element names, and capitalization must be exact in SOAP requests.
Wherever possible, generate your server stub from the WSDL file to ensure accuracy.
Make web service available by TLS. A certificate from a trusted provider, such as Verisign or Thawte, is required
The IP address that originated the login request is sourceIp. Use this information to restrict access based on the user’s location.
Ensure that Salesforce IP Addresses are whitelisted on the corporate firewall.
Map org’s internal usernames to your Salesforce usernames.
Do not enable SSO for admins to ensure that they are not locked out when the web service is down.
Delegated authentication is managed at the permission level and not at the org level
Password reset is disabled for delegated authentication because Salesforce no longer manages user passwords. Users who try to reset their passwords in Salesforce are directed to their Salesforce admin
Troubleshoot Delegated Authentication Login Errors
Admins with the Modify All Data permission can view the 21 most recent login errors for your Salesforce org. From Setup, in the Quick Find box, enter Delegated Authentication Error History, then select Delegated Authentication Error History. For each failed login, you can view the user's username, login time, and the error.
No comments:
Post a Comment