Delegated authentication is similar to single sign-on (SSO) but gives users a somewhat different experience. With delegated authentication, validation of user credentials is delegated to another system. For instance, you can set up your Salesforce org to check credentials against a Lightweight Directory Access Protocol (LDAP) server. Both SSO and delegated authentication let users access multiple applications with one set of credentials. With delegated authentication, however, users must still authenticate to each app individually.
Configure delegated authentication so that users can log in to your Salesforce org with credentials managed by an external authentication mechanism wrapped in a web service. When a user attempts to log in to your org, Salesforce calls this web service to verify the user's credentials. With delegated authentication, Salesforce never has access to the passwords used to access your org. Instead, the external authentication method owns user passwords and the policies attached to them.
You can use any authentication method as long as you wrap it in a web service that Salesforce can call. One approach is to use an LDAP server as the authentication method and wrap it in a SOAP-based web service. After integrating the authentication backend with Salesforce, you use Salesforce permissions to control which users log in through delegated authentication rather than with Salesforce credentials.
For instance, suppose your company's employees use an LDAP server and you want to authenticate Salesforce users against it. Additionally, you want to use profile permissions to decide whether a given user logs in with LDAP or with Salesforce. Specifically, users with standard profiles should log in with a password controlled by the LDAP server, whereas users with the system administrator profile should use a Salesforce password. You therefore integrate your org with the LDAP server by placing the LDAP server behind a SOAP-based web service, and you set permissions so that delegated authentication applies only to users with standard profiles. Now users with standard profiles enter their Salesforce username while the LDAP server manages their password, and users with the system administrator profile must enter their Salesforce username and password.
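As an added illustration of the web service described above (not code from the page or from Salesforce), this is a minimal handler for the SOAP Authenticate call. It assumes the message shape and namespace `urn:authentication.soap.sforce.com` of the Salesforce delegated authentication WSDL, uses a constructed in-memory directory in place of the LDAP bind, and fails closed on every error path.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET
# Namespaces assumed from the Salesforce delegated authentication WSDL (not taken from the page).
NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS_AUTH = "urn:authentication.soap.sforce.com"

# Constructed stand-in for the LDAP directory: username -> (salt, PBKDF2-SHA256 of the password).
_SALT = b"constructed-salt"

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

DIRECTORY = {"alice@example.com": (_SALT, _derive("correct horse", _SALT))}

# Constructed allow-list standing in for the Salesforce IP ranges the endpoint should accept calls from.
ALLOWED_CALLERS = {"203.0.113.10"}

def authenticate(username, password):
    """Verify one credential pair against the directory; any doubt is a rejection."""
    if not username or not password:
        return False
    entry = DIRECTORY.get(username)
    if entry is None:
        _derive(password, _SALT)  # unknown users cost the same time as known ones
        return False
    salt, stored = entry
    return hmac.compare_digest(_derive(password, salt), stored)

def _response(ok):
    """Build the AuthenticateResult envelope Salesforce reads the verdict from."""
    flag = "true" if ok else "false"
    return (f'<soapenv:Envelope xmlns:soapenv="{NS_SOAP}"><soapenv:Body>'
            f'<AuthenticateResult xmlns="{NS_AUTH}"><Authenticated>{flag}</Authenticated>'
            "</AuthenticateResult></soapenv:Body></soapenv:Envelope>")

def handle_authenticate(envelope_xml, caller_ip):
    """One Authenticate call; fails closed on unknown caller, bad XML or missing body. Password is never logged."""
    if caller_ip not in ALLOWED_CALLERS:
        return _response(False)
    try:
        req = ET.fromstring(envelope_xml).find(f".//{{{NS_AUTH}}}Authenticate")
    except ET.ParseError:
        return _response(False)
    if req is None:
        return _response(False)
    def field(name):
        el = req.find(f"{{{NS_AUTH}}}{name}")
        return el.text if el is not None and el.text else ""
    return _response(authenticate(field("username"), field("password")))
```

In production the same handler would be served over TLS, with the directory lookup replaced by an LDAP bind and the caller allow-list taken from Salesforce's published IP ranges.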
Enable the Is Single Sign-On Enabled user permission to let the external authentication method manage those users' credentials. Salesforce then no longer enforces its own password policies for them, such as expiration and minimum length. Instead, the service behind the delegated authentication endpoint enforces whatever password requirements apply.
Below is an infographic from LoginID entitled “How Delegated Authentication and Payment Authentication work with PSD2.”