Best Practices for Single Sign-On

Consider the following best practices when implementing delegated authentication and federated authentication for Single Sign-On for your organization.

Delegated Authentication

The following are the best practices while implementing delegated authentication SSO:

• Deploy your server in a DMZ as the Web Service must be accessible by Salesforce servers.
• Ensure that namespaces, element names, and capitalization must be exact in SOAP requests. Wherever possible, generate your server stub from the Web Service Definition Language (WSDL) to ensure accuracy.
• Make sure your web server is configured to only use Secure Socket Layers (SSL) using TLS encryption.

Do not enable Single Sign-On for Salesforce System Administrator accounts. System Administrators should always be able to login, even in case of a Single Sign-On server outage or when configuring SSO settings in Salesforce during implementation, or subsequent maintenance or changes.

Federated Authentication

The following are the best practices while implementing federated authentication SSO:

• Ensure that the IDP clock is up-to-date, as Salesforce allows a maximum three minutes clock skew.
• Use the SAML Assertion Validator on SSO Settings configuration page to troubleshoot the log in related issues.
• Enable the SAML organization preference with all the necessary configurations, before allowing users to log in with SAML assertions.

Use the My Domain feature to prevent users from logging in to Salesforce directly, and give administrators more control over login policies.