Frequently Asked Questions
This topic contains a list of the most frequently asked questions.
The following are the types of SSO:
- Federated authentication using SAML
- Delegated authentication by integrating Salesforce with an authentication method
For more information, see Types of Single Sign-On.
The password reset option is disabled for SSO users who use delegated authentication. In delegated authentication, Salesforce does not manage user passwords. Users who want to reset their passwords in Salesforce are directed to the Salesforce administrator.
For delegated authentication, if you have the View All Data permission:
- Navigate to Delegated Authentication Error history and view the logs
- Navigate to Login history for a user
If you do not have the View All Data permission, contact your administrator.
For federated authentication, to view logs for SSO errors:
1. Navigate to the Single Sign-On Settings section.
2. Click SAML Validation.
Navigate to Setup > Manage Users > Users > Select username > Login history.
Yes, you can configure the login, logout, and error pages as required, using SAML 1.1 or SAML 2.0 in SSO Configuration.
To enable the Single Sign-On permission:
1. In the System Permissions section, navigate to Setup > Manage Users > Profile > User profile.
2. Edit the required profile and select Is Single Sign-On Enabled.
3. Save the profile.
When you click a Salesforce link that points to a specific Salesforce record, you are prompted for credentials if you are not already logged in to Salesforce. If you are already logged in to Salesforce, you are redirected to the appropriate record page.
If you are not redirected to the intended Salesforce record page, you might need to configure Relay State for ADFS, which serves as your Identity Provider. See the ADFS 2.0 Relay State section in this document for Relay State configuration.
If you are already authenticated by the Identity Provider and logged in to your Salesforce org, you are redirected to the intended page when you click the link (for example, an account page or a specific page in your org).
These questions are categorized into two types.
Based on Service Provider
You need to contact Salesforce to enable delegated authentication.
To contact Salesforce:
- Navigate to Help > Contact Support > Open a case.
Enter appropriate information in the fields given in the table below:
From the drop-down list, select Feature Activation.
From the drop-down list, select Login and Feature Activation.
Enter Enable Delegated Authentication.
Enter an appropriate description.
From the drop-down list, select Medium.
1. Navigate to Setup > Administration Setup > Security Controls > Single Sign-On Settings.
2. Click Edit and enter the Delegated Gateway URL.
3. Navigate to Setup > Administration Setup > Manage Users > Profile.
4. Edit the required profile and select Is Single Sign-On Enabled to enable user permission for your user’s profile.
Yes, delegated authentication supports SAML tokens as well as passwords.
If the Is Single Sign-On Enabled permission is enabled for a user, then the user credentials are authenticated through delegated authentication.
Salesforce does not store any password. Credentials are disposed of once the authentication process is complete.
If Force Delegated Authentication Callout is selected, then Salesforce forces a callout to the gateway URL, even after a failure due to restrictions set in the profile such as IP range restrictions.
Navigate to Setup > Administration Setup > Manage Users > Delegated Authentication Error History. You will see error logs related to delegated authentication.
The request times out after 10 seconds. See https://developer.salesforce.com/docs/atlas.en-us.sso.meta/sso/sso_tips.htm for more information.
No. Portals support only Federated Authentication. See the links below for information.
Based on Identity Provider
Once the user credentials are verified, the Identity Provider sends one of the following authentication statuses:
- TRUE: If the user credentials are valid
- FALSE: If the user credentials are invalid
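
An added example (not from the original page or from Salesforce) of how a delegated authentication gateway might handle the callout: it parses the request, checks the credentials, and answers with the TRUE/FALSE status described above, answering FALSE on any malformed input. The SOAP element names and namespace are assumptions based on Salesforce's delegated authentication WSDL and should be confirmed against the WSDL from your org; the user store, sample request, and function names are constructed for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
SF = "{urn:authentication.soap.sforce.com}"  # assumed namespace; confirm in your org's WSDL

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed stand-in for the real directory (LDAP/AD) the gateway would query.
USERS = {"alice@example.com": (b"demo-salt", _kdf("correct horse", b"demo-salt"))}

# Constructed sample of the callout body Salesforce would POST to the gateway URL.
SAMPLE_REQUEST = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Body><Authenticate xmlns="urn:authentication.soap.sforce.com">'
    "<username>alice@example.com</username><password>correct horse</password>"
    "<sourceIp>203.0.113.7</sourceIp></Authenticate></soapenv:Body></soapenv:Envelope>"
)

RESPONSE = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Body><AuthenticateResult xmlns="urn:authentication.soap.sforce.com">'
    "<Authenticated>{result}</Authenticated></AuthenticateResult>"
    "</soapenv:Body></soapenv:Envelope>"
)

def parse_authenticate(body: bytes) -> dict:
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise ValueError("DTDs are not accepted")  # blocks entity-expansion tricks
    req = ET.fromstring(body).find(f"{SOAP}Body/{SF}Authenticate")
    if req is None:
        raise ValueError("no Authenticate element")
    fields = {n: req.findtext(f"{SF}{n}") for n in ("username", "password", "sourceIp")}
    if not fields["username"] or fields["password"] is None:
        raise ValueError("missing credentials")
    return fields

def verify(username: str, password: str) -> bool:
    # Unknown users still cost one KDF run, so timing does not reveal which names exist.
    salt, expected = USERS.get(username, (b"no-such-user", bytes(32)))
    return hmac.compare_digest(_kdf(password, salt), expected)

def handle(body: bytes) -> str:
    try:
        fields = parse_authenticate(body)
        ok = verify(fields["username"], fields["password"])
    except (ValueError, ET.ParseError):
        ok = False  # fail closed: malformed or unexpected input is answered with false
    return RESPONSE.format(result="true" if ok else "false")
```

Because the request times out after 10 seconds, any real directory lookup behind `verify` needs its own timeout well under that limit. The parsed password should never be written to the gateway's logs.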