Delegated Single Sign-On using ADFS 2.0
Delegated SSO configuration using ADFS 2.0 requires performing the following:
Configuring the Service Provider
Configuring a service provider for Delegated Authentication requires performing the following:
Activating Delegated Authentication
To activate Delegated Authentication:
- Log in to Salesforce with the admin account credentials. The Salesforce home page appears.
- On the Salesforce home page, click Help and Training. The Salesforce Help page appears.
- Click Contact Support. The Contact Support page appears.
- Click Open a case. The Contact Support login page appears with two login options: Salesforce Login and Marketing Cloud Login.
- Under Salesforce Users, click Salesforce Log In. The Salesforce login page appears.
- Enter your Salesforce login credentials. Salesforce validates them and redirects you to the Support Case page.
- On the Support Case page, fill in the fields listed below:
- Email: your email address.
- Phone: your phone number.
- Problem Type: select Feature Activation Request from the drop-down list.
- Problem Area: select Login and Feature Activation from the drop-down list.
- Subject: an appropriate subject, for example "Enable Delegated Authentication".
- Description: an appropriate description of the request.
- Security Level: select the appropriate security level from the drop-down list.
- Click Next. A confirmation window appears and the case is submitted to Salesforce Support. Delegated Authentication is enabled for your organization by Salesforce Support once the case is processed.
Overview of Delegated Authentication
Once Delegated Authentication is activated for your Salesforce organization, continue with Configuring Service Provider for Delegated Authentication.
You also need to download the Delegated Authentication Web Services Description Language (WSDL) file.
To download the Delegated Authentication WSDL:
- Navigate to Setup.
- Under App Setup, navigate to Develop and click API. The WSDL page appears.
- Click Download Delegated Authentication WSDL.
This WSDL describes the single sign-on web service that Salesforce expects the identity provider to expose; Salesforce is the client of that service, not the server. The WSDL is used to generate a server-side stub to which you add your implementation.
With Delegated Authentication, when a user who is enabled for single sign-on attempts to log in, Salesforce does not verify the password itself. Instead it makes a SOAP web service call to the endpoint you expose in front of ADFS, passing the username, the password the user entered and the sourceIp from which the login was attempted. ADFS (through that web service) must respond with either true or false, and Salesforce grants the login only on true. Because the user's password travels in that call, the endpoint must be served over HTTPS and must accept requests only from Salesforce, and it should answer false on any error or malformed request rather than fail open.
Overview of Identity Provider Configuration
Once the identity provider (IdP) has the Delegated Authentication WSDL from Salesforce, the WSDL is used to generate a server-side stub. From that stub you build a web service that accepts a SOAP request from Salesforce carrying username, password and sourceIp, validates the credentials (against Active Directory in the ADFS case) and returns a SOAP response whose Authenticated element is true when the credentials are valid and false otherwise.
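The exchange described in the two overviews above, as an added example that is not Salesforce or ADFS code: one side builds the SOAP request Salesforce sends, the other side parses it, applies a source-IP policy, checks the credentials and returns the SOAP response, failing closed on every error path. The namespace and element names (urn:authentication.soap.sforce.com, Authenticate, username, password, sourceIp, AuthenticateResult, Authenticated) follow the Delegated Authentication WSDL as commonly published; confirm them against the copy you download from Setup. The credential store, the allowed source networks and the user record are constructed for the example and stand in for the Active Directory lookup ADFS would perform.

```python
"""Delegated Authentication SOAP exchange: Salesforce (service provider) side
and the web service that fronts ADFS (identity provider) side.

Added example, not Salesforce or ADFS code. Element and namespace names are
taken from the Delegated Authentication WSDL; USERS and ALLOWED_NETS are
constructed stand-ins for Active Directory and for a corporate IP policy.
"""
import hashlib
import hmac
import ipaddress
import os
import xml.etree.ElementTree as ET

NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS_AUTH = "urn:authentication.soap.sforce.com"
ET.register_namespace("soapenv", NS_SOAP)
ET.register_namespace("urn", NS_AUTH)

PBKDF2_ITERATIONS = 100_000


def _make_record(password: str) -> tuple:
    """Salted PBKDF2 record (salt, digest) for the constructed credential store."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed store: username -> (salt, digest). Stands in for AD; never keep plaintext.
USERS = {"alice@example.com": _make_record("correct horse battery staple")}
_DUMMY = _make_record("unused")  # keeps the KDF cost the same for unknown users

# Constructed policy: accept logins only when Salesforce reports a sourceIp in these ranges.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("2001:db8::/32")]


def build_authenticate_request(username: str, password: str, source_ip: str) -> str:
    """The SOAP request Salesforce sends when an SSO-enabled user tries to log in."""
    env = ET.Element(f"{{{NS_SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{NS_SOAP}}}Body")
    auth = ET.SubElement(body, f"{{{NS_AUTH}}}Authenticate")
    for tag, value in (("username", username), ("password", password), ("sourceIp", source_ip)):
        ET.SubElement(auth, f"{{{NS_AUTH}}}{tag}").text = value
    return ET.tostring(env, encoding="unicode")


def build_authenticate_response(authenticated: bool) -> str:
    """The SOAP response the identity-provider web service returns."""
    env = ET.Element(f"{{{NS_SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{NS_SOAP}}}Body")
    result = ET.SubElement(body, f"{{{NS_AUTH}}}AuthenticateResult")
    ET.SubElement(result, f"{{{NS_AUTH}}}Authenticated").text = "true" if authenticated else "false"
    return ET.tostring(env, encoding="unicode")


def verify_credentials(username: str, password: str) -> bool:
    """Check the password against the store: always run the KDF, compare in constant time."""
    salt, digest = USERS.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return username in USERS and hmac.compare_digest(candidate, digest)


def handle_authenticate(soap_request: str, allowed_nets=ALLOWED_NETS) -> tuple:
    """Identity-provider side. Returns (response_xml, authenticated); any failure yields false."""
    authenticated = False
    try:
        root = ET.fromstring(soap_request)
        req = root.find(f"{{{NS_SOAP}}}Body/{{{NS_AUTH}}}Authenticate")
        username = req.findtext(f"{{{NS_AUTH}}}username") or ""
        password = req.findtext(f"{{{NS_AUTH}}}password") or ""
        ip = ipaddress.ip_address(req.findtext(f"{{{NS_AUTH}}}sourceIp") or "")
        if username and password and any(ip in net for net in allowed_nets):
            authenticated = verify_credentials(username, password)
    except Exception:
        authenticated = False  # malformed envelope, missing element, unparsable IP: fail closed
    return build_authenticate_response(authenticated), authenticated


def parse_authenticate_response(soap_response: str) -> bool:
    """Service-provider side: only the literal 'true' grants access, anything else denies."""
    try:
        root = ET.fromstring(soap_response)
        text = root.findtext(f"{{{NS_SOAP}}}Body/{{{NS_AUTH}}}AuthenticateResult/{{{NS_AUTH}}}Authenticated")
        return (text or "").strip() == "true"
    except ET.ParseError:
        return False


if __name__ == "__main__":
    request = build_authenticate_request("alice@example.com", "correct horse battery staple", "203.0.113.7")
    response, ok = handle_authenticate(request)
    print(response)
    print("Salesforce would grant the login:", parse_authenticate_response(response))
```

The handler never logs the password and treats a missing element, an unparsable sourceIp or an unknown user identically (a false response), so the endpoint leaks nothing about which users exist. What the block cannot show is the transport: in a real deployment the service is exposed only over HTTPS, inbound calls are restricted to Salesforce, and the stub generated from the WSDL replaces the hand-built XML here.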