salesforce_tab_3_content-1

Identity & Single Sign-On Documentation

Comprehensive guide to Salesforce identity management and SSO flows. Implement secure authentication for your organization.

Enterprise SSO

SAML, OpenID Connect, and delegated authentication flows

Security Best Practices

Implementation guidelines and security considerations

Integration patterns

Ready-to-use configuration examples and code samples

Identity Flow Documentation

SAML SSO

Security Assertion Markup Language

Security level : very high (5/5)

Enterprise-grade single sign-on using SAML 2.0 assertions for federated authentication

Requirements

  • SAML identity provider 

  • configurationDigital certificates for signing

  • Proper attribute mapping

Implementation Steps:
SP-Initiated SSO

User accesses Salesforce, redirected to IdP for authentication

IdP Authentication

User authenticates with identity provider

SAML Response

IdP sends signed SAML assertion to Salesforce

User Access

Salesforce validates assertion and grants access

End Points

meta data

https://mycompany.my.salesforce.com/services/auth/idp/metadata

SAML SSO Example

"syntax-keyword">class="syntax-comment">

  
    
      "urn:oasis:names:tc:SAML:1.1:nameid-">format:unspec">ified">
        user@company.com
      
    
    
      "User.FirstName">
        John
      
      "User.LastName">
        Doe

OpenID Connect

OAuth 2.0 Extension

Security level : very high (5/5)

Modern identity layer on top of OAuth 2.0 providing user authentication and profile information

Requirements
  • OpenID Connect compatible provider
  • Proper scope configuration (openid required)
  • JWT validation capability
Implementation Steps:
Authorization Request

Client redirects user to OpenID Provider

User Authentication

User authenticates with OpenID Provider

Authorization Code

Exchange code for ID token and access token

Token Exchange

Salesforce validates assertion and grants access

SAML SSO Example

// OpenID Connect Flow
const authUrl = `https://login.salesforce.com/services/oauth2/authorize?` +
  `response_type=code&` +
  `client_id=${clientId}&` +
  `redirect_uri=${encodeURIComponent(redirectUri)}&` +
  `scope=openid profile email&` +
  `nonce=${nonce}`;

// Token exchange
const response = await fetch('https://login.salesforce.com/services/oauth2/token', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  body: new URLSearchParams({
    grant_type: 'authorization_code',
    code: authorizationCode,
    client_id: clientId,
    client_secret: clientSecret,
    redirect_uri: redirectUri
  })
});

// Decode JWT ID token
const tokenData = await response.json();
const idTokenPayload = JSON.parse(atob(tokenData.id_token.split('.')[1]));

Delegated Authentication

Custom Authentication Handler

Security level : Medium (3/5)

Custom authentication against external systems while maintaining Salesforce session management

Important Note:
  • Requires custom Apex development
  • Consider migrating to SAML or OIDC
  • Consider migrating to SAML or OIDC
Implementation Steps:
Login Attempt

User attempts to log into Salesforce

Delegation Handler

Salesforce calls custom authentication handler

External Validation

Handler validates credentials against external system

Response Processing

Salesforce processes handler response and grants access

SAML SSO Example

// Delegated Authentication Handler (Apex)
global class CustomAuthHandler implements Auth.AuthProviderPlugin {
    
    global String getCustomMetadataType() {
        return 'CustomAuth__mdt';
    }
    
    global PageReference initiate(Map authProviderConfiguration, 
                                 String stateToPropagate) {
        // Redirect to external auth system
        String authUrl = authProviderConfiguration.get('Auth_Url__c');
        PageReference pageRef = new PageReference(authUrl);
        return pageRef;
    }
    
    global Auth.AuthProviderTokenResponse handleCallback(
        Map authProviderConfiguration, 
        Auth.AuthProviderCallbackState state) {
        
        // Process callback from external system
        String accessToken = state.queryParameters.get('access_token');
        
        return new Auth.AuthProviderTokenResponse(
            'CustomAuth', accessToken, null, state.stateToPropagate);
    }
}

Identity Flow Comparison

Choose the right SSO flow based on your organization requirements

Flow Comparison Table

Decision Tree

Do you have an existing SAML identity provider?

Yes: SAML SSO (most common enterprise choice)

No: Consider OpenID Connect for modern applications

Do you need modern web/mobile application support?

Yes: Do you need modern web/mobile application support?

No: SAML SSO for traditional enterprise applications

Security Considerations

SAML Considerations

  •  Certificate Management: Regular rotation required
  •  Attribute Mapping: Proper field mapping essential
  •  Session Timeout: Configure appropriate timeouts

Best Practices

  • Always use HTTPS for all SSO flows
  •  Implement proper session management
  • Regular security audits and reviews
  • Monitor authentication logs
  •  Use least-privilege access principles
Scroll to Top