Single Sign-On

Auth. (Authentication) Provider

Federated Authentication with SAML

Delegated Authentication

Salesforce Identity Provider (SAML)

My Domain required

Internal users only

Hub and Spoke with multiple orgs/communities

Access other apps directly from Salesforce using SSO

IdP-initiated login

SP-initiated login

Requires certificate

IdP-initiated login:

  1. The user tries to access a service provider already defined in Salesforce.
  2. Salesforce sends a SAML response to the service provider.
  3. The service provider identifies the user and authenticates the certificate.
  4. If the user is identified, the user is logged in to the service provider.

SP-initiated login:

  1. The service provider sends a valid SAML request. The SP-initiated POST endpoint is generated when the service provider is defined.
  2. Salesforce identifies the user specified in the SAML request.
  3. If the user is not logged in to Salesforce, the user is prompted to do so.
  4. Salesforce sends a SAML response to the service provider.
  5. The service provider authenticates the SAML response sent by Salesforce. If the user is authenticated, the user is logged in to the service provider and logged in to Salesforce.
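The consumer-side checks a service provider performs on the SAML response in both flows, as an added example (not Salesforce code). The response XML is constructed and unsigned; the entity IDs and the trusted issuer are assumed values. An SP-initiated response carries InResponseTo, which must match an AuthnRequest the SP actually issued and may be used once; an IdP-initiated response has no InResponseTo and is accepted only if the SP's policy allows unsolicited responses. Signature verification against the IdP certificate happens before any of this and is represented here by the `signature_ok` flag the caller obtains from its XML-DSig library.

```python
import xml.etree.ElementTree as ET  # parse with defusedxml in production to cap entity expansion
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed service-provider configuration (assumed values, not from the page)
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
TRUSTED_ISSUER = "https://idp.example.com"
CLOCK_SKEW = timedelta(minutes=3)
EXAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example


def shift(minutes: int) -> datetime:
    """EXAMPLE_NOW moved by the given number of minutes (used to build validity windows)."""
    return EXAMPLE_NOW + timedelta(minutes=minutes)


def _iso(ts: datetime) -> str:
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_iso(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_response(issuer, audience, not_before, not_on_or_after, name_id, in_response_to=None):
    """Build a constructed, unsigned SAML response; InResponseTo is set only for SP-initiated flows."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1"{irt}>'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        f'<saml:Assertion ID="_a1"><saml:Issuer>{issuer}</saml:Issuer>'
        f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{_iso(not_before)}" NotOnOrAfter="{_iso(not_on_or_after)}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
        '</saml:Conditions></saml:Assertion></samlp:Response>'
    )


def validate_response(xml_text, outstanding_request_ids, signature_ok, allow_idp_initiated=True, now=None):
    """Return ("ok", name_id) when every check passes, else ("rejected", reason)."""
    if not signature_ok:
        return ("rejected", "signature not verified against the IdP certificate")
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ("rejected", "no assertion")
    # Both the response and the assertion must name the IdP we trust
    if (root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_ISSUER
            or assertion.findtext("saml:Issuer", namespaces=NS) != TRUSTED_ISSUER):
        return ("rejected", "untrusted issuer")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        if not allow_idp_initiated:
            return ("rejected", "unsolicited (IdP-initiated) response not allowed")
    elif in_response_to not in outstanding_request_ids:
        return ("rejected", "InResponseTo does not match an outstanding AuthnRequest")
    else:
        outstanding_request_ids.discard(in_response_to)  # one-time use blocks replay
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return ("rejected", "no conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not nb or not noa:
        return ("rejected", "missing validity window")
    if now + CLOCK_SKEW < _parse_iso(nb) or now - CLOCK_SKEW >= _parse_iso(noa):
        return ("rejected", "assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return ("rejected", "audience mismatch")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return ("rejected", "no subject")
    return ("ok", name_id)
```

The order matters: an unverified signature ends processing before any XML is trusted, and the request ID is discarded only after it matched, so a captured response cannot be presented a second time.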

Log in to the org using credentials from an external service provider

Type of provider (Salesforce, Facebook, Google, or another OpenID Connect provider)

Registration handler using Apex.

Define the authentication provider in your org.

Alternatively, extend the Auth.AuthProviderPluginClass abstract class to create a custom authentication provider.

  1. The user tries to log in to Salesforce using a third-party (external) identity.
  2. The login request is redirected to the external authentication provider.
  3. The user follows the third-party login process and approves access.
  4. The external authentication provider redirects the user to Salesforce with credentials.
  5. The user is signed in to Salesforce.

Mostly a community use case. You can send the user to a specific community after authentication (via a parameter).

The Auth.RegistrationHandler implementation must contain the logic that creates and updates the user data.

SAML assertion in an HTTP POST request

JIT provisioning to create and update internal and external users on the fly.

Standard create/update based on attributes from the assertion

Custom SAML JIT Handler

Identity Provider Certificate required

Request Signing Certificate

You must contact Salesforce to enable it.

Integrate Salesforce with the authentication method of your choice

Permission-based authentication: it applies to users with the Is Single Sign-On Enabled permission. The service behind the delegated authentication endpoint enforces the password policies.

An internal web service authenticates users. It receives a username, password and sourceIP and returns true or false.

Delegated Authentication WSDL
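The web service contract described above, as an added example of the endpoint your side implements (not Salesforce's or Identity Connect's code). Salesforce POSTs a SOAP Authenticate message carrying the username, the password the user typed, and the user's source IP; the service answers Authenticated true or false. The element and namespace names follow my reading of the Delegated Authentication WSDL and are an assumption to check against the WSDL you download from Salesforce. The user store, the salt, and the allowed caller range are constructed. Two points a reviewer would look for: the TCP peer must be Salesforce (the sourceIp in the body is the end user's address, not the caller's), and the password comparison must not leak timing or whether the user exists.

```python
import hashlib
import hmac
import ipaddress
import xml.etree.ElementTree as ET  # use defusedxml in production for untrusted XML

AUTH_NS = "urn:authentication.soap.sforce.com"          # assumed WSDL target namespace
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PBKDF2_ROUNDS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed credential store: username -> (salt, derived key). A real store uses a random salt per user.
_SALT = b"constructed-static-salt"
USERS = {"alice@example.com": (_SALT, _hash("correct horse battery", _SALT))}

# Placeholder range standing in for the Salesforce egress addresses allowed to call this endpoint.
ALLOWED_CALLERS = [ipaddress.ip_network("203.0.113.0/24")]


def credentials_valid(username: str, password: str) -> bool:
    """Constant-time check; unknown users cost the same as known ones so timing does not reveal existence."""
    record = USERS.get(username)
    if record is None:
        _hash(password, _SALT)
        return False
    salt, stored = record
    return hmac.compare_digest(_hash(password, salt), stored)


def make_request(username: str, password: str, source_ip: str) -> bytes:
    """Constructed Authenticate message in the shape Salesforce would POST."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><Authenticate xmlns="{AUTH_NS}">'
        f'<username>{username}</username><password>{password}</password>'
        f'<sourceIp>{source_ip}</sourceIp></Authenticate></soap:Body></soap:Envelope>'
    ).encode("utf-8")


def parse_authenticate(xml_bytes: bytes) -> dict:
    ns = {"soap": SOAP_NS, "a": AUTH_NS}
    req = ET.fromstring(xml_bytes).find("soap:Body/a:Authenticate", ns)
    if req is None:
        raise ValueError("not an Authenticate request")
    return {k: req.findtext(f"a:{k}", default="", namespaces=ns) for k in ("username", "password", "sourceIp")}


def build_response(authenticated: bool) -> str:
    flag = "true" if authenticated else "false"
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><AuthenticateResult xmlns="{AUTH_NS}">'
        f'<Authenticated>{flag}</Authenticated></AuthenticateResult></soap:Body></soap:Envelope>'
    )


def handle(xml_bytes: bytes, caller_ip: str):
    """Return (http_status, soap_body). caller_ip is the TCP peer, which must be Salesforce."""
    if not any(ipaddress.ip_address(caller_ip) in net for net in ALLOWED_CALLERS):
        return 403, build_response(False)
    try:
        fields = parse_authenticate(xml_bytes)
    except (ET.ParseError, ValueError):
        return 400, build_response(False)
    # fields["sourceIp"] is where the user logged in from; a deployment applies its own
    # policy to it (geo or network restrictions) and its own lockout counters here.
    return 200, build_response(credentials_valid(fields["username"], fields["password"]))
```

Serve `handle` behind TLS only: the message carries the user's cleartext password, so the endpoint is part of your password-handling surface and every failed attempt belongs in your authentication logs.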

SSO for Mobile and Desktop Apps Using SAML and OAuth

By layering the SAML and OAuth protocols, mobile and desktop clients perform SSO. It works much like a bookmark or deep link.

The authentication function is separated from the authorization function.

  1. The OAuth client makes an authorization request to the hostname you specify. Using an embedded browser, the client asks the service provider for authorization. It does so using a custom URL that is your My Domain subdomain.
  2. The authorization server detects that the client must authenticate and redirects the user to the SAML identity provider (IdP). The URL for the authorization server is passed via the RelayState parameter.
  3. The user accesses the IdP, and the IdP performs authentication.
  4. After the user is authenticated, the IdP sends back a SAML response. The browser transmits a response with a RelayState parameter. The response indicates that the client app is returning to the OAuth authorization server.
  5. Salesforce processes the SAML assertion and logs the user in. The digital signature applied to the SAML response verifies that the message is from your system. At this point, Salesforce authenticates the user and redirects them to the authorization server.
  6. After authentication, the client prompts the user to allow the client to connect to their account. The prompt is a simple web page that shows the user information about the client and what it’s requesting.
  7. If the user approves the application, it is issued a high-entropy token that the application uses to establish a session. Subsequent application use does not require the user to reenter credentials.
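The client side of the layered flow, as an added example (not Salesforce code): step 1 builds the authorization request to the My Domain host and step 7 validates the callback that delivers the code. Because a mobile or desktop app is a public client, the example binds the request to the session with a random state value and a PKCE code verifier, so a callback that this client did not start, or a code intercepted on the way back, is useless. The My Domain hostname, consumer key, and callback URI are constructed placeholders; the `/services/oauth2/authorize` and `/services/oauth2/token` paths are the Salesforce endpoints.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

MY_DOMAIN = "https://example.my.salesforce.com"  # constructed My Domain hostname
CLIENT_ID = "CONSUMER_KEY_PLACEHOLDER"           # placeholder connected-app consumer key
REDIRECT_URI = "myapp://oauth/callback"          # constructed native-app callback URI


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: BASE64URL(SHA256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def query_params(url: str) -> dict:
    """First value of each query parameter in url."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def start_authorization(session: dict, scope: str = "api refresh_token") -> str:
    """Step 1: the URL the client opens in its embedded browser. Salesforce then bounces
    the user to the SAML IdP and back (steps 2 to 5) before showing the consent page."""
    state = secrets.token_urlsafe(32)      # binds the callback to this session
    verifier = secrets.token_urlsafe(64)   # proves at the token endpoint who started the flow
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{MY_DOMAIN}/services/oauth2/authorize?{urlencode(params)}"


def finish_authorization(session: dict, callback_url: str) -> dict:
    """Step 7: check the callback and build the form the client POSTs to /services/oauth2/token."""
    q = query_params(callback_url)
    expected = session.pop("oauth_state", None)
    received = q.get("state", "")
    if not expected or not hmac.compare_digest(received.encode(), expected.encode()):
        raise ValueError("state mismatch: this client did not start the flow")
    if "error" in q:
        raise ValueError(f"authorization refused: {q['error']}")
    if not q.get("code"):
        raise ValueError("no authorization code in callback")
    return {
        "grant_type": "authorization_code",
        "code": q["code"],
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": session.pop("pkce_verifier"),
    }
```

The state and verifier are popped, not read, so each authorization request can complete only once; the returned form is what the client sends to the token endpoint to obtain the high-entropy token the page describes.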

Another option to authenticate users on mobile and desktop devices. Credentials are sent back to a customized endpoint over HTTPS.

SP-initiated SSO

SAML SSO for Canvas app

Lets users easily access a new or existing application as a part of their Salesforce experience. A canvas app in one Salesforce org functions as an identity provider, authenticating another Salesforce org that’s the service provider. The canvas app, hosted in the identity provider org, uses a signed request to reference a Visualforce page in the second org.

Common Use Case: Active Directory

We need an Identity Provider (Mostly ADFS or Identity Connect)

Identity Connect

Enables you to upload user data from your enterprise data store to one or more Salesforce organizations and to synchronize this data automatically when user entries are added, changed, or removed. In addition, Identity Connect enables SAML SSO to Salesforce.

Active Directory Federation Services

Delegated authentication: Identity Connect includes a servlet filter that allows requests from salesforce.com to make AJAX requests to Identity Connect. No specific configuration is required to use this filter. Its main purpose is to provide delegated authentication, which lets you present a standard login form for a specific customer domain (such as example.salesforce.com). Instead of submitting the login credentials to the Salesforce authentication provider, the filter captures these details and makes a request back to Identity Connect to obtain the SAML assertion.

Use it if you want to map some fields from AD to Salesforce or you want delegated SSO (allowing only a selected set of users to authenticate).

Identity Connect enables you to specify how attributes and other data are mapped from the Active Directory data source to the Salesforce data store.

SAML SSO Identity Provider for AD

Layered flow: OAuth + OpenID Connect