Identity

SAML

Security Assertion Markup Language

Best for:
  • Enterprise environments with Active Directory
  • Organizations using existing SAML identity providers
  • Centralized authentication management
Security level : very high (5/5)

Enterprise-grade single sign-on using SAML 2.0 assertions for federated authentication

Requirements
  • SAML identity provider configuration
  • Digital certificates for signing
  • Proper attribute mapping
Implementation Steps:
SP-Initiated SSO

User accesses Salesforce, redirected to IdP for authentication

IdP Authentication

User authenticates with identity provider

SAML Response

IdP sends signed SAML assertion to Salesforce

User Access

Salesforce validates assertion and grants access

Endpoints

metadata

https://mycompany.my.alesforce.com/services/auth/idp/metadata

SAML Example

<!-- SAML Response Example -->

<Response>
  <Assertion>

    <Attribute Name="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
      user@company.com
    </Attribute>

    <Attribute Name="User.FirstName">
      John
    </Attribute>

    <Attribute Name="User.LastName">
      Doe
    </Attribute>

  </Assertion>
</Response>

OpenID

OAuth 2.0 Extension

Best for:
  • Modern web and mobile applications
  • Applications requiring user profile information
  • Microservices architecture with centralized identity
Security level : very high (5/5)

Modern identity layer on top of OAuth 2.0 providing user authentication and profile information

Requirements
  • OpenID Connect compatible provider
  • Proper scope configuration (openid required)
  • JWT validation capability
Implementation Steps:
Authorization Request

Client redirects user to OpenID Provider

User Authentication

User authenticates with OpenID Provider

Authorization Code

Exchange code for ID token and access token

Token Exchange

Salesforce validates assertion and grants access

Open ID Example

// OpenID Connect Flow
const authUrl = `https://login.salesforce.com/services/oauth2/authorize?` +
  `response_type=code&` +
  `client_id=${clientId}&` +
  `redirect_uri=${encodeURIComponent(redirectUri)}&` +
  `scope=openid profile email&` +
  `nonce=${nonce}`;


// Token exchange
const response = await fetch('https://login.salesforce.com/services/oauth2/token', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded'
  },
  body: new URLSearchParams({
    grant_type: 'authorization_code',
    code: authorizationCode,
    client_id: clientId,
    client_secret: clientSecret,
    redirect_uri: redirectUri
  })
});


// Decode JWT ID token
const tokenData = await response.json();
const idTokenPayload = JSON.parse(atob(tokenData.id_token.split('.')[1]));

Delegated Authentication

Custom Authentication Handler

Best for:
  • Integration with legacy authentication systems
  • Custom authentication logic requirements
  • Gradual migration to modern SSO
Security level : Medium (3/5)

Custom authentication against external systems while maintaining Salesforce session management

Important Note:
  • Requires custom Apex development
  • Consider migrating to SAML or OIDC
  • Consider migrating to SAML or OIDC
Implementation Steps:
Login Attempt

User attempts to log into Salesforce

Delegation Handler

Salesforce calls custom authentication handler

External Validation

Handler validates credentials against external system

Response Processing

Salesforce processes handler response and grants access

Delegated Example

// Delegated Authentication Handler (Apex)
global class CustomAuthHandler implements Auth.AuthProviderPlugin {

    global String getCustomMetadataType() {
        return 'CustomAuth__mdt';
    }

    global PageReference initiate(Map authProviderConfiguration, 
                                 String stateToPropagate) {
        // Redirect to external auth system
        String authUrl = authProviderConfiguration.get('Auth_Url__c');
        PageReference pageRef = new PageReference(authUrl);
        return pageRef;
    }

    global Auth.AuthProviderTokenResponse handleCallback(
        Map authProviderConfiguration, 
        Auth.AuthProviderCallbackState state) {

        // Process callback from external system
        String accessToken = state.queryParameters.get('access_token');

        return new Auth.AuthProviderTokenResponse(
            'CustomAuth', accessToken, null, state.stateToPropagate);
    }
}

Identity Flow Comparison

Choose the right SSO flow based on your organization requirements

Flow Comparison Table

Decision Tree

Do you have an existing SAML identity provider?

Yes: SAML SSO (most common enterprise choice)

No: Consider OpenID Connect for modern applications

Do you need modern web/mobile application support?

Yes: Do you need modern web/mobile application support?

No: SAML SSO for traditional enterprise applications

Security Considerations

SAML Considerations

  •  Certificate Management: Regular rotation required
  •  Attribute Mapping: Proper field mapping essential
  •  Session Timeout: Configure appropriate timeouts

Best Practices

  • Always use HTTPS for all SSO flows
  •  Implement proper session management
  • Regular security audits and reviews
  • Monitor authentication logs
  •  Use least-privilege access principles