What is the difference between delegated authentication salesforce and single sign-on (SSO)?

On the exam guide for Salesforce Certified Identity and Access Management Designer, it says that you should be able to

Describe the configuration requirements of delegated authentication in Salesforce.

As I've been researching, SSO has been brought up quite a bit. There is obviously an overlap between delegated authentication and SSO. I get the impression the exam guide should say

Describe the configuration requirements of delegated authentication single sign-on (SSO) in Salesforce.

Are delegated authentication and SSO the same thing? Can there ever be an instance when working with delegated authentication that you are not using SSO?

Answered by Darsh K

With Delegated Authentication salesforce, the user logs in through the normal Salesforce login page, but Salesforce checks with a third-party server for the password. In this case, the user literally has no Salesforce password and cannot log in without the authentication server's permission.

Delegated Authentication Flow User -----> Salesforce Login -----> DA Server <----- Assertion <----- Salesforce Session
With SSO, the user logs in through an Identity Provider (not the Salesforce login page), and the user is given an "assertion" that Salesforce uses to log the user in. In this case, the user has a Salesforce password (though they may be unaware of what it is), and can conceptually log in directly to Salesforce without this assertion.
SSO Login Flow User -----> Salesforce Login <----- Redirect to IdP --- Steps above are optional --- -----> IdP Server <----- Assertion -----> Salesforce Login <----- Salesforce Session

Delegated Authentication isn't SSO, it's simply a way for an organisation to control the user's password policies. The main difference is that with SSO, the user still has a Salesforce password that can be reset, etc, while with DA, the user doesn't have a Salesforce password, and if they attempt to reset the password, will be told to contact their network administrator. In Salesforce, when you talk about SSO, you're talking about JWT- or SAML-based login mechanisms. When you talk about DA, you're talking about a single specific technology where the user no longer has a password in Salesforce and cannot login without the authentication server.

As the steps above attempt to demonstrate, the browser may be involved in several steps of SSO, while with Delegated Authentication, Salesforce does all the work and the user may never realise a third-party server was involved in the authentication.

Are delegated authentication and SSO the same thing?

No. Can there ever be an instance when working with delegated authentication that you are not using SSO? They are literally different things, so yes, every instance of DA will not be an instance of SSO, as far as they're defined.



Your Answer

Interviews

Parent Categories