For orgs on Delegated Authentication today, the pattern is: monitor the endpoint health, plan migration to SAML or Auth Providers, execute the migration over months. For new deployments, do not use Delegated Authentication; pick SAML or OAuth instead.
- Assess whether Delegated Authentication is the right tool
New deployments should default to SAML SSO or Auth Providers. Delegated Authentication is for legacy continuity, not new design.
- For existing Delegated Authentication, monitor endpoint health
Uptime monitoring, certificate expiration alerts, response-time tracking. The endpoint is a single point of failure for user login.
- Plan migration to SAML SSO or Auth Providers
Configure the new SSO path alongside Delegated Authentication. Pilot with a small user group on the new path; validate functionality.
- Migrate users from Delegated Authentication to the new SSO
Remove the Delegated Authentication checkbox on profiles as users migrate. Users keep their existing user records and identity; only the login mechanism changes.
- Verify SAML or Auth Provider login works for migrated users
Each migration wave needs verification. Failed migrations leave users unable to log in; rollback to Delegated Authentication is fast (re-enable the checkbox) but disruptive.
- Retire the Delegated Authentication endpoint after the last user migrates
Once no profile has the checkbox enabled, the endpoint is unused. Decommission per the customer's infrastructure retirement process.
- Document the migration in the change log and audit trail
The migration is a security-relevant change; document the timeline, the validation steps, and the rollback plan.
- The customer's HTTPS SOAP endpoint that validates credentials.
- Whether Salesforce validates the endpoint's TLS certificate. Always enable this for production.
- The Delegated Authentication checkbox on each profile. Users in profiles with the checkbox go through the callout.
- Whether Salesforce blocks login on callout failure (the secure default) or falls back to the local password.
- SAML SSO or Auth Providers (OAuth/OIDC) as the modern replacement.
- Endpoint downtime blocks every user's login. The endpoint is a single point of failure that needs high-availability operational practice.
- Certificate expiration on the endpoint blocks authentication. Add to the cert-rotation monitoring inventory.
- The password traverses the network on every login (TLS-protected but still server-visible). Modern SSO patterns avoid this entirely.
- Audit trail is split between Salesforce and the customer endpoint. Reconstructing login events requires correlating both.
- New SSO deployments should default to SAML or OAuth. Delegated Authentication is for legacy continuity, not new design.
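Reconciling the split audit trail described above, as an added example that is not part of the original page: constructed Salesforce LoginHistory rows are correlated with constructed callout log lines from the customer endpoint, flagging logins Salesforce recorded as successful with no matching successful callout (the local-password fallback or a profile without the checkbox) and logins where the two sides disagree. The log formats, field names and the 30-second matching window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of Salesforce LoginHistory rows (LoginTime UTC, Username, Status, SourceIp).
SF_LOGINS = [
    ("2024-05-01T08:00:05Z", "alice@example.com", "Success", "203.0.113.10"),
    ("2024-05-01T08:02:11Z", "bob@example.com", "Success", "203.0.113.11"),
    ("2024-05-01T08:05:40Z", "carol@example.com", "Success", "203.0.113.12"),
    ("2024-05-01T08:07:02Z", "dave@example.com", "Invalid Password", "198.51.100.7"),
]

# Constructed sample of the customer endpoint's callout log (time, username, sourceIp, authenticated).
ENDPOINT_LOG = [
    ("2024-05-01T08:00:04Z", "alice@example.com", "203.0.113.10", True),
    ("2024-05-01T08:02:09Z", "bob@example.com", "203.0.113.11", False),
    ("2024-05-01T08:07:01Z", "dave@example.com", "198.51.100.7", False),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(sf_logins, endpoint_log, window_seconds=30):
    """Pair each Salesforce login with the callout that should have preceded it.

    Returns users whose Salesforce 'Success' has no matching callout at all
    (unmatched_success) and users whose callout said not authenticated while
    Salesforce still recorded Success (disagreement). Both deserve investigation.
    """
    window = timedelta(seconds=window_seconds)
    unmatched_success, disagreement, used = [], [], set()
    for login_time, user, status, _ip in sf_logins:
        t = _ts(login_time)
        # Candidate callouts: same username, not already paired, within the time window.
        candidates = [i for i, (et, euser, _eip, _ok) in enumerate(endpoint_log)
                      if i not in used and euser == user and abs(_ts(et) - t) <= window]
        if status != "Success":
            used.update(candidates)  # failed logins consume their callouts, nothing to flag
            continue
        if not candidates:
            unmatched_success.append(user)  # success without any callout: bypassed the endpoint
            continue
        i = candidates[0]
        used.add(i)
        if not endpoint_log[i][3]:
            disagreement.append(user)  # endpoint rejected, Salesforce accepted
    return {"unmatched_success": unmatched_success, "disagreement": disagreement}
```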