What's the modern alternative to Delegated Authentication?

SAML and OAuth-based federated identity are the modern, more secure alternatives to Delegated Authentication.

When is Delegated Authentication still appropriate?

It still has a place when SAML can't be implemented, typically due to legacy authentication infrastructure that can't easily speak SAML.

Delegated Authentication

Q: What is Delegated Authentication?

Delegated Authentication delegates login credential verification to an external web service that returns a true/false response.

Security🟢 Beginner

Definition

Delegated Authentication is an SSO implementation method where Salesforce delegates login verification to an external web service rather than authenticating users directly. The external service validates credentials and returns a token to Salesforce, allowing integration with non-SAML identity providers.

Real-World Example

At their company, a Salesforce administrator at Coastal Health leverages Delegated Authentication to maintain data quality and enforce organizational policies across the platform. By properly setting up Delegated Authentication, they prevent common data entry errors and ensure that users follow established business processes, which saves the support team hours of cleanup work each week.

Why Delegated Authentication Matters

Delegated Authentication is an SSO implementation method where Salesforce delegates login credential verification to an external web service. When a user attempts to log in, Salesforce sends the username and password to a configured endpoint, the external service validates the credentials against its own user database, and returns a true/false response. If true, Salesforce establishes the session; if false, the login fails. This lets organizations use existing LDAP, Active Directory, or other authentication systems without needing SAML or OAuth.

Delegated Authentication is older than SAML-based SSO and is usually only chosen when SAML isn't an option. SAML is more secure and more standard, so most modern Salesforce SSO deployments use it instead. Delegated Authentication still has its place for legacy authentication systems that can't easily speak SAML, but new deployments should default to SAML or OAuth-based federated identity. Salesforce supports multiple authentication methods simultaneously, so organizations can transition gradually from delegated authentication to SAML over time.

How Organizations Use Delegated Authentication

•Redwood Financial — Maintains a Delegated Authentication setup for an old internal authentication system, while planning a migration to SAML as part of their identity modernization.
•Skyline Consulting — Recommends SAML over Delegated Authentication for any new SSO deployment, citing security and standardization benefits.
•NovaScale — Documented their legacy Delegated Authentication endpoint as a known dependency to address during their SSO migration project.