Definition
Delegated Authentication is a Salesforce administration setting that governs how the platform behaves. Administrators use it to manage access, enforce data quality, and customize the user experience without writing code.
Real-World Example
A Salesforce administrator at Coastal Health uses Delegated Authentication to maintain data quality and enforce organizational policies across the platform. By setting up Delegated Authentication properly, they prevent common data entry errors and ensure that users follow established business processes, which saves the support team hours of cleanup work each week.
Why Delegated Authentication Matters
Delegated Authentication is a Salesforce security feature that redirects the login authentication process to an external web service endpoint controlled by the organization. Instead of Salesforce validating the username and password directly against its own database, it sends the credentials to the organization's designated authentication service via a SOAP web service call. The external service verifies the credentials against the company's identity management system (such as Active Directory or an LDAP directory) and returns a true or false response. This lets organizations enforce their existing password policies, multi-factor authentication requirements, and account lockout rules without replicating them in Salesforce.
As organizations adopt zero-trust security architectures and consolidate identity management, delegated authentication serves as a bridge between Salesforce and enterprise identity providers. It is particularly valuable for companies that cannot use SSO due to technical constraints or that need custom authentication logic beyond what standard SAML or OAuth flows support. However, delegated authentication introduces a critical dependency on the external service: if the authentication endpoint goes down, affected users cannot log in to Salesforce. Organizations must ensure high availability of their authentication service, implement proper SSL certificate management, and monitor the Delegated Authentication Error History for failures. Many organizations have migrated from delegated authentication to SSO with SAML 2.0 or OpenID Connect for more robust, standards-based identity federation.
How Organizations Use Delegated Authentication
- Coastal Health — Coastal Health uses delegated authentication to validate Salesforce logins against their on-premises Active Directory server. This ensures that their existing password complexity requirements, 90-day rotation policy, and account lockout after 5 failed attempts are enforced for Salesforce access without maintaining separate password policies in both systems.
- Apex Defense Systems — Apex Defense Systems implemented delegated authentication with a custom authentication service that checks username/password against their LDAP directory and also verifies that the user is connecting from an approved IP range and has completed their annual security certification. Only users passing all three checks are granted Salesforce access.
- Meridian Banking — Meridian Banking uses delegated authentication to add a geographic verification step to Salesforce logins. Their external authentication service validates credentials against Active Directory and then checks whether the login attempt originates from an approved country. Login attempts from non-approved countries are rejected at the authentication service level before reaching Salesforce.
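The exchange described above, as an added example that is not code from Salesforce or from the page: a minimal handler for the Authenticate SOAP call that checks credentials against a constructed in-memory directory standing in for Active Directory or LDAP, applies an approved-source-range check like the Apex Defense Systems scenario, and returns the boolean reply. The namespace and element names are taken from Salesforce's AuthenticationService WSDL as I recall them and should be confirmed against the WSDL downloaded from your org; the directory entry and IP range are constructed values.

```python
import hashlib
import hmac
import ipaddress
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

# Namespace and element names follow Salesforce's AuthenticationService WSDL as I recall
# them; treat them as assumptions and confirm against the WSDL downloaded from your org.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH_NS = "urn:authentication.soap.sforce.com"
NS = {"soap": SOAP_NS, "auth": AUTH_NS}
def _digest(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()
# Constructed stand-in for the corporate directory (AD/LDAP in the article): salted digests only.
DIRECTORY = {"alice@coastalhealth.example": ("s4lt", _digest("s4lt", "correct horse"))}
# Approved source ranges, as in the Apex Defense Systems scenario (constructed values).
APPROVED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

def verify_credentials(username: str, password: str) -> bool:
    # Unknown users still get a digest computed so they cost the same time as known ones.
    salt, stored = DIRECTORY.get(username, ("dummy", _digest("dummy", "")))
    ok = hmac.compare_digest(_digest(salt, password), stored)
    return ok and username in DIRECTORY

def source_ip_approved(source_ip: str) -> bool:
    try:
        return any(ipaddress.ip_address(source_ip) in net for net in APPROVED_RANGES)
    except ValueError:  # missing or malformed address: deny
        return False

def build_request(username: str, password: str, source_ip: str) -> bytes:
    """Constructed sample of the Authenticate call Salesforce sends to the endpoint."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<Authenticate xmlns="{AUTH_NS}"><username>{escape(username)}</username>'
        f"<password>{escape(password)}</password><sourceIp>{escape(source_ip)}</sourceIp>"
        "</Authenticate></soap:Body></soap:Envelope>"
    ).encode()

def handle_authenticate(request_xml: bytes) -> bytes:
    """Check one Authenticate call and return the SOAP reply; fail closed on any error."""
    try:
        req = ET.fromstring(request_xml).find("soap:Body/auth:Authenticate", NS)
        user = req.findtext("auth:username", default="", namespaces=NS)
        pw = req.findtext("auth:password", default="", namespaces=NS)
        ip = req.findtext("auth:sourceIp", default="", namespaces=NS)
        ok = verify_credentials(user, pw) and source_ip_approved(ip)
    except (ET.ParseError, AttributeError):  # malformed request: deny, never echo details
        ok = False
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><AuthenticateResult xmlns="{AUTH_NS}">'
            f"<Authenticated>{str(ok).lower()}</Authenticated></AuthenticateResult></soap:Body></soap:Envelope>").encode()
```

The real service must listen only over HTTPS, since Salesforce sends the user's password in the request body, and should log outcomes (never credentials) so failures can be correlated with the Delegated Authentication Error History.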