SaintMichael

Misconceptions on SAML

With SAML, do I still need to use an LDAP server, locally?

I was thinking the big difference between federated and delegated is that delegated requires something like an LDAP server.


I was thinking that SAML allows me to keep my users in salesforce??

Am I wrong?

BrendanOC

You don't *need* an LDAP server for SAML or Delegated Auth. For SAML, you need some sort of software that can generate a front-channel SAML assertion. This is generally called an Identity Provider. (Google "SAML Identity Provider" and you can see many commercial and open-source products.)


Most customers choose to integrate their Identity Provider (IDP) with their internal system of record. This is usually Active Directory or some other LDAP server. It's a convenience for single sign-on, but it's not a requirement of the SAML protocol.

 

SaintMichael

So, I could use SAML with my current user table that is in salesforce?

BrendanOC

Salesforce.com can act as a Service Provider (SP) and/or Identity Provider (IDP).


Here's a quick overview of how SAML works:

http://en.wikipedia.org/wiki/Saml


As an SP, your IDP can reference Salesforce.com usernames directly in the assertion (such as "MyUsername@MyCompany.com"), or you can choose to use an external identifier (such as an employee number or internal username/ID).


See here for a list of parameters and instructions for configuring SSO using SAML (external IDP):

https://help.salesforce.com/apex/HTViewHelpDoc?id=sso_saml_idp_values.htm&language=en


You can choose to make Salesforce.com an IDP if you have My Domains enabled.

How to setup Salesforce.com as an IDP:

https://help.salesforce.com/apex/HTViewHelpDoc?id=identity_provider_about.htm&language=en


Hope that helps!
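The answer above describes the SP side of the exchange: the IdP sends a front-channel assertion whose Subject names the user either by the SP's own username or by an external identifier, and the SP matches that against its own user table, with no LDAP in the picture. The following is an added example, not code from the thread or from Salesforce. It parses a constructed SAML 2.0 assertion with the Python standard library, checks the issuer, audience and validity window, and then resolves the NameID against an in-memory user table using a configured identity type (local username or external federation ID). The SP configuration, user table, issuer and audience values are all constructed. One thing it deliberately does not do is verify the XML signature: a real SP must verify the XML-DSig on the assertion against the IdP's certificate before running any of these checks, and that is not something the standard library provides.

```python
"""SP-side handling of a SAML 2.0 assertion (added example, not from the thread).

Validates the assertion's Issuer, AudienceRestriction and time window, then maps
the Subject NameID to a local user by either username or federation ID.
Signature verification (XML-DSig against the IdP certificate) is NOT implemented
here and must happen before any of this in a real Service Provider.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SP configuration: what the SP knows about its trusted IdP.
SP_CONFIG = {
    "issuer": "https://idp.example.com/saml",   # assumed IdP entity ID
    "audience": "https://sp.example.com",       # assumed SP entity ID
    # "username": NameID carries the SP's own username (jane@example.com)
    # "federation_id": NameID carries an external identifier stored on the user
    "identity_type": "federation_id",
}

# Constructed local user table: the SP's own users, no LDAP involved.
USERS = {
    "jane@example.com": {"username": "jane@example.com", "federation_id": "E10042"},
    "bob@example.com": {"username": "bob@example.com", "federation_id": "E10077"},
}

# Constructed sample assertion as an IdP would emit it (shown unsigned).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">E10042</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed clock values: inside and just past the assertion's window.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
EXPIRED_NOW = datetime(2024, 1, 1, 12, 5, 0, tzinfo=timezone.utc)


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, config, now):
    """Check issuer, audience and validity window; return the Subject NameID.

    Every failed check raises ValueError so a caller cannot fall through to a
    login on a partially validated assertion.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML assertion")

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != config["issuer"]:
        raise ValueError("unexpected issuer %r" % issuer)

    conditions = root.find("saml:Conditions", namespaces=NS)
    if conditions is None or conditions.get("NotOnOrAfter") is None:
        raise ValueError("assertion has no expiry")
    not_before = conditions.get("NotBefore")          # optional in SAML 2.0
    if not_before is not None and now < _parse_time(not_before):
        raise ValueError("assertion not yet valid")
    if now >= _parse_time(conditions.get("NotOnOrAfter")):
        raise ValueError("assertion expired")

    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", namespaces=NS)]
    if config["audience"] not in audiences:
        raise ValueError("assertion not addressed to this SP")

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion has no Subject NameID")
    return name_id


def resolve_user(name_id, config, users):
    """Map the asserted NameID to a local username by the configured identity type."""
    key = config["identity_type"]
    matches = [u for u in users.values() if u[key] == name_id]
    if len(matches) != 1:
        # Zero matches: unknown subject. More than one: ambiguous mapping, which
        # must be a hard failure rather than "first user wins".
        raise ValueError("NameID %r matched %d users" % (name_id, len(matches)))
    return matches[0]["username"]


def attempt_login(xml_text, config=SP_CONFIG, users=USERS, now=None):
    """Return (True, username) on success or (False, reason) on rejection."""
    now = now or datetime.now(timezone.utc)
    try:
        return True, resolve_user(validate_assertion(xml_text, config, now), config, users)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(attempt_login(SAMPLE_ASSERTION, now=SAMPLE_NOW))
    print(attempt_login(SAMPLE_ASSERTION, now=EXPIRED_NOW))
```

Switching `identity_type` to `"username"` with the same assertion is rejected, because the NameID `E10042` is not a local username: the SP's identity-type setting and the IdP's NameID content have to agree, which is exactly what the "Salesforce username versus external identifier" choice in the answer is about. Note also that the audience check is what stops an assertion minted for a different SP from being replayed here.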