6.7 Configuring Delegated Authentication in Salesforce

Salesforce supports two authentication methods: SAML and delegated authentication. By default, Salesforce activates only SAML authentication. SAML is available for browser-based authentication and for mobile devices; however, SAML SSO works on mobile devices only if the NetIQ MobileAccess app is also installed and configured on the device.

Delegated authentication must be activated per Salesforce organization. With it enabled, CloudAccess supports users authenticating from mobile devices as well as from browsers.

The phone icon that CloudAccess displays on all Salesforce connectors indicates that delegated authentication can be used with Salesforce. You must enable and configure delegated authentication in Salesforce, and then enable it in the connector. For more information, see Step 2 and Step 8 in Section 6.3, Configuring the Connector for Salesforce.

The following setup is required in CloudAccess for delegated authentication to work properly:

  • The DNS name of the CloudAccess cluster must be publicly resolvable.

  • The SSL certificate must be signed by a well-known certificate authority (CA).

To configure Salesforce for delegated authentication:

  1. Follow the instructions in the Salesforce documentation to enable delegated authentication single sign-on for your organization.

    For more information, see Configuring Salesforce for Delegated Authentication.

  2. After delegated authentication has been enabled at Salesforce, complete the following configuration steps:

    1. Log in to the Salesforce administration page.

    2. Click Your Name > Setup > Security Controls > Single Sign-On Settings > Edit.

    3. In the Delegated Gateway URL field, specify a value similar to the following: https://cloudaccess_public_dns_name/osp/a/t1/auth/external/sfda.

    4. Do not select Force Delegated Authentication Callout.

      This option affects the performance of user logins.

    5. Enable the Is Single Sign-On Enabled permission. Note that if you want to prompt users to validate their accounts, you must disable this option instead. For more information about the Prompt Before Provisioning option, see Section 2.4, How CloudAccess Provisions User Accounts.

  3. Configure a connector for Salesforce in CloudAccess as described in Section 6.3, Configuring the Connector for Salesforce, but deselect the Delegated authentication single sign-on is disabled in Salesforce option.
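The two CloudAccess prerequisites above (publicly resolvable DNS name, CA-signed certificate) and the gateway URL pattern in step 2.3 can be checked before touching the Salesforce settings. The following preflight script is an added example, not code from NetIQ or Salesforce; the host name cloudaccess.example.com and the function names are assumptions.

```python
"""Preflight checks for a CloudAccess delegated-authentication gateway (added example)."""
import socket
import ssl
from urllib.parse import urlparse

# Gateway path that CloudAccess exposes for Salesforce delegated authentication (from step 2.3).
SFDA_PATH = "/osp/a/t1/auth/external/sfda"


def delegated_gateway_url(cluster_dns_name):
    """Build the value for the Salesforce 'Delegated Gateway URL' field from a bare DNS name."""
    host = cluster_dns_name.strip().lower()
    if not host or any(ch in host for ch in "/: "):
        raise ValueError("expected a bare DNS name such as cloudaccess.example.com, got %r" % cluster_dns_name)
    return "https://%s%s" % (host, SFDA_PATH)


def check_gateway_url(url):
    """Static checks on a configured gateway URL; returns a list of problems (empty means ok)."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("scheme must be https: the gateway certificate must be CA-signed, so use TLS")
    if not parsed.hostname:
        problems.append("URL has no host name")
    if parsed.path != SFDA_PATH:
        problems.append("path should be %s" % SFDA_PATH)
    return problems


def check_reachability(url, timeout=5.0):
    """Live checks: the host resolves from here and presents a certificate the system CA store trusts."""
    host = urlparse(url).hostname
    result = {"resolves": False, "tls_trusted": False, "detail": ""}
    try:
        socket.getaddrinfo(host, 443)
        result["resolves"] = True
    except socket.gaierror as exc:
        result["detail"] = "DNS: %s" % exc
        return result
    ctx = ssl.create_default_context()  # system CA store, hostname verification enabled
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls_trusted"] = True
                result["detail"] = "issuer: %s" % (tls.getpeercert().get("issuer"),)
    except (ssl.SSLError, OSError) as exc:
        result["detail"] = "TLS: %s" % exc  # self-signed or mismatched certificate lands here
    return result
```

Run check_reachability from outside your network as well, since Salesforce calls the gateway from the Internet, not from inside your perimeter.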

When end users authenticate to Salesforce from their mobile devices, they enter their identity source credentials, with the user name in email format so that it matches the user name of the Salesforce account.

For example, if the Active Directory user Ted, whose password is password, has been provisioned to the Salesforce domain mydomain-dev-ed.my.salesforce.com, the user name for login from a mobile device app such as Salesforce Chatter is Ted@mydomain-dev-ed.my.salesforce.com and the password is password.