By default, Salesforce allows users to log in with their Salesforce usernames and passwords even when Salesforce is configured to use SAML. When you implement single sign-on throughout your organization, you should avoid managing passwords in Salesforce. Instead, use the Delegated Authentication feature in Salesforce to delegate password validation to OneLogin.
If OneLogin is set up to integrate with Active Directory or another LDAP directory, OneLogin will in turn delegate the password validation to those directories.
To enable delegated authentication:
- Contact your Salesforce representative or support and ask them to enable Delegated Authentication for your account.
  Note: This requires the Professional edition of Salesforce or higher.
- In Salesforce, go to Administer > Security Controls > Single Sign-On Settings.
- Select your current security profile and click Edit.
- In the Delegated Gateway URL field, enter a URL in the following format:
  https://{your_subdomain}.onelogin.com/delegation/?app=salesforce
- Click Save.
- Update your app configuration in OneLogin to reflect the Delegated Gateway URL: go to Apps > Company Apps > Salesforce > Configuration and enter that value in the Salesforce Login URL field.
- Click Save.
If you are using the Enterprise or Unlimited edition of Salesforce, you should edit your profiles and add the Use Single Sign-On permission.
Note: Do not add this setting to the administrator profile. Administrators should always be able to log in using their username and password in order to modify single sign-on settings if necessary.
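A configuration check for the two settings this page describes, added here as an example and not part of the original page or of OneLogin's or Salesforce's own code. It verifies that the Delegated Gateway URL has the expected form and that the Use Single Sign-On permission is on every non-admin profile and on no admin profile; the settings dict is a constructed stand-in for what an administrator reads out of Single Sign-On Settings and the profile list, not a Salesforce API object.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample of the settings described above (assumption: a plain dict,
# not a Salesforce API object). "acme" stands in for {your_subdomain}.
SAMPLE_SETTINGS = {
    "delegated_gateway_url": "https://acme.onelogin.com/delegation/?app=salesforce",
    "profiles": [
        {"name": "System Administrator", "use_single_sign_on": False, "is_admin": True},
        {"name": "Standard User", "use_single_sign_on": True, "is_admin": False},
    ],
}


def check_gateway_url(url: str) -> list:
    """Return findings for a Delegated Gateway URL that deviates from
    https://{your_subdomain}.onelogin.com/delegation/?app=salesforce."""
    findings = []
    parts = urlparse(url)
    if parts.scheme != "https":
        # Salesforce forwards the user's credentials to this URL.
        findings.append("gateway URL must use https")
    host = parts.hostname or ""
    subdomain, _, rest = host.partition(".")
    if not subdomain or rest != "onelogin.com":
        # Catches look-alike hosts such as acme.onelogin.com.example.
        findings.append(f"gateway host {host!r} is not a OneLogin subdomain")
    if parts.path != "/delegation/":
        findings.append(f"gateway path {parts.path!r} should be /delegation/")
    if parse_qs(parts.query).get("app") != ["salesforce"]:
        findings.append("gateway query must be app=salesforce")
    return findings


def check_profiles(profiles) -> list:
    """Apply the page's profile rule: SSO on for users, off for administrators."""
    findings = []
    for p in profiles:
        if p["is_admin"] and p["use_single_sign_on"]:
            findings.append(f"admin profile {p['name']!r} has Use Single Sign-On; "
                            "admins could be locked out if the gateway fails")
        if not p["is_admin"] and not p["use_single_sign_on"]:
            findings.append(f"profile {p['name']!r} still validates passwords in Salesforce")
    return findings


def audit(settings) -> list:
    return check_gateway_url(settings["delegated_gateway_url"]) + check_profiles(settings["profiles"])
```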