
SAML, Blackberry, iPhone and APIs - Authentication/SSO Options


I am trying to figure out how users can authenticate using devices and Salesforce APIs when we plan on enabling SAML 2.0 based SSO for the web interface. One of our goals is to have SSO available from the internet (off our core internal network).

  • Will users be required to know their Salesforce user name and password? If so, one of the benefits of SSO, automatic disabling of access when the user is disabled at the identity provider, seems to be lost.
  • Does delegated authentication fit somewhere in the equation?


I'm wondering this same thing - did you ever figure this out? We want to enable SAML, but not if it means Salesforce Mobile stops working.



If you enable SAML it will not stop the mobile technology working.  It will also still allow API access.  The Mobile will authenticate with a username and password the first time and then a token is set (using OAuth) and this is then used as the login to the device.  It will not change.


You are still able to use the API as SAML does not disable the username and password.  If you want people to automatically be marked as inactive in the application if they leave your company, then the best bet is to use the API (via Dataloader or some other way - Java, .Net, etc) and mark that user as inactive.  As soon as you do this, then they cannot log in and also if they are currently logged in, the next click they do will log them out.


Having a separate API user is a good idea as this user can have appropriate CRUD settings and only access what is permissible.
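
Added example, not part of the original thread or Salesforce's own code: a sketch of the offboarding sync the last reply describes, which compares the identity provider's directory with Salesforce users and builds the REST update that sets `IsActive` to false. The directory records, Salesforce Ids, instance URL and function names are constructed for illustration, the API version is a placeholder, and matching on `FederationIdentifier` is an assumption about how the org maps SAML users.

```python
import json

API_VERSION = "vXX.0"  # placeholder: use the REST API version your org supports

def plan_deactivations(idp_users, sf_users, keep_usernames=()):
    """Return (to_deactivate, unmapped) for active Salesforce users.

    to_deactivate: users whose FederationIdentifier is disabled at, or
    missing from, the identity provider. unmapped: active users with no
    FederationIdentifier, left for manual review instead of guessing.
    """
    enabled = {u["id"].lower() for u in idp_users if u["enabled"]}
    to_deactivate, unmapped = [], []
    for user in sf_users:
        if not user["IsActive"] or user["Username"] in keep_usernames:
            continue  # already inactive, or a dedicated API/integration user
        fed_id = (user.get("FederationIdentifier") or "").lower()
        if not fed_id:
            unmapped.append(user)
        elif fed_id not in enabled:
            to_deactivate.append(user)
    return to_deactivate, unmapped

def build_requests(users, instance_url):
    """Build (method, url, body) tuples for the sObject update; nothing is sent."""
    base = f"{instance_url}/services/data/{API_VERSION}/sobjects/User"
    return [("PATCH", f"{base}/{u['Id']}", json.dumps({"IsActive": False}))
            for u in users]

# Constructed sample data (not real accounts or Ids).
IDP = [{"id": "alice@example.com", "enabled": True},
       {"id": "bob@example.com", "enabled": False}]
SF = [
    {"Id": "005000000000001AAA", "Username": "alice@example.com.sf",
     "FederationIdentifier": "alice@example.com", "IsActive": True},
    {"Id": "005000000000002AAA", "Username": "bob@example.com.sf",
     "FederationIdentifier": "Bob@example.com", "IsActive": True},
    {"Id": "005000000000003AAA", "Username": "carol@example.com.sf",
     "FederationIdentifier": "carol@example.com", "IsActive": True},
    {"Id": "005000000000004AAA", "Username": "api.integration@example.com.sf",
     "FederationIdentifier": None, "IsActive": True},
    {"Id": "005000000000005AAA", "Username": "dave@example.com.sf",
     "FederationIdentifier": None, "IsActive": True},
]

if __name__ == "__main__":
    plan, review = plan_deactivations(
        IDP, SF, keep_usernames={"api.integration@example.com.sf"})
    for req in build_requests(plan, "https://example.my.salesforce.com"):
        print(*req)
    print("manual review:", [u["Username"] for u in review])
```

Run on a schedule, this closes the gap the first post raises: password and token logins stop working once the user record is inactive, even though SAML itself leaves those login paths enabled.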