Enth

Salesforce - Active Directory Integration

I'm looking into integrating Salesforce with a client's Active Directory servers. They have a series of 6 AD servers that they'd like to integrate to ensure that when users leave the organisation their Salesforce account will be automatically de-activated. So the initial requirement is single authentication rather than single sign on (though this may be required later).


What I need to know, from people's experience, is what the best way to integrate with AD is: Delegated Authentication, or Federated Authentication using SAML? Which is better able to cope with having the failover AD servers without user intervention? I favour SAML, but remember past issues with the level of support for SAML in AD.


Furthermore, what are the gotchas (AD versions etc.) that work with both, and which would people recommend?


Cheers,


Richard

BrendanOC

I find SAML to be the simplest, as long as you have some sort of Identity Provider which can handle SAML. Ping Identity has a product that easily integrates with AD and Salesforce.com. I've also had success with OpenSSO (free, open source).


Using SAML, your AD environment becomes the authority for authentication. Salesforce.com just waits for a SAML Assertion from your Identity Provider. Using AD with a Ping or OpenSSO front-end, AD account deactivation should prevent a user from logging in to Salesforce.com in near real time. One gotcha I'd mention: OpenSSO sometimes has a problem with authenticating against AD custom attributes. If you use an AD custom attribute as part of the Auth decision, you may need to tweak your OpenSSO config. (Example: custom attribute salesforceUser=True.) If you are just using standard AD groups/attributes, this shouldn't be a problem.
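To make the flow in the answer above concrete, here is an added example (not OpenSSO, Ping or Salesforce code, and not part of the original thread) of the decision an IdP makes before issuing a SAML assertion: it reads the user's AD entry, refuses a disabled account (the `ACCOUNTDISABLE` bit, 0x0002, in `userAccountControl`), gates on an AD group by default and on the `salesforceUser=True` custom attribute only when that attribute is present, then emits a short-lived, audience-restricted SAML 2.0 assertion. The AD records, the group DN, the IdP entity ID and the Salesforce audience `https://saml.salesforce.com` are constructed assumptions, and the assertion is left unsigned; a real IdP signs it and the SP rejects anything unsigned, expired or addressed to another audience.

```python
"""IdP-side auth decision and assertion skeleton for AD -> Salesforce SAML.

Added illustration only: it models the check an identity provider performs
against AD before issuing an assertion, using constructed AD-like records
instead of a live LDAP bind, and writes an UNSIGNED assertion.
"""
import uuid
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set when an AD account is disabled
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Assumed values: the group that entitles a user to Salesforce, and the entity IDs.
SF_GROUP = "CN=Salesforce Users,OU=Groups,DC=example,DC=com"
IDP_ENTITY_ID = "https://idp.example.com"          # hypothetical IdP
SF_AUDIENCE = "https://saml.salesforce.com"        # assumed Salesforce SP entity ID


@dataclass
class ADEntry:
    """A constructed stand-in for the attributes an IdP reads from AD."""
    sAMAccountName: str
    mail: str
    userAccountControl: int
    memberOf: list = field(default_factory=list)
    custom: dict = field(default_factory=dict)  # e.g. {"salesforceUser": "True"}

    def is_enabled(self) -> bool:
        # Disabling the AD account flips this bit; that is what makes
        # "leaver is locked out of Salesforce" near-real-time under SAML.
        return not (self.userAccountControl & ACCOUNTDISABLE)


def authorize(entry: ADEntry, group_dn: str = SF_GROUP,
              custom_attr: str = "salesforceUser"):
    """Return (allowed, reason). Disabled accounts are refused before any
    entitlement check; the custom attribute is honoured only if present, so an
    IdP that fails to read custom attributes falls back to the group gate."""
    if not entry.is_enabled():
        return False, "account disabled in AD"
    if group_dn in entry.memberOf:
        return True, "member of " + group_dn
    val = entry.custom.get(custom_attr)
    if isinstance(val, str) and val.lower() == "true":
        return True, f"{custom_attr}=True"
    return False, "no Salesforce entitlement"


def build_assertion(entry: ADEntry, audience: str = SF_AUDIENCE,
                    issuer: str = IDP_ENTITY_ID, now: datetime = None,
                    lifetime_s: int = 300) -> str:
    """Minimal SAML 2.0 assertion: Issuer, email NameID, and Conditions with a
    validity window and an AudienceRestriction. No Signature element."""
    now = now or datetime.now(timezone.utc)
    ts = lambda d: d.strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.register_namespace("saml", SAML_NS)
    q = lambda tag: f"{{{SAML_NS}}}{tag}"

    a = ET.Element(q("Assertion"), {"Version": "2.0", "ID": "_" + uuid.uuid4().hex,
                                    "IssueInstant": ts(now)})
    ET.SubElement(a, q("Issuer")).text = issuer
    subj = ET.SubElement(a, q("Subject"))
    ET.SubElement(subj, q("NameID"), {"Format": EMAIL_FMT}).text = entry.mail
    cond = ET.SubElement(a, q("Conditions"),
                         {"NotBefore": ts(now),
                          "NotOnOrAfter": ts(now + timedelta(seconds=lifetime_s))})
    ar = ET.SubElement(cond, q("AudienceRestriction"))
    ET.SubElement(ar, q("Audience")).text = audience
    return ET.tostring(a, encoding="unicode")


def login(entry: ADEntry, now: datetime = None):
    """What the IdP hands back to the browser: an assertion, or None if the
    auth decision fails (a disabled AD account never gets an assertion)."""
    allowed, _reason = authorize(entry)
    return build_assertion(entry, now=now) if allowed else None


if __name__ == "__main__":
    leaver = ADEntry("bob", "bob@example.com", 0x0202, [SF_GROUP])  # NORMAL_ACCOUNT|ACCOUNTDISABLE
    staff = ADEntry("alice", "alice@example.com", 0x0200, [SF_GROUP])
    print("leaver:", authorize(leaver))
    print("staff:", authorize(staff))
    print(login(staff))
```

The important property for the original poster's requirement is that `login()` consults AD on every login rather than caching an entitlement: the moment the account is disabled, `is_enabled()` fails and no assertion is produced, whichever of the failover domain controllers the IdP happened to query.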