
Misconceptions on SAML

With SAML, do I still need to use an LDAP server, locally?

I was thinking the big difference between federated and delegated is that delegated requires something like an LDAP server.


I was thinking that SAML allows me to keep my users in Salesforce?

Am I wrong?


You don't *need* an LDAP server for SAML or Delegated Auth.  For SAML, you need some sort of software that can generate a front-channel SAML assertion.  This is generally called an Identity Provider. (Google SAML Identity Provider and you can see many commercial and open-source products.)


Most customers choose to integrate their Identity Provider (IDP) with their internal system of record. This is usually Active Directory or some other LDAP server. It's a convenience for single sign-on, but it's not a requirement of the SAML protocol.




So, I could use SAML with my current user table that is in salesforce?

Salesforce can act as a Service Provider (SP) and/or Identity Provider (IDP).


Here's a quick overview of how SAML works:

As an SP, your IDP can reference usernames directly in the assertion (such as ", or you can choose to use an external identifier (such as employee number or internal username/ID).


See here for a list of parameters and instructions for configuring SSO using SAML (external IDP):


You can choose to make an IDP if you have My Domains enabled.

How to set up as an IDP:


Hope that helps!
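To make the SP-side mapping concrete, here is an added example (not code from this thread or from Salesforce) of what a Service Provider does with an incoming assertion: it checks the issuer, audience and expiry, then matches the NameID against its own user table either as the username or as an external identifier. The user table, issuer, audience and assertion are all constructed sample values; no LDAP directory is consulted at any point.

```python
import xml.etree.ElementTree as ET  # for untrusted XML in production, prefer defusedxml
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed user table standing in for the users kept in Salesforce.
# "federation_id" is the external identifier the SP can match instead of the username.
USERS = {
    "alice@example.com": {"federation_id": "EMP-1001"},
    "bob@example.com": {"federation_id": "EMP-1002"},
}

# Constructed, unsigned sample assertion. A real IdP signs it, and the SP must
# verify that signature against the IdP certificate before trusting any field.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>EMP-1002</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def map_subject(assertion_xml, expected_issuer, expected_audience, mode, now=None, users=USERS):
    """Return the matched local username, or None if the assertion is rejected or unmapped.

    mode is "username" (NameID is the local username) or "federation_id"
    (NameID is the external identifier stored on the user record).
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    # Reject assertions from the wrong IdP or addressed to another SP before touching the user table.
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return None
    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected_audience:
        return None
    expiry = root.find("saml:Conditions", NS).get("NotOnOrAfter")
    if datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
        return None
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if mode == "username":
        return name_id if name_id in users else None
    if mode == "federation_id":
        # Require exactly one match so an ambiguous external ID never logs in the wrong user.
        matches = [u for u, rec in users.items() if rec["federation_id"] == name_id]
        return matches[0] if len(matches) == 1 else None
    raise ValueError("unknown mapping mode: %r" % mode)
```

With the sample assertion, matching on the external identifier resolves to bob@example.com, while matching the same NameID as a username finds nobody.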