+ Start a Discussion

Delegated Authentication username mapping

Can someone explain how delegated authentication works / should be configured with respect to the following scenario.


Company A has a user stored in AD with username "firstname.surname".


Company A has setup delegated authentication in salesforce and mapped the Delegated Gateway url to an externally exposed web service that can authenticate users against their AD.


Since Company A cannot create a salesforce user with username firstname.surname (someone else in a different SF org is using this username) we create a salesforce username of format firstname.surname@companya.com.


User with username firstname.surname naviagtes to login.salesforce.com and types in firstname.surname as their username and types in their AD password. 


How does salesforce know that this user should be authenticated via delegation authentication? i.e. if there is a real salesforce user with username firstname.surname for an completely different org why doesn't salesforce return an invalid password error?


How can we map AD usernames to salesforce users?



Best Answer chosen by Admin (Salesforce Developers) 

It doesn't, it only knows about salesforce usernames, the user would have to type in firstname.surname@companya.com, then when it gets to your DA listener, it would have to be able to map that back to the AD username.


you may find the newer SAML based SSO to be a better fit for you.