Hi,

I am trying to figure out how user's can authenticate using devices and salesforce api's when we plan on enabling SAML 2.0 based SSO for the web interface.  One of our goals is to have SSO available from the internet (off our core internal network).  

• Will users be required to know their salesforce user name and password?  If so, one of the benefits of SSO, automatic disabling of access when the user is disabled at the identity provider, seems to be lost. 
• Does delegated authentication fit somewhere in the equation?

Thanks