Salesforce Delegated Authentication

This post is radically different from my previous posts – it’s going to be written in C#!!!
Salesforce lets you use a delegated authentication mechanism for SSO. One option is SAML, which is nice – but it doesn’t work on mobile devices in disconnected mode. The other is delegated authentication. With this option, Salesforce calls a web service that you host and that implements a predefined WSDL. The web service receives the username, the password and the source IP address of the login attempt, and must return true (accept the login) or false (reject it).
So, let’s get down to business:

  1. Configure Delegated Authentication
    1. Have your Salesforce org enabled for delegated authentication. For some reason this is not enabled by default, and you need to ask your SF guys to enable the feature.
    2. Log in to Salesforce, and click the Setup link
    3. Click Security Controls→Single Sign-On Settings
    4. Click on Edit, and enter your Web Service URL
  2. Assign users to the Delegated Authentication
    1. Log in to Salesforce, and click the Setup link
    2. Click Manage Users→Profiles
    3. Select the user profile
    4. Click the Edit button
    5. Make sure the “Is Single Sign-On Enabled” checkbox is enabled
    6. Click Save

And now the code:

    using System;
    using System.Diagnostics;
    using System.DirectoryServices;
    using System.DirectoryServices.Protocols;
    using System.Net;
    using System.Web.Services;
    using System.Xml;

    namespace DelegatedAuthenticationService
    {
        /// <summary>
        /// Web service that Salesforce calls for delegated authentication.
        /// IAuthenticationBinding is the server interface generated from the
        /// Salesforce delegated authentication WSDL (wsdl.exe /serverInterface).
        /// </summary>
        [WebService(Namespace = "", Description = "v1.1.3")]
        [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
        public class DelegatedSecurityService : WebService, IAuthenticationBinding
        {
            private const string ERROR = "ERROR";

            [WebMethod]
            public bool Authenticate(string username, string password, string sourceIp, XmlElement[] Any)
            {
                try
                {
                    // Run the business logic: the LDAP bind with the supplied credentials
                    // goes here (not shown in the post); a failed bind throws into the catch.
                    return true;
                }
                catch (Exception e)
                {
                    // Connection can not be created - password is incorrect
                    log(ERROR, "Failed to get LDAP connection. Error message is : " + e.Message);
                    audit(username, "FAIL", e.Message);
                    return false;
                }
            }

            // Minimal logging/audit helpers so the class compiles; the post does not show the originals.
            private static void log(string level, string message)
            {
                Trace.WriteLine(level + ": " + message);
            }

            private static void audit(string username, string result, string detail)
            {
                Trace.WriteLine("AUDIT user=" + username + " result=" + result + " detail=" + detail);
            }
        }
    }

It’s important to note that Salesforce limits the time it waits for the service – the entire request/response (including network round trips) must complete in less than ~5 seconds, otherwise users get a "failed to login" message.
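As an added example (not the post's code), here is the credential check that the "Run the business logic" comment above stands in for, written to stay inside the ~5 second budget and to fail closed; the LDAP host and port, the `Audit` sink and the C# 6 syntax are my assumptions, and the WebMethod would simply return its result.

```csharp
using System;
using System.Diagnostics;
using System.DirectoryServices.Protocols;
using System.Net;

// Added example, not the post's code. LdapHost/LdapPort are placeholders; Audit stands in for your log sink.
public static class DelegatedAuthenticationCheck
{
    private const string LdapHost = "ldap.example.internal"; // placeholder; read from config in practice
    private const int LdapPort = 636;                         // LDAPS, so the password never crosses the wire in clear
    // Salesforce abandons the call after roughly 5 s end to end; the bind must give up well before that.
    private static readonly TimeSpan BindTimeout = TimeSpan.FromSeconds(3);

    public static bool Authenticate(string username, string password, string sourceIp)
    {
        // An empty password turns the bind below into an anonymous bind, which many directories accept.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
        {
            Audit(username, sourceIp, "FAIL", "empty username or password");
            return false;
        }
        try
        {
            using (var conn = new LdapConnection(new LdapDirectoryIdentifier(LdapHost, LdapPort)))
            {
                conn.SessionOptions.SecureSocketLayer = true;
                conn.AuthType = AuthType.Basic;
                conn.Timeout = BindTimeout;
                conn.Credential = new NetworkCredential(username, password);
                conn.Bind(); // throws LdapException if the directory rejects the credentials
            }
            Audit(username, sourceIp, "SUCCESS", "bind ok");
            return true;
        }
        catch (LdapException e)
        {
            // Result code 49 (invalidCredentials) is an ordinary bad login; anything else (server down,
            // timeout) is an outage. Fail closed in both cases, but label them apart in the audit trail.
            Audit(username, sourceIp, e.ErrorCode == 49 ? "FAIL" : "ERROR", e.Message);
            return false;
        }
        catch (Exception e)
        {
            Audit(username, sourceIp, "ERROR", e.GetType().Name + ": " + e.Message);
            return false;
        }
    }

    // Never write the password to the log; user, source IP and outcome are enough.
    private static void Audit(string username, string sourceIp, string result, string detail) =>
        Trace.WriteLine(string.Format("delegated-auth user={0} ip={1} result={2} {3}", username, sourceIp, result, detail));
}
```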

Good luck!