We have implemented Federated Authentication for SSO in an organization. But now we want to use SSO for the Salesforce mobile CRM app. According to this article, Federated Authentication does not support mobile CRM products:
Note: notably missing from supported clients are the Mobile CRM products. It is planned that the next generation of mobile CRM products, as well as mobile development offerings will support SAML based single sign-on. In the meantime, Delegated Authentication is the supported option.
Now, if we decide to use Delegated Authentication to support Mobile CRM products, do we have to disable Federated Authentication? Can we use FA and DA in parallel?
Attribution to: Anup
Possible Suggestion/Solution #1
Yes, you can use Federated Authentication (e.g. SAML) and Delegated Authentication (DA) in parallel. The Mobile CRM product prompts the user for username and password - they give their enterprise password, which is verified by the DA mechanism - a SOAP message is sent to an endpoint in the enterprise, which validates the username/password.
When SAML is configured, the user (via their browser) hits either a URL at the enterprise Identity Provider (IdP) or, if My Domain is configured, any My Domain URL at Salesforce - e.g. https://mycompany.my.salesforce.com/SOMERECORDID. The SAML protocol redirects them for authentication in the enterprise, and sends them to Salesforce with a signed XML message representing that authentication.
The two protocols are orthogonal, and can happily co-exist in a single org.
Attribution to: metadaddy
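The Delegated Authentication call described in the answer above, sketched from the enterprise side as an added example (not part of the original answer and not Salesforce's code). The message shape (namespace `urn:authentication.soap.sforce.com`, the `Authenticate` request and `AuthenticateResult` reply) is assumed from Salesforce's delegated authentication WSDL and should be checked against the WSDL downloaded from your org; the user store and all function names are hypothetical.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
DA = "{urn:authentication.soap.sforce.com}"  # assumed from Salesforce's DA WSDL

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed stand-in for the enterprise directory (hypothetical user).
_SALT = b"constructed-salt"
USERS = {"alice@example.com": (_SALT, _kdf("correct horse", _SALT))}

def check_credentials(username: str, password: str) -> bool:
    # Unknown users still cost one KDF run, so timing does not reveal them.
    salt, stored = USERS.get(username, (_SALT, bytes(32)))
    match = hmac.compare_digest(_kdf(password, salt), stored)
    return match and username in USERS

def _reply(ok: bool) -> str:
    return ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soapenv:Body><AuthenticateResult xmlns="urn:authentication.soap.sforce.com">'
            f'<Authenticated>{"true" if ok else "false"}</Authenticated>'
            '</AuthenticateResult></soapenv:Body></soapenv:Envelope>')

def handle_authenticate(body: bytes) -> str:
    """Validate one DA request; every failure path answers Authenticated=false."""
    try:
        text = body.decode("utf-8")
        # A credential message never needs a DTD; refuse entity tricks outright.
        if "<!DOCTYPE" in text or "<!ENTITY" in text:
            return _reply(False)
        req = ET.fromstring(text).find(f"{SOAP}Body/{DA}Authenticate")
        user = req.findtext(f"{DA}username") if req is not None else None
        pw = req.findtext(f"{DA}password") if req is not None else None
    except (UnicodeDecodeError, ET.ParseError):
        return _reply(False)
    return _reply(bool(user and pw) and check_credentials(user, pw))

def sample_request(username: str, password: str) -> bytes:
    # Constructed request in the shape Salesforce is assumed to send.
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soapenv:Body><Authenticate xmlns="urn:authentication.soap.sforce.com">'
            f'<username>{escape(username)}</username><password>{escape(password)}</password>'
            '<sourceIp>203.0.113.7</sourceIp>'
            '</Authenticate></soapenv:Body></soapenv:Envelope>').encode()
```

The password travels in the SOAP body, so the endpoint serving this handler belongs behind TLS.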
This content is remixed from stackoverflow or stackexchange. Please visit https://salesforce.stackexchange.com/questions/976