Delegated Authentication Single Sign-On
- When a user tries to log in—either online or using the API—Salesforce validates the username and checks the user’s permissions and access settings.
- If the user has the Is Single Sign-On Enabled user permission, Salesforce doesn't check the password against its own credential store. Instead, it makes a web service call to the delegated authentication endpoint configured for the user's org, and that service validates the username and password. When this permission is enabled, Salesforce no longer manages password policies for the user, such as password expiration or minimum length; the service behind the delegated authentication endpoint must enforce them. Note: Salesforce doesn't store, log, or view the password. It's disposed of immediately after the process completes.
- The web service call passes the username, password, and source IP to your web service. The source IP is the address where the login request originated. You must create and deploy an implementation of the web service that Salesforce servers can access.
- Your web service implementation validates the passed information and returns either true or false.
- When the response is true, the login process continues, a new session is generated, and the user proceeds to the app. When false, the user gets an error message that the username and password combination is invalid.
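The round trip described in the list above, as an added example that is not part of the Salesforce documentation and not Salesforce's code: a minimal delegated authentication endpoint in Python. The SOAP element names and namespace, the user store, the allowed user network and the 90-day password age are assumptions and are marked as such in the code; a real deployment follows the WSDL Salesforce publishes. It shows the work Salesforce hands off to you once the permission is set: constant-time credential verification, the password expiry policy Salesforce stops enforcing, a check on the forwarded source IP, and logging that never includes the password.

```python
"""Added example of a delegated authentication endpoint (not Salesforce code).
Salesforce passes username, password and the login's source IP and expects
true or false. Element names, namespace, user store and network are assumed."""
import hashlib
import hmac
import ipaddress
import logging
import os
import time
import xml.etree.ElementTree as ET

log = logging.getLogger("delegated-auth")

PBKDF2_ITERATIONS = 200_000      # modest for the example; raise in production
PASSWORD_MAX_AGE_DAYS = 90       # policy Salesforce no longer enforces for SSO users
# Assumed: networks end users may log in from. Salesforce forwards the user's
# source IP; this is not the address of the Salesforce server calling us.
ALLOWED_USER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed user store. bob's password is 200 days old, so it has expired.
_SALT, _HASH = hash_password("Correct-Horse-Battery-9!")
USERS = {
    "alice@example.com": {"salt": _SALT, "hash": _HASH, "changed_at": time.time()},
    "bob@example.com": {"salt": _SALT, "hash": _HASH, "changed_at": time.time() - 200 * 86400},
}
_DUMMY_SALT = os.urandom(16)


def authenticate(username, password, source_ip):
    """The true/false decision Salesforce acts on. Log lines never carry the password."""
    user = USERS.get(username)
    # Run the KDF for unknown users too, so timing does not reveal which usernames exist.
    _, candidate = hash_password(password, user["salt"] if user else _DUMMY_SALT)
    if user is None or not hmac.compare_digest(candidate, user["hash"]):
        log.warning("denied user=%s ip=%s reason=bad_credentials", username, source_ip)
        return False
    if time.time() - user["changed_at"] > PASSWORD_MAX_AGE_DAYS * 86400:
        log.warning("denied user=%s ip=%s reason=password_expired", username, source_ip)
        return False
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        log.warning("denied user=%s ip=%r reason=bad_source_ip", username, source_ip)
        return False
    if not any(ip in net for net in ALLOWED_USER_NETWORKS):
        log.warning("denied user=%s ip=%s reason=ip_not_allowed", username, source_ip)
        return False
    log.info("allowed user=%s ip=%s", username, source_ip)
    return True


# Assumed wire shape: local element names username/password/sourceIp under an
# Authenticate element; the namespace below is illustrative.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AUTH_NS = "urn:authentication.soap.sforce.com"


def _text_of(root, local_name):
    """Text of the first element with this local name, ignoring namespaces."""
    for node in root.iter():
        if node.tag.rsplit("}", 1)[-1] == local_name:
            return node.text or ""
    return None


def handle_soap(request_xml):
    """Parse one Authenticate request and build the true/false response."""
    try:
        root = ET.fromstring(request_xml)
        fields = [_text_of(root, n) for n in ("username", "password", "sourceIp")]
        ok = all(f is not None for f in fields) and authenticate(*fields)
    except ET.ParseError:
        ok = False  # malformed input is a denial, never an error raised to the caller
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Body>'
        f'<AuthenticateResult xmlns="{AUTH_NS}"><Authenticated>{str(ok).lower()}'
        "</Authenticated></AuthenticateResult></soapenv:Body></soapenv:Envelope>"
    )


# Constructed sample request in the assumed shape.
SAMPLE_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
  <soapenv:Body>
    <Authenticate xmlns="{AUTH_NS}">
      <username>alice@example.com</username>
      <password>Correct-Horse-Battery-9!</password>
      <sourceIp>203.0.113.5</sourceIp>
    </Authenticate>
  </soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(handle_soap(SAMPLE_REQUEST))
```

Serve this only over TLS and restrict inbound connections to the Salesforce address ranges at the network edge; the `sourceIp` field is the end user's address as relayed by Salesforce, so an allowlist on it constrains users, not the caller. Every denial path returns false rather than raising, because the page's contract is a boolean answer and Salesforce shows the same generic invalid-credentials error for any false.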