Salesforce-Platform-Identity-and-Access-Management-Architect Practice Test

Salesforce Spring 25 Release
255 Questions

What item should an Architect consider when designing a Delegated Authentication implementation?

A. The Web service should be secured with TLS using Salesforce trusted certificates.

B. The Web service should be able to accept one to four input method parameters.

C. The web service should use the Salesforce Federation ID to identify the user.

D. The Web service should implement a custom password decryption method.

C. The web service should use the Salesforce Federation ID to identify the user.

Explanation:

When designing a Delegated Authentication implementation in Salesforce, one of the most critical design considerations is how the external authentication web service will identify the user attempting to log in. Salesforce typically uses the Federation ID as the key identifier in Delegated Authentication setups. The Federation ID is a unique value on the Salesforce User record that correlates with the user’s identity in the external identity system. During the Delegated Authentication process, Salesforce sends the username or Federation ID to the external web service, which then verifies the credentials and returns a success or failure response. Therefore, the correct and secure approach is to design the web service to recognize and authenticate users based on the Federation ID, making Option C the correct choice.

Other options are incorrect or misleading:

A is incorrect because while the connection should be secured via TLS, there’s no requirement to use Salesforce trusted certificates specifically — standard SSL/TLS with a trusted CA is sufficient.

B is incorrect because the delegated authentication web service doesn’t need to accept a flexible number of parameters — it receives a standardized request from Salesforce with a specific structure.

D is incorrect because Salesforce does not send encrypted passwords to the web service — instead, it sends the plaintext password, and it’s the responsibility of the external service to securely verify it. There is no decryption involved.
