diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index c2fc6d3261..4fb0aebb66 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -412,11 +412,12 @@ hostnossl database user
- scram>
+ sasl>
- Perform SCRAM-SHA-256 authentication to verify the user's
- password. See for details.
+ Perform SASL authentication to verify the user's password. See
+ for details. The only mechanism
+ supported currently is SCRAM-SHA-256.
@@ -425,7 +426,7 @@ hostnossl database user
md5>
- Perform SCRAM-SHA-256 or MD5 authentication to verify the
+ Perform SASL or MD5 authentication to verify the
user's password. See
for details.
@@ -683,18 +684,18 @@ host postgres all 192.168.93.0/24 ident
# "postgres" if the user's password is correctly supplied.
#
# TYPE DATABASE USER ADDRESS METHOD
-host postgres all 192.168.12.10/32 scram
+host postgres all 192.168.12.10/32 sasl
# Allow any user from hosts in the example.com domain to connect to
# any database if the user's password is correctly supplied.
#
-# Require SCRAM authentication for most users, but make an exception
-# for user 'mike', who uses an older client that doesn't support SCRAM
+# Require SASL authentication for most users, but make an exception
+# for user 'mike', who uses an older client that doesn't support SASL
# authentication.
#
# TYPE DATABASE USER ADDRESS METHOD
-host all mike .example.com md5
-host all all .example.com scram
+host all mike .example.com sasl
+host all all .example.com sasl
# In the absence of preceding "host" lines, these two lines will
# reject all connections from 192.168.54.1 (since that entry will be
@@ -922,7 +923,7 @@ omicron bryanh guest1
- The password-based authentication methods are scram>
+ The password-based authentication methods are sasl>
md5> and password>. These methods operate
similarly except for the way that the password is sent across the
connection.
@@ -939,8 +940,9 @@ omicron bryanh guest1
- scram> performs SCRAM-SHA-256 authentication, as described
- in RFC5802. It
+ sasl> performs SASL authentication using SCRAM-SHA-256 as
+ mechanism, as described in
+ RFC5802. It
is a challenge-response scheme, that prevents password sniffing on
untrusted connections. It is more secure than the md5>
method, but might not be supported by older clients.
@@ -953,7 +955,7 @@ omicron bryanh guest1
protection if an attacker manages to steal the password hash from the
server, and it cannot be used with the feature. For all other users,
- md5> works the same as scram>.
+ md5> works the same as sasl>.
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index a3c6c6d8b3..aa52d2e90f 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -57,7 +57,7 @@ static int CheckPasswordAuth(Port *port, char **logdetail);
static int CheckPWChallengeAuth(Port *port, char **logdetail);
static int CheckMD5Auth(Port *port, char *shadow_pass, char **logdetail);
-static int CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail);
+static int CheckSASLAuth(Port *port, char *shadow_pass, char **logdetail);
/*----------------------------------------------------------------
@@ -284,7 +284,7 @@ auth_failed(Port *port, int status, char *logdetail)
break;
case uaPassword:
case uaMD5:
- case uaSCRAM:
+ case uaSASL:
errstr = gettext_noop("password authentication failed for user \"%s\"");
/* We use it to indicate if a .pgpass password failed. */
errcode_return = ERRCODE_INVALID_PASSWORD;
@@ -545,7 +545,7 @@ ClientAuthentication(Port *port)
break;
case uaMD5:
- case uaSCRAM:
+ case uaSASL:
status = CheckPWChallengeAuth(port, &logdetail);
break;
@@ -737,7 +737,7 @@ CheckPasswordAuth(Port *port, char **logdetail)
}
/*
- * MD5 and SCRAM authentication.
+ * MD5 and SASL authentication.
*/
static int
CheckPWChallengeAuth(Port *port, char **logdetail)
@@ -746,7 +746,7 @@ CheckPWChallengeAuth(Port *port, char **logdetail)
char *shadow_pass;
PasswordType pwtype;
- Assert(port->hba->auth_method == uaSCRAM ||
+ Assert(port->hba->auth_method == uaSASL ||
port->hba->auth_method == uaMD5);
/* First look up the user's password. */
@@ -774,12 +774,12 @@ CheckPWChallengeAuth(Port *port, char **logdetail)
* If 'md5' authentication is allowed, decide whether to perform 'md5' or
* 'scram' authentication based on the type of password the user has. If
* it's an MD5 hash, we must do MD5 authentication, and if it's a SCRAM
- * verifier, we must do SCRAM authentication. If it's stored in
+ * verifier, we must do SASL authentication. If it's stored in
* plaintext, we could do either one, so we opt for the more secure
* mechanism, SCRAM.
*
* If MD5 authentication is not allowed, always use SCRAM. If the user
- * had an MD5 password, CheckSCRAMAuth() will fail.
+ * had an MD5 password, CheckSASLAuth() will fail.
*/
if (port->hba->auth_method == uaMD5 && pwtype == PASSWORD_TYPE_MD5)
{
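Review bot: The comment block in CheckPWChallengeAuth now uses three names for the same path: its second line still says `'scram' authentication` as if that were the pg_hba.conf method, the changed line says "SASL authentication", and the unchanged lines say "always use SCRAM". This comment is where a reader learns that an `md5` entry can select either exchange while a `sasl` entry never falls back to MD5, so it should use the keyword for the method and SCRAM for the mechanism. For example: `* If 'md5' authentication is allowed, decide whether to perform the MD5 or the SCRAM exchange based on the type of password the user has.` and `* If MD5 authentication is not allowed ('sasl'), always use SCRAM.` The comment opens above this hunk and the function continues below it.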
@@ -787,7 +787,7 @@ CheckPWChallengeAuth(Port *port, char **logdetail)
}
else
{
- auth_result = CheckSCRAMAuth(port, shadow_pass, logdetail);
+ auth_result = CheckSASLAuth(port, shadow_pass, logdetail);
}
if (shadow_pass)
@@ -843,7 +843,7 @@ CheckMD5Auth(Port *port, char *shadow_pass, char **logdetail)
}
static int
-CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
+CheckSASLAuth(Port *port, char *shadow_pass, char **logdetail)
{
int mtype;
StringInfoData buf;
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index af89fe898a..194a94485c 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -126,7 +126,7 @@ static const char *const UserAuthName[] =
"ident",
"password",
"md5",
- "scram",
+ "sasl",
"gss",
"sspi",
"pam",
@@ -1327,8 +1327,8 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
}
parsedline->auth_method = uaMD5;
}
- else if (strcmp(token->string, "scram") == 0)
- parsedline->auth_method = uaSCRAM;
+ else if (strcmp(token->string, "sasl") == 0)
+ parsedline->auth_method = uaSASL;
else if (strcmp(token->string, "pam") == 0)
#ifdef USE_PAM
parsedline->auth_method = uaPAM;
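Review bot: With the keyword changed to `sasl` in this strcmp chain, a pg_hba.conf line no longer names the mechanism it requires; the documentation hunk says SCRAM-SHA-256 is only the mechanism supported "currently". If a second SASL mechanism is added later, an existing `sasl` entry would presumably start accepting it, and nothing visible here lets an administrator pin a rule to SCRAM-SHA-256. Consider keeping a mechanism-specific method name or adding a per-line option that lists the permitted mechanisms, and record the current meaning on the branch with a comment such as `/* "sasl" currently implies SCRAM-SHA-256 only */`. parse_hba_line begins and ends outside this hunk.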
diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample
index 6b1778a721..96119a9022 100644
--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -42,9 +42,9 @@
# or "samenet" to match any address in any subnet that the server is
# directly connected to.
#
-# METHOD can be "trust", "reject", "md5", "password", "scram", "gss",
+# METHOD can be "trust", "reject", "md5", "password", "sasl", "gss",
# "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert". Note that
-# "password" sends passwords in clear text; "md5" or "scram" are preferred
+# "password" sends passwords in clear text; "md5" or "sasl" are preferred
# since they send encrypted passwords.
#
# OPTIONS are a set of options for the authentication in the format
diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c
index d40ed412fc..0874d2cd3a 100644
--- a/src/bin/initdb/initdb.c
+++ b/src/bin/initdb/initdb.c
@@ -77,7 +77,7 @@
extern const char *select_default_timezone(const char *share_path);
static const char *const auth_methods_host[] = {
- "trust", "reject", "md5", "password", "scram", "ident", "radius",
+ "trust", "reject", "md5", "password", "sasl", "ident", "radius",
#ifdef ENABLE_GSS
"gss",
#endif
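Review bot: `scram` is removed from auth_methods_host here, and from auth_methods_local and parse_hba_line in the other hunks, with no alias, so an `initdb --auth-host=scram` invocation or a pg_hba.conf line using `scram` would stop being accepted after this change. Whether any released version accepted `scram` is not visible from the diff. If one did, keep the old spelling as a deprecated synonym or call the rename out in the release notes, so that an upgrade does not leave a server with an authentication file it cannot load. The array continues past this hunk.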
@@ -99,7 +99,7 @@ static const char *const auth_methods_host[] = {
NULL
};
static const char *const auth_methods_local[] = {
- "trust", "reject", "md5", "scram", "password", "peer", "radius",
+ "trust", "reject", "md5", "sasl", "password", "peer", "radius",
#ifdef USE_PAM
"pam", "pam ",
#endif
@@ -1130,8 +1130,8 @@ setup_config(void)
"#update_process_title = off");
#endif
- if (strcmp(authmethodlocal, "scram") == 0 ||
- strcmp(authmethodhost, "scram") == 0)
+ if (strcmp(authmethodlocal, "sasl") == 0 ||
+ strcmp(authmethodhost, "sasl") == 0)
{
conflines = replace_token(conflines,
"#password_encryption = md5",
@@ -2329,16 +2329,16 @@ check_need_password(const char *authmethodlocal, const char *authmethodhost)
{
if ((strcmp(authmethodlocal, "md5") == 0 ||
strcmp(authmethodlocal, "password") == 0 ||
- strcmp(authmethodlocal, "scram") == 0) &&
+ strcmp(authmethodlocal, "sasl") == 0) &&
(strcmp(authmethodhost, "md5") == 0 ||
strcmp(authmethodhost, "password") == 0 ||
- strcmp(authmethodhost, "scram") == 0) &&
+ strcmp(authmethodhost, "sasl") == 0) &&
!(pwprompt || pwfilename))
{
fprintf(stderr, _("%s: must specify a password for the superuser to enable %s authentication\n"), progname,
(strcmp(authmethodlocal, "md5") == 0 ||
strcmp(authmethodlocal, "password") == 0 ||
- strcmp(authmethodlocal, "scram") == 0)
+ strcmp(authmethodlocal, "sasl") == 0)
? authmethodlocal
: authmethodhost);
exit(1);
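Review bot: The `md5`/`password`/`sasl` test is spelled out three times in check_need_password (twice in the condition, once more to pick the name for the error message), so this rename had to touch three places and a future method name can easily be missed in one of them. A small static predicate keeps the list of password-based methods in one spot; the sketch below keeps the existing condition and message unchanged. The function's closing lines are outside this hunk.

```c
static bool
auth_method_needs_password(const char *method)
{
	return strcmp(method, "md5") == 0 ||
		strcmp(method, "password") == 0 ||
		strcmp(method, "sasl") == 0;
}

/* in check_need_password(): */
	if (auth_method_needs_password(authmethodlocal) &&
		auth_method_needs_password(authmethodhost) &&
		!(pwprompt || pwfilename))
	{
		fprintf(stderr, _("%s: must specify a password for the superuser to enable %s authentication\n"), progname,
				auth_method_needs_password(authmethodlocal)
				? authmethodlocal
				: authmethodhost);
		/* … unchanged: exit(1) … */
```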
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 9a4f228d6a..6c7382e67f 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -30,7 +30,7 @@ typedef enum UserAuth
uaIdent,
uaPassword,
uaMD5,
- uaSCRAM,
+ uaSASL,
uaGSS,
uaSSPI,
uaPAM,
diff --git a/src/test/authentication/t/001_password.pl b/src/test/authentication/t/001_password.pl
index d7bc13bd58..5731818e37 100644
--- a/src/test/authentication/t/001_password.pl
+++ b/src/test/authentication/t/001_password.pl
@@ -68,12 +68,12 @@ SKIP:
test_role($node, 'md5_role', 'password', 0);
test_role($node, 'plain_role', 'password', 0);
- # For "scram" method, user "plain_role" and "scram_role" should be able to
+ # For "sasl" method, user "plain_role" and "scram_role" should be able to
# connect.
- reset_pg_hba($node, 'scram');
- test_role($node, 'scram_role', 'scram', 0);
- test_role($node, 'md5_role', 'scram', 2);
- test_role($node, 'plain_role', 'scram', 0);
+ reset_pg_hba($node, 'sasl');
+ test_role($node, 'scram_role', 'sasl', 0);
+ test_role($node, 'md5_role', 'sasl', 2);
+ test_role($node, 'plain_role', 'sasl', 0);
# For "md5" method, all users should be able to connect (SCRAM
# authentication will be performed for the user with a scram verifier.)
diff --git a/src/test/authentication/t/002_saslprep.pl b/src/test/authentication/t/002_saslprep.pl
index 7e373ed7bf..98d4c21b4f 100644
--- a/src/test/authentication/t/002_saslprep.pl
+++ b/src/test/authentication/t/002_saslprep.pl
@@ -73,7 +73,7 @@ SKIP:
");
# Require password from now on.
- reset_pg_hba($node, 'scram');
+ reset_pg_hba($node, 'sasl');
# Check that #1 and #5 are treated the same as just 'IX'
test_login($node, 'saslpreptest1_role', "I\xc2\xadX", 0);