Identify Your Users and Manage Access
Deliver identity and access management services directly from your Salesforce org. With Salesforce identity services, you can authenticate users across your orgs, Experience Cloud sites, and digital channels to provide authorized access to your data.
Salesforce identity offers features to address many aspects of authentication (making sure that your users are who they say they are) and authorization (controlling who can access what). A well-designed Salesforce identity implementation begins with determining which features are right for your org and prioritizing them. Following are the solutions offered with Salesforce identity services.
- Who Is Salesforce Identity For?
  Salesforce identity services are for all users who interact with your Salesforce org, Experience Cloud sites, other apps, and other services. These users are employees, customers, potential customers, and partners of your company, and they all have unique identity needs.
- Salesforce Identity Licenses
  All identity services that are built into the Salesforce Platform are included with every paid license in the Enterprise, Unlimited, Performance, and Developer Editions.
- Multi-Factor Authentication for Salesforce Orgs
  Multi-factor authentication (MFA) is a secure authentication method that requires users to verify their identity with a second piece of evidence (or factor) in addition to their password. To protect users from security threats like phishing, credential stuffing, and account takeovers, Salesforce requires MFA for all logins to Salesforce products. This contractual requirement applies equally to direct logins with a Salesforce username and password and to logins via single sign-on (SSO). Salesforce provides free MFA functionality for all Salesforce products. To help customers satisfy the MFA requirement, MFA is automatically enabled for direct logins to production orgs.
- Single Sign-On
  Single sign-on (SSO) is an authentication method that enables users to access multiple applications with one login and one set of credentials. For example, after users log in to your org, they can automatically access all apps from the App Launcher. You can set up your Salesforce org to trust a third-party identity provider to authenticate users. Or you can configure a third-party app to rely on your org for authentication.
- Identity Connect
  Identity Connect integrates Microsoft Active Directory (AD) user accounts with Salesforce user records. When a user account is created or updated in AD, Identity Connect pushes those updates to the Salesforce user record seamlessly and instantaneously. For example, when a user is created in AD, the Salesforce user record is created as part of the provisioning process. When deprovisioned, the user’s Salesforce session is revoked immediately. You can also use Identity Connect for single sign-on to Salesforce.
- Custom Login Flows
  A login flow directs users through a login process before they access your Salesforce org or Experience Cloud site. You can use a login flow to control the business processes that your users follow when they log in to Salesforce. After Salesforce authenticates a user, the login flow directs the user through a process, such as enforcing strong authentication or collecting user information. When users complete the login flow successfully, they’re redirected to their Salesforce org or site. If unsuccessful, the flow can log out users immediately.
- Login Access
  As a Salesforce admin, you can set up your org to allow Salesforce support users, partner support users, or subscribers to log in to a Salesforce org as another user. For example, to help troubleshoot user issues, a support user can log in to a Salesforce org as the user experiencing the problem. You can also configure your org to require users to grant login access to support users or subscribers trying to log in as that user.
- Manage User Passwords
  Salesforce provides each user in your org with a unique username and password that the user must enter at each login. As an admin, you can configure several settings to ensure that your users’ passwords are strong and secure.
- Passwordless Login with Passkeys
  Set up a fast, easy, and phishing-resistant login process for your employees. With passwordless login via passkeys, internal users log in by using a built-in authenticator (such as Touch ID or Windows Hello) or a security key.
- One-Time Password (OTP) Behavior
  Salesforce sends one-time passwords (OTPs) to verify identity for multiple use cases, such as passwordless login, device activation, multi-factor authentication (MFA) for Experience Cloud sites, and more. Learn about expiration time, limits, and generation behavior for OTPs for different use cases.
- Lightning Login for Password-Free Logins
  Say goodbye to the hassle of weak passwords, forgotten passwords, and locked-out accounts. With Lightning Login, you can give your users the enhanced speed, convenience, and security of password-free logins.
- Certificate-Based Authentication
  In addition to authentication methods like single sign-on, Salesforce provides certificate-based authentication, which you can configure to authenticate your Salesforce users with unique PEM-encoded X.509 certificates.
- External Client Apps and Connected Apps
  There are two options to connect your Salesforce data with third-party applications. Both connected apps and external client apps are frameworks to integrate data. External client apps are the next generation of connected apps. They’re fully metadata-compliant and include structural improvements to maintain separate user roles and allow second-generation managed packaging.
- Authorize Apps with OAuth
  OAuth is an open protocol that authorizes a client application to access data from a protected resource through the exchange of tokens. OAuth tokens are essentially permissions given to a client application.
- App Launcher
  The App Launcher is how users switch between apps. It displays tiles that link to a user’s available Salesforce, connected (third-party), and on-premises apps. You can determine which apps are available to which users and the order in which the apps appear. You can also make the App Launcher the default landing page when users first open Salesforce.
- Manage API Access
  Use API Access Control to manage access to your Salesforce APIs. With this feature, you can restrict all users from accessing your Salesforce APIs unless they’re pre-authorized through an approved (allowlisted) connected app. Or you can restrict only customers and partners from accessing your Salesforce APIs unless they’re using a connected app that is installed in your org.
- Manage Salesforce User Identities with SCIM
  You can provision and manage your Salesforce user identities across systems with the open standard System for Cross-Domain Identity Management (SCIM). The Salesforce implementation provides extensions to the SCIM 2.0 specification so that you can edit and manage Salesforce user properties using REST API operations.
- Salesforce Customer Identity
  Salesforce Customer Identity is an Identity and Access Management (IAM) service that improves your engagement with your customers and partners. Create sites for your customers and partners that are customized to your needs and best represent your brand. Use various tools to customize how your users log in, register, verify their identity, and use single sign-on to access your web pages and apps.
- Monitor Access to Your Salesforce Orgs and Experience Cloud Sites
  Monitor access to your Salesforce orgs and Experience Cloud sites by reviewing and managing who’s logging in and how they're verified. View SAML and OpenID Connect authentication request errors and success. And track and monitor which devices are accessing your orgs and sites.

