
          Use Salesforce MFA for SSO (Salesforce Orgs)

          To help prevent unauthorized access to Salesforce accounts, customers are contractually required to use multi-factor authentication (MFA) when logging in via single sign-on (SSO). You can use the free MFA service included in Salesforce to satisfy this requirement. With this approach, when users log in to Salesforce, they’re prompted to provide an MFA verification method to confirm their identity.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience
          Available in: all editions
          User Permissions Needed
          To edit SAML settings: Customize Application AND Modify All Data
          To edit Auth Providers: Customize Application AND Manage Auth. Providers
          To edit session security settings: Customize Application
          Note

          For full details about the contractual requirement to use MFA, see the Salesforce Multi-Factor Authentication FAQ.

          Before Summer ’23, Salesforce MFA for SSO logins was set up by applying a high-assurance session security requirement to user profiles. For improved functionality, including Visualforce compatibility, we recommend switching to the method shown in this help topic. For guidance on how to remove the old method, see Knowledge Article: Reset Session Security Settings for Your Salesforce MFA for SSO Configuration.

          To use Salesforce MFA for new or existing SSO configurations:

          1. Enable MFA for your users.

            Salesforce automatically enables MFA for all users in production orgs. If that’s not the case for your environment, see Enable MFA for Your Entire Org.

          2. Enable MFA for your SSO configuration.

            On the setup page for your SAML or Auth Provider SSO configuration, enable the Use Salesforce MFA for this SSO Provider setting. If you use multiple SSO configurations for logins to Salesforce, do this step for each configuration.

          3. Ensure that your session security level settings are correctly configured.
            1. From Setup, in the Quick Find Box, enter Session Settings, and select Session Settings.
            2. In Session Security Levels, make sure that your SSO provider is in the Standard column and Multi-Factor Authentication is in the High-Assurance column.

              This setup ensures that your SSO users receive a high-assurance session only if they complete MFA.

            3. Save your changes.

          If you’re creating a new SSO configuration, see these resources for help with the setup process.

           