Set Up and Maintain Your Salesforce Organization
          Authentication Provider Control


          In Salesforce, an authentication provider is used when you want Salesforce to let users log in using their credentials from another service.

          Security Health Review evaluates the authentication providers allowed in your Salesforce org using configuration signals aligned with Salesforce-recommended best practices, and highlights the gaps that present the highest security and business risk.

          Control Name

          Authentication Provider Configuration and Validation

          Recommended Configuration

          Configure, validate, and regularly review all authentication providers to make sure that they are trusted, correctly scoped, and securely integrated.

          Control Overview

          Authentication providers allow Salesforce to delegate user authentication to trusted third-party identity platforms such as Apple, Google, Microsoft, OpenID Connect providers, and other supported services. Proper configuration ensures that authentication assertions are accepted only from verified sources and that user provisioning and access are securely controlled.

          Security Risk If Not Configured

          Unverified or misconfigured authentication providers can allow Salesforce to accept fraudulent authentication assertions, leading to unauthorized user creation, account takeover, or access from untrusted identity sources.

          Threat Scenarios

          Acceptance of forged or replayed authentication tokens, unauthorized user provisioning via misconfigured identity provider (IdP) mappings, trust relationships with deprecated or compromised IdPs, and misuse of overly permissive provider configurations.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          Risk severity depends on the number of authentication providers configured, user population size, access privileges granted upon login, and whether providers are externally managed or consumer-facing.

          Higher Risk When

          Authentication providers are not formally verified, provider metadata is outdated, attribute mappings are overly permissive, or multiple consumer-grade providers are enabled without governance controls.

          Low or No Risk When

          This control can be considered low risk when one or more of the following are implemented:

          • Trusted Provider Validation: Authentication providers are enabled only for approved and trusted identity platforms.
          • Secure Attribute Mapping: User attributes and provisioning rules are tightly scoped to enforce least privilege.
          • Metadata Management: Provider certificates, endpoints, and metadata are kept current and reviewed periodically.
          • MFA Enforcement: MFA is enforced at the authentication provider or via Salesforce high-assurance policies.
          • Governance Controls: Authentication providers are centrally governed, documented, and reviewed as part of identity lifecycle management.

          Business and Integration Considerations

          Customers should evaluate business justification for each authentication provider, especially consumer identity platforms, and ensure alignment with access policies, regulatory requirements, and user experience expectations.

          Recommended Remediation

          Review all configured authentication providers, turn off unused or untrusted providers, validate provider metadata and certificates, restrict attribute mappings, enforce MFA, and establish periodic governance reviews.
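One way to script the provider review described under Recommended Remediation, as an added example that is not Salesforce code: it checks an exported provider list against an approved register and reports unapproved providers, overdue reviews, consumer-grade providers, and endpoints that are not HTTPS or not on an approved host. The register, the sample records, and the consumer-type labels are constructed; the record keys are assumed to mirror the fields of an AuthProvider export.

```python
from datetime import date
from urllib.parse import urlparse

# Constructed governance register (hypothetical): approved providers, the
# endpoint hosts they may use, and the date of the last review.
APPROVED = {
    "Corp_OIDC": {"hosts": {"login.idp.example"}, "reviewed": date(2025, 1, 10)},
    "Google_Staff": {"hosts": set(), "reviewed": date(2023, 3, 1)},
}
CONSUMER_TYPES = {"Google", "Facebook", "Apple", "Twitter", "LinkedIn"}  # assumed labels
URL_FIELDS = ("AuthorizeUrl", "TokenUrl", "UserInfoUrl")  # assumed export keys

def audit(providers, today, max_age_days=365):
    """Return sorted (DeveloperName, finding) tuples for an exported provider list."""
    findings = []
    for p in providers:
        name = p["DeveloperName"]
        entry = APPROVED.get(name)
        if entry is None:
            # Unknown providers are reported once; nothing else can be validated.
            findings.append((name, "not in approved register"))
            continue
        if (today - entry["reviewed"]).days > max_age_days:
            findings.append((name, "review overdue"))
        if p.get("ProviderType") in CONSUMER_TYPES:
            findings.append((name, "consumer-grade provider"))
        for field in URL_FIELDS:
            url = p.get(field)
            if not url:
                continue
            parsed = urlparse(url)
            if parsed.scheme != "https":
                findings.append((name, f"{field} is not https"))
            elif parsed.hostname not in entry["hosts"]:
                findings.append((name, f"{field} host not approved"))
    return sorted(findings)

# Constructed sample export, not real org data.
SAMPLE = [
    {"DeveloperName": "Corp_OIDC", "ProviderType": "OpenIdConnect",
     "AuthorizeUrl": "https://login.idp.example/authorize",
     "TokenUrl": "https://login.idp.example/token",
     "UserInfoUrl": "http://login.idp.example/userinfo"},
    {"DeveloperName": "Google_Staff", "ProviderType": "Google"},
    {"DeveloperName": "Old_Partner_SSO", "ProviderType": "OpenIdConnect",
     "TokenUrl": "https://sso.partner.example/token"},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, today=date(2025, 6, 1)):
        print(f"{name}: {finding}")
```

A finding of "consumer-grade provider" is a prompt to confirm the documented business justification, not an automatic failure.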

          Security Health Review Guidance

          Security Health Review identifies the connected authentication providers configured in Salesforce to help customers reduce identity federation risk, prevent unauthorized access, and align third-party authentication integrations with Salesforce-recommended security baselines and Zero Trust principles.

           