Set Up and Maintain Your Salesforce Organization
          Authenticate Experience Cloud Site Users Control


          The control objective of enabling SAML-based SSO for Experience Site users is to centralize external identity management.

          Control Name

          Experience Cloud Site Users Authentication

          Recommended Configuration

          Enable centralized SSO integrated with SAML authentication using an enterprise Identity Provider (IdP), and enforce strong authentication policies.

          Control Overview

          The control objective of enabling SAML-based SSO for Experience Site users is to centralize external identity management, making sure that partners and customers authenticate against a single, managed corporate directory. This setup allows for real-time access revocation and consistent enforcement of enterprise security policies, such as Multi-Factor Authentication (MFA), preventing unauthorized access from orphaned or weak local credentials.

          Security Risk If Not Configured

          The primary security risk is a credential management gap where external users maintain active, unmonitored access via weak local passwords that are not synchronized with your corporate identity store. This lack of centralized control prevents real-time de-provisioning, allowing terminated partners or customers to retain access to proprietary documents and sensitive data long after their professional relationship has ended.

          Threat Scenarios

          An attacker exploits a weak or reused password on a partner's personal account to gain unauthorized entry into your Experience Site, silently harvesting proprietary pricing or customer data. Because the account is managed locally rather than through a centralized SSO, your IT team remains unaware of the breach and cannot instantly revoke access across the entire ecosystem.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          Risk severity depends on user privilege levels, sharing rules, and the authentication mechanisms used.

          Higher Risk When

          Strict roles and object-access permissions are not defined for users and profiles.

          Low Risk When

          This control can be considered low risk when one or more compensating controls are implemented, including:

          • Multi-Factor Authentication: MFA is enforced at the IdP or via Salesforce high-assurance authentication policies.
          • Login IP Allowlist: Restrict the login IP addresses on the user profile so that logins come only from a trusted network.

          Business and Integration Considerations

          Customers should consider their business processes, user permissions and roles, and user experience when configuring the authentication process for Experience Site users.

          Recommended Remediation

          Configure Experience Site Users to authenticate using SAML.

          Security Health Review Guidance

          Require SAML authentication for Experience Site users.

           