Review Identity and Authentication Controls
Learn about identity and authentication controls.
- Review Single Sign-On Controls
Single Sign-On (SSO) is a foundational security control in Salesforce that enables centralized, enterprise-grade identity management while reducing reliance on local credentials.
- Review Multi-Factor Authentication Controls
Multi-factor authentication (MFA) is a secure authentication method that requires users to verify their identity with a second piece of evidence (or factor) in addition to their password.
- Authentication Provider Control
In Salesforce, an authentication provider is used when you want Salesforce to let users log in using their credentials from another service.
- Identity Provider Control
Configure Salesforce as an Identity Provider (IdP) when you want Salesforce to be the "source of truth."
- Identity Verification Control
The control objective of Identity Verification settings in Salesforce is to enforce risk-based authentication by requiring users to provide secondary proof of identity whenever their login context changes.
- OAuth and OpenID Connect Settings Control
OAuth is primarily used to provide secure, delegated access to the platform's data for external applications.
- Single Sign-On Settings Control
Single Sign-On centralizes authentication by allowing users to access Salesforce and integrated applications using a trusted identity provider.
- Session Security Level Policies Control
The control objective of High-Assurance Session Security is to enforce "Step-up Authentication" for high-risk operations.
- Authenticate Experience Cloud Site Users Control
The control objective of enabling SAML-based SSO for Experience Site users is to centralize external identity management.
- Single Logout Control
Configure Single Logout for applicable use cases for connections with external applications or identity providers.
- Login Access Control
Salesforce admins can set up an org to allow Salesforce support users, partner support users, or subscribers to log in to the org as another user.
- Manage User Passwords Control
Password policies in Salesforce enforce robust authentication standards, such as complexity, length, and expiration, to prevent unauthorized access via "Brute Force" or "Credential Stuffing" attacks.
- Lightning Login for Password-Free Login Control
The control objective of restricting Lightning Login to only users with the specific "Lightning Login User" permission is to make sure that passwordless authentication is deployed as a privileged, granular access method rather than an org-wide default.
- Manage Salesforce User Identities with SCIM Control
Managing Salesforce user identities with SCIM (System for Cross-domain Identity Management) helps to automate the entire user lifecycle.
- Review Session Security Settings
Learn about session security settings.
- Review Limit Interactions with External URLs and Origins
Learn about limiting interactions with external URLs and origins.
- Limit Login IP Ranges Control
Login IP Ranges at the profile level enforce a zero trust boundary by restricting Salesforce access to only authorized, company-controlled network environments (like a corporate VPN or office IP).

