Set Up and Maintain Your Salesforce Organization
          Identity Provider Control

          Configure Salesforce as an Identity Provider (IdP) when you want Salesforce to be the "source of truth."

          Configuring Salesforce as an IdP allows users to log in to Salesforce once and then access other external applications without logging in again. You can configure single sign-on (SSO) so that users can log in to an external service provider or relying party with their Salesforce credentials. You can enable your Salesforce org as a SAML IdP and integrate a service provider as a SAML external client app or connected app. You can also use OpenID Connect to integrate a relying party with your org.

          When properly implemented, your Salesforce org becomes a reliable IdP that lets users log in to Salesforce once and then access the other external applications without logging in again. When misconfigured, companies face increased risk of credential compromise, unauthorized access, lateral movement, and reduced visibility into identity posture. Threat actors who compromise your Salesforce org don't just have access to the org itself; they are automatically logged in to every connected app that trusts Salesforce.

          Security Health Review reports whether your Salesforce instance is configured as an IdP, using configuration signals aligned with Salesforce-recommended best practices, and highlights the gaps that present the highest security and business risk.

          Control Name

          Identity Provider Configuration and Validation

          Recommended Configuration

          Configure, validate, and regularly review the Salesforce Identity Provider setup to make sure that it is correctly scoped and securely integrated.

          Control Overview

          The Identity Provider setup makes Salesforce the IdP, allowing users to log in to Salesforce and then access the external applications listed as Service Providers without logging in again. Proper configuration ensures that authentication assertions are signed with strong signing algorithms and that access scopes are configured with the right access controls in place.

          Security Risk If Not Configured

          A misconfigured IdP setup can allow Salesforce to grant excessive access, leave offboarding incomplete (leading to unauthorized account takeover), or expose the connected Service Providers, and Salesforce itself, to lateral movement.

          Threat Scenarios

          Acceptance of forged or replayed authentication tokens, unauthorized user provisioning via misconfigured IdP mappings, trust relationships with deprecated or compromised IdPs, misuse of overly permissive provider configurations.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          Risk severity depends on the number of external applications configured as Service Providers, the size of the user population, the access privileges granted upon login, and whether providers are externally managed or consumer-facing.

          Higher Risk When

          The Identity Provider setup does not use a strong assertion signing algorithm, or grants excessive permission scopes.

          Low or No Risk When

          This control can be considered low risk when one or more of the following are implemented:

          • Periodic Review of Service Providers: Review the applications connected to Salesforce as Service Providers and understand their risks.
          • Certificate Management: Periodically review the certificate that enables your org to communicate with the service provider, and use a certificate issued by a trusted CA.
          • Forced Authentication Configured: Users who are already logged in to Salesforce must re-enter their credentials when they try to access the service provider.
          • Secure Attribute Mapping: User attributes and provisioning rules are tightly scoped to enforce least privilege.
          • Login Timeout: Users are automatically logged out of the service provider when they log out of Salesforce.
          • Metadata Management: Metadata discovery endpoints are kept current and reviewed periodically.
          • MFA Enforcement: MFA is enforced for Salesforce users.
          • IP Login Restriction: IP login restrictions are applied to users with privileges to modify the setup.
          • Governance Controls: The Salesforce IdP setup is centrally governed, documented, and reviewed as part of identity lifecycle management.
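The assertion-level checks behind several of these controls (strong signing algorithm, tightly scoped attributes, and rejection of stale or replayed tokens from the Threat Scenarios above), written as an added Python example that is not Salesforce's own code; the SAML assertion, the audience URL and the allowed attribute set are constructed for illustration, and SHA-256 or stronger is assumed to be the bar for a strong algorithm:

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Assumption: only SHA-256 or stronger RSA signature methods count as a strong assertion algorithm.
STRONG_SIG_ALGS = {f"http://www.w3.org/2001/04/xmldsig-more#rsa-sha{b}" for b in (256, 384, 512)}

def _ts(value):  # SAML timestamps are UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_assertion(xml_text, expected_audience, allowed_attrs, seen_ids, now):
    """Return findings for one SAML assertion (empty list = passed); `now` is a UTC timestamp string.
    Only the declared algorithm is inspected; verifying the signature with the IdP certificate is a separate step."""
    findings, a, now = [], ET.fromstring(xml_text), _ts(now)
    sig = a.find(".//ds:SignatureMethod", NS)  # 1. strong assertion signing algorithm
    alg = sig.get("Algorithm") if sig is not None else None
    if alg is None:
        findings.append("assertion carries no signature")
    elif alg not in STRONG_SIG_ALGS:
        findings.append(f"weak signature algorithm: {alg}")
    cond = a.find("saml:Conditions", NS)  # 2. validity window: reject stale or not-yet-valid assertions
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and na and _ts(nb) <= now < _ts(na)):
        findings.append("assertion has no Conditions or is outside its validity window")
    audiences = [e.text for e in a.findall(".//saml:Audience", NS)]  # 3. audience must be this SP
    if expected_audience not in audiences:
        findings.append(f"audience restriction missing or mismatched: {audiences}")
    for attr in a.findall(".//saml:Attribute", NS):  # 4. attribute mapping scope (least privilege)
        if attr.get("Name") not in allowed_attrs:
            findings.append(f"unexpected attribute released: {attr.get('Name')}")
    aid = a.get("ID")  # 5. replay detection: each assertion ID is accepted once, then remembered
    if aid in seen_ids:
        findings.append(f"replayed assertion ID: {aid}")
    seen_ids.add(aid)
    return findings

# Constructed sample (not real Salesforce output): SHA-1 signed and releases an extra attribute.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_example1" IssueInstant="2024-01-01T12:00:00Z">
 <saml:Issuer>https://example-org.my.salesforce.com</saml:Issuer>
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod
  Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo></ds:Signature>
 <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>u@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="is_admin"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
```

Running `audit_assertion(SAMPLE, "https://sp.example.com", {"email"}, set(), "2024-01-01T12:01:00Z")` reports the SHA-1 signature and the over-released `is_admin` attribute; presenting the same assertion a second time with the same `seen_ids` set adds a replay finding.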

          Business and Integration Considerations

          Customers should evaluate business justification for each Authentication Provider, especially consumer identity platforms, and ensure alignment with access policies, regulatory requirements, and user experience expectations.

          Recommended Remediation

          Review the configured IdP setup and all connected Service Providers; disable unused or untrusted providers; validate provider metadata and certificates; restrict attribute mappings; enforce MFA; and establish periodic governance reviews.

          Security Health Review Guidance

          Security Health Review identifies the IdP setup configured in Salesforce and its connected Service Providers, helping customers reduce identity federation risk and prevent unauthorized access by applying Salesforce-recommended security baselines and Zero Trust principles.

          Salesforce Help | Article