          Single Sign-On for Salesforce Customer Identity Control


          This control enables federated authentication (SAML or OpenID Connect), allowing customers to use a single, trusted set of credentials from an external identity provider (IdP) to access multiple Salesforce sites and integrated applications.

          Control Name

          Single Sign-On (SSO) for Salesforce Customer Identity

          Recommended Configuration

          With SSO for Salesforce Customer Identity, users can log in to multiple applications with one set of credentials.

          Control Overview

          This control enables federated authentication (SAML or OpenID Connect), allowing customers to use a single, trusted set of credentials from an external IdP to access multiple Salesforce sites and integrated applications.

          Security Risk If Not Configured

          Users are forced to manage unique passwords for every individual application, leading to poor password hygiene (reuse) and making it impossible for the company to enforce a single, unified MFA policy across the entire digital ecosystem.

          Threat Scenarios

          An attacker successfully runs a credential-stuffing attack on a user's weaker, non-SSO account and uses those leaked credentials to gain entry to the Salesforce portal because the account wasn't protected by the centralized security controls of a master IdP.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

          Without a central authentication link, a security gap is created where revoking access in your main system fails to deactivate the corresponding Salesforce account, allowing former employees or partners to retain unauthorized access to sensitive company data after their departure.

          Higher Risk When

          "Password Never Expires" is enabled for local Salesforce users or when the company lacks a centralized way to detect anomalous login patterns across different platforms.

          Low Risk When

          The company enforces Salesforce-native MFA and strict Password Complexity Policies for all local accounts to compensate for the lack of a centralized Identity Provider.

          Business and Integration Considerations

          Requires integration with customer-facing IdPs. Implementing SSO requires technical alignment on "Just-in-Time" (JIT) provisioning logic to make sure that user records are created or updated correctly in Salesforce without manual intervention during the first login.

          Recommended Remediation

          Navigate to Single Sign-On Settings in Setup, create a SAML or Auth. Provider configuration, and link it to your site's Login & Registration settings to enable the SSO button.

          Security Health Review Guidance

          Security Health Review prioritizes central identity management. SSO for portals allows you to apply enterprise-grade security checks, like MFA and conditional access, to your external users while reducing the friction of manual password management.
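
          A reconciliation check for the deprovisioning gap described under Risk Impact Considerations, as an added example that is not Salesforce's own code. It assumes a Salesforce User export with the standard fields Username, IsActive and FederationIdentifier, and a hypothetical IdP export of "subject" and "active"; all sample rows are constructed.

```python
"""Added example: find Salesforce accounts that sit outside the IdP's control."""

# Constructed sample of a Salesforce User export (standard User fields).
SALESFORCE_USERS = [
    {"Username": "ana@example.com", "IsActive": True, "FederationIdentifier": "ana@idp.example"},
    {"Username": "bo@example.com", "IsActive": True, "FederationIdentifier": "bo@idp.example"},
    {"Username": "cy@example.com", "IsActive": True, "FederationIdentifier": None},
    {"Username": "di@example.com", "IsActive": False, "FederationIdentifier": "di@idp.example"},
    {"Username": "ed@example.com", "IsActive": True, "FederationIdentifier": "ed@idp.example"},
]

# Constructed sample of an IdP directory export. The "subject"/"active"
# row shape is a hypothetical format, not a specific vendor's schema.
IDP_USERS = [
    {"subject": "ana@idp.example", "active": True},
    {"subject": "bo@idp.example", "active": False},  # offboarded in the IdP
    {"subject": "di@idp.example", "active": False},
]


def audit_accounts(sf_users, idp_users):
    """Return active Salesforce usernames grouped by finding.

    local_only: no FederationIdentifier, so the account can only be used
                with a local Salesforce password.
    orphaned:   FederationIdentifier does not match an active IdP subject,
                so revoking access in the IdP did not deactivate the account.
    """
    # Assumption: the IdP subject is stored verbatim in FederationIdentifier,
    # so the comparison is an exact, case-sensitive match.
    active_subjects = {u["subject"] for u in idp_users if u["active"]}
    findings = {"local_only": [], "orphaned": []}
    for user in sf_users:
        if not user["IsActive"]:
            continue  # already deactivated in Salesforce
        fed_id = (user.get("FederationIdentifier") or "").strip()
        if not fed_id:
            findings["local_only"].append(user["Username"])
        elif fed_id not in active_subjects:
            findings["orphaned"].append(user["Username"])
    return findings


if __name__ == "__main__":
    for kind, names in audit_accounts(SALESFORCE_USERS, IDP_USERS).items():
        print(f"{kind}: {', '.join(names) or 'none'}")
```

          Accounts reported as orphaned are candidates for deactivation; accounts reported as local_only are the ones that rely on Salesforce-native MFA and password policy instead of the IdP.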

           