Single Sign-On Settings Control
Single Sign-On centralizes authentication by allowing users to access Salesforce and integrated applications using a trusted identity provider.
Control Name
Single Sign-On (SSO) Configuration and Identity Architecture
Recommended Configuration
Enable centralized SSO using an enterprise Identity Provider (IdP), enforce strong authentication policies, and avoid legacy authentication mechanisms.
Control Overview
Single Sign-On centralizes authentication by allowing users to access Salesforce and integrated applications using a trusted IdP. Salesforce supports multiple SSO models, including acting as a Service Provider, Identity Provider, or both, and legacy Delegated Authentication. Proper SSO configuration ensures consistent identity enforcement, improved security posture, and reduced credential risk.
Security Risk If Not Configured
Without properly configured SSO, authentication relies on fragmented or legacy controls, increasing exposure to credential theft, weak passwords, inconsistent MFA enforcement, and unauthorized access to Salesforce and connected systems.
Threat Scenarios
- Weak local passwords exploited through phishing.
- Credential reuse across applications.
- Insecure cross-org SAML trust enabling unintended access.
- Legacy LDAP credential interception.
Estimated CVSS Score Range
Critical (9.0–10.0).
Risk Impact Considerations
Risk severity depends on user population size, privilege levels, exposure of the org to the internet, and the authentication mechanisms used across integrated systems.
Higher Risk When
Local Salesforce authentication is used with weak password standards, MFA is not enforced, IdP chaining is overly permissive, or Delegated Authentication relies on legacy LDAP.
Low Risk When
This control can be considered low risk when one or more compensating controls are implemented, including:
- Enterprise Identity Provider: Salesforce is integrated with a centralized IdP that enforces strong password policies and user lifecycle management.
- Multi-Factor Authentication: MFA is enforced at the IdP or via Salesforce high-assurance authentication policies.
- Modern Authentication Standards: SAML or OpenID Connect is used instead of legacy Delegated Authentication.
- Secure Identity Provider Chaining: Cross-org SAML and Experience Cloud trust relationships are explicitly scoped, documented, and periodically reviewed.
- Legacy Authentication Retirement: Delegated Authentication via LDAP is deprecated or tightly controlled with additional protections.
Business and Integration Considerations
Customers should consider user experience, integration compatibility, partner access, and migration planning when implementing or modernizing SSO. Legacy systems may require a phased transition to modern identity platforms.
Recommended Remediation
Implement centralized SSO using a trusted IdP, enforce MFA and strong password policies, review and restrict IdP chaining, migrate away from Delegated Authentication, and regularly review authentication logs and access patterns.
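As an added illustration of the "regularly review authentication logs and access patterns" step (example code written for this page, not Salesforce's own tooling), the Python below audits a set of constructed login records and reports which users still authenticate outside the IdP, which still use the legacy Delegated Authentication path, and which source addresses generate repeated failed password logins against local accounts. The record fields and the LoginType strings used for classification are modeled on the Salesforce LoginHistory object but are assumptions; check them against the values your own org records before using this logic on exported data.

```python
"""Audit login records for authentication that bypasses centralized SSO.

Added example, not Salesforce code. Records are constructed and modeled
loosely on Salesforce LoginHistory fields (user, LoginType, Status, source IP).
The LoginType strings below are assumptions to verify against your org.
"""
from collections import Counter, defaultdict

# Assumed LoginType values: adjust to match what your org's LoginHistory reports.
SSO_LOGIN_TYPES = {"SAML Idp Initiated SSO", "SAML Sfdc Initiated SSO"}
LEGACY_LOGIN_TYPES = {"Delegated Authentication"}  # LDAP-backed path the control retires
LOCAL_LOGIN_TYPES = {"Application"}                 # username/password checked by Salesforce itself

# Constructed sample records (not real data; IPs are documentation ranges).
SAMPLE_LOGINS = [
    {"user": "alice@example.com", "login_type": "SAML Idp Initiated SSO", "status": "Success", "ip": "198.51.100.10"},
    {"user": "alice@example.com", "login_type": "SAML Sfdc Initiated SSO", "status": "Success", "ip": "198.51.100.10"},
    {"user": "bob@example.com", "login_type": "Application", "status": "Success", "ip": "203.0.113.5"},
    {"user": "bob@example.com", "login_type": "Application", "status": "Invalid Password", "ip": "203.0.113.5"},
    {"user": "carol@example.com", "login_type": "Delegated Authentication", "status": "Success", "ip": "192.0.2.7"},
    {"user": "dave@example.com", "login_type": "Application", "status": "Invalid Password", "ip": "203.0.113.99"},
    {"user": "dave@example.com", "login_type": "Application", "status": "Invalid Password", "ip": "203.0.113.99"},
    {"user": "dave@example.com", "login_type": "Application", "status": "Invalid Password", "ip": "203.0.113.99"},
    {"user": "erin@example.com", "login_type": "Application", "status": "Success", "ip": "203.0.113.99"},
    {"user": "integration@example.com", "login_type": "Remote Access 2.0", "status": "Success", "ip": "198.51.100.20"},
]


def classify(login_type: str) -> str:
    """Map a LoginType string onto the authentication path it represents."""
    if login_type in SSO_LOGIN_TYPES:
        return "sso"
    if login_type in LEGACY_LOGIN_TYPES:
        return "legacy"
    if login_type in LOCAL_LOGIN_TYPES:
        return "local"
    # OAuth/connected-app flows and anything unrecognised are reported, not flagged.
    return "other"


def audit(records, failure_threshold: int = 3) -> dict:
    """Summarise successful logins per path and produce review findings.

    failure_threshold: number of failed local password logins from one source
    IP that is worth a closer look (an arbitrary value for this example).
    """
    successful_by_path = Counter()
    bypass_users = defaultdict(set)   # user -> non-SSO paths used successfully
    legacy_users = set()
    failed_local_by_ip = Counter()

    for r in records:
        path = classify(r["login_type"])
        if r["status"] == "Success":
            successful_by_path[path] += 1
            if path == "legacy":
                legacy_users.add(r["user"])
            if path in ("local", "legacy"):
                bypass_users[r["user"]].add(path)
        elif path == "local":
            # Failed password logins only exist where local credentials are still live.
            failed_local_by_ip[r["ip"]] += 1

    findings = []
    for user, paths in sorted(bypass_users.items()):
        findings.append(f"{user}: successful login outside the IdP via {', '.join(sorted(paths))}")
    for ip, count in sorted(failed_local_by_ip.items()):
        if count >= failure_threshold:
            findings.append(f"{ip}: {count} failed password logins against local accounts")

    total = sum(successful_by_path.values())
    return {
        "successful_by_path": dict(successful_by_path),
        "sso_share": successful_by_path["sso"] / total if total else 0.0,
        "bypass_users": dict(bypass_users),
        "legacy_users": legacy_users,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOGINS)
    print(f"SSO share of successful logins: {report['sso_share']:.0%}")
    for line in report["findings"]:
        print("-", line)
```

The SSO share is the single number to track over a migration away from local passwords and Delegated Authentication: it should trend toward 100% for interactive users, with any remaining non-SSO logins traceable to a documented exception. OAuth connected-app logins are counted under "other" because they are a separate authorization path rather than a failure of SSO enforcement.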
Security Health Review Guidance
Security Health Review highlights SSO and identity architecture controls to help customers strengthen authentication, reduce identity-related risk, and align with Salesforce-recommended security baselines and Zero Trust principles.