Supported SSO Scenarios: Salesforce as Identity Provider Control (OpenID Connect or SAML)
Control Name
Salesforce as Identity Provider for Applications
Control Overview
Allows Salesforce to act as the central identity authority for authenticating users to downstream applications.
Description
Salesforce authenticates users to external service providers or internal applications using SAML or OpenID Connect.
Recommended Configuration
Configure Salesforce as an identity provider (IdP) with MFA, high-assurance session policies, and consistent authentication enforcement for all relying parties.
Security Impact
Ensures that authentication controls and MFA enforcement are consistent across all integrated systems.
Business Impact
Improves identity governance and reduces risk from fragmented authentication models.
Security Risk If Not Configured
Inconsistent authentication enforcement and lack of MFA across downstream applications.
Threat Scenarios
Unauthorized access to connected applications, session misuse, inconsistent identity validation.
Estimated CVSS Score Range
High (7.0–8.9).
Risk Impact Considerations
Impact increases with the number of downstream applications relying on Salesforce identity.
Higher Risk When
Downstream apps authenticate independently or MFA is not enforced at the Salesforce login layer.
Low Risk When
Salesforce enforces MFA and session assurance consistently across all relying parties.
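The "consistent enforcement across all relying parties" condition above is only true if each downstream application checks what the identity provider actually asserted rather than assuming it. The following is an added example, not Salesforce code or configuration: a relying-party policy layer for an OpenID Connect ID token that accepts a login only when the token names this application as audience, has not expired, carries the expected nonce, reports a second factor in the standard `amr` claim, and has a recent `auth_time`. It assumes the token signature has already been verified by the application's JWT library against the IdP's published keys, that the IdP populates `amr` with RFC 8176 method values (the accepted set is site policy), and that the issuer URL, client ID, and sample tokens are constructed placeholders.

```python
import base64
import json

# Constructed values for this example (not a real org, client ID or token).
ISSUER = "https://example-org.my.salesforce.com"
CLIENT_ID = "relying-party-app-123"
# RFC 8176 amr values this relying party treats as a second factor (site policy, an assumption).
MFA_METHODS = {"mfa", "otp", "hwk", "swk"}
NOW = 1_700_000_000  # fixed clock so the demo is reproducible


class PolicyError(Exception):
    """Raised when an ID token fails the relying party's authentication policy."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def payload_of(id_token: str) -> dict:
    """Parse the claims segment of a compact JWT.

    Signature verification against the IdP's JWKS is assumed to have happened
    already in the JWT library; this helper only decodes the payload.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise PolicyError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def enforce_policy(claims: dict, *, now: int, expected_nonce=None,
                   max_auth_age: int = 900, skew: int = 60) -> dict:
    """Apply the relying party's policy to signature-verified claims.

    Returns a summary of the accepted session, or raises PolicyError. The
    checks follow OIDC Core ID-token validation plus the MFA and session
    freshness requirement recommended for every relying party.
    """
    if claims.get("iss") != ISSUER:
        raise PolicyError("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise PolicyError("token not issued for this relying party")
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise PolicyError("multi-audience token without matching azp")
    if claims.get("exp", 0) <= now - skew:
        raise PolicyError("token expired")
    iat = claims.get("iat")
    if iat is None or iat > now + skew:
        raise PolicyError("iat missing or in the future")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise PolicyError("nonce mismatch (possible replay)")
    amr = set(claims.get("amr") or [])
    if not amr & MFA_METHODS:
        raise PolicyError("IdP did not assert a second factor")
    auth_time = claims.get("auth_time")
    if auth_time is None:
        raise PolicyError("auth_time missing; cannot judge session freshness")
    if now - auth_time > max_auth_age:
        raise PolicyError("authentication too old for this relying party")
    return {"sub": claims["sub"], "amr": sorted(amr), "auth_age": now - auth_time}


def make_demo_token(claims: dict) -> str:
    """Build an UNSIGNED compact JWT for the offline demo only.

    A real IdP signs with RS256; the third segment here is a placeholder that
    any signature check would reject.
    """
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed sample tokens: one satisfying the policy, one where the IdP
# reports only a password.
GOOD_TOKEN = make_demo_token({
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "005demo", "nonce": "n-1",
    "iat": NOW - 30, "exp": NOW + 300, "auth_time": NOW - 120, "amr": ["pwd", "otp"],
})
NO_MFA_TOKEN = make_demo_token({
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "005demo", "nonce": "n-1",
    "iat": NOW - 30, "exp": NOW + 300, "auth_time": NOW - 120, "amr": ["pwd"],
})


def evaluate(id_token: str, nonce: str = "n-1") -> dict:
    """Run the policy on a token; return the accepted session or the rejection reason."""
    try:
        return enforce_policy(payload_of(id_token), now=NOW, expected_nonce=nonce)
    except PolicyError as err:
        return {"rejected": str(err)}


if __name__ == "__main__":
    print(evaluate(GOOD_TOKEN))
    print(evaluate(NO_MFA_TOKEN))
```

The same pattern applies to SAML relying parties by checking the assertion's audience, validity window, and the authentication context class the IdP reports before creating a local session; the point in both cases is that MFA and session assurance are verified at each application rather than inherited silently from the IdP.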
Business and Integration Considerations
Common in hub-and-spoke identity architectures and internal SaaS ecosystems.
Security Health Review Guidance
Security Health Review flags missing IdP configurations and highlights inconsistent identity propagation risks.
Who Is Impacted
Users accessing third-party or internal applications through Salesforce identity.