          Web App Settings: After Enabling SAML, Configure the Required Policies Control

          Control Name

          Connected Apps: Web App Settings: After enabling SAML, configure the required policies

          Recommended Configuration

          After enabling SAML, configure the required policies.

          Control Overview

          This security setting defines the required cryptographic signing algorithms, assertion validation rules, and service provider endpoints to secure the Security Assertion Markup Language exchange between the identity provider and the web application.

          Security Risk If Not Configured

          Weak SAML policy configuration for web applications creates a risk of identity spoofing through forged or injected assertions and XML-based attacks that bypass the authentication the protocol is meant to enforce.

          Threat Scenarios

          An attacker intercepts an unencrypted assertion and performs an XML signature-wrapping attack or injects a forged identity claim to gain unauthorized access to a high-privilege user session.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          Failure to enforce strict SAML policies facilitates administrative account takeover and persistent session hijacking, potentially compromising the integrity of all federated data within the interconnected ecosystem.

          Higher Risk When

          The company signs assertions with the outdated SHA-1 hash algorithm, or does not require the entire SAML assertion to be encrypted in transit.

          Low Risk When

          The company enforces SHA-256 for all digital signatures and binds every authentication request to a unique, short-lived identifier (a nonce) that the returned assertion must echo, so that a replayed assertion is rejected.
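The assertion validation rules this control describes (SHA-256-only signatures, a signature that actually covers the assertion, a bounded validity window, an audience check, and a single-use request identifier as the anti-replay nonce), shown as an added Python example on the service-provider side. This is illustrative code written for this page, not Salesforce code, and it does not show how a Connected App enforces the policy. It assumes a hypothetical service-provider entity ID `https://sp.example.com` and a constructed sample assertion; verifying the signature bytes against the identity provider's certificate is delegated to an XML-DSig library and not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Policy: SHA-256 signature and digest algorithms only; SHA-1 identifiers are not in the set.
SHA256_SIG_ALGS = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                   "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"}
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"   # legacy algorithm, rejected by the policy

class AssertionRejected(Exception):
    """Raised when an assertion violates the service-provider policy."""

def _ts(value):
    # SAML timestamps are UTC ISO 8601 ending in Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

class AssertionPolicy:
    def __init__(self, audience, clock_skew_seconds=60):
        self.audience = audience               # this service provider's entity ID (assumed value)
        self.skew = timedelta(seconds=clock_skew_seconds)
        self.pending_requests = set()          # AuthnRequest IDs we issued and have not yet consumed
        self.accepted_ids = set()              # assertion IDs already accepted (replay defence)

    def issue_request_id(self, request_id):
        self.pending_requests.add(request_id)

    def validate(self, assertion_xml, now):
        root = ET.fromstring(assertion_xml)
        assertion_id = root.get("ID", "")
        # 1. The signature must be a direct child of the Assertion and reference its own ID;
        #    a signature found elsewhere or pointing at another ID is rejected outright
        #    (the structural shape of a signature-wrapping attempt).
        sig = root.find("ds:Signature", NS)
        ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
        if ref is None or ref.get("URI") != "#" + assertion_id:
            raise AssertionRejected("signature missing or does not reference this assertion")
        # 2. Cryptographic policy: SHA-256 family only. Verifying the signature bytes against
        #    the IdP certificate is left to an XML-DSig library (assumed, not shown here).
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        sig_alg = method.get("Algorithm") if method is not None else None
        if sig_alg not in SHA256_SIG_ALGS:
            raise AssertionRejected("signature algorithm not allowed: %s" % sig_alg)
        digest = ref.find("ds:DigestMethod", NS)
        if digest is None or digest.get("Algorithm") != SHA256_DIGEST:
            raise AssertionRejected("digest algorithm not allowed")
        # 3. Validity window, tolerating bounded clock skew.
        cond = root.find("saml:Conditions", NS)
        if cond is None or now + self.skew < _ts(cond.get("NotBefore")):
            raise AssertionRejected("assertion not yet valid")
        if now - self.skew >= _ts(cond.get("NotOnOrAfter")):
            raise AssertionRejected("assertion expired")
        # 4. Audience must name this service provider.
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.audience not in audiences:
            raise AssertionRejected("audience mismatch")
        # 5. Single use: the assertion must answer a request we issued (the nonce), and neither
        #    that request ID nor the assertion ID may have been consumed before.
        scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        in_response_to = scd.get("InResponseTo") if scd is not None else None
        if in_response_to not in self.pending_requests:
            raise AssertionRejected("unsolicited or replayed InResponseTo")
        if assertion_id in self.accepted_ids:
            raise AssertionRejected("replayed assertion ID")
        self.pending_requests.discard(in_response_to)
        self.accepted_ids.add(assertion_id)
        return {"id": assertion_id, "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS)}

def check(policy, assertion_xml, now):
    """Return (True, name_id) on acceptance or (False, reason) on rejection."""
    try:
        return True, policy.validate(assertion_xml, now)["name_id"]
    except AssertionRejected as exc:
        return False, str(exc)

def sample_assertion(sig_alg, assertion_id="_a1", in_response_to="_req1"):
    # Constructed for this example, not issued by any real IdP; SignatureValue is a placeholder.
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="{assertion_id}" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{sig_alg}"/>
    <ds:Reference URI="#{assertion_id}"><ds:DigestMethod Algorithm="{SHA256_DIGEST}"/></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="{in_response_to}" NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion>"""

NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)   # constructed "current time" for the sample
```

To exercise it, create `AssertionPolicy("https://sp.example.com")`, register `_req1` with `issue_request_id`, and call `check` with `sample_assertion(RSA_SHA256)` and `NOW`: the first call is accepted and returns the subject, the same assertion presented again is rejected because its request ID has been consumed, and `sample_assertion(RSA_SHA1, ...)` is rejected on the signature algorithm before any other check runs. The checks are ordered so that the structural and cryptographic policy is enforced before the assertion's contents are trusted, which is the point of the control.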

          Business and Integration Considerations

          Implementing hardened SAML policies ensures seamless single sign-on for the workforce while requiring the service provider to support advanced cryptographic standards and specific attribute mapping.

          Recommended Remediation

          Go to the Web App Settings for the Connected App, turn on SAML, configure the entity ID, ACS URL, and subject type, and upload the required security certificate.

          Security Health Review Guidance

          Security Health Review identifies the use of robust SAML assertion policies as a strongly recommended standard to protect federated identity flows from manipulation and ensure the authenticity of every external service access request.
