Loading
Salesforce now sends email only from verified domains. Read More
Identify Your Users and Manage Access
Table of Contents
Filter by (0)Add
Select Filters

          No results
          No results
          Here are some search tips

          Check the spelling of your keywords.
          Use more general search terms.
          Select fewer filters to broaden your search.

            Search all of Salesforce Help
            Search all of Salesforce Help
            Require Users to Log In with Single Sign-On (SSO)

            You are here:

            1. Salesforce Help
            2. Docs
            3. Identify Your Users and Manage Access

            Require Users to Log In with Single Sign-On (SSO)

            By default, when you set up single sign-on, users can log in from the SSO provider or from Salesforce. To ensure that users can’t bypass your SSO system, disable their ability to log in with their Salesforce username and password so that they’re required to log in with SSO. We recommend that you don’t require SSO for Salesforce admins so that they can still access Salesforce to respond to SSO outages or other issues.

            Required Editions

            Available in: both Salesforce Classic and Lightning Experience
            Available in: all editions
            User Permissions Needed
            To view the settings: View Setup and Configuration
            To edit the settings:

            Customize Application

            AND

            Modify All Data
            1. Disable direct logins through login.salesforce.com.
              1. From Setup, in the Quick Find box, enter My Domain, then select My Domain.
              2. In the Routing and Policies section, click Edit.
              3. In production, select Prevent login from https://login.salesforce.com. In a sandbox, select Prevent login from https://test.salesforce.com.
              4. Save your changes.
            2. For users who have the Is Single Sign-On Enabled user permission, disable their ability to log in with Salesforce credentials.
              1. From Setup, in the Quick Find box, enter Single Sign-On, then select Single Sign-On Settings.
              2. Click Edit.
              3. In Delegated Authentication, select Disable login with Salesforce credentials, then save your changes.
                This setting doesn’t directly disable username-password logins for all users. It applies only to users who have the Is Single Sign-On Enabled user permission. As long as you don’t assign this permission to users—such as admin users who must be able to log in if SSO is down— they can still log in with their Salesforce credentials when this setting is turned on.
            3. To require SSO of certain users, assign them the Is Single Sign-On Enabled user permission. To use permission sets, complete these steps.
              Note
              Note You can use profiles instead of permission sets, but it isn’t recommended.
              1. Create a permission set that includes the Is Single Sign-On Enabled user permission. Or, add this permission to an existing permission set.
              2. Assign the permission set to the users.
                Important
                Important As recommended, to exempt admins from the SSO requirement, don’t assign the Is Single Sign-On Enabled user permission.
              3. If you change an SSO implementation that users are currently using, ensure that users know the new URL where they can access your SSO login page.
             
            Loading
            Salesforce Help | Article