          FAQs for Single Sign-On


          Review these frequently asked questions (FAQs) to help you implement and troubleshoot single sign-on (SSO).

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience

          Federated Authentication is available in: All Editions

          Delegated Authentication is available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions

          Customer Portals and partner portals aren’t available in Database.com

          What are the different ways that I can implement SSO?
          You can configure your Salesforce org as an identity provider, a service provider, or both. For each of these use cases, you select the authentication protocol to use. Salesforce supports SSO with SAML and OpenID Connect. Salesforce also has preconfigured authentication providers that you can use to enable SSO with systems that have their own authentication protocols, like Facebook. For more information, see Single Sign-On Use Cases. To see a SAML SSO implementation where Salesforce is the identity provider, watch this video.
          Where can I view SSO errors?
          You can view login errors in the Login History report. From Setup, in the Quick Find box, enter Login History, and then select Login History.
          Does SSO work outside my corporate firewall?
          Yes. When users are outside the corporate firewall, they can use their network passwords to log in to Salesforce. Or, you can require users to connect to your corporate network before logging in.
          Can I validate a SAML response?
          Yes. After you configure SSO, to access the SAML Validation page from Setup, click SAML Validation on the Single Sign-On Settings page. If a user tries to log in to Salesforce and fails, the invalid SAML assertion is used to automatically populate the SAML Assertion Validator. On the SAML Validation page, if the SAML assertion isn’t automatically populated, you can enter the XML or base64-encoded SAML response that you received from your service provider. Salesforce validates the response against the values provided during SSO setup, and provides detailed information about the response.
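The following added example, which is not Salesforce code and not part of the original article, decodes an XML or base64-encoded SAML response and compares its issuer, audience, recipient, and validity window with the values you expect, as a local triage step before using the SAML Validation page. The `EXPECTED` keys and all example.com values are assumptions, and the XML signature is not verified.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # SAML instants are UTC

def load_response(raw):
    """Accept raw XML or a base64-encoded SAML response."""
    text = raw.strip()
    if not text.startswith("<"):
        text = base64.b64decode(text).decode("utf-8")
    return ET.fromstring(text)

def check_response(raw, expected, now):
    """List mismatches against expected settings. Does NOT verify the XML signature."""
    assertion = load_response(raw).find(".//a:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    problems = []
    issuer = assertion.findtext("a:Issuer", "", NS).strip()
    if issuer != expected["issuer"]:
        problems.append("issuer mismatch")
    audiences = [e.text.strip() for e in assertion.iterfind(".//a:Audience", NS) if e.text]
    if expected["audience"] not in audiences:
        problems.append("audience mismatch")
    scd = assertion.find(".//a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["recipient"]:
        problems.append("recipient mismatch")
    cond = assertion.find("a:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if nb is None or na is None:
        problems.append("missing validity window")
    elif not (_ts(nb) <= now < _ts(na)):
        problems.append("outside validity window")
    return problems

# Constructed sample: hypothetical identity provider and service provider values.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
<saml:Issuer>https://idp.example.com</saml:Issuer><saml:Subject><saml:SubjectConfirmation>
<saml:SubjectConfirmationData Recipient="https://sp.example.com/acs"/>
</saml:SubjectConfirmation></saml:Subject><saml:Conditions
 NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience>
</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
EXPECTED = {"issuer": "https://idp.example.com", "audience": "https://sp.example.com", "recipient": "https://sp.example.com/acs"}
```

Pass `now` as a timezone-aware UTC `datetime`; an empty list means the checked fields match.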
          Can I configure a start page and logout page that are specific to my company?
          Yes.
          Can I test my SSO configuration before implementing it?
          Yes. Use a Developer Edition account or a sandbox to develop and test the configuration first. To sign up for a free Developer Edition account, go to developer.salesforce.com.
          Keep in mind that sandbox copies are made with SAML disabled. Configuration information is preserved, except for the Salesforce Login URL. The Salesforce Login URL is updated to match your sandbox URL after you re-enable SAML, for example, https://yourInstance.salesforce.com/. To enable SAML in the sandbox:
          1. From Setup, in the Quick Find box, enter Single Sign-On Settings, then select Single Sign-On Settings.
          2. Click Edit, and select SAML Enabled.
          Can I prevent users from logging into Salesforce with their username and password?
          Yes. You can require users to log in to Salesforce with SSO by disabling direct logins for all standard users. Preventing logins with a Salesforce username and password ensures that users can’t bypass your SSO system. Make sure affected users know the URL where they can access your SSO login page.
          Note: We don’t recommend disabling login credentials for Salesforce admins. As an admin, you must be able to log in directly to Salesforce with a username and password so you can respond to an SSO outage or other problem.
          Can I enable SSO for Salesforce admins?
          You’re welcome to enable SSO for Salesforce admins, but we recommend that you also allow some or all of your admins to log in directly using multi-factor authentication (MFA). Admins who can log in directly can address an outage or other problem with your SSO implementation. For example, consider a situation where your third-party SSO provider has a sustained outage. An admin can use the standard Salesforce login page to log in with their username, password, and MFA, and then they can disable SSO until the problem is resolved.
          Access the standard login page by modifying the Salesforce URL. You can add login as a query string parameter, for example, https://northerntrailoutfitters-dev-ed.my.salesforce.com/?login. Or you can append login=true to the URL, for example, https://northerntrailoutfitters-dev-ed.my.salesforce.com/?login=true.
          Can I use Salesforce MFA for SSO?
          Yes. You can use the free MFA service included in Salesforce for SSO configurations that use Salesforce as your identity provider. With this approach, users log in to Salesforce and are prompted to provide a supported MFA verification method to confirm their identity.
          Can I use my third-party identity provider’s MFA service for SSO?
          Yes. You can use your third-party identity provider’s MFA service to centralize your SSO and MFA solutions. This approach also provides MFA to external apps that integrate with the third-party identity provider. When users log in through your identity provider, they’re granted high assurance access, and Salesforce doesn’t require them to provide a verification method.
           