
Can I force users to login with Federated SSO only?

Knowledge Article Number 000003861
Description

Some organizations have a requirement that users log in to Salesforce only through Federated SSO (a SAML assertion from the organization's Identity Provider), and that the standard Salesforce login page (login.salesforce.com) be blocked for them. Without this restriction, a user who still has a Salesforce password can bypass the Identity Provider entirely.

This can be achieved by using the My Domain feature. In summary, you restrict users from logging in at "login.salesforce.com", which forces them to authenticate at your own Identity Provider's login URL.

Doing this will result in the following behaviour:
- Users attempting to log in through login.salesforce.com will receive an authentication error.
- Users attempting to log in through the mydomain URL will be redirected to the Identity Provider Login URL.

Resolution

Here are the steps to implement this:

Browse to: Setup > Domain Management > My Domain
1. Enable MyDomain
2. Follow the instructions to set it up and deploy to users.
3. Set "Require login from <mydomain>" to True

* Note: The above process may take up to 48 hours for domain name propagation.
* Note: Deploying My Domain is not reversible. All pages in the Salesforce org will use the My Domain URL (https://<mydomain>.my.salesforce.com) rather than the instance URL (for example https://na1.salesforce.com), so any hard-coded instance URLs in integrations or bookmarks should be updated.

Browse to: Setup > Security Controls > Single Sign-On Settings
4. Set "Identity Provider Login URL" to the URL of the Identity Provider login page users should be forced to use. Users who open the My Domain URL are redirected here.
5. Set "Entity Id" to the My Domain URL (https://<mydomain>.my.salesforce.com). The Identity Provider must issue assertions whose Audience matches this value exactly, or the SAML login will fail.
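After step 5 the most common failure is a mismatch between the Entity Id configured here and what the Identity Provider actually puts in its assertion. The following script is an added example (not Salesforce's own code or part of this article) that checks a SAML response the way a practitioner would before going live: the Audience must equal the My Domain Entity Id, and the Destination and Recipient must point at the My Domain host, not at login.salesforce.com. The domain name "acme", the IdP issuer URL and both SAML responses are constructed for the example.

```python
"""Sanity-check a SAML response against the My Domain Entity Id.

Added example. Uses only the Python standard library; the two responses
below are constructed (not captured from a real org).
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical My Domain name; the article leaves <mydomain> as a placeholder.
MY_DOMAIN = "acme"
ENTITY_ID = f"https://{MY_DOMAIN}.my.salesforce.com"


def check_assertion(xml_text, entity_id=ENTITY_ID):
    """Return a list of problems; an empty list means the response targets
    the My Domain Entity Id correctly. Python's ElementTree does not resolve
    external entities, so untrusted XML does not trigger XXE here."""
    root = ET.fromstring(xml_text)
    problems = []
    expected_host = urlparse(entity_id).hostname.lower()

    # 1. Audience must equal the Entity Id from Single Sign-On Settings.
    audiences = [
        a.text.strip()
        for a in root.findall(
            ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]
    if entity_id not in audiences:
        problems.append(
            f"Audience {audiences} does not contain Entity Id {entity_id}")

    # 2. Destination (on the Response) and Recipient (on the bearer
    #    SubjectConfirmationData) must be on the My Domain host. A value on
    #    login.salesforce.com means the IdP is still configured for the
    #    standard login endpoint that this procedure blocks.
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    targets = {
        "Destination": root.get("Destination"),
        "Recipient": scd.get("Recipient") if scd is not None else None,
    }
    for name, url in targets.items():
        if not url:
            problems.append(f"{name} attribute is missing")
            continue
        host = (urlparse(url).hostname or "").lower()
        if host != expected_host:
            problems.append(
                f"{name} {url} is not on My Domain host {expected_host}")
    return problems


# Constructed response that matches the My Domain configuration.
GOOD_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="{ENTITY_ID}">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ENTITY_ID}"
            NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z"
        NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>{ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed response from an IdP still pointed at the standard login
# endpoint: wrong Audience, and Destination/Recipient on login.salesforce.com.
BAD_RESPONSE = (
    GOOD_RESPONSE
    .replace(f"Destination=\"{ENTITY_ID}\"",
             "Destination=\"https://login.salesforce.com\"")
    .replace(f"Recipient=\"{ENTITY_ID}\"",
             "Recipient=\"https://login.salesforce.com\"")
    .replace(f"<saml:Audience>{ENTITY_ID}</saml:Audience>",
             "<saml:Audience>https://saml.salesforce.com</saml:Audience>")
)

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_assertion(resp) or "OK")
```

This only checks that the assertion is addressed to the My Domain Entity Id; it does not verify the XML signature, which Salesforce does on its side using the Identity Provider certificate uploaded in Single Sign-On Settings. Run it against a SAML response captured from the browser (for example from a SAML tracer extension, base64-decoded) before enabling the My Domain login restriction, so a misconfigured Identity Provider does not lock users out.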
