Single Sign-On (SSO) and Password Management FAQ

Knowledge Article Number 000005229

Enabling Single Sign-On (SSO) for an organization changes the way passwords are managed in Salesforce. What follows are answers to frequently asked questions about SSO and password management.


Q: What happens when an SSO-enabled user clicks on the "Forgot your Password?" link on the login page?

A: The user will be sent an email with a link to reset their password. When they click the link, they'll be taken to a page with a notice that states, "Passwords cannot be reset for Single Sign-On Users. Please contact your System Administrator to reset your password." Note: This message isn't customizable.


Q: What happens when an SSO-enabled user visits the login page and enters the wrong password?

A: The user will see the same bold message to the right of the login box as regular users who forget their passwords: "Invalid username or password. Please remember that username must be in the form of an email address (example: Please try again or contact the Administrator at your company for more information."


Q: Do password policies remain in effect for SSO users? (For example: does Salesforce impose any limit on the number of login attempts?)

A: No. Salesforce doesn't enforce any password policies for SSO users. All of this needs to be done in the SSO gateway.


Q: What happens if an Administrator clicks the "Reset Password" button on the Edit screen of an SSO-enabled user?

A: The administrator will be taken to the "Change Password" screen and will see a message that says "Password not reset for Single Sign-On User." No email will be sent.


Q: What notification does a new user receive upon creation of a Salesforce user account with an SSO-enabled profile?

A: The new user receives a welcome email containing their username and a link to log in, but no password. The text of the email states, "Note that the Salesforce username is in the form of your email address, and the password is the same as your network password." Note: The text of the welcome email is not customizable.


Q: Does an existing user receive the notification email if his/her profile is switched to an SSO-enabled profile?

A: No.


Q: If an administrator needs to disable SSO, will a user's password revert to what it was before SSO was enabled or will Salesforce generate a new password?

A: The password will revert to what it was before SSO was enabled.


Q: If an administrator needs to disable SSO, what is the recommended best practice to permit users to continue working in Salesforce?

A: After disabling SSO, send a password reset to all affected users.
