Considerations for Setting Up Salesforce My Domain with Single Sign-On (SSO)

Publication date: Jun 19, 2026
Description

Overview

Salesforce My Domain is a feature that allows organizations to define a unique Salesforce subdomain (for example: yourcompany.my.salesforce.com). When used alongside Single Sign-On (SSO), My Domain provides additional security, improved SSO configuration, and supports users across multiple Salesforce orgs. The following considerations apply when setting up Salesforce My Domain with SSO.

Solution

1. Login History Tracking with My Domain

When My Domain is enabled, administrators can see which users log in, when, and through which login URL by reviewing the Login History. Navigate to Setup > Manage Users > Login History and review the Username and Login URL columns to identify which users are logging in and from which domain.
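The review described above can be automated over an exported Login History. The following is an added example, not code from the article or from Salesforce: it parses a constructed CSV sample whose columns mirror the Username and Login URL columns mentioned above, counts per-user logins that arrived through the org's My Domain versus any other login URL, and lists successful logins that did not go through My Domain. The My Domain host (`example.my.salesforce.com`), the usernames, IP addresses and the Login Type / Status values are all constructed sample data for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Login History export (not real data). Column names
# follow the article's Username and Login URL columns; the other values are
# invented for the example.
SAMPLE_LOGIN_HISTORY = """Username,Login Time,Login Type,Status,Source IP,Login URL
alice@example.com,2026-06-19T08:01:12Z,SAML Sfdc Initiated SSO,Success,203.0.113.10,example.my.salesforce.com
bob@example.com,2026-06-19T08:03:40Z,Application,Success,203.0.113.11,login.salesforce.com
alice@example.com,2026-06-19T09:15:02Z,SAML Idp Initiated SSO,Success,203.0.113.10,https://example.my.salesforce.com/
carol@example.com,2026-06-19T09:20:55Z,Application,Success,198.51.100.7,login.salesforce.com
dave@example.com,2026-06-19T10:02:31Z,Application,Failed: Password Lockout,198.51.100.9,example.my.salesforce.com
"""

# Assumed My Domain hostname for this example.
MY_DOMAIN_HOST = "example.my.salesforce.com"


def normalize_host(login_url):
    """Reduce a Login URL value to a lowercase hostname.

    Exports may carry a bare host or a full URL; both are handled so that
    'https://Example.my.salesforce.com/' and 'example.my.salesforce.com' compare equal.
    """
    value = login_url.strip().lower()
    if "://" in value:
        value = value.split("://", 1)[1]
    return value.split("/", 1)[0]


def parse_login_history(text):
    """Parse a Login History CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_by_user(rows, my_domain_host):
    """Count, per username, successful logins via My Domain, successful logins
    via any other URL, and failed logins."""
    my_domain = my_domain_host.lower()
    summary = defaultdict(lambda: {"my_domain": 0, "other": 0, "failed": 0})
    for row in rows:
        bucket = summary[row["Username"]]
        if row["Status"] != "Success":
            bucket["failed"] += 1
        elif normalize_host(row["Login URL"]) == my_domain:
            bucket["my_domain"] += 1
        else:
            bucket["other"] += 1
    return dict(summary)


def logins_bypassing_my_domain(rows, my_domain_host):
    """Return (username, login_url) for successful logins that did not use the
    My Domain hostname; these are the entries worth a closer look when the
    intent is that all users sign in through My Domain and SSO."""
    my_domain = my_domain_host.lower()
    return [
        (row["Username"], row["Login URL"])
        for row in rows
        if row["Status"] == "Success"
        and normalize_host(row["Login URL"]) != my_domain
    ]


if __name__ == "__main__":
    parsed = parse_login_history(SAMPLE_LOGIN_HISTORY)
    for user, counts in sorted(summarize_by_user(parsed, MY_DOMAIN_HOST).items()):
        print(f"{user}: {counts}")
    for user, url in logins_bypassing_my_domain(parsed, MY_DOMAIN_HOST):
        print(f"not via My Domain: {user} -> {url}")
```

Pointing the script at a real export requires only replacing the sample text with the file contents and the assumed hostname with the org's own My Domain; the per-user counts then show at a glance which accounts still sign in through the generic login URL.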

2. SSO Configuration and Identity Provider Lookup

When using My Domain, the target hostname at Salesforce is unique to the organization. This means the correct Identity Provider (IdP) data for SSO can be looked up immediately from the org's own SSO configuration. This simplifies SSO setup compared to using the generic Salesforce login URL.

3. Multiple Orgs and the Same Salesforce Username

Using My Domain when an organization has multiple Salesforce orgs (production or sandboxes) allows users to use the same Salesforce username across all orgs. This makes SSO against IdP credentials — such as Active Directory (AD), LDAP, or Integrated Windows Authentication — simpler, as only one IdP identity per user needs to be verified.
In the best case, a successful SSO login to one org allows that user direct access to their other orgs without a separate login.

4. SSL Certificate and Domain Security

Using a custom My Domain provides a dedicated SSL certificate, which improves both security and SSO reliability because the organization's name is part of the domain. This helps reduce the risk of phishing and supports proper SSL certificate validation.

5. SP-Initiated SSO and Browser Cookies

When starting SSO from a Salesforce link (login page, deep link, Outlook Sync URL, and so on), Salesforce does not know in advance which Identity Provider to use. This is called Service Provider (SP)-initiated SSO, and is different from IdP-initiated SSO where the identity information is sent directly to Salesforce.
For generic login page setups, SP-initiated SSO requires the user to complete at least one IdP-initiated SSO first so that Salesforce can set a browser cookie identifying the correct IdP for future logins.

6. API and Desktop Client Access When SSO Is Enabled

If SSO is enabled for an organization, API and desktop client users cannot log in to Salesforce unless:

  • Their IP address is included on the organization's list of trusted IP addresses, or
  • Their profile has IP address restrictions configured that include their IP address.

7. Login Lockout Policies with SSO

The SSO authority typically handles login lockout policies for users with the "Is Single Sign-On Enabled" permission. However, if the security token is enabled for the organization, the organization's login lockout settings determine how many times a user can attempt to log in with an invalid security token before being locked out of Salesforce.

8. Recommendation: Exclude System Administrators from SSO

Salesforce strongly recommends that System Administrators are not configured as Single Sign-On users. If system administrators are SSO users and the SSO server experiences an outage, administrators cannot log in to Salesforce.
System administrators should always have a direct Salesforce login so they can disable SSO in the event of a problem.

Knowledge article number

000382364

Salesforce Help | Article