Salesforce My Domain is a feature that allows organizations to define a unique Salesforce subdomain (for example: yourcompany.my.salesforce.com). When used alongside Single Sign-On (SSO), My Domain provides additional security, improved SSO configuration, and supports users across multiple Salesforce orgs. The following considerations apply when setting up Salesforce My Domain with SSO.
When My Domain is enabled, administrators can track when and which users log in by reviewing the Login History. Navigate to Setup > Manage Users > Login History and review the Username and Login URL columns to identify which users are logging in and from which domain.
When using My Domain, the target hostname at Salesforce is unique to the organization. This means the correct Identity Provider (IdP) data for SSO can be looked up immediately from the org's own SSO configuration. This simplifies SSO setup compared to using the generic Salesforce login URL.
Using My Domain when an organization has multiple Salesforce orgs (production or sandboxes) allows users to use the same Salesforce username across all orgs. This makes SSO against IdP credentials — such as Active Directory (AD), LDAP, or Integrated Windows Authentication — simpler, as only one IdP identity per user needs to be verified.
In the best case, a successful SSO login to one org allows that user direct access to their other orgs without a separate login.
Using a custom My Domain provides a dedicated SSL certificate, which improves both security and SSO reliability because the organization's name is part of the domain. This helps reduce the risk of phishing and supports proper SSL certificate validation.
When starting SSO from a Salesforce link (login page, deep link, Outlook Sync URL, and so on), Salesforce does not know in advance which Identity Provider to use. This is called Service Provider (SP)-initiated SSO, and is different from IdP-initiated SSO where the identity information is sent directly to Salesforce.
For generic login page setups, SP-initiated SSO requires the user to complete at least one IdP-initiated SSO first so that Salesforce can set a browser cookie identifying the correct IdP for future logins.
If SSO is enabled for an organization, API and desktop client users cannot log in to Salesforce unless:
The SSO authority typically handles login lockout policies for users with the "Is Single Sign-On Enabled" permission. However, if the security token is enabled for the organization, the organization's login lockout settings determine how many times a user can attempt to log in with an invalid security token before being locked out of Salesforce.
Salesforce strongly recommends that System Administrators are not configured as Single Sign-On users. If system administrators are SSO users and the SSO server experiences an outage, administrators cannot log in to Salesforce.
System administrators should always have a direct Salesforce login so they can disable SSO in the event of a problem.
000382364

We use three kinds of cookies on our websites: required, functional, and advertising. You can choose whether functional and advertising cookies apply. Click on the different cookie categories to find out more about each category and to change the default settings.
Privacy Statement
Required cookies are necessary for basic website functionality. Some examples include: session cookies needed to transmit the website, authentication cookies, and security cookies.
Functional cookies enhance functions, performance, and services on the website. Some examples include: cookies used to analyze site traffic, cookies used for market research, and cookies used to display advertising that is not directed to a particular individual.
Advertising cookies track activity across websites in order to understand a viewer’s interests, and direct them specific marketing. Some examples include: cookies used for remarketing, or interest-based advertising.