Single Sign-On and Password Management FAQ for Salesforce Delegated Authentication

Udgivelsesdato: Apr 22, 2026

Beskrivelse

This article applies only to Delegated Single Sign-On (SSO) authentication in Salesforce, not to Federated Authentication (SAML) single sign-on. Enabling SSO for an organization changes the way passwords are managed in Salesforce. What follows are answers to frequently asked questions about SSO and password management.

Available Editions:

Professional, Enterprise, Performance (Unlimited), and Developer

How to Enable SSO:

Lightning Experience: Setup → Users → Profiles → Choose Profile Name → Look for "Is Single Sign-On Enabled" under the Administrative Permissions section
Salesforce Classic: Setup → Manage Users → Profiles → Choose Profile Name → Look for "Is Single Sign-On Enabled" under the Administrative Permissions section

If you do not see "Is Single Sign-On Enabled" in the System Permissions section, ensure you have first Enabled Delegated Authentication in your environment.

Prerequisites:

Review Salesforce documentation on Best Practices and Tips for Implementing Single Sign-On and Configure Salesforce for Delegated Authentication before making changes to SSO configuration.

Løsning

Password Reset Behavior for SSO Users

Q: What happens when an SSO-enabled user clicks the "Forgot your Password?" link on the Salesforce login page?

A: The user will be sent an email with a link to reset their password. When they click the link, they will be taken to a page with the notice: "Passwords cannot be reset for Single Sign-On Users. Please contact your System Administrator to reset your password."

Note: This message is not customizable.

Q: What happens when an Administrator clicks the "Reset Password" button on the Edit screen of an SSO-enabled user?

A: The administrator will be taken to the "Change Password" screen and will see the message: "Password not reset for Single Sign-On User." No email will be sent to the user.

Q: What notification does a new user receive upon creation of a Salesforce user account with an SSO-enabled profile?

A: The new user receives a welcome email containing their username and a link to log in, but no password. The email subject will be "Welcome to Salesforce: Verify your account."

Note: The text of the welcome email is not customizable.

Q: Does an existing user receive a notification email if their profile is switched to an SSO-enabled profile?

A: No. Existing users do not receive a notification when their profile is switched to an SSO-enabled profile.

Login Failures for SSO Users

Q: What happens when an SSO-enabled user visits the Salesforce login page and enters the wrong password?

A: The user will see the following message above the login box: "Your company's authentication service is currently down. Please contact the administrator at your company for more information."

Password Policy Enforcement

Q: Do Salesforce password policies remain in effect for SSO users? (For example: does Salesforce impose any limit on the number of login attempts?)

A: No. Salesforce does not enforce any password policies for SSO users. All password policy enforcement — including login attempt limits — must be configured and managed in the SSO gateway.

Disabling SSO

Q: If an administrator needs to disable SSO, will a user's password revert to what it was before SSO was enabled, or will Salesforce generate a new password?

A: The password will revert to what it was before SSO was enabled. Note that if the previous password had expired during the time the user was utilizing SSO, a password reset may be needed for the user to re-establish their Salesforce password.

Q: If an administrator needs to disable SSO, what is the recommended best practice to permit users to continue working in Salesforce?

A: After disabling SSO, send a password reset to all affected users to ensure they can log in without interruption.

Vidensartikelnummer

000385305

Løste denne artikel dit problem?

Giv os besked, så vi kan forbedre os!