
Device Activation for SSO Logins Resources

Publish Date: May 5, 2026
Description

 

Salesforce has introduced Changes to Device Activation for Single Sign-On (SSO) Logins

 

There may be circumstances where a Salesforce org has been granted an extension to this change for up to 60 days if requested prior to 4/20/2026.

 

The Salesforce Security Product Team has confirmed that Support is unable to grant:

 

    • Any new or initial 60-day extensions that have not already been processed before the 4/20/2026 date.

 

    • Extensions beyond an additional 30 days. To process an additional 30-day extension, Support is required to go through a Security Team approval process.

 

Resolution

To request an additional 30-day extension, Support requires:

 

  • Formal approval and acknowledgement documented in a Support case from your organization's CISO and Legal teams of the following statement and associated risks:

 

Since device activation is a critical security enhancement implemented to prevent unauthorized account access and enforce secure-by-default settings, we must emphasize that the exception you are requesting for the Device Activation change carries additional security risks to your Salesforce environment. While we understand your legitimate business need, we want to note that your organization is assuming the potential risks by making this request.

 

 

NOTE: Any future requests for an extension will be denied by default. Exceptions beyond this point will only be considered if there is a documented "Product Limitation Exception" or a significant technical blocker that's both reviewed and approved by Security and clearly prevents compliance.

 

To comply with mandatory SSO MFA security requirements, organizations will need to implement the following:

 

The Identity Provider (IdP) needs to pass a recognized strong authentication signal such as multi-factor authentication (MFA) in the Security Assertion Markup Language (SAML) response.

 

    • Enable secure authentication in your SSO IdP (e.g. MFA, biometric, security key, smartcard).

 

    • Next, configure your IdP to provide information about the authentication method used:

 

For OIDC IdPs, ensure the identity token includes the Authentication Method Reference (AMR).


For SAML IdPs, ensure the Authentication Context or AuthnContext is included and it indicates the authentication method used.
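
An added example, not part of the Salesforce article: a pre-flight check to run against a test login's ID token or SAML assertion, confirming that the IdP actually emits an authentication-method signal. The function names and sample inputs are constructed, and treating only mfa as a strong amr value is an assumption based on the Okta note in this article.

```python
import base64
import json
import xml.etree.ElementTree as ET  # use defusedxml for XML you do not control

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
# Assumption: only "mfa" is named by the article (Okta note); extend per your IdP's docs.
STRONG_AMR = {"mfa"}
PASSWORD_ONLY = {AC + "Password", AC + "PasswordProtectedTransport"}  # password-only class refs

def amr_from_id_token(token):
    """Decode a compact JWT payload for inspection only (signature is NOT verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    amr = json.loads(base64.urlsafe_b64decode(payload)).get("amr", [])
    return [amr] if isinstance(amr, str) else list(amr)

def check_id_token(token):
    amr = amr_from_id_token(token)
    if not amr:
        return "FAIL: ID token has no amr claim"
    if STRONG_AMR & set(amr):
        return "OK: amr=" + ",".join(amr)
    return "WARN: amr present but no strong method: " + ",".join(amr)

def check_saml(xml_text):
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    refs = [e.text.strip() for e in ET.fromstring(xml_text).iterfind(path, SAML_NS) if e.text]
    if not refs:
        return "FAIL: no AuthnContextClassRef in assertion"
    if all(r in PASSWORD_ONLY for r in refs):
        return "WARN: password-only AuthnContext: " + ",".join(refs)
    return "PRESENT: AuthnContext=" + ",".join(refs)  # confirm the value with your IdP docs

def sample_token(claims):
    """Constructed, unsigned token for offline testing."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

# Constructed sample assertion: the IdP reports password-only authentication.
SAMPLE_SAML = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AuthnStatement>'
               "<saml:AuthnContext><saml:AuthnContextClassRef>" + AC + "PasswordProtectedTransport"
               "</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion>")

if __name__ == "__main__":
    print(check_id_token(sample_token({"sub": "u1", "amr": ["pwd", "mfa"]})), check_saml(SAMPLE_SAML), sep="\n")
```

A FAIL or WARN result means the IdP configuration steps above have not taken effect for that login flow.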

 

Additional external resources for reference:

 

For Okta, follow the steps in the doc below, but make sure the value is just mfa, not session.mfa as the doc states:
https://support.okta.com/help/s/article/okta-and-the-salesforce-sso-device-activation-change-customer-faq?language=en_US#faq1

 

For Microsoft Azure, follow the same approach here:
https://learn.microsoft.com/en-us/entra/identity-platform/saml-claims-customization#table-3-valid-id-values-per-source

 

Microsoft Entra ID (SAML): Configure Salesforce for Single sign-on in Microsoft Entra ID
https://learn.microsoft.com/en-us/entra/identity/saas-apps/salesforce-tutorial

 

Microsoft Entra ID (OIDC): ID token claims reference (use ID token v1.0, which includes amr by default; v2.0 does not currently support amr)
https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference

 

Cisco Duo: Duo AMR support for Salesforce
https://help.duo.com/s/article/9600?language=en_US#:~:text=No%20action%20required%20if%20you,to%20the%20Duo%20Admin%20Panel

 

Knowledge Article Number

005321709

 