Use Your SSO Identity Provider’s MFA Service for Salesforce Orgs

To help prevent unauthorized access to Salesforce accounts, customers are contractually required to use multi-factor authentication (MFA) when logging in via single sign-on (SSO). You can use your third-party identity provider’s MFA service to satisfy this requirement. This approach includes the benefit of providing MFA to external apps that integrate with the identity provider.

Required Editions

Available in: both Salesforce Classic and Lightning Experience

Available in: all editions

User Permissions Needed
To modify session security settings:	Customize Application

Note For full details about the contractual requirement to use MFA, see the Salesforce Multi-Factor Authentication FAQ.

To set up Salesforce so users receive MFA challenges from your third-party identity provider:

Configure your third-party identity provider and SSO implementation. See Salesforce as a Service Provider.
In Setup, in the Quick Find box, enter Session, then select Session Settings.
In Session Security Levels, make sure your SSO configuration is in the High Assurance column.

When users log in through your identity provider, they’re granted high assurance access. Salesforce doesn’t duplicate prompting users for an MFA verification method.

Use Your SSO Identity Provider’s MFA Service for Salesforce Orgs

Required Editions

See Also

General Information

Required Cookies

Functional Cookies

Advertising Cookies

General Information

Required Cookies

Functional Cookies

Advertising Cookies

Cookie List

Product Area

Feature Impact

Edition

Experience

Use Your SSO Identity Provider’s MFA Service for Salesforce Orgs

Required Editions

See Also