Single Sign-On
| Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience |
|---|
| Federated Authentication is available in: All Editions. Delegated Authentication is available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions. Authentication Providers are available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions. |
| User Permissions Needed | |
|---|---|
| To view the settings: | View Setup and Configuration |
| To edit the settings: | Customize Application AND Modify All Data |
- Federated authentication using Security Assertion Markup Language (SAML) lets you send authentication and authorization data between affiliated but unrelated web services. You can log in to Salesforce from a client app. Salesforce enables federated authentication for your org automatically.
- Delegated authentication SSO integrates Salesforce with an authentication method that you choose. You can integrate authentication with your LDAP (Lightweight Directory Access Protocol) server or use a token instead of a password for authentication. You manage delegated authentication at the permission level, not at the org level, giving you more flexibility. With permissions, you can require some users to use delegated authentication while others use their Salesforce-managed password. You must contact Salesforce to enable delegated authentication before you can configure it on your org. Delegated authentication offers the following benefits.
  - Uses a stronger form of user authentication, such as integration with a secure identity provider
  - Makes your login page private and accessible only behind a corporate firewall
  - Differentiates your org from all other companies that use Salesforce to reduce phishing attacks
- Authentication providers let your users log in to your Salesforce org using their login credentials from an external service provider. Salesforce supports the OpenID Connect protocol, which lets users log in from any OpenID Connect provider, such as Google, PayPal, and LinkedIn. When an authentication provider is enabled, Salesforce doesn’t validate a user’s password. Instead, Salesforce uses the user’s login credentials from the external service provider to establish authentication credentials.
When you have an external identity provider and configure SSO for your Salesforce org, Salesforce is then acting as a service provider. You can also enable Salesforce as an identity provider and use SSO to connect to a different service provider. Only the service provider needs to configure SSO.
The Single Sign-On Settings page displays which version of SSO is available for your org. To learn more about SSO settings, see Configure SAML Settings for Single Sign-On. For more information about SAML and Salesforce security, see the Security Implementation Guide.
Benefits of SSO
- Reduced administrative costs—With SSO, users memorize a single password to access network resources and external apps and Salesforce. When accessing Salesforce from inside the corporate network, users log in seamlessly and aren’t prompted for a username or password. When accessing Salesforce from outside the corporate network, the users’ corporate network login works to log them in. With fewer passwords to manage, system admins receive fewer requests to reset forgotten passwords.
- Leverage existing investment—Many companies use a central LDAP database to manage user identities. You can delegate Salesforce authentication to this system. Then when users are removed from the LDAP system, they can no longer access Salesforce. Users who leave the company automatically lose access to company data after their departure.
- Time savings—On average, users take 5–20 seconds to log in to an online app. It can take longer if they mistype their username or password and are prompted to reenter them. With SSO in place, manually logging in to Salesforce is avoided. These saved seconds reduce frustration and add up to increased productivity.
- Increased user adoption—Due to the convenience of not having to log in, users are more likely to use Salesforce regularly. For example, users can send email messages that contain links to information in Salesforce, such as records and reports. When the recipient of the email message clicks the links, the corresponding Salesforce page opens.
- Increased security—All password policies that you’ve established for your corporate network are in effect for Salesforce. Sending an authentication credential that’s only valid for a single time also increases security for users who have access to sensitive data.
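For SAML-based federated authentication, the single-use, time-limited credential mentioned above is the assertion itself. The following added example (not Salesforce's code) shows the checks a service provider applies after signature verification: the validity window, the intended audience, and a consumed-ID store that rejects a replayed assertion. The assertion XML, issuer, subject and audience values are constructed for the example.

```python
"""Added example: post-signature checks on a SAML 2.0 assertion (validity window,
audience restriction, single-use ID). Assumes the XML signature was verified first."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; the issuer, subject and audience are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_example-assertion-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# IDs already consumed. In production this lives in shared persistent storage so that
# every service-provider node sees the same replay state.
seen_ids: set = set()


def parse_ts(value: str) -> datetime:
    """Parse the UTC timestamp format used in the sample assertion."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, expected_audience: str, now: datetime, seen: set = seen_ids) -> tuple:
    """Return (True, subject) on success, or (False, reason) for an assertion that is
    not yet valid, expired, addressed to another audience, or presented a second time."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, "not an Assertion"
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return False, "missing Conditions"
    if now < parse_ts(cond.get("NotBefore")):
        return False, "not yet valid"
    if now >= parse_ts(cond.get("NotOnOrAfter")):
        return False, "expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen:
        return False, "replayed or missing ID"
    seen.add(assertion_id)  # consume it: the assertion is valid exactly once
    return True, root.findtext("saml:Subject/saml:NameID", namespaces=NS)
```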