Salesforce Security Guide

Salesforce Security Guide
Salesforce Security Basics
Authenticate Users
Elements of User Authentication
Manage User Passwords
Cookies
Single Sign-On
My Domain
Multi-Factor Authentication
Network-Based Security
Device Activation
Session Security
Custom Login Flows
Single Sign-On
Desktop Client Access
Configure User Authentication
Connected Apps
Give Users Access to Data
Share Objects and Fields
Strengthen Your Data's Security with Shield Platform Encryption
Monitoring Your Organization’s Security
Real-Time Event Monitoring
Security Guidelines for Apex and Visualforce Development
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Single Sign-On

Single sign-on (SSO) is an authentication method that enables users to access multiple applications with one login and one set of credentials. For example, after users log in to your org, they can automatically access all apps from the App Launcher. You can set up your Salesforce org to trust a third-party identity provider to authenticate users. Or you can configure a third-party app to rely on your org for authentication.
Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
Federated Authentication is available in: All Editions

Delegated Authentication is available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions

Authentication Providers are available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions

User Permissions Needed
To view the settings: View Setup and Configuration
To edit the settings: Customize Application

AND

Modify All Data

When you set up SSO, you configure one system to trust another to authenticate users, eliminating the need for users to log in to each system separately. The system that authenticates users is called an identity provider. The system that trusts the identity provider for authentication is called the service provider.

For example, you can configure Google as an identity provider to authenticate users accessing your org. So users log in to your org using their Google credentials. In this example, your org acts as the service provider, trusting Google to accurately authenticate users.

You can configure your Salesforce org as an identity provider, a service provider, or both. For each of these use cases, you select the authentication protocol to use. Salesforce supports SSO with SAML and OpenID Connect. Salesforce also has preconfigured authentication providers that you can use to enable SSO with systems that have their own authentication protocols, like Facebook. For more information, see Single Sign-On Use Cases. To see a SAML SSO implementation where Salesforce is the identity provider, watch this video.

You can also set up a single identity provider to authenticate users for multiple service providers. For example, you can enable your org as an identity provider and configure Workday and Office 365 as service providers. Users can then access your org, Workday, and Office 365 with one login.

After you configure SSO, set up Single Logout so users can log out of a service provider and identity provider at the same time.

SSO Content

Refer to the following Help articles to learn about and set up SSO in Salesforce.