How to Use Identity

Using a combination of Salesforce Identity features, you can make it easy for employees to access Salesforce. You can also have more control over which users access which third-party apps.

Salesforce Identity provides single sign-on (SSO) for employees to sign in to multiple Salesforce and third-party apps.

Here’s an example of how the company Universal Containers uses several Salesforce Identities features to meet its login requirements.

Example

Universal Containers has employees that sign in to multiple apps to get their job done. To make it easier for employees to log in, the company wants an SSO solution and decides to use Salesforce Identity to implement it. To use Salesforce as an SSO provider (also called the identity provider), Universal Containers must set up a subdomain using My Domain. Then the company creates and manages authorization settings to control how employees log in to the subdomain.

Universal Containers uses the Security Assertion Markup Language (SAML) protocol to pass authentication and authorization information between its subdomain and other providers. Users logged in to the Universal Containers subdomain can use third-party apps without logging in again. Likewise, Universal Containers can give users access to its subdomain from approved third-party apps without logging in again. In this case, the third-party app is the identity provider. SSO is available between any app that supports SAML standards, such as G Suite.

Universal Containers decides to enhance security while enabling SSO. The company implements multi-factor authentication (MFA) to require that users enter an identity verification method in addition to their username and password when logging in. Universal Containers can also customize the login page to reflect its corporate identity. This way, when users log in, they can see where they are before entering authentication information.

Using the App Launcher, Universal Containers controls which apps are available to individual users and how long users can access Salesforce before reauthenicating. The App Launcher is also used to extend SSO to mobile users.

For login and user management, Universal Containers uses Active Directory (AD). The company decides to integrate AD with Salesforce using Identity Connect. With Identity Connect, admins can manage Salesforce users through the corporate AD database. Then users can log in to Salesforce using their AD credentials. And changes to users in Active Directory are immediately updated in Salesforce.

Universal Containers has an Experience Cloud site. They use the dynamic branding feature, where branding changes at run time according to who logs in and from where. Universal Containers displays different logos depending on whether the user is an employee, customer, partner, or guest. Branding impacts the entire login experience—the login page, plus any secondary pages that support MFA, Terms & Conditions, or login flows.

After the system is up and running, Universal Containers builds reports and dashboards to track user login history and app usage. With these reports, Salesforce admins can adjust authorization as needed.