Get to Know Salesforce Identity
Learning Objectives
- Describe how Salesforce Identity helps administrators.
- Understand how Salesforce Identity can benefit a business.
- Distinguish between single sign-on (SSO) and social sign-on.
- Describe the benefits of My Domain.
What Does Salesforce Identity Do?
You can probably see how controlling access helps you improve your org’s security. But did you know that you can increase security while also making it easier for your users to get to the apps and services they need to do their jobs? Well, you totally can!
When users can sign in once to access all the apps that they need, everyone benefits.
- Users don’t have to remember lots of usernames and passwords.
- Admins spend less time dealing with user login woes.
- Developers build web and mobile applications that work seamlessly with existing business processes.
- CIOs strengthen security and trust while harnessing their authentication investment.
- Customers collaborate and get their questions answered without hassle.
- Partners integrate their solutions with your Salesforce org, making it a big win for everyone.
With Salesforce Identity, you log in once to access many connected apps.
What Does “Identity” Mean Anyway?
At Salesforce, we’re talking about digital information about users, like who the user is and what the user can do in a particular context. It can also include attributes about the user, such as first and last names, contact information, maybe even a job title.
What Features Does Salesforce Identity Provide?
Check out this list of the main features of Salesforce Identity. Then scroll down to learn about each one in more detail.
- Single sign-on
- Connected apps
- Social sign-on
- Multi-factor authentication
- My Domain
- Centralized user account management
- User provisioning
- Identity Connect
- App Launcher
Single Sign-On
Single sign-on (SSO) lets users access all authorized resources without logging in separately to each one—and without having to create (and remember) different user credentials for each app.
You can connect your users to several accounts and applications running in other Salesforce orgs and even in other clouds. For example, a call center rep with Salesforce Identity can click a link and be logged in immediately to other apps, like Google Apps, Microsoft Office 365, or Box.
Connected Apps
And what are those “authorized resources” that your signed-on users have access to? You got it: They’re connected apps. Connected apps bring Salesforce orgs, third-party apps, and services together. If a connected app is created without implementing SSO, it acts like a bookmark. Users can get to the app from the App Launcher or dropdown app menu, but they sometimes have to sign in again to use it.
So to get the most out of connected apps, configure them for SSO. With SSO, admins can set security policies and have explicit control over who uses which apps. You can also use connected apps to manage authentication and policies for mobile applications.
Multi-Factor Authentication
Sound like a mathematical equation? Nope. It’s not. Multi-factor authentication (MFA) is just a Salesforce Identity feature that we highly recommend that you implement. By configuring a couple of settings, you can make your org login process, you got it, multiple times more secure.
Until now, we’ve been talking about features that make it easier for your users to access the orgs and apps they need to do their jobs. Initially, multi-factor authentication makes access a little more difficult, but this simple yet powerful tool strengthens user account security.
When you enable multi-factor authentication, users have to provide two or more pieces of evidence—or factors—when they log in. One factor is the user’s username and password combination. The requirement for additional factors is satisfied through the use of a verification method that the user has in their possession, such as an authenticator app or a Universal Second Factor (U2F) security key.
With the newest version of the Salesforce Authenticator app, the second factor can be a response to a push notification on the user’s mobile device.
Multi-factor authentication helps ensure that even if an attacker acquires a user’s password, the attacker can’t log in and do harm. So while you’re expanding your authentication options with other Salesforce Identity features, be sure to secure individual access to your org with multi-factor authentication.
You learn how to set up multi-factor authentication in a later module. It’s simple, we promise.
My Domain
Would you like the URL to your Salesforce org to be something that makes sense to your users? Well, you can make that happen. With the My Domain Identity feature, you can customize your Salesforce URL to include your company or brand name. For example, if you work for Jedeye Technologies, you can include the name in your Salesforce login URL: https://jedeye-tech.my.salesforce.com.
Notice that the URL ends in salesforce.com. With My Domain, you’re actually creating a subdomain within the Salesforce domain, salesforce.com.
If you have a Trailhead Playground, you can see My Domain in action, because every playground has a unique My Domain subdomain. Here you can see that the org's My Domain, creative-raccoon-b6c0h0-dev-ed, is a subdomain of the Salesforce lightning.force.com domain. With a My Domain subdomain for your company’s org, you can customize your login page to reflect your company’s design scheme and messaging—your brand.
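Because a My Domain is a subdomain of a Salesforce-owned domain, a link filter or login-URL allowlist can check that structure strictly. The following is an added example, not Salesforce code: the function name `my_domain_label`, the `ALLOWED_PARENTS` list (limited to the two parent domains named on this page), and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Parent domains named on this page (assumption: extend this list for any
# other Salesforce hostnames your own org uses).
ALLOWED_PARENTS = ("my.salesforce.com", "lightning.force.com")

# One DNS label: letters, digits, hyphens; no dots, no leading/trailing hyphen.
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")


def my_domain_label(url, expected=None):
    """Return the My Domain label if `url` is an HTTPS URL whose host is a
    direct subdomain of an allowed parent domain; otherwise return None."""
    try:
        parts = urlsplit(url)
        host = parts.hostname      # lower-cased, userinfo and port removed
        _ = parts.port             # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or not host:
        return None
    if parts.username is not None or parts.password is not None:
        return None                # text before "@" is not the host
    host = host.rstrip(".")
    for parent in ALLOWED_PARENTS:
        suffix = "." + parent      # leading dot enforces a label boundary
        if host.endswith(suffix):
            label = host[: -len(suffix)]
            if LABEL_RE.fullmatch(label) and expected in (None, label):
                return label
    return None


# Constructed sample URLs; the first two use the hostnames shown on this page.
SAMPLES = [
    "https://jedeye-tech.my.salesforce.com",
    "https://creative-raccoon-b6c0h0-dev-ed.lightning.force.com/lightning/page/home",
    "https://jedeye-tech.my.salesforce.com.example.net/",  # parent is example.net
    "https://jedeye-tech-my.salesforce.com/",              # hyphen, not a dot
    "http://jedeye-tech.my.salesforce.com/",               # not HTTPS
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url} -> {my_domain_label(url)}")
```

Passing `expected="jedeye-tech"` additionally pins the check to one org, so a valid My Domain belonging to a different org is rejected too.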
Having a My Domain isn’t just about convenience and branding your org’s login experience. It's about having more control over your login process and simplifying authentication. In fact, Salesforce requires you to have a My Domain in place to:
- Work in multiple Salesforce orgs in the same browser
- Set up single sign-on (SSO) with external identity vendors
- Set up authentication providers, such as Google and Facebook, so that your users can log in to your Salesforce org with their social account credentials
- Use Lightning components in Lightning component tabs, Lightning pages, the Lightning App Builder, or standalone apps
- Use Financial Services Cloud, Health Cloud, or Work.com
Because having a My Domain is so important, all production and Developer Edition orgs created in Winter ’21 and later get one by default. If you don’t like your org’s My Domain name, you can change it.
You learn how to customize your login process with My Domain in the User Authentication module.
Centralized User Account Management
Centralized user account management means that admins can manage all their user account tasks in one place. Administrators can easily grant users access to other apps and revoke or freeze access when they have to.
Admins can apply login policy and explicit security controls. For example, they can set a policy that prevents login attempts by anyone who doesn’t know your domain name.
Centralized user account management is good for users, too. They don’t have to remember so many usernames and passwords. No more sticky notes dangling from monitors. In short, centralized management provides greater control over security, helps reduce access-related risk, and makes life easier for end users.
User Provisioning for Connected Apps
Want to create, manage, and secure user accounts across all your orgs and connected apps? That’s what Salesforce Identity user provisioning does for you. You can manage user information quickly, cheaply, reliably, and securely across multiple systems and connected applications.
Many people with Salesforce accounts also have accounts in other clouds, such as Google Apps, Office 365, Concur, or Box. Salesforce user provisioning provides a single location where admins can create, update, delete, and manage those user accounts.
Identity Connect
Salesforce Identity Connect synchronizes users and their attributes from Active Directory (AD) to Salesforce. When a user is created in AD, that same user account can also be created automatically in Salesforce. When a user is deleted from AD, the user account in Salesforce is deactivated at the same time.
With Identity Connect, you can let users sign in to Salesforce using their AD username and password. In some circumstances, you can configure Identity Connect to automatically sign users in to Salesforce. Yup—users can click a bookmark or link to Salesforce and they’re authenticated and taken to Salesforce without even seeing a login page. Users love this!
A future module helps you decide whether Identity Connect is right for you.
App Launcher
The App Launcher is part of Salesforce Identity and it plays a prominent role in Lightning Experience. The App Launcher presents tiles for all the standard apps, custom apps, and connected apps in your Salesforce org. Your users can go to one location in Salesforce to access all apps without having to log in again. You choose which third-party and other connected apps to add to the App Launcher. And you control which apps are available to which users.
Here’s the App Launcher: So clickable, and so convenient.
In Lightning Experience, users can access the App Launcher on the left side of the navigation bar.
In Salesforce Classic, users can access the App Launcher from the dropdown app menu.
A Fully Integrated Solution
Remember that diagram of a Salesforce org at the beginning of this unit? Let’s take another look at it. But this time, we’ll add a few more details. This diagram shows where all your identity information is stored in the “back office” of your Salesforce org. With a centralized identity management system, you go to one place to configure identities.
Users can go from their desktop to mobile with the same login credentials. Their identity is safely shared across many places. Admins can keep user information secure, up to date, and in one place. You can see how powerful Salesforce Identity is when several features are combined.
How to Enable Salesforce Identity for Your Org
So are you ready to turn on Salesforce Identity in your org? Good news, you already have licenses. Salesforce Identity is included in standard user licenses. Salesforce also offers special Identity Only licenses for users who want features like SSO but don’t need other parts of Salesforce, like Sales Cloud or Service Cloud.