Hello.
We're in the middle of implementing a simple SSO configuration to permit users to log in to Salesforce with their Azure AD credentials, and Summer '20 introduced some new features related to SSO implementation. Specifically, this information from the release notes:
To restrict a user from logging in with their Salesforce credentials, go to Setup, then Single Sign-On Settings. Under Delegated Authentication, select Disable login with Salesforce credentials. If you enabled this feature before Summer ’20, and you want to disable it before July 27, 2020, contact Salesforce Customer Support.
To restrict access to SSO only, we had previously requested that Salesforce enable delegated authentication and then created a permission set with the Is Single Sign-On Enabled permission, based on the Salesforce help document titled "Best Practices and Tips for Implementing Single Sign-On" (https://help.salesforce.com/articleView?id=sso_tips.htm&type=0):
When you configure users with an authentication provider for SSO, you can require them to log in only through the authentication provider. To prevent users from logging in with a Salesforce username and password, assign these users or a profile of these users the Is Single Sign-On Enabled user permission. If the Is Single Sign-On Enabled permission isn’t available, ask Salesforce Support to enable the delegated authentication feature. You’re not required to configure delegated authentication, but it must be enabled.
I am confused by the language in the release notes regarding this new "Disable login with Salesforce credentials" feature. How would that "restrict a user from logging in with their Salesforce credentials" if it is a setting that is enabled org-wide? It would seem that the setting would work in conjunction with another setting, or perhaps that "Single Sign-On Enabled" profile permission, but the documentation is unclear.
Any insight as to how this new setting works? Thank you.
Greg
For a user with SSO enabled:
* If “Disable login with Salesforce credentials” is enabled, the user will not be able to log in with un/pw.
* If “Disable login with Salesforce credentials” is disabled AND the old “Single Sign On: Delegated Authentication” org perm is off, the user will be able to log in with un/pw.
For a user without SSO enabled:
* If “Disable login with Salesforce credentials” is enabled or disabled, the user will be able to log in with un/pw.
In order to disable password login for a user, you need to:
1. Enable org preference "Disable login with Salesforce credentials"
2. Enable user permission "Is Single Sign-On Enabled" (It will be visible on profiles once the org permission is turned on)
Both of them need to be on for a user to disable password login. This gives user-level control.
Hope that clears things up.