How to Enable SSO ?
Enabling Single Sign-On (SSO) for an organization changes the way passwords are managed in Salesforce. What follows are answers to frequently-asked questions about SSO and password management.
To enable SSO:
- Lightning: Setup | Users | Profiles | Choose Profile Name | Look for “Is Single Sign-On Enabled” under Administrative Permissions section
- Classic: Setup | Manage Users | Profiles | Choose Profile name | Look for “Is Single Sign-On Enabled” under Administrative Permissions section
How to Force Users to use only SSO ?
To prevent users from logging in with a Salesforce username and password, assign these users or a profile of these users the Is Single Sign-On Enabled user permission. If the Is Single Sign-On Enabled permission isn’t available, ask Salesforce Support to enable the delegated authentication feature. You’re not required to configure delegated authentication, but it must be enabled.
Note: The following FAQs and answers only apply to Delegated SSO and not to Federated Authentication SSO .
Q: What happens when an SSO-enabled user clicks on the “Forgot your Password?” link on the salesforce.com login page?
A: The user will be sent an email with a link to reset their password. When they click the link they’ll be taken to a page with a notice that states, “Passwords cannot be reset for Single Sign-On Users. Please contact your System Administrator to reset your password.” Note: This message isn’t customizable.
Q: What happens when an SSO-enabled user visits the salesforce.com login page and enters the wrong password?
A: The user will see the same bold message above the login box as regular users who forget their passwords: “Your company’s authentication service is currently down. Please contact the administrator at your company for more information.”
Q: Do salesforce.com password policies remain in effect for SSO users? (For example: does salesforce.com impose any limit on the number of login attempts?)
A: No. Salesforce doesn’t enforce anything around the password for SSO users. This all needs to be done in the SSO gateway.
Q: What happens if an Administrator clicks the “Reset Password” button on the Edit screen of an SSO-enabled user?
A: The administrator will be taken to the “Change Password” screen and will see a message that says “Password not reset for Single Sign-On User.” No email will be sent.
Q: What notification does a new user receive upon creation of a Salesforce user account with an SSO-enabled profile?
A: The new user receives a welcome email containing their username and a link to login, but no password. The text of the email states, “Note that the Salesforce username is in the form of your email address, and the password is the same as your network password.” Note: The text of the welcome email is not customizable.
Q: Does an existing user receive the notification email if his/her profile is switched to an SSO-enabled profile?
Q: If an administrator needs to disable SSO, will a user’s password revert to what it was before SSO was enabled or will Salesforce generate a new password?
A: The password will revert to what it was before SSO was enabled. Take note that if the previous password had expired during the time that the user was utilizing SSO then a password reset might be needed for the user to setup his/her Salesforce password.
Q: If an administrator needs to disable SSO, what is the recommended best practice to permit users to continue working in Salesforce?
A: After disabling SSO, send a password reset to all affected users.