How to Disable Direct Login to Salesforce

If you have implemented Single Sign-On (SSO), you may not want users to log in to Salesforce directly, for the simple reason that you want your SSO system to be the single place that controls user access. When an employee leaves the company, you disable them once in the SSO system instead of chasing their accounts across other systems. SSO also makes corporate security policies (2FA, password complexity, retry limits, lockouts and so on) easier to implement and maintain in one place rather than having to verify that every system adheres to them. So here is how you can disable direct login to Salesforce.

Step 1: [Optional] Disable login through login.salesforce.com

When you enable My Domain in Salesforce, users can log in either through login.salesforce.com or through <mydomain>.my.salesforce.com. To stop logins through login.salesforce.com, navigate to Setup -> Company Settings -> My Domain, edit the My Domain settings and check the box “Prevent login from https://login.salesforce.com”. This only closes the generic login endpoint; the My Domain login page itself still accepts a username and password, which the following steps deal with.

[Screenshot: Prevent access from login.salesforce.com]

Step 2: [Optional] Hide the username/password on the My Domain Login Page

Next, you may also want to hide the standard Salesforce username/password option on the My Domain login page. Navigate to Setup -> Company Settings -> My Domain, click Edit under ‘Authentication Configuration’ and uncheck the option ‘Login Page’.

[Screenshot: Hide Username/Password from My Domain Login Page]

Once that is done, users who navigate to the My Domain URL <mydomain>.my.salesforce.com will no longer see the username/password fields. Here is how the login page looks before and after unchecking the option.

[Screenshot: My Domain login page before and after hiding the login form]

But this is still not foolproof, because hiding the form is cosmetic rather than a control: anyone who appends “?login” to the My Domain URL gets the username/password box back. Here is how that looks. Oops!

[Screenshot: My Domain login form restored with ?login]

Step 3: Log a Ticket with Salesforce to Enable Delegated Authentication

The third step is to log a ticket with Salesforce support to enable “Delegated Authentication”. Don’t worry, we are not going to configure delegated authentication against any external service; we will only use the fact that the feature is switched on to stop users from logging in to Salesforce directly.

Once Salesforce support has enabled delegated authentication in your org, confirm it by navigating to Setup -> Single Sign-On Settings. If you see the Delegated Authentication section as highlighted below, it has been enabled for you. Leave that section as-is and do not enter any values there, in particular no gateway URL.

[Screenshot: Verify Delegated Authentication is enabled]

Step 4: Enable Single Sign-On at the Profile Level

Once delegated authentication is enabled in your org, a new system permission called “Is Single Sign-On Enabled” appears in profile setup. Check it on the profiles of the users for whom you want to disable direct login to Salesforce.

[Screenshot: “Is Single Sign-On Enabled” system permission on a profile]

So what we have done is ask Salesforce support to enable Delegated Authentication, leave its settings empty, and then enable Single Sign-On at the profile level.

Delegated authentication works like this: once it is enabled for a user’s profile, Salesforce no longer checks the username and password itself. Instead it makes a web service call to the configured Delegated Authentication (gateway) URL, passing the username, the password and the user’s source IP. If the web service returns true, the user is allowed to log in; if it returns false, the login is refused.

In our case we have turned the delegated authentication feature into a way to disable direct login to Salesforce. Because no web service URL is specified, Salesforce has nowhere to send the call, and because the profile has single sign-on enabled, Salesforce will not verify the username/password itself either. The end result is that those users cannot log in to Salesforce directly with a username and password. Note what this depends on: the gateway URL must stay empty. If an administrator later enters a URL there, the same profiles will start authenticating against whatever answers at that address.
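To make concrete what Salesforce would send if a gateway URL were configured, here is an added example of a minimal delegated authentication responder. It is not code from the original post or from Salesforce: the SOAP element names and the urn:authentication.soap.sforce.com namespace are assumed to follow the AuthenticationService WSDL that Salesforce publishes for delegated authentication and should be checked against the WSDL you download from your org, and the sample request is constructed, not captured. The example parses the Authenticate request, applies a policy (here: refuse everything, which is the explicit, auditable version of what leaving the URL blank achieves), records who tried from where without ever logging the password, and fails closed on malformed input.

```python
import xml.etree.ElementTree as ET
from typing import Callable, List, Optional, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Assumption: namespace and element names as in the AuthenticationService WSDL
# that Salesforce publishes for delegated authentication. Verify against the
# WSDL you download from your own org before relying on this.
AUTH_NS = "urn:authentication.soap.sforce.com"


def parse_authenticate_request(body: bytes) -> dict:
    """Pull username, password and sourceIp out of an Authenticate SOAP request."""
    root = ET.fromstring(body)
    req = root.find(f"{{{SOAP_NS}}}Body/{{{AUTH_NS}}}Authenticate")
    if req is None:
        raise ValueError("not an Authenticate request")

    def field(tag: str) -> str:
        el = req.find(f"{{{AUTH_NS}}}{tag}")
        return (el.text or "") if el is not None else ""

    return {"username": field("username"),
            "password": field("password"),
            "sourceIp": field("sourceIp")}


def build_authenticate_response(authenticated: bool) -> bytes:
    """AuthenticateResult envelope; Salesforce only looks at the Authenticated flag."""
    flag = "true" if authenticated else "false"
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">'
        "<soapenv:Body>"
        f'<AuthenticateResult xmlns="{AUTH_NS}">'
        f"<Authenticated>{flag}</Authenticated>"
        "</AuthenticateResult>"
        "</soapenv:Body>"
        "</soapenv:Envelope>"
    ).encode("utf-8")


def deny_all(username: str, password: str, source_ip: str) -> bool:
    """Policy used in this example: never accept a password. A real gateway
    would check the credentials against the corporate directory instead."""
    return False


def handle_delegated_auth(body: bytes,
                          policy: Callable[[str, str, str], bool] = deny_all,
                          audit_log: Optional[List[Tuple[str, str, bool]]] = None) -> bytes:
    """Serve one delegated authentication call. Fails closed on malformed input."""
    try:
        req = parse_authenticate_request(body)
    except (ET.ParseError, ValueError):
        return build_authenticate_response(False)
    ok = policy(req["username"], req["password"], req["sourceIp"])
    if audit_log is not None:
        # Record who tried, from where, and the outcome. Never the password.
        audit_log.append((req["username"], req["sourceIp"], ok))
    return build_authenticate_response(ok)


def is_authenticated(response: bytes) -> bool:
    """Read the flag back out of a response, as Salesforce does on its side."""
    root = ET.fromstring(response)
    el = root.find(f"{{{SOAP_NS}}}Body/{{{AUTH_NS}}}AuthenticateResult/"
                   f"{{{AUTH_NS}}}Authenticated")
    return el is not None and el.text == "true"


# Constructed sample of what Salesforce posts to the gateway URL (not a capture).
SAMPLE_REQUEST = f"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
  <soapenv:Body>
    <Authenticate xmlns="{AUTH_NS}">
      <username>jane@example.com</username>
      <password>correct horse battery staple</password>
      <sourceIp>203.0.113.7</sourceIp>
    </Authenticate>
  </soapenv:Body>
</soapenv:Envelope>""".encode("utf-8")


if __name__ == "__main__":
    log: List[Tuple[str, str, bool]] = []
    print(handle_delegated_auth(SAMPLE_REQUEST, audit_log=log).decode())
    print(log)  # [('jane@example.com', '203.0.113.7', False)]
```

The thing to notice is the request body: the user’s password leaves Salesforce and arrives at the gateway in the clear inside the SOAP envelope, so a real gateway is only ever exposed over TLS and must be treated as a credential-handling system, not a convenience endpoint.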

IMPORTANT: Do not set this permission on the System Administrator profile. If your SSO system is down or misbehaving for whatever reason, you still want administrators to be able to log in to Salesforce directly and, for example, repair the SSO configuration. Those break-glass accounts keep accepting a username and password, so protect them with Salesforce’s own MFA.

Step 5: Moment of Truth – Time to Test

Now navigate to the My Domain login URL and try to log in directly as a user whose profile has “Is Single Sign-On Enabled” checked. Because Salesforce tries to call a delegated authentication web service that has not been defined, the direct login fails with the message “We can’t log you in because you’re only allowed to use single sign-on. For help, contact your Salesforce administrator.” The attempt is also recorded in the user’s Login History together with the reason it failed, which is the place to look if you see a different message.

[Screenshot: direct login refused with the single sign-on only message]

Last But Not the Least

  1. Do not try these steps out in your production org. Always test in a Sandbox or Developer Org first.
  2. Before enabling the profile permission, consider every way your users reach Salesforce. For example, if users need the Salesforce Mobile App, make sure your SSO login works on mobile devices.
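As an added example that is not part of the original post, here is a check to run after Step 5 across the whole org rather than for a single test user: it reads a Login History CSV export and lists who is still logging in with a username and password, separating the break-glass administrators who are supposed to from everyone else. The Login Type values, the CSV column names and the sample rows are assumptions and constructed data, not Salesforce documentation; compare them with the values in your own export before trusting the output.

```python
import csv
import io
from collections import Counter
from typing import Dict, List, Set

# Assumption: these are the Login Type values Salesforce writes for SAML-based
# SSO logins, and "Application" is the web UI username/password login. Anything
# else (OAuth connected apps, API clients) is surfaced too, for triage.
SSO_LOGIN_TYPES = {"SAML Sfdc Initiated SSO", "SAML Idp Initiated SSO"}
DIRECT_LOGIN_TYPE = "Application"

# Constructed sample export (not from a real org). Column names are assumed to
# match the CSV download from Setup -> Login History; adjust if yours differ.
SAMPLE_EXPORT = """Username,Login Time,Source IP,Login Type,Status
jane@example.com,2024-03-01 09:02:11,203.0.113.7,SAML Sfdc Initiated SSO,Success
bob@example.com,2024-03-01 09:05:40,198.51.100.21,Application,Success
bob@example.com,2024-03-02 08:55:02,198.51.100.21,Application,Success
admin@example.com,2024-03-02 10:12:00,203.0.113.9,Application,Success
carol@example.com,2024-03-02 11:30:15,192.0.2.44,Application,Invalid Password
erin@example.com,2024-03-03 07:41:09,192.0.2.80,SAML Idp Initiated SSO,Success
"""


def read_login_history(csv_text: str) -> List[Dict[str, str]]:
    """Parse the export into one dict per login attempt."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit_login_history(csv_text: str,
                        break_glass: Set[str] = frozenset()) -> Dict[str, object]:
    """Split the export into: users who logged in without SSO although they are
    expected to be SSO-only, break-glass accounts that are allowed to log in
    directly, and failed password attempts (someone probing the ?login form)."""
    bypassing: Counter = Counter()
    expected: Counter = Counter()
    failed_direct: List[Dict[str, str]] = []
    for row in read_login_history(csv_text):
        login_type = row["Login Type"]
        if login_type in SSO_LOGIN_TYPES:
            continue                      # what we want to see
        if row["Status"] != "Success":
            if login_type == DIRECT_LOGIN_TYPE:
                failed_direct.append(row)  # rejected password logins
            continue
        user = row["Username"]
        if user in break_glass:
            expected[user] += 1           # admins kept off the SSO-only profile
        else:
            bypassing[user] += 1          # profile is missing the permission
    return {"bypassing_sso": dict(bypassing),
            "expected_direct": dict(expected),
            "failed_direct": failed_direct}


if __name__ == "__main__":
    report = audit_login_history(SAMPLE_EXPORT, break_glass={"admin@example.com"})
    for user, n in sorted(report["bypassing_sso"].items()):
        print(f"SSO bypass: {user} logged in directly {n} time(s)")
    for row in report["failed_direct"]:
        print(f"failed direct attempt: {row['Username']} from "
              f"{row['Source IP']} ({row['Status']})")
```

Any username in the bypassing list is either on a profile that still lacks “Is Single Sign-On Enabled” or has a non-SAML login path you have not accounted for; both are worth resolving before you consider the rollout finished.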

25 thoughts on “How to Disable Direct Login to Salesforce”

  1. Hi Ashish,
    My org is using a SSO with MFA enabled. I plan to follow these steps to disable logins for the upcoming MFA requirement. Once disabled, will this affect users logging into the mobile app? Are there additional settings I need to consider for mobile app users? Thanks!

    1. Hi Christina, the first time your users log in to Salesforce from the mobile app, they will be redirected to your SSO login page, so your SSO login page must be mobile compatible. Once the user logs in successfully, they will not need to log in again until their refresh token expires. The refresh token expiry is a setting you can define in the Connected App in your Salesforce org.

      Please refer to this help article for an explanation on the Refresh Token Policy on the Connected App – https://help.salesforce.com/s/articleView?id=sf.connected_app_manage_oauth.htm&type=5

  2. Hi Ashish,
    I got to know that users can even bypass the SSO login and log in directly to Salesforce. Now I want to know: is there a way to determine whether users are currently logging in directly or using SSO, and if so, who is bypassing the SSO login in the system?
    Please help!!

    1. Hi Sakshi, if you follow step 4 of this blog post, which is to check the system permission “Is Single Sign-On Enabled” at the profile level, users should not be able to log in directly to Salesforce. Are you saying that users can still log in to Salesforce directly, even if this option is checked?

  3. Hi Ashish,

    I am able to configure all the steps and it works fine. The only thing is we are not getting this error: “We can’t log you in because you’re only allowed to use single sign-on. For help, contact your Salesforce administrator.” We are getting the OOB error. Can you help me?

  4. Hi Ashish,

    Hope you’re doing good.

    Thanks for this article. In our sandbox we followed the above steps, but while testing, instead of getting the message “We can’t log you in because you’re only allowed to use single sign-on. For help, contact your Salesforce administrator” we keep getting “Please check your username and password. If you still can’t log in, contact your Salesforce administrator”. Any ideas what might have been causing this? Thank you.

    Regards
    AJ

    1. Ashish Agarwal

      Hi Anudeep, check the “Login History” for that user on the user’s record. That should tell you the exact reason for this.

      1. Anudeep Jujjavarapu

        Hi Ashish,

        Thanks so much for replying with the quick tip. “The Single Sign-On Gateway Url is invalid” is the error we are coming across. We are referring to a few articles on navigating this issue; if you are aware of any fix for this, kindly let us know. Thank you once again for your time.

        Regards
        AJ

    2. Hey Anudeep,

      Did you find the solution for this? Even I am getting the same error message: “Please check your username and password. If you still can’t log in, contact your Salesforce administrator”. Any ideas what might have been causing this? Thank you.

      1. It’s best practice not to give the reason why login failed. That’s the reason for the generic error message from now on.

  5. Hi

    I have, like an idiot, disabled the standard login before even testing SSO, so now my whole organisation is locked out (we can’t log in). Is there a way to get back into the tenant and enable at least the standard login until we resolve our SSO login?

  6. Can you help me with this scenario?
    1. Delegated authentication is OFF.
    2. On My Domain, I have checked “Prevent login using https://login.salesforce.com”.
    3. SSO is enabled using the Federation ID type.
    4. On my Salesforce user, I haven’t filled in the Federation ID.

    With the above steps, can I log in via credentials using the domain URL?
    Please let me know.

    1. Hi Bhim, I assume by “login via credentials” you mean logging in using a Salesforce username and password. Yes, you should be able to log in using that.

    2. You can achieve this by checking the system permission ‘Is Single Sign-On Enabled’ on all profiles except for the System Admin profile.

  7. Prasad Shiraskar

    After enabling Delegated Authentication and the “Is Single Sign-On Enabled” permission on the profile, will it work without using My Domain?

      1. Hello ASAGARWAL,
        Thanks for your great article. I have a few questions with regard to Prasad’s question.
        1. Why do we need to select “Prevent login from https://login.salesforce.com” if we enable SSO at the profile level?
        2. Is there any way we can run a report to see if any of our users are logging in without SSO, since we haven’t enabled SSO for all profiles?
