If you have implemented Single Sign-On (or SSO), you may not want the user to login to Salesforce directly. For the simple reason that you want your SSO to be the single place to control user access. So if the employee leaves the company, you just disable them in your SSO system and not worrying about disabling them in various other systems. With SSO, it is also easier to implement and maintain the corporate security policies (like 2FA, password complexity, retries, lockouts etc.) in one single system rather than having to ensure that the different systems adhere to these policies. So here is how you can disable direct login to Salesforce.
Step 1: [Optional] Disable login through login.salesforce.com
When you enable “My Domain” in Salesforce, users can login to Salesforce either through login.salesforce.com or <mydomain>.my.salesforce.com. To prevent users from logging on through login.salesforce.com navigate to Setup -> Company Settings -> My Domain. Edit my domain settings and click the checkbox “Prevent login from https://login.salesforce.com“
Step 2: [Optional] Hide the username/password on the My Domain Login Page
Next, you may also want to hide Salesforce standard login/password option on the My Domain login page. Navigate to Setup -> Company Settings -> My Domain. Click on Edit under ‘Authentication Configuration’ and uncheck the option ‘Login Page’
Once done, now when the users navigate to my domain URL<mydomain>.my.salesforce.com, they will not see the login/password fields. Here is how the login page will look before and after unchecking the option
But this is still not foolproof. And that is because if the user is smart, they can simply append “?login” to the My Domain URL and still see the username/password box. Here is how that will look – Oops !!
Step 3: Log a Ticket with Salesforce to Enable Delegated Authentication
The third step will be to log a ticket with Salesforce support to enable “Delegated Authentication“. Don’t worry, we are not going to configure delegated authentication or anything, but will leverage on this feature to stop users from logging on to Salesforce directly.
Once Salesforce support enables the delegated authentication in your Org, you can confirm that by navigating to URL Setup -> Single Sign-On settings. If you see the Delegated Authentication as highlighted below, it has been enabled for you. Leave the Delegated Authentication section as-is. Do not specify any values here.
Step 4: Enable Single Sign-On at the Profile Level
Once Delegated Authentication is enabled in your org, you are going to see a new system permission in profile setup called “Is Single Sign-On Enabled“. You need to check this for the profiles of the users you want to disable direct login to Salesforce.
So what we have done is asked Salesforce support to enable ‘Delegated Authentication’ but then did not configure any settings for Delegated Authentication. And then enabled Single Sign-On at the user profile level.
The concept of delegated authentication is that once it is enabled for a user’s profile, Salesforce will not check the username and password itself. Rather, it will make a web service call to the Delegated Authentication URL, passing the username and password and if the web service call returns true, the user will be allowed to log in. If it returns false, the user will not be allowed to log in.
In our case, we have twisted the delegated authentication feature to disable direct login to Salesforce. Since we did not specify any web service URL, Salesforce will not be able to make a call to anywhere. And since the user profile has single sign-on checked, Salesforce will not verify the username/password itself. The end result is that users will not be able to login to Salesforce directly by providing username and password. Pretty nifty, hah!
IMPORTANT: Do not set this option for the System Admin profile. The simple reason that if your SSO system is down or not working for whatever reason, you still would want the administrators to login to Salesforce directly.
Step 5: Moment of Truth – Time to Test
Now, navigate to My Domain login URL and try to login to Salesforce directly with the profile of the user, where”Is Single Sign-On Enabled” is checked. Because Salesforce will try to call the delegated authentication web service, which has not been defined, direct login will fail with the error message “We can’t log you in because you’re only allowed to use single sign-on. For help, contact your Salesforce administrator.“
Last But Not the Least
- Do not try out these steps in your Production Org. Always test in a Sandbox or Developer Org first.
- Before enabling the profile setting, do consider all aspects – E.g. if the users need to access from Salesforce Mobile App, ensure that your SSO login will work on mobile devices
October 6, 2020 @ 8:11 PM
Great article, Ashish!
October 6, 2020 @ 8:16 PM
Thanks Ash
July 23, 2020 @ 4:27 PM
Can you help me this scenario
1. If Delegated authentication is OFF
2. On my domain, i have checked prevent login using https://login.salesforce.com
3. SSO is enabled using federation id type.
4. On my Salesforce user, i haven’t filled the federation id
With this above steps, can i able to login via credentials using domain url?
Please let me know.
July 26, 2020 @ 5:22 AM
Hi Bhim, I assume by “login via credentials” you are referring to logging in using Salesforce username and password. Yes, you should be able to login using that.
May 20, 2020 @ 4:42 PM
Hi , Is it possible to disable direct login for all users except System Admins ?
May 22, 2020 @ 5:13 AM
You can achieve this by checking the system permission ‘Is Single Sign-On Enabled’ on all profiles except for System Admin profile.
March 25, 2020 @ 5:29 AM
Can we disable sso verify mechanishm after login with userid/pwd,
March 26, 2020 @ 8:12 AM
Hi Chris, I am not sure if I have understood your question. Can you please elaborate.
February 16, 2019 @ 1:23 AM
My favorite article on Salesforce so far…
January 17, 2019 @ 3:38 AM
After enabling Delegated Authentication and ”Is Single Sign-On Enabled” permission on the profile.. will it work without using my domain.
February 1, 2019 @ 5:50 AM
Yes, it will. My Domain is not a pre-requisite for this to work.