If you have implemented Single Sign-On (SSO), you may not want users to log in to Salesforce directly, for the simple reason that you want your SSO to be the single place that controls user access. If an employee leaves the company, you just disable them in your SSO system without having to worry about disabling them in various other systems. With SSO, it is also easier to implement and maintain the corporate security policies (2FA, password complexity, retries, lockouts, etc.) in one system rather than having to ensure that each separate system adheres to them. So here is how you can disable direct login to Salesforce.
Step 1: [Optional] Disable login through login.salesforce.com
When you enable “My Domain” in Salesforce, users can log in either through login.salesforce.com or through <mydomain>.my.salesforce.com. To prevent users from logging in through login.salesforce.com, navigate to Setup -> Company Settings -> My Domain. Edit the My Domain settings and tick the checkbox “Prevent login from https://login.salesforce.com”.
Step 2: [Optional] Hide the username/password on the My Domain Login Page
Next, you may also want to hide the standard Salesforce username/password fields on the My Domain login page. Navigate to Setup -> Company Settings -> My Domain, click Edit under ‘Authentication Configuration’ and uncheck the option ‘Login Page’.
Once this is done, when users navigate to the My Domain URL <mydomain>.my.salesforce.com, they will not see the username/password fields. Here is how the login page looks before and after unchecking the option.
But this is still not foolproof, because a user who knows the trick can simply append “?login” to the My Domain URL and still get the username/password box. Here is how that looks – Oops!!
Step 3: Log a Ticket with Salesforce to Enable Delegated Authentication
The third step is to log a ticket with Salesforce support to enable “Delegated Authentication”. Don’t worry, we are not going to actually configure delegated authentication; we will just leverage this feature to stop users from logging in to Salesforce directly.
Once Salesforce support has enabled delegated authentication in your org, you can confirm it by navigating to Setup -> Single Sign-On Settings. If you see the Delegated Authentication section as highlighted below, it has been enabled for you. Leave the Delegated Authentication section as-is and do not specify any values there.
Step 4: Enable Single Sign-On at the Profile Level
Once Delegated Authentication is enabled in your org, you will see a new system permission in the profile setup called “Is Single Sign-On Enabled”. Check this permission on the profiles of the users for whom you want to disable direct login to Salesforce.
So what we have done is ask Salesforce support to enable ‘Delegated Authentication’, leave all of its settings unconfigured, and then enable Single Sign-On at the user profile level.
The concept of delegated authentication is that once it is enabled for a user’s profile, Salesforce no longer checks the username and password itself. Instead, it makes a web service call to the Delegated Authentication URL, passing the username and password; if the web service returns true, the user is allowed to log in, and if it returns false, the user is not.
In our case, we have repurposed the delegated authentication feature to disable direct login to Salesforce. Since we did not specify any web service URL, Salesforce has nowhere to send the call. And since the user’s profile has single sign-on checked, Salesforce will not verify the username/password itself either. The end result is that users cannot log in to Salesforce directly by providing a username and password. Pretty nifty, hah!
IMPORTANT: Do not set this option on the System Administrator profile, for the simple reason that if your SSO system is down or not working for whatever reason, you still want administrators to be able to log in to Salesforce directly.
Step 5: Moment of Truth – Time to Test
Now, navigate to the My Domain login URL and try to log in to Salesforce directly as a user whose profile has “Is Single Sign-On Enabled” checked. Because Salesforce will try to call the delegated authentication web service, which has not been defined, the direct login fails with the error message “We can’t log you in because you’re only allowed to use single sign-on. For help, contact your Salesforce administrator.”
Last But Not Least
- Do not try out these steps in your Production Org. Always test in a Sandbox or Developer Org first.
- Before enabling the profile setting, consider all aspects, e.g. if users need access from the Salesforce Mobile App, ensure that your SSO login works on mobile devices.
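As an added example (not part of the original post), here is a small Python audit you can run over Profile metadata retrieved from the org to confirm that the SSO-only permission from Step 4 is set on every profile except the break-glass System Administrator profile. It assumes the Metadata API name of “Is Single Sign-On Enabled” is IsSsoEnabled and uses constructed Profile XML as input.

```python
import xml.etree.ElementTree as ET

META_NS = "http://soap.sforce.com/2006/04/metadata"   # Salesforce Metadata API namespace
NS = {"sf": META_NS}
SSO_PERMISSION = "IsSsoEnabled"   # assumed API name of "Is Single Sign-On Enabled"
BREAK_GLASS_PROFILES = {"System Administrator"}   # must keep direct login (post's IMPORTANT note)


def sso_only(profile_xml: str) -> bool:
    """True when the Profile XML grants the SSO-only system permission."""
    root = ET.fromstring(profile_xml)
    for perm in root.findall("sf:userPermissions", NS):
        if perm.findtext("sf:name", default="", namespaces=NS) == SSO_PERMISSION:
            return perm.findtext("sf:enabled", default="false", namespaces=NS).strip() == "true"
    return False   # permission absent from the file means it is not granted


def audit(profiles: dict) -> list:
    """Return (profile name, problem) pairs where the setting contradicts the policy."""
    findings = []
    for name, xml in profiles.items():
        enabled = sso_only(xml)
        if name in BREAK_GLASS_PROFILES and enabled:
            findings.append((name, "SSO-only is set on a break-glass profile; admins are locked out if SSO is down"))
        elif name not in BREAK_GLASS_PROFILES and not enabled:
            findings.append((name, "SSO-only is not set; direct username/password login is still possible"))
    return findings


def _profile(*perms) -> str:
    """Build a minimal constructed Profile XML from (permission name, enabled) pairs."""
    body = "".join(
        f"<userPermissions><enabled>{on}</enabled><name>{perm}</name></userPermissions>"
        for perm, on in perms
    )
    return f'<Profile xmlns="{META_NS}">{body}</Profile>'


# Constructed sample profiles; not retrieved from any real org
SAMPLE_PROFILES = {
    "Standard User": _profile(("IsSsoEnabled", "true"), ("ApiEnabled", "true")),
    "Custom Sales": _profile(("ApiEnabled", "true")),
    "Custom Support": _profile(("IsSsoEnabled", "false")),
    "System Administrator": _profile(("IsSsoEnabled", "true"), ("ModifyAllData", "true")),
}

if __name__ == "__main__":
    for profile, problem in audit(SAMPLE_PROFILES):
        print(f"{profile}: {problem}")
```

Point it at the profiles/ folder of a Metadata API retrieve (one XML file per profile) to audit a real org.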
If I disable the Prevent Login from login.salesforce.com, will it affect the third party integration which has been present in the org?
Hi Karan, yes, it will prevent the user from connecting through the API as well. These integrations will need to use the My Domain URL to connect to your Salesforce Org.
Hello,
Thank you for the great article. I have mistakenly enabled the ‘Is single sign on enabled’ setting for the admin profile and am currently unable to log in to my dev sandbox where I am working on the SSO configuration setup.
I can’t log in with login credentials either, as SSO is also not completely configured. As I am admin, what should be my next step to resolve this blunder?
Hi Tanveer, you can reach out to Salesforce support to disable the option in the Sandbox. Or, if you are okay with losing everything in the Sandbox, you can refresh it again from Production.
Hello Ashish,
Thank you for the above advice, I contacted Salesforce support and got it resolved.
I have another scenario where delegated authentication is enabled for my prod org. Since I usually log in to the org using SSO login, a password was never set when my user account was created. Therefore I never used Salesforce credentials to log in to my org. Now I want to reset my password and log in using Salesforce credentials. But I am shown an error to contact the system admin (but I am already on the admin profile).
Is it possible to reset the password with delegated authentication enabled on the admin profile?
If yes, then what are the settings?
If no, then how do I log in to my org in case there is an SSO outage?
Appreciate your kind response.
Thanks in advance
Hi Tanveer, that is exactly the reason I mentioned “Do not set this option for the System Admin profile.” If you turn it on for a profile, Salesforce no longer controls the authentication, and you can’t reset the password from Salesforce.
Hi Ashish,
My org is using an SSO with MFA enabled. I plan to follow these steps to disable logins for the upcoming MFA requirement. Once disabled, will this affect users logging into the mobile app? Are there additional settings I need to consider for mobile app users? Thanks!
Hi Christina, the first time your users log in to Salesforce from the mobile App, they will be redirected to your SSO login page. So, your SSO login page must be mobile compatible. Once the user logs in successfully, they will not need to log in again till their refresh token expires. The expiry of the refresh token is a setting that you can define in the Connected App in your Salesforce Org.
Please refer to this help article for an explanation on the Refresh Token Policy on the Connected App – https://help.salesforce.com/s/articleView?id=sf.connected_app_manage_oauth.htm&type=5
Hi Ashish,
I got to know that the user can even bypass the SSO login and log in directly into Salesforce. Now I want to know if there is a way to determine whether users are currently logging in directly or using SSO and, if so, who is bypassing the SSO login in the system?
Please help!!
Hi Sakshi, if you follow step 4 of this blog post, which is to check the system permission “Is Single Sign-On Enabled” at the profile level, users should not be able to log in directly to Salesforce. Are you saying that users can still log in to Salesforce directly, even if this option is checked?
Hi Ashish,
I was able to configure all the steps and it works fine. The only thing is we are not getting this error: “We can’t log you in because you’re only allowed to use single sign-on. For help, contact your Salesforce administrator.” We are getting the OOB error. Can you help me?
Hi Santosh, what is the OOB error? Can you upload a screenshot here?
Hi Ashish,
Hope you’re doing good.
Thanks for this article. In our sandbox we followed the above steps, but while testing, instead of getting the message “We can’t log you in because you’re only allowed to use single sign-on. For help, contact your Salesforce administrator” we keep getting “Please check your username and password. If you still can’t log in, contact your Salesforce administrator”. Any ideas what might have been causing this? Thank you.
Regards
AJ
Hi Anudeep, check the “Login History” for that user on the user’s record. That should tell you the exact reason for this.
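As an added example (not from the post or the comment thread), here is a Python script that runs the Login History check from the reply above over a set of constructed LoginHistory rows: it lists users who still log in directly with a username/password and the recorded reason for each failed direct attempt, which also answers the earlier question about finding who bypasses SSO. The LoginType mapping is an assumption to verify against your own org.

```python
from collections import defaultdict

# LoginType values below are assumed from the LoginHistory object; verify against your org.
SSO_TYPES = {"SAML Sfdc Initiated SSO", "SAML Idp Initiated SSO"}
DIRECT_TYPES = {"Application"}   # interactive username/password login on the login page

# Constructed sample rows, not exported from any real org. A real pull would be e.g.
#   SELECT UserId, LoginTime, LoginType, Status FROM LoginHistory WHERE LoginTime = LAST_N_DAYS:30
SAMPLE_LOGINS = [
    {"UserId": "005-alice", "LoginType": "SAML Sfdc Initiated SSO", "Status": "Success"},
    {"UserId": "005-bob",   "LoginType": "Application",             "Status": "Success"},
    {"UserId": "005-bob",   "LoginType": "Application",             "Status": "Success"},
    {"UserId": "005-carol", "LoginType": "Application",             "Status": "Invalid Password"},
    {"UserId": "005-dave",  "LoginType": "Remote Access 2.0",       "Status": "Success"},
    {"UserId": "005-erin",  "LoginType": "SAML Idp Initiated SSO",  "Status": "Success"},
]


def classify(row: dict) -> str:
    """Bucket a LoginHistory row as sso, direct or other (OAuth/API flows land in other)."""
    if row["LoginType"] in SSO_TYPES:
        return "sso"
    if row["LoginType"] in DIRECT_TYPES:
        return "direct"
    return "other"


def bypass_report(rows: list) -> tuple:
    """Return (successful direct logins per user, failed direct attempts with their reason)."""
    direct_ok = defaultdict(int)
    failures = []
    for row in rows:
        if classify(row) != "direct":
            continue
        if row["Status"] == "Success":
            direct_ok[row["UserId"]] += 1        # this user still bypasses SSO
        else:
            failures.append((row["UserId"], row["Status"]))   # the reason Login History records
    return dict(direct_ok), failures


if __name__ == "__main__":
    ok, failed = bypass_report(SAMPLE_LOGINS)
    for user, count in ok.items():
        print(f"{user}: {count} successful direct login(s)")
    for user, reason in failed:
        print(f"{user}: direct login failed: {reason}")
```

Users that show up with successful direct logins are the ones whose profile still lacks the “Is Single Sign-On Enabled” permission.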
Hi Ashish,
Thanks so much for replying back with the quick tip. “The Single Sign-On Gateway Url is invalid” is the error we are coming across. We are referring to a few articles on navigating this issue; if you are aware of any fix for this, kindly let us know. Thank you once again for your time.
Regards
AJ
Hey Anudeep,
Did you find the solution for this? Even I am getting the same error message: “Please check your username and password. If you still can’t log in, contact your Salesforce administrator”. Any ideas what might have been causing this? Thank you.
It’s best practice not to give the reason why login failed. That’s the reason for the generic error message from now on.
Hi
I have, like an idiot, disabled the standard login before even testing SSO, so now all my organisation is locked out (we can’t log in). So is there a way to get back into the tenant and enable at least standard login until we resolve our SSO login?
Hi Sutha, sorry to hear that. You’ll need to reach out to Salesforce Support to enable the standard login. Since you won’t be able to log a case, you can call them (https://help.salesforce.com/articleView?id=000321274&type=1&mode=1), send a twitter message to @salesforce and @asksalesforce or reach out to your Account Executive.
Great article, Ashish!
Thanks Ash
Can you help me with this scenario?
1. Delegated authentication is OFF.
2. On My Domain, I have checked prevent login using https://login.salesforce.com.
3. SSO is enabled using the federation id type.
4. On my Salesforce user, I haven’t filled in the federation id.
With the above steps, am I able to log in via credentials using the domain URL?
Please let me know.
Hi Bhim, I assume by “login via credentials” you are referring to logging in using a Salesforce username and password. Yes, you should be able to log in using that.
Hi, is it possible to disable direct login for all users except System Admins?
You can achieve this by checking the system permission ‘Is Single Sign-On Enabled’ on all profiles except for System Admin profile.
Can we disable the SSO verify mechanism after login with userid/pwd?
Hi Chris, I am not sure if I have understood your question. Can you please elaborate?
My favorite article on Salesforce so far…
After enabling Delegated Authentication and the “Is Single Sign-On Enabled” permission on the profile, will it work without using My Domain?
Yes, it will. My Domain is not a prerequisite for this to work.
Hello ASAGARWAL,
Thanks for your great article. I have a few questions with regards to Prasad’s question.
1. Why do we need to select “Prevent login from https://login.salesforce.com” if we enable SSO at the profile level?
2. Is there any way we can run a report to see if any of our users are logging in without SSO, since we haven’t enabled SSO for all profiles?