User Authentication

Secure Your Users' Identity

Describe ways to identify your users in addition to a username and password. Set up two-factor authentication. Use the Salesforce Authenticator app to verify identity. Get login information about users who log in to your org.
  • Two-Factor Authentication (2FA) is the most effective way to protect user accounts in the org: a stolen or guessed password alone is no longer enough to log in.
    • The second factor is typically a mobile device with an authenticator app installed (something the user has, in addition to the password they know).
    • Admins can require 2FA every time users log in, only when users access the org from a new device, or only when they access a high-risk application.
  • To turn on 2FA for every login:
    • Setup » Quick Find » “Session Settings” » Session Settings
      • Under Session Security Levels, make sure that Two-Factor Authentication is in the High Assurance category (not Standard). If it isn’t, a 2FA login doesn’t count as high assurance, and policies that require high assurance won’t be satisfied by it.
    • Create a new Permission Set labeled “2fa Auth for User Logins” or similar
    • Under System, click System Permissions, then Edit. Select “Two-Factor Authentication for User Interface Logins” and save.
    • On the detail page of the new permission set, assign the new permission set to the appropriate users.
    • Users will be prompted to download the Salesforce Authenticator Mobile App the first time they log in.
  • The Salesforce Authenticator app lets users assign trusted locations. When the phone is in that location, login attempts are automatically approved without the user tapping anything.
    • This trades assurance for convenience: anyone who has the password and can trigger a login while the phone sits in the trusted location gets in. If that isn’t acceptable, disable location-based automated verifications with Salesforce Authenticator in Session Settings.
  • Check who’s been verifying their identity (2FA prompts, successes, failures, and the method used) via: Setup » Quick Find » “Verification” » Identity Verification History. Plain login events, including logins that never triggered 2FA, are in Login History instead.
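The Identity Verification History page is most useful when you actually look for patterns in it: a user who fails verification several times in a few minutes is a user whose password is already in someone else's hands, and automated trusted-location approvals deserve a periodic review. The script below is an added example, not part of the Trailhead module or any Salesforce tooling. The CSV is constructed, and its column names and status values are assumptions modelled on the Setup page; compare them with a real export before using this on one.

```python
"""Triage a constructed Identity Verification History export.

Added example. Column names ("Time", "Username", "Activity",
"Verification Method", "Status", "Source IP") and the status values
"Succeeded"/"Failed" are assumptions; check them against your own export.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (assumed columns). bob@ fails four times in two
# minutes; carol@ is approved automatically from a trusted location.
SAMPLE_CSV = """Time,Username,Activity,Verification Method,Status,Source IP
2024-03-04T08:01:10Z,alice@example.com,Login,Salesforce Authenticator,Succeeded,203.0.113.10
2024-03-04T08:02:00Z,bob@example.com,Login,Salesforce Authenticator,Failed,198.51.100.7
2024-03-04T08:02:30Z,bob@example.com,Login,Salesforce Authenticator,Failed,198.51.100.7
2024-03-04T08:03:05Z,bob@example.com,Login,Salesforce Authenticator,Failed,198.51.100.7
2024-03-04T08:03:40Z,bob@example.com,Login,Salesforce Authenticator,Failed,198.51.100.7
2024-03-04T09:15:00Z,carol@example.com,Login,Salesforce Authenticator (automated approval),Succeeded,192.0.2.44
2024-03-05T10:00:00Z,bob@example.com,Login,Salesforce Authenticator,Failed,198.51.100.7
"""


def parse_rows(text):
    """Read the export and convert the Time column to datetime objects."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["Time"] = datetime.strptime(r["Time"], "%Y-%m-%dT%H:%M:%SZ")
    return rows


def failed_bursts(rows, threshold=3, window=timedelta(minutes=10)):
    """Return {username: max failures seen inside any `window`} for users at
    or above `threshold`. Repeated failed verifications mean the password is
    already known and someone is hammering the second factor."""
    per_user = defaultdict(list)
    for r in rows:
        if r["Status"] == "Failed":
            per_user[r["Username"]].append(r["Time"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        best = 0
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            best = max(best, j - i + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def automated_approvals(rows):
    """Users whose successful verification was an automated (trusted-location)
    approval rather than an explicit tap in the app."""
    return sorted({r["Username"] for r in rows
                   if r["Status"] == "Succeeded"
                   and "automated" in r["Verification Method"].lower()})


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    print("failed bursts:", failed_bursts(rows))
    print("automated approvals:", automated_approvals(rows))
```

The sliding window is deliberately simple; the point is that the fourth failure by the same user in two minutes should page someone, and that bob's lone failure the next day is not counted toward it.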

Customize Your Login Process with My Domain

Understand how a custom domain provides more control over your login process. Customize your domain name, URL, and login page.
  • My Domain is a way to set up a custom subdomain within the salesforce.com domain. For example, this can look like https://companyname.my.salesforce.com.
    • As distinct from a custom domain, which is a domain the company itself owns and registers.
  • Setting up My Domain isn’t just branding. It is required for:
    • Working in multiple salesforce orgs in the same browser,
    • Setting up authentication providers for social log in,
    • Setting up single sign-on, and
    • Using Lightning components.
  • Trailhead Playgrounds are all developer orgs set up with My Domain
  • Link to set up a dev edition org. The username must be in email-address format, but it can be fictitious; it doesn’t have to be a real mailbox.
  • Set up via: Setup » Quick Find » “My Domain” » My Domain
    • Remember to “Deploy to Users”
  • Changing the subdomain breaks customized links that hard-code the old instance URL (custom buttons, Visualforce pages, bookmarks, integrations). Find and fix those before deploying to users.
  • It is possible to brand the company login page to add a company logo, change the background, and add custom pictures. This can be useful for making announcements to users as they log in.
    • From My Domain, under “Authentication Configuration,” click Edit, then customize the page as desired.
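Finding the hard-coded links before My Domain goes live is mostly a search problem. The following is an added example (not part of the module or any Salesforce tool) that scans metadata files for the classic instance-style hostnames (na1, eu12, cs27, plus the bare login and test hosts) and suggests the host-relative form that keeps working under any domain. The two metadata files are constructed for the example and are not real org metadata.

```python
"""Scan metadata for hard-coded Salesforce instance URLs that stop working
once My Domain is deployed. Added example; sample files are constructed."""
import re

# Classic instance hosts (na1, eu12, cs27, um3 ...) and the bare login/test hosts.
# The My Domain form (companyname.my.salesforce.com) is intentionally NOT matched.
INSTANCE_URL = re.compile(
    r"https?://(?:(?:na|eu|ap|cs|um)\d+|login|test)\.salesforce\.com[^\s\"'<>]*",
    re.IGNORECASE,
)

# Constructed sample: a custom button (WebLink) and a Visualforce page.
SAMPLE_METADATA = {
    "Account.Go_To_Report.webLink-meta.xml": """<?xml version="1.0" encoding="UTF-8"?>
<WebLink xmlns="http://soap.sforce.com/2006/04/metadata">
    <fullName>Go_To_Report</fullName>
    <url>https://na1.salesforce.com/00O5e000004ABCD</url>
</WebLink>""",
    "Welcome.page": """<apex:page>
    <a href="https://acme.my.salesforce.com/home/home.jsp">Home</a>
    <a href="{!URLFOR($Action.Account.View, $CurrentPage.parameters.id)}">Account</a>
    <a href="https://cs27.salesforce.com/apex/LegacyPage">Legacy</a>
</apex:page>""",
}


def find_hardcoded_urls(files):
    """Return (filename, line number, url) for every hard-coded instance URL."""
    hits = []
    for name, body in files.items():
        for lineno, line in enumerate(body.splitlines(), start=1):
            for m in INSTANCE_URL.finditer(line):
                hits.append((name, lineno, m.group(0)))
    return hits


def suggest_relative(url):
    """Drop the scheme and host so the link resolves under whichever domain
    served the page (the old instance today, the My Domain host tomorrow)."""
    return re.sub(r"^https?://[^/]+", "", url) or "/"


if __name__ == "__main__":
    for name, lineno, url in find_hardcoded_urls(SAMPLE_METADATA):
        print(f"{name}:{lineno}: {url} -> {suggest_relative(url)}")
```

Point the scanner at a metadata retrieval (or a grep over the same regex in the project repo); the acme.my.salesforce.com link in the sample is left alone because it already uses the My Domain host, and the URLFOR link is fine because it is computed at render time.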

Set Up Single Sign-On for Your Internal Users

Create a Federation ID. Set up single sign-on from an external identity provider. Become familiar with the tools to troubleshoot SAML requests.
  • There are four steps to configuring inbound SSO (Salesforce as the service provider) with a third-party identity provider. In the Trailhead exercise, the Axiom Heroku web app plays the identity provider; it is a test IdP for the exercise, not something to federate with in production.
  • 1. Create a Federation ID for each user
    • When setting up SSO, you use a unique attribute to identify each user. The attribute links the Salesforce user to the identity in the external identity provider. It can be the username, the Salesforce user ID, or the Federation ID.
    • A Federation ID must be unique for each user in an org, which is why the username (already unique) is a handy choice. But if the user belongs to multiple orgs, use the same Federation ID for the user in each org so one IdP identity maps to all of them. Federation IDs are case-sensitive, so the IdP must send exactly what is stored on the user record.
    • Set up via: Users page » Single Sign On Information section
  • 2. Set up SSO settings in Salesforce.
    • Link to set up Axiom SSO.
    • Then, follow the detailed steps documented in trailhead.
  • 3. Set up Salesforce settings in the SSO provider.
  • 4. Make Sure It All Works
    • Have the third-party identity provider send a SAML response and attempt to log in with it. If the login fails, paste the response into the SAML Assertion Validator (Setup » Single Sign-On Settings) to see which check the assertion failed: issuer, audience, recipient, time window, or the subject attribute not matching any user.
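The checks that make step 4 pass or fail are easier to reason about when they are spelled out. The script below is an added example, not Salesforce's validator and not part of the module: it runs the basic checks on a SAML 2.0 response (issuer, audience, recipient, NotBefore/NotOnOrAfter, and the NameID lookup against users keyed by Federation ID) and reports every failure rather than stopping at the first. The response XML, the org settings, and the user table are constructed; the response carries no signature, so signature verification, which a real deployment must do first, is out of scope here.

```python
"""Basic SAML response checks for an inbound SSO setup. Added example; the
XML, org settings and user table are constructed and the response is unsigned."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed response: the IdP asserts the subject "alice.fedid" (a Federation ID).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://acme.my.salesforce.com?so=00D000000000001"
    ID="_r1" Version="2.0" IssueInstant="2024-03-04T08:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-03-04T08:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice.fedid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-03-04T08:05:00Z"
            Recipient="https://acme.my.salesforce.com?so=00D000000000001"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-03-04T07:59:00Z" NotOnOrAfter="2024-03-04T08:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://saml.salesforce.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed service-provider settings (what the org expects to see).
ORG = {
    "issuer": "https://idp.example.com/metadata",          # trusted IdP entity ID
    "entity_id": "https://saml.salesforce.com",             # audience the org accepts
    "login_url": "https://acme.my.salesforce.com?so=00D000000000001",  # recipient
}
# Constructed user table keyed by Federation ID. Lookup is exact: case matters.
USERS_BY_FEDERATION_ID = {"alice.fedid": "alice@acme.example"}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, org, users, now):
    """Return (username, []) when every check passes, else (None, [problems])."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, ["no Assertion element"]

    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != org["issuer"]:
        problems.append(f"issuer mismatch: {issuer!r}")

    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != org["entity_id"]:
        problems.append(f"audience mismatch: {audience!r}")

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")

    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != org["login_url"]:
        problems.append("recipient mismatch")

    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    username = users.get(name_id)  # exact match: Federation ID is case-sensitive
    if username is None:
        problems.append(f"no user with Federation ID {name_id!r}")

    return (username, []) if not problems else (None, problems)


def check_at(iso_time, xml_text=SAMPLE_RESPONSE, org=ORG, users=USERS_BY_FEDERATION_ID):
    """Convenience wrapper: validate the sample as if received at `iso_time`."""
    return validate_response(xml_text, org, users, _ts(iso_time))


if __name__ == "__main__":
    print(check_at("2024-03-04T08:01:00Z"))   # inside the window, user found
    print(check_at("2024-03-04T08:10:00Z"))   # after NotOnOrAfter
    print(check_at("2024-03-04T08:01:00Z", users={"Alice.fedid": "alice@acme.example"}))
```

The third call is the one that bites people in practice: the IdP sends `alice.fedid`, the user record says `Alice.fedid`, and the login fails with "no user found" even though everything else in the assertion is right.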