Enforcing SSO for users to login to salesforce
Hi Salesforce experts,
I have implemented Federated SSO in Salesforce. I have tested login from the SSO login URL using my ADS user ID and password and I am successful.
I tried logging in from login.salesforce.com using my Salesforce user ID and password. I am successful in logging in from this too.
If a user is able to log in through login.salesforce.com after implementing federated SSO in Salesforce, there is no meaning at all to this implementation, because SSO gives the company admin control over access to all applications, but here the admin cannot control the Salesforce user even after the SSO implementation.
I tried employing a trigger on the user account which changes the password every time the user record is updated, as below, so that users will not know what their Salesforce password is:
    trigger testtrigger on User (before update) {
        // Append a random value so the user never knows the resulting password
        Double ran = Math.random();
        // Hard-coded user ID as posted; sets a new password on every update
        System.setPassword('005E0000000cSO9', 'asdfqwer' + ran);
        System.debug(' forgot ' + 'asdfqwer' + ran);
    }
This trigger gets executed whenever the user record changes, but the problem is that when the user clicks on "forgot password" and resets the password, this trigger is not called.
At this moment, I don't have any option to enforce the users to log in from the SSO login page.
Can anybody solve this problem?
Thanks
Company Profile -> My Domain -> My Domain Settings
Login Policy: Require login from https://samluser--xxx.csx.my.salesforce.com
Checking the login policy will force your end users to log in through My Domain, and then they will use the SSO login.
Hi,
Thanks for the reply. Could you please tell me where I need to check this login policy?
If I can get this done, I will be very thankful to you.
Sri.
1. Use your admin account to register your My Domain, at
Company Profile -> My Domain -> My Domain Settings
such as
https://XXX.my.salesforce.com
2. When the My Domain is ready, log in with your admin account and access
Company Profile -> My Domain -> My Domain
You will see the link
Your domain name is available for testing. Click here to login
3. Click the link to log in from the My Domain with the admin account.
Then you will see it at Company Profile -> My Domain -> My Domain
4. After deploying the My Domain to users,
your users can log in from both login.salesforce.com and https://XXX.my.salesforce.com
5. Access Company Profile -> My Domain -> My Domain again,
edit My Domain Settings, and check
Login Policy: Require login from https://XXX.my.salesforce.com
Then all your users have to log in from https://XXX.my.salesforce.com, and can't log in from login.salesforce.com.
Is there a way of requiring the users to use the My Domain URL, yet have a specific admin account that can log in using the standard login.salesforce.com? If I turn on "require login from..." and our SSO server goes down, then there is no way to turn off SSO as I won't be able to log in via login.salesforce.com. Is there a solution for this?
Rohan B
Hi Jia Hu,
That is definitely correct, which of course means if your federated service server goes down you are locked out of SF.
Please promote this idea: https://sites.secure.force.com/success/ideaView?id=08730000000ZtgiAAC as without it the federated SSO is not a complete package.
Rohan
Thanks for your info.
hi,
We came across the same issue in our org and will use the domain settings to block end users from logging in through the cloud.
Quick question: how does the SSO integrate with Outlook and Salesforce Mobile? We use SAML for the authentication.
For the Chatter application I inserted the new domain and authenticated successfully, but it has a web look and feel and not like the regular Chatter application.
any ideas?
After I checked "require login..." and "Redirect to the same page within the domain",
the end users are not redirected to the new domain. Am I missing something?
When they enter their username and password they get an error: "Your login attempt has failed. The username or password may be incorrect, or your location or login time may be restricted. Please contact the administrator at your company for help". This is a good start since it blocks them from using the cloud, but I need them to be redirected to the new domain.
any ideas?
What you do is prevent logins from login.salesforce.com and make SSO the only available login method.
Then if you need to log in using Salesforce credentials you can backdoor in through https://[xxxx].my.salesforce.com/?login which will present you with a username/password prompt for your Salesforce credentials. You will need this to fix SSO when it breaks.
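Since the /?login path above leaves a username/password route open for admins, an added check (example code written for this thread, not posted by anyone in it) is to periodically list which users successfully logged in without SAML. It assumes the standard LoginHistory object; the LoginType picklist values and the class name NonSsoLoginReport are assumptions, so verify the values against your own org's login history.

```apex
// Added example, not from the thread: find successful logins that did not
// go through SAML SSO (e.g. the My Domain /?login backdoor).
// Assumes the standard LoginHistory object; LoginType values are assumed.
public with sharing class NonSsoLoginReport {

    // LoginType values that indicate a SAML-based login (assumed values,
    // check them against LoginHistory in your org).
    private static final Set<String> SSO_LOGIN_TYPES = new Set<String>{
        'SAML Sfdc Initiated SSO',
        'SAML Idp Initiated SSO'
    };

    // Returns, per user Id, the number of successful logins in the last
    // `days` days whose LoginType is not one of the SAML types.
    public static Map<Id, Integer> countNonSsoLogins(Integer days) {
        DateTime since = System.now().addDays(-days);
        Map<Id, Integer> counts = new Map<Id, Integer>();
        for (LoginHistory lh : [
                SELECT UserId, LoginType, Status
                FROM LoginHistory
                WHERE LoginTime >= :since AND Status = 'Success'
                LIMIT 10000]) {
            if (SSO_LOGIN_TYPES.contains(lh.LoginType)) {
                continue; // normal SSO login, nothing to flag
            }
            Integer n = counts.containsKey(lh.UserId) ? counts.get(lh.UserId) : 0;
            counts.put(lh.UserId, n + 1);
        }
        return counts;
    }

    // Writes one debug line per flagged user. Run from Execute Anonymous
    // (NonSsoLoginReport.report(7);) or wrap in a Schedulable job.
    public static void report(Integer days) {
        Map<Id, Integer> counts = countNonSsoLogins(days);
        if (counts.isEmpty()) {
            System.debug('No non-SSO logins in the last ' + days + ' days');
            return;
        }
        for (User u : [SELECT Id, Username FROM User WHERE Id IN :counts.keySet()]) {
            System.debug(u.Username + ': ' + counts.get(u.Id) + ' non-SSO login(s)');
        }
    }
}
```

Any user other than the designated break-glass admin appearing in this output means the My Domain login policy is not actually closing off username/password access.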