In this post, We are going to see on how to restrict username/password login using Delegated authentication.
Use Case: When the SSO is implemented in the organisation, Admin may want to restrict the users using a Salesforce username and password for login, so that the user always use SSO to login.
To achieve this requirement in Salesforce, We are going to use Delegated authentication.
Step 1: Enabling Delegated Authentication
In Lightning, Go to Gear Icon > Setup > Look for Single Sign-On Settings in Quick Find > Under Delegated Authentication, select Disable login with Salesforce credentials. Once you select this option, The UI will be shown like this
We don’t need to configure ‘Delegated Authentication URL’ and ‘Force Delegated Authentication Callout’ for this implementation.
Step 2: Enabling Delegated SSO at related Profile or Permission Set
Enabling the Delegated SSO will add "Is Single Sign-On Enabled" permission at the profile and permission set. Just enable this permission at the profile or permission set level and assign to the user who should not be using their Salesforce usernames and password.
How this works
When the user tries to login using Salesforce username and password, System checks if the permission "Is Single Sign-On Enabled" is enabled on the user (via profile or permission set). The login calls will then be redirected to Delegated SSO web service for the authentication. Since the Delegated web service URL is empty as we did not configure it, The login fails with the error "The Single Sign-On Gateway Url is invalid"
Caution :
- Don't restrict username and password login for all the profiles using this approach. In case your SSO is not working, Admin might want to use direct salesforce credentials to log into the org to troubleshoot anything further. If you have accidentally restricted for all the profiles, You need to contact Salesforce support to deactivate the delegated SSO temporarily.
- Once this Delegated SSO is enabled for the profile, The users will not be able to reset their username and password. Will get the below error message when they try to reset the password.
Hope this article helps and thank you for your time in reading this.
Cheers :)
Comments
Post a Comment