If you are a Salesforce Admin or CRM leader worried about users bypassing your SSO and directly login to Salesforce, this post will provide you guidelines to disable the direct login to Salesforce. I know if you implement this, you will face a bit of grumbling from your users but explaining to them on security loopholes and its impact will pacify them!! Also by doing this, you will be compliant with your MFA roll outs which is the last step of the process as well.
This guide outlines steps to disable direct Salesforce login for organizations that have implemented Single Sign-On (SSO). Please note that these steps should NOT be taken until SSO has been successfully implemented for your Salesforce instance. Failure to implement SSO before undergoing these steps may result in a system-wide lockout to your Salesforce application.
Disabling direct login is the last step to ensure compliance with Salesforce’s new Multi-Factor Authentication security policy.
These steps should be tested thoroughly in a sandbox environment before being implemented in production.
Disable Direct Login Guide
1. Enable “Disable Login with Salesforce Credentials” checkbox
What does this step do? This step is needed to display a backend system permission attribute that is used in the next step. It does not have any impact until Step 2 is completed.
End user impact: This does not have an end user impact.
Steps to take:
System admin logs into Salesforce. Clicks Setup cog wheel.
In Setup QuickFind box, type “Single Sign-On Settings”. Choose this option (under the Identity header).
Click “Disable login with Salesforce credentials” checkbox. Click Save.
2. “Enforce SSO” Attribute
What does this step do? Profiles or users with this enabled will no longer be able to login using username and password.
End user impact: Trying to login with username and password will result in the error message below. Note: this error message is the same as what end users would experience if they entered a wrong password. It is not possible to change this error message to something SSO-specific.
If your organization is using a “slow roll” deployment approach, it is recommended to complete this step several days or weeks before Step 3. This will encourage end users to use the SSO option and interact with system admins with questions / issues before the process is complete.
3. Uncheck Login Form
What does this step do? When end users enter their domain-specific login URL, they will automatically be redirected to SSO page (i.e. Google Workspace SSO)
End user impact: Significant. If the end user doesn’t have their SSO configured, they will not be able to access Salesforce. (Note: ensure “Additional Steps for System Admins” section below is completed before this step)
Steps to take:
System admin logs into Salesforce. Clicks Setup cog wheel.
In Setup QuickFind box, type “My Domain”. Select this choice (under header of Company Settings).
Click Edit button in the “Authentication Configuration” section.
Uncheck the “Login Form” option. (Note: your organization’s SSO authentication service should have already been checked during initial SSO setup)
Additional Steps for Integration Users
Integration users will need to have the “API Only User” attribute selected on their profiles. This prevents the user from being used for any purpose other than integration scenarios.
If an integration was configured using a non API Only User profile, it will need to be reconfigured using a profile with “API Only User” checked.
If issues arise, you may need to connect via Security Token.
Additional Steps for System Administrators
System Administrators should have the ability to login with a username and password, in case SSO fails.
Because of this, do NOT check the “Prevent login from https://login.salesforce.com” option within My Domain → Policies section.
To ensure System Admins are still compliant per Salesforce’s Multi-Factor Authentication (MFA) security policy, admins will need to use an approved MFA application (Salesforce Authenticator, Lightning Login, Google Authenticator, Duo, etc.) to access Salesforce.
For admin login via MFA:
Create a permission set labeled “Multi-Factor Authentication Enabled”. Select “Salesforce” as license type.
In the permission set, under System Permissions, check the box for the attribute named “Multi-Factor Authentication for User Interface Logins”.
Assign permission set to System Admin users
System admins will login at https://login.salesforce.com , using their MFA application.
General Notes
All future profiles should have the “Is Single Sign-On Enabled” attribute enabled during profile creation.
In a worst-case scenario where SSO fails and the system admin is unable to access Salesforce via MFA, Salesforce Support will need to deactivate SSO temporarily. In this unlikely scenario, send an email to your Salesforce Account Rep to have them contact Salesforce Support on your behalf.