authentication policy extension for SSO

Is there any way for the service provider to require a certain
authentication policy? The identity provider can send the authentication
policy that was used as part of the SAML assertions, then
Salesforce will look at this and if the authentication used by the
identity provider was strong enough, then it will let the user sign on.
For example, let's say that a certain account requires 2-factor
authentication. This can be set in the SSO configuration settings (I don't
see this setting anywhere but for this example's sake, go along with it).
The identity provider will do the 2-factor authentication and it will let
Salesforce know in the assertion that 2-factor authentication happened. Now
Salesforce can check for 2-factor authentication and let the user sign on.
The details about SAML-supported SSO didn't have anything like this,
so I was wondering if this is even possible right now. If something like this is
possible or mentioned anywhere else, please let me know.

Thanks in advance.

You are right, we don't have a way to enforce the authentication policy in the current release.

Jong Lee
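
The check described in the question, sketched as an added example (not Salesforce code, and not something this thread says Salesforce supports): a service provider reads the `AuthnContextClassRef` from a SAML 2.0 assertion and compares it with a per-account policy. The policy table, function names and sample assertion are assumptions made up for illustration, and the assertion is assumed to have passed signature, issuer and validity checks already.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Authentication context class URIs defined by the SAML 2.0 specification.
PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MOBILE_2FA = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
TIME_SYNC_TOKEN = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"

# Hypothetical per-account policy: the context classes that count as strong enough.
ACCOUNT_POLICY = {
    "two_factor": {MOBILE_2FA, TIME_SYNC_TOKEN},
    "any": {PASSWORD_PT, MOBILE_2FA, TIME_SYNC_TOKEN},
}


def authn_context_classes(assertion_xml):
    """Return every AuthnContextClassRef found in the assertion's AuthnStatements."""
    # Assumption: the XML was signature-verified upstream; this only reads it.
    root = ET.fromstring(assertion_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [(ref.text or "").strip() for ref in root.findall(path, NS)]


def allow_sign_on(assertion_xml, policy_name):
    """Fail closed: require at least one declared class, all of them in policy."""
    allowed = ACCOUNT_POLICY[policy_name]
    declared = authn_context_classes(assertion_xml)
    return bool(declared) and all(cls in allowed for cls in declared)


def sample_assertion(class_ref):
    """Build a constructed, unsigned assertion; class_ref=None omits AuthnStatement."""
    stmt = "" if class_ref is None else (
        '<saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">'
        f"<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}"
        "</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>"
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>https://idp.example.test</saml:Issuer>" + stmt +
        "</saml:Assertion>"
    )


if __name__ == "__main__":
    for ref in (MOBILE_2FA, PASSWORD_PT, None):
        print(ref, "->", allow_sign_on(sample_assertion(ref), "two_factor"))
```

An assertion with no `AuthnStatement`, or with a class outside the account's policy, is rejected rather than treated as "unknown, so allow".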