You need to sign in to do that
Don't have an account?
Disable Reset Password Option On Profiles/Users?
Hello,
We are considering introducing SSO for our Salesforce.com implementation. Once this has been done it would be good if we can disable the options for users to reset their passwords within SFDC (The passwords will be controlled externally to SFDC by our SSO identity provider.)
Do you know if it is posible to remove the possibility for a profile or user to change their passwords?
I note in the configuration settings for profiles there are 2 password options which can be activated/deactivated.
- "Password Never Expires"
- "Reset User Passwords and Unlock Users"
I presume option 2 above applies to all users who are assigned to the profile & not just the an indibidual user. Therefore if activated the profile user could reset every users password who is assigned to the profile?
On a User record it just displays the last date the password was changed "Last Password Change or Reset". There is an option for the user to go to "Personal Setup > My Personal Information > Change My Password" but I'd like to disable this.
Any help on this would be great.
Thanks!
Salesforce.com can't reset passwords that are external to itself, which is what I was basing my previous statement on; it'd be like trying to change your email password using Outlook. Any time salesforce.com can't control the password, it also can't reset the password. I presume that this means all manner of delegated logins, now and in the future, will probably (without a new SSO protocol that allows changing) be subject to this limitation.
All Answers
A user with SSO enabled can not reset their password through salesforce.com. Attempting to use Change Password, Reset Password, etc though all available channels will result in an error that states that they are unable to use the feature and must contact their IT department.
Thanks sfdcfox. Is this therefore a standard message that automatically comes up or is it something that is set by administrators for each company's instance of SFDC?
Thanks again!
It's not configurable, as far as I know. I haven't personally used SSO, but I understand it's fairly straight forward, assuming you have the software you need to implement SSO/Delegated Authentication. I saw it in action once, many years ago, and back then it was a standard message that advised the user to contact their IT department. They may have personalized it since then, such that it would show the actual name of the individual that they should contact. You should contact salesforce.com technical support and ask them. They should probably have the answer to that.
Thanks sfdcfox. I'll leave the question open for now in case anyone else has any further input but your responses are very helpful & a good guide on how this should work.
Hello,
I note in the SSO implementation guide https://na1.salesforce.com/help/doc/en/salesforce_single_sign_on.pdf it states in the Frequently Asked Questions Section:
"How are passwords reset when single sign-on has been implemented?
Salesforce.com can't reset passwords that are external to itself, which is what I was basing my previous statement on; it'd be like trying to change your email password using Outlook. Any time salesforce.com can't control the password, it also can't reset the password. I presume that this means all manner of delegated logins, now and in the future, will probably (without a new SSO protocol that allows changing) be subject to this limitation.
Thanks sfdcfox.
If you use federated SSO the user can still change their password. Is there a way to stop this?