+ Start a Discussion
vamsovamso 

Enforcing SSO for users to login to salesforce

Hi Salesforce experts,

 

 

I have implemented Federated SSO in salesforce. i have tested login from sso login url using my ADS user  id and password and i am successful.

 

I tried to logging in from login.salesforce.com using my salesforce user id and password. i am successful to login from this too.

 

if a user is able to login throug login.salesforce.com after implementing federated sso in salesforce, there is no meaning at all for this implementation.  because SSO gives company admin to control access to all applications but here admin can not control salesforce user even after sso implementation.

 

I tried emplyoing a trigger on user account which changes the password everytime time user record is being updated as below so that users will not be known what is their salesforce password as shown below

 

trigger testtrigger on User ( before update )
{
       Double ran=Math.random();
       System.setPassword('005E0000000cSO9','asdfqwer'+ran);
       system.debug(' forgot   '+'asdfqwer'+ran);

}

 

This trigger is getting executed when ever the user record changes but the problem is when user clicks on forgot password and he reset the password , this trigger is not getting called.

 

at this moment, i dont have any option to enforce the users to login from sso login page.

 

Can anybody solve this problem.

 

Thanks

Jia HuJia Hu

Company Profile -> My Domain -> My Domain Settings

Login Policy:  Require login from https://samluser--xxx.csx.my.salesforce.com

 

Check the login policy will force your end user to login through MyDomain, and then they will use SSO login

vamsovamso

Hi,

 

Thanks for the reply. could you please tell me where i need to check this login polocy.

 

if i can get this done, i will be very much thankful to you.

 

 

Sri.

Jia HuJia Hu

1. use your admin account to register your Mydomain, at

Company Profile -> My Domain -> My Domain Settings

 such as

https://XXX.my.salesforce.com

 

2. when the mydomain is ready, login with your admin account,  access

Company Profile -> My Domain -> My Domain

you will see the link

Your domain name is available for testing. Click here to login

 

3. click the link to login from the mydomain with admin account

then you will see  at  Company Profile -> My Domain -> My Domain

 

3. after deploy the my domain to users,

your user can login from both login.salesforce.com and https://XXX.my.salesforce.com

 

4. access Company Profile -> My Domain -> My Domain again and 

edit My Domain Settings, check

Login Policy  Require login from https://XXX.my.salesforce.com

 

then all your users have to login from https://XXX.my.salesforce.com, and cann't login from  login.salesforce.com

 


Rohan BRohan B

Is there a way of requiring the users to use the mydomain URL, yet have a specific Admin account that can login using the standard login.salesforce.com?  If I turn on "require login from..." and our SSO server goes down then there is no way to turn off SSO as I won't be able to login via login.salesforce.com.  Is there a solution for this?

 

Rohan B

Jia HuJia Hu
Based on my understanding, in the SAML way, if you enforce everyone to use mydomain, then the admin also has to use it for login.
Rohan BRohan B

Hi Jia Hu,

 

that is definitely correct - which of course means if your federated service server goes down you are locked out of SF.

 

Please promote this idea: https://sites.secure.force.com/success/ideaView?id=08730000000ZtgiAAC  as without it the federated SSO is not a complete package.

 

Rohan

Jia HuJia Hu
Hi Rohan B,

Thanks for your info.
ventoreroventorero

hi,

 

We came across the same issue in our org and will use the domain settings to block end users to login through the cloud.

quick question - how does the sso integrates outlook and salesforce mobile? we use SAML for the authentication.

 

for chatter application i inserted the new domain and authenticated successfully but it has a web look and feel and not like the regular chatter application..

 

any ideas?

ventoreroventorero

after i checked the "require login.." and   Redirected to the same page within the domain

the end users are not redirected to the new domain... am i missing something?

when they drop their username password they get an error: "Your login attempt has failed. The username or password may be incorrect, or your location or login time may be restricted. Please contact the administrator at your company for help" this is a good start since it blocks them to use the cloud but i need them to be redirected to the new domain...

 

any ideas?

Andrew B. DavisAndrew B. Davis
Here's a hybrid solution that requires ELS login for all users but lets you permit certain users to login directly: https://help.salesforce.com/apex/HTViewSolution?id=000133735&language=en_US. This provides some protection in case your SSO provider goes down.
Diego Carbonetti 6Diego Carbonetti 6
dont know if this ever got resolved...

What you do is prevent logins form login.salesforce.com and make SSO the only available login method

Then if you need to log in using salesforce credentials you can backdoor in through https://[xxxx].my.salesforce.com/?login which will present you with a username/password prompt for your Salesforce credentials - you will need this to fix sso  when it breaks