This article explains how UserLock can deliver SSO and MFA access to Salesforce from anywhere for on-premises Active Directory identities.
In response to the global threat landscape, Salesforce now requires multi-factor authentication (MFA) for all logins. While Salesforce has enabled MFA on direct Salesforce logins, MFA is also a contractual requirement for users who access Salesforce products through a single sign-on (SSO) service. Here’s how to comply with the Salesforce MFA requirement, while providing secure access and easy adoption for your team.
How Can Active Directory Users Meet the Salesforce MFA Requirement?
Salesforce spells out a few ways all users, whether in an Active Directory environment or not, can meet the new MFA requirement:
- Turn on MFA directly in your Salesforce products to protect direct logins
- Enable MFA with your provider’s SSO service
What About Trusted Corporate Devices?
Salesforce also makes provisions for organizations that use trusted corporate devices. Now, on their own, trusted corporate devices with certificates issued by services like AD or Mobile Device Management (MDM) don’t meet Salesforce’s MFA requirement. And the reason why is simple: anyone who has access to the device can compromise and use these device certificates.
If you use device certificates for user access, you should turn on MFA for your SSO identity provider or your Salesforce products. If that’s not possible, you can satisfy the MFA requirement by meeting these two conditions for SSO or direct logins:
- Your employees must log in from trusted corporate devices that have been issued a certificate, and
- The trusted devices must be on an IP address in your corporate network’s IP range, either by accessing the network from inside the office or by using a VPN.
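As an added example (not UserLock's or Salesforce's code), the following Python check encodes the rule above as a defender would evaluate it when reviewing Salesforce login events: MFA completed, or else a certificate-bearing trusted device that is also on a corporate IP range. The corporate ranges and login events are constructed sample data; a device certificate on its own is deliberately not accepted.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample ranges (office subnet and VPN pool); not real addresses.
CORPORATE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("10.8.0.0/16"),
]


@dataclass
class LoginEvent:
    user: str
    source_ip: str
    mfa_completed: bool        # second factor verified at the IdP or in Salesforce
    device_cert_valid: bool    # certificate issued by AD/MDM and still valid


def in_corporate_range(ip: str, ranges=CORPORATE_RANGES) -> bool:
    """True if ip falls inside any corporate range; unparsable input is not trusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def meets_requirement(ev: LoginEvent) -> Tuple[bool, str]:
    """Return (compliant, reason) for one login under the Salesforce rule."""
    if ev.mfa_completed:
        return True, "mfa"
    # A device certificate alone is not enough: whoever holds the device can use it.
    if ev.device_cert_valid and in_corporate_range(ev.source_ip):
        return True, "trusted-device+corporate-ip"
    if ev.device_cert_valid:
        return False, "device cert but outside corporate range: MFA required"
    return False, "no MFA and no trusted device"


def noncompliant(events: List[LoginEvent]) -> List[Tuple[str, str]]:
    """List (user, reason) for logins that fail the requirement, for review."""
    return [(ev.user, reason) for ev in events
            for ok, reason in [meets_requirement(ev)] if not ok]


if __name__ == "__main__":
    sample = [  # constructed events
        LoginEvent("alice", "203.0.113.25", False, True),   # office device
        LoginEvent("bob", "198.51.100.7", False, True),     # same device, from home
        LoginEvent("carol", "198.51.100.7", True, False),   # MFA done, any network
    ]
    for user, reason in noncompliant(sample):
        print(f"{user}: {reason}")
```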
What MFA Solutions Are Best for Active Directory Users?
If you only want to apply MFA for Salesforce access, Salesforce’s native solution can be an option.
However, as Salesforce underlines, the increase in global threats makes MFA adoption a necessity – and adoption is well overdue for most companies. If you have any sensitive information at all on your company’s apps or network (spoiler: you do), it’s worth considering Salesforce’s requirement as an invitation to more broadly apply MFA to protect your Active Directory (AD) identities.
Before selecting a solution, you’ll want to make sure that your MFA solution builds on your existing AD infrastructure.
Then, you’ll want to choose the right type of MFA. Most organizations today opt for two-factor authentication (2FA), which requires two distinct authentication factors. It increases login security without being too burdensome for employees.
You can also choose between different authentication methods for the second step of 2FA. Among the most common methods are authentication apps like Google Authenticator or Microsoft Authenticator, and security keys, like YubiKey or Token2. Ideally, find an MFA solution that lets you choose between different authentication methods.
As Salesforce emphasizes, “Driving adoption of strong MFA, the single best thing people and organizations can do to protect their user accounts and data, requires a range of MFA options, such as hardware keys.”
Of course, you don’t want your employees to lose time (and pull their hair out) with MFA for each and every app or service they access. That’s where combining MFA and SSO comes in.
Combine SSO and MFA Using Your Active Directory Login
With combined SSO and MFA, employees can log on to AD using their existing credentials and complete MFA just once to seamlessly access all line-of-business apps and cloud resources.
SSO eases MFA onboarding for your team, since it only adds one additional step to their access to network and cloud resources. It also makes teams more likely to stick with MFA, which is key. After all, the security methods we’re most likely to follow are the ones that are easiest to comply with.
Keep User Authentication On-Premises
For an on-premises AD environment, implementing SSO poses a unique challenge: how to safely transition to a hybrid AD environment. IT leaders at many on-premises AD organizations prefer, or are required, to keep user authentication on-premises.
But most SSO solutions on the market are cloud-based. So, to implement SSO in an on-premises AD setup, the first step is either to duplicate the on-premises AD user directory to the cloud, as is the case for SSO with Azure AD (now Microsoft Entra ID), or to create a new, separate directory altogether. This not only takes a lot of time to set up, but it can also become a nightmare to manage. Most importantly, sending user authentication off-premises increases the inherent security risks of SSO.
For optimal security, choose a secure SSO solution that uses your existing on-premises AD identities to keep user authentication safely on-premises.
Ease Adoption With Granular MFA
Granular access control offers organizations the ability to restrict or permit specific system access and control details on when and how MFA is prompted. The granular ability to force MFA for a specific cloud app like Salesforce can make it easier for your team to get used to MFA, requiring it now only for Salesforce access, and broadening it later on.
Choose Secure SSO With Granular MFA for Active Directory
Whether you’re looking for a better way to meet Salesforce’s MFA requirement, or simply want to apply MFA-enabled SSO, UserLock SSO provides frictionless access to cloud resources using your existing AD identities. Since it retains your on-premises AD for user authentication, SSO is secure, mitigating the risks on-premises AD environments encounter when shifting to a hybrid environment. And with granular MFA, you have full control over how often and under what circumstances to require MFA. So you choose the balance between security and productivity that’s right for your team.
Ready to see for yourself? Schedule a demo today to see UserLock SSO and MFA in action.