Single Sign-On (SSO) allows users to securely access multiple applications and services using a single set of credentials. When a user logs in to one application, this mechanism authenticates the user and provides a token or session that can be used to access other applications without prompting for credentials again. SSO not only simplifies the user login process but also strengthens security by centralizing authentication and reducing the risk of password-related vulnerabilities. It is mature, widely used across industries and platforms, and recommended by compliance frameworks such as NIST (SP 800-53, IA-2(1)) and CIS (CIS Controls v8, 6.7).
Security and IAM teams view Salesforce as a crown jewel application because of the highly sensitive data it stores, including financial and customer information. Without Single Sign-On enforced for Salesforce, organizations face risks such as:
Configuring Single Sign-On involves enabling the integration in the Identity Provider (IdP, such as Azure Active Directory or Okta) and then enabling it in Salesforce itself.
To that end, Salesforce describes three steps:
Sounds simple enough. However, here are some of the challenges organizations face:
While the first two steps to configure SSO in Salesforce enable Single Sign-On login, only the third step enforces it. A common pitfall is stopping after the second step, which leaves a false sense of security: SSO works, but users (and anyone holding their password) can still log in directly with username and password.
Another challenge is ensuring that all new accounts actually log in through Single Sign-On. Administrators who create new users in the Salesforce console must assign them either the permission set or the profile that enforces Single Sign-On. There is no out-of-the-box capability to apply that enforcement automatically. As a result, SSO is not enforced on new users by default, leaving the risky direct-login path open. Solutions to this challenge include developing scripts or automation workflows that assign the enforcing permission set or profile whenever a user is created.
Even after completing the steps above, ensuring that Single Sign-On is still enforced for all users is not as simple as it sounds. Permission sets and profiles are dynamic objects, often updated by automated workflows or manual administrator changes. As a result, users may drift back to a state in which they are allowed to log in without Single Sign-On.
To overcome this challenge, teams need continuous posture monitoring and validation that alerts on any deviation from the Single Sign-On configuration.
One of the benefits of Single Sign-On is applying MFA protection to all applications integrated through an IdP. Organizations that enforce SSO sometimes remove the MFA requirement for logging in to Salesforce, assuming they are fully covered by the MFA from their SSO provider. As described above, without continuous monitoring, direct login can still be a valid option for attackers. If a user can log in with username and password, that login path bypasses the IdP's MFA entirely, allowing a threat actor who obtains the password to reach your sensitive information. To properly close this loophole, MFA must be required for direct logins as well. In practice this means requiring MFA on all accounts, with the challenge applied whenever a user logs in with their credentials rather than through the IdP; SSO logins are already covered by the IdP's MFA.
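The checks described in the three challenges above (enforcement versus enablement, users who were never enrolled, and the MFA loophole on direct logins) can be expressed as a small posture script. The following is an added example, not Spera's or Salesforce's own code. It runs over a constructed snapshot of users, profiles, permission sets and login history rather than calling the Salesforce API, so the field names `sso_enforced` and `mfa_ui_required` (standing in for the "Is Single Sign-On Enabled" and "Multi-Factor Authentication for User Interface Logins" user permissions), the `Enforce_SSO` permission set name and the `"Application"` login type are all assumptions; map them to your org's actual API names before wiring this to a real export.

```python
"""Posture check: is SSO actually enforced on every active Salesforce user,
and is MFA required on the direct-login path where it is not?

Added example (not Spera's or Salesforce's code). The snapshot below is
constructed; permission field names and login-type strings are assumptions.
"""
from dataclasses import dataclass, field

# Assumed LoginHistory.LoginType value for a username/password (direct) login.
DIRECT_LOGIN_TYPE = "Application"


@dataclass(frozen=True)
class Grant:
    sso_enforced: bool = False      # assumed: "Is Single Sign-On Enabled"
    mfa_ui_required: bool = False   # assumed: "MFA for User Interface Logins"


# Constructed sample: one profile enforces SSO (and MFA), the other does neither.
PROFILES = {
    "SSO Standard User": Grant(sso_enforced=True, mfa_ui_required=True),
    "Standard User": Grant(),
}
PERMISSION_SETS = {
    "Enforce_SSO": Grant(sso_enforced=True),
    "Require_MFA_Direct": Grant(mfa_ui_required=True),
    "Marketing_Reports": Grant(),
}


@dataclass
class User:
    username: str
    profile: str
    permission_sets: list = field(default_factory=list)
    active: bool = True


USERS = [
    User("alice@example.com", "SSO Standard User"),                        # enforced via profile
    User("bob@example.com", "Standard User", ["Enforce_SSO"]),             # enforced via permission set
    User("carol@example.com", "Standard User", ["Marketing_Reports"]),     # new user, never enrolled
    User("dave@example.com", "Standard User", ["Require_MFA_Direct"]),     # direct login allowed, but MFA-gated
    User("eve@example.com", "Standard User", [], active=False),            # deactivated, ignored
]

# Constructed login history rows: (username, login type, status).
LOGIN_HISTORY = [
    ("alice@example.com", "SAML Sfdc Initiated SSO", "Success"),
    ("carol@example.com", "Application", "Success"),
    ("dave@example.com", "Application", "Success"),
    ("carol@example.com", "Application", "Invalid Password"),
]


def effective_grant(user: User) -> Grant:
    """Salesforce user permissions are additive: the profile sets a baseline and
    each assigned permission set can add (never remove) a permission, so the
    effective value is the OR across the profile and all permission sets."""
    grants = [PROFILES[user.profile]] + [PERMISSION_SETS[p] for p in user.permission_sets]
    return Grant(
        sso_enforced=any(g.sso_enforced for g in grants),
        mfa_ui_required=any(g.mfa_ui_required for g in grants),
    )


def find_violations(users) -> dict:
    """Return {username: severity} for active users on whom SSO is not enforced.
    Direct login without MFA is CRITICAL (the IdP's MFA is bypassed entirely);
    direct login with MFA required is HIGH (still off-policy, but not an MFA bypass)."""
    findings = {}
    for u in users:
        if not u.active:
            continue
        g = effective_grant(u)
        if g.sso_enforced:
            continue
        findings[u.username] = "HIGH" if g.mfa_ui_required else "CRITICAL"
    return findings


def direct_logins_by_unenforced_users(users, history) -> list:
    """Cross-check against login history: successful direct logins by users who
    are not SSO-enforced are evidence that the loophole is actually being used."""
    unenforced = set(find_violations(users))
    return sorted({
        user for user, login_type, status in history
        if user in unenforced and login_type == DIRECT_LOGIN_TYPE and status == "Success"
    })


def remediation_plan(users, permission_set="Enforce_SSO") -> list:
    """(username, permission set) assignments an automation job would create so
    that newly created or drifted users get SSO enforced. Assumes 'Enforce_SSO'
    is the org's enforcing permission set."""
    return [(u.username, permission_set)
            for u in users if u.active and not effective_grant(u).sso_enforced]


if __name__ == "__main__":
    for name, severity in find_violations(USERS).items():
        print(f"{severity}: SSO not enforced for {name}")
    print("Direct logins observed:", direct_logins_by_unenforced_users(USERS, LOGIN_HISTORY))
    print("Remediation:", remediation_plan(USERS))
```

Run on a schedule against a fresh export of users, profiles, permission set assignments and login history, and alert on any non-empty `find_violations` result; the `direct_logins_by_unenforced_users` cross-check separates "misconfigured but unused" from "misconfigured and actively logged in to", which is what an on-call responder needs first.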
In some organizations, Salesforce is managed by IT personnel (such as a Salesforce Administrator). Often CISOs and their teams do not have the permissions required to gain visibility into Salesforce, or the domain knowledge needed to understand the Salesforce access model.
A solution for this challenge is having an identity posture tool that lets security teams use a “trust but verify” approach to managing this critical asset.
Security and IAM teams must be able to continuously evaluate the impact of their Single Sign-On project, preventing blind spots and misconfigurations. Organizations must employ solutions and processes that give visibility into both the identity provider and crown jewel applications such as Salesforce. They must be able to continuously monitor changes to the organization's identities and to the assignment of permissions, to validate that Single Sign-On enforcement applies to every Salesforce user. Organizations must also validate that, wherever SSO is not enforced, MFA is properly configured and required when a user logs in with their credentials.
Spera Security enables organizations to successfully implement their SSO deployments for critical applications such as Salesforce and other business critical solutions.