Top five challenges of enforcing single sign-on in Salesforce

Ehud Blum, Sr. Engineer at Spera Security
October 25, 2023

Importance of Single Sign-On

Single Sign-On (SSO) allows users to securely access multiple applications and services using a single set of credentials. When a user logs in to one application, this mechanism authenticates the user and provides a token or session that can be used to access other applications, without requiring additional credentials. SSO not only simplifies the user login process but also strengthens security by centralizing authentication and reducing the risk of password-related vulnerabilities. It is robust and widely used in various industries and platforms and is recommended by compliance frameworks such as NIST (SP-800-53, IA-2(1)) and CIS (CIS Controls V8 6.7).

Risks of non-Single Sign-On access to Salesforce

Security and IAM teams view Salesforce as a crown jewel application due to the highly sensitive data it stores, including financial and customer information. Without Single Sign-On access to Salesforce, organizations face risks such as:

  1. A terminated employee may log in with their credentials to exfiltrate data or cause harm.
  2. A threat actor looking for sensitive information or planning a ransomware attack may use credential stuffing or leaked passwords to log in.

Challenges organizations face when enforcing SSO in Salesforce

Configuring Single Sign-On involves enabling the integration in the Identity Provider (IdP - such as Azure Active Directory or Okta) and then enabling it in Salesforce itself.

To that end, Salesforce describes three steps:

  1. Disable direct logins through login.salesforce.com.
  2. Disable logins using Salesforce credentials.
  3. Enable SSO at the profile level or assign this permission individually.

Sounds simple enough. However, here are some of the challenges organizations face:

1. Lack of Single Sign-On enforcement

While the first two steps to configure SSO in Salesforce enable Single Sign-On login, only the third step enforces it. A common pitfall is not completing the third step, resulting in a false sense of security while users can still log in directly with their credentials.

2. Enforcing SSO login on new users

Another challenge is ensuring that all new accounts actually log in through Single Sign-On. Administrators using the Salesforce console to create new users must enroll them with either the permission set or the profile that enforces Single Sign-On. There is no out-of-the-box capability to auto-enforce it. As a result, SSO is not automatically enforced on new users, leaving a risky direct login method available. Solutions to this challenge include developing scripts or automation workflows.

3. Keeping enforcement in place

Even after completing the steps above, ensuring that Single Sign-On is still applied to all users is not as simple as it sounds. Permission sets and profiles are dynamic objects, often updated by automated workflows or manual administrator changes. As a result, users may still be allowed to log in without Single Sign-On.
To overcome this challenge, teams need continuous posture monitoring and validation that alerts on violations of the Single Sign-On configuration.
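As an added example (not code from the original post or from Spera), here is a small posture check of the kind the automation in challenge 2 and the continuous monitoring in challenge 3 call for: it takes records shaped like the results of SOQL queries on User, PermissionSet and PermissionSetAssignment and lists active users whose profile and assigned permission sets do not grant the "Is Single Sign-On Enabled" permission. The API field names (PermissionsIsSsoEnabled, IsOwnedByProfile) are assumptions about the Salesforce data model, and the records are constructed sample data.

```python
"""Posture check: which active Salesforce users can still log in without SSO?

A user is SSO-enforced when the "Is Single Sign-On Enabled" permission is
granted by their profile or by any assigned permission set. Assumption: in
the Salesforce API this is the boolean PermissionsIsSsoEnabled on
PermissionSet, and profiles expose it via the PermissionSet row that has
IsOwnedByProfile = true. All records below are constructed sample data.
"""

# Constructed: profile-owned PermissionSet rows plus one stand-alone set.
PERMISSION_SETS = [
    {"Id": "0PS1", "IsOwnedByProfile": True, "ProfileId": "00e1", "PermissionsIsSsoEnabled": True},
    {"Id": "0PS2", "IsOwnedByProfile": True, "ProfileId": "00e2", "PermissionsIsSsoEnabled": False},
    {"Id": "0PS3", "IsOwnedByProfile": False, "ProfileId": None, "PermissionsIsSsoEnabled": True},
]
# Constructed: PermissionSetAssignment rows (stand-alone sets only).
ASSIGNMENTS = [{"AssigneeId": "005B", "PermissionSetId": "0PS3"}]
# Constructed: User rows, including one deactivated account.
USERS = [
    {"Id": "005A", "Username": "alice@example.com", "ProfileId": "00e1", "IsActive": True},
    {"Id": "005B", "Username": "bob@example.com", "ProfileId": "00e2", "IsActive": True},
    {"Id": "005C", "Username": "carol@example.com", "ProfileId": "00e2", "IsActive": True},
    {"Id": "005D", "Username": "dave@example.com", "ProfileId": "00e2", "IsActive": False},
]


def sso_enforcing_sets(permission_sets):
    """Return (profile ids, stand-alone permission-set ids) that enforce SSO."""
    profiles = {p["ProfileId"] for p in permission_sets
                if p["IsOwnedByProfile"] and p["PermissionsIsSsoEnabled"]}
    sets = {p["Id"] for p in permission_sets
            if not p["IsOwnedByProfile"] and p["PermissionsIsSsoEnabled"]}
    return profiles, sets


def users_without_sso(users, permission_sets, assignments):
    """Active users not SSO-enforced by profile or by any assigned permission set."""
    profiles, sets = sso_enforcing_sets(permission_sets)
    assigned = {}  # AssigneeId -> set of PermissionSetId
    for a in assignments:
        assigned.setdefault(a["AssigneeId"], set()).add(a["PermissionSetId"])
    return sorted(u["Username"] for u in users
                  if u["IsActive"]
                  and u["ProfileId"] not in profiles
                  and not (assigned.get(u["Id"], set()) & sets))


if __name__ == "__main__":
    for name in users_without_sso(USERS, PERMISSION_SETS, ASSIGNMENTS):
        print("SSO not enforced:", name)  # alerts on carol@example.com only
```

Run on a scheduled basis against fresh query results, a non-empty list is the alert condition; a newly created user whose profile lacks the permission shows up on the next run.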

4. Non-MFA logins

One of the benefits of Single Sign-On is applying MFA protection to all applications integrated through an IdP. Organizations that enforce SSO sometimes remove the MFA requirement for logging into Salesforce, assuming they are fully covered by the MFA of their SSO provider. As described above, without continuous monitoring, direct login can remain a valid option for attackers. If a user can log in with their Salesforce credentials, they bypass the IdP's MFA entirely, allowing a threat actor who holds those credentials to reach your sensitive information. To properly close this loophole, MFA must be required when logging in directly. This configuration requires enforcing MFA on all accounts, while only prompting for it when a user logs into the system with their credentials rather than through SSO.

5. Lack of visibility

In some organizations, Salesforce is managed by IT personnel (such as a Salesforce Administrator). Often CISOs and their teams do not have the required permissions to gain visibility to Salesforce, or the professional knowledge to understand the Salesforce access model.
A solution for this challenge is having an identity posture tool that lets security teams use a “trust but verify” approach to managing this critical asset.

Next Steps

Security and IAM teams must be able to continuously evaluate the impact of their Single Sign-On project, preventing blind spots and misconfigurations. Organizations must employ solutions and processes to gain visibility into both the identity provider and crown jewel applications such as Salesforce. They must be able to continuously monitor changes in the organization's identities and in the assignment of permissions, to validate that the Single Sign-On project applies to all Salesforce users. Organizations must also validate that MFA is properly configured and required when a user logs in with their credentials where SSO is not enforced.

Spera Security enables organizations to successfully implement their SSO deployments for critical applications such as Salesforce and other business critical solutions.
