How to login to Salesforce?

Obvious, right? Go to login page, enter name and password and you are done.

At the same time I would say this is THE area which separate small implementations from the bigger one. What is possible, what we need to do?

Name and password

Go to Salesforce website and top right corner. Or go to login.salesforce.com and some clicks. Or go to your specific domain and login there (remember the last tip?)

Single Sign-On (or Social Sign-On)

For this one and most of the following you need to have My Domain (see previous tip). When you setup all the different networks you can use for login you return to My Domain configuration and select which one should be available to users.

Name and password plus Google login

If you take the easy approach, Salesforce has already support for Google, Facebook, LinkedIn, Twitter and a few more. Go to the Auth. Providers section in the setup, select the right network and fill-in just the name.

As a second step users need to link their Salesforce account to the social account – just send them the link you will get when you save the provider. Or you can update the registration handler of the provider and it can do it for them.

 
//TODO:This autogenerated class includes the basics for a Registration
//Handler class. You will need to customize it to ensure it meets your needs and
//the data provided by the third party.

global class AutocreatedRegHandler1546635871775 implements Auth.RegistrationHandler{
global User createUser(Id portalId, Auth.UserData data){
       //Returning null or throwing an exception fails the SSO flow

// get user record based on their email
       String email = data.email;
       if (email == null) return null;
       User u;
       try {
           u = [SELECT Id, FirstName, LastName, Email, Username FROM User WHERE email = :email];
        } catch (Exception e){
               return null;
        }
        return u;
}

global void updateUser(Id userId, Id portalId, Auth.UserData data){
    // update basic user info based from the identity provider
User u = new User(id=userId);
    u.lastName = data.lastName;
    u.firstName = data.firstName;
    update(u);
}
}

As a final step you can ask support do enable you a Delegated Authentication setting, which ultimately means that you can force users to use their social login (you just enable the Is Single Sign-On User permission).

And this thing brings a lot of great questions like who will create users, will they be auto created during first login (JIT provisioning) or you will sync their accounts with your internal system (for Active Directory you can use the Identity Connect) and much more.

Lightning Login

Just imagine to login without entering password. That’s it, just install the right app on your mobile phone, enter your login name on login page and just confirm it on your mobile phone. Done.

This feature come in Winter ’17 and it works in Classic as well. The setting is pretty easy, see Johan’s article.

Salesforce Authenticator or 2FA

Two factor authentication (2FA) is now-a-days recommended everywhere and if your system doesn’t support it, it looks strange. Salesforce has an application called Salesforce Authenticator, which you can install on your mobile phone, connect with your account and you are done. This feature works with all previous variants, just doesn’t make sense with Lightning Login. The application can remember your secure locations and automatically login you when your phone is there.

Salesforce Authenticator

Onetime password

Almost the same variant as before, for this one you can use any 2FA application such as Google Authenticator. You can connect it with your accoutn on the same page, you just don’t have the benefit of auto-login from known location.

Passwordless Login

Only for Community Cloud users, new from Summer ’18. Instead of username and password the user enters what he knows – email address or phone number. Then he will get onetime code which he enters and is logged-in.

Passwordless login

Implementation needs a bit of development, but nothing major.

Certificate

One of the newest addition (Spring ’19), also the „highest“ level of security, when even banks use it.

Just enable it in setup, upload certificates for users and add this way to login page.

Which way do you use?

Did you learn something new? Did you decide to enable something new? Which way do you use? Your users might hate you for 2FA (unless you use the secure location setting as well), there might be no difference when using SSO (as they use remembered password in browser), but your security will thank you.

Think about it and make sure that your instance is secure!

Leave a Reply