
Steps to Prompt Users to Login with Federated SSO in Salesforce
We saw how to log in to Salesforce using federated authentication in my last blog:
Federated Authentication Using SAML to Log in to Salesforce Org
To stop users from logging in through the standard Salesforce login page and force them through the federated SSO flow, follow the steps below:
Don’t forget to check out: Salesforce to Salesforce SSO using Authentication Provider
1) Go to Setup and search for 'Domain Management' in the Quick Find box. Click 'My Domain' and enable it. Follow the instructions to set up My Domain and deploy it to users. Domain name registration may take up to 48 hours and the process is not reversible. Once the domain name is registered, under 'My Domain Settings' set the 'Login Policy' and check the 'Prevent login from https://login.salesforce.com' checkbox. See the image below for reference.
Under Authentication Configuration, set the Authentication Service to <your SSO Settings name>. In my case it is 'SSOAxiom'. See the image below.
2) Single Sign-On Settings: set the 'Identity Provider Login URL' to the identity provider URL that users will be redirected to for login. Then set the 'Entity Id' to your My Domain URL, including the https:// scheme. See the image below.
If you now try to log in through the standard Salesforce login page, you will be refused, because you prevented that in the My Domain settings. To log in, copy the 'Salesforce Login URL' from the SSO settings and paste it into the browser. Salesforce asks you to Continue and then redirects you to the Identity Provider Login URL configured in the SSO settings. Fill in the entries as in the previous blog; this time the Entity Id is your <domain name>, exactly as provided in the SSO Settings. See the image below.
Now click the 'Request SAML Response' button and the formatted SAML response page is shown. Nothing needs to be changed on this page. Click the Login button and you are logged into Salesforce. To troubleshoot login errors, go through my last blog on Federated Authentication.
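Most login failures after this change come from a mismatch between what the identity provider puts in the SAML response and what is configured in the SSO settings (Entity Id, Salesforce Login URL, issuer). The following is an added example, not code from this post or from Salesforce: an offline checker that parses a SAML response and reports those mismatches plus an expired or not-yet-valid assertion. Every URL, the Org Id in the login URL and the sample response are constructed placeholders; the real values come from your own SSO Settings page and from a response captured in the browser.

```python
"""Offline sanity check of a SAML Response against the values configured in
Salesforce Single Sign-On Settings. Example code added to this post, not
Salesforce's or the identity provider's own. All URLs, the Org Id and the
sample response are constructed placeholders."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Placeholders standing in for what the SSO Settings page shows (assumed, not real).
ENTITY_ID = "https://example-dev-ed.my.salesforce.com"                      # 'Entity Id' (My Domain URL with https)
SF_LOGIN_URL = "https://example-dev-ed.my.salesforce.com?so=00D000000000000"  # 'Salesforce Login URL'
IDP_ISSUER = "https://idp.example.test/saml"                                # issuer string the IdP sends


def parse_saml_time(value):
    """SAML timestamps are UTC ISO-8601 ending in 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, now, entity_id=ENTITY_ID,
                        login_url=SF_LOGIN_URL, idp_issuer=IDP_ISSUER):
    """Return a list of mismatches between the response and the SSO settings.
    An empty list means the values line up. This does NOT verify the XML
    signature; Salesforce checks that with the IdP certificate you upload."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return [f"root element is {root.tag}, not a samlp:Response"]

    # Destination must be the Salesforce Login URL copied from SSO Settings.
    dest = root.get("Destination")
    if dest != login_url:
        problems.append(f"Destination {dest!r} != Salesforce Login URL {login_url!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["response carries no saml:Assertion"]

    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp_issuer:
        problems.append(f"Issuer {issuer!r} != configured identity provider {idp_issuer!r}")

    # The Audience must equal the Entity Id; a stale Audience is the usual
    # cause of failed logins after the Entity Id is changed to the My Domain URL.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include Entity Id {entity_id!r}")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before):
            problems.append("assertion not yet valid (check clock skew between IdP and Salesforce)")
        if not_on_or_after and now >= parse_saml_time(not_on_or_after):
            problems.append("assertion expired")
    return problems


# Constructed sample response (unsigned, trimmed to the fields checked above).
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="{SF_LOGIN_URL}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for line in check_saml_response(SAMPLE_RESPONSE, SAMPLE_NOW) or ["response matches SSO settings"]:
        print(line)
```

Paste a decoded SAML response from the browser into `SAMPLE_RESPONSE` (or read it from a file) and replace the three placeholder constants with the values from your SSO Settings page; each reported line names the setting that disagrees. The checker only compares fields, so a clean result still depends on Salesforce validating the signature against the uploaded identity provider certificate.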
This is a great article and we found it enormously helpful. One issue I ran into just now: a user who knows their username can still click "Forgot Password" and get a password reset email sent to them. Certainly there must be a setting we are missing somewhere in our setup that allows a user to do this despite being set up to use Single Sign-On? Would appreciate any feedback or insight you have!
Hey Allyn,
This article is about restricting users to log in from your 'My Domain' URL. If you have set up everything according to the blog, then it will automatically redirect you to the "Identity Provider Login URL" whenever a user tries to log in from the 'My Domain' URL. So the forgot password option will not be there.