Rocky Reyes

Salesforce SAML integration - Getting users to buy in

I am about to implement Salesforce SAML in our Okta environment. Our Salesforce admins and I have successfully tested within the Salesforce sandbox. They say that I can go ahead as long as users can still log in directly to Salesforce without Okta.

I have to explain to them that this will no longer be an option, as the user will be directed to the Okta login page.

Has anyone completed this implementation? How else can I put their minds at ease? I'm just looking for some tips and maybe hard evidence to throw their way. This may be more of a change management/culture issue.

Thanks!
Okta Admin

Hi Rocky,

Allowing users to have access to the SFDC login page partly defeats the purpose of SSO; however, technically it is feasible, as there is always a backdoor entry or bypass-SSO option for most applications so that admins can log in and troubleshoot any SSO-related issues.

The URL below gives access to the SFDC login page even after SSO is enabled:

https://<<customdomain>>.my.salesforce.com/?login

Best Regards,
Viswanath

Rocky Reyes
Hi Viswanath,

I totally agree that a backdoor entry for all users defeats the purpose of SSO. In fact, I would like to "force" users to only go through Okta to log in to SFDC in order to leverage MFA and other features. Can I grant access to the backdoor SFDC login page to the admin only, but have all other users redirect to Okta?

My concern is getting the SFDC users and admins to steer away from the need to bypass Okta. I am just looking for some assistance in the form of white papers or other testimony proving that the SFDC SAML login is proven and stable.
Can you point me in that direction?

If any other community members have implemented SFDC SAML, I would love to hear about your trials and tribulations.

Thanks!
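
An added example, not part of the original thread: one way to check whether the direct login page is being used only by the admins allowed to bypass Okta is to audit Salesforce login history for non-SAML logins. The CSV column names, the "Login Type" values, the sample rows and the allow-list below are assumptions made for illustration; match them to your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample shaped like a Salesforce Login History CSV export.
# Column names and "Login Type" values are assumptions; match them to your export.
SAMPLE_CSV = """\
Username,Login Time,Source IP,Login Type,Status
alice@example.com,2024-05-01T08:02:11Z,198.51.100.10,SAML Idp Initiated SSO,Success
sfadmin@example.com,2024-05-01T09:15:40Z,198.51.100.11,Application,Success
bob@example.com,2024-05-01T09:46:12Z,203.0.113.7,Application,Invalid Password
bob@example.com,2024-05-01T09:47:03Z,203.0.113.7,Application,Success
carol@example.com,2024-05-01T10:05:29Z,198.51.100.12,SAML Sfdc Initiated SSO,Success
"""

SSO_LOGIN_TYPES = {"SAML Idp Initiated SSO", "SAML Sfdc Initiated SSO"}
# Hypothetical allow-list: break-glass admins (and any integration accounts).
DIRECT_LOGIN_ALLOWED = {"sfadmin@example.com"}


def find_sso_bypass(csv_text, allowed=DIRECT_LOGIN_ALLOWED):
    """Return login rows that skipped SAML and belong to non-allow-listed users."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["Username"].strip().lower()
        if row["Login Type"].strip() in SSO_LOGIN_TYPES:
            continue  # arrived via the IdP, so its sign-on policy and MFA applied
        if user in allowed:
            continue  # expected use of the direct login page
        # Failed attempts are kept too: they show who is trying the bypass.
        findings.append({"user": user, "time": row["Login Time"],
                         "ip": row["Source IP"], "type": row["Login Type"],
                         "ok": row["Status"].strip() == "Success"})
    return findings


def summarize(findings):
    """Count direct-login attempts per user, split by outcome."""
    counts = defaultdict(lambda: {"success": 0, "failed": 0})
    for f in findings:
        counts[f["user"]]["success" if f["ok"] else "failed"] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, c in summarize(find_sso_bypass(SAMPLE_CSV)).items():
        print(f"{user}: {c['success']} successful, {c['failed']} failed direct logins")
```
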
api-workday api-workday
Hi Rocky, we have certainly faced our share of headwinds but we had the luxury of going live with Salesforce already having Okta in place so our adoption didn't require a relearning.

That said, I would use the following features as the incentive:
  • Provisioning features of Okta->Salesforce
  • Desktop SSO if you leverage IWA
  • Granular MFA policies (who/where) with adaptive on the horizon
  • Centralized control, especially when tying back to an AD group structure

We leverage delegated authentication to provide Okta-based (AD ultimately) authentication to someone that decides they want to log in through the Salesforce login page. This also serves to provide a consistent authentication experience for users of mobile applications or other thick client authentication flows.

We've had a global workforce of ~4k using Salesforce with SSO through Okta for several years with no real issues to speak of.

-Matt
Rocky Reyes
Thanks for your input Matt, I really appreciate it. Several users are already using Okta and Salesforce through SWA, so I think this should help ease things.

Cheers!