Before you go out and start configuring Multi-Factor Authentication (MFA), you need to ask yourself a few questions. Depending on what your business has done in the past and on which tools and Salesforce products your company uses, the path to enabling MFA will be different. Keep in mind that your organization’s requirements may be complicated; there is no one-size-fits-all solution. If you’re not sure whether you have MFA implemented and meet the Salesforce requirements for the February 2022 deadline, use the questions below as a guide.
Do I have an IdP?
First things first, what is an IdP? An IdP, or Identity Provider, is the service that verifies you are who you say you are. Companies use this service as a layer of identification for users logging into the system. IdPs can support both Single Sign-On (SSO) and MFA verifications. Examples of IdPs are Microsoft Azure Active Directory, Okta, Google, and even Salesforce. All of these options provide identity services, and all have SSO and MFA available to you.
If you’re not sure if you have an IdP, check out Salesforce’s Multi-Factor Authentication Assistant, which will walk you through your org configurations to figure that out.
We recommend that SSO and MFA are both enabled where possible as it will simplify your users’ experiences with the same username/password + MFA combination for all products (including outside Salesforce). But if you do not want to enable SSO, you must still enable MFA. Check out the Salesforce MFA FAQ for more info on what user, login, and environment types require MFA.
In Salesforce, it is recommended not to use SSO for the Standard System Admin profile; instead, use only MFA, which can be handled by Salesforce or your third-party IdP. Implementing MFA without SSO for System Admin profiles is a simple set of steps, which we will discuss in an article later in this series.
If you use a third-party IdP for your multi-factor authentication, Salesforce will not validate that you have MFA enabled on your IdP. It is up to you to comply, as your Salesforce contract Terms of Service require you to do so.
What if I don’t have an IdP?
That’s ay-okay! No need to fear, Salesforce is here. If you do not have or do not use an IdP, the next question to ask yourself is: do we use Lightning Login? Lightning Login means that Salesforce is doing that second verification step for you; they are the identity provider. Not many people have configured Lightning Login yet, but if you did, you’re done and you’re good to go!
If you aren’t using Lightning Login, that’s ay-okay too. Just check if you have MFA enabled using the Multi-Factor Authentication Assistant. If you do, you’re good to go! If not, now is the time to enable MFA. Do not wait until January 2022 to set up MFA; things will break if you don’t have a strategy for rollout, testing, and enforcement. You can check out Salesforce’s MFA quick guide for admins, and you can also stay tuned for another Red Argyle article coming soon with more of those nitty-gritty details.
Integrations and Connected Apps
Always keep in mind that, depending on what integrations and connected apps you have, there may be an impact on MFA implementation. If MFA is set up improperly, users can experience authentication problems with their connected apps, logins, and verification, as well as other failures like broken integrations. We’ll do a deep dive on how to anticipate these issues, configure and test, and train your team on how to respond and resolve them in a later article.