Question:
What MFA configurations are possible for each authentication method and device type in Veeva CRM, given the SFDC MFA requirement?
Answer:
Here are the different platforms users can use to access Veeva CRM, and the MFA behavior for each specific device:
- Windows
  - Windows CRM App MFA is unsupported. MFA cannot be enforced on Windows devices and is not currently prompted on the device.
- iOS
  - MFA can be prompted on iOS devices when using the "Use Custom Domain" login option.
  - MFA can also be prompted on iOS devices when using standard OAuth2.0 Authentication login, when the configuration is enabled through a Mobile Device Management (MDM) solution. For more information, see: Deploying Veeva CRM on iOS with OAuth 2.0 Support (MDM/MAM).
  - Standard (SFDC credentials), OAuth2.0, and SAML authentication methods are supported through the "Use Custom Domain" option and will prompt MFA if configured for users. For more information, see Signing In with MFA and Custom Domain.
    - Customers using SFDC credentials can only choose SFDC MFA. Customers who use SSO (OAuth2.0 or SAML) can choose SFDC MFA or their Identity provider MFA.
  - Through the standard login page, MFA will not be prompted when logging in with Standard or Delegated Authentication methods. This is against SFDC contractual requirements, as the mobile device uses the API to log in.
- Browser
  - MFA will be prompted when logging in through the browser and is part of the SFDC requirement.
  - Customers using SFDC credentials can only choose SFDC MFA. Customers who use SSO (OAuth2.0 or SAML) can choose SFDC MFA or their Identity provider MFA.
More information on SFDC and Identity provider MFA:
- MFA is now contractually required by Salesforce.
- SFDC MFA can be used with Standard Authentication (SFDC credentials/non-SSO), Delegated Authentication, OAuth2.0 Authentication, and SAML. Please see the above for specific scenarios where SFDC MFA could be used by device/authentication method.
  - Multi-Factor Authentication for User Interface Logins can be set on the profile of users or through permission sets to enable for specific types of users.
  - For SSO users using OAuth2.0 Authentication or SAML and SFDC MFA:
    - Please check the "Use Salesforce MFA for this SSO Provider" setting on the SSO configuration to enable the Salesforce MFA prompt when logging in with the desired SSO configuration. (Use Salesforce MFA for SSO)
  - For SSO users using SFDC or Identity provider MFA:
    - Set the SSO configuration as High Assurance in Session Settings.
    - Configure Disable Login with Salesforce Credentials in Single Sign-on Settings and add the Is Single Sign-on? permission to the users through their profile or permission set to ensure the user does not bypass SSO login.
- Identity provider MFA is supported with SAML and OAuth2.0 Authentication. Please see the above for specific scenarios where Identity provider MFA can be used by device/authentication method.
  - This MFA configuration is configured through the SSO provider.
  - For SSO users using SFDC or Identity provider MFA:
    - Set the SSO configuration as High Assurance in Session Settings.
    - Configure Disable Login with Salesforce Credentials in Single Sign-on Settings and add the Is Single Sign-on? permission to the users through their profile or permission set to ensure the user does not bypass SSO login.
Users can use the Salesforce Authenticator application or a Third Party Authenticator application to approve/deny MFA requests.
Warning: When enabling MFA for users signing in with the existing authentication method:
- Do not select the Multi-Factor Authentication for API Logins check box for user profiles.
- Do not set the Session Security Level Required at Login session setting to High Assurance on user profiles.
Performing either of these steps prevents the usage of Veeva CRM and potentially impacts custom integrations with Salesforce. Please note: when enabled, the above settings do not affect users who sign in with SFDC Authentication through the Custom Domain login method, or cases where the customer wants to enforce the Custom Domain login method and prevent use of the legacy username and password fields on the standard Veeva CRM login page in order to enforce MFA.
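The warning above and the SSO bypass guidance can be checked against exported profile or permission set metadata before rollout. The following is an added example, not Veeva or Salesforce tooling: it assumes profiles were retrieved as Metadata API XML and that the permission API names `TwoFactorApi`, `ForceTwoFactor` and `IsSsoEnabled` correspond to the "Multi-Factor Authentication for API Logins", "Multi-Factor Authentication for User Interface Logins" and "Is Single Sign-on?" settings; the sample profile is constructed, and the Session Security Level setting is not covered.

```python
import xml.etree.ElementTree as ET

# Namespace used by Salesforce Metadata API exports (Profile / PermissionSet).
NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Finding codes mapped to the guidance on this page.
MESSAGES = {
    "API_MFA_ENABLED": "MFA for API Logins is on: blocks Veeva CRM app logins "
                       "and may break custom integrations.",
    "SSO_BYPASS_POSSIBLE": "SSO profile lacks the Is Single Sign-on? permission: "
                           "users may still log in with Salesforce credentials.",
    "UI_MFA_NOT_SET_HERE": "MFA for User Interface Logins is not set here: confirm "
                           "it is granted by a permission set or org-wide.",
}

def enabled_permissions(metadata_xml):
    """Return the set of userPermissions names whose <enabled> is true."""
    root = ET.fromstring(metadata_xml)
    perms = set()
    for up in root.findall("md:userPermissions", NS):
        name = up.findtext("md:name", default="", namespaces=NS).strip()
        enabled = up.findtext("md:enabled", default="false", namespaces=NS)
        if name and enabled.strip().lower() == "true":
            perms.add(name)
    return perms

def audit(metadata_xml, uses_sso):
    """Return finding codes for one profile; uses_sso marks SSO-only user populations."""
    perms = enabled_permissions(metadata_xml)
    findings = []
    if "TwoFactorApi" in perms:              # first "Do not" item in the warning
        findings.append("API_MFA_ENABLED")
    if uses_sso and "IsSsoEnabled" not in perms:
        findings.append("SSO_BYPASS_POSSIBLE")
    if not uses_sso and "ForceTwoFactor" not in perms:
        findings.append("UI_MFA_NOT_SET_HERE")
    return findings

# Constructed sample export (not from a real org).
SAMPLE_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <userPermissions><enabled>true</enabled><name>ForceTwoFactor</name></userPermissions>
  <userPermissions><enabled>true</enabled><name>TwoFactorApi</name></userPermissions>
  <userPermissions><enabled>false</enabled><name>IsSsoEnabled</name></userPermissions>
</Profile>"""

if __name__ == "__main__":
    for code in audit(SAMPLE_PROFILE, uses_sso=True):
        print(f"{code}: {MESSAGES[code]}")
```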
Please refer to the Multi-Factor Authentication (MFA) Enforcement Roadmap and CRM Authentication Overview articles in the Related Documentation below for updated information regarding the auto-enablement date for MFA. This is currently scheduled for the Summer '24 Salesforce Release, which will occur between May and June 2024 for Veeva Customers.
Please refer to the Everything You Need to Know About MFA Auto-Enablement and Enforcement Salesforce article for more information on the Auto-Enablement of MFA. This will enable the Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org setting in the Identity Verification settings in Setup for your org for ALL users. This will enable SFDC MFA for users. SSO users who are using the OAuth2.0 Authentication and SAML SSO configurations are not impacted.
Related Documentation:
CRM Help Documentation:
SFDC Help Documentation:
- Salesforce Multi-Factor Authentication FAQ
- Multi-Factor Authentication Quick Guide for Admins
- How to Roll Out Multi-Factor Authentication
- Everything You Need to Know About MFA Auto-Enablement and Enforcement
- Multi-Factor Authentication (MFA) Enforcement Roadmap
- Use Salesforce MFA for SSO