Authentication Overview
To allow users to sign in quickly and reduce authentication errors, the Veeva CRM app supports the following authentication methods:
- Delegated Authentication for Veeva CRM via MDM – Allows users on iPad or iPhone to sign in to Veeva CRM with third-party authentication
- OAuth 2.0 Authentication for Veeva CRM – Allows users on iPad, iPhone, or Browser to sign in to Veeva CRM with OAuth 2.0
- Touch ID and Face ID Authentication – Allows users on iPad or iPhone to sign in to Veeva CRM with fingerprint or facial authentication
Session Management
For offline (mobile) devices, each customer configures their own security policy, including session expiration, in their Salesforce org. When end users download and sign in to the Veeva CRM app, they provide their credentials. The CRM app then logs in to Salesforce using those credentials.
Users of offline (mobile) devices can access certain CRM functionality without an internet connection or an established connection to Salesforce. However, a valid Salesforce session is required to sync data.
Each time the CRM app accesses data in Salesforce, the application needs a valid Salesforce session to query that data. If the application does not have a valid session, it uses the local user’s credentials to establish a new Salesforce session.
If the session expires based on the configured session timeout in Salesforce, the application attempts to reconnect using the cached credentials. This allows the application to automatically send data to Salesforce or access modules that require an internet connection without prompting the user to sign in again.
If a user signs out of the CRM app while on an offline (mobile) device, the Salesforce session expires and the user is signed out.
If a password changes or expires, the offline (mobile) application cannot establish a valid Salesforce session; the user needs to go online to update their password in Salesforce. The next time the CRM app tries to connect with Salesforce on the offline (mobile) device, the user is prompted to enter the new credentials. Once the user signs in and the connection succeeds, the new credentials are written to the respective local data stores.
See OAuth for more information.
See Delegated Authentication for more information.
Requiring Multi-Factor Authentication for Salesforce
Salesforce has announced that with their Spring '24 release, they will require multi-factor authentication (MFA) for all direct UI logins to your Salesforce orgs. The Spring '24 release rolls out between January 12 and February 10, 2024.
MFA is available at no extra cost and provides the highest level of security for Veeva CRM. See the Salesforce announcement for more information.
Veeva CRM was reviewed and tested with Salesforce MFA enabled. Veeva CRM on Browser, iOS, Windows, and WeChat platforms all support MFA without configuration changes.
To enforce MFA on iOS platforms, see Signing In with MFA and Custom Domain for more information.
When enabling MFA for users signing in with the existing authentication method, do not perform the following steps:
- Select the Multi-Factor Authentication for API Logins check box for user profiles
- Set the Session Security Level Required at Login session setting to High Assurance on user profiles
Performing either of these steps prevents usage of Veeva CRM and potentially impacts custom integrations with Salesforce. This does not affect users signing in with the Use Custom Domain link.
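The following check is an added example, not Veeva or Salesforce code: it scans retrieved profile metadata for the two settings this section says not to apply. It assumes the Salesforce Metadata API names TwoFactorApi (the Multi-Factor Authentication for API Logins permission) and requiredSessionLevel with the value HIGH_ASSURANCE; the XML is constructed sample input and the "Field Rep" profile is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample metadata for a hypothetical "Field Rep" profile (not from a real org).
RISKY_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <userPermissions><enabled>true</enabled><name>TwoFactorApi</name></userPermissions>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
</Profile>"""
RISKY_SESSION = """<ProfileSessionSetting xmlns="http://soap.sforce.com/2006/04/metadata">
  <profile>Field Rep</profile>
  <requiredSessionLevel>HIGH_ASSURANCE</requiredSessionLevel>
</ProfileSessionSetting>"""
# Constructed counterpart with neither setting applied.
SAFE_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <userPermissions><enabled>false</enabled><name>TwoFactorApi</name></userPermissions>
</Profile>"""


def api_mfa_enabled(profile_xml):
    """True if the profile enables MFA for API logins (assumed name: TwoFactorApi)."""
    root = ET.fromstring(profile_xml)
    for perm in root.findall("sf:userPermissions", NS):
        name = perm.findtext("sf:name", default="", namespaces=NS).strip()
        enabled = perm.findtext("sf:enabled", default="false", namespaces=NS).strip()
        if name == "TwoFactorApi" and enabled.lower() == "true":
            return True
    return False


def high_assurance_at_login(session_xml):
    """True if the profile session setting requires High Assurance at login."""
    root = ET.fromstring(session_xml)
    level = root.findtext("sf:requiredSessionLevel", default="", namespaces=NS)
    return level.strip() == "HIGH_ASSURANCE"


def audit(profile_xml, session_xml=None):
    """Return the settings found that this section says prevent usage of Veeva CRM."""
    findings = []
    if api_mfa_enabled(profile_xml):
        findings.append("Multi-Factor Authentication for API Logins is enabled")
    if session_xml is not None and high_assurance_at_login(session_xml):
        findings.append("Session Security Level Required at Login is High Assurance")
    return findings


if __name__ == "__main__":
    for label, prof, sess in [("Field Rep", RISKY_PROFILE, RISKY_SESSION),
                              ("Safe", SAFE_PROFILE, None)]:
        print(label, audit(prof, sess) or "OK")
```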
Enabling Multi-Factor Authentication for SSO
If customers enable MFA for their SSO identity providers, they do not need to enable Salesforce's MFA for their SSO users.
Some customers have reported that while their users can successfully log into Veeva CRM on their iOS devices using SSO with the MFA challenge of their identity provider, they are still being prompted to activate the Salesforce Authenticator when choosing to Go Online from the app. Salesforce recommends enabling the Waive Multi-Factor Authentication for Exempt Users permission as a temporary workaround when users are prompted for an additional MFA step for SSO login through a mobile app, even when the org complies with the MFA requirement by enabling MFA for the SSO provider.
Completing Multi-Factor Authentication Challenges
After MFA is enabled, Veeva CRM users must complete an MFA challenge when signing in, depending on the platform and authentication method. The MFA challenge is a secondary method of verification to provide an extra layer of protection. The following table specifies which supported platforms and authentication methods require users to complete an MFA challenge:
OAuth and Custom Domain are not supported on the Windows Tablet platform. Federated SAML authentication is supported on iOS platforms when using Custom Domain.
| Platform | Authentication Method | Supported MFA Methods |
|---|---|---|
| Windows | Any | MFA not supported |
| iOS | | MFA not supported |
| | SSO via OAuth 2.0 | |
| | SSO via Custom Domain | |
| | Salesforce credentials via Custom Domain | Salesforce MFA |
| Browser | Salesforce credentials | Salesforce MFA |
| | SSO via OAuth 2.0 or Custom Domain | |