Authentication Overview

To allow users to sign in quickly and reduce authentication errors, the Veeva CRM app supports the following authentication methods:

Session Management

For offline (mobile) devices, each customer configures their own security policy, including session expiration, in their Salesforce org. When end users download and sign into the Veeva CRM app, they provide their credentials. The CRM app logs into Salesforce using the credentials.

Users of offline (mobile) devices can access certain CRM functionality without an internet connection or an established connection to Salesforce. However, a valid Salesforce session is required to sync data.

Each time the CRM app accesses data in Salesforce, the application needs a valid Salesforce session to query that data. If the application does not have a valid session, it uses the local user’s credentials to establish a new Salesforce session.

If the session expires based on the configured session timeout in Salesforce, the application attempts to reconnect using the cached credentials. This allows the application to automatically send data to Salesforce or access modules that require an internet connection without prompting the user to sign in again.

If a user signs out of the CRM app while on an offline (mobile) device, the Salesforce session expires and the user is signed out.

If a password changes or is expired, the offline (mobile) application cannot establish a valid Salesforce session; the user needs to go online to update their password in Salesforce. The next time the CRM app tries to connect with Salesforce on the offline (mobile) device, the user is prompted to enter the new credentials. Once signed in with a successful connection, the new credentials are written to the respective local data stores.

See OAuth for more information.

See Delegated Authentication for more information.

Requiring Multi-Factor Authentication for Salesforce

Beginning in Q2 2023 (originally February 2022) Salesforce will require customers to enable multi-factor authentication (MFA) in order to directly sign in to Salesforce. MFA is available at no extra cost and provides the highest level of security for Veeva CRM. See the Salesforce announcement for more information.

If customers enable MFA for their SSO identity providers, they do not need to enable Salesforce's MFA for their SSO users.

Veeva CRM was reviewed and tested with Salesforce MFA enabled. Veeva CRM on Browser, iOS, Windows, and WeChat platforms all support MFA without configuration changes.

To enforce MFA on iOS platforms, see Signing In with MFA and Custom Domain for more information.

When enabling MFA for users signing in with the existing authentication method, do not perform the following steps: Select the Multi-Factor Authentication for API Logins check box for user profilesSet the Session Security Level Required at Login session setting to High Assurance on user profiles Performing either of these steps prevents usage of Veeva CRM and potentially impacts custom integrations with Salesforce. This does not affect users signing in with the Use Custom Domain link.

After MFA is enabled, Veeva CRM users must complete an MFA challenge when signing in, depending on the platform and authentication method. The MFA challenge is a secondary method of verification to provide an extra layer of protection. The following table specifies which supported platforms and authentication methods require users to complete an MFA challenge:

Federated authentication is not supported on the Windows Tablet platform and federated SAML authentication is not supported on iOS platforms.

MFA Challenge Required?
  Standard Authentication Federated (SAML) Delegated Authentication Federated (OAuth)
Browser
Custom Domain Authentication (iOS)
Mobile (iOS) n/a
Mobile (Windows) n/a n/a