Authentication Overview

To allow users to sign in quickly and reduce authentication errors, the Veeva CRM app supports the following authentication methods:

Session Management

For offline (mobile) devices, each customer configures their own security policy, including session expiration, in their Salesforce org. When end users download and sign into the Veeva CRM app, they provide their credentials. The CRM app logs into Salesforce using the credentials.

Each time the CRM app accesses data in Salesforce, the application needs a valid Salesforce session to query that data. If the application does not have a valid session, it uses the local user’s credentials to establish a new Salesforce session.

If the session expires based on the configured session timeout in Salesforce, the application attempts to reconnect using the cached credentials. This allows the application to automatically send data to Salesforce or access modules that require an internet connection without prompting the user to sign in again.

If a user signs out of the CRM app while on an offline (mobile) device, the Salesforce session expires and the user is signed out.

If a password changes or is expired, the offline (mobile) application cannot establish a valid Salesforce session; the user needs to go online to update their password in Salesforce. The next time the CRM app tries to connect with Salesforce on the offline (mobile) device, the user is prompted to enter the new credentials. Once signed in with a successful connection, the new credentials are written to the respective local data stores.

See OAuth for more information.

See Delegated Authentication for more information.

Requiring Multi-factor Authentication for Salesforce

Beginning on February 1, 2022, Salesforce requires customers to enable multi-factor authentication (MFA) in order to access Salesforce. MFA is available at no extra cost and provides the highest level of security for Veeva CRM. See the Salesforce announcement for more information.

Veeva CRM was reviewed and tested with Salesforce MFA enabled. Veeva CRM on Online, iOS, Windows, and WeChat platforms all support MFA without configuration changes.

Users who sign in with delegated authentication using Ping Identity must use Salesforce Authenticator. Veeva is still researching if third-party authenticator applications (for example, Google Authenticator) work with MFA.

When configuring MFA, do not select the Multi-Factor Authentication for API Logins check box for user profiles. Selecting this check box prevents usage of Veeva CRM and potentially impacts custom integrations with Salesforce.