Signing In with MFA and Custom Domain

  • iPad
  • iPhone

Customers can enforce multi-factor authentication and enable a wide range of single sign-on (SSO) solutions without using MDM, including OAuth 2.0 and SAML. iPad and iPhone users can also sign in to Veeva CRM using a custom domain. This ensures a familiar and consistent sign-in experience for users across platforms.

For example, Verteo BioPharma uses SSO with Ping and wants to enforce MFA for their users. An admin configures MFA for Ping and requires users to sign in with the Use Custom Domain link. Sarah Jones, a user for Verteo BioPharma, launches Veeva CRM and selects the Use Custom Domain link. She enters the Salesforce sign-in URL and signs in with her SSO credentials. The MFA challenge displays. Once she completes the challenge and verifies her identity, the home page displays.

Alternatively, Sarah Jones launches Veeva CRM and selects the Use Custom Domain link. She enters Verteo BioPharma’s My Domain name in the custom domain field and selects Next. The My Domain login page with the Verteo BioPharma logo displays in the embedded browser. Sarah enters her credentials and signs in.

Considerations

  • Users must have an active internet connection
  • For users who are capturing consent, the lock icon on the Consent Capture page does not display

Managing User Profiles for Custom Domain Sign-In

The Use Custom Domain link always displays on the login page. Any user can view and select the link. However, customers may want to allow only specific user profiles to sign in with the Use Custom Domain link.

To only allow specific user profiles to sign in from the Use Custom Domain link:

  1. Navigate to Setup > Apps > Connected Apps > Manage Connected Apps in Lightning or Setup > Administration Setup > Manage Apps > Connected Apps in Salesforce Classic.
  2. Select Edit for Veeva CRM Apps.
  3. Select the Admin approved users are pre-authorized option for the Permitted Users field in the OAuth Policies section.
  4. Select Save.
  5. Select Manage Profiles in the Profiles section.
  6. Select the appropriate profiles.
  7. Select Save.

If a user who does not have permission attempts to sign in from the link, the authentication fails and the Use Custom Domain screen displays.

Defining the Refresh Token Policy

When users sign in with the Use Custom Domain link and start an active Salesforce session, the session stays active forever. However, admins can define how long a session stays active to prevent sessions from staying active indefinitely. When a user signs in, the app receives a valid refresh token and an active session starts. When the session ends, if the refresh token is still valid, a new session starts automatically and a new refresh token is retrieved. As long as there is a valid refresh token, the user can launch and use the app without needing to sign in again. By default, refresh tokens never expire when users sign in from the Use Custom Domain link.

To define the refresh token policy:

  1. Navigate to Setup > Apps > Connected Apps > Manage Connected Apps.
  2. Select Edit for Veeva CRM Apps.
  3. Select the appropriate picklist option for Refresh Token Policy in the OAuth Policies section. The following options are available:
    • Refresh token is valid until revoked – Selected by default. The refresh token is valid indefinitely, unless it is specifically revoked by an admin. Revoke tokens on a user’s detail page under OAuth Connected Apps or on the OAuth Connected Apps Usage Setup page.
    • Immediately expire refresh token – The refresh token expires immediately after the user signs in. The current session is active, but after exiting the app and launching it again, the user must sign in again.
    • Expire refresh token if not used for n time – The refresh token expires if it is not used to start a session within the specified amount of time. For example, if refresh tokens are set to expire after 7 days of inactivity, the user must use the app for at least one full session within 7 days of signing in and retrieving a refresh token. This ensures the refresh token is used to start a new session and then exchanged for a new token. The new token is valid for another 7 days. The monitoring period of session inactivity also resets.
    • Expire refresh token after n time – The refresh token is valid for a fixed amount of time. For example, if refresh tokens are set to expire after 24 hours, the user can maintain an active session only for 24 hours.
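
The four policies differ in which clock decides when a user is forced to sign in again. The following is an added example, not Veeva or Salesforce code: a small Python model of the policies as this page describes them. It assumes each app launch starts a new session using the refresh token and that the fixed-lifetime clock starts at sign-in and is not reset by use; all names (Policy, forced_sign_ins, LAUNCHES) are hypothetical.

```python
from datetime import datetime, timedelta
from enum import Enum

class Policy(Enum):
    UNTIL_REVOKED = "Refresh token is valid until revoked"
    IMMEDIATE = "Immediately expire refresh token"
    INACTIVITY = "Expire refresh token if not used for n time"
    FIXED = "Expire refresh token after n time"

def forced_sign_ins(policy, launches, n=None, revoked_at=None):
    """Return the launch times at which the user has to sign in again.

    launches[0] is the initial sign-in; each later entry is an app launch that
    needs the refresh token to start a new session (assumption of this model).
    """
    issued = last_used = launches[0]
    forced = []
    for t in launches[1:]:
        if policy is Policy.IMMEDIATE:
            valid = False                      # token died right after sign-in
        elif revoked_at is not None and issued < revoked_at <= t:
            valid = False                      # an admin revoked this token
        elif policy is Policy.INACTIVITY:
            valid = t - last_used <= n         # sliding window since last use
        elif policy is Policy.FIXED:
            valid = t - issued <= n            # fixed window since sign-in
        else:
            valid = True                       # UNTIL_REVOKED, not revoked
        if valid:
            last_used = t                      # token exchanged, window resets
        else:
            forced.append(t)
            issued = last_used = t             # new sign-in, new token
    return forced

# Constructed sample: sign-in on day 0, launches on days 3, 9, 20 and 21.
START = datetime(2024, 1, 1)
LAUNCHES = [START + timedelta(days=d) for d in (0, 3, 9, 20, 21)]

def forced_days(policy, **kw):
    """Day offsets (from START) of the launches that require a new sign-in."""
    return [(t - START).days for t in forced_sign_ins(policy, LAUNCHES, **kw)]

if __name__ == "__main__":
    week = timedelta(days=7)
    print("until revoked:", forced_days(Policy.UNTIL_REVOKED))
    print("immediate:", forced_days(Policy.IMMEDIATE))
    print("inactivity 7d:", forced_days(Policy.INACTIVITY, n=week))
    print("fixed 7d:", forced_days(Policy.FIXED, n=week))
```

With a 7-day setting, the inactivity policy forces a sign-in only after the 11-day gap (day 20), while the fixed policy also forces one on day 9 even though the user was active on day 3.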

Enforcing Multi-Factor Authentication

Customers can set up MFA through Salesforce or through their own identity provider (IDP) and enable it for the appropriate user profiles or permission sets. Once MFA is enabled, users must complete an MFA challenge when signing in. The MFA challenge is a secondary method of verification to provide an extra layer of protection. Customers who want to enforce MFA on iPad and iPhone devices must require users to sign in with the Use Custom Domain link.

Field Users

To configure Salesforce MFA for standard Salesforce authentication:

  1. Navigate to Setup > Users > Profiles.
  2. Select the appropriate user profile.
  3. Select System Permissions in the System section.
  4. Select Edit.
  5. Select the Multi-Factor Authentication for API Logins and Multi-Factor Authentication for User Interface Logins check boxes.

    Enabling the Multi-Factor Authentication for API Logins option prevents users from signing in using the existing authentication method.

  6. Select Save.
  7. Navigate back to the profile overview page.
  8. Select Session Settings in the System section.
  9. Select Edit.
  10. Set Session Security Level Required at Login to None.
  11. Select Save.

If the Enhanced Profile User Interface User Management Setting is not enabled, the System Permissions and Session Settings for user profiles display on the same page and can be edited at the same time. See Salesforce documentation about the original profile interface for more information.

Customers who want to enforce MFA for SSO with an IDP must configure MFA separately in their IDP. Even after MFA is configured, users can skip the MFA challenge by signing in with their Salesforce credentials. To ensure users complete the MFA challenge, admins must prevent users from signing in with their Salesforce credentials:

  1. Navigate to Setup > Identity > Single Sign-On Settings.
  2. Select Edit.
  3. Select the Disable login with Salesforce credentials check box.
  4. Navigate to Setup > Users > Profiles.
  5. Select the appropriate user profile.
  6. Select System Permissions in the System section.
  7. Select Edit.
  8. Select the Is Single Sign-On Enabled check box.
  9. Select Save.
  10. Navigate back to the profile overview page.
  11. Select Session Settings in the System section.
  12. Select Edit.
  13. Set Session Security Level Required at Login to None.
  14. Select Save.

Using Profiles to configure Salesforce MFA for SSO users:

  1. Navigate to Setup > Users > Profiles.
  2. Select the appropriate user profile.
  3. Select Edit.
  4. Navigate to the General User Permissions section.
  5. Select the Multi-Factor Authentication for User Interface Logins check box.
  6. Navigate to the Session Settings section.
  7. Set Session Security Level Required at Login to None.
  8. Select Save.

System Admins

Ensure system admins are not integration users. Integration users must be able to sign in through API, which this configuration prevents.

To configure Salesforce MFA for standard Salesforce authentication:

  1. Navigate to Setup > Users > Profiles.
  2. Select the appropriate user profile.
  3. Select Session Settings in the System section.
  4. Select Edit.
  5. Set Session Security Level Required at Login to High Assurance.
  6. Select Save.

Integration Users

To configure MFA for standard Salesforce authentication:

  1. Navigate to Setup > Users > Profiles.
  2. Select the appropriate user profile.
  3. Select System Permissions in the System section.
  4. Select Edit.
  5. Select the Multi-Factor Authentication for User Interface Logins check box.
  6. Select Save.

Signing In

Users can sign in to Veeva CRM using the following authentication methods:

To sign in:

  1. Select Use Custom Domain on the login page.
  2. Populate the Custom Domain field with the full custom domain URL of the org. Do not include https://.

    If the user previously signed in with a custom domain, this screen is skipped and the My Domain login page automatically displays in the embedded browser.

  3. Select Next.
  4. Enter the appropriate credentials in the embedded browser.
  5. Select Log In.
  6. Complete the MFA challenge, if applicable.
  7. Select Allow to allow access to the app. This step is only required the first time a user signs in with a specific set of credentials.

Once a user successfully signs in, an active Salesforce session starts. While the session is active, the user remains signed in, even if the app is closed. Users must sign out to end the session or wait until the refresh token expires. See Defining the Refresh Token Policy for more information.