Hi,
To ensure that users can’t bypass your SSO system, disable their ability to log in with their Salesforce username and password so that they’re required to log in with SSO. Salesforce recommends that you don’t require SSO for Salesforce admins so that they can still access Salesforce to respond to SSO outages or other issues.
- Disable direct logins through login.salesforce.com.
- From Setup, in the Quick Find box, enter My Domain, then select My Domain.
- In the Routing and Policies section, click Edit.
- In production, select Prevent login from https://login.salesforce.com. In a sandbox, select Prevent login from https://test.salesforce.com.
- Save your changes.
- For users who have the Is Single Sign-On Enabled user permission, disable their ability to log in with Salesforce credentials.
- From Setup, in the Quick Find box, enter Single Sign-On, then select Single Sign-On Settings.
- Click Edit.
- In Delegated Authentication, select Disable login with Salesforce credentials, then save your changes.This setting doesn’t directly disable username-password logins for all users. It applies only to users who have the Is Single Sign-On Enabled user permission. As long as you don’t assign this permission to users—such as admin users who must be able to log in if SSO is down— they can still log in with their Salesforce credentials when this setting is turned on.
- To require SSO of certain users, assign them the Is Single Sign-On Enabled user permission. To use permission sets, complete these steps.
- Create a Permission Set that includes the Is Single Sign-On Enabled user permission or add this permission to existing Permission Set.
- Assign the Permission Set to the respective users
Reference:
- https://help.salesforce.com/s/articleView?id=sf.sso_enforce_sso_login.htm&type=5
