[SalesForce] Disable forgot password for SSO Users

We have enabled SSO for our users. How can I prevent users from using the Salesforce login (login.salesforce.com) if they know their Salesforce password from before SSO was set up, or if they reset their password via the forgot password link?
I cannot use the My Domain login policy setting to restrict users from logging in via login.salesforce.com, as I want admins to still log in via the standard Salesforce login. Any help on this is appreciated.

Best Answer

You can always have admins log in using a direct URL even when the Prevent login from ... is enabled. The way to do so is to append the query parameter login to the login URL (example below), where admins can still use their Salesforce username and password.

https://mydomain.my.salesforce.com/?login

You can find more details here.

It's advisable that you expire passwords for all users so that even if they can get access using the query parameter, they won't be able to log in. But if for any reason any user has access to this URL and knows their Salesforce password, they can still log in using their Salesforce username/password.
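
An added example, not part of the original answer: a check for the residual risk described above, flagging username/password logins by users who should be SSO-only. The CSV column names, the "Application" login type label, the sample rows and the admin allowlist are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample rows. Column names and Login Type values are assumptions
# modelled on a login history export; they are not taken from the page.
SAMPLE_CSV = """Username,Login Time,Login Type,Status,Login URL
alice@example.com,2024-05-01T08:00:00Z,SAML Sfdc Initiated SSO,Success,mydomain.my.salesforce.com
bob@example.com,2024-05-01T08:05:00Z,Application,Success,mydomain.my.salesforce.com
carol@example.com,2024-05-01T08:10:00Z,Application,Success,login.salesforce.com
admin@example.com,2024-05-01T08:15:00Z,Application,Success,mydomain.my.salesforce.com
dave@example.com,2024-05-01T08:20:00Z,Application,Invalid Password,mydomain.my.salesforce.com
"""

# Assumed label for an interactive username/password login.
PASSWORD_LOGIN_TYPES = {"Application"}
# Hypothetical allowlist: admins who are expected to use the ?login URL.
ALLOWED_PASSWORD_USERS = {"admin@example.com"}


def find_password_logins(csv_text, allowed=ALLOWED_PASSWORD_USERS):
    """Return password login attempts made by users outside the allowlist."""
    allowed = {u.lower() for u in allowed}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["Username"].strip().lower()
        if row["Login Type"].strip() not in PASSWORD_LOGIN_TYPES:
            continue  # SSO and other non-password login types are expected
        if user in allowed:
            continue  # admins may still use username/password
        findings.append({
            "user": user,
            "time": row["Login Time"],
            "url": row["Login URL"],
            # Failed attempts are kept: they show someone trying a password.
            "succeeded": row["Status"].strip() == "Success",
        })
    return findings


if __name__ == "__main__":
    for f in find_password_logins(SAMPLE_CSV):
        state = "SUCCESS" if f["succeeded"] else "failed"
        print(f'{f["time"]} {f["user"]} password login via {f["url"]}: {state}')
```

Successful hits identify accounts whose passwords still work and should be expired; failed hits show SSO users attempting the password path.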
