Beginning February 1st, 2022, Salesforce requires customers to enable Multi-Factor Authentication (MFA) for all internal users who log in to Salesforce products (including partner solutions) through the user interface. Below are some answers to what this means for Conga Commerce solutions built on the Salesforce platform.

What is MFA and why is Salesforce requiring it?

MFA is a secure authentication method that requires you to prove your identity by providing two or more pieces of evidence (or “factors”) when you log in.

  • One factor is something you know, such as your username and password.
  • Other factors are verification methods that you may have, such as an authenticator app or a security key. By tying user access to multiple types of factors, MFA makes it much harder for common threats like phishing attacks and account takeovers to succeed.

What does this mean for Conga Commerce solutions?

This change in Salesforce does not impact the authentication experience for any users (internal, external, and guest users) using the standard Conga Commerce authentication process. Conga Commerce is built on the Salesforce REST APIs and hence MFA is not enforced. Internal users (where MFA is enforced) who use both Salesforce and Conga Commerce go through the MFA flow when they log in directly to the Salesforce application, but need only the username and password when using Conga Commerce.

How does this impact internal users?

Internal users are those that use an internal identity license, such as administrators, developers, and standard users. Any standard “internal” Salesforce users who log in to applications through the salesforce.com domain or a custom domain are required to use MFA. This includes logging in to your company’s Experience Cloud sites or portals.

How does this impact external users?

External users are those that use an external identity license such as a customer community or partner community user. MFA is not required for these users. MFA can be enabled for these users, but it will not be enforced.

What about SSO?

Like internal users, SSO users are required to use MFA when accessing the internal Salesforce applications. You can use the MFA service of your SSO provider or the MFA functionality provided in Salesforce instead. If SSO is used to access Conga Commerce, MFA is not required.

What actions can I take now to ensure that we are ready?

To prepare for this rollout, you can enable MFA for your user base by assigning the Multi-Factor Authentication for User Interface Login permission to them. Those users will be prompted to set up MFA at their next login.

For additional information, see:

https://help.salesforce.com/s/articleView?id=000356005&type=1

https://help.salesforce.com/s/articleView?id=000352937&type=1