How to Configure AMR Claims in RSA ID Plus to Comply with Salesforce Enforcement of Mandatory MFA Validation
Applies To
RSA ID Plus, when configured to allow access to Salesforce.com
Issue
- From July 2026 onwards, Salesforce is enforcing MFA validation for all user logins that use a third-party IDP such as RSA ID Plus.
- Salesforce now requires the IDP to provide an Authentication Methods Reference (AMR) value.
- The AMR indicates the MFA method used for authentication, and Salesforce verifies whether that method is sufficient according to its criteria and the user's level of access.
- Salesforce will enforce stricter, phishing-resistant authentication methods for admins and privileged users.
- For more details about the criteria and this enforcement, please check Salesforce's announcements here and here.
Tasks
If impacted, organizations can request a temporary exemption from Salesforce for short-term relief until the RSA deployment is completed and configured.
Resolution
- In the coming RSA ID Plus July release (planned for mid-July), RSA will add the ability to send the AMR signal in a statement attribute for SAML integrations or in a claim for OIDC integrations.
- This change will require organizations to make manual changes to their Salesforce configurations in the RSA Cloud Admin Console.
- The configuration is the same whether you configured Salesforce as a relying party or as an SSO application on My Page.
- For SAML integration:
  - In the connection profile section > show connection profile advanced configuration > Statement Attribute
  - Add a statement attribute where the Attribute Name is amr, the Attribute Source is System and the Property is Authentication Methods.
- For OIDC integration:
  - Under Access > OIDC Settings > Claims
  - Add a claim where the Claim Name is amr, the Source is System and the Property is Authentication Methods.
  - And then in the Salesforce OIDC configuration, add the new claim in the connection profile.
- Note:
  - The source "System" will be added in the July release.
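To confirm the change took effect, you can capture a sign-in and check that the assertion or ID token actually carries amr. The following is an added example, not RSA or Salesforce code: the sample token, sample assertion and the amr values in them are constructed placeholders, and the ID token signature is not verified because this is a diagnostic check only.

```python
import base64
import json
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def amr_from_id_token(token):
    """Return the amr claim of a compact JWT as a list ([] if absent).
    Diagnostic only: the signature is not verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    amr = claims.get("amr", [])
    return [amr] if isinstance(amr, str) else list(amr)

def amr_from_saml(xml_text):
    """Return every AttributeValue of the statement attribute named amr.
    Run this only on assertions captured from your own tenant."""
    values = []
    for attr in ET.fromstring(xml_text).iter(f"{{{SAML_ASSERTION_NS}}}Attribute"):
        if attr.get("Name") == "amr":
            for value in attr.iter(f"{{{SAML_ASSERTION_NS}}}AttributeValue"):
                if value.text and value.text.strip():
                    values.append(value.text.strip())
    return values

def _b64(obj):  # helper used only to build the constructed sample tokens
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed samples: the amr values are placeholders, not RSA's actual output.
TOKEN_WITH_AMR = ".".join([_b64({"alg": "RS256"}),
                           _b64({"sub": "admin@example.com", "amr": ["otp", "mfa"]}), "sig"])
TOKEN_WITHOUT_AMR = ".".join([_b64({"alg": "RS256"}),
                              _b64({"sub": "admin@example.com"}), "sig"])
SAML_WITH_AMR = f"""<saml:Assertion xmlns:saml="{SAML_ASSERTION_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="amr"><saml:AttributeValue>otp</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, values in [("OIDC, claim configured", amr_from_id_token(TOKEN_WITH_AMR)),
                          ("OIDC, claim missing", amr_from_id_token(TOKEN_WITHOUT_AMR)),
                          ("SAML, attribute configured", amr_from_saml(SAML_WITH_AMR))]:
        print(f"{label}: {values if values else 'NO amr sent'}")
```

An empty result means the statement attribute or claim described above has not been added to that connection.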
Notes
- Enforcement will start on July 1st for admins and July 20th for users, and will be staggered for 30 days.
- The timing and schedule of this change are controlled by Salesforce, not RSA.
- Salesforce communicated this change to vendors like RSA late in the process.
- RSA asked Salesforce to delay this change to allow RSA to prepare its clients, but Salesforce denied this request.
- RSA will provide a technical solution for this change with the RSA ID Plus July release, which should be fully deployed in all regions by 17th July.
- This means that, depending on Salesforce's staggered deployment starting on 1st July, certain admin users of Salesforce systems protected by RSA ID Plus may be impacted from July 1st and asked to re-authenticate.
- Once the RSA ID Plus July release is deployed, organizations should apply the configuration changes as soon as possible to avoid end users being impacted by the enforcement from Salesforce.
- The RSA authentication methods that Salesforce considers phishing-resistant are:
- FIDO
- Authenticate OTP
- SecurID OTP
- Approve
- QR Code
- OATH HOTP
- Biometrics