How to Configure AMR Claims in RSA ID Plus to Comply with Salesforce's Mandatory MFA Validation Enforcement
Article Number
000073979
Applies To

RSA ID Plus, when configured to allow access to Salesforce.com 

Issue
  • From July 2026 onwards, Salesforce enforces MFA validation for all user logins that come through a third-party IdP such as RSA ID Plus.
  • The IdP must now send an Authentication Methods Reference (AMR) to Salesforce with each login.
  • The AMR identifies the authentication method(s) used. Salesforce checks whether the method is sufficient according to its own criteria and the user's level of access.
  • Salesforce requires phishing-resistant authentication methods for admins and other privileged users.
  • For details of the criteria and the enforcement, see Salesforce's announcements here and here.
Tasks

If impacted, organizations can request a temporary exemption from Salesforce for short-term relief until the RSA release is deployed and the configuration below is completed.

Resolution
  • In the upcoming RSA ID Plus July release (planned for mid-July), RSA adds the ability to send the AMR signal as a statement attribute for SAML integrations or as a claim for OIDC integrations.
  • This change requires organizations to make manual changes to their Salesforce configuration in the RSA Cloud Admin Console.
  • The configuration is the same whether Salesforce is configured as a relying party or as an SSO application on My Page.
    • For SAML integrations:
      • Go to the Connection Profile section > Show connection profile advanced configuration > Statement Attribute.
      • Add a statement attribute with Attribute Name amr, Attribute Source System and Property Authentication Methods.

    • For OIDC integrations:
      • Go to Access > OIDC Settings > Claims.
      • Add a claim with Claim Name amr, Source System and Property Authentication Methods.

      • Then, in the Salesforce OIDC configuration, add the new claim to the connection profile.

  • Note:
    • The source "System" will be added in the July release.
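The steps above only tell the IdP to emit the AMR; what Salesforce then does with it is an evaluation on the relying-party side. The following added example (not RSA's or Salesforce's code) models that evaluation end to end: it extracts the amr values from a constructed SAML AttributeStatement and from a constructed OIDC ID token, and applies a role-based policy. The AMR values and the strength classes are assumptions based on RFC 8176; the exact values RSA ID Plus will emit and Salesforce's exact criteria are not documented on this page.

```python
"""Model of a relying party evaluating the amr attribute/claim.

Added example, not RSA's or Salesforce's code. The amr values (RFC 8176) and
the policy table below are assumptions; substitute the values your IdP
actually emits and the criteria your relying party actually enforces.
"""
import base64
import json
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed strength classes (RFC 8176 names): hwk/swk = proof of possession of a
# hardware/software-protected key, which is the phishing-resistant family.
PHISHING_RESISTANT = {"hwk", "swk"}
# Assumed: any of these counts as acceptable MFA for non-privileged users.
MFA_ACCEPTABLE = PHISHING_RESISTANT | {"otp", "mfa", "face", "fpt", "mca", "sc"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def amr_from_id_token(id_token: str):
    """Return the amr claim (list of str) from an ID token, or None if absent.

    Only claim extraction is modelled here. A real relying party must verify the
    JWS signature, iss, aud and exp before trusting any claim in the payload.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    claims = json.loads(_b64url_decode(parts[1]))
    amr = claims.get("amr")
    if amr is None:
        return None
    # OIDC Core / RFC 8176: amr is a JSON array of strings, never a bare string.
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError("amr claim must be an array of strings")
    return amr


def amr_from_saml_assertion(assertion_xml: str):
    """Return the values of the Attribute named 'amr', or None if absent."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == "amr":
            values.extend(v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text)
    return values or None


def evaluate(amr, privileged: bool):
    """Return (accepted, reason) for a login, given its amr values and role."""
    if not amr:
        return False, "no AMR supplied; the IdP must send the amr attribute/claim"
    methods = set(amr)
    if privileged:
        if methods & PHISHING_RESISTANT:
            return True, "phishing-resistant method present"
        return False, "privileged user requires a phishing-resistant method"
    if methods & MFA_ACCEPTABLE:
        return True, "acceptable MFA method present"
    return False, "only single-factor methods present (e.g. pwd)"


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unverifiable ID token (placeholder signature) for the samples."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed sample inputs (hypothetical issuer and client id).
_BASE = {"iss": "https://idp.example", "sub": "alice", "aud": "salesforce-client"}
ID_TOKEN_OTP = make_sample_token({**_BASE, "amr": ["pwd", "otp"]})
ID_TOKEN_HWK = make_sample_token({**_BASE, "amr": ["pwd", "hwk"]})
ID_TOKEN_NO_AMR = make_sample_token(_BASE)
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="amr">
      <saml:AttributeValue>pwd</saml:AttributeValue>
      <saml:AttributeValue>hwk</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, amr in [("OIDC otp", amr_from_id_token(ID_TOKEN_OTP)),
                       ("OIDC hwk", amr_from_id_token(ID_TOKEN_HWK)),
                       ("OIDC none", amr_from_id_token(ID_TOKEN_NO_AMR)),
                       ("SAML", amr_from_saml_assertion(SAML_ASSERTION))]:
        for role in (False, True):
            print(label, amr, "privileged" if role else "user", evaluate(amr, role))
```

The point the example makes: a token with only pwd and otp passes for a regular user but fails for a privileged user, and a token with no amr at all fails for everyone, which is what the missing attribute/claim will look like before the configuration above is applied.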
Notes
  • Enforcement starts on July 1st for admins and July 20th for users, and is staggered over 30 days.
  • The timing and schedule of this change are controlled by Salesforce, not RSA.
  • Salesforce communicated this change to vendors such as RSA late in the process.
  • RSA asked Salesforce to delay this change so that RSA could prepare its clients for it, but Salesforce denied the request.
  • RSA will provide a technical solution for this change in the RSA ID Plus July release, which should be fully deployed in all regions by July 17th.
    • This means that, depending on Salesforce's staggered rollout starting July 1st, some admin users of Salesforce systems protected by RSA ID Plus may be impacted from July 1st and asked to re-authenticate.
  • Once the RSA ID Plus July release is deployed, organizations should apply the configuration changes as soon as possible so that end users are not impacted by Salesforce's enforcement.
  • The RSA authentication methods that Salesforce considers phishing-resistant are listed below. Which methods qualify for a given level of access is decided by Salesforce's criteria, not by RSA, so confirm this list against Salesforce's current announcements.
    • FIDO
    • Authenticate OTP
    • SecurID OTP
    • Approve
    • QR Code
    • OATH HOTP
    • Biometrics