RSA Announces Manual Configuration Change Mandated by Salesforce When Using ID Plus to Authenticate to Salesforce
15 hours ago

Affected Products

RSA ID Plus, when configured to allow access to Salesforce.com (SFDC)

    

Details

Salesforce is enforcing Multi-Factor Authentication (MFA) validation for all users who authenticate to Salesforce through third-party Identity Providers (IdPs), such as RSA ID Plus.

Salesforce now requires third-party IdPs to explicitly include the Authentication Method Reference (AMR) in the authentication response. If the AMR is not provided, Salesforce will deny the user's login request.

For more details, refer to the following SFDC announcements:

Resolving this issue requires both the July 2026 release of RSA ID Plus and manual configuration by each organization that authenticates to Salesforce using RSA ID Plus.

 

Organizations can request a temporary exemption from Salesforce to defer enforcement of this requirement. This will provide short-term relief for organizations affected from July 01, 2026, until the RSA ID Plus July release is available and the necessary configuration is complete.

   

Overall Schedule

  • Salesforce will begin enforcing this change on July 01, 2026, for administrator accounts and July 20, 2026, for end users. Enforcement will be rolled out in phases over 30 days, with all administrators migrated by the end of July and all end users by August 20, 2026.
  • The enforcement schedule is determined entirely by Salesforce, including when individual customer organizations are migrated during the phased rollout. RSA has no control over this timeline.
  • Salesforce communicated this requirement to identity providers, including RSA, late in the implementation process. RSA requested that Salesforce postpone enforcement to allow sufficient time to prepare the customers for the change; however, Salesforce declined this request.
  • RSA will provide a technical solution for this change in the RSA ID Plus July 2026 release, which is expected to be fully deployed across all regions by July 17, 2026.
    • Because Salesforce's phased enforcement begins on July 01, 2026, administrator accounts for Salesforce environments protected by RSA ID Plus may experience authentication issues before the RSA July 2026 release is fully available.
  • After the RSA ID Plus July 2026 release has been deployed, each organization must manually update its SAML or OIDC configuration for Salesforce within RSA ID Plus to enable the required AMR.
    • Organizations should complete the required configuration as soon as the July 2026 release is available. Doing so will help ensure that end users are not affected when Salesforce begins enforcing the requirement for user accounts starting July 20, 2026.  

    

Required Actions

Refer to How to Configure AMR Claims in RSA ID Plus to Comply with Salesforce MFA Enforcement of mandatory MFA validation and complete the configuration.

 

 

 

Announcement