Salesforce is enforcing new security requirements this summer.
Phishing-resistant MFA for admins. Mandatory MFA for all employees. Step-up auth on reports. If your Okta or Entra IdP isn't sending the right AMR/ACR signals, your privileged users get blocked — even with SSO working today.
Phishing-resistant MFA
Admins must use passkeys, WebAuthn security keys, or built-in authenticators. TOTP apps no longer count.
MFA for every employee
All internal users must complete MFA — direct UI or SSO. Chatter External and Experience Cloud users are excluded.
SSO must prove it
Salesforce inspects AMR/ACR signals from your IdP. Okta and Entra don't send them out of the box.
"Waive MFA" is dead
The exempt-user permission is disabled. Only Salesforce Support can restore it for automation use cases.
What changes and when
Salesforce staggers enforcement across sandboxes first, then production. Dates below reflect the July 2, 2026 update from Salesforce.
Phishing-resistant MFA for privileged users
Applies to every user with the System Administrator profile — or any of the Modify All Data, View All Data, Customize Application, or Author Apex permissions. Direct UI logins and SSO logins are in scope, in production and sandboxes.
What satisfies the requirement
- • FIDO2 / WebAuthn security keys (YubiKey, etc.)
- • Built-in authenticators (Touch ID, Face ID, Windows Hello)
- • Cloud-synced passkeys (1Password, iCloud Keychain, Bitwarden)
- • Certificate-Based Authentication (x.509 / mTLS)
- • Admin-generated temporary verification codes
What no longer counts
- • Salesforce Authenticator app for privileged users
- • TOTP apps (Google Authenticator, Microsoft Authenticator)
- • SMS, email, or voice call codes
- • Password-only login
- • "Waive MFA for Exempt Users" (auto-disabled)
What still works unchanged
- • JWT Bearer and Client Credentials OAuth flows
- • API-only integration users (no UI login)
- • Chatter External / Chatter Free users
- • External users on Experience Cloud licenses
- • OAuth Web Server / Hybrid flows still trigger MFA on UI login
How Salesforce grades your SSO login
For SSO logins, Salesforce reads AMR (Authentication Methods Reference, RFC 8176) and ACR (Authentication Context Class Reference) values from your IdP. Any value in the phishing-resistant list also satisfies Standard MFA.
| Tier | Salesforce direct login | Accepted AMR values | Accepted ACR values | Result |
|---|---|---|---|---|
| Phishing-Resistant MFA | Security Keys (WebAuthn), Built-in Authenticators (Touch ID, Windows Hello), Admin-Generated Temporary Codes | cert, face, fido, fido2, fpt, hwk, iris, passkey, phr, pki, pop, pwlesspasskey, retina, sc, smartcard, swk, tlsclient, wia, x509 | fido, fido2, fpt, hwk, passkey, phr, pki, pwlesspasskey, retina, smartcard, swk, tlsclient, wia, x509 | Login allowed |
| Standard MFA | Salesforce Authenticator, TOTP Apps (Google / Microsoft Authenticator) | mfa, mobiletwofactorcontract, multipleauthn, okta_verify, pin, pgp, publickey, rsa, timesynctoken, user, vbm | mfa, mobiletwofactorcontract, multipleauthn, okta_verify, pgp, publickey, rsa, timesynctoken, vbm | Enroll & retry |
| Weak / No MFA | Password only | pwd, sms, tel, email | — | Enroll & retry |
Any attribute whose name contains amr or authnmethodsreferences is parsed. Semicolon-separated values (hwk;face;mfa) work; commas don't. URN / URL values split on : or /.
Sent as an array (e.g. [hwk, mfa]). Matched with exact, case-sensitive comparison against the accepted list.
Evaluated with a lowercase contains() check. Short tokens like mfa match long URNs like urn:oasis:names:tc:SAML:2.0:ac:classes:mfa.
Your IdP won't send the right signals by default
Both Okta and Entra can enforce phishing-resistant MFA — but neither transmits Salesforce's expected AMR/ACR values without explicit configuration. This is the most common gap causing admin lockouts today.
Okta
Okta enforces MFA via Authentication Policies, but the SAML/OIDC assertion won't include AMR/ACR unless you map them in the Salesforce app's assertion attributes.
- 01In the Okta admin console, open the Salesforce app → Sign On tab.
- 02Add an assertion attribute named authnmethodsreferences (SAML) or configure the OIDC amr claim.
- 03Emit values from the phishing-resistant list — e.g. hwk, phr, fido2 — when the Okta policy required a FIDO2 / WebAuthn factor.
- 04Require a phishing-resistant factor in the Authentication Policy that gates Salesforce.
- 05Verify with Salesforce Login History (OIDC) or a SAML tracer (SAML).
Microsoft Entra ID
Entra's default Salesforce enterprise app sends a minimal SAML assertion. AMR/ACR claims and phishing-resistant enforcement via Conditional Access must both be configured explicitly.
- 01In Entra admin center, open Enterprise applications → Salesforce → Single sign-on.
- 02Add a SAML claim named authnmethodsreferences and populate it from the user's authentication context.
- 03Create a Conditional Access policy requiring an authentication strength that includes only phishing-resistant methods (FIDO2 keys, Windows Hello, passkeys, certificate-based auth).
- 04Scope the policy to the Salesforce enterprise app and to your admin / privileged user group.
- 05Confirm ACR / AMR delivery using a SAML tracer or, for OIDC, Salesforce Login History.
Reality check: If your IdP is enforcing phishing-resistant MFA but isn't sending the AMR/ACR signal, Salesforce will still prompt privileged users to enroll a Salesforce passkey — or block them. Test with a real admin account in a sandbox before the July 6 sandbox enforcement date.
Nine steps to pass enforcement
Work through these before your sandbox enforcement date. Each item maps directly to guidance from the Salesforce Help article on phishing-resistant MFA.
Run a report to identify every user with System Administrator, Modify All Data, View All Data, Customize Application, or Author Apex.
Enable Security Keys and Built-in Authenticators in Identity Verification setup.
Turn on "Allow passwordless login with passkeys" for the fastest admin experience.
Audit "Waive MFA for Exempt Users" assignments and open a Salesforce Support case for any that must remain (automation, testing tools).
Configure your IdP to emit the correct AMR / ACR values on Salesforce logins.
Verify OIDC AMR in Salesforce Login History; use a SAML tracer for SAML ACR (Login History for SAML ACR is not yet available).
Pre-register admins with a phishing-resistant verifier before the sandbox enforcement date.
Test the end-to-end SSO flow with an admin account in a sandbox first.
Document a lockout recovery playbook: another admin can issue a temporary code; if no other admin exists, contact Salesforce Support.
Step-by-step: prove your AMR/ACR signals are landing
Six checks in order. Each one tells you exactly where in the Salesforce UI to look and what a passing vs failing signal looks like — so you can validate SSO before enforcement flips on.
1. Confirm the login was SSO (not direct)
- 01Add columns: Username, Login Time, Auth Method Reference, Login Type, Status, Application.
- 02Filter Login Type = SAML Idp Initiated or SAML SP Initiated (or OpenID Connect).
- 03Locate the specific user + timestamp you want to verify.
The row's Login Type is a SAML/OIDC value and Status is Success. Direct UI logins won't have IdP-supplied AMR/ACR — Salesforce evaluates the local factor instead.
Login Type = Application shows the user bypassed SSO with a Salesforce password — MFA policy applies locally, not via IdP claims.
2. Read the Auth Method Reference column
- 01Look at the Auth Method Reference value on the SSO login row.
- 02Compare it against the accepted lists in the AMR/ACR table above.
- 03For privileged users, at least one value must be phishing-resistant (e.g. fido2, passkey, hwk, wia, x509).
A value like fido2, passkey, hwk, or wia appears — that login satisfies phishing-resistant MFA.
Column is blank, or shows only mfa, okta_verify, pwd, or sms — the IdP is not sending a phishing-resistant signal and the user will be blocked after enforcement.
3. Inspect the raw SAML assertion or OIDC id_token
- 01Open the event for the target login and expand SAML Assertion (or ID Token for OIDC).
- 02For SAML: find <AttributeStatement> — look for an Attribute whose Name contains amr or authnmethodsreferences, plus an <AuthnContextClassRef>.
- 03For OIDC: copy the id_token, decode at jwt.io, read the amr array and acr claim.
- 04If the event log is disabled, temporarily enable SAML Assertion Validator (Setup → Single Sign-On Settings → SAML Assertion Validator) and re-run the login.
You can see the exact claim your IdP sent: e.g. <Attribute Name="authnmethodsreferences"><AttributeValue>hwk;fido2</AttributeValue></Attribute> or "amr": ["fido2", "hwk"].
No amr / authnmethodsreferences attribute exists, or values are comma-separated instead of semicolon-separated (SAML). Salesforce won't parse commas.
4. Cross-check the AuthnContext / acr value
- 01In SAML, read the <AuthnContextClassRef> inside <AuthnStatement>.
- 02In OIDC, read the top-level acr claim.
- 03Confirm it contains one of the accepted ACR tokens (e.g. fido2, phr, wia, x509). Substring match is case-insensitive.
A value like urn:oasis:names:tc:SAML:2.0:ac:classes:fido2 or acr = "phr" is present.
AuthnContextClassRef is urn:...:PasswordProtectedTransport or acr = "mfa" only — accepted for Standard MFA users, blocked for admins.
5. Reproduce with the SAML Assertion Validator
- 01Capture the base64 assertion from your browser's dev tools (Network tab, SAMLResponse form field) or from the IdP's debug log.
- 02Paste it into the validator and click Validate.
- 03Review the parsed AMR/ACR values Salesforce actually extracted.
The validator shows the AMR values it parsed and marks the login as satisfying phishing-resistant MFA.
Validator lists the attribute but Extracted Values is empty — check the delimiter (must be semicolons) and the AttributeValue element structure.
6. Test end-to-end with a pilot admin
- 01In a sandbox, enable Phishing-Resistant MFA enforcement for privileged users (Setup → Identity Verification).
- 02Have a pilot admin sign in via SSO using a phishing-resistant factor (passkey, security key, Windows Hello, Touch ID).
- 03If the session is granted, the full chain works. If blocked, the error page names which check failed.
Admin lands on the Setup home page without a step-up prompt. Login History shows a phishing-resistant AMR value on that login.
Admin sees "Your identity provider hasn't asserted a phishing-resistant authentication method" — go back to step 3 and fix the IdP claim before July 20, 2026.
Debug log & assertion samples
Real-shaped snippets you can paste next to your own logs to spot the difference between a phishing-resistant pass and a silent fail. Each sample tells you exactly where in Salesforce it comes from.
SAML assertion — phishing-resistant PASS
<saml:AttributeStatement> <saml:Attribute Name="authnmethodsreferences" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xsi:type="xs:string">hwk;fido2;phr</saml:AttributeValue> </saml:Attribute></saml:AttributeStatement><saml:AuthnStatement AuthnInstant="2026-07-06T14:22:19Z"> <saml:AuthnContext> <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:fido2 </saml:AuthnContextClassRef> </saml:AuthnContext></saml:AuthnStatement>Look for: Values are semicolon-separated (not comma). AuthnContextClassRef contains fido2 — Salesforce's substring match satisfies the ACR check.
SAML assertion — FAIL (Standard MFA only)
<saml:AttributeStatement> <saml:Attribute Name="authnmethodsreferences"> <saml:AttributeValue>mfa,okta_verify</saml:AttributeValue> </saml:Attribute></saml:AttributeStatement><saml:AuthnStatement> <saml:AuthnContext> <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport </saml:AuthnContextClassRef> </saml:AuthnContext></saml:AuthnStatement>Look for: Two problems: values are comma-separated (Salesforce won't split them) and the only method is Okta Verify push. Fix the delimiter and enroll the admin in FastPass/FIDO2.
OIDC id_token — decoded payload (PASS)
{ "iss": "https://login.microsoftonline.com/{tenant}/v2.0", "sub": "a1b2c3d4-...", "aud": "3MVG9...salesforce-client-id", "email": "admin@example.com", "amr": ["fido2", "hwk", "mfa"], "acr": "urn:mace:incommon:iap:silver;phr", "auth_time": 1783359739, "exp": 1783363339}Look for: amr is a JSON array (not a string). At least one value (fido2, hwk) is in the phishing-resistant list — login is allowed for admins.
Login History (SOQL) — find the AMR column
SELECT Id, UserId, LoginTime, LoginType, Status, AuthMethodReference, Application, SourceIpFROM LoginHistoryWHERE LoginTime = LAST_N_DAYS:1 AND LoginType IN ('SAML Sp Initiated', 'SAML Idp Initiated', 'OpenID Connect')ORDER BY LoginTime DESCLIMIT 50Look for: AuthMethodReference is the exact value Salesforce parsed from your IdP. Empty on an SSO row = no AMR claim was sent. Use this query to bulk-audit admins before enforcement.
Anonymous Apex — audit privileged users still on weak MFA
List<LoginHistory> risky = [ SELECT UserId, LoginTime, AuthMethodReference, LoginType FROM LoginHistory WHERE LoginTime = LAST_N_DAYS:7 AND UserId IN ( SELECT AssigneeId FROM PermissionSetAssignment WHERE PermissionSet.PermissionsModifyAllData = true )];Set<String> ok = new Set<String>{ 'fido2','passkey','hwk','wia','x509','phr','smartcard','pki'};for (LoginHistory lh : risky) { Boolean pass = lh.AuthMethodReference != null && ok.contains(lh.AuthMethodReference.toLowerCase()); System.debug('User=' + lh.UserId + ' AMR=' + lh.AuthMethodReference + ' PhishingResistant=' + pass);}Look for: Run in sandbox and production. Any PhishingResistant=false row for a Modify All Data user will be blocked on July 20, 2026 unless their IdP starts asserting a stronger factor.
Debug log — enable & filter for auth events
# Trace flag levels (set on the user before they log in)System=DEBUG; Security=FINEST; Workflow=NONE; Validation=INFOCallout=INFO; ApexCode=NONE; Database=INFO # After the failed login, open the log and search for:|SAML_ASSERTION||AUTH_METHOD_REFERENCE||AUTHN_CONTEXT_CLASS_REF||PHISHING_RESISTANT_MFA| # A passing entry looks like:14:22:19.301 |AUTH_METHOD_REFERENCE|values=[fido2, hwk]|source=SAML14:22:19.301 |PHISHING_RESISTANT_MFA|result=SATISFIED|matched=fido2 # A failing entry looks like:14:22:19.301 |AUTH_METHOD_REFERENCE|values=[]|source=SAML14:22:19.301 |PHISHING_RESISTANT_MFA|result=BLOCKED|reason=NoAcceptedAmrOrAcrLook for: The Security category at FINEST is the only level that emits AUTH_METHOD_REFERENCE and PHISHING_RESISTANT_MFA lines. Debug logs auto-expire — set a 30-minute trace flag right before the pilot admin logs in.
Pinpoint the root cause in under a minute
Answer five yes/no questions about a failing login. The tree isolates whether the problem lives at the Identity Provider, in the SAML/OIDC claim mapping, or inside Salesforce's own policy enforcement.
Is the affected user actually reaching Salesforce via SSO on the failing login?
Where to check: Check Setup → Users → Login History. Login Type should be SAML Idp Initiated, SAML Sp Initiated, or OpenID Connect.
- 1Is the affected user actually reaching Salesforce via SSO on the failing login?
- IdP — Okta/Entra isn't asserting the factor, or is asserting a weak one.
- Mapping — Claim reaches Salesforce but delimiter or attribute name is wrong.
- Salesforce — Signal is fine; a policy, session level, or profile config is blocking.
One-page troubleshooting checklist
Mirrors the interactive decision tree. Print, take notes, and staple to the change ticket.
Phishing-Resistant MFA — evidence checklist
Use alongside the Salesforce enforcement rollout (Sandbox Jul 6, 2026 · Prod Jul 20, 2026).
- 1
Is the login actually via SSO?
Owner: Salesforce AdminActions- Open Setup → Users → Login History (filter last 24h).
- Confirm Authentication Method = SAML or OIDC (not Password).
Evidence to collect- Login History row: Application, Auth Method, IdP name
- Session ID / Login Time for the affected user
- 2
Does the assertion contain AMR / AuthnMethodsReferences?
Owner: IdP Admin + SF AdminActions- Setup → Identity → Identity Provider Event Log, open the event.
- In Okta / Entra, capture the raw SAML response or OIDC id_token.
Evidence to collect- Raw base64 SAML response OR decoded id_token JSON
- AttributeStatement with amr / authnmethodsreferences
- AuthnContextClassRef value (SAML) or acr claim (OIDC)
- 3
Is the parsed AMR phishing-resistant?
Owner: Salesforce AdminActions- Paste assertion into Setup → SAML Assertion Validator.
- Confirm values include fido2, passkey, hwk, wia, or x509.
Evidence to collect- Validator output: parsed AMR list
- Highlight of accepted vs. weak factor (e.g. mfa, otp, sms)
- 4
Is the user blocked or stepped-up?
Owner: Pilot User + SF AdminActions- Reproduce login as a pilot admin in sandbox.
- Note whether Salesforce hard-blocks or prompts for step-up.
Evidence to collect- Screenshot of Salesforce error / step-up prompt
- Login History Status column (e.g. Failed: MFA Required)
- 5
Diagnosis category
Owner: Program LeadActions- Match evidence to IdP, Mapping, or Salesforce Policy bucket.
- Assign owner and target fix date before enforcement window.
Evidence to collect- Category: ☐ IdP ☐ SAML/OIDC Mapping ☐ SF Policy ☐ OK
- Owner: __________________ Target date: ______________
FAQ: Okta, Entra & verifying AMR/ACR
The questions admins hit first when SSO logins start getting blocked. Each answer maps to something you can check in Salesforce, Okta, or Entra right now.
AMR/ACRHow do I verify what AMR/ACR values my IdP is actually sending?
How do I verify what AMR/ACR values my IdP is actually sending?
In Salesforce, open Setup → Identity → Identity Provider Event Log (or Login History with the SAML Assertion / OIDC ID Token columns). Pick a recent SSO login for a privileged user and inspect the raw assertion. For SAML, look for an AttributeStatement whose Name contains amr or authnmethodsreferences, and an AuthnContextClassRef element. For OIDC, decode the id_token at jwt.io and read the amr array and acr claim. If neither appears, your IdP isn't sending them — no amount of Salesforce config will help until the IdP is fixed.
SalesforceA privileged user is blocked at login even though SSO works. What do I check first?
A privileged user is blocked at login even though SSO works. What do I check first?
Confirm three things in order: (1) the user actually authenticated with a phishing-resistant factor at the IdP (passkey, security key, Windows Hello, Touch ID) — a fresh password + push does not count; (2) the IdP included that factor in the AMR/ACR claim on this specific login (check the assertion); (3) the value sent matches Salesforce's accepted list exactly, case-sensitive for AMR. A common failure is the IdP sending mfa only, which satisfies Standard MFA but is blocked for admins.
OktaOkta says WebAuthn was used, but Salesforce still blocks the admin. Why?
Okta says WebAuthn was used, but Salesforce still blocks the admin. Why?
Okta does not include AMR or ACR in SAML assertions by default. Open the Salesforce app in Okta → Sign On → SAML 2.0 → Attribute Statements and add authnmethodsreferences with a value like appuser.authnMethodReferences (or a hardcoded hwk;fido2;phr for testing). For OIDC, enable the Include AMR claim option on the OpenID app and confirm claims like fido2, hwk, or phr appear. Use Okta's System Log → filter on Authentication of user via SAML/OIDC to see the assertion payload sent to Salesforce.
OktaOkta Verify push is authenticating my admin — is that OK?
Okta Verify push is authenticating my admin — is that OK?
No. Okta Verify push and TOTP are Standard MFA (okta_verify, mfa) and are blocked for privileged users. Enroll the admin in FastPass with biometric + device-bound key, or a FIDO2 security key. In the Okta Authenticator policy, require Possession factor is hardware protected and Phishing-resistant for the Salesforce app.
EntraEntra Conditional Access is enforcing MFA, so why does Salesforce still block admins?
Entra Conditional Access is enforcing MFA, so why does Salesforce still block admins?
Enforcing MFA in Conditional Access doesn't automatically send the AMR/ACR claim to Salesforce. In Entra → Enterprise Applications → Salesforce → Single sign-on → Attributes & Claims, add a claim named http://schemas.microsoft.com/claims/authnmethodsreferences sourced from user.authenticationmethods, and an authnContextClassRef claim. Then create a Conditional Access → Authentication Strength policy requiring Phishing-resistant MFA scoped to the Salesforce app.
EntraWhich Entra Authentication Strength should I assign to Salesforce?
Which Entra Authentication Strength should I assign to Salesforce?
Use the built-in Phishing-resistant MFA strength (passkeys, Windows Hello for Business, FIDO2 keys, CBA). Assign it to a Conditional Access policy targeting the Salesforce enterprise app and the group of privileged Salesforce users. Verify with a test admin: sign-in log → Authentication Details should show fido2 or windowsHelloForBusiness, and the outbound SAML/OIDC claim should include a matching AMR value like fido2 or hwk.
AMR/ACRMy IdP sends amr as a comma-separated string in SAML. Why isn't it matching?
My IdP sends amr as a comma-separated string in SAML. Why isn't it matching?
Salesforce splits SAML AMR attribute values on semicolons, not commas. Send hwk;fido2;mfa (semicolon separated) or send each value as its own <AttributeValue> element inside the same Attribute. URN- or URL-shaped values (e.g. urn:ietf:params:oauth:...:hwk) are additionally split on : and /, so the trailing token is what gets matched.
SalesforceWhere in Salesforce can I confirm a login was accepted as phishing-resistant?
Where in Salesforce can I confirm a login was accepted as phishing-resistant?
Setup → Users → Login History. Add the Authentication Method Reference and Login Type columns. For a phishing-resistant SSO login you should see a value from the accepted AMR list (e.g. fido2, passkey, hwk, wia). If the column is empty on an SSO login, the IdP sent nothing — the login will be blocked once enforcement begins.
SalesforceCan I test this before the July 2026 enforcement date?
Can I test this before the July 2026 enforcement date?
Yes. In a sandbox, go to Setup → Identity Verification → Enable Phishing-Resistant MFA for privileged users. Have a test admin sign in via SSO and confirm the assertion contains a phishing-resistant AMR/ACR value. If it doesn't, the login is blocked immediately — that's your regression signal. Fix the IdP, retest, and roll the same claim configuration to production before July 20, 2026.
Primary sources
Everything on this page is drawn from Salesforce's own documentation, RFC 8176, and vendor guides from Okta and Microsoft.