Salesforce Changes to Device Activation for SSO
This article outlines the configuration required for Auth0 to comply with Salesforce's Multi-Factor Authentication (MFA) requirements, as announced in Changes to Device Activation for Single Sign-On (SSO) Logins. Salesforce requires specific indicators in the authentication response to verify that MFA was performed during the sign-in process.
When Auth0 is acting as an IdP (Identity Provider) for Salesforce as an SP (Service Provider), there are two configurations of note as outlined below:
- OpenID Connect (OIDC)
- Security Assertion Markup Language (SAML)
The requirements for each of these two configurations are described below:
OpenID Connect
The amr (authentication methods reference) claim in the JSON Web Token (JWT) returned by Auth0 contains the value mfa when MFA was completed, and Salesforce recognizes this as a valid MFA indicator. For example, the JWT will contain the following if MFA is completed in Auth0 via OIDC:
...
"amr": [
"mfa"
],
...
SAML (Security Assertion Markup Language)
The SAML AuthnContext emitted by Auth0 is dynamic, but by default it does not match the specific values Salesforce requires. An Auth0 Action is needed to set the correct AuthnContextClassRef.
- Create a new Post-Login Action in the Auth0 dashboard.
- Enter the following code to set the appropriate SAML context:

exports.onExecutePostLogin = async (event, api) => {
  // Replace with the Application name from the tenant that has the 'SAML Web Application' addon configured:
  // https://auth0.com/docs/authenticate/protocols/saml/saml-sso-integrations/enable-saml2-web-app-addon
  const samlpClientName = '[AUTH0-APPLICATION-NAME]';
  // Truthy when an 'mfa' entry is present among the authentication methods used in this login
  const mfaCheck = event?.authentication?.methods?.find(item => item.name === 'mfa');
  // Name of the application the current transaction is for
  const samlpClientTransactionName = event?.client?.name;
  const samlpClientCheck = samlpClientName === samlpClientTransactionName;
  // True when this tenant is acting as a SAML IdP for the transaction
  const samlpIdpCall = (event?.transaction?.protocol === 'samlp');
  // Test if 1. MFA is completed 2. The specific SAML Application is used and 3. The transaction is SAML with this tenant acting as an IdP
  if (mfaCheck && samlpClientCheck && samlpIdpCall) {
    api.samlResponse.setAuthnContextClassRef('urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract');
  }
};

The return type of event.authentication.methods used above is described in the Actions Triggers: post-login - Event Object documentation. Information on SAML manipulation using Actions is in the api.samlResponse.setAuthnContextClassRef(authnContextClassRef) documentation.
- Deploy the Action and add it to the Post-Login flow.
This will return a SAMLResponse with the following relevant SAML element to the SP (Salesforce) upon completion of the login process in Auth0 (IdP):
...
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract
</saml:AuthnContextClassRef>
</saml:AuthnContext>
...
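The following is an added example, not Auth0's or Salesforce's code: it reproduces the Action's three-way check as a pure function and runs it against constructed event objects with a mock api, so you can confirm offline that the MFA class ref is set only when MFA was completed, the configured SAML application is the client, and the transaction is a samlp flow. The shapes of event and api are assumed from the Action above, and the application name is a constructed placeholder.

```javascript
// Added example (not Auth0's code): exercises the decision logic of the
// Post-Login Action above against constructed events and a mock `api`.
// The `event`/`api` shapes are assumed from the Action; a real tenant supplies them.
const SAML_APP_NAME = 'Salesforce SAML App'; // constructed placeholder name
const MFA_CONTEXT = 'urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract';
// The Action's checks as a pure function: returns the class ref to set, or null.
function chooseAuthnContext(event, samlpClientName) {
  const mfaDone = Boolean(event?.authentication?.methods?.find((m) => m.name === 'mfa'));
  const rightClient = event?.client?.name === samlpClientName;
  const samlIdpFlow = event?.transaction?.protocol === 'samlp';
  return mfaDone && rightClient && samlIdpFlow ? MFA_CONTEXT : null;
}

// Same body as the Action's handler (kept synchronous here; nothing is awaited).
function applyAction(event, api) {
  const ctx = chooseAuthnContext(event, SAML_APP_NAME);
  if (ctx) api.samlResponse.setAuthnContextClassRef(ctx);
}

// Mock of the only part of `api` the Action touches; records what was set.
function mockApi() {
  const calls = [];
  return { calls, samlResponse: { setAuthnContextClassRef: (v) => calls.push(v) } };
}

// Constructed sample event; each option knocks out one of the three conditions.
function buildEvent({ mfa = true, client = SAML_APP_NAME, protocol = 'samlp' } = {}) {
  const methods = mfa ? [{ name: 'pwd' }, { name: 'mfa' }] : [{ name: 'pwd' }];
  return { authentication: { methods }, client: { name: client }, transaction: { protocol } };
}

// Runs the Action over each scenario; value is the class ref set, or null if untouched.
function runScenarios() {
  const scenarios = {
    allConditions: buildEvent(),
    noMfa: buildEvent({ mfa: false }),
    otherClient: buildEvent({ client: 'Some Other App' }),
    oidcFlow: buildEvent({ protocol: 'oidc' }),
    emptyEvent: {}, // optional chaining keeps this from throwing
  };
  const results = {};
  for (const [name, ev] of Object.entries(scenarios)) {
    const api = mockApi();
    applyAction(ev, api);
    results[name] = api.calls[0] ?? null;
  }
  return results;
}
console.log(runScenarios());
```

Only the allConditions scenario yields the MobileTwoFactorContract class ref; the other scenarios leave the SAML response untouched, which is what you want to verify before deploying the Action to the Post-Login flow.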