Enable MFA for SFDC Tab + Frontdoor

Customers who leverage the SFDC tab rely on MFA through SFDC. SSO is not enabled in the Anaplan platform as a result (or users are set as exception users if SSO is enabled).

 

The consequence of this configuration is that end users have the ability to access Anaplan via the front door without any kind of MFA. This is a control risk for clients.

 

Would it be possible to reconfigure Anaplan access to limit or restrict front door access based on a setting, so that clients who want their users to access the platform via SFDC do not have to worry about those same users also gaining access to the platform in a less secure manner using the standard login? @rupert_tagnipes

3 Comments
Miran
Community Manager
 
Status changed to: Your support is needed

We have customers who have used Salesforce as the IDP in a SAML flow. Configuring authentication with a SAML flow and not the SFDC Tab flow will allow customers to take advantage of Salesforce capabilities like MFA and to restrict access to just IDP authentication.

CrystalZ
Occasional Contributor

I am handling a case right now where the customer created a new SFDC environment that uses Azure as their SSO.  However, they were unable to access the Anaplan connected app in this environment.  Their SFDC usernames did not match their Anaplan usernames, so we had to create a work-around.

 

1. Make sure that, in the SFDC user configuration, Anaplan is checked for both "Connected Apps" and "Visible."

2. Create a new Anaplan account that matches the SFDC username.  Match all workspaces and permissions of the original account.

3. Uncheck the Single Sign-On box for this new account, making it an exception user.

4. Map the SFDC Org ID and User ID to this new Anaplan account.

5. Log out, clear cache and cookies, re-log in to Salesforce.  Open Anaplan tab.

 

Upon trying this work-around, the customer was able to see the Anaplan tab.

 

However, this customer was worried about the scalability of this work-around.  We would like to know what it would take for the development team to create an SSO-enabled SFDC tab that would allow the customer to avoid these extra steps.