
Salesforce SSO considerations for Gearset service accounts

The functionality of Salesforce authentication means that certain configuration is needed in order to use the recommended service account approach for org connections from Gearset

Written by Andy Barrick
Updated yesterday

Assuming your SSO configuration follows Salesforce's guidelines so that users are routed through SSO, you have the following options when you need to add a service account user for Gearset to connect with (rather than a named individual, which risks breaking pipelines if that user is deactivated):

Permit LoginForm access

This is our recommended approach. Within the Authentication Configuration section of the My Domain menu in Setup, in the Authentication Service property, ensure that LoginForm is also ticked and available.

Leaving this unticked is not a way of preventing username and password access: even with the option unchecked, there are still ways in which users can reach the login form. However, if human users are provisioned only in the IdP, they will most likely have no Salesforce password with which to enter the org anyway.

If you have also checked Disable login with Salesforce credentials in the Single Sign-On Settings Setup menu, and have granted all relevant users the Is Single Sign-On Enabled system permission via a permission set, then those users will be directed through the delegated authentication flow on login regardless of the LoginForm setting.

Having LoginForm enabled still allows the service account to be used when authenticating an org in Gearset, while human users continue to access the org via the configured delegated authentication route.
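The interaction between the three settings above (LoginForm, Disable login with Salesforce credentials, and the Is Single Sign-On Enabled permission) is easy to get wrong when reviewing an org. The following Python script is an added example, not Gearset's or Salesforce's own code: it models those settings as plain booleans and audits a constructed list of user records, flagging a service account that has been forced down the delegated route without an IdP account (which would break the Gearset connection) and a human user who is not actually being forced through SSO. The field names, the `is_service_account` flag and the user records are all assumptions made for illustration; a real audit would populate them from your org's user and permission set assignments.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class OrgAuthSettings:
    # "LoginForm" ticked under My Domain > Authentication Configuration > Authentication Service
    login_form_enabled: bool
    # "Disable login with Salesforce credentials" under Single Sign-On Settings
    sf_credentials_disabled: bool

@dataclass(frozen=True)
class UserRecord:
    username: str
    is_service_account: bool   # hypothetical classification flag, not a Salesforce field
    sso_enabled_perm: bool     # "Is Single Sign-On Enabled" system permission
    provisioned_in_idp: bool   # whether the IdP knows this account

def effective_login_route(settings: OrgAuthSettings, user: UserRecord) -> str:
    """Return which login route the user ends up on given the org settings."""
    # The permission plus the disabled-credentials setting forces delegated
    # authentication regardless of whether LoginForm is ticked.
    if user.sso_enabled_perm and settings.sf_credentials_disabled:
        return "delegated"
    if settings.login_form_enabled:
        return "loginform"
    # LoginForm unticked only hides the form; it is not a hard control.
    return "loginform-hidden"

def audit(settings: OrgAuthSettings, users: List[UserRecord]) -> List[Tuple[str, str]]:
    """Audit users and return (username, finding) pairs; empty list means clean."""
    findings: List[Tuple[str, str]] = []
    for user in users:
        route = effective_login_route(settings, user)
        if user.is_service_account:
            if route == "delegated" and not user.provisioned_in_idp:
                # Forced through the IdP with no IdP account: Gearset cannot connect.
                findings.append((user.username, "SERVICE_ACCOUNT_BLOCKED"))
            elif route == "loginform-hidden":
                # Needs LoginForm ticked (permanently or temporarily) to authenticate.
                findings.append((user.username, "SERVICE_ACCOUNT_NEEDS_LOGINFORM"))
        elif route != "delegated":
            # A human user who can still use the form has SSO recommended, not enforced.
            findings.append((user.username, "HUMAN_SSO_NOT_ENFORCED"))
    return findings

# Constructed sample data: the recommended configuration plus four hypothetical users.
RECOMMENDED = OrgAuthSettings(login_form_enabled=True, sf_credentials_disabled=True)
SAMPLE_USERS = [
    UserRecord("alice@example.com", False, True, True),        # human, correctly forced to SSO
    UserRecord("gearset-svc@example.com", False or True, False, False),  # service account via LoginForm
    UserRecord("bob@example.com", False, False, True),         # human missing the SSO permission
    UserRecord("old-svc@example.com", True, True, False),      # service account wrongly given SSO perm
]

def run_sample() -> List[Tuple[str, str]]:
    return audit(RECOMMENDED, SAMPLE_USERS)

if __name__ == "__main__":
    for username, finding in run_sample():
        print(f"{username}: {finding}")
```

Running the script lists two findings for the sample data: bob can still use the login form because he lacks the permission, and old-svc has been pushed through delegated authentication it cannot complete. Switching `login_form_enabled` to `False` additionally flags gearset-svc as needing LoginForm, which is the situation the Temporary LoginForm Activation option below addresses.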

Temporary LoginForm Activation

If LoginForm must not be enabled for general use, it can be switched on only for the period during which an org is being authenticated in Gearset.

Once configured, ongoing Gearset operations, including org re-authentication, will not need the LoginForm to be available.

Create IdP account for the service user

The final alternative is to create an IdP account for the service user so that it can use the same delegated authentication flow as human users.

This may incur additional license costs across service and identity providers and so should be considered with caution.
