Authenticate Your Users with Certificates

Salesforce now provides certificate-based authentication. Using either Salesforce Setup or API, you can upload unique PEM-encoded X.509 digital certificates to authenticate individual users to your org.

Where: This change applies to Lightning Experience and Salesforce Classic in all editions and is available only in orgs configured with My Domain.

Why: This new authentication method complies with FedRAMP Digital Identity requirements and certification through personal identification verification cards. Your org can also use certificate authority-signed certificates with this authentication method.

How: Enable certificate-based authentication from Salesforce Setup or API.

If you use API to configure certificate-based authentication, you can integrate the uploaded user certificates with an external API tool, such as Data Loader. External API tools can help you manage your user certificates. To configure the new UserAuthCertificate object, you can use REST API, SOAP API, and standard API object creation.

From Salesforce Setup, enable certificate-based authentication from Session Settings.

[Screenshot: Enable certificate-based authentication from the Identity Verification section of the Session Settings page]

Upload certificates in User Authentication Certificates.

[Screenshot: Upload user authentication certificates in Setup]

And enable certificate-based authentication in My Domain.

[Screenshot: Enable certificate-based authentication services in My Domain]