u/whereAreMyKeysAt

"Phishing-Resistant MFA" documentation for SSO/Shibboleth?

Is anyone else currently losing their minds over the upcoming Phishing-Resistant MFA enforcement (July 2026)?

We are trying to get our Shibboleth IdP compliant, but Salesforce’s documentation (Article 005321563) is impressively vague. It feels like they wrote these specs for Okta/Azure shops and completely ignored anyone running a standard SAML setup.

The most frustrating part is the "Authentication Strength Tiers" table. They list generic values like `user` as a "Phishing-Resistant" signal for SSO.

What is an architect supposed to do with the value `user`? That’s not a technical standard; that’s an ambiguous placeholder that gives us zero guidance on what to actually configure in our SAML assertion.
We aren't looking for marketing fluff—we need technical specs…

Where is the SAML Profile? There is no clear technical blueprint for exactly how our IdP needs to format assertions to be officially recognized as "phishing-resistant."

Does Salesforce actually expect us to map the string `user` to our `AuthnContextClassRef`? That is not an industry-standard definition for phishing resistance. Where is the documentation mapping these to NIST/FIDO standards?

Salesforce admits that SAML ACR values aren't even recorded in Login History yet. They are asking us to comply with a mandate that we can’t even audit or verify in our own logs.

We’re a Shibboleth organization, and it feels like we’re being held to a standard that Salesforce hasn't bothered to document for SAML users.

Is anyone else hitting this wall? Has anyone managed to get a straight answer from a Salesforce Architect on what the actual expected SAML assertion looks like? Or are we all just waiting for the July "surprise"?

u/whereAreMyKeysAt — 2 days ago
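Since the post notes that the SP side does not yet log the SAML ACR, the one check a deployer can do today is on their own side: decode what the IdP actually emits and see which `AuthnContextClassRef` lands in the `AuthnStatement`. The script below is an added example, not code from the post, Salesforce or the Shibboleth project. The sample response is a constructed, unsigned fixture, the `https://idp.example.edu/...` URIs are hypothetical placeholders, and the allow-list is something the deployer fills in with whatever class ref their own phishing-resistant flow asserts; nothing here reflects a vendor-defined value.

```python
"""Inspect the AuthnContextClassRef values a SAML IdP actually emits.

Constructed example: decode a POST-binding SAMLResponse, pull every
AuthnStatement, and compare the class ref against a deployer-maintained
allow-list (default deny). Signatures are NOT verified here; this reads
what the IdP sent, it does not validate the assertion.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Standard SAML 2.0 class refs that describe a password-only login: always weak.
PASSWORD_CLASS_REFS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
}

# Deployer-maintained allow-list. This URI is a HYPOTHETICAL placeholder,
# not a value defined by Salesforce, Shibboleth or any standard.
ALLOWED_CLASS_REFS = {"https://idp.example.edu/ac/phishing-resistant"}


def build_sample_response(class_ref: str) -> str:
    """Return a base64 POST-binding SAMLResponse (constructed, unsigned fixture)."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2026-01-15T10:00:00Z"
  Destination="https://example.my.salesforce.com">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2026-01-15T10:00:00Z">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.edu</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2026-01-15T09:59:58Z" SessionIndex="_s1">
      <saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def decode_saml_response(form_value: str) -> ET.Element:
    """Decode the SAMLResponse form field (URL-encoded base64, HTTP-POST binding)."""
    raw = base64.b64decode(unquote(form_value))
    return ET.fromstring(raw)


def extract_authn_statements(root: ET.Element) -> list[dict]:
    """One record per AuthnStatement: issuer, subject, AuthnInstant and class ref."""
    issuer_el = root.find("saml:Assertion/saml:Issuer", NS)
    nameid_el = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    records = []
    for stmt in root.iterfind(".//saml:AuthnStatement", NS):
        ref_el = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
        records.append({
            "issuer": issuer_el.text if issuer_el is not None else None,
            "subject": nameid_el.text if nameid_el is not None else None,
            "authn_instant": stmt.get("AuthnInstant"),
            "class_ref": ref_el.text.strip() if ref_el is not None and ref_el.text else None,
        })
    return records


def is_phishing_resistant(class_ref, allowed=ALLOWED_CLASS_REFS) -> bool:
    """Default deny: only an exact allow-list match passes. A missing element
    or a password-class ref never does, whatever the allow-list says."""
    if not class_ref or class_ref in PASSWORD_CLASS_REFS:
        return False
    return class_ref in allowed


if __name__ == "__main__":
    for ref in ("https://idp.example.edu/ac/phishing-resistant",
                "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"):
        for rec in extract_authn_statements(decode_saml_response(build_sample_response(ref))):
            verdict = "ALLOWED" if is_phishing_resistant(rec["class_ref"]) else "REJECTED"
            print(f"{rec['subject']} @ {rec['authn_instant']}: {rec['class_ref']} -> {verdict}")
```

To run it against a real login, paste the `SAMLResponse` form field captured from the browser (SAML tracer or the POST body) into `decode_saml_response` instead of the fixture; the Redirect binding adds DEFLATE, so this decoder only fits the POST binding an SP like Salesforce normally receives. The allow-list is deliberately exact-match and default-deny: an unknown or absent class ref should fail the check rather than be guessed at.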