From Setup, enter Auth. Providers in the Quick Find box, then select Auth. Providers.
Select Google for the Provider Type.
Enter a Name for the provider.
Enter the URL Suffix, which is used in the client configuration URLs. For example, if the URL suffix of your provider is “MyGoogleProvider”, your single sign-on URL is similar to: https://login.salesforce.com/auth/sso/00Dx00000000001/MyGoogleProvider.
Use the Application ID from Google for the Consumer Key field.
Use the Application Secret from Google for the Consumer Secret field.
Optionally, set the following fields.
Authorize Endpoint URL to specify the base authorization URL from Google. For example, https://accounts.google.com/o/oauth2/authorize. The URL must start with https://accounts.google.com/o/oauth2.
You can add query string parameters to the base URL, if necessary. For example, to get a refresh token from Google for offline access, use https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force. The approval_prompt parameter is necessary to ask the user to accept the refresh action so that Google continues to provide refresh tokens after the first one.
Token Endpoint URL to specify the OAuth token URL from Google. For example, https://accounts.google.com/o/oauth2/accessToken. The URL must start with https://accounts.google.com/o/oauth2.
User Info Endpoint URL to change the values requested from Google’s profile API. The URL must start with https://www.googleapis.com/oauth2/.
Default Scopes to send with the request to the authorization endpoint. Otherwise, the hardcoded defaults for the provider type are used. For the defaults, see Google’s developer documentation.
Custom Error URL to specify a URL for the provider to report errors.
Custom Logout URL to provide a specific destination for users after they log out, if they authenticated using the single sign-on flow. Use this field to direct users to a branded logout page or destination other than the default Salesforce logout page. The URL must be fully qualified with an http or https prefix, such as https://acme.my.salesforce.com.
For the Registration Handler, either select an existing Apex class or click Automatically create a registration handler template to have Salesforce generate one. Edit the generated class and modify its default content before using it.
A registration handler class must be specified for Salesforce to generate the Single Sign-On Initialization URL.
Select the user that runs the Apex handler class for Execute Registration As. The user must have “Manage Users” permission. You must specify a user if you selected a registration handler class or are automatically creating one.
To use a portal with your provider, select the portal from the Portal list.
Use the Icon URL field to add a path to an icon to display as a button on the login page for a community. This icon applies to a community only, and does not appear on the login page for your Salesforce organization or custom domain created with My Domain. Users click the button to log in with the associated authentication provider for the community.
You can specify a path to your own image, or copy the URL for one of our sample icons into the field.
Note the generated Auth. Provider Id value. You use it with the Auth.AuthToken Apex class.
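The generated template provisions a Salesforce user for anyone who can sign in to Google, and it runs as the "Execute Registration As" user, who holds "Manage Users". The following is an added example of a tightened handler, not Salesforce's generated template; ALLOWED_DOMAIN, PROFILE_NAME and the locale values are assumptions to replace with your org's own.

```apex
// Added example, not Salesforce's generated template: a registration handler
// that provisions only users from one corporate domain. ALLOWED_DOMAIN,
// PROFILE_NAME and the locale values are assumptions; replace them for your org.
global class GoogleRegistrationHandler implements Auth.RegistrationHandler {
    // Only Google identities with an email in this domain may be provisioned.
    private static final String ALLOWED_DOMAIN = 'acme.example';
    // Least-privilege profile assigned to newly created users (assumed to exist).
    private static final String PROFILE_NAME = 'Standard User';

    global User createUser(Id portalId, Auth.UserData data) {
        String email = data.email == null ? '' : data.email.toLowerCase();
        if (!email.endsWith('@' + ALLOWED_DOMAIN)) {
            // Throwing fails the SSO flow instead of provisioning an unknown user.
            throw new RegistrationException('Email domain not permitted for sign-up');
        }
        // Link an existing active user with this corporate email rather than
        // creating a duplicate; Salesforce links the returned existing user.
        List<User> existing = [SELECT Id FROM User
                               WHERE Email = :email AND IsActive = true LIMIT 1];
        if (!existing.isEmpty()) {
            return existing[0];
        }
        Profile p = [SELECT Id FROM Profile WHERE Name = :PROFILE_NAME LIMIT 1];
        User u = new User();
        u.Username = email;                       // corporate email as unique username
        u.Email = email;
        u.FirstName = data.firstName;
        u.LastName = String.isBlank(data.lastName) ? 'User' : data.lastName;
        u.Alias = email.substringBefore('@').left(8);
        u.ProfileId = p.Id;
        u.EmailEncodingKey = 'UTF-8';
        u.LanguageLocaleKey = 'en_US';
        u.LocaleSidKey = 'en_US';
        u.TimeZoneSidKey = 'America/Los_Angeles';
        return u;                                 // Salesforce inserts the new user
    }

    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        // Refresh display names only; never let the identity provider rewrite
        // the Email or Username of an already linked user.
        User u = new User(Id = userId);
        u.FirstName = data.firstName;
        if (!String.isBlank(data.lastName)) {
            u.LastName = data.lastName;
        }
        update u;
    }
    global class RegistrationException extends Exception {}
}
```

Linking by email is only safe because the domain check restricts it to accounts your own Google Workspace controls; do not link by email across arbitrary domains.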
Several client configuration URLs are generated after defining the authentication provider:
Test-Only Initialization URL: Administrators use this URL to ensure that the third-party provider is set up correctly. The administrator opens this URL in a browser, signs in to the third party, and is redirected back to Salesforce with a map of attributes.
Single Sign-On Initialization URL: Use this URL to perform single sign-on into Salesforce from a third party (using third-party credentials). The end user opens this URL in a browser and signs in to the third party. The third party then either creates a user or updates an existing user, and then signs them into Salesforce as that user.
Existing User Linking URL: Use this URL to link existing Salesforce users to a third-party account. The end user opens this URL in a browser, signs in to the third party, signs in to Salesforce, and approves the link.
OAuth-Only Initialization URL: Use this URL to obtain OAuth access tokens for a third party. Users must authenticate with Salesforce for the third-party service to get a token; this flow does not provide for future single sign-on functionality.
Callback URL: The endpoint that the authentication provider redirects back to after authentication. The authentication provider redirects to the Callback URL with information for each client configuration URL.
The client configuration URLs support other request parameters that enable you to direct users to log in to specific sites, obtain customized permissions from a third party, or go to a location after authenticating.
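Once a user has gone through the OAuth-Only or Existing User Linking flow, Apex can use the stored token through Auth.AuthToken together with the Auth. Provider Id. The following added example is not from the Salesforce documentation; AUTH_PROVIDER_ID is a placeholder for the Id shown on the provider detail page, and a Remote Site Setting for https://www.googleapis.com is assumed.

```apex
// Added example, not from the Salesforce documentation: read the Google profile
// of the running user with the access token Salesforce stores for this provider.
// AUTH_PROVIDER_ID is a placeholder for the Auth. Provider Id from the detail page;
// the org is assumed to have a Remote Site Setting for https://www.googleapis.com.
public with sharing class GoogleProfileClient {
    private static final String AUTH_PROVIDER_ID = '<AUTH_PROVIDER_ID_PLACEHOLDER>';
    private static final String PROVIDER_NAME = 'Google';
    private static final String USERINFO_URL = 'https://www.googleapis.com/oauth2/v3/userinfo';

    // Returns the email Google reports for the running user, or null when the
    // user has not yet linked a Google account (no token stored for them).
    public static String fetchGoogleEmail() {
        String token = Auth.AuthToken.getAccessToken(AUTH_PROVIDER_ID, PROVIDER_NAME);
        if (String.isBlank(token)) {
            return null;
        }
        HttpResponse res = callUserInfo(token);
        if (res.getStatusCode() == 401) {
            // Access token expired. Salesforce holds the refresh token obtained with
            // access_type=offline and exchanges it for a fresh access token.
            Map<String, String> refreshed =
                Auth.AuthToken.refreshAccessToken(AUTH_PROVIDER_ID, PROVIDER_NAME, token);
            if (refreshed.get('RefreshError') != null) {
                throw new ProfileException('Token refresh failed: ' + refreshed.get('RefreshError'));
            }
            res = callUserInfo(refreshed.get('AccessToken'));
        }
        if (res.getStatusCode() != 200) {
            throw new ProfileException('userinfo returned HTTP ' + res.getStatusCode());
        }
        Map<String, Object> profile =
            (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        return (String) profile.get('email');
    }

    private static HttpResponse callUserInfo(String accessToken) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint(USERINFO_URL);
        req.setMethod('GET');
        // The bearer token travels in the header, never in the query string,
        // so it does not end up in proxy or server logs.
        req.setHeader('Authorization', 'Bearer ' + accessToken);
        return new Http().send(req);
    }

    public class ProfileException extends Exception {}
}
```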
Update Your Google Application
After defining the Google authentication provider in your Salesforce organization, go back to Google and update your application to use the Callback URL as the Google Website Site URL.
Test the Single Sign-On Connection
In a browser, open the Test-Only Initialization URL on the Auth. Provider detail page. It redirects you to Google and asks you to sign in. You’re then asked to authorize your application. After you authorize, you’re redirected to Salesforce.