Before you can configure a web application for your Salesforce organization, you must register it with your service provider. The process varies by provider. For example, to register a Google app, create an OAuth 2.0 Client ID in the Google developer console.
Register your application on your service provider’s website.
Modify the application settings and set the application domain (or Home Page URL) to Salesforce.
Note the Client ID and Client Secret, as well as the Authorize Endpoint URL, Token Endpoint URL, and User Info Endpoint URL. The endpoints are listed in the provider's documentation; providers that support OpenID Connect Discovery also publish them in the discovery document at https://<issuer>/.well-known/openid-configuration. Treat the Client Secret as a credential: it authenticates your Salesforce org to the provider, so store it only in the Auth. Provider configuration and rotate it if it is ever exposed.
Define an OpenID Connect Provider in Your Salesforce Organization
You need some information from your provider (the Client ID and Client Secret, as well as the Authorize Endpoint URL, Token Endpoint URL, and User Info Endpoint URL) to configure your application in your Salesforce organization.
From Setup, enter Auth. Providers in the Quick Find box, then select Auth. Providers.
Select OpenID Connect for the Provider Type.
Enter a Name for the provider.
Enter the URL Suffix. This is used in the client configuration URLs. For example, if the URL suffix of your provider is “MyOpenIDConnectProvider,” your single sign-on URL is similar to: https://login.salesforce.com/auth/sso/00Dx00000000001/MyOpenIDConnectProvider.
Use the Client ID from your provider for the Consumer Key field.
Use the Client Secret from your provider for the Consumer Secret field.
Enter the base URL from your provider for the Authorize Endpoint URL.
You can add query string parameters to the base URL, if necessary. For example, to get a refresh token from Google for offline access, use https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force. In this specific case, the additional approval_prompt parameter is necessary to ask the user to accept the refresh action, so Google will continue to provide refresh tokens after the first one. (Google's pre-standard approval_prompt parameter has since been superseded by the standard OpenID Connect prompt=consent parameter, which has the same effect.) Request offline access only if you actually need to call the provider's API when the user is not present: a refresh token is a long-lived credential that Salesforce stores on the user's behalf.
Enter the Token Endpoint URL from your provider.
Optionally, set the following fields.
User Info Endpoint URL from your provider.
Token Issuer. This value identifies the source of the authentication token, in the form of an https: URL. If this value is specified, the provider must include an id_token value in the response to a token request, and Salesforce validates that id_token against the configured issuer. The id_token value is not required for a refresh token flow (but will be validated by Salesforce if provided). Set this field whenever your provider issues ID tokens: without it, Salesforce establishes identity only from the User Info response and performs no ID token validation.
Default Scopes to send along with the request to the authorization endpoint. Otherwise, the hardcoded defaults for the provider type are used (see the OpenID Connect developer documentation for these defaults).
You can select Send access token in header to have the token sent in an Authorization: Bearer header instead of a query string. Prefer the header whenever the provider supports it: access tokens placed in the query string end up in web server logs, proxy logs, and browser history, and RFC 6750 recommends against that transport for exactly this reason.
Optionally, set the following fields.
Custom Error URL for the provider to use to report any errors.
Custom Logout URL to provide a specific destination for users after they log out, if they authenticated using the single sign-on flow. Use this field to direct users to a branded logout page or destination other than the default Salesforce logout page. The URL must be fully qualified with an http or https prefix, such as https://acme.my.salesforce.com.
Select an existing Apex class as the Registration Handler class or click Automatically create a registration handler template to create an Apex class template for the registration handler. You must edit this class and modify the default content before using it.
You must specify a registration handler class for Salesforce to generate the Single Sign-On Initialization URL.
Select the user that runs the Apex handler class for Execute Registration As. The user must have the “Manage Users” permission. A user is required if you selected a registration handler class or are automatically creating one.
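The registration handler is where the security of just-in-time provisioning is decided: it receives the attributes the provider returned and either creates a Salesforce user or updates an existing one. The following Apex class is an added example of such a handler, written for this page; it is not Salesforce's generated template and not taken from the documentation above. It assumes (these are the example's own choices) a profile named 'Standard User', a username suffix of @oidc.example.com, and that the provider returns a stable subject identifier, which Salesforce exposes as Auth.UserData.identifier. The key design point is that identity is keyed on that opaque identifier, never on the e-mail address, because e-mail addresses can be reassigned at the provider.

```apex
// Added example registration handler for the OpenID Connect provider configured above.
// Not Salesforce's template code. Profile name, username suffix and locale are assumptions.
global class OpenIdConnectRegistrationHandler implements Auth.RegistrationHandler {

    // Profile assigned to just-in-time provisioned users (assumption).
    private static final String DEFAULT_PROFILE_NAME = 'Standard User';
    // Suffix that makes provisioned usernames unique to this org (assumption).
    private static final String USERNAME_SUFFIX = '@oidc.example.com';

    // Called when an SSO login arrives for an identity not yet linked to any user.
    global User createUser(Id portalId, Auth.UserData data) {
        // data.identifier is the provider's unique subject for this person. It is
        // the only value safe to key identity on; refuse to provision without it.
        String subject = sanitize(data.identifier);
        if (String.isBlank(subject)) {
            throw new Auth.RegistrationHandlerException(
                'Identity provider did not return a usable subject identifier');
        }
        // This handler serves internal users only; reject portal/community logins.
        if (portalId != null) {
            throw new Auth.RegistrationHandlerException(
                'Portal provisioning is not enabled for this provider');
        }

        Profile p = [SELECT Id FROM Profile WHERE Name = :DEFAULT_PROFILE_NAME LIMIT 1];

        User u = new User();
        u.ProfileId = p.Id;
        u.FirstName = data.firstName;
        u.LastName = String.isBlank(data.lastName) ? 'Unknown' : data.lastName;
        u.Email = data.email;
        // Username must be globally unique across Salesforce. Derive it from the
        // opaque subject rather than the e-mail so that a later e-mail change at
        // the provider cannot collide with, or take over, another account.
        u.Username = subject + USERNAME_SUFFIX;
        u.Alias = subject.left(8);
        u.CommunityNickname = subject.left(40);
        u.FederationIdentifier = data.identifier;
        // Locale and time zone are fixed here (assumption); data.locale is not
        // guaranteed to be in Salesforce's LocaleSidKey format.
        u.LocaleSidKey = 'en_US';
        u.LanguageLocaleKey = 'en_US';
        u.TimeZoneSidKey = 'America/Los_Angeles';
        u.EmailEncodingKey = 'UTF-8';
        // Salesforce inserts the user and links it to the provider identity.
        return u;
    }

    // Called on every SSO login for a user that is already linked.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        // Sync only attributes the provider is authoritative for. Do not set
        // ProfileId, IsActive or permission sets from here: the provider's
        // claims are an authentication source, not an authorization source.
        User u = [SELECT Id, FirstName, LastName, Email FROM User WHERE Id = :userId];
        u.FirstName = data.firstName;
        if (!String.isBlank(data.lastName)) {
            u.LastName = data.lastName;
        }
        if (!String.isBlank(data.email)) {
            u.Email = data.email;
        }
        update u;
    }

    // Keep only characters valid in the local part of a Salesforce username,
    // capped well below the field length limit.
    private static String sanitize(String subject) {
        if (subject == null) {
            return null;
        }
        return subject.replaceAll('[^A-Za-z0-9._-]', '').left(40);
    }
}
```

Because the handler runs as the user selected for Execute Registration As, who holds the Manage Users permission, anything it does with the incoming attributes is effectively privileged; keep the mapping from claims to user fields narrow, and treat any claim that would change authorization (profile, role, permission sets) as something to be decided in Salesforce, not copied from the provider.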
To use a portal with your provider, select the portal from the Portal drop-down list.
Use the Icon URL field to add a path to an icon to display as a button on the login page for a community. This icon applies to a community only, and does not appear on the login page for your Salesforce organization or custom domain created with My Domain. Users click the button to log in with the associated authentication provider for the community.
You can specify a path to your own image, or copy the URL for one of our sample icons into the field.
Be sure to note the generated Auth. Provider Id value. You must use it with the Auth.AuthToken Apex class.
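The Auth. Provider Id is what Apex code uses to retrieve the third-party access token Salesforce stored for the current user during the SSO or OAuth-Only flow. The class below is an added example of that usage, not code from the page: it fetches the token with Auth.AuthToken.getAccessToken, calls the provider's User Info endpoint with it in an Authorization header, and refreshes the token once if the provider rejects it. The provider Id, provider Name and User Info URL are placeholder assumptions; the Google endpoint is used only because the page uses Google as its running example.

```apex
// Added example: calling the provider's API with the token Salesforce holds for
// the running user. Not Salesforce sample code. Id, name and endpoint are assumptions.
public with sharing class ProviderUserInfoClient {
    // Auth. Provider Id copied from the Auth. Provider detail page (placeholder value).
    private static final String AUTH_PROVIDER_ID = '0SOxx0000000001';
    // Name given to the provider in Setup (assumption, matches the URL suffix example).
    private static final String PROVIDER_NAME = 'MyOpenIDConnectProvider';
    // User Info endpoint of the provider (Google's, as in the page's example).
    private static final String USERINFO_URL = 'https://openidconnect.googleapis.com/v1/userinfo';

    // Returns the raw JSON body of the User Info response for the current user.
    public static String fetchUserInfo() {
        // Token obtained when this user completed the SSO or OAuth-Only flow.
        String token = Auth.AuthToken.getAccessToken(AUTH_PROVIDER_ID, PROVIDER_NAME);
        if (String.isBlank(token)) {
            throw new CalloutException(
                'No third-party token for this user; complete the OAuth-Only or SSO flow first');
        }

        HttpResponse res = callUserInfo(token);
        if (res.getStatusCode() == 401) {
            // Access token expired or revoked: ask Salesforce to use the stored
            // refresh token (requires offline access, see Authorize Endpoint URL).
            Map<String, String> refreshed =
                Auth.AuthToken.refreshAccessToken(AUTH_PROVIDER_ID, PROVIDER_NAME, token);
            if (refreshed.containsKey('RefreshError')) {
                throw new CalloutException('Token refresh failed: ' + refreshed.get('RefreshError'));
            }
            res = callUserInfo(refreshed.get('AccessToken'));
        }
        if (res.getStatusCode() != 200) {
            // Do not echo the response body: it may contain provider error detail
            // that should stay in debug logs rather than reach the user.
            throw new CalloutException('User Info request failed with HTTP ' + res.getStatusCode());
        }
        return res.getBody();
    }

    private static HttpResponse callUserInfo(String token) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint(USERINFO_URL);
        req.setMethod('GET');
        // Bearer token in the Authorization header, never in the query string,
        // so it does not land in access logs or browser history.
        req.setHeader('Authorization', 'Bearer ' + token);
        req.setTimeout(10000);
        return new Http().send(req);
    }
}
```

The callout target must be allowed by a Remote Site Setting or Named Credential before this runs. Auth.AuthToken returns the token only for the user the request is running as, so code like this cannot be used to read another user's third-party token.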
Several client configuration URLs are generated after defining the authentication provider:
Test-Only Initialization URL: Administrators use this URL to ensure the third-party provider is set up correctly. The administrator opens this URL in a browser, signs in to the third party, and is redirected back to Salesforce with a map of attributes.
Single Sign-On Initialization URL: Use this URL to perform single sign-on into Salesforce from a third party (using third-party credentials). The end user opens this URL in a browser, and signs in to the third party. This then either creates a new user for them, or updates an existing user, and then signs them into Salesforce as that user.
Existing User Linking URL: Use this URL to link existing Salesforce users to a third-party account. The end user opens this URL in a browser, signs in to the third party, signs in to Salesforce, and approves the link.
OAuth-Only Initialization URL: Use this URL to obtain OAuth access tokens for a third party. Users must authenticate with Salesforce for the third-party service to get a token; this flow does not provide for future single sign-on functionality.
Callback URL: This is the redirect URI that the authentication provider sends the user's browser back to, with the authorization code, at the end of each of the flows above. Register it with your provider exactly as Salesforce shows it; a provider that enforces exact redirect URI matching will reject the flow otherwise, and a provider that accepts looser matches widens the set of URLs an attacker could redirect codes to.
The client configuration URLs support additional request parameters that enable you to direct users to log into specific sites, obtain customized permissions from the third party, or go to a specific location after authenticating.
Update Your OpenID Connect Application
After defining the authentication provider in your Salesforce organization, go back to your provider and set your application's Callback URL (also called the Authorized Redirect URI for Google applications and Return URL for PayPal) to the Callback URL that Salesforce generated. Most providers require an exact match, including scheme, host, and path.
Test the Single Sign-On Connection
In a browser, open the Test-Only Initialization URL on the Auth. Provider detail page. It should redirect you to your provider's service and ask you to sign in. Upon doing so, you're asked to authorize your application. After you authorize, you're redirected back to Salesforce, which displays the map of attributes it received. Check that the identifier attribute is present and that every attribute your registration handler relies on is populated before you hand the Single Sign-On Initialization URL to users.