Before you can configure the auth provider plug-in for your Salesforce org, set up an account with your chosen external auth provider.
Go to your provider’s site and create an application.
Modify the application settings, and set the Application Domain to Salesforce.
Note the application ID and application secret, if required by your external auth provider.
Create Your Custom Metadata Types
When you have an account, create the custom metadata types for your Salesforce org required by your external auth provider.
From Setup, enter metadata in the Quick Find box, then select Custom Metadata Types.
Click New Custom Metadata Type.
Enter a label name and plural label name for your custom metadata, and click Save.
Under the Custom Fields section, click New and select the custom fields you and your auth provider require. For example, if the auth provider requires an application ID or application secret, you can create fields with labels like “Consumer Key” or “Consumer Secret.”
You are prompted to enter details for each field type, such as label, description, and help text. You can choose to make these fields required.
Build Your Apex Classes and Methods
To create a custom auth provider for SSO, create a class that implements the Auth.AuthProviderPlugin interface. This interface allows you to store the custom configuration for your auth provider and handle its authentication protocols. It also creates the name for your external auth provider, and displays this name in the list of available auth providers.
From Setup, enter apex classes in the Quick Find box, then select Apex Classes.
In the field provided, create an Apex class and method.
Implement the Auth.AuthProviderPlugin interface.
Enter the API Name listed on your newly created custom metadata for the return string for the getCustomMetadataType method.
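The following is an added example of such a class, not code from the Salesforce documentation: a plug-in for a hypothetical OAuth 2.0 provider called MyProvider. It assumes a custom metadata type with API name MyProvider__mdt carrying the fields Consumer_Key__c, Consumer_Secret__c, Authorize_URL__c, Token_URL__c, User_Info_URL__c and Callback_URL__c (the Callback URL generated on the Auth Provider page, pasted into that field); all of these names are assumptions.

```apex
// Added example, not Salesforce's own code. Metadata type and field names are assumed.
global class MyProviderPlugin implements Auth.AuthProviderPlugin {
    // API name of the custom metadata type holding this provider's settings (assumed name).
    global String getCustomMetadataType() { return 'MyProvider__mdt'; }
    private static String enc(String s) { return EncodingUtil.urlEncode(s, 'UTF-8'); }

    // Step 1: redirect the user to the provider's authorization endpoint. stateToPropagate is
    // the anti-forgery value Salesforce generated; pass it through and return it unchanged.
    global PageReference initiate(Map<String, String> config, String stateToPropagate) {
        String url = config.get('Authorize_URL__c') + '?response_type=code'
            + '&client_id=' + enc(config.get('Consumer_Key__c'))
            + '&redirect_uri=' + enc(config.get('Callback_URL__c'))
            + '&state=' + enc(stateToPropagate);
        return new PageReference(url);
    }

    // Step 2: the provider calls the Callback URL with ?code=...&state=...; exchange the
    // one-time code for tokens server-to-server so the Consumer Secret never reaches the browser.
    global Auth.AuthProviderTokenResponse handleCallback(Map<String, String> config,
            Auth.AuthProviderCallbackState cb) {
        String code = cb.queryParameters.get('code');
        if (String.isBlank(code)) {
            throw new Auth.AuthProviderPluginException('No authorization code in callback');
        }
        HttpRequest req = new HttpRequest();
        req.setEndpoint(config.get('Token_URL__c'));
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setBody('grant_type=authorization_code&code=' + enc(code)
            + '&client_id=' + enc(config.get('Consumer_Key__c'))
            + '&client_secret=' + enc(config.get('Consumer_Secret__c'))
            + '&redirect_uri=' + enc(config.get('Callback_URL__c')));
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            throw new Auth.AuthProviderPluginException('Token endpoint returned ' + res.getStatusCode());
        }
        Map<String, Object> tok = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        return new Auth.AuthProviderTokenResponse('MyProvider', (String) tok.get('access_token'),
            (String) tok.get('refresh_token'), cb.queryParameters.get('state'));
    }

    // Step 3: fetch the identity claims; the registration handler maps them to a Salesforce user.
    global Auth.UserData getUserInfo(Map<String, String> config, Auth.AuthProviderTokenResponse resp) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint(config.get('User_Info_URL__c'));
        req.setMethod('GET');
        req.setHeader('Authorization', 'Bearer ' + resp.oauthToken);
        Map<String, Object> u = (Map<String, Object>) JSON.deserializeUntyped(new Http().send(req).getBody());
        return new Auth.UserData((String) u.get('sub'), (String) u.get('given_name'), (String) u.get('family_name'),
            (String) u.get('name'), (String) u.get('email'), null, (String) u.get('email'), null, 'MyProvider', null, new Map<String, String>());
    }
}
```

The Token_URL__c and User_Info_URL__c hosts must also be registered as Remote Site Settings (or Named Credentials) before the callouts are allowed.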
You need your auth provider’s application ID and application secret to set up your custom provider in your Salesforce org.
From Setup, enter Auth. Providers in the Quick Find box, then select Auth. Providers.
For the provider type, select your custom provider.
Enter a name for the provider.
Enter the URL suffix, which is used in the client configuration URL. For example, if your provider’s URL is MyAwesomeProvider, your SSO URL is similar to https://login.salesforce.com/auth/sso/00Dx00000000001/MyAwesomeProvider.
Enter your information in the custom fields you created.
To create an Apex class template for the registration handler, click Automatically create a registration handler template. Edit the class template later, and modify the default content before using it.
Specify a registration handler class for Salesforce to generate the Single Sign-On Initialization URL.
In the Execute Registration As field, select a user to run the Apex handler class. The user must have the “Manage Users” permission. This field is required for all custom auth providers.
Use the Icon URL field to add a path to an icon to display as a button on the login page for a community. This icon applies to a community only, and does not appear on the login page for your Salesforce organization or custom domain created with My Domain. Users click the button to log in with the associated authentication provider for the community.
You can specify a path to your own image, or copy the URL for one of our sample icons into the field.
Note the generated Auth Provider Id value. You use it with the Auth.AuthToken Apex class.
Several client configuration URLs are generated after defining the auth provider.
Test-Only Initialization URL—Use to ensure that the third-party provider is set up correctly. The admin opens this URL in a browser, signs in to the third party, and is redirected back to Salesforce with a map of attributes.
Single Sign-On Initialization URL—Use to initialize SSO into Salesforce from a third party (using third-party credentials). The end user opens this URL in a browser and signs in to the third party. The third party then either creates a user or updates an existing user, and then signs that user into Salesforce.
Existing User Linking URL—Use to link existing Salesforce users to a third-party account. The user opens this URL in a browser, signs in to the third party, signs in to Salesforce, and approves the link.
OAuth-Only Initialization URL—Use to obtain OAuth access tokens for a third party. Users must authenticate with Salesforce for the third-party service to get a token. This flow doesn’t provide for future SSO functionality.
Callback URL—Use as the endpoint that the authentication provider calls back to for configuration. The authentication provider redirects to the Callback URL with information for each client configuration URL.
The client configuration URLs support other request parameters that enable you to direct users to log in to specific sites, obtain customized permissions from a third party, or go to a location after authenticating.
Updating Your External Auth Provider
After defining your authentication provider in your Salesforce org, go back to your external authentication provider’s site and update your application to use the Callback URL as your custom auth provider’s Website Site URL.
Test the SSO Connection
In a browser, open the Test-Only Initialization URL on the Auth Provider detail page. It redirects you to your provider’s site and asks you to sign in. You’re then asked to authorize your application. After you authorize, you’re redirected to Salesforce.