Before you can configure a Salesforce provider for your Salesforce organization, you must define a connected app that uses single sign-on. From Setup, enter Apps in the Quick Find box, then select Apps.
After you finish defining a connected app, save the values from the Consumer Key and Consumer Secret fields.
From Setup, enter Auth. Providers in the Quick Find box, then select Auth. Providers.
Select Salesforce for the Provider Type.
Enter a Name for the provider.
Enter the URL Suffix. This is used in the client configuration URLs. For example, if the URL suffix of your provider is “MySFDCProvider”, your single sign-on URL is similar to https://login.salesforce.com/auth/sso/00Dx00000000001/MySFDCProvider.
Paste the value of Consumer Key from the connected app definition into the Consumer Key field.
Paste the value of Consumer Secret from the connected app definition into the Consumer Secret field.
Optionally, set the following fields.
Authorize Endpoint URL to specify an OAuth authorization URL.
For the Authorize Endpoint URL, the host name can include a sandbox or custom domain name (created using My Domain), but the URL must end in .salesforce.com, and the path must end in /services/oauth2/authorize. For example, https://login.salesforce.com/services/oauth2/authorize.
Token Endpoint URL to specify an OAuth token URL.
For the Token Endpoint URL, the host name can include a sandbox or custom domain name (created using My Domain), but the URL must end in .salesforce.com, and the path must end in /services/oauth2/token. For example, https://login.salesforce.com/services/oauth2/token.
Default Scopes to send along with the request to the authorization endpoint. Otherwise, the hardcoded default is used.
When editing the settings for an existing Salesforce authentication provider, you might have the option to select a checkbox to include the organization ID for third-party account links. For Salesforce authentication providers set up in the Summer '14 release and earlier, the user identity provided by an organization does not include the organization ID. So, the destination organization can’t differentiate between users with the same user ID from two sources (such as two sandboxes). Select this checkbox if you have an existing organization with two users (one from each sandbox) mapped to the same user in the destination organization, and you want to keep the identities separate. Otherwise, leave this checkbox unselected. After enabling this feature, your users need to re-approve the linkage to all of their third-party links. These links are listed in the Third-Party Account Links section of a user's detail page. Salesforce authentication providers created in the Winter '15 release and later have this setting enabled by default and do not display the checkbox.
Custom Error URL for the provider to use to report any errors.
Custom Logout URL to provide a specific destination for users after they log out, if they authenticated using the single sign-on flow. Use this field to direct users to a branded logout page or destination other than the default Salesforce logout page. The URL must be fully qualified with an http or https prefix, such as https://acme.my.salesforce.com.
Select an already existing Apex class as the Registration Handler class or click Automatically create a registration handler template to create the Apex class template for the registration handler. You must edit this template class to modify the default content before using it.
You must specify a registration handler class for Salesforce to generate the Single Sign-On Initialization URL.
Select the user that runs the Apex handler class for Execute Registration As. The user must have “Manage Users” permission. A user is required if you selected a registration handler class or are automatically creating one.
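As an added example (not part of the Salesforce documentation above), the following Apex registration handler refuses to provision or update any identity that did not originate from an allow-listed source org, which is the same cross-sandbox ambiguity that the "include organization ID" setting described earlier addresses. It assumes the Salesforce provider's attribute map exposes the source org ID under the key organization_id (confirm this against the attribute map returned by the Test-Only Initialization URL); the org IDs, profile name and locale values are constructed placeholders.

```apex
global class SandboxAwareRegistrationHandler implements Auth.RegistrationHandler {

    // Constructed placeholder: the source org(s), e.g. one specific sandbox, whose
    // identities may be provisioned here. Replace with real 15-character org IDs.
    private static final Set<String> ALLOWED_SOURCE_ORGS = new Set<String>{ '00DXXXXXXXXXXXX' };
    // Assumption: the provider's attribute map carries the source org ID under this key.
    private static final String ORG_ID_ATTR = 'organization_id';
    private static final String PROFILE_NAME = 'Standard User';   // placeholder profile

    public class RegistrationException extends Exception {}

    // Returns the trusted source org ID, or fails the login before any user is touched.
    private static String requireTrustedSource(Auth.UserData data) {
        String sourceOrg = (data.attributeMap == null) ? null : data.attributeMap.get(ORG_ID_ATTR);
        if (sourceOrg == null || !ALLOWED_SOURCE_ORGS.contains(sourceOrg.left(15))) {
            throw new RegistrationException('Identity from org ' + sourceOrg + ' is not allowed');
        }
        return sourceOrg.left(15);
    }

    // Called by the Single Sign-On Initialization URL flow when no linked user exists yet.
    global User createUser(Id portalId, Auth.UserData data) {
        String sourceOrg = requireTrustedSource(data);
        Profile p = [SELECT Id FROM Profile WHERE Name = :PROFILE_NAME LIMIT 1];
        User u = new User();
        // Prefix the source org ID so the same username from two sandboxes stays distinct.
        u.Username = sourceOrg + '.' + data.username;
        u.Email = data.email;
        u.FirstName = data.firstName;
        u.LastName = String.isBlank(data.lastName) ? data.username : data.lastName;
        u.Alias = data.username.left(8);
        u.ProfileId = p.Id;
        u.LanguageLocaleKey = 'en_US';
        u.LocaleSidKey = 'en_US';
        u.TimeZoneSidKey = 'GMT';
        u.EmailEncodingKey = 'UTF-8';
        return u; // Salesforce inserts the returned user after this method returns
    }

    // Called on later logins and by the Existing User Linking URL flow.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        requireTrustedSource(data);
        // Refresh only identity attributes; never change Username or ProfileId from SSO data.
        update new User(Id = userId, Email = data.email,
                        FirstName = data.firstName, LastName = data.lastName);
    }
}
```

The user selected for Execute Registration As runs this class, so a thrown RegistrationException ends the login for that identity instead of silently creating a second user.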
To use a portal with your provider, select the portal from the Portal drop-down list.
Use the Icon URL field to add a path to an icon to display as a button on the login page for a community. This icon applies to a community only, and does not appear on the login page for your Salesforce organization or custom domain created with My Domain. Users click the button to log in with the associated authentication provider for the community.
You can specify a path to your own image, or copy the URL for one of our sample icons into the field.
Note the value of the Client Configuration URLs. You need the Callback URL to complete the last step, and you use the Test-Only Initialization URL to check your configuration. Also be sure to note the Auth. Provider Id value because you must use it with the Auth.AuthToken
Return to the connected app definition that you created earlier (on the Apps page in Setup, click the connected app name) and paste the value of Callback URL from the authentication provider into the Callback URL field.
Several client configuration URLs are generated after defining the authentication provider:
Test-Only Initialization URL: Administrators use this URL to ensure the third-party provider is set up correctly. The administrator opens this URL in a browser, signs in to the third party, and is redirected back to Salesforce with a map of attributes.
Single Sign-On Initialization URL: Use this URL to perform single sign-on into Salesforce from a third party (using third-party credentials). The end user opens this URL in a browser, and signs in to the third party. This then either creates a new user for them, or updates an existing user, and then signs them into Salesforce as that user.
Existing User Linking URL: Use this URL to link existing Salesforce users to a third-party account. The end user opens this URL in a browser, signs in to the third party, signs in to Salesforce, and approves the link.
Oauth-Only Initialization URL: Use this URL to obtain OAuth access tokens for a third party. Users must authenticate with Salesforce for the third-party service to get a token; this flow does not provide for future single sign-on functionality.
Callback URL: Use the callback URL for the endpoint that the authentication provider calls back to for configuration. The authentication provider has to redirect to the Callback URL with information for each of the above client configuration URLs.
The client configuration URLs support additional request parameters that enable you to direct users to log into specific sites, obtain customized permissions from the third party, or go to a specific location after authenticating.
Test the Single Sign-On Connection
In a browser, open the Test-Only Initialization URL on the Auth. Provider detail page.