          Integrate Service Providers as Connected Apps with OpenID Connect

          To integrate a service provider with your Salesforce org, you can use a connected app that implements OpenID Connect for user authentication. To use this option, the service provider must accept OpenID Connect tokens. Configure a connected app with the OpenID Connect scope for your service provider. The OpenID Connect scope passes user information in an ID token. Users can then log in to the external app with their Salesforce or Experience Cloud credentials.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience

          Connected Apps can be created in: Group, Essentials, Professional, Enterprise, Performance, Unlimited, and Developer Editions

          Connected Apps can be installed in: All editions

          User Permissions Needed

          To read, create, update, or delete connected apps: Customize Application AND either Modify All Data OR Manage Connected Apps

          To update all fields except Profiles, Permission Sets, and Service Provider SAML Attributes: Customize Application AND either Modify All Data OR Manage Connected Apps

          To update Profiles, Permission Sets, and Service Provider SAML Attributes: Customize Application AND Modify All Data AND Manage Profiles and Permission Sets

          To rotate the consumer key and consumer secret: Allow consumer key and secret rotation

          To install and uninstall connected apps: Customize Application AND either Modify All Data OR Manage Connected Apps

          To install and uninstall packaged connected apps: Download AppExchange Packages AND Customize Application AND either Modify All Data OR Manage Connected Apps

          Note: Connected app creation is restricted as of Spring ’26. You can continue to use existing connected apps during and after Spring ’26. However, we recommend using external client apps instead. If you must continue creating connected apps, contact Salesforce Support.

          See New connected apps can no longer be created in Spring ’26 for more details.

          For example, you want your users to sign on directly from your Salesforce org to an external Wellness Tracker app that accepts OpenID Connect. So you create a connected app for the Wellness Tracker app. For the connected app, you enable OAuth settings, select the “Allow access to your unique identifier (openid)” scope, and configure an ID token. This configuration enables the SSO flow for your Wellness Tracker app by integrating the service provider with your Salesforce org.

          1. Create your connected app, and complete its basic information.
          2. Configure the necessary OAuth settings for the connected app.
          3. Select the Allow access to your unique identifier (openid) scope to apply to the connected app.
          4. Select Configure ID token.
          5. With the primary ID token setting enabled, configure the secondary settings that control the ID token contents in both access and refresh token responses. Specify these settings.
             Setting: Description
             Token Valid for: The length of time that the ID token is valid for after it’s issued. The period can be from 1 to 720 minutes. The default is 2 minutes.
             ID Token Audiences: The intended consumers of the ID token. For example, the target service where you use the ID token, such as https://your_service.com.
             Include Standard Claims: Include the standard claims that contain information about the user, such as the user’s name, profile, phone number, and address. The OpenID Connect specifications define a set of standard claims to be returned in the ID token.
             Include Custom Attributes: If your app has specified custom attributes, include them in the ID token.
             Include Custom Permissions: If your app has specified custom permissions, include them in the ID token.
          6. To automatically log users out of the service provider when they log out of Salesforce, select Enable Single Logout.
          7. Enter the single logout endpoint of the service provider. Salesforce sends logout requests to this URL when users log out of Salesforce. The single logout URL must be an absolute URL starting with https://.
          8. When you’ve configured all settings for your connected app, click Save.
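The ID token settings above (Token Valid for, ID Token Audiences, standard claims) only protect the service provider if it actually enforces them when the token arrives. The following Python is an added example that is not part of the Salesforce article or any Salesforce SDK: it shows the checks a service provider should run on an incoming ID token, mirroring the settings from the table. The issuer URL, the shared secret, and the sample claim set are constructed for the demonstration; real Salesforce ID tokens are RS256-signed and must be verified against the org's published signing keys, whereas this example uses HS256 with a shared secret purely so that it runs offline with the standard library.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the example; not taken from the Salesforce page.
ISSUER = "https://login.salesforce.com"        # assumption: the issuer the SP expects
EXPECTED_AUDIENCE = "https://your_service.com"  # matches the "ID Token Audiences" setting
TOKEN_VALID_MINUTES = 2                         # page default for "Token Valid for"
SHARED_SECRET = b"constructed-demo-secret"      # constructed; stands in for RS256 key material

# Constructed claim set resembling what "Include Standard Claims" adds to the token.
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "sub": "005xx0000012345",
    "aud": EXPECTED_AUDIENCE,
    "iat": 1_700_000_000,
    "exp": 1_700_000_000 + TOKEN_VALID_MINUTES * 60,
    "name": "Example User",
    "email": "user@example.com",
    "phone_number": "+1-555-0100",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build an HS256-signed JWT so the validator has something to check."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, now: int, secret: bytes = SHARED_SECRET,
                      audience: str = EXPECTED_AUDIENCE, issuer: str = ISSUER,
                      max_lifetime_minutes: int = TOKEN_VALID_MINUTES) -> dict:
    """Return the claims if every check passes; raise ValueError naming the failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm; never let the token's own header select the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    # "ID Token Audiences": the token must name this service, not just any service.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise ValueError("audience mismatch")
    for required in ("sub", "iat", "exp"):
        if required not in claims:
            raise ValueError(f"missing claim {required}")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    # "Token Valid for": reject tokens whose lifetime exceeds what the org configured.
    if claims["exp"] - claims["iat"] > max_lifetime_minutes * 60:
        raise ValueError("lifetime exceeds configured maximum")
    return claims


def check(token: str, now: int, **kwargs) -> str:
    """Convenience wrapper: 'ok' on success, otherwise the name of the failed check."""
    try:
        validate_id_token(token, now, **kwargs)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    token = make_id_token(SAMPLE_CLAIMS)
    print(check(token, now=SAMPLE_CLAIMS["iat"] + 30))
    print(check(token, now=SAMPLE_CLAIMS["exp"] + 1))
```

The lifetime check is the part practitioners most often omit: an expiry that is merely in the future is not enough, because the service provider should also refuse a token whose validity window is longer than the "Token Valid for" value agreed with the org, which catches misconfiguration on either side.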
          Salesforce Help | Article