Embedded Login Advanced Features
Embedded Login takes care of authenticating users so that you can add login capabilities to a web page without worrying about the details. You can also take advantage of the advanced features that Salesforce offers.
Embedded Login relies on third-party cookies, which are blocked or restricted in most browsers. And Embedded Login works only on Google Chrome and only as long as third-party cookies are allowed there by default.
Multi-Language Support in Embedded Login
Set the locale code parameter dynamically in the Embedded Login script. This example displays the embedded login page in Japanese.
<script src="https://embeddedlogin-dev-ed.my.site.com/demo/servlet/servlet.loginwidgetcontroller?type=javascript_widget&locale=jp" async defer></script>
Use the following Salesforce-defined (nonstandard) locale codes with the locale parameter.
- Chinese (Simplified): cn
- Chinese (Traditional): tw
- Danish: da
- Dutch (Netherlands): nl
- English (Australian): au
- English (Canada): ca
- English (India): in
- English (Ireland): eu
- English (Singapore): ap
- English (US): us
- English (UK): uk
- Finnish: fi
- French (France): fr
- French (Canada): fr-ca
- German: de
- Italian: it
- Japanese: jp
- Korean: kr
- Norwegian: no
- Portuguese (Brazil): br
- Russian: ru
- Spanish (Spain): es
- Spanish (Mexico): mx
- Swedish: sv
- Thai: th
Embedded Login External Client App on Your App Launcher
As an option, you can add your Embedded Login–enabled web page to your App Launcher to provide transparent single sign-on. To do so, add a Start URL to the external client app that you want displayed.
The start URL format is the community URL's OAuth authorization endpoint plus these parameters:
- Token response type
- Client ID of the Embedded Login's external client app
- Encoded URL to the callback
- State
Here’s an example of the start URL where the site OAuth endpoint is https://embeddedlogin-dev-ed.my.site.com/demo/services/oauth2/authorize and the callback to Embedded Login is https://embeddedlogin.herokuapp.com/_callback.
https://embeddedlogin-dev-ed.my.site.com/demo/services/oauth2/authorize?response_type=token&
client_id=3MVG9Iu66FKeHhIPrRneLTDFdiuLfgLjycFpg6SbLpZAJScEXuD.oRdaWnJE7QGNFWHxunp0ut1&
redirect_uri=https%3A%2F%2Fembeddedlogin.herokuapp.com%2F_callback.html&state=%2F
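The following added example (not Salesforce code) assembles a start URL in the format described above and rejects inputs that would weaken it. The function name `buildStartUrl`, its option names, and the `EXAMPLE_CLIENT_ID` placeholder are assumptions made for illustration, as is the rule that `state` must be a site-relative path like the `/` in the example above.

```javascript
// Added example: builds the App Launcher start URL from the four parts listed
// above. buildStartUrl and its option names are hypothetical, not a Salesforce API.
function buildStartUrl({ authorizeEndpoint, clientId, callbackUrl, state = "/" }) {
  const endpoint = new URL(authorizeEndpoint);
  const callback = new URL(callbackUrl);

  // The access token is delivered to the callback, so both ends must be HTTPS.
  for (const u of [endpoint, callback]) {
    if (u.protocol !== "https:") throw new Error(`HTTPS required: ${u.href}`);
  }
  // OAuth redirect URIs must not carry a fragment; embedded credentials are
  // rejected as well.
  if (callback.hash || callback.username || callback.password) {
    throw new Error("callbackUrl must not contain a fragment or credentials");
  }
  // Assumption: state is a site-relative path, as in the page's example ("/").
  // Rejecting "//host", backslashes and absolute URLs keeps it on-site.
  if (!state.startsWith("/") || state.startsWith("//") || state.includes("\\")) {
    throw new Error("state must be a site-relative path");
  }
  if (!clientId) throw new Error("clientId is required");

  // encodeURIComponent yields the %3A%2F%2F form shown in the page's example.
  const query = [
    ["response_type", "token"],
    ["client_id", clientId],
    ["redirect_uri", callback.href],
    ["state", state],
  ].map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join("&");

  return `${endpoint.origin}${endpoint.pathname}?${query}`;
}

// Constructed sample input; the client ID is a placeholder, not a real key.
const startUrl = buildStartUrl({
  authorizeEndpoint: "https://embeddedlogin-dev-ed.my.site.com/demo/services/oauth2/authorize",
  clientId: "EXAMPLE_CLIENT_ID",
  callbackUrl: "https://embeddedlogin.herokuapp.com/_callback.html",
});
console.log(startUrl);
```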
Embedded Login Authorization Process
Here’s an overview of the Salesforce OAuth authorization process.
- The user enters a username and password or social credentials in the login form on the web page.
- Salesforce validates the credentials and then redirects the response to the OAuth authorization endpoint https://login.salesforce.com/services/oauth2/authorize. The Embedded Login external client app’s scopes and attributes define the permissions that are granted with the access token.
- Salesforce sends the access token to the callback URL.
- The callback URL receives the access token, parses it out as a message, and caches the access token. If it’s a client-side callback, the token is cached in the web browser local storage.
- The callback URL uses the access token to call the Salesforce Identity service endpoint to pull the required and authorized information about the user.
- The callback URL stores the user information with the access token.
- Embedded Login gets the user information from storage and checks the online function to determine which login information to show on the web page and how.
- The external client app maintains the connection between the page and Salesforce and uses the access token to retrieve data from Salesforce.
By default, Embedded Login uses a simple authentication process that’s completed inside an iframe and hidden from the user with a mask redirect. However, if one of these scenarios applies to your org, set the salesforce-mask-redirects metatag to false:
- Your org uses a login flow that requires extra steps within the website, such as multi-factor authentication (MFA) or a custom login flow.
- Your org uses a login page that requires extra steps within the website, such as a Login Discovery Page or custom login page.
- Your org sets the OAuth Permitted Users policy for the Embedded Login external client app to All users may self-authorize.
In these scenarios, the user takes the journey to Salesforce to complete the login process.
Relationship Between the Embedded Login Callback URL and the External Client App
The Embedded Login external client app is at the core of the authorization process and controls ongoing communication between the website and Salesforce after initial authorization. The callback URL is involved during the initial process, receiving the access token and the user information passed from Salesforce. When the initial user authentication is complete, the external client app takes over. It maintains the connection with your Salesforce site as long as the session is active.

