Embedded Login Considerations
When implementing Embedded Login, be aware of these considerations.
Embedded Login relies on third-party cookies, which most browsers now block or restrict. In practice, Embedded Login works only in Google Chrome, and only for as long as Chrome continues to allow third-party cookies by default.
- Supported Browsers
- Embedded Login is supported on the browsers that support Lightning Experience: Google Chrome, Mozilla Firefox, Apple Safari, Microsoft Edge, and Internet Explorer 11. Even on a supported browser, the Login button renders only if the browser lets the Embedded Login iframe store cookies and localStorage data, which depends on the user's privacy settings (see the cookie and localStorage notes later on this page).
- HTTP and HTTPS URLs
- Modern browsers block mixed content: a page served over HTTPS can't load active content, such as an iframe, over HTTP. Because your right-frame content loads inside an iframe, its URL must use the same protocol as your site. We recommend HTTPS for both the logo URL and the right-frame URL. In local and test environments, HTTP can be more flexible, but don't carry an HTTP URL over into an HTTPS production site.
- URL Redirection for Self-Registration and Forgot Password Links
- Embedded Login relies on your site to handle self-registration and forgotten passwords. When customers finish the forgot-password or self-registration page, they aren't redirected back to your website automatically; they must navigate back themselves, so give those pages a clear link back to your site.
- Login Redirects
- By default, Embedded Login uses a simple authentication process that's completed inside an iframe and hidden from the user with a mask redirect. However, if one of these scenarios applies to your org, set the salesforce-mask-redirects meta tag to false:
  - Your org uses a login flow that requires extra steps within the website, such as multi-factor authentication (MFA) or a custom login flow.
  - Your org uses a login page that requires extra steps within the website, such as a Login Discovery Page or a custom login page.
  - Your org sets the OAuth Permitted Users policy for the Embedded Login external client app to All users may self-authorize.
- Error Configuring CORS
- If you get an error containing the phrase … an ancestor value violates the following Content Security Policy directive, the browser refused to load the Salesforce login page inside the iframe on your site. Configure CORS according to the instructions in Step 1: Enable Resource Sharing Across Domains.
- HTML5 localStorage for Storing Data
- Embedded Login stores data locally in the user's browser using localStorage rather than cookies. Unlike a cookie, localStorage data is never sent automatically with requests, and it can hold large amounts of data without affecting website performance. localStorage is per origin (scheme, host, and port): all pages from one origin can read and write the same data, and any script that runs on that origin, including injected script, can read it, so keep the embedding page's script content under control. Data in localStorage has no expiration date and is cleared only through JavaScript or by clearing the browser's cache or locally stored site data.
- Note If you get access denied messages, check whether localStorage is available in the browser; private browsing modes and tracking-prevention settings can block or restrict it.
- Missing Login Button Due to Limited Access to Cookies
-
If a user sets the browser to block third-party websites from storing cookies and other data locally, the Login button doesn’t appear on the web page. For example, if the Chrome Block third-party cookies option is set, the Login button doesn’t appear.
This behavior applies to all browsers, but it's especially common in Safari because of its cookie and local storage blocking policies. To enable Embedded Login in Safari, the user must deselect Prevent cross-site tracking in Safari's privacy preferences; this is a per-user browser setting that your site can't change.
Note Salesforce issues a session cookie only to record encrypted authentication information for a specific session. The session cookie doesn't contain the user's username or password, and Salesforce doesn't use cookies to store other confidential user or session information. Instead, Salesforce relies on security methods based on dynamic data and encoded session IDs.
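The following JavaScript is an added example, not code from the Salesforce documentation or from the Embedded Login library. It performs the two preflight checks that the HTTP/HTTPS note and the cookie and localStorage notes above describe: it flags logo and right-frame URLs that an HTTPS site would block as mixed content, and it probes localStorage the way an embedding page should before expecting the Login button to render. The site URL, the URLs under test, and the fake Storage objects are constructed for the example; in a browser you would pass the result of getBrowserStorage() instead of a fake.

```javascript
// Added example, not part of the Salesforce documentation or the Embedded Login
// library: preflight checks for a page that embeds Embedded Login.

// Check the logo and right-frame URLs against the embedding site's scheme.
// Browsers block an HTTP iframe (or other active content) inside an HTTPS page
// as mixed content, so an https: site needs https: URLs here.
function checkEmbeddedUrls(siteUrl, urls) {
  const site = new URL(siteUrl);
  const findings = [];
  for (const [name, value] of Object.entries(urls)) {
    let target;
    try {
      target = new URL(value, site); // relative URLs inherit the site's scheme
    } catch (e) {
      findings.push({ name, level: "error", message: `unparseable URL: ${value}` });
      continue;
    }
    if (site.protocol === "https:" && target.protocol === "http:") {
      findings.push({ name, level: "error",
        message: `${name} is http: on an https: site; browsers block it as mixed content` });
    } else if (target.protocol === "http:") {
      findings.push({ name, level: "warn",
        message: `${name} uses http:; acceptable for local testing only` });
    }
  }
  return findings;
}

// Probe a Storage-like object before relying on it. Safari with "Prevent
// cross-site tracking" enabled, Chrome with third-party cookies blocked, and
// some private modes throw (typically SecurityError) from these calls, which is
// why the Login button silently fails to render.
function probeLocalStorage(storage) {
  const key = "__embedded_login_probe__";
  if (!storage) {
    return { available: false, reason: "localStorage is not exposed in this context" };
  }
  try {
    storage.setItem(key, "1");
    const ok = storage.getItem(key) === "1";
    storage.removeItem(key);
    return ok ? { available: true, reason: null }
              : { available: false, reason: "write succeeded but read-back failed" };
  } catch (e) {
    const name = e && e.name ? e.name : "Error";
    return { available: false, reason: `${name}: storage access blocked` };
  }
}

// In a browser, even reading window.localStorage can throw under strict privacy
// settings, so the property access itself is guarded. Returns null outside a
// browser (for example under Node, where this file is testable).
function getBrowserStorage() {
  try {
    return typeof window !== "undefined" ? window.localStorage : null;
  } catch (e) {
    return null;
  }
}

// Combine both checks: canEmbed is true only when no finding is an error.
function embeddedLoginDecision(siteUrl, urls, storage) {
  const findings = checkEmbeddedUrls(siteUrl, urls);
  const status = probeLocalStorage(storage);
  if (!status.available) {
    findings.push({ name: "localStorage", level: "error", message: status.reason });
  }
  return { canEmbed: !findings.some((f) => f.level === "error"), findings };
}

// Constructed stand-ins for browser storage so the checks run outside a browser.
function makeWorkingStorage() {
  const store = new Map();
  return {
    setItem: (k, v) => { store.set(k, String(v)); },
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    removeItem: (k) => { store.delete(k); },
  };
}
function makeBlockedStorage() {
  const err = new Error("The operation is insecure.");
  err.name = "SecurityError"; // what Safari/Chrome raise when storage is blocked
  const deny = () => { throw err; };
  return { setItem: deny, getItem: deny, removeItem: deny };
}

// Constructed sample configuration: an https: site whose right-frame URL is
// still http: (a leftover from local testing) and a browser that blocks storage.
console.log(embeddedLoginDecision(
  "https://www.example.com/login",
  { logo: "/assets/logo.png", rightFrame: "http://localhost:8080/right.html" },
  makeBlockedStorage(),
));
```

When canEmbed is false, render a fallback (for example a plain link to your normal login page) and surface the findings in your site's diagnostics rather than leaving the user with a blank spot where the Login button should be.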

