Set Up and Maintain Your Salesforce Organization
          Embedded Login Control

          Embedded Login is a legacy feature that lets you put a login form directly on an external webpage using a small piece of JavaScript.

          Control Name

          Embedded Login

          Recommended Configuration

          With Salesforce Identity Embedded Login, customers can integrate Salesforce login capabilities into their own external website. This control is not recommended.

          Control Overview

          Embedded Login is a legacy feature that lets you put a login form directly on an external webpage using a small piece of JavaScript and an <iframe>-like structure.

          Security Risk If Not Configured

          Embedded Login is not recommended because it creates a high risk of clickjacking and cross-site scripting (XSS), as the login interface is technically "hosted" inside an external, third-party site rather than on a dedicated, secure Salesforce domain.

          Threat Scenarios

          An attacker compromises the hosting web server and injects malicious code into the embedded login script to "sniff" and capture user credentials as they are typed into the form.

          Estimated CVSS Score Range

          Critical (9.0–10.0).

          Risk Impact Considerations

Because authentication occurs within an external frame, the user loses the visual assurance of the Salesforce-branded URL bar, making it nearly impossible to verify that they are interacting with a legitimate login portal.

          Higher Risk When

The risk is higher when the hosting website does not have a strict Content Security Policy (CSP), or when it lacks the security headers that tell the browser exactly which domains are authorized to show the login form in a frame. Without them, the site is open to hijacking by unauthorized third-party pages.

          Low Risk When

          The scenario is lower risk only when the external site is fully managed, highly secure, and uses the most restrictive browser-based security headers to isolate the embedded login code.
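A minimal audit of the hosting site's response headers, added here as an example (this is not Salesforce code). It checks the framing and script-source controls the guidance refers to; the header sets are constructed and the script host is a placeholder:

```python
"""Audit response headers of a page that embeds a login form.

Added example, not Salesforce code. It checks the headers that tell a
browser who may frame the page (CSP frame-ancestors, X-Frame-Options)
and where script may come from (script-src / default-src).
"""


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_frame_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for a hosting page; an empty list means restrictive."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []
    csp = parse_csp(lower.get("content-security-policy", ""))
    ancestors = csp.get("frame-ancestors")
    if ancestors is None:
        findings.append("no frame-ancestors directive: any origin may frame the login form (clickjacking)")
    elif "*" in ancestors or any(s.lower().startswith("http:") for s in ancestors):
        findings.append("frame-ancestors is permissive: " + " ".join(ancestors))
    # Legacy header; still the fallback for browsers without CSP frame-ancestors support.
    if lower.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (fallback for older browsers)")
    scripts = csp.get("script-src", csp.get("default-src"))
    if scripts is None or "'unsafe-inline'" in scripts or "*" in scripts:
        findings.append("script-src absent or permissive: injected script could read the login form (XSS)")
    return findings


# Constructed header sets; https://login.example.com is a placeholder for the script host.
WEAK_HOSTING_HEADERS = {"Content-Type": "text/html"}
HARDENED_HOSTING_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://login.example.com; frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HOSTING_HEADERS), ("hardened", HARDENED_HOSTING_HEADERS)):
        print(name, audit_frame_headers(hdrs) or ["no findings"])
```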

          Business and Integration Considerations

          Maintaining Embedded Login requires heavy developer maintenance to make sure the third-party site’s JavaScript remains compatible with Salesforce's evolving security updates and cookie-handling policies.

          Recommended Remediation

          Rather than using Embedded Login, organizations should migrate to Headless Identity for a custom UI or use standard OAuth 2.0 Redirect Flows to make sure that authentication happens on a hardened Salesforce domain.

          Security Health Review Guidance

Security Health Review does not recommend use of Embedded Login because of its reliance on iframes, which introduces significant clickjacking risks and frequent session failures caused by modern browser restrictions on third-party cookies.

          Salesforce Help | Article