          Authentication Provider SSO


          With authentication providers, your users can log in to your Salesforce org or Experience Cloud site with single sign-on (SSO) using credentials from a third party. Authentication providers also give your users access to protected third-party data. Salesforce offers several ways to configure authentication providers, such as with OpenID Connect or with a custom OAuth 2.0 configuration. Which protocol you can use depends on the third party.

          Required Editions

          Available in: Lightning Experience and Salesforce Classic
          Available in: Enterprise, Performance, Unlimited, and Developer Editions
          User Permissions Needed
          To view the settings: View Setup and Configuration
          To edit the settings: Customize Application AND Manage Auth. Providers

          Single Sign-On Authentication and Authorization Flow

          Most authentication providers serve a dual purpose. In addition to authenticating users for SSO, they provide access to user data. With access to this third-party data, you can enrich your users’ Salesforce profiles with additional information after they log in with SSO.

          For example, when a user logs in to Salesforce using their Facebook credentials, they can authorize access to their Facebook data. Facebook then sends Salesforce an access token, which you can use to access Facebook profile data in order to populate the user’s Salesforce user profile.

          Authentication Provider Setup

          Authentication provider setup includes these high-level steps.

          • Create a registration handler. The registration handler is a key part of your implementation. It handles the heavy lifting of creating and updating users during SSO. You can set up a registration handler by using Apex or Flow Builder.
          • Define the authentication provider. This step includes creating an app on the identity provider, creating an authentication provider in Setup, and configuring the provider to use the registration handler.
          • Add the provider to the login page for your org or Experience Cloud site.
          • Optionally, add functionality to the authentication provider with request parameters.
          • Create an Authentication Provider Registration Handler
            To set up single sign-on (SSO) with an authentication provider, you must set up a registration handler. The registration handler creates and updates Salesforce users after they authenticate with the identity provider. To set up a registration handler, you can use Flow Builder or Apex.
          • Define an Authentication Provider
            To use an authentication provider for single sign-on (SSO), define an authentication provider in Setup by using configuration information from a third-party identity provider. Control security settings, customize the SSO experience with error and logout URLs, and configure registration handler settings. Most authentication providers support single sign-on (SSO) and third-party data access, with the exceptions of GitHub, Microsoft Access Control Service, and X (formerly Twitter).
          • Add an Authentication Provider to Your Org’s Login Page
            After you set up an authentication provider, make it easy for your employees to use it by adding it to your org’s login page.
          • Add an Authentication Provider to Your Experience Cloud Site’s Login Page
            After you set up an authentication provider, make it easy for customers and partners to use it by adding it to your Experience Cloud site’s login page.
          • Add Functionality to an Authentication Provider
            After you set up single sign-on (SSO) with an authentication provider, Salesforce generates several client configuration URLs, such as the Single Sign-On Initialization URL. These client configuration URLs support request parameters, which you can use to add functions to your authentication provider. For example, use these parameters to get customized permissions from the third party or direct users to a specific location after authenticating.
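
          The registration handler step above, written in Apex as an added example (not Salesforce's sample code and not part of the original page). It assumes an internal org login, a profile named 'Standard User', an OpenID Connect provider that returns an email_verified claim in attributeMap, and the hypothetical class name ExampleRegHandler. It shows the checks that stop a third-party identity from being mapped onto a Salesforce user by email alone.

```apex
// Added example, not Salesforce sample code. Hypothetical names: ExampleRegHandler,
// RegHandlerException. Assumes a 'Standard User' profile and an OpenID Connect
// provider that sends the email_verified claim in attributeMap.
global class ExampleRegHandler implements Auth.RegistrationHandler {
    class RegHandlerException extends Exception {}

    // Reject logins whose email the identity provider has not verified.
    private void requireVerifiedEmail(Auth.UserData data) {
        String verified = null;
        if (data.attributeMap != null) {
            verified = data.attributeMap.get('email_verified');
        }
        if (String.isBlank(data.email) || verified == null || !verified.equalsIgnoreCase('true')) {
            throw new RegHandlerException('Identity provider did not return a verified email.');
        }
    }

    // First SSO login: no link to a Salesforce user exists yet.
    global User createUser(Id portalId, Auth.UserData data) {
        requireVerifiedEmail(data);
        // An email match alone must not hand an existing account to the external
        // identity, so stop and require linking from an authenticated session.
        List<User> existing = [SELECT Id FROM User WHERE Email = :data.email LIMIT 1];
        if (!existing.isEmpty()) {
            throw new RegHandlerException('User exists; link the provider after logging in.');
        }
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
        User u = new User();
        u.Username = data.email + '.sso';  // constructed suffix to keep usernames unique
        u.Email = data.email;
        u.FirstName = data.firstName;
        u.LastName = String.isBlank(data.lastName) ? data.email : data.lastName;
        u.Alias = data.email.substringBefore('@').left(8);  // Alias is limited to 8 characters
        u.ProfileId = p.Id;  // fixed profile; never derived from provider-supplied data
        u.TimeZoneSidKey = 'GMT';
        u.LocaleSidKey = 'en_US';
        u.LanguageLocaleKey = 'en_US';
        u.EmailEncodingKey = 'UTF-8';
        return u;  // returned without insert; Salesforce inserts the new user
    }

    // Later logins: refresh only non-privileged fields from the provider.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        requireVerifiedEmail(data);
        User u = new User(Id = userId, FirstName = data.firstName);
        if (!String.isBlank(data.lastName)) { u.LastName = data.lastName; }
        update u;
    }
}
```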
           