Create an Identity Provider Chain
To simultaneously authenticate users for your Salesforce org and a third-party client app, create an identity provider chain. In this SSO configuration, a third party authenticates users for Salesforce, while Salesforce authenticates users for the client app. Users can log in to the third party and immediately access Salesforce and the client app. You can chain identity providers with SAML or OpenID Connect exclusively. Or, you can create a chain that implements two different authentication protocols.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience |
|---|
| Federated Authentication is available in: All Editions |
| Delegated Authentication is available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions |
| Authentication Providers are available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions |
Create a SAML-Only Chain
The SAML-only chain is especially effective when both Salesforce and the client app are set up for service provider-initiated SAML SSO. To create an identity provider chain using SAML, follow these instructions.
- Define Salesforce as a SAML service provider for your third-party identity provider.
- Configure Salesforce as a SAML identity provider for your client app.
After you configure a SAML identity provider chain, users can log in to Salesforce from a third-party identity provider and immediately access the client app. The third-party identity provider authenticates users in Salesforce, and Salesforce authenticates users in the client app.
For example, you want your users to log in to Google and then directly access Salesforce and your mobile customer service app. To create a SAML-only chain, define your org as a SAML service provider with Google as the identity provider. Then configure Salesforce as a SAML identity provider for your mobile customer service app, which acts as the service provider.
Create an OpenID Connect-Only Chain
With OpenID Connect, you can set up a third-party authentication provider to authenticate users for Salesforce. Authentication providers don't only authenticate users so they can log in to Salesforce. They also authorize Salesforce to access protected third-party data. To create an identity provider chain using OpenID Connect, follow these instructions.
- Set up an OpenID Connect authentication provider for your third-party OpenID Connect provider. The authentication provider allows users to log in to Salesforce with third-party credentials.
- Create an OpenID Connect connected app for your client app. With OpenID Connect, there's no need to enable Salesforce as an identity provider.
After you configure an OpenID Connect identity provider chain, users can log in to Salesforce from a third-party authentication provider and immediately access the client app. The third-party authentication provider authenticates users in Salesforce, and Salesforce authenticates users in the client app.
For example, you want your users to log in to your org with Amazon credentials and then log in to your custom mobile app. To create this chain, you set up an OpenID Connect authentication provider for Amazon, enabling users to log in to your org from Amazon. Then, you enable your org as an identity provider and integrate the custom mobile app as an OpenID Connect connected app.
Create a Chain That Implements Two Protocols
If you have two apps that implement different protocols, you can use Salesforce to link them. You can create an identity provider chain that implements SAML and OpenID Connect. You can also configure a chain with a third party that implements a custom authentication protocol.
For example, you want your users to authenticate into Salesforce with Facebook credentials and then directly access Workday. Facebook implements its own custom authentication protocol, while Workday uses SAML. Here's how you can configure SSO so that your users can move easily from Facebook to Salesforce to Workday.
- Set up a predefined Facebook authentication provider, which allows Facebook to authenticate users for Salesforce.
- Configure Salesforce as a SAML identity provider to authenticate users for Workday.
Salesforce provides several predefined authentication providers for third parties that implement custom protocols. You can also create a custom authentication provider with Apex. For more information, see Authentication Provider SSO.
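The trust relationships in a chain (whether SAML-only, OpenID Connect-only, or mixed) come down to the same rule at each hop: the relying party verifies the signature, issuer, and audience of the token it receives, and the client app accepts tokens only from Salesforce, never from the upstream provider. The following model of the Google-to-Salesforce-to-mobile-app chain is an added illustration, not Salesforce code; it uses an HMAC-signed JSON token as a stand-in for a SAML assertion or OIDC ID token, and the names "google", "salesforce", and "mobile-app" are placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing keys for the two issuers in the chain (stand-ins for the
# X.509/RSA keys a real SAML or OIDC deployment would use).
KEYS = {"google": b"third-party-idp-key", "salesforce": b"salesforce-idp-key"}


def issue(issuer: str, subject: str, audience: str) -> str:
    """Issuer signs a token naming itself (iss) and the intended recipient (aud)."""
    payload = json.dumps({"iss": issuer, "sub": subject, "aud": audience}, sort_keys=True).encode()
    tag = hmac.new(KEYS[issuer], payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def verify(token: str, expected_iss: str, expected_aud: str) -> dict:
    """Relying party checks issuer, signature, and audience before trusting a token."""
    body, tag = token.split(".")
    payload = base64.urlsafe_b64decode(body)
    claims = json.loads(payload)
    if claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    expected_tag = hmac.new(KEYS[expected_iss], payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, base64.urlsafe_b64decode(tag)):
        raise ValueError("bad signature")
    if claims.get("aud") != expected_aud:
        raise ValueError("token was not issued for this audience")
    return claims


def salesforce_login(upstream_token: str) -> str:
    """Hop 1: Salesforce, acting as service provider, accepts the third-party
    assertion, then as identity provider issues its own token for the client app."""
    claims = verify(upstream_token, expected_iss="google", expected_aud="salesforce")
    return issue("salesforce", claims["sub"], audience="mobile-app")


def client_app_login(token: str) -> str:
    """Hop 2: the client app trusts only tokens Salesforce issued for it."""
    return verify(token, expected_iss="salesforce", expected_aud="mobile-app")["sub"]
```

A token from the third party presented directly to the client app fails the issuer check, and a third-party token minted for some other audience is rejected by Salesforce before it can be exchanged.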