Add Functionality to an Authentication Provider
After you set up single sign-on (SSO) with an authentication provider, Salesforce generates several client configuration URLs, such as the Single Sign-On Initialization URL. These client configuration URLs support request parameters, which you can use to add functions to your authentication provider. For example, use these parameters to get customized permissions from the third party or direct users to a specific location after authenticating.
Required Editions
| Available in: Lightning Experience and Salesforce Classic |
|---|
| Available in: Enterprise, Performance, Unlimited, and Developer Editions |

| User Permissions Needed | |
|---|---|
| To view the settings: | View Setup and Configuration |
| To edit the settings: | Customize Application AND Manage Auth. Providers |
Salesforce generates these client configuration URLs.
- Test-Only Initialization URL—Use this URL to test whether you set up the third party correctly. Open the URL and log in to the third party. Then, you’re redirected back to your Salesforce org with a map of attributes.
- Single Sign-On Initialization URL—Use this URL to direct users to perform SSO into your org from the third party. The user opens the URL and logs in to the third party. The third party creates or updates a user account and then logs the user into Salesforce with that account.
- Existing User Linking URL—Use this URL to link users in your org to an existing account in the third party. The user opens this URL, logs in to the third party, and logs in to Salesforce, creating a link between accounts.
- OAuth-Only Initialization URL—Use this URL to obtain OAuth access tokens after the user authenticates. This flow provides third-party data access but not SSO.
- Callback URL—For each of the other client configuration URLs, the authentication provider sends information back to the callback URL.
Add request parameters to your client configuration URLs as needed. For example, suppose you want to link users in your org to their existing Facebook account and then allow Facebook to request profile access. Add a scope parameter to the Existing User Linking URL. When users go to this URL, they log in to Facebook and your org and receive a request for Facebook to access their Salesforce profile information.
- (Salesforce authentication providers only) Authorization Endpoint—Sends the user to a specific endpoint for authorization, such as a custom domain.
- Experience Cloud—Sends the user to a specific site after authentication.
- Expid—Delivers different user experiences. For example, use the expid parameter to provide different registration processes for users based on what language they speak.
- Prompt—Specifies how the authorization server prompts the user for reauthentication and reapproval. For example, prompt a user to log in again after creating an account.
- Scope—Customizes what the third party is allowed to request from users. For example, allow the third party to request access to a user’s profile information.
- Site—Enables you to use the authentication provider with a site.
- Protected URL Redirect Parameters—Send the user to a specified location after authentication or after clicking the Back, Save, or Cancel buttons.
Configuration Help
- Dynamically Add Functionality to an Authentication Provider
  For the most flexibility with authentication provider functionality, create your own URL parameter forwarding allowlist. With an allowlist, you can dynamically add allowlisted parameters to your client configuration URLs at runtime and forward them to the third-party provider. For example, forward the user's language preferences to the third-party provider so that the provider's login page displays in the user's desired language.
- Control Where You Send Users for Authorization
  When you set up a Salesforce authentication provider, use an authorization endpoint host request parameter to send users to a specific page to approve authorization requests. You can use this parameter only for Salesforce authentication providers. You can’t use it to send users to an authorization page outside of a Salesforce domain.
- Direct Users to an Experience Cloud Site after Authentication
  When you set up single sign-on (SSO) with an authentication provider, use the Experience Cloud site URL request parameter to send users to a specific site after authenticating. With the site parameter, you can determine whether a user logs in to your Salesforce org or in to an Experience Cloud site. This parameter can also change what type of user the registration handler creates.
- Control Your Authentication Provider User Experience
  When you set up single sign-on (SSO) with an authentication provider for your Salesforce Experience Cloud site, use the expid request parameter to deliver different experiences to users.
- Prompt Users to Reauthenticate and Reauthorize
  When you set up single sign-on (SSO) with an authentication provider, you can optionally add the prompt URL request parameter to client configuration URLs. This parameter specifies how the authorization server prompts the user to log in again and reapprove data access. For example, you can make a user log in again after signing up for an account.
- Customize Relying Party Data Requests
  When you set up single sign-on (SSO) with an authentication provider, use the scope parameter to customize data requests to a third party, like Facebook. For example, request access to the email address listed on a user’s Facebook profile. You can use this parameter with every authentication provider except Janrain.
- Support Salesforce Sites for an Authentication Provider
  When you set up single sign-on (SSO) with an authentication provider, use the site request parameter to log in users to a site. You can also link to a site user.
- Redirect Users to Secure URLs
  When you set up single sign-on (SSO) with an authentication provider, use protected URL redirect parameters to redirect users to *.force.com pages and prevent malicious redirects.
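The two mechanisms this page describes, a forwarding allowlist that decides which runtime parameters reach the client configuration URL, and a protected redirect parameter that may only point at *.force.com pages, can be modelled in a few lines. The following is an added example written for this page; it is not Salesforce code and does not reproduce how Salesforce implements these checks. The parameter names scope, expid, prompt and site come from the page; the base URL, the allowlisted `lang` parameter and the `startURL_PLACEHOLDER` redirect parameter are constructed placeholders, since the page does not name the real redirect parameter.

```python
"""Added example: allowlisted parameter forwarding plus a protected-redirect
check for an authentication provider client configuration URL.
Not Salesforce's own code; names marked PLACEHOLDER are assumptions."""

from typing import Dict, FrozenSet, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Request parameters this page documents for client configuration URLs.
PAGE_PARAMS: FrozenSet[str] = frozenset({"scope", "expid", "prompt", "site"})

# Constructed base URL; Salesforce generates the real one per provider.
BASE_URL = "https://example.my.salesforce.com/services/auth/link/PROVIDER_PLACEHOLDER"

# The page says protected redirect parameters may only send users to *.force.com.
REDIRECT_SUFFIXES: Tuple[str, ...] = (".force.com",)


def is_protected_redirect_target(url: str) -> bool:
    """True only for an absolute https URL whose host is a label under *.force.com.

    Rejects scheme-relative URLs (//host/...), non-https schemes, userinfo
    tricks (https://acme.force.com@attacker.example/) and look-alike hosts
    such as acme.force.com.attacker.example.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc or "@" in parts.netloc:
        return False
    host = (parts.hostname or "").lower()
    return any(host.endswith(suffix) and host != suffix.lstrip(".")
               for suffix in REDIRECT_SUFFIXES)


def partition_params(params: Dict[str, str],
                     allowlist: FrozenSet[str]) -> Tuple[Dict[str, str], List[str]]:
    """Split caller-supplied parameters into forwardable ones and dropped ones.

    A parameter is forwarded if the page documents it or the admin allowlisted
    it; anything else is dropped rather than passed through to the provider.
    """
    kept: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in params.items():
        if name in PAGE_PARAMS or name in allowlist:
            kept[name] = value
        else:
            dropped.append(name)
    return kept, dropped


def build_client_url(base_url: str,
                     params: Dict[str, str],
                     allowlist: FrozenSet[str],
                     redirect_param: Optional[str] = None) -> str:
    """Append forwardable parameters to base_url, validating the redirect target."""
    kept, _ = partition_params(params, allowlist)
    if redirect_param and redirect_param in kept:
        if not is_protected_redirect_target(kept[redirect_param]):
            raise ValueError(f"refusing redirect target in {redirect_param!r}: "
                             f"{kept[redirect_param]}")
    parts = urlsplit(base_url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query.update(kept)  # runtime parameters override nothing documented above
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


if __name__ == "__main__":
    # Constructed runtime parameters: two documented, one allowlisted, one unknown.
    runtime = {"scope": "email", "expid": "fr", "lang": "fr", "utm_source": "newsletter"}
    print(build_client_url(BASE_URL, runtime, frozenset({"lang"})))
    print(partition_params(runtime, frozenset({"lang"}))[1])  # -> ['utm_source']
```

The predicate deliberately requires a label before `.force.com`, so a bare `https://force.com/` is refused along with hosts that merely contain the string, and the allowlist is a `frozenset` the admin owns rather than something the caller can extend at runtime.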