Control Where You Send Users for Authorization
When you set up a Salesforce authentication provider, use an authorization endpoint host request parameter to send users to a specific page to approve authorization requests. You can use this parameter only for Salesforce authentication providers. You can’t use it to send users to an authorization page outside of a Salesforce domain.
Required Editions
| Available in: Lightning Experience and Salesforce Classic |
| Available in: Enterprise, Performance, Unlimited, and Developer Editions |
| User Permissions Needed | |
|---|---|
| To view the settings: | View Setup and Configuration |
| To edit the settings: | Customize Application AND Manage Auth. Providers |
In an authentication provider single sign-on (SSO) flow, the relying party initiates authorization by redirecting the user to the authorization endpoint. To direct users to an authorization endpoint for a custom domain, such as a My Domain login URL, add an authorization endpoint host parameter to a Salesforce client configuration URL.
For example, you set up a Salesforce authentication provider and configure SSO with your custom Your Benefits connected app. You add an authorization endpoint host request parameter to your SSO client configuration URL to send users to a specific Salesforce domain for authorization. A user goes to the Your Benefits app to log in. The user is redirected to the authorization endpoint to provide their Salesforce credentials. At this endpoint, Salesforce asks the user to approve access to data in the Your Benefits app.
To direct your users to a specific Salesforce authorization endpoint, add the provAuthorizeEndpointHost request parameter to a client configuration URL with a valid HTTPS host. Query strings appended to the host URL are ignored. However, you can specify a site path.
Here’s an example of a provAuthorizeEndpointHost parameter added to the Single Sign-On Initialization URL to send users to a My Domain for authorization:
https://login.salesforce.com/services/auth/sso/orgID/URLsuffix?provAuthorizeEndpointHost=https://MyDomainName.my.salesforce.com
where:
- orgID is your Salesforce Authentication Provider ID.
- URLsuffix is the value you specified when you set up your Salesforce authentication provider.
Here’s an example of the provAuthorizeEndpointHost parameter being used to direct users to a site URL for authorization.
https://login.salesforce.com/services/auth/sso/orgID/URLsuffix?provAuthorizeEndpointHost=https://MyDomainName.my.site.com%2Fbilling
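A relying party that builds these URLs can enforce the rules above before publishing a link. The following sketch is an added example, not Salesforce code: the function names are hypothetical, and the allow-list of host suffixes is an assumption taken from the two example hosts on this page. It checks for HTTPS, checks the parsed hostname, drops the ignored query string, and keeps the site path.

```python
from urllib.parse import quote, urlsplit

SSO_BASE = "https://login.salesforce.com/services/auth/sso"
# Assumption: allow-list built from the host suffixes in this page's examples.
ALLOWED_SUFFIXES = (".my.salesforce.com", ".my.site.com")


def normalize_authorize_host(value: str) -> str:
    """Return the value to send as provAuthorizeEndpointHost, or raise ValueError."""
    parts = urlsplit(value.strip())
    if parts.scheme != "https":
        raise ValueError("provAuthorizeEndpointHost must be an HTTPS URL")
    # Reject forms that make the real host ambiguous to a human reviewer.
    if "@" in parts.netloc or parts.port is not None:
        raise ValueError("userinfo and explicit ports are not accepted")
    # urlsplit lowercases the hostname; compare the parsed host, never the
    # raw string, so a suffix hidden in a path or query cannot match.
    host = parts.hostname or ""
    if not any(host.endswith(s) and len(host) > len(s) for s in ALLOWED_SUFFIXES):
        raise ValueError(f"{host!r} is not an allowed Salesforce domain")
    # Query strings are ignored by Salesforce, so drop them (and fragments).
    path = parts.path.rstrip("/")
    # Encode the site path as in the page's example (/billing -> %2Fbilling).
    return f"https://{host}{quote(path, safe='')}"


def build_sso_init_url(org_id: str, url_suffix: str, authorize_host: str) -> str:
    """Build the Single Sign-On Initialization URL with a validated host."""
    host = normalize_authorize_host(authorize_host)
    return (f"{SSO_BASE}/{quote(org_id, safe='')}/{quote(url_suffix, safe='')}"
            f"?provAuthorizeEndpointHost={host}")


if __name__ == "__main__":
    # Constructed inputs; orgID and URLsuffix are the page's placeholders.
    for candidate in ("https://MyDomainName.my.site.com/billing?utm=1",
                      "http://MyDomainName.my.salesforce.com",
                      "https://MyDomainName.my.salesforce.com.example.net"):
        try:
            print(build_sso_init_url("orgID", "URLsuffix", candidate))
        except ValueError as err:
            print("rejected:", err)
```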
If you don’t specify an authorization endpoint, Salesforce uses the default authorization endpoint for the Salesforce authentication provider. If no default is set for the authentication provider, Salesforce uses the endpoint for login.salesforce.com.
Changing the authorization endpoint doesn’t influence the token endpoint, which remains the configured or default host. For sandbox and production instances, it’s important for the authorization endpoint and token endpoint to match.
For example, your provider is set to use a production token endpoint. If you set the authorization endpoint to a sandbox instance, the flow fails because only the sandbox instance granted authorization. To fix this error, change the authorization endpoint to a production instance to match the token endpoint.

