Loading
Salesforce now sends email only from verified domains. Read More
Help Agent Performance DegradationRead More
Identify Your Users and Manage Access
Table of Contents
Filter by (0)Add
Select Filters

          No results
          No results
          Here are some search tips

          Check the spelling of your keywords.
          Use more general search terms.
          Select fewer filters to broaden your search.

            Search all of Salesforce Help
            Search all of Salesforce Help
            Example: Configure an Amazon Authentication Provider

            You are here:

            1. Salesforce Help
            2. Docs
            3. Identify Your Users and Manage Access

            Example: Configure an Amazon Authentication Provider

            Configure Amazon as an authentication provider to allow users to log in to their Salesforce org using their Amazon credentials.

            Required Editions

            Available in: Lightning Experience and Salesforce Classic
            Available in: Enterprise, Performance, Unlimited, and Developer Editions
            User Permissions Needed
            To view the settings: View Setup and Configuration
            To edit the settings:

            Customize Application

            AND

            Manage Auth. Providers

            Complete the steps that follow to configure Amazon as an authentication provider.

            • Set up a registration handler.
            • Set up an Amazon application.
            • Create an Amazon Auth. Provider in Salesforce
            • Update the Amazon application with the Salesforce callback URL.
            • Test the connection.
            • Test Salesforce SSO with Amazon.

            See Also

            Set Up a Registration Handler

            To use an authentication provider for single sign-on, you must create a registration handler. The registration handler creates users and updates existing users who access Salesforce via the identity provider. You can set up a registration handler with Apex or Flow Builder. For more information, see Create an Authentication Provider Registration Handler.

            Set Up an Amazon Application

            The Amazon application lets your users log in to a Salesforce org using their Amazon credentials.

            1. Go to https://login.amazon.com/manageApps and log in to your Amazon developer account.
            2. Click Register new application.
            3. Enter and save your application information.
              register a new application
            4. Expand Web Settings.
            5. Copy the Client ID and the Client Secret.
              copy the client IDcopy the client secret
            6. Leave Allowed Return URLs blank. Later, you populate this field with the Salesforce callback URL. This URL is the address your org uses to reply to the Amazon authorization service during a login.

            Create an Amazon Auth. Provider in Salesforce

            Configure your Salesforce org to recognize Amazon as the external authentication provider. This step tells your org to use Amazon credentials at login.

            1. From Setup, enter Auth. Providers in the Quick Find box, and select Auth. Providers | New.
            2. For the provider type, select Open ID Connect.
            3. Enter a name for your Auth. Provider, such as MyAmazon. Salesforce configures this name as the URL suffix in the callback URL, which is how the application responds to a Salesforce authentication request. For example, if the name and suffix combination is MyAmazon, your SSO URL is similar to https://mydomain_login_url or site_url/services/auth/sso/MyAmazon.
              configure an auth. provider
            4. For Consumer Key, enter the Client ID that you copied earlier.
            5. For Consumer Secret, enter the Client Secret.
            6. Enter the Amazon endpoints:
              • Authorize Endpoint URL—https://www.amazon.com/ap/oa
              • Token Endpoint URL—https://api.amazon.com/auth/o2/token
              • User Info Endpoint URL—https://api.amazon.com/user/profile
              • Default Scopes—profile

              To learn about endpoints, see Using the Authorization Endpoint Parameter.

            7. To use an Apex registration handler, take these steps.
              1. For Registration Handler Type, select Apex.
              2. For Registration Handler, select an existing Apex class that implements the Auth.RegistrationHandler interface. Or, to create an template for the registration handler, click Automatically create a registration handler template. Edit this class later, and modify the default content before using it.
            8. To use a flow for your registration handler, take these steps.
              1. For Registration Handler Type, select Flow.
              2. For Registration Handler, select an existing flow of the Identity User Registration flow type.
              3. Select a default profile. A default profile is required to run the registration handler. If you don't specify a default profile here, set the default profile in the flow itself.

                If you use the Authentication Provider User Registration flow template, the profile that you set here is automatically stored in the defaultProfileId variable.

              4. Select a default account. If you use your authentication provider for Experience Cloud sites, this account stores new internal users.

                If you use the Authentication Provider User Registration flow template, the profile that you set here is automatically stored in the defaultAccountId variable.

            9. For Execute Registration As, select an execution user to run the Apex class or flow. The user must have the Manage Users permission.

              Execute Registration As provides the context in which the registration handler runs. In production, you typically create a system user for the Execute Registration As user. This way, operations performed by the handler are easily traced back to the registration process. For example, if a contact is created, the system user creates it.

            10. Save the settings.

            Update Your Amazon Application with the Salesforce Callback URL

            1. On the Salesforce Auth. Provider page for Amazon, copy the callback URL.
              copy the callback URL
            2. On the Amazon application page, click Edit under Web Settings. For Allowed Return URLs, enter the Salesforce callback URL. Save the setting.
              enter the callback URL as the Allowed Return URL

            Test the SSO Connection

            The Auth. Provider page in Salesforce lists a Test-Only Initialization URL. You can use this URL to check that the configuration is set up correctly without logging in to the Salesforce org. When you open the URL in a browser and sign in to Amazon, you’re redirected back to Salesforce with a set of user attributes.

            1. In Salesforce, go to the detail page for the Amazon Auth. Provider.
            2. Copy the Test-Only Initialization URL.
            3. Open a browser and enter the test URL. You’re redirected to Amazon.
            4. Choose an account, log in, and approve access to the Amazon application.
            5. Click Okay. After successful login, you’re redirected to the callback registered with Amazon. Amazon returns information about the user and the application.

            the test returns information

            Test SSO with Amazon AD

            Now it’s time to test the end-to-end SSO configuration, including the registration handler, the authentication process, and log in to your Salesforce org.

            1. Test SSO into your Salesforce org.
              1. In Setup, on the My Domain page under Authentication Configuration, click Edit.
              2. Select your Amazon authentication service, and save the settings.
                select the authentication service
              3. Log out and go to your Salesforce org’s login page for your subdomain.
              4. Choose the Amazon authentication service, and enter your Amazon credentials.
            2. Test SSO into your Salesforce Experience Cloud site.
              1. If you haven’t done so already, create the Amazon authentication service account.
              2. Make sure that you have enough licenses for site users.
              3. From Setup, in the Quick Find box, enter Digital Experiences, and then select All Sites.
              4. Click Workspaces next to the site you’d like to edit.
              5. From the Experience Workspaces menu, select Administration and then select Login & Registration.
                configure login for the community
              6. Under Login, select the option to display the Amazon Auth. Provider, and save the settings.
              7. Log out, and go to the site login page.
              8. Choose the Amazon authentication service, and log in with your Amazon credentials.
                sample community login page
             
            Loading
            Salesforce Help | Article