          Configure a Salesforce-Managed Authentication Provider

          To simplify authentication provider setup for sandbox use cases, use Salesforce-managed third-party apps. This process saves you the time and effort of creating your own third-party app and managing its credentials. Salesforce provides third-party apps for several common providers, such as Google, Microsoft, and Slack.

          Required Editions

          Available in: Lightning Experience and Salesforce Classic
          Available in: Enterprise, Performance, Unlimited, and Developer Editions
          User Permissions Needed
          To view the settings: View Setup and Configuration
          To edit the settings: Customize Application AND Manage Auth. Providers

          Salesforce-managed apps make single sign-on (SSO) setup fast and easy, but they can experience downtime that disrupts SSO service. For production use cases, always create your own third-party apps.

          Salesforce manages third-party apps for these providers.

          • Facebook
          • GitHub
          • Google
          • LinkedIn
          • Microsoft
          • Salesforce
          • Slack

          To use an authentication provider for single sign-on, you must create a registration handler. The registration handler creates users and updates existing users who access Salesforce via the identity provider. You can set up a registration handler with Apex or Flow Builder. For more information, see Create an Authentication Provider Registration Handler.
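          As an added example (not code from this article and not the template that Salesforce generates), the following Apex class implements the Auth.RegistrationHandler interface described above. It auto-provisions a user only when the identity provider supplies an e-mail address in a single allowed domain, derives the Salesforce username from the provider's stable identifier rather than a display name, and on later logins updates only display attributes, never the profile or username. The domain, profile name, username suffix and locale values are assumptions to adjust for your org.

```apex
// Added example: a minimal Auth.RegistrationHandler with an allow-list on the
// e-mail domain. Illustrative code, not the Salesforce-generated template.
// Assumptions: the provider returns a verified e-mail, the profile named below
// exists, and the username suffix is a domain your org controls.
global class ExampleAuthRegistrationHandler implements Auth.RegistrationHandler {

    // Hypothetical value: only users in this domain may be auto-provisioned.
    private static final String ALLOWED_EMAIL_DOMAIN = 'example.com';
    // Profile assigned to newly provisioned users (assumed to exist).
    private static final String DEFAULT_PROFILE_NAME = 'Standard User';

    // Optional interface method: gate auto-provisioning before createUser runs.
    global Boolean canCreateUser(Auth.UserData data) {
        return data != null && isAllowedEmail(data.email);
    }

    // Called on first login through the provider when no linked user exists.
    // Salesforce inserts the returned User record; do not insert it here.
    global User createUser(Id portalId, Auth.UserData data) {
        if (!canCreateUser(data)) {
            // Refusing here fails the login instead of creating an account.
            throw new RegistrationException('Provisioning not permitted for ' + data.email);
        }
        Profile p = [SELECT Id FROM Profile WHERE Name = :DEFAULT_PROFILE_NAME LIMIT 1];

        User u = new User();
        u.ProfileId = p.Id;
        u.Email = data.email;
        u.Username = buildUsername(data);
        u.FirstName = data.firstName;
        u.LastName = String.isBlank(data.lastName) ? 'User' : data.lastName;
        u.Alias = buildAlias(data);
        u.EmailEncodingKey = 'UTF-8';
        u.LanguageLocaleKey = 'en_US';
        u.LocaleSidKey = 'en_US';
        u.TimeZoneSidKey = 'America/Los_Angeles';
        return u;
    }

    // Called on every later login through the provider for a linked user.
    // Profile and username are left alone so the provider cannot change them.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = [SELECT Id, FirstName, LastName FROM User WHERE Id = :userId];
        u.FirstName = data.firstName;
        if (!String.isBlank(data.lastName)) {
            u.LastName = data.lastName;
        }
        update u;
    }

    // True only for a well-formed address whose domain is the allowed one.
    private static Boolean isAllowedEmail(String email) {
        if (String.isBlank(email) || !email.contains('@')) {
            return false;
        }
        String domain = email.substringAfterLast('@').toLowerCase();
        return domain == ALLOWED_EMAIL_DOMAIN;
    }

    // Username must be unique across all of Salesforce and look like an e-mail
    // address, so it is built from the provider name and the provider's
    // identifier, e.g. linkedin_abc123@sso.example.com (hypothetical suffix).
    private static String buildUsername(Auth.UserData data) {
        String providerPart = String.isBlank(data.provider) ? 'sso' : data.provider.toLowerCase();
        String idPart = data.identifier.replaceAll('[^a-zA-Z0-9]', '');
        return providerPart + '_' + idPart + '@sso.' + ALLOWED_EMAIL_DOMAIN;
    }

    // Alias is limited to 8 characters; fall back to a fixed value if the
    // name contains no usable characters.
    private static String buildAlias(Auth.UserData data) {
        String base = (String.isBlank(data.firstName) ? '' : data.firstName.left(1))
                    + (String.isBlank(data.lastName) ? 'user' : data.lastName);
        String alias = base.toLowerCase().replaceAll('[^a-z0-9]', '').left(8);
        return String.isBlank(alias) ? 'ssouser' : alias;
    }

    global class RegistrationException extends Exception {}
}
```

Select this class as the Registration Handler in step 6 of the procedure below, and remember that it runs as the Execute Registration As user, so that user needs the Manage Users permission.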

          1. From Setup, in the Quick Find box, enter Auth. Providers, select Auth. Providers, and then click New.
          2. Choose the type of authentication provider.
          3. Name your provider.
          4. Leave these fields blank so Salesforce can manage the values:
            • Consumer Key
            • Consumer Secret
            • Authorize Endpoint URL
            • Token Endpoint URL
            • User Info Endpoint URL
            • Default Scopes
            Note
            Specifying a value for any of these fields implies that you’re creating your own authentication provider. If you provide a value for one of these fields, you must also provide a value for the consumer key and consumer secret.
          5. If you enter a consumer key and consumer secret, the consumer secret is included in SOAP API responses by default. To hide the secret in SOAP API responses, deselect Include Consumer Secret in SOAP API Responses.
            Starting in November 2022, the secret is always replaced in Metadata API responses with a placeholder value. On deployment, replace the placeholder with your consumer secret as plain text, or modify the value later through the UI.
          6. To use an Apex registration handler, take these steps.
            1. For Registration Handler Type, select Apex.
            2. For Registration Handler, select an existing Apex class that implements the Auth.RegistrationHandler interface. Or, to create a template for the registration handler, click Automatically create a registration handler template. Edit this class later, and modify the default content before using it.
          7. To use a flow for your registration handler, take these steps.
            1. For Registration Handler Type, select Flow.
            2. For Registration Handler, select an existing flow of the Identity User Registration flow type.
            3. Select a default profile. A default profile is required to run the registration handler. If you don't specify a default profile here, set the default profile in the flow itself.

              If you use the Authentication Provider User Registration flow template, the profile that you set here is automatically stored in the defaultProfileId variable.

            4. Select a default account. If you use your authentication provider for Experience Cloud sites, this account stores new internal users.

              If you use the Authentication Provider User Registration flow template, the account that you set here is automatically stored in the defaultAccountId variable.

          8. For Execute Registration As, select an execution user to run the Apex class or flow. The user must have the Manage Users permission.

            Execute Registration As provides the context in which the registration handler runs. In production, you typically create a system user for the Execute Registration As user. This way, operations performed by the handler are easily traced back to the registration process. For example, if a contact is created, the system user creates it.

          9. To use the Salesforce multi-factor authentication (MFA) functionality instead of your identity provider’s MFA service, select Use Salesforce MFA for this SSO provider.
            This setting triggers MFA only for users who have MFA applied to them directly. See Use Salesforce MFA for SSO.
          10. Save your work.
          Example

          Suppose that you want to set up single sign-on (SSO) for a sandbox using a LinkedIn authentication provider. On the Auth. Provider Setup page, leave the fields blank so Salesforce can manage these values. You can skip creating a LinkedIn app. Next, you define the LinkedIn authentication provider in your org and test the connection by using the procedure in Configure a LinkedIn Authentication Provider.

          After you configure an authentication provider, Salesforce generates these client configuration URLs.

          • Test-Only Initialization URL—Use this URL to test whether you set up the third party correctly. Open the URL, and log in to the third party. Then you’re redirected back to your Salesforce org with a map of attributes.
          • Single Sign-On Initialization URL—Use this URL to direct users to perform SSO into your org from the third party. The user opens the URL and logs in to the third party. The third party creates or updates a user account and then logs the user into Salesforce with that account.
          • Existing User Linking URL—Use this URL to link users in your org to an existing account in the third party. The user opens this URL, logs in to the third party, and logs in to Salesforce, creating a link between accounts.
          • OAuth-Only Initialization URL—Use this URL to obtain OAuth access tokens after the user authenticates. This flow provides for third-party data access but not SSO.
          • Callback URL—For each of the other client configuration URLs, the authentication provider sends information back to the callback URL.

          You can test your SSO connection by opening the Test-Only Initialization URL in a browser. The URL redirects you to your OpenID provider and asks you to sign in. You’re then asked to authorize your app. After you authorize, you’re redirected to Salesforce.

          Configure your login page to show the authentication provider as a login option. Depending on whether you’re configuring SSO for an org or for an Experience Cloud site, this step is different.

          Salesforce Help | Article