Loading
Salesforce now sends email only from verified domains. Read More
Identify Your Users and Manage Access
Table of Contents
Filter by (0)Add
Select Filters

          No results
          No results
          Here are some search tips

          Check the spelling of your keywords.
          Use more general search terms.
          Select fewer filters to broaden your search.

            Search all of Salesforce Help
            Search all of Salesforce Help
            Configure a Google Authentication Provider

            You are here:

            1. Salesforce Help
            2. Docs
            3. Identify Your Users and Manage Access

            Configure a Google Authentication Provider

            Configure Google as an authentication provider so your users can log in to Salesforce using their Google credentials.

            Required Editions

            Available in: Lightning Experience and Salesforce Classic
            Available in: Enterprise, Performance, Unlimited, and Developer Editions
            User Permissions Needed
            To view the settings: View Setup and Configuration
            To edit the settings:

            Customize Application

            AND

            Manage Auth. Providers

            To configure Google as an authentication provider, complete these steps.

            • Set up a registration handler.
            • Set up a Google app, making Salesforce the application domain.
            • Define a Google authentication provider in Salesforce.
            • Update your Google app to use the callback URL generated by Salesforce as the Google website site URL.
            • Test the connection.
            • Add the authentication provider to your login page.
            Note
            Note For sandbox use cases, you can skip some of these steps and use the Salesforce-managed Google app. For production use cases, always create your own Google app and use its credentials for your authentication provider. The Salesforce-managed app can experience downtime and isn't recommended for production.

            Set Up a Registration Handler

            To use an authentication provider for single sign-on, you must create a registration handler. The registration handler creates users and updates existing users who access Salesforce via the identity provider. You can set up a registration handler with Apex or Flow Builder. For more information, see Create an Authentication Provider Registration Handler.

            Set Up a Google App

            Before you define a Google authentication provider in Salesforce, set up an app in Google.

            1. Create a client in Google.
            2. Modify the app settings, and set the application domain to Salesforce.
            3. Note the client ID and client secret. You use them to create a Google provider in Salesforce.

            Define a Google Provider in Salesforce

            To set up a Google provider in Salesforce, you need the Google app ID and app secret.

            1. From Setup, in the Quick Find box, enter Auth. Providers, and then select Auth. Providers | New.
            2. For the provider type, select Google.
            3. Enter a name for the provider.
            4. Enter the URL suffix, which is used in the client configuration URLs. For example, if the URL suffix of your provider is MyGoogleProvider, your single sign-on (SSO) URL is similar to https://mydomain_url or site_url /services/auth/sso/MyGoogleProvider.
            5. For the Consumer Key, use the Google app ID.
            6. For the Consumer Secret, use the Google app secret.
            7. Optionally, set these fields:
              • Authorize Endpoint URL—Specify the base authorization URL from Google. For example, https://accounts.google.com/o/oauth2/authorize. The URL must start with https://accounts.google.com/o/oauth2.

                You can add query string parameters to the base URL, if necessary. For example, to get a refresh token from Google for offline access, use https://accounts.google.com/o/oauth2/auth?access_type=offline&approval_prompt=force. You need the approval_prompt parameter to ask the user to accept the refresh action so that Google continues to provide refresh tokens after the first one.

              • Token Endpoint URL—Specify the OAuth token URL from Google. For example, https://accounts.google.com/o/oauth2/accessToken. The URL must start with https://accounts.google.com/o/oauth2.
              • User Info Endpoint URL—Change the values requested from Google’s profile API. The URL must start with https://www.googleapis.com/oauth2/.
              • To automatically enable the OAuth 2.0 Proof Key for Code Exchange (PKCE) extension, which improves security, select Use Proof Key for Code Exchange (PKCE) Extension. For more information on how this setting helps secure your provider, see Proof Key for Code Exchange (PKCE) Extension.
              • Default Scopes—Enter the default scopes to send along with the request to the authorization endpoint. Otherwise, the hard-coded defaults for the provider type are used. For the defaults, see Google’s developer documentation.

                For more information, see Customize Relying Party Data Requests.

              • If you enter a consumer key and consumer secret, the consumer secret is included in SOAP API responses by default. To hide the secret in SOAP API responses, deselect Include Consumer Secret in SOAP API Responses. Starting in November 2022, the secret is always replaced in Metadata API responses with a placeholder value. On deployment, replace the placeholder with your consumer secret as plain text, or modify the value later through the UI.
              • Custom Error URL—Specify a URL for the provider to report errors.
              • For Icon URL, add a path to an icon to display as a button on the login page for a site. This icon applies to an Experience Cloud site only. It doesn’t appear on your Salesforce login page or My Domain login URL. Users click the button to log in with the associated authentication provider for the site. Specify a path to your own image, or copy the URL for one of our sample icons into the field.
              • To use a portal with your provider, select the portal from the Portal list.
            8. To use an Apex registration handler, take these steps.
              1. For Registration Handler Type, select Apex.
              2. For Registration Handler, select an existing Apex class that implements the Auth.RegistrationHandler interface. Or, to create an template for the registration handler, click Automatically create a registration handler template. Edit this class later, and modify the default content before using it.
            9. To use a flow for your registration handler, take these steps.
              1. For Registration Handler Type, select Flow.
              2. For Registration Handler, select an existing flow of the Identity User Registration flow type.
              3. Select a default profile. A default profile is required to run the registration handler. If you don't specify a default profile here, set the default profile in the flow itself.

                If you use the Authentication Provider User Registration flow template, the profile that you set here is automatically stored in the defaultProfileId variable.

              4. Select a default account. If you use your authentication provider for Experience Cloud sites, this account stores new internal users.

                If you use the Authentication Provider User Registration flow template, the profile that you set here is automatically stored in the defaultAccountId variable.

            10. For Execute Registration As, select an execution user to run the Apex class or flow. The user must have the Manage Users permission.

              Execute Registration As provides the context in which the registration handler runs. In production, you typically create a system user for the Execute Registration As user. This way, operations performed by the handler are easily traced back to the registration process. For example, if a contact is created, the system user creates it.

            11. To use the Salesforce multi-factor authentication (MFA) functionality instead of your identity provider’s MFA service, select Use Salesforce MFA for this SSO provider. This setting triggers MFA only for users who have MFA applied to them directly. For more information, see Use Salesforce MFA for SSO.
            12. Save your work.

            After you define the provider, note the generated Auth. Provider ID value. You use it with the Auth.AuthToken Apex class. Salesforce also generates these client configuration URLs.

            • Test-Only Initialization URL—Admins use this URL to ensure that the third-party provider is set up correctly. The admin opens this URL in a browser, signs in to the third party, and is redirected to Salesforce with a map of attributes.
            • Single Sign-On Initialization URL—Use this URL to perform SSO into Salesforce from a third party using its third-party credentials. The user opens this URL in a browser and signs in to the third party. The third party creates a user or updates an existing user. Then the third party signs the user into Salesforce as that user.
            • Existing User Linking URL—Use this URL to link existing Salesforce users to a third-party account. The user opens this URL in a browser, signs in to the third party, signs in to Salesforce, and approves the link.
            • OAuth-Only Initialization URL—Use this URL to obtain OAuth access tokens for a third party. Users must authenticate with Salesforce for the third-party service to get a token. This flow doesn’t provide for future SSO functionality.
            • Callback URL—Use this URL for the endpoint that the authentication provider calls back to for configuration. The authentication provider redirects to the callback URL with information for each client configuration URL.

            Client configuration URLs support other request parameters that enable you to direct users to log in to specific sites, obtain customized permissions from a third party, or go to a location after authenticating.

            Update Your Google App

            After defining the Google authentication provider in Salesforce, go back to your Google app. Update your app to use the callback URL as the Google website site URL.

            Test the SSO Connection

            In a browser, open the Test-Only Initialization URL on the Auth. Provider Setup page. It redirects you to Google and asks you to sign in. You’re then asked to authorize your app. After you authorize, you’re redirected to Salesforce.

            Add the Authentication Provider to Your Login Page

            Configure your login page to show the authentication provider as a login option. Depending on whether you’re configuring SSO for an org or Experience Cloud site, this step is different.

             
            Loading
            Salesforce Help | Article