          Salesforce as Service Provider and Identity Provider for SSO

          Depending on your authentication needs, you can create an identity provider chain, configure SAML single sign-on (SSO) across multiple orgs or Experience Cloud sites, or use the predefined Salesforce authentication provider. If you want users to log in to Salesforce from a third-party identity provider and immediately have access to a client app, set up an identity provider chain. If you want users to access several orgs or sites with one set of credentials, set up SAML SSO between multiple orgs or sites. You can also set up SSO between two orgs with the Salesforce authentication provider, which authenticates users and authorizes access to protected data.

          Required Editions

          Available in: both Salesforce Classic and Lightning Experience

          Federated Authentication is available in: all editions

          Delegated Authentication is available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions

          Authentication Providers are available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions

          Important: Connected app creation is restricted as of Spring ’26. You can continue to use existing connected apps during and after Spring ’26. However, we recommend using external client apps instead. If you must continue creating connected apps, contact Salesforce Support.

          See New connected apps can no longer be created in Spring ’26 for more details.

          Create an Identity Provider Chain

          In an identity provider chain, Salesforce sits in the middle, linking a third-party identity provider with a client app. The third-party identity provider authenticates users for Salesforce, while Salesforce serves as the identity provider for the client app. Users can log in to the third-party identity provider and immediately access Salesforce and the client app. If they log in to the client app, they’re redirected via Salesforce to the third-party identity provider. You can chain identity providers with SAML or OpenID Connect exclusively. Or you can create a chain that implements two different authentication protocols.

          For example, you want your users to log in to Google and then directly access Salesforce and your mobile customer service app. To create a SAML-only chain, define your org as a SAML service provider with Google as the identity provider. Then configure Salesforce as a SAML identity provider for your mobile customer service app, which acts as the service provider.
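The trust relationships in that SAML-only chain can be modeled as two separate hops, each with its own issuer and audience check. The following is an added example, not Salesforce code: the entity IDs, class names, and function names are constructed for illustration, and signature verification is omitted.

```python
from dataclasses import dataclass

# Constructed entity IDs; real values come from each party's SAML metadata.
GOOGLE = "https://idp.example.com/google"
SALESFORCE = "https://example.my.salesforce.com"
MOBILE_APP = "https://support-app.example.com"

@dataclass(frozen=True)
class Assertion:
    issuer: str        # who vouches for the user
    audience: str      # the one service provider it is meant for
    subject: str       # federated user identifier
    expires_at: int    # NotOnOrAfter, as epoch seconds

@dataclass(frozen=True)
class ServiceProvider:
    entity_id: str
    trusted_issuer: str  # the single identity provider this hop trusts

    def accept(self, a: Assertion, now: int) -> str:
        """Return the subject if the assertion is valid for this hop."""
        # Signature verification is omitted; it must precede these checks.
        if a.issuer != self.trusted_issuer:
            raise ValueError("untrusted issuer")
        if a.audience != self.entity_id:
            raise ValueError("audience mismatch")
        if now >= a.expires_at:
            raise ValueError("assertion expired")
        return a.subject

def issue(issuer: str, audience: str, subject: str, now: int, ttl: int = 300) -> Assertion:
    return Assertion(issuer, audience, subject, now + ttl)

# Hop 1: Salesforce is the service provider, Google the identity provider.
SF_AS_SP = ServiceProvider(SALESFORCE, trusted_issuer=GOOGLE)
# Hop 2: the mobile app is the service provider, Salesforce the identity provider.
APP_AS_SP = ServiceProvider(MOBILE_APP, trusted_issuer=SALESFORCE)

def chain_login(user: str, now: int) -> str:
    """Walk both hops; the middle hop issues a fresh assertion, never forwards."""
    upstream = issue(GOOGLE, SALESFORCE, user, now)
    subject = SF_AS_SP.accept(upstream, now)
    downstream = issue(SALESFORCE, MOBILE_APP, subject, now)
    return APP_AS_SP.accept(downstream, now)

def rejects(sp: ServiceProvider, a: Assertion, now: int) -> str:
    """Return the rejection reason, or '' if the hop accepts the assertion."""
    try:
        sp.accept(a, now)
        return ""
    except ValueError as e:
        return str(e)
```

The client app accepts only assertions that the middle hop issued for it, so an assertion that the upstream identity provider issued for Salesforce is rejected if presented to the app directly.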

          Configure SAML SSO Between Multiple Orgs or Experience Cloud Sites

          If your company deploys multiple Salesforce orgs or sites, you can configure an org or site as the identity provider for one or more service provider orgs or sites. With this SAML SSO solution, you save your users from managing multiple passwords.

          For example, you manage several Salesforce orgs. You want your users to move between orgs without reauthenticating each time. So you configure one org as a SAML identity provider and set up the other orgs as service providers. When your users log in to the identity provider, they’re automatically authenticated for the service providers. They can access all orgs with a single, strong password.

          Configure SSO Between Orgs with the Salesforce Authentication Provider

          Salesforce can act as an authentication provider for other orgs, so your users can log in to an org acting as the relying party with credentials from the authentication provider. With this configuration, the relying party also can access data in the authentication provider on behalf of the user. To set up this configuration, create a connected app in the authentication provider org. Then define the Salesforce authentication provider in the relying party org using information from the connected app.

          Note: When you’re using authentication providers, the service provider is called the relying party. For more information, see Single Sign-On Terminology.

          For example, you want your users to log in to two orgs with a single set of credentials. You also want to share information between orgs to enrich user profiles. You create a connected app in the authentication provider org and define the authentication provider in the relying party org. When the user logs in to the relying party, they’re redirected to the authentication provider. The authentication provider verifies the user’s identity and asks for access to the connected app. If the user authorizes access, they’re logged in to the relying party. The relying party can then access Salesforce data from the authentication provider.

          See Configure a Salesforce Authentication Provider.

          Configuration Help

          • Create an Identity Provider Chain
            To simultaneously authenticate users for your Salesforce org and a third-party client app, create an identity provider chain. In this SSO configuration, a third party authenticates users for Salesforce, while Salesforce authenticates users for the client app. Users can log in to the third party and immediately access Salesforce and the client app. You can chain identity providers with SAML or OpenID Connect exclusively. Or, you can create a chain that implements two different authentication protocols.
          • Configure SAML SSO Between Salesforce Orgs or Experience Cloud Sites
            If your company deploys more than one Salesforce org or Experience Cloud site, set up SAML single sign-on (SSO) so users can easily move between them. In this SSO configuration, a single org or site acting as the identity provider authenticates users for one or more orgs or sites in the service provider role. Users can log in to all orgs or sites with a single set of credentials.
           