Salesforce as an Identity Provider
Configure single sign-on (SSO) so users can log in to an external service provider or relying party with their Salesforce credentials. You can enable your Salesforce org as a SAML identity provider and integrate a service provider as a SAML external client app or connected app. You can also use OpenID Connect to integrate a relying party with your org.
Required Editions
| Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience |
| Federated Authentication is available in: all editions |
| Delegated Authentication is available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions |
| Authentication Providers are available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions |
See “New connected apps can no longer be created in Spring ’26” for more details.
Integrate Service Providers with SAML 2.0
SAML is an open-standard authentication protocol that Salesforce uses for authentication with SSO. To set up SSO into a SAML service provider, enable your org as a SAML identity provider, and integrate the service provider as a SAML-enabled connected app or external client app. Your org can then authenticate users so that they can log in to the service provider.
For example, you build a custom Your Benefits web app that implements SAML for user authentication. You want your users to be able to log in to this app with their Salesforce credentials. To set up this SSO flow, enable your Salesforce org as an identity provider, and configure the Your Benefits web app as a connected app. Your users can now log in to the Your Benefits web app with their Salesforce credentials.
Integrate Service Providers with OpenID Connect
Salesforce also supports OpenID Connect as an open-standard authentication protocol for SSO. With OpenID Connect, it’s not necessary to enable Salesforce as an identity provider. You can integrate the service provider, or relying party, as a connected app with OpenID Connect. Your org can then authenticate users so they can log in to the relying party.
For example, you want your users to be able to log in to a custom app that implements OpenID Connect with their Salesforce credentials. So you integrate it as a connected app with OpenID Connect. Your users can now log in to the custom app with their Salesforce credentials.
See Integrate Service Providers as Connected Apps with OpenID Connect.
Configuration Help
- Integrate Service Providers as Connected Apps with OpenID Connect
To integrate a service provider with Salesforce, you can use a connected app that implements OpenID Connect for user authentication. To use this option, the service provider must accept OpenID Connect tokens. Configure a connected app with the OpenID Connect scope for your service provider. The OpenID Connect scope passes user information in an ID token. Users can then log in to the external app with their Salesforce or Experience Cloud site credentials.
- Salesforce as a SAML Identity Provider
Set up single sign-on (SSO) by using your Salesforce org or Experience Cloud site as a SAML identity provider for an external service provider, such as Google Apps. In this SSO configuration, users log in to the service provider with their Salesforce credentials. To set up this configuration, enable Salesforce as an identity provider and integrate your service provider using the external client apps framework or the connected apps framework.
- Salesforce as an OpenID Connect Identity Provider
Unlike with SAML single sign-on (SSO), when you integrate a service provider, or relying party, with OpenID Connect, you don’t enable Salesforce as an identity provider. You can integrate the service provider as a connected app with OpenID Connect. Your org can then authenticate users so that they can log in to the relying party.
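The relying-party side of the ID token hand-off described under Integrate Service Providers as Connected Apps with OpenID Connect, as an added example that is not Salesforce code: the claim checks from OpenID Connect Core section 3.1.3.7 that a relying party applies before logging a user in. The function name, issuer URL, client ID, nonce, and clock-skew value are constructed placeholders, and the claims are assumed to come from a token whose signature was already verified against the identity provider's published keys.

```python
import hmac
import time

CLOCK_SKEW = 60  # tolerated clock drift in seconds (assumed value)

def check_id_token_claims(claims, issuer, client_id, expected_nonce, now=None):
    """Return the names of claims that fail validation; [] means acceptable.

    `claims` must be the payload of an ID token whose signature has ALREADY
    been verified; this function does not check the signature itself.
    """
    now = time.time() if now is None else now
    problems = []
    # The token must come from the identity provider we sent the user to.
    if claims.get("iss") != issuer:
        problems.append("iss")
    # aud may be one string or a list; our client ID must be in it.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if client_id not in audiences:
        problems.append("aud")
    # With several audiences, azp must name this client.
    if len(audiences) > 1 and claims.get("azp") != client_id:
        problems.append("azp")
    # Reject expired tokens and tokens issued in the future.
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now >= exp + CLOCK_SKEW:
        problems.append("exp")
    if not isinstance(iat, (int, float)) or iat > now + CLOCK_SKEW:
        problems.append("iat")
    # The nonce ties the token to the login request this session started.
    nonce = claims.get("nonce")
    if not isinstance(nonce, str) or not hmac.compare_digest(
            nonce.encode(), expected_nonce.encode()):
        problems.append("nonce")
    if not claims.get("sub"):
        problems.append("sub")
    return problems

# Constructed sample values, not taken from a real org.
NOW = 1_700_000_000
ISSUER = "https://example.my.salesforce.com"
CLIENT_ID = "your-benefits-client-id"
NONCE = "constructed-nonce-value"
SAMPLE = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "constructed-user-id",
          "exp": NOW + 120, "iat": NOW - 5, "nonce": NONCE}

if __name__ == "__main__":
    print(check_id_token_claims(SAMPLE, ISSUER, CLIENT_ID, NONCE, now=NOW))
```
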

