Salesforce as a Service Provider
Configure single sign-on (SSO) so users can log in to your Salesforce org with their credentials from an identity provider or authentication provider. For this use case, you can define an identity provider with Security Assertion Markup Language (SAML). You can also use a predefined authentication provider, configure an OpenID Connect authentication provider, or create a custom authentication provider.
Required Editions
Available in: both Salesforce Classic and Lightning Experience
Federated Authentication is available in: All Editions
Delegated Authentication is available in: Professional, Enterprise, Performance, Unlimited, Developer, and Database.com Editions
Authentication Providers are available in: Professional, Enterprise, Performance, Unlimited, and Developer Editions
Define an Identity Provider with SAML
SAML is an open-standard authentication protocol that Salesforce uses for authentication with SSO. You can also use SAML to automatically create user accounts with Just-in-Time (JIT) provisioning. If your company already has an identity provider that uses SAML, you can configure Salesforce as the service provider. The identity provider then authenticates your org’s users.
When you configure Salesforce as the service provider using SAML, authenticated users can flow from a third-party identity provider into Salesforce.
For example, your company’s IT department uses Microsoft Active Directory (AD) as its identity provider. A user navigates to the org’s login page to log in. Behind the scenes, the org acting as the service provider sends the user to Microsoft AD with a SAML request. Microsoft AD returns a SAML response containing the SAML assertion that authenticates the user. The user is logged in and taken to the org’s home page.
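The SP-initiated exchange described above, as an added Python sketch (not Salesforce code): it builds the SAML request, encodes it for the HTTP-Redirect binding, and shows the correlation checks a service provider applies to the returned response. The binding choice, function names, and `example.test` URLs are assumptions; signature verification of the response is out of scope here and must succeed before these checks are trusted.

```python
import base64, secrets, urllib.parse, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def build_authn_request(sp_entity_id, acs_url, idp_sso_url):
    """Return (request_id, xml) for an SP-initiated login."""
    request_id = "_" + secrets.token_hex(16)  # unguessable; keep it in the user's session
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url, "AssertionConsumerServiceURL": acs_url})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return request_id, ET.tostring(req, encoding="unicode")

def redirect_url(idp_sso_url, xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    deflater = zlib.compressobj(wbits=-15)  # -15 = raw DEFLATE, no zlib header
    raw = deflater.compress(xml.encode()) + deflater.flush()
    query = urllib.parse.urlencode(
        {"SAMLRequest": base64.b64encode(raw).decode(), "RelayState": relay_state})
    return f"{idp_sso_url}?{query}"

def decode_redirect(url):
    """Inverse of redirect_url, as the identity provider would decode it."""
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), wbits=-15).decode()

def response_matches(response_xml, expected_request_id, sp_entity_id, acs_url):
    """Correlation checks only: the response answers our request, was sent to
    our ACS URL, and the assertion names us as audience. Production code should
    use a hardened XML parser and verify the signature first."""
    root = ET.fromstring(response_xml)
    audience = root.find(f".//{{{SAML}}}Audience")
    return (root.get("InResponseTo") == expected_request_id
            and root.get("Destination") == acs_url
            and audience is not None and audience.text == sp_entity_id)

if __name__ == "__main__":
    # Constructed placeholder endpoints, not real Salesforce or IdP URLs.
    rid, xml = build_authn_request("https://sp.example.test",
                                   "https://sp.example.test/acs",
                                   "https://idp.example.test/sso")
    print(redirect_url("https://idp.example.test/sso", xml, "/home"))
```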
Use an Authentication Provider
In addition to SSO, most authentication providers you can set up for your org also support authorization to access third-party data. Because many authentication providers are used for SSO from social networking apps, like Facebook, this SSO solution is also known across Salesforce as social sign-on. Salesforce offers three ways to use authentication providers:
- Use a predefined authentication provider.
- Set up an authentication provider that supports OpenID Connect.
- Create a custom authentication provider for a third party that supports OAuth 2.0.
Salesforce provides several predefined authentication providers, which are already set up. Predefined authentication providers use their own authentication protocols, which are similar to OpenID Connect.
You can also set up an authentication provider for a third party that supports OpenID Connect, such as Amazon or PayPal. OpenID Connect is an open-standard authentication protocol layered on top of the OAuth 2.0 authorization protocol.
Or, you can implement Apex to create a custom authentication provider for any third party that uses OAuth 2.0 for authorization.
Here’s an example of how you can use an authentication provider. You want users to log in to your org with their Google account credentials and then access their Google Drive. So you configure Google as an authentication provider for the org. When users navigate to the org’s login page, they can select the Google icon. They’re redirected to the Google login page, where they can enter their Google login credentials. After Google authenticates them, the users are asked to approve your org’s access to their Google Drive. After a successful authentication, users are redirected back to your org and logged in. From the org, they can view their Google Drive.
The previous example uses a predefined authentication provider, but OpenID Connect and custom authentication providers work similarly.
Configuration Help
- SAML SSO with Salesforce as the Service Provider
  SAML is an open-standard authentication protocol that Salesforce uses for single sign-on (SSO) into a Salesforce org from a third-party identity provider. You can also use SAML to automatically create user accounts with Just-in-Time (JIT) user provisioning.
- Authentication Provider SSO
  With authentication providers, your users can log in to your Salesforce org or Experience Cloud site with single sign-on (SSO) using credentials from a third party. Authentication providers also give your users access to protected third-party data. Salesforce offers several ways to configure authentication providers, such as with OpenID Connect or with a custom OAuth 2.0 configuration. Which protocol you can use depends on the third party.

