
Use Experience Cloud Site Endpoints for SAML Single Sign-On with External Users

Publish Date: May 21, 2026
Description

With Salesforce acting as the Service Provider in a SAML Single Sign-On (SSO) implementation, each Experience Cloud site uses its own unique set of login and logout endpoints. External users — including customers, partners, and community members — must authenticate using the endpoint that corresponds specifically to their Experience Cloud site.


When implementing SAML SSO for Experience Cloud, always use the site-specific Community endpoints for all external users. Directing users to the wrong endpoint prevents successful authentication and causes site access errors. All relevant XML elements in the SAML response — including the Destination attribute in the Response element and the Recipient attribute in SubjectConfirmationData — must contain the correct Experience Cloud site endpoint URL (e.g., https://<mydomainvalue>.my.site.com/login), not the internal org login URL.

Resolution

How to Locate Experience Cloud SSO Endpoints

To access your SAML Single Sign-On endpoints, navigate to Setup → Single Sign-On Settings and review the settings as described in View and Edit Single Sign-On Settings.

To view your Community-specific endpoints, expand the For Experience Cloud dropdown below Your Organization on the Single Sign-On Settings page. The endpoints listed use your site's Primary URL (see https://help.salesforce.com/s/articleView?id=sf.custom_url_add.htm&type=5).

Configuring SSO for Multiple Custom Domains

If your organization has multiple custom URLs serving a single Experience Cloud site, select the SSO option for each domain separately via Force.com. Navigate to All Sites → Workspaces → Administration → Pages → Go to Force.com → Login Settings for the non-primary custom URL and adjust the login options for that URL.

Employee Access to Experience Cloud Sites

If your site has the permission "Allow employees to log in directly to an Experience Cloud site" enabled under Login and Registration in Workspaces, employees must also be directed to the site-specific Experience Cloud endpoint for SSO. If this permission is not enabled, employees can access Experience Cloud sites through the App Launcher.

SAML Assertion Endpoint Requirements

In a valid SAML assertion targeting an Experience Cloud site, the following XML attributes must both point to the Experience Cloud site login URL — not the internal org login URL:

  • The Destination attribute in the saml2p:Response element
  • The Recipient attribute in the saml2:SubjectConfirmationData element

For example, both attributes must use the format: https://<mydomainvalue>.my.site.com/login

Verify that your Identity Provider is configured to populate these attributes with the correct Experience Cloud endpoint for each site before going live.
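
One way to run that pre-go-live check is sketched below. This is an added example, not Salesforce code: it decodes a base64 SAMLResponse captured from a test login against your own Identity Provider and compares the Destination and Recipient attributes with the site login URL copied from the For Experience Cloud section. The function names, the "example" domain, and the sample responses are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_endpoints(saml_response_b64, expected_url):
    """Return a list of mismatches; an empty list means both attributes are correct."""
    # Only feed this a test response captured from your own IdP.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["saml2p"]:
        return ["root element is not saml2p:Response"]
    problems = []
    if root.get("Destination") != expected_url:
        problems.append("Response Destination=%r" % root.get("Destination"))
    confirmations = root.findall(".//saml2:SubjectConfirmationData", NS)
    if not confirmations:
        problems.append("no SubjectConfirmationData element")
    for scd in confirmations:
        if scd.get("Recipient") != expected_url:
            problems.append("SubjectConfirmationData Recipient=%r" % scd.get("Recipient"))
    return problems

def build_sample(destination, recipient):
    """Constructed, unsigned sample response (not real IdP output)."""
    xml = (
        '<saml2p:Response xmlns:saml2p="%s" xmlns:saml2="%s" Destination="%s">'
        '<saml2:Assertion><saml2:Subject>'
        '<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        '<saml2:SubjectConfirmationData Recipient="%s"/>'
        '</saml2:SubjectConfirmation></saml2:Subject></saml2:Assertion>'
        '</saml2p:Response>'
    ) % (NS["saml2p"], NS["saml2"], destination, recipient)
    return base64.b64encode(xml.encode()).decode()

SITE_LOGIN = "https://example.my.site.com/login"   # placeholder for <mydomainvalue>
ORG_LOGIN = "https://example.my.salesforce.com"    # constructed org-level URL

if __name__ == "__main__":
    for label, dest, rcpt in [("site endpoints", SITE_LOGIN, SITE_LOGIN),
                              ("org endpoints", ORG_LOGIN, ORG_LOGIN),
                              ("mixed", SITE_LOGIN, ORG_LOGIN)]:
        print(label, "->", check_endpoints(build_sample(dest, rcpt), SITE_LOGIN) or "OK")
```

The comparison is an exact string match, so pass the endpoint exactly as it is displayed on the Single Sign-On Settings page for that site.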

View and Edit Single Sign-On Settings

Knowledge Article Number

000395455

 