
Guidelines for switching from one External Identity Provider to another

Publication date: Jul 25, 2025
Task

GOAL

What are the guidelines to follow when switching over to a new SSO (External Identity) provider?
Steps
  1. Log in as a non-SSO organization administrator.
    • Note: In the case of GovCloud there is no concept of a non-SSO user; the first user to log in to the SSO account is the org owner, who is also the org admin.
    • Refer to ADDITIONAL INFORMATION FOR GovCloud below.
  2. Double-check that the new identity provider is supported before starting your migration. Check which providers are supported.
  3. Make sure you have a non-SSO user in the master organization who is an organization admin.
  4. Check that you are able to meet the prerequisites listed in the documentation.
  5. Test the migration/change:
    • In a temporary trial account before making the change.
    • Or add one more IdP in Anypoint. This way, when a user logs in using the organization login URL, they are given the choice of which IdP to use.
  6. Back up your existing configuration values in a doc.
  7. The IdP you select is effective for the entire organization and all of its business groups.
  8. For a SAML-based IdP, work with the SSO IdP to check whether the issuer + audience + username combination can be reused, as described in SAML Based SSO IdP Migration/Changing Consideration and Guideline.
  9. Use role mapping instead of manually granting roles/permissions to federated users individually.
  10. If contract applications existed under your previous IdP, they will continue to exist under the new one. They remain accessible to any user with API Manager permissions, but ownership of these contracts will need to be moved to the new users.
  11. You cannot pre-provision users. Users are created the moment they log in from the new IdP.
  12. Permissions using external role mapping will need to be configured again. If you need to map your role to the corresponding group on the SSO side
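As an added example (not from the article or from MuleSoft), the Python script below carries steps 6 and 8 through for a SAML-based IdP: it extracts the issuer (entityID), NameID format, SSO URL and signing certificate from the metadata of the current and candidate IdPs, produces a backup record of the current values, and flags what changes. The two metadata documents and the audience value (the Anypoint-side SP entity ID) are constructed samples; the script assumes both IdPs publish standard SAML 2.0 metadata. The username value itself only appears in a live assertion, so that part of the combination is confirmed with the test login from step 5.

```python
"""Pre-migration check for a SAML IdP switch: extract the identity-relevant
values from the old and new IdP metadata, back them up as JSON, and flag
differences that break the issuer + audience + username combination.
Added example; not part of the article. The metadata documents are
constructed samples and the audience (Anypoint SP entity ID) is assumed."""
import hashlib
import json
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def _sample_metadata(entity_id: str, cert: str, nameid: str, sso_url: str) -> str:
    """Build a minimal constructed IdP metadata document (sample data only)."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="{entity_id}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>{nameid}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="{sso_url}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


# Constructed samples: IDP1 (current) and IDP2 (candidate) differ in issuer,
# signing certificate, NameID format and SSO URL.
OLD_IDP_METADATA = _sample_metadata(
    "https://idp1.example.test/saml", "MIIB...oldcert...",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "https://idp1.example.test/sso")
NEW_IDP_METADATA = _sample_metadata(
    "https://idp2.example.test/saml", "MIIB...newcert...",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "https://idp2.example.test/sso")


def idp_profile(metadata_xml: str) -> dict:
    """Pull issuer (entityID), NameID format, redirect SSO URL and a signing
    certificate fingerprint out of standard SAML 2.0 IdP metadata."""
    root = ET.fromstring(metadata_xml)
    sso = root.find("md:IDPSSODescriptor", NS)
    if sso is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    cert = sso.findtext(
        "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
        default="", namespaces=NS)
    # Fingerprint of the base64 certificate text: enough to detect a key change.
    fingerprint = hashlib.sha256("".join(cert.split()).encode()).hexdigest()[:16]
    sso_url = ""
    for svc in sso.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_REDIRECT:
            sso_url = svc.get("Location", "")
    return {
        "issuer": root.get("entityID", ""),
        "nameid_format": sso.findtext("md:NameIDFormat", default="", namespaces=NS),
        "sso_url": sso_url,
        "signing_cert_sha256": fingerprint,
    }


def backup_json(profile: dict, audience: str) -> str:
    """Step 6: serialise the current values so they can be kept in a doc."""
    return json.dumps({"audience": audience, **profile}, indent=2, sort_keys=True)


def compare_idps(old_xml: str, new_xml: str, audience: str) -> dict:
    """Step 8: list what changes between the IdPs. The audience (SP entity ID)
    is the Anypoint side and stays constant; the issuer and NameID format
    must also survive for existing federated identities to keep matching."""
    old, new = idp_profile(old_xml), idp_profile(new_xml)
    changed = [(k, old[k], new[k]) for k in old if old[k] != new[k]]
    reusable = (old["issuer"] == new["issuer"]
                and old["nameid_format"] == new["nameid_format"])
    return {"audience": audience, "changed": changed,
            "identity_tuple_reusable": reusable}


if __name__ == "__main__":
    AUDIENCE = "https://anypoint.example.test/sp"  # assumed SP entity ID
    print(backup_json(idp_profile(OLD_IDP_METADATA), AUDIENCE))
    report = compare_idps(OLD_IDP_METADATA, NEW_IDP_METADATA, AUDIENCE)
    for key, before, after in report["changed"]:
        print(f"{key}: {before!r} -> {after!r}")
    if not report["identity_tuple_reusable"]:
        print("issuer/NameID format differ: existing federated users will not "
              "match; plan for the duplicate-user scenario before switching")
```

Run it against the real metadata exported from both IdPs; a non-empty `changed` list for `issuer` or `nameid_format` is the signal to involve the IdP team before the switch, since that is exactly the case the duplicate-user scenario in the GovCloud section describes.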

ADDITIONAL INFORMATION FOR GovCloud

  1. Let's say that you have IDP1 configured and are migrating to IDP2.
    1. The first person, User1, to sign in using the original IDP1 is assigned as the Org Owner, who is also an Org Admin.
    2. User1 or any other organization admin can do the configuration for IDP2.
  2. Since there are existing users in the Anypoint org created via IDP1, the first user to log in via IDP2 does not automatically become org owner. (This only happens in the duplicate-user scenario; see External identity migration - How to prevent duplicate users being created.)
    • An organization admin from IDP1 should make a user from IDP2 the org owner/admin. This step is needed if IDP1 is no longer in use.

ADDITIONAL INFORMATION

Knowledge Article Number

001116317

Salesforce Help | Article