Identity Providers and Service Providers

An identity provider is a trusted provider that enables a customer to use single sign-on to access other websites. A service provider is a website that hosts apps. Customers can enable Salesforce as an identity provider, then define one or more service providers, so their users can access other apps directly from Salesforce using single sign-on. This can be a great help to users: instead of having to remember many passwords, they only have to remember one.

Salesforce is automatically enabled as an identity provider when a domain is created. After a domain is deployed, admins can add or change identity providers and increase security for their organization by customizing their domain’s login policy.

Enabling Salesforce as an identity provider requires a Salesforce certificate and key pair that is either signed by an external certificate authority (CA-signed) or self-signed. If customers haven’t generated a Salesforce certificate and key pair, one is automatically created for them when they enable Salesforce as an identity provider. They can also pick an already generated certificate or create a new one.

Salesforce uses the SAML 2.0 standard for single sign-on and generates SAML assertions when configured as an identity provider.

See “About Identity Providers and Service Providers” for more information.
