Define an Authentication Provider
To use an authentication provider for single sign-on (SSO), define an authentication provider in Setup by using configuration information from a third-party identity provider. Control security settings, customize the SSO experience with error and logout URLs, and configure registration handler settings. Most authentication providers support single sign-on (SSO) and third-party data access, with the exceptions of GitHub, Microsoft Access Control Service, and X (formerly Twitter).
Required Editions
| Available in: Lightning Experience and Salesforce Classic |
| Available in: Enterprise, Performance, Unlimited, and Developer Editions |
| User Permissions Needed | |
|---|---|
| To view the settings: | View Setup and Configuration |
| To edit the settings: | Customize Application AND Manage Auth. Providers |
Salesforce supports several different ways to set up authentication providers. For common third parties, such as Google and Microsoft, Salesforce providers predefined authentication provider types that can simplify setup. For third parties that don't support OpenID Connect, you can use Apex to create a custom authentication provider. Custom authentication providers give you the most flexibility over your SSO implementation.
Predefined Authentication Provider Types
For these common providers, such as Google and Microsoft, Salesforce provides predefined authentication provider types that can simplify setup.
- Apple
- Bitbucket
- Concur
- GitHub
- Janrain
- Microsoft
- Microsoft Access Control Service
- MuleSoft
- OpenID Connect—this type supports any third party that uses the OpenID Connect protocol.
- Salesforce
- Slack
- X (formerly Twitter)
Custom Authentication Providers
For more flexibility with your SSO implementation, you can create a custom authentication provider with Apex. For example, use a custom authentication provider to set up SSO for a third party that doesn't support OpenID Connect. Custom authentication providers use the OAuth 2.0 protocol.
Authentication Provider Functionality
Here's a summary of provider types and what they support.
| Authentication Provider Type | Supports SSO | Supports Third-Party Data Access |
|---|---|---|
| Apple | Yes | Yes |
| Custom | Yes | Yes |
| Yes | Yes | |
| GitHub | No | Yes |
| Yes | Yes | |
| Janrain | Yes | Yes |
| Yes | Yes | |
| Microsoft | Yes | Yes |
| Microsoft Access Control Service | No | Yes |
| OpenID Connect | Yes | Yes |
| Salesforce | Yes | Yes |
| Slack | Yes | Yes |
| X (formerly known as Twitter) | Yes | No |
Configuration Resources
- Configure an Apple Authentication Provider
Configure Apple as an authentication provider to allow users to log in to Salesforce or Experience Cloud using their Apple ID. - Configure a Facebook Authentication Provider
Configure a Facebook authentication provider so your users can log in to Salesforce using their Facebook credentials. - Configure a Google Authentication Provider
Configure Google as an authentication provider so your users can log in to Salesforce using their Google credentials. - Configure a Janrain Authentication Provider
Configure Janrain as an authentication provider so your users can log in to Salesforce using their Janrain credentials. - Configure a LinkedIn Authentication Provider
Configure LinkedIn as an authentication provider so your users can log in to Salesforce using their LinkedIn credentials. - Configure a Microsoft Authentication Provider
Set up a Microsoft authentication provider so your users can log in to Salesforce with their Microsoft credentials. This provider supports authentication with all services provided by Microsoft Azure Active Directory (AD). - Configure a Microsoft® Access Control Service Authentication Provider
You can use Microsoft Access Control Service as an authentication provider using the OAuth protocol. Typically, a Microsoft Office 365 service like SharePoint® Online handles authorization. SSO authentication from a Microsoft authentication provider isn’t supported. - Configure a Salesforce Authentication Provider
To set up single sign-on (SSO) between two Salesforce orgs, configure a Salesforce authentication provider. Your users can log in to one org, the relying party, by using credentials from an identity provider org. - Configure a Slack Authentication Provider
Configure a Slack authentication provider so your users can log in to Salesforce using their Slack credentials. - Configure an X (Formerly Twitter) Authentication Provider
Configure an X (formerly known as Twitter) authentication provider so that your users can log in to Salesforce from their X account. - Configure an Authentication Provider Using OpenID Connect
To configure single sign-on (SSO) with Salesforce as the relying party for a third-party OpenID provider, set up an authentication provider that implements OpenID Connect. With this configuration, your users can log in to Salesforce from the OpenID provider and authorize Salesforce to access protected data. - Create a Custom External Authentication Provider
To configure single sign-on (SSO) from a third party that supports OAuth but not OpenID Connect, create a custom authentication provider. With a custom authentication provider, users can log in to your Salesforce org with third-party credentials. - Configure a Salesforce-Managed Authentication Provider
To simplify authentication provider setup for sandbox use cases, use Salesforce-managed third-party apps. This process saves you the time and effort of creating your own third-party app and managing its credentials. Salesforce provides third-party apps for several common providers, such as Google, Microsoft, and Slack.
