To use an Auth Provider in Salesforce, you configure an external identity service (like Google, Facebook, or another Salesforce org) to authenticate users logging into your Salesforce instance, streamlining the login process and enhancing security.
What is an Auth Provider in Salesforce?
An Auth Provider, short for Authentication Provider, is a Salesforce feature that enables your users to log in to your Salesforce organization using credentials from a third-party authentication service. This allows for Single Sign-On (SSO) capabilities, making the login experience more convenient and secure by leveraging trusted external identity systems.
Essentially, an Auth Provider acts as a bridge, allowing Salesforce to delegate the authentication process to an external service. When a user tries to log in, Salesforce redirects them to the chosen authentication service, which verifies their identity. Upon successful verification, the user is redirected back to Salesforce and granted access.
Step-by-Step Guide: Setting Up an Auth Provider in Salesforce
Setting up an Auth Provider involves several key steps within Salesforce and often requires configuration in the external identity service as well.
1. Navigate to Setup
- Log in to your Salesforce org as an administrator.
- Click the Gear icon (⚙️) in the upper right corner and select Setup.
2. Find Auth. Providers
- In the Quick Find box on the left, type Auth. Providers.
- Under the Identity section, select Auth. Providers.
3. Create a New Auth Provider
- On the Auth. Providers page, click the New button.
- You will be prompted to select the Provider Type. This determines which external service you're integrating with. For instance, you could choose:
- Salesforce: To allow users to log in using another Salesforce org's credentials.
- Facebook: To allow users to log in with their Facebook accounts.
- Google: To allow users to log in with their Google accounts.
- OpenID Connect: For other services supporting the OpenID Connect standard.
- LinkedIn, Microsoft Access Control Services, Twitter: Other popular options.
For this example, let's choose Salesforce as the provider type.
4. Configure the Auth Provider
The configuration details vary significantly based on the Provider Type chosen.
Example: Setting up Salesforce as an Auth Provider
If you selected Salesforce as the provider type:
- Name: Enter a descriptive name for your Auth Provider (e.g., MyOtherSalesforceOrg).
- URL Suffix: This is automatically populated based on the name.
- Consumer Key: Obtain this from the external Salesforce org you're connecting to (the one acting as the identity provider). You'll typically find this by setting up a Connected App in that org.
- Consumer Secret: Also obtained from the Connected App in the external Salesforce org.
- Authorize Endpoint URL: The URL to which Salesforce redirects users to authorize access to the external Salesforce org. Default is usually https://login.salesforce.com/services/oauth2/authorize.
- Token Endpoint URL: The URL Salesforce uses to request access tokens from the external Salesforce org. Default is usually https://login.salesforce.com/services/oauth2/token.
- User Info Endpoint URL: (Optional) The URL to retrieve user profile information from the external Salesforce org. Default is usually https://login.salesforce.com/services/oauth2/userinfo.
- Default Scopes: Define the permissions (e.g., id, api, full) that Salesforce requests from the external org.
- Registration Handler: (Crucial for JIT provisioning) Select or create an Apex class that handles user creation and updates when they log in for the first time via this Auth Provider.
- If you don't have one, Salesforce can generate a template.
- This handler determines how new users are provisioned in your Salesforce org.
- Execute Registration As: Choose a user who has the necessary permissions to create or update users in Salesforce. This user will execute the Registration Handler.
- Icon URL: (Optional) Provide a URL for an icon to display on the login page.
- Click Save.
5. Generate Authentication Configuration URLs
After saving, Salesforce generates several URLs:
- Test-Only Initialization URL: Use this to test your Auth Provider setup.
- Single Sign-On Initialization URL: The URL to initiate SSO from an external application to your Salesforce org.
- Existing User Link URL: Used to link existing Salesforce users to their external accounts.
- OAuth Only Initialization URL: For specific OAuth flows.
- Callback URL: The URL to which the external service redirects after authentication. You will provide this URL to the external identity provider during its setup.
6. Integrate with External Service (or Salesforce Org)
Take the Callback URL provided by Salesforce and configure it within your external identity service (e.g., the Connected App in your other Salesforce org, or the app settings in Google/Facebook). This tells the external service where to send users back after they've authenticated.
7. Test the Setup
- Copy the Test-Only Initialization URL generated by Salesforce.
- Paste it into a browser and press Enter.
- You should be redirected to the external service's login page.
- After successfully logging in with your external credentials, you should be redirected back to Salesforce. A confirmation page will show the authentication details and user information retrieved.
- If successful, the Auth Provider is ready to be used on your Salesforce login page or within custom applications.
Common Auth Provider Types
Salesforce supports a variety of Auth Provider types to cater to different integration needs:
| Provider Type | Description | Common Use Case |
|---|---|---|
| Salesforce | Authenticates users against another Salesforce organization. | Enabling SSO between multiple Salesforce orgs (e.g., sandbox to production, or different business units). |
| Facebook | Authenticates users using their Facebook credentials. | Allowing community users or customers to log in using their social media accounts. |
| Google | Authenticates users using their Google (Gmail) credentials. | Similar to Facebook, providing a common, easy login for communities or customer portals. |
| OpenID Connect | A flexible authentication layer on top of OAuth 2.0, supporting many identity providers. | Integrating with corporate identity systems or other standard-compliant providers (e.g., Okta, Azure AD). |
| LinkedIn, Twitter | Authenticates users using their respective social media credentials. | Offering diverse social login options for customer-facing applications. |
| Microsoft Access Control Services | For integration with Microsoft identity services. | Enterprises utilizing the Microsoft ecosystem for identity management. |
| Custom | Allows you to define your own custom OAuth 2.0 provider if no standard type fits your needs. | Integrating with proprietary or highly specialized identity management systems. |
Key Considerations for Auth Providers
- Registration Handlers (Apex Class): These are vital for automatically provisioning users who log in via the Auth Provider for the first time. The handler can:
- Create new Salesforce users.
- Update existing users.
- Assign profiles, permission sets, or roles based on external identity data.
- Link external user IDs to Salesforce contacts or accounts.
- Ensure data consistency and security.
- Custom Attributes: You can configure custom attributes to retrieve additional user information from the external provider, which can then be used by the Registration Handler.
- JIT (Just-in-Time) Provisioning: With a well-configured Registration Handler, Salesforce can automatically create user accounts the first time a user logs in via the Auth Provider. This eliminates the need for manual user creation, saving administrative effort.
- Security: Keep the Consumer Key and Consumer Secret confidential, and make sure the Callback URL registered with the external service matches the one Salesforce generated exactly. Test thoroughly before deploying to production.
- Login Page Integration: Once configured, you can add the Auth Provider as a login option to your Salesforce organization's login page, experience sites, or communities. This is done through My Domain settings under Authentication Configuration.
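The Registration Handler selected in step 4 and described under Key Considerations is an Apex class implementing Auth.RegistrationHandler. The following class is an added example, not code from the page or a Salesforce-generated template; it assumes a profile named Standard User exists, that only e-mails at the placeholder domain example.com may be provisioned, that the provider string reported for a Salesforce-type Auth Provider is 'Salesforce', and that the Federation ID field is used to store the external user ID.

```apex
// Added example, not the page's or Salesforce's code. Assumptions: a profile
// 'Standard User' exists, only e-mails at example.com (placeholder) may be
// provisioned, and Federation ID stores the external user ID.
global class ExampleRegistrationHandler implements Auth.RegistrationHandler {
    public class RegistrationException extends Exception {}
    private static final String ALLOWED_DOMAIN = 'example.com';  // placeholder
    private static final String EXPECTED_PROVIDER = 'Salesforce';

    // Fail closed: only identities from the expected provider with an
    // allow-listed e-mail domain may be provisioned or updated.
    private void validate(Auth.UserData data) {
        if (data.provider != EXPECTED_PROVIDER || String.isBlank(data.identifier)) {
            throw new RegistrationException('Unexpected provider or empty identifier');
        }
        if (String.isBlank(data.email)
                || !data.email.toLowerCase().endsWith('@' + ALLOWED_DOMAIN)) {
            throw new RegistrationException('E-mail domain not allowed: ' + data.email);
        }
    }

    // First login through this Auth Provider (JIT provisioning).
    global User createUser(Id portalId, Auth.UserData data) {
        validate(data);
        // Link an existing user with this Federation ID rather than duplicating it.
        List<User> linked = [SELECT Id FROM User
                             WHERE FederationIdentifier = :data.identifier LIMIT 1];
        if (!linked.isEmpty()) {
            return linked[0];
        }
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
        User u = new User();
        // Usernames are unique across all orgs, so derive one from the external ID.
        u.Username = data.identifier + '@' + ALLOWED_DOMAIN + '.sso';
        u.Email = data.email;
        u.FirstName = data.firstName;
        u.LastName = String.isBlank(data.lastName) ? 'User' : data.lastName;
        u.Alias = data.identifier.right(8);
        u.FederationIdentifier = data.identifier;
        u.ProfileId = p.Id;
        u.TimeZoneSidKey = 'America/Los_Angeles';
        u.LocaleSidKey = 'en_US';
        u.LanguageLocaleKey = 'en_US';
        u.EmailEncodingKey = 'UTF-8';
        return u;  // Salesforce inserts the record and links it to the external ID
    }

    // Later logins: sync contact details only; never change profile or
    // permissions from attributes the external service controls.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        validate(data);
        update new User(Id = userId, FirstName = data.firstName,
                        LastName = data.lastName, Email = data.email);
    }
}
```

The user chosen under Execute Registration As runs this class, so it needs permission to create and edit users, and the Test-Only Initialization URL from step 7 exercises createUser on the first run and updateUser on subsequent ones.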
By effectively utilizing Auth Providers, Salesforce administrators can greatly simplify user management and improve the login experience across various Salesforce environments and integrated applications.