Salesforce Identity

Find resources on Salesforce Identity, discuss use cases/issues, and ask questions on Identity and Access Management (IAM) topics including login, 2-factor authentication, Active Directory integration, mobile authentication, single sign-on (SSO), social sign-on, App Launcher, user provisioning into Salesforce, and standards support of SAML, OAUTH, OpenID Connect.

Join the Conversation

Recent Posts

Jeffery Thomas

We have a community-based application where there are 2 group of users: one group is restricted only to the community app, while the other group uses both the community app and regular SF. We would like to use Okta as the IDP, and build two separate Okta apps - one for the community-only group, and one for the internal users + community group. We need separate apps because we need provisioning for the community-only group, but not for the internal users + community group. We are not having success with this configuration. It appears to be an "audience restriction" conflict because we have two SF SSO configurations with the same Entity ID. Is what we are thinking at all feasible? To make it more complicated, we also want another Okta app pointing to the SF org for the internal users - including provisioning. More

7 days ago · 2 comments · 2 likes

Jim Rae

Can anyone share any experiences / examples where they have implemented External Identity with Embedded Login, AND allow single sign on to multiple SPs? Basically, our use case is we have Salesforce External Identity setup as the IDP and we have multiple SPs that need to share the same login/authentication. The flow would be to launch the portal (non-salesforce) and login using "Embedded Login" (we have this working). Then, we need the user to click on a link that redirects them to a new SP site, authenticated with the same credentials as they already had. Similar to using the App Launcher, but without the end-user ever seeing the app launcher page. Thanks in advance! More

20 days ago · 15 comments · 2 likes

Joanna Iturbe

We have had SSO enabled for our internal Salesforce org for years, and we have student workers who use this to log in and do work for us. We just launched our first phase of Communities last week, which also leverages SSO; however, the few student workers who have internal logins for us cannot log into both with SSO. Is it possible to somehow allow them to be able to log into both the community and our internal org via SSO? If so, how? If not, what is best practice for them to be able to intuitively log into both? @Kelly Hamilton More

21 days ago · 6 comments · 1 likes

Michael Morgan

We are performing Chrome 80 testing of SameSite, which is breaking Salesforce SAML IdP redirects within an iframe. When testing single sign-on using a Connected App with Salesforce as the SAML identity provider, the request to `*{}&RelayState={}` is unable to write a cookie due to not specifying SameSite of `None; Secure`. As prescribed by Chrome, went to chrome://flags in Chrome 76+ and enabled “SameSite by default cookies” and “Cookies without SameSite must be secure” experiments. Due to the above, it appears all Salesforce single sign-on using SAML within an iframe will fail once Chrome 80 with SameSite is released. Is anyone else experiencing this? If so, are there any known workarounds (other than Salesforce making changes to their cookies)? Thank you! More

24 days ago · 11 comments · 1 likes