The setup is sequential: create the Auth Provider in Salesforce, copy the callback URL to the IdP, configure the OAuth client at the IdP, copy the client ID and secret back to Salesforce, write or pick the Registration Handler, test. Each step depends on the previous; skipping a step produces an opaque failure at runtime.
- Pick the provider type. Setup, Auth. Providers, New. Pick from the pre-built list (Google, Facebook, Microsoft) or OpenID Connect for anything else. The choice pre-fills the authorization and token endpoints.
- Save the provider to get the callback URL. Save with a placeholder client ID and secret. The Salesforce-generated callback URL appears in the saved record. Copy this URL.
- Register an OAuth client at the IdP using the callback URL. Open the IdP admin console (Google Cloud Console, Microsoft Entra, Okta admin, etc.). Create a new OAuth client. Paste the Salesforce callback URL as the authorized redirect URI.
- Copy the IdP client ID and client secret back to Salesforce. Edit the Salesforce Auth Provider record. Paste the IdP client ID and client secret. Configure the OAuth scopes you need.
- Write or pick the Registration Handler. The default Registration Handler creates Customer Community users for Experience Cloud. For internal users, write a custom handler that matches by email to existing users and rejects unknown emails.
- Test the flow in a sandbox or with a test user. Hit the Test-Only Initialization URL from the Auth Provider record. Walk the OAuth flow. Confirm the user is created or matched as expected.
- Expose the Login With button on the Salesforce or Experience Cloud login page. For internal Salesforce login: Setup, Identity, My Domain, Authentication Configuration. For Experience Cloud: site Login & Registration page settings. Toggle the Auth Provider as a login option.
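An added example, not code from the original page: a custom Registration Handler of the kind the handler step describes for internal users, written against Salesforce's Auth.RegistrationHandler interface. The class name, the exception type and the email_verified check are assumptions; the handler links only to an existing active internal user with exactly one match and refuses everything else.

```apex
// Added example (not from the original page): match internal users by email,
// reject unknown or ambiguous addresses, never create a user from an IdP login.
global class InternalEmailMatchHandler implements Auth.RegistrationHandler {

    // Thrown to abort the login; Salesforce shows the message on the error page.
    global class UnknownUserException extends Exception {}

    // Called the first time an IdP identity arrives with no existing link.
    global User createUser(Id portalId, Auth.UserData data) {
        String email = (data == null) ? null : data.email;
        if (String.isBlank(email)) {
            throw new UnknownUserException('The IdP did not return an email address.');
        }
        // Assumption: the IdP exposes an email_verified claim in attributeMap
        // (OpenID Connect providers do). Do not link on an unverified address.
        if (data.attributeMap != null
                && data.attributeMap.containsKey('email_verified')
                && data.attributeMap.get('email_verified') != 'true') {
            throw new UnknownUserException('The IdP has not verified this email address.');
        }
        // UserType = 'Standard' restricts the match to internal users, so an
        // external (community) record with the same email can never be linked.
        List<User> matches = [
            SELECT Id FROM User
            WHERE Email = :email AND IsActive = true AND UserType = 'Standard'
            LIMIT 2
        ];
        if (matches.size() != 1) {
            // Zero matches: unknown person. Two matches: ambiguous; refuse rather than guess.
            throw new UnknownUserException(
                'No unique active internal user for ' + email + '. Contact your administrator.');
        }
        // Returning the existing record links it; Salesforce stores the
        // ThirdPartyAccountLink so later logins go straight to updateUser.
        return matches[0];
    }

    // Called on every later login for an already linked identity.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        // Intentionally empty: profile, role and permission changes stay under
        // Salesforce admin control and are not pushed in from the IdP.
    }
}
```

Because createUser never inserts a User, the handler cannot consume licenses or create duplicates; the trade-off, as noted under the pitfalls, is that a genuine first-time user with no pre-provisioned Salesforce record is rejected.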
- Provider type: Google, Facebook, LinkedIn, Microsoft, Apple, Twitter, GitHub, Slack, or OpenID Connect. Pick the named type when possible.
- Client ID and client secret: credentials obtained from registering an OAuth client at the IdP. Stored encrypted in the Auth Provider record.
- Registration Handler: Apex class that decides user-create vs match vs reject for new logins. The most consequential configuration on the record.
- Scopes: OAuth permission strings Salesforce requests from the IdP. Request the minimum needed.
- Login option visibility: whether the Auth Provider appears on internal Salesforce login, Experience Cloud login, or both.
- Sandbox callback URLs differ from production. Each environment needs its own OAuth client at the IdP; configuring only for production leaves sandbox flows broken.
- The Registration Handler is the single most consequential part of the setup. A handler that creates users without matching to existing ones produces duplicate users; a handler that rejects unknown emails locks out legitimate first-time logins.
- License consumption depends on what type of user the handler creates. Internal user creation consumes internal licenses; external user creation consumes External Identity or Community licenses. Plan accordingly.
- Over-requesting scopes is a security review red flag in B2B contexts. Request the minimum scopes the org actually uses.
- Auth Providers and SAML SSO are configured in different Setup areas. An org running both for different user populations must keep them documented separately.