Auth. Providers configure social login (Google, Facebook, Apple) or OpenID Connect login for Salesforce — letting external consumers log into Experience Cloud sites with their existing accounts. They're separate from SAML SSO Settings (which target enterprise IdPs).
- Decide on the Provider Type and register a developer app on the provider
Google / Facebook / Apple / Twitter / LinkedIn / OpenID Connect / Custom. You'll need a Client ID + Client Secret from the provider's developer console.
- Open Setup → Auth. Providers → New
Setup gear → Quick Find: Auth. Providers → Auth. Providers.
- Pick the Provider Type
Drop-down. For non-listed providers, OpenID Connect is the generic option.
- Set Name, URL Suffix, Consumer Key, Consumer Secret
URL Suffix becomes part of the callback URL Salesforce gives you to register on the provider side. Pick a short, readable suffix.
- (For Custom / OpenID Connect) set Authorize Endpoint URL, Token Endpoint URL, User Info Endpoint URL, Default Scopes
The provider's docs will list each. Without these, the OIDC flow fails.
- (Optional) Set Registration Handler
An Apex class implementing Auth.RegistrationHandler that runs on first login — controls Just-in-Time user creation. Skip if users already exist.
- Save
Salesforce gives you the Salesforce-specific callback URL. Register that URL on the provider's developer console as the OAuth redirect URI.
- Test the login button
Add the provider to your Experience Cloud site's login page → click Login with [Provider] → complete the round-trip → verify that the user lands in the site logged in.
| Field | Notes |
| --- | --- |
| Provider Type | Google / Facebook / Apple / Twitter / LinkedIn / OpenID Connect / Custom (Apex). OIDC is the generic option for any modern IdP. |
| Consumer Key / Consumer Secret | From the provider's developer console. Required. |
| URL Suffix | Becomes part of the callback URL. Convention: lowercase, hyphenated, descriptive. |
| Default Scopes | OAuth scopes Salesforce requests from the provider. "profile email openid" is the OIDC standard. |
| Registration Handler | Apex class for JIT user creation. Optional but powerful. |
- The Salesforce-emitted callback URL (Initialization URL or Single Sign-On Initialization URL) must match exactly on the provider side — including HTTPS and trailing slash. A mismatch fails the login with only a generic error and no useful detail.
- Google / Facebook / Apple keep changing their OAuth requirements. If your auth was working a year ago and stopped, the provider updated its requirements and you need to refresh the app config — not a Salesforce bug.
- Registration Handler runs every JIT login. A buggy handler blocks user creation entirely. Test the handler with a junk user before pushing to production.
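An added example of the Registration Handler referred to in the setup step and in the gotcha above (not Salesforce's template code or any project's own): it implements Auth.RegistrationHandler for JIT creation of an Experience Cloud user and refuses to create one when the provider sent no email or an explicitly unverified one. The account name, portal profile name and username domain are hypothetical placeholders; rename them to match your org.

```apex
// Added example, not Salesforce's or any project's code. Assumes an Account named
// 'Self-Registered Customers' and a portal profile named 'Customer Community User'
// exist in the org, and uses 'example.com' as the username domain (all hypothetical).
global class SocialRegistrationHandler implements Auth.RegistrationHandler {

    private static final String PORTAL_ACCOUNT = 'Self-Registered Customers';
    private static final String PORTAL_PROFILE = 'Customer Community User';
    private static final String USERNAME_DOMAIN = 'example.com';

    public class RegistrationException extends Exception {}

    // Called on first login only. Builds (but does not insert) the User record;
    // throwing here aborts JIT creation, which is exactly what we want for bad data.
    global User createUser(Id portalId, Auth.UserData data) {
        // Defensive check: no email, or a provider that says email_verified=false
        // (an OIDC claim Salesforce exposes via attributeMap), means no new account.
        String verified = data.attributeMap == null ? null : data.attributeMap.get('email_verified');
        if (String.isBlank(data.email) || 'false'.equalsIgnoreCase(verified)) {
            throw new RegistrationException('Provider did not supply a verified email');
        }

        // Always create a fresh Contact under the shared portal Account. Do not
        // link to an existing Contact by email: a matching address is not proof of
        // ownership and would let one provider identity attach to another person's record.
        Account acct = [SELECT Id FROM Account WHERE Name = :PORTAL_ACCOUNT LIMIT 1];
        Contact c = new Contact(
            AccountId = acct.Id,
            FirstName = data.firstName,
            LastName  = String.isBlank(data.lastName) ? 'Unknown' : data.lastName,
            Email     = data.email);
        insert c;

        Profile p = [SELECT Id FROM Profile WHERE Name = :PORTAL_PROFILE LIMIT 1];
        User u = new User();
        u.ContactId = c.Id;
        u.ProfileId = p.Id;
        // Username must be globally unique across all Salesforce orgs; derive it from
        // the provider name plus its opaque subject identifier rather than the raw email.
        u.Username = data.provider.toLowerCase() + '.' + data.identifier + '@' + USERNAME_DOMAIN;
        u.Alias = ('sl' + data.identifier).replaceAll('[^a-zA-Z0-9]', 'x').left(8);
        u.Email = data.email;
        u.FirstName = data.firstName;
        u.LastName = c.LastName;
        u.LanguageLocaleKey = 'en_US';
        u.LocaleSidKey = 'en_US';
        u.EmailEncodingKey = 'UTF-8';
        u.TimeZoneSidKey = 'America/New_York';
        return u;
    }

    // Called on every later login: refresh display fields only, never the
    // profile, contact link or username, which the provider must not be able to steer.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = new User(Id = userId);
        if (!String.isBlank(data.firstName)) u.FirstName = data.firstName;
        if (!String.isBlank(data.lastName)) u.LastName = data.lastName;
        update u;
    }
}
```

Exercise it with a throwaway provider account before pointing production at it: the first login should create the Contact and User, and a provider response without an email should fail the login rather than create a half-populated user.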