Setting up Environment Hub takes coordination between the hub admin and each member org admin. The steps below cover the first-time enrollment process for a member org and the subsequent SSO testing.
- Enable Environment Hub in the hub org
Setup > Environment Hub > Enable Environment Hub. The hub org is typically the Partner Business Org for ISVs or the main org for enterprises.
- Identify the member org
Gather the member org's My Domain URL or Org ID. The member org must be a Salesforce production, sandbox, or Developer Edition org; trial orgs may have restrictions.
- Initiate the connection from the hub
Setup > Environment Hub > Connect Org. Enter the member org URL or Org ID, choose Hub-Initiated SSO settings, and click Connect.
- Approve from the member org
A user with Modify All Data in the member org receives a notification or visits the OAuth Connected Apps page to approve the trust. Approval is one-time per hub-member pair.
- Verify the connection
Back in the hub, refresh the Environment Hub page. The member org should show Connected with no warnings. Investigate any warnings before proceeding.
- Test SSO with a known user
Log in to the hub as a user who exists in both orgs with a matching email. Click the member org from the Environment Hub page. The user should land in the member org without re-authentication.
- Grant Use Environment Hub permission
Create a permission set that includes Use Environment Hub and assign it to users who need cross-org navigation. Audit assignments quarterly to avoid permission drift.
User starts in the hub and clicks into the member org. The default mode; the simplest navigation flow.
User starts in the member org and authenticates through the hub. Useful for users who land in a member URL directly.
Default. Matches hub user to member user by email address. Works when emails are consistent.
Alternative. Matches by Federation ID field. Use when emails differ between orgs (different domain per business unit).
Create new member orgs directly from the hub. Partner-only feature for Partner Business Orgs.
- Users must exist in both the hub and the member org with matching email for SSO to work. Onboarding a new user means provisioning them in every relevant member org.
- Approval from the member org requires Modify All Data. A self-service enrollment is not possible; you need a cooperating admin on the member side.
- The Use Environment Hub permission grants click-through to every connected member. Over-permissive assignment is the single largest security risk; audit quarterly.
- The hub does not federate identity, just navigation. Users still log into each member org as separate identities; permissions and field-level security are per-org.
- Some org types (Trial Orgs in specific regions, certain restricted editions) cannot be enrolled. Confirm enrollment eligibility before promising the workflow to stakeholders.
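A pre-flight check for the user-matching requirement above, added here as an example and not part of Salesforce's tooling: it compares user exports from the hub and a member org and reports which hub users have exactly one match, no match, or several candidate matches under either the email or the Federation ID method. The CSV rows are constructed sample data, `check_mapping` is a hypothetical helper, and the case-insensitive comparison is an assumption; the column names are the standard User fields `Username`, `Email`, `FederationIdentifier` and `IsActive`.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports of the User object from each org.
HUB_CSV = """Username,Email,FederationIdentifier,IsActive
ana@hub.example,ana@corp.example,E1001,true
bo@hub.example,bo@corp.example,E1002,true
cy@hub.example,cy@corp.example,,true
di@hub.example,di@corp.example,E1004,false
"""
MEMBER_CSV = """Username,Email,FederationIdentifier,IsActive
ana@dev.example,Ana@Corp.example,E1001,true
bo@dev.example,bo@unit.example,E1002,true
cy1@dev.example,cy@corp.example,,true
cy2@dev.example,cy@corp.example,,true
"""

def load(text):
    """Return active users only; inactive users cannot log in at all."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if r["IsActive"].lower() == "true"]

def check_mapping(hub_csv, member_csv, key="Email"):
    """Classify each active hub user as matched, missing or ambiguous."""
    index = defaultdict(list)
    for user in load(member_csv):
        value = user[key].strip().lower()  # assumption: case-insensitive match
        if value:                          # blank keys can never match
            index[value].append(user["Username"])
    report = {"matched": {}, "missing": [], "ambiguous": {}}
    for user in load(hub_csv):
        value = user[key].strip().lower()
        hits = index.get(value, []) if value else []
        if len(hits) == 1:
            report["matched"][user["Username"]] = hits[0]
        elif not hits:
            report["missing"].append(user["Username"])    # provision or fix the key
        else:
            report["ambiguous"][user["Username"]] = sorted(hits)  # review by hand
    return report

if __name__ == "__main__":
    for key in ("Email", "FederationIdentifier"):
        print(key, check_mapping(HUB_CSV, MEMBER_CSV, key))
```

Running it against both keys before choosing a mapping method shows which method leaves fewer users unmatched; in the sample data the user whose email differs per business unit only matches by Federation ID.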