There is no New Home Organization button. You designate a home org by making it the identity provider that your other orgs trust. Do this work in the org you have chosen as home.
- Enable the home org as an identity provider
In the home org, from Setup, enter Identity Provider in Quick Find and select Identity Provider. Click Enable Identity Provider, pick a certificate, and save. Download the identity-provider metadata and certificate so each spoke org can import them.
- Set up each spoke org as a service provider
In every downstream org, go to Single Sign-On Settings, enable SAML, and create a configuration using the home org's metadata. Match users by Federation ID rather than username so the same value resolves the right person in each org.
- Populate the Federation ID on every User record
Set the Federation ID field on the User record in both the home org and the spoke orgs to the same stable value, such as a corporate email or employee number. The identity provider sends this value, and spoke orgs match on it.
- Test the login and plan certificate rotation
Sign in at a spoke org, confirm the redirect to the home org and a clean return, then add the SSO option to the spoke login page. Record the certificate expiry date and schedule renewal before it lapses.
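Step 4's "record the certificate expiry date" is easy to forget once the metadata file is sitting in a ticket. The script below is an added example, not Salesforce code: it reads the signing certificate out of the identity-provider metadata downloaded in step 1 and reports how many days remain before it lapses, so the check can run on a schedule before every spoke org breaks at once. It assumes standard SAML 2.0 EntityDescriptor metadata and parses the X.509 validity period with a minimal DER walk of tbsCertificate, so it needs only the standard library; the metadata document and the certificate inside it are constructed samples (the certificate is structurally valid but unsigned), and `warn_days` is an assumed threshold.

```python
"""Read the signing certificate out of SAML IdP metadata and report its expiry.

Added example, not Salesforce code. Assumes standard SAML 2.0 EntityDescriptor
metadata; the validity period is read with a minimal DER walk of tbsCertificate.
"""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos: returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _der(tag, body):
    """Encode one DER TLV (used only to build the constructed sample certificate)."""
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _time(tag, value):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def cert_validity(der):
    """Return (not_before, not_after) of a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)              # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)             # [0] EXPLICIT version, or serialNumber if absent
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)         # serialNumber
    _, _, pos = _tlv(tbs, pos)             # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)             # issuer Name
    _, validity, _ = _tlv(tbs, pos)        # validity ::= SEQUENCE { notBefore, notAfter }
    t1, v1, p = _tlv(validity, 0)
    t2, v2, _ = _tlv(validity, p)
    return _time(t1, v1), _time(t2, v2)


def signing_certs(metadata_xml):
    """Yield the DER bytes of every signing certificate the IdP publishes."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # a KeyDescriptor without 'use' serves both
            continue
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            yield base64.b64decode("".join(c.text.split()))


def expiry_report(metadata_xml, now, warn_days=30):
    """One entry per signing cert: when it lapses and whether rotation is due (assumed threshold)."""
    report = []
    for der in signing_certs(metadata_xml):
        _, not_after = cert_validity(der)
        days_left = (not_after - now).days
        report.append({"not_after": not_after, "days_left": days_left,
                       "needs_rotation": days_left <= warn_days})
    return report


# --- constructed sample: an unsigned but structurally valid certificate inside sample metadata ---
def sample_cert_der(not_before, not_after):
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))          # version v3
                 + _der(0x02, b"\x01")                         # serialNumber
                 + sha256_rsa                                  # signature algorithm
                 + _der(0x30, b"")                             # issuer (empty in the sample)
                 + _der(0x30, utc(not_before) + utc(not_after))
                 + _der(0x30, b"")                             # subject (empty in the sample)
                 + _der(0x30, b""))                            # subjectPublicKeyInfo (empty)
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))


SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://home-org.example/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sample_metadata():
    der = sample_cert_der(dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc),
                          dt.datetime(2025, 1, 1, tzinfo=dt.timezone.utc))
    return SAMPLE_METADATA.format(cert=base64.b64encode(der).decode())
```

Run `expiry_report(open("idp-metadata.xml").read(), datetime.now(timezone.utc))` against the real download from the home org; any entry with `needs_rotation` set is the cue to generate the new certificate in the home org and push its public half to every spoke configuration before the old one lapses. Because the report lists every signing certificate in the metadata, it also shows when the home org is publishing both the old and the new certificate during a rotation.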
The certificate the home org uses to sign assertions. Each spoke org imports its public half to validate logins, so rotation must be coordinated across all of them.
Tells each spoke org to match incoming assertions on the Federation ID field. Keep the case-insensitive default on to avoid near-duplicate identities.
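Because every spoke org resolves the person purely from the Federation ID the home org sends, a blank, mistyped or differently cased value fails the login or, worse, lands it on the wrong User record. The audit below is an added example, not Salesforce code: it takes User exports from the home org and each spoke org and lists the blanks, the spoke IDs no home user carries, the IDs that collapse onto more than one user when matched case-insensitively, and the IDs that match a home user only once case is ignored. It assumes CSV exports with `Username`, `FederationIdentifier` and `IsActive` columns (the User object's field names); the rows are constructed samples, and `case_insensitive` mirrors the matching default the definition above refers to.

```python
"""Cross-org Federation ID audit (added example, not Salesforce code).

Assumes CSV exports of User records from the home org and each spoke org with
Username, FederationIdentifier and IsActive columns. All rows are constructed.
"""
import csv
import io
from collections import Counter

HOME_USERS = """Username,FederationIdentifier,IsActive
alice@home.example,E10001,true
bob@home.example,E10002,true
carol@home.example,e10003,true
dave@home.example,,true
"""

SPOKE_USERS = {
    "spoke-sales": """Username,FederationIdentifier,IsActive
alice@sales.example,E10001,true
carol@sales.example,E10003,true
erin@sales.example,E10005,true
""",
    "spoke-support": """Username,FederationIdentifier,IsActive
bob@support.example,E10002,true
bob2@support.example,e10002,true
dave@support.example,,true
""",
}


def load_users(csv_text):
    """Active users only: deactivated records cannot log in and would only add noise."""
    return [r for r in csv.DictReader(io.StringIO(csv_text)) if r["IsActive"].lower() == "true"]


def audit(home_csv, spoke_csvs, case_insensitive=True):
    """Return findings as (org, value) tuples under four check names.

    blank:      active users with no Federation ID, so SSO can never match them
    unknown:    spoke Federation IDs that no active home-org user carries
    collision:  Federation IDs that resolve to more than one user within one org
    case_drift: spoke IDs that match a home ID only when case is ignored
    """
    norm = (lambda s: s.strip().lower()) if case_insensitive else (lambda s: s.strip())
    findings = {"blank": [], "unknown": [], "collision": [], "case_drift": []}

    home = load_users(home_csv)
    home_exact = {u["FederationIdentifier"] for u in home if u["FederationIdentifier"]}
    home_norm = {norm(f) for f in home_exact}
    findings["blank"] += [("home", u["Username"]) for u in home if not u["FederationIdentifier"]]
    findings["collision"] += [("home", f) for f, n in Counter(norm(f) for f in home_exact).items() if n > 1]

    for org, text in spoke_csvs.items():
        users = load_users(text)
        fids = [u["FederationIdentifier"] for u in users if u["FederationIdentifier"]]
        findings["blank"] += [(org, u["Username"]) for u in users if not u["FederationIdentifier"]]
        findings["collision"] += [(org, f) for f, n in Counter(norm(f) for f in fids).items() if n > 1]
        for fid in fids:
            if norm(fid) not in home_norm:
                findings["unknown"].append((org, fid))       # nobody in the home org can assert this
            elif fid not in home_exact:
                findings["case_drift"].append((org, fid))    # works only because matching ignores case
    return findings


if __name__ == "__main__":
    for check, rows in audit(HOME_USERS, SPOKE_USERS).items():
        print(f"{check}: {rows}")
```

Run it with the default first, then with `case_insensitive=False`: a pair such as `E10002` and `e10002` in one spoke org shows up as a collision under case-insensitive matching and as an unknown ID under case-sensitive matching. Either way it is a record to fix before go-live, which is the point of standardising on one stable value (employee number, corporate email) for every User record in every org.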
A separate SAML Single Sign-On Setting in each downstream org that names the home org as its trusted identity source.
- An expired identity-provider certificate breaks every downstream login at once. Track the expiry date and rotate it on a schedule, updating each spoke org with the new public certificate.
- Federated sign-in does not merge licenses. A person with a real User record in a spoke org consumes a license there in addition to the home org.
- Reassigning the home org later is a major project. It means re-pointing trust and reworking every spoke configuration, so choose carefully at the start.