Designating a home organization is mostly an identity-architecture decision. The technical configuration follows after the architecture is settled.
- Pick the org
  The largest user population usually wins. The home org should be the one most users would naturally log into first.
- Enable Identity Provider in the home org
  In Setup, open Identity Provider and click Enable Identity Provider. Generate or upload a SAML certificate, and note the Salesforce Identity URL.
- Configure each downstream org as a Connected App
  In the home org, create a Connected App for each spoke org with SAML enabled. Provide the spoke org's Entity ID and ACS URL.
- Configure SAML SSO in each spoke org
  In each spoke org, open Setup, Single Sign-On Settings and create a SAML SSO configuration that trusts the home org as the IdP. Upload the home org's certificate.
- Provision spoke-org user records
  For each user, create a User record in each spoke org with a Federation ID matching the home-org identifier. The Federation ID is the join key SAML uses to recognize the user across orgs.
- Test the SSO flow
  Log into the home org, navigate to the spoke org's SSO URL, and confirm that a session is established without a second login.
- Federation ID must be unique per user and consistent across orgs. Mismatches result in failed SSO with cryptic error messages.
- Each spoke org consumes its own user license for every User record created there, unless the deployment is SSO-only with no spoke-org records. Plan license costs accordingly.
- Switching the home organization later is a major architectural change. Pick deliberately at project start.
- Audit data lives per-org. Cross-org incident investigation requires merging Login History from every org by Federation ID.
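The two operational points above, Federation ID consistency and merging per-org Login History by Federation ID, as an added example that is not part of the original page. It runs over constructed User and Login History exports; the column names (FederationIdentifier, Username, LoginTime, Status, SourceIp) are an assumption about how the exports were produced, and the org names are placeholders.

```python
import csv
import io
from collections import Counter

# Constructed sample exports (not real Salesforce data). Column names are an
# assumption about how the User and Login History exports were generated.
USERS = {
    "home": "FederationIdentifier,Username\n"
            "alice@corp.example,alice@home.example\n"
            "bob@corp.example,bob@home.example\n",
    "spoke-eu": "FederationIdentifier,Username\n"
                "alice@corp.example,alice@eu.example\n"
                "Bob@corp.example,bob@eu.example\n",       # not an exact match
    "spoke-us": "FederationIdentifier,Username\n"
                "alice@corp.example,alice@us.example\n"
                "alice@corp.example,alice2@us.example\n",  # duplicate in org
}
LOGINS = {
    "home": "LoginTime,Username,Status,SourceIp\n"
            "2024-05-01T08:00:00Z,alice@home.example,Success,198.51.100.7\n",
    "spoke-us": "LoginTime,Username,Status,SourceIp\n"
                "2024-05-01T08:00:30Z,alice@us.example,Success,198.51.100.7\n",
    "spoke-eu": "LoginTime,Username,Status,SourceIp\n"
                "2024-05-01T08:01:10Z,alice@eu.example,Success,198.51.100.7\n",
}

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def check_federation_ids(users, home="home"):
    """Findings: duplicate Federation IDs within one org, and spoke-org IDs
    with no exact string match in the home org (either breaks SSO)."""
    findings = []
    home_ids = {r["FederationIdentifier"] for r in rows(users[home])}
    for org, text in users.items():
        ids = [r["FederationIdentifier"] for r in rows(text)]
        findings += [(org, fid, "duplicate Federation ID")
                     for fid, n in Counter(ids).items() if n > 1]
        if org != home:
            findings += [(org, fid, "no matching Federation ID in home org")
                         for fid in set(ids) - home_ids]
    return sorted(findings)

def merge_login_history(users, logins):
    """Map each org's Username back to its Federation ID and return a single
    cross-org timeline (LoginTime is ISO-8601 UTC, so string order is time order)."""
    timeline = []
    for org, text in logins.items():
        fid_by_user = {r["Username"]: r["FederationIdentifier"] for r in rows(users[org])}
        for r in rows(text):
            timeline.append({"org": org, "federation_id": fid_by_user.get(r["Username"]), **r})
    return sorted(timeline, key=lambda r: r["LoginTime"])
```

Run `check_federation_ids(USERS)` before go-live to catch the mismatches that otherwise surface only as cryptic SSO failures, and `merge_login_history(USERS, LOGINS)` during an investigation to see one user's logins across all orgs in order.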