How-to guide

Designate a home org by making it the identity provider

There is no New Home Organization button. You designate a home org by making it the identity provider that your other orgs trust. Do this work in the org you have chosen as home.

By Dipojjal Chakrabarti · Founder & Editor, Salesforce Dictionary · Last updated Jun 16, 2026

  1. Enable the home org as an identity provider

    In the home org, from Setup, enter Identity Provider in Quick Find and select Identity Provider. Click Enable Identity Provider, pick a certificate, and save. Download the identity-provider metadata and certificate so each spoke org can import them.

  2. Set up each spoke org as a service provider

    In every downstream org, go to Single Sign-On Settings, enable SAML, and create a configuration using the home org's metadata. Match users by Federation ID rather than username so the same value resolves the right person in each org.

  3. Populate the Federation ID on every User record

    Set the Federation ID field on the User record in both the home org and the spoke orgs to the same stable value, such as a corporate email or employee number. The identity provider sends this value, and spoke orgs match on it.

  4. Test the login and plan certificate rotation

    Sign in at a spoke org, confirm the redirect to the home org and a clean return, then add the SSO option to the spoke login page. Record the certificate expiry date and schedule renewal before it lapses.
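The four steps above are carried out in Setup, but two of the pieces they depend on can be checked offline: what a spoke org actually takes from the home org's metadata in step 2, and how a spoke org resolves the Federation ID it receives in step 3. The Python below is an added example, not Salesforce code and not part of this page. The metadata document, the certificate value and the user directory are constructed samples; the matching rule (whitespace-stripped, case-insensitive, exactly one active user) models the behaviour described here rather than Salesforce's own implementation, and treating the metadata's optional `validUntil` as the expiry date to track is an assumption made to keep the example dependency-free.

```python
"""Offline checks for the home-org / spoke-org SAML setup described above.
Added example, not Salesforce code; all sample data below is constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like the metadata a home org exports in step 1.
# The X509Certificate body is a placeholder string, not a real certificate.
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://home-org.example.my.salesforce.com"
    validUntil="2027-06-16T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          MIIC-PLACEHOLDER-SIGNING-CERT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://home-org.example.my.salesforce.com/idp/endpoint/HttpPost"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the values a spoke org's SAML setting needs from home-org metadata.
    Raises ValueError when there is no signing certificate or no HTTP-POST
    sign-on endpoint, so a broken export is caught before step 2."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute serves signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            certs.append("".join(cert.text.split()))  # drop PEM line breaks
    if not certs:
        raise ValueError("metadata has no signing certificate")
    sso = idp.find(f"md:SingleSignOnService[@Binding='{HTTP_POST}']", NS)
    if sso is None:
        raise ValueError("metadata has no HTTP-POST SingleSignOnService")
    # validUntil is optional in SAML metadata. Assumption for this example: when
    # present, it is the date to put on the step-4 rotation calendar, standing in
    # for the certificate's own NotAfter, which would need an X.509 parser.
    valid_until = root.get("validUntil")
    expiry = (datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
              if valid_until else None)
    return {"entity_id": root.get("entityID"), "sso_url": sso.get("Location"),
            "signing_certs": certs, "valid_until": expiry}


def days_until_expiry(expiry, now):
    """Whole days left before the tracked expiry; negative once it has lapsed."""
    return (expiry - now).days


# Constructed spoke-org directory for step 3. The two 'carol' records have
# Federation IDs differing only by case: the near-duplicate identity problem.
SAMPLE_USERS = [
    {"username": "alice@spoke.example", "federation_id": "E1001", "active": True},
    {"username": "bob@spoke.example", "federation_id": "E1002", "active": False},
    {"username": "carol@spoke.example", "federation_id": "E1003", "active": True},
    {"username": "carol.old@spoke.example", "federation_id": "e1003", "active": True},
]


def normalize(federation_id):
    """Comparison key for the case-insensitive matching default described above."""
    return federation_id.strip().casefold()


def resolve_federation_id(subject, users):
    """Map an assertion subject to exactly one active user in a spoke org.
    Returns (status, username); status is 'ok', 'no_match', 'ambiguous' or
    'inactive'. Anything but 'ok' should fail the login rather than guess."""
    key = normalize(subject)
    matches = [u for u in users if normalize(u["federation_id"]) == key]
    if not matches:
        return "no_match", None
    if len(matches) > 1:
        return "ambiguous", None
    if not matches[0]["active"]:
        return "inactive", None
    return "ok", matches[0]["username"]


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print("trust", meta["entity_id"], "via", meta["sso_url"])
    print("days until tracked expiry:",
          days_until_expiry(meta["valid_until"], datetime.now(timezone.utc)))
    for subject in ("e1001", "E1002", "E1003", "E9999"):
        print(subject, "->", resolve_federation_id(subject, SAMPLE_USERS))
```

Run it as a script to see the trust values pulled from the sample metadata and the four resolution outcomes. The `ambiguous` result for `E1003` is the case to look for when auditing a spoke org before enabling SSO: two User records whose Federation IDs collide under case-insensitive matching cannot be told apart by the assertion, so the login should fail closed until one of them is corrected.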

Identity provider certificate

The certificate the home org uses to sign assertions. Each spoke org imports its public half to validate logins, so rotation must be coordinated across all of them.

Federation ID matching

Tells each spoke org to match incoming assertions on the Federation ID field. Keep the case-insensitive default on to avoid near-duplicate identities.

Service provider per spoke org

A separate SAML Single Sign-On Setting in each downstream org that names the home org as its trusted identity source.

Gotchas
  • An expired identity-provider certificate breaks every downstream login at once. Track the expiry date and rotate it on a schedule, updating each spoke org with the new public certificate.
  • Federated sign-in does not merge licenses. A person with a real User record in a spoke org consumes a license there in addition to the home org.
  • Reassigning the home org later is a major project. It means re-pointing trust and reworking every spoke configuration, so choose carefully at the start.

See the full Home Organization entry

Home Organization includes the definition, worked example, deep dive, related terms, and a quiz.