Environment Hub
Environment Hub is the Salesforce Setup feature that lets a Salesforce ISV or large customer enroll multiple connected Salesforce orgs under a single hub org, providing single sign-on across them, a unified view of org status, and centralized management of sandboxes, packaging orgs, and partner-managed orgs.
Definition
Environment Hub is the Salesforce Setup feature that lets a Salesforce ISV or large customer enroll multiple connected Salesforce orgs under a single hub org, providing single sign-on across them, a unified view of org status, and centralized management of sandboxes, packaging orgs, and partner-managed orgs. The hub is intended for partners who maintain dozens of orgs (Partner Business Org, packaging org, test orgs, customer-facing demo orgs) and need a way to switch between them without separate logins. It is also used by large customers running multiple production orgs across business units or geographies.
The hub org sits at the center; member orgs connect through OAuth and trust the hub for SSO. Once connected, a user authenticated in the hub can click through to any member org without re-entering credentials. Environment Hub also provides links for org creation, deletion, and basic provisioning. The feature is free with the Partner Developer Edition that ISVs receive when they enroll in the Partner Program, and available with extra licensing for non-partner enterprises.
How Environment Hub connects orgs
Hub and Spoke architecture
Environment Hub uses a one-to-many topology. The Hub Org is the central org where the feature is enabled; Member Orgs are spokes connected to it through an OAuth trust relationship. Each member org sees the hub in its OAuth Connected Apps; the hub sees each member in its Environment Hub Setup page. There is no peer-to-peer connection between member orgs; SSO always flows through the hub.
Single sign-on between connected orgs
Once an org is connected, users with the Use Environment Hub permission can navigate from the hub to the member org through a simple click. The hub does not transfer the user's hub identity to the member org; instead, it matches a hub user to a member-org user by email address (the default) or by a configured mapping. A user must exist in both orgs with matching email to use SSO; users in the hub without a matching member-org user cannot SSO into that org.
Member org enrollment
Connecting a member org happens in two phases. The hub admin enters the member org's My Domain or Org ID in the hub Setup page and initiates the connection. The member org receives the OAuth request and a user with Modify All Data must approve it. After approval, the connection is active and SSO works. The two-phase approval ensures the member org explicitly trusts the hub; you cannot enroll an org without its consent.
Partner Business Org and ISV use case
For Salesforce ISVs, the Environment Hub is the standard way to manage the suite of orgs needed for the AppExchange process: the Partner Business Org (where the company runs Salesforce internally), the packaging org (where managed packages are built), test orgs, and customer-facing demo orgs. Without Environment Hub, the ISV's developers would manage dozens of separate logins; with it, they click through from the Partner Business Org to whichever spoke they need.
Org creation and provisioning
The hub can provision certain types of orgs directly. From the hub, an admin can click Create Org and generate a new Partner Developer Edition or Trial Org, with the new org automatically enrolled as a member. This is mainly a partner workflow; enterprise customers typically create orgs through their account team and then enroll the existing org. The provisioning options depend on the hub org type: a Partner Business Org has the broadest options.
Limitations and scope
Environment Hub does not federate user identity beyond SSO clicks. There is no shared user directory; users must still exist independently in each member org. There is no consolidated reporting across orgs; the hub does not pull data from members. There is no centralized governance or policy enforcement; each member org retains its own admin controls. The hub is purely a navigation and provisioning convenience; do not promise it as an enterprise SSO solution or as a data-consolidation tool.
Security considerations
The Use Environment Hub permission grants the ability to navigate to any connected member org. If a member org contains sensitive data and the hub admin has not vetted who has the permission, the SSO path becomes a security weakness. Audit the permission set assignments periodically, especially after team changes. Also note that connection between hub and member is a trust grant; a compromised hub can attempt to escalate access in member orgs. Treat the hub as a high-value target.
Enroll a member org in Environment Hub
Setting up Environment Hub takes coordination between the hub admin and each member org admin. The steps below cover the first-time enrollment process for a member org and the subsequent SSO testing.
- Enable Environment Hub in the hub org
Setup > Environment Hub > Enable Environment Hub. The hub org typically the Partner Business Org for ISVs or the main org for enterprises.
- Identify the member org
Gather the member org's My Domain URL or Org ID. The member org must be a Salesforce production, sandbox, or Developer Edition org; trial orgs may have restrictions.
- Initiate the connection from the hub
Setup > Environment Hub > Connect Org. Enter the member org URL or Org ID, choose Hub-Initiated SSO settings, and click Connect.
- Approve from the member org
A user with Modify All Data in the member org receives a notification or visits the OAuth Connected Apps page to approve the trust. Approval is one-time per hub-member pair.
- Verify the connection
Back in the hub, refresh the Environment Hub page. The member org should show Connected with no warnings. Investigate any warnings before proceeding.
- Test SSO with a known user
Log into the hub as a user who exists in both orgs with matching email. Click the member org from the Environment Hub page. The user should land in the member org without re-authentication.
- Grant Use Environment Hub permission
Permission Set with Use Environment Hub > assign to users who need cross-org navigation. Audit assignments quarterly to avoid permission drift.
User starts in the hub and clicks into the member org. The default mode; the simplest navigation flow.
User starts in the member org and authenticates through the hub. Useful for users who land in a member URL directly.
Default. Matches hub user to member user by email address. Works when emails are consistent.
Alternative. Matches by Federation ID field. Use when emails differ between orgs (different domain per business unit).
Create new member orgs directly from the hub. Partner-only feature for Partner Business Orgs.
- Users must exist in both the hub and the member org with matching email for SSO to work. Onboarding a new user means provisioning them in every relevant member org.
- Approval from the member org requires Modify All Data. A self-service enrollment is not possible; you need a cooperating admin on the member side.
- Use Environment Hub permission grants click-through to every connected member. Over-permissive assignment is the single largest security risk; audit quarterly.
- The hub does not federate identity, just navigation. Users still log into each member org as separate identities; permissions and field-level security are per-org.
- Some org types (Trial Orgs in specific regions, certain restricted editions) cannot be enrolled. Confirm enrollment eligibility before promising the workflow to stakeholders.
Trust & references
Straight from the source - Salesforce's reference material on Environment Hub.
- Environment HubSalesforce Help
- Get Started with the Environment HubSalesforce Help
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.
Test your knowledge
Q1. What is Environment Hub?
Q2. Who benefits most from Environment Hub?
Q3. What does Environment Hub eliminate?
Discussion
Loading discussion…