What is the most important tip for working with Home Organization?

Quick Fact: A user has exactly one Home Organization. License consumption, password policy, and the SAML identity all anchor here, while every spoke org adds its own User record keyed by Federation ID.

PlatformBeginner

Home Organization

Q: What is the Home Organization in Environment Hub?

The Home Organization is the central production org running Environment Hub for managing all related orgs.

Q: What's typically the Home Organization?

Most organizations use their main production org; ISV partners may use a dedicated DE org instead.

Q: What does the Home Organization let you do?

From the Home Organization, you access the Environment Hub for centralized multi-org management.

Hear it

§ 01

Definition

Home Organization is the Salesforce term for the primary org a user belongs to in a multi-org enterprise setup, particularly in Salesforce-to-Salesforce, Org-Wide Federation, and Identity Connect scenarios. It is the org where the user record lives natively, where their credentials are stored, where their license is assigned, and where their default identity is anchored. Other orgs the user accesses (through single sign-on, federated identity, or cross-org sharing) treat the home organization as the source of truth for that identity.

The term shows up in three concrete contexts. In Salesforce Identity, a user authenticating into a downstream org via federated SSO presents credentials issued by their Home Organization. In Org-Wide Federation, where many Salesforce orgs share users through SAML-based or Auth Provider-based trust, the Home Organization is the SAML identity provider. In multi-org sharing patterns, sharing rules and queues identify users by their home-organization user ID; without it, the cross-org reference is ambiguous.

§ 02

How the Home Organization anchors a user across multiple Salesforce orgs

The Home Org as identity source

Every Salesforce user has exactly one home organization where their User record is created. License consumption, profile assignment, password policy, and audit history all anchor to this org. Federated identity sessions presented to other orgs trace back to the home organization via SAML or OAuth tokens that include the home org ID.

Identity Provider configuration

When the home organization acts as a SAML Identity Provider for downstream orgs, Setup, Identity Provider lets admins enable the org as an IdP. The downstream org configures the home org as a SAML SSO trust. End users hitting the downstream org get redirected to the home org for authentication, log in once, and gain access to both. The session-state across orgs uses the home-org token.

Multi-org strategies that depend on Home Org

Three multi-org patterns rely on Home Organization concepts: hub-and-spoke (one central business org plus regional subsidiary orgs), federation (multiple peer orgs sharing some users), and acquisition-merger (post-M&A integration where users span both orgs temporarily). In every pattern, the home org defines whose credentials are authoritative.

Cross-org sharing via Salesforce-to-Salesforce

Salesforce-to-Salesforce (S2S) is the older record-sharing feature where two orgs publish and subscribe to specific objects. Users in the receiving org see records sourced from the publishing org. The home organization of the original record owner is preserved as metadata; reporting and audit can trace back to the source org.

Identity Connect for Active Directory

Salesforce Identity Connect synchronizes user identities between Active Directory and Salesforce. When an enterprise runs multiple Salesforce orgs, Identity Connect designates one org as the primary or home org for each AD user. The home org receives the synchronized user; other orgs grant access via federation or auxiliary user accounts.

User license implications

The user consumes a license in their home organization. Other orgs accessed via federated identity may require their own auxiliary user records (especially when the orgs are not federated) and therefore additional license consumption. Cost models for multi-org enterprises need to account for whether a single user requires one license (federated) or many (auxiliary users in every spoke).

Audit and compliance across orgs

Audit trails (Setup Audit Trail, Login History, Real-Time Event Monitoring) live per-org. A cross-org user appears in multiple audit streams. Compliance teams stitch the streams together using the home-org user ID as the join key, since that is the only identifier guaranteed to persist across orgs.

§ 03

Configure a Home Organization for federated multi-org access

Designating a home organization is mostly an identity-architecture decision. The technical configuration follows after the architecture is settled.

Pick the org
The largest user population usually wins. The home org should be the one most users would naturally log into first.
Enable Identity Provider in the home org
Setup, Identity Provider, click Enable Identity Provider. Generate or upload a SAML certificate. Note the Salesforce Identity URL.
Configure each downstream org as a Connected App
In the home org, create a Connected App for each spoke org with SAML enabled. Provide the spoke org''s Entity ID and ACS URL.
Configure SAML SSO in each spoke org
In each spoke org, Setup, Single Sign-On Settings, create a SAML SSO config that trusts the home org as the IdP. Upload the home org''s certificate.
Provision spoke-org user records
For each user, create a User record in each spoke org with Federation ID matching the home-org identifier. The Federation ID is the join key SAML uses to recognize the user across orgs.
Test the SSO flow
Log into the home org, navigate to the spoke org SSO URL, confirm session is established without a second login.

Gotchas

Federation ID must be unique per user and consistent across orgs. Mismatches result in failed SSO with cryptic error messages.
Each spoke org consumes its own user license unless the deployment is purely SSO-and-no-record-creation. Plan license costs accordingly.
Switching the home organization later is a major architectural change. Pick deliberately at project start.
Audit data lives per-org. Cross-org incident investigation requires merging Login History from every org by Federation ID.

Trust & references

Sources

Cross-checked against the following references.

Identity ProviderSalesforce Help
Single Sign-On OverviewSalesforce Help

Official documentation

Straight from the source - Salesforce's reference material on Home Organization.

Salesforce Identity OverviewSalesforce Help

Keep learning

Hands-on resources to go deeper on Home Organization.

Identity BasicsResource ·

Was this entry helpful?

Help us write better definitions. Quick reactions or detailed edit suggestions.

About the Author

Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.

Test your knowledge

Q1. What is the Home Organization in Environment Hub?

Q2. What's typically the Home Organization?

Q3. What does the Home Organization let you do?

Discussion

Loading…

Loading discussion…

Back to Dictionary