How To
ForgeRock Identity Cloud

Salesforce SSO integration with Identity Cloud for social authentication/registration

Last updated Jan 17, 2023

The purpose of this article is to provide information on configuring ForgeRock Identity Cloud to integrate with Salesforce® as a social provider using OpenID Connect (OIDC) for Single Sign-On (SSO).

1 reader recommends this article


This article describes how to configure Identity Cloud to use Salesforce as a social provider for authentication and/or registration. Identity Cloud provides a standards-based solution for Salesforce social authentication and registration based on OIDC standards. 

Steps involved:

  1. Configure Salesforce 
  2. Configure the Social Identity Provider in Identity Cloud
  3. Create the end user journey
  4. Test the end user experience


  • You have a working Identity Cloud tenant.
  • You have a Salesforce developer edition account. See Salesforce Developers for further information

Configuring Salesforce


ForgeRock assumes no responsibility for errors or omissions in the third-party software or documentation.

Create a connected app for Identity Cloud

Refer to the Salesforce documentation for guidance on how to create a connected app.

Use the following configuration for Identity Cloud:

  • Basic Information:
    • Connected App Name: Enter the app name, for example, ForgeRock.
    • API Name: The API Name defaults to the Connected App Name.
    • Contact Email: Enter a contact email.
  • API (Enable Auth Settings):
    • Enable OAuth Settings: Select the checkbox to enable OAuth settings.
    • Callback URL: Enter the URL that a user's browser is redirected to after successful authentication. This must match the Redirect URL that you will configure in Identity Cloud, for example, https://<tenant-env-fqdn>/login.
    • Selected OAuth Scopes: Add the following scopes:
      • Manage user data via APIs (api)
      • Access the identity URL service (id, profile, email, address, phone)
      • Perform requests at any time (refresh_token, offline_access)
      • Manage user data via Web browsers (web)

Note that the connected app may take a few minutes to become available.

Once the connected app is available, click Manage Consumer Details and make a copy of the Consumer Key and Consumer Secret. You'll use this information when you configure Salesforce as a social identity provider in Identity Cloud.

Configuring the Social Identity Provider in Identity Cloud

  1. In the Identity Cloud admin UI, go to Native Consoles > Access Management > Services > Social Identity Provider Service.
  2. Choose Secondary Configurations, click Add a Secondary Configuration, and select the Client configuration for Salesforce option.
  3. Complete the following configuration:
    • Name: Enter a name for the social identity provider, for example, Salesforce.
    • Client ID: Enter the Consumer Key from the connected app you configured in Salesforce.
    • Redirect URL: Enter your Identity Cloud tenant login URL. This must match the value that you entered for the Callback URL in Salesforce, for example, https://<tenant-env-fqdn>/login.
    • Scope Delimiter: Enter the scope delimiter, which is usually an empty space.
  1. Click Create.

The full configuration for the new Salesforce social identity provider is displayed.

  1. In the Client Secret field, enter the Consumer Secret from the connected app you configured in Salesforce.
  2. Check the rest of the default settings are correct. In particular, check the following fields:
    • Enabled: Ensure the configuration is enabled.
    • Transform Script: Ensure that Salesforce Profile Normalization is entered. This script transforms Salesforce credential data into a normalized form.
  1. Click Save Changes.

Creating the end user journey

You can create custom end user journeys for social registration and login. These journeys will include all your enabled social identity providers, so you won't need to create different journeys for different providers.

See How do I create end user journeys for social registration and login in Identity Cloud? for further information.

Testing the end user experience

  1. In the Identity Cloud admin UI, go to Journeys.
  2. Click the journey that you want to test.
  3. Copy the Preview URL.
  4. Paste the preview URL into a browser using Incognito or Browsing mode.
  5. Follow the sign in and/or registration steps to test your journey.

For example, if Salesforce is configured as a social identity provider for social sign in, users are asked if they want to authenticate with Salesforce, similar to the screenshot below.

See Also

How do I create end user journeys for social registration and login in Identity Cloud?

Does the ForgeRock solution support social authentication?

Single Sign-On Integrations for Identity Cloud

Identity Cloud documentation:

Other social integrations:

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.