I have created Auth. Providers for Google and LinkedIn. We want community users to login/register via Google or LinkedIn. It is working correctly for community users, but from the community URL internal users can't log in. We are getting this exception: "NO_ACCESS: User was an internal user for the community". In the Community settings we already allow internal users to login, and the System Administrator profile is added in Members.
For checking internal users we added Gmail and LinkedIn in My Domain. We found the below strange cases:
1. Internal user can login via username and password as well as Gmail and LinkedIn, but only from the My Domain URL.
2. Internal user can login via username and password to community.
3. Internal user can’t login to community via LinkedIn or Gmail.
Best Answer
It's a bit of a hack, but it's an answer...
I got around the issue by leveraging the startURL parameter. The Authentication Provider endpoints all support a series of parameters to assist in directing the user to where they need to go. Specifically the startURL parameter allows you to direct the user to a specific path within the app. It's possible to direct the user to an Apex page which redirects the user to the community. For instance, I've appended startURL=apex/app to the endpoint. When I hit the endpoint, I login, then I'm directed to my domain/apex/app which redirects to the community domain.
The downsides to this:
I do plan on using this, as these are internal users and we are OK sacrificing some experience in order for it to work, and we only support a single authentication provider. It still baffles me that Salesforce supports internal users logging into a community via SAML but not OIDC, but as long as it's acknowledged as an idea to implement then there's progress.
Edit 1: providing clarity on URLs and process
Salesforce Documentation on Google Auth Provider configuration
Salesforce Domain URL: https://login.salesforce.com/services/auth/sso/{{org-id}}/{{auth provider API name}}
You may want a different auth provider URL. I am showing the SSO URL here; these can be found in your Auth provider setup page in Salesforce. The domain will change when myDomain is enabled as well.
Login URL: https://{{id-provider domain}}/auth
This can vary by id-provider.
Callback URL: https://login.salesforce.com/services/authcallback/{{org-id}}/{{auth provider API name}}
Same as above, domain may change if myDomain is enabled.
startURL parameter appended.
startURL is passed through to the login URL as the RelayState parameter.
startURL parameter.
startURL.
For example: I want to login and land on the native reports page. My login URL would be
https://login.salesforce.com/services/auth/sso/{{org-id}}/{{auth provider api name}}?startURL=00O/o