[SalesForce] Auth. Provider is not working from Communities for Internal User

I have created Auth. Providers for Google and LinkedIn. We want community users to log in/register via Google or LinkedIn. It is working correctly for community users, but from the community URL internal users can't log in. We are getting this exception: "NO_ACCESS: User was an internal user for the community". In Community settings we already allow internal users to log in, and the System Administrator profile is added in Members.

For checking internal users we added Gmail and LinkedIn in My Domain. We found the following strange cases:
1. Internal users can log in via username and password as well as Gmail and LinkedIn, but only from the My Domain URL.
2. Internal users can log in to the community via username and password.
3. Internal users can't log in to the community via LinkedIn or Gmail.

Best Answer

It's a bit of a hack, but it's an answer...

I got around the issue by leveraging the startURL parameter. The Authentication Provider endpoints all support a series of parameters to assist in directing the user to where they need to go. Specifically the startURL parameter allows you to direct the user to a specific path within the app.

It's possible to direct the user to an apex page which redirects the user to the community. For instance, I've appended startURL=apex/app to the endpoint. When I hit the endpoint, I login, then I'm directed to my domain/apex/app which re-directs to the community domain.

The downsides to this:

  • I don't see how to append the startURL parameter to the native Salesforce community login page. Therefore, you may need to provide a separate endpoint to redirect users specifically to the authentication provider which more or less defeats the purpose of allowing them to select how they want to login.
  • Personally, I don't like the idea of bouncing the user around once they are in the app.

I do plan on using this as these are internal users and we are ok sacrificing some experience in order for it to work, and we only support a single authentication provider. It still baffles me that Salesforce supports internal users logging into a community via SAML but not OIDC, but as long as it's acknowledged as an idea to implement then there's progress.


Edit 1: providing clarity on URLs and process

Salesforce Documentation on Google Auth Provider configuration

Salesforce Domain URL: https://login.salesforce.com/services/auth/sso/{{org-id}}/{{auth provider API name}}
You may want a different auth provider URL. I am showing the SSO URL here; these can be found in your Auth provider setup page in Salesforce. The domain will change when myDomain is enabled as well.

Login URL: https://{{id-provider domain}}/auth
This can vary by id-provider.

Callback URL: https://login.salesforce.com/services/authcallback/{{org-id}}/{{auth provider API name}}
Same as above, domain may change if myDomain is enabled.

  1. User goes to Salesforce domain URL with startURL parameter appended.
  2. Depending on domain configuration, user is presented login page with all possible authentication providers available.
  3. User selects the auth provider they want to use to login; if domain is configured for a single auth provider, Salesforce will redirect the user to that auth provider login url at step 2. In this step, the startURL is passed through to the login URL as the RelayState parameter.
  4. User authenticates successfully and is directed back to callbackURI with the startURL parameter.
  5. User is authenticated and directed to the path referenced in the startURL.

For example: I want to login and land on the native reports page. My login URL would be https://login.salesforce.com/services/auth/sso/{{org-id}}/{{auth provider api name}}?startURL=00O/o
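As an added illustration of the workaround above (not code from the answer or from Salesforce), this helper builds the auth-provider SSO URL with a `startURL` appended and refuses any `startURL` that is not a relative in-app path, since the post-login redirect would otherwise be a convenient open redirect. The org id and provider API name used in the comments are placeholders.

```python
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoint shape quoted in the answer; with My Domain enabled the host differs.
SSO_ENDPOINT = "https://login.salesforce.com/services/auth/sso/{org_id}/{provider}"


def is_safe_start_url(start_url: str) -> bool:
    """Accept only a relative in-app path as startURL.

    A scheme (https:, javascript:), a network path ('//host') or a
    backslash prefix would let the post-login hop leave the org, so the
    value is rejected unless both scheme and host are empty.
    """
    if not start_url or start_url.startswith(("\\", "//")):
        return False
    parsed = urlparse(start_url)
    return parsed.scheme == "" and parsed.netloc == ""


def build_sso_url(org_id: str, provider: str, start_url: str) -> str:
    """Return the SSO endpoint with startURL appended, as the answer describes.

    Salesforce treats startURL as a path relative to the org root, so a
    leading slash is dropped; the slash inside the path is left unencoded
    to match the form shown in the answer (startURL=00O/o).
    """
    if not is_safe_start_url(start_url):
        raise ValueError(f"refusing non-relative startURL: {start_url!r}")
    path = start_url.lstrip("/")
    base = SSO_ENDPOINT.format(org_id=org_id, provider=provider)
    return f"{base}?{urlencode({'startURL': path}, safe='/')}"


def start_url_from_url(url: str) -> Optional[str]:
    """Recover startURL from a URL (e.g. the callback carrying it) for inspection."""
    values = parse_qs(urlparse(url).query).get("startURL")
    return values[0] if values else None


if __name__ == "__main__":
    # Constructed placeholder org id and provider API name.
    print(build_sso_url("00Dxx0000000001", "Google", "apex/app"))
```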
