[SalesForce] SSO setting while migrating from Partner Portal to communities

We are planning to migrate from partner portal to community. In the current functionality users are able to log in from an internal portal to Salesforce as the SSO is configured. I read through the communities documentation and they say that the login URL for the community needs to be changed to communityUrl + '/login'.

1) Does this mean that this communityUrl + '/login' will be part of the relayState of the SAML?

2) If not, then will we have to change the Salesforce endpoint in the SAML assertion to this communityUrl + '/login'? If we do this then the current functionality gets impacted, right?

3) Or do we need to set up multiple SSO configs in Salesforce and then provide one for internal users and the other for the community?

Please advise.

Best Answer

  1. No
  2. Yes, you have to change the URL if you're migrating to the community. If this is what you mean by 'impacted', then yes. You should be using an identity provider that does not expose this URL to end users.
  3. Maybe, see below

Internal users can log in to the community via the same Assertion Consumer Service (ACS) endpoint @ /login/blah used by community users. You don't need multiple connections on the identity provider side.

With communities it is now much easier to segregate audiences vis-a-vis the baseline org. For example, we have customers where internal users (full Salesforce license) log in to the baseline org and external users log in to the community. They use two different ACS endpoints on two different identity providers. Or you could have a single identity provider with two connections, one for each user segment. This depends on the sophistication of your identity provider.
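As an added illustration (not part of the question or the answer above), the Python below shows on the service-provider side why answers 1 and 2 come out the way they do: the community ACS endpoint lives in the SAML Response's Destination and Recipient attributes and must match what Salesforce was configured with, while RelayState only carries the post-login landing path. The URLs and the unsigned Response are constructed placeholders, not values from any real org.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical endpoints: the community ACS (communityUrl + '/login') and the
# baseline org's ACS. Real values come from the org's SSO settings.
COMMUNITY_ACS = "https://partners.example.force.com/partners/login"
ORG_ACS = "https://example.my.salesforce.com/login"

# Constructed, unsigned sample Response as an IdP would POST to the ACS.
# Signature validation is deliberately out of scope here; only routing is shown.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://partners.example.force.com/partners/login">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>jdoe@partner.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
          Recipient="https://partners.example.force.com/partners/login"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def saml_endpoints(response_xml):
    """Return (Destination, Recipient): the ACS URL is carried here, never in RelayState."""
    root = ET.fromstring(response_xml)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    return root.get("Destination"), (scd.get("Recipient") if scd is not None else None)


def check_routing(response_xml, expected_acs, relay_state):
    """Return a list of problems; empty means the Response belongs to this ACS.
    RelayState is only a landing path, so it is required to be relative
    (an assumption made here to rule out redirecting users off-site)."""
    dest, recipient = saml_endpoints(response_xml)
    problems = []
    if dest != expected_acs:
        problems.append(f"Destination {dest!r} != configured ACS {expected_acs!r}")
    if recipient != expected_acs:
        problems.append(f"Recipient {recipient!r} != configured ACS {expected_acs!r}")
    if urlparse(relay_state).netloc or not relay_state.startswith("/"):
        problems.append(f"RelayState {relay_state!r} is not a relative landing path")
    return problems
```

Running the same Response against ORG_ACS reports both attribute mismatches, which is the "current functionality gets impacted" case: an IdP still pointed at the old ACS will not satisfy the community login URL.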