Single-Sign-On between multiple Salesforce Communities with custom domains on same Salesforce org

For a customer I was looking into Single-Sign-On (SSO) between multiple Salesforce Communities using a custom domain for each. Consider a customer with two communities (Community 1 at comm1.example.com and Community 2 at comm2.example.com) – these could be different customer communities, a customer community and a partner community etc. The issue we encountered was that when using custom domains (i.e. comm1.example.com and comm2.example.com) the built-in session ID cookie support will not suffice, as the cookie will be bound to the exact domain. This means the cookie is not sent along when accessing the second community, and hence there is no SSO.

Now the solution to all this is using SAML, which is baked into the Salesforce platform and included in the license. There is a bit more to configure with SAML, but once set up you get SSO for non-Salesforce Community properties as well, such as a property on Heroku.

All in all I think it’s worth the additional configuration.

Before I list what I configured let me say that it may feel a bit convoluted, as the Salesforce org is both the Identity Provider (IdP) and the Service Provider (SP) in SAML-speak. Usually Salesforce is either the one or the other but not both.

Please note: Below I assume a certain level of knowledge about Salesforce Communities around controlling access to communities using Profiles, activating Communities and mapping to custom domains. It is all covered well in the documentation, but understand that you cannot simply do the steps below and be done…

What I ended up configuring was the following:

  1. A community (“SSO”) used for Single-Sign-On and self-service (password reset etc.) where I style and brand the SSO experience at sso.example.com. The community has a CA signed SSL certificate and a custom domain setup via the Domains setup.
  2. A community (“Community 1”) for customers at comm1.example.com. The community has a CA signed SSL certificate and a custom domain setup via the Domains setup.
  3. A community (“Community 2”) for customers at comm2.example.com. The community has a CA signed SSL certificate and a custom domain setup via the Domains setup.
  4. A Customer Community profile with the SSO community as the default community. This profile I use to control access to the communities in Members.
  5. I next configured the Salesforce org as an Identity Provider using a self-signed certificate. This will allow the org to act as an IdP in a SAML authentication flow.
  6. Next I created 2 Single-Sign-On configurations (under “Single-Sign-On Settings” in Setup). One for comm1.example.com and one for comm2.example.com with separate, unique, entity IDs and mapping each to the appropriate community as the only login configuration under Workspaces/Administration/Login & Registration. I used “Federation ID” for the SAML Identity Type. Ensure you use the SAML configuration from the SSO community.
  7. Next configure the SSO community to only use “Username & Password” under Workspaces/Administration/Login & Registration. This ensures the customers actually are able to log in using their Salesforce credentials.
  8. Under “App Manager” in Setup create a Connected App for each community, configuring SAML and using the appropriate entity ID, remembering to also set these to use Federation ID.
  9. Allow the community user profile to use the Connected Apps (both of them) and ensure user records have a federation ID set.

The result is that I can access all 3 communities on my custom domains. Accessing sso.example.com simply allows me to log on with username and password and do self-service incl. password reset etc. Accessing either comm1.example.com or comm2.example.com will redirect me to sso.example.com for authentication if not authenticated already. If I am already authenticated to sso.example.com, it will simply bounce me via that and authenticate the user to the community transparently.
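The redirect from comm1.example.com to sso.example.com carries a SAMLRequest, and decoding it is a quick way to confirm that the entity ID and ACS URL from steps 6 and 8 line up. The Python below is an added example, not code from the original post or from Salesforce: it decodes an HTTP-Redirect AuthnRequest and checks the Issuer against the expected entity ID and the ACS URL against the community host. The sample request, the `/login` ACS path and all function names are constructed for illustration; the IdP endpoint path follows the one quoted in the comments further down.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_redirect_request(url):
    """Return the AuthnRequest XML carried by an HTTP-Redirect binding URL."""
    encoded = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    # HTTP-Redirect binding: base64 over raw DEFLATE (no zlib header), hence -15.
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")

def check_authn_request(url, entity_id, sp_host, idp_host):
    """List mismatches between a captured redirect and the intended setup."""
    # Only feed this traces from your own browser session; ElementTree is not
    # hardened against hostile XML.
    root = ET.fromstring(decode_redirect_request(url))
    problems = []
    if urlsplit(url).hostname != idp_host:
        problems.append(f"redirect goes to {urlsplit(url).hostname}, not {idp_host}")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != entity_id:
        problems.append(f"Issuer {issuer!r} is not the entity ID {entity_id!r}")
    # AssertionConsumerServiceURL is optional; when absent the IdP uses the ACS
    # URL stored on its side (the Connected App), so check that by hand instead.
    acs = root.get("AssertionConsumerServiceURL")
    if acs and urlsplit(acs).hostname != sp_host:
        problems.append(f"ACS URL {acs!r} does not point at {sp_host}")
    return problems

def build_sample_redirect(idp_url, entity_id, acs_url):
    """Constructed AuthnRequest redirect for the demo (not a Salesforce capture)."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
           f' ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"'
           f' Destination="{idp_url}" AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{entity_id}</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(wbits=-15)
    deflated = deflater.compress(xml.encode()) + deflater.flush()
    return f"{idp_url}?SAMLRequest={quote(base64.b64encode(deflated), safe='')}"

if __name__ == "__main__":
    idp = "https://sso.example.com/idp/endpoint/HttpRedirect"
    eid = "https://comm1.example.com"  # assumed entity ID for Community 1
    ok = build_sample_redirect(idp, eid, "https://comm1.example.com/login")
    bad = build_sample_redirect(idp, eid, "https://sso.example.com/login")
    print(check_authn_request(ok, eid, "comm1.example.com", "sso.example.com"))
    print(check_authn_request(bad, eid, "comm1.example.com", "sso.example.com"))
```

To use it on a real login, copy the redirect URL to the IdP from the browser's network trace and pass it in place of the constructed one.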

YMMV!

25 thoughts on “Single-Sign-On between multiple Salesforce Communities with custom domains on same Salesforce org”

  1. Hi Mikkel, definitely useful to understand how multiple community access can be setup on a single org. Question I have is how would you restrict access for some community users to one of the many communities on that org?


    1. Well this approach really doesn’t change anything when it comes to access control. The user – once authenticated and a user record located – still has a profile etc. and that may be used to control access to communities. Where the user is authenticated doesn’t matter. Makes sense?


  2. Mikkel, interesting post.

    This might be a silly question but how did you end up with multiple communities with different domains in the same org? So far what I’ve seen is multiple communities under the same domain (I do not have extensive experience with communities, but this post looks interesting and I even decided to give it a try in a dev org).

    Can you shed some light here? thanks!!!


  3. Hi Mikkel, thank you for this great post.

    I have a use case where two Digital Experiences (Communities) will need to allow users to just use a single set of credentials.

    Will this approach mean that:
    A.- We will have a single user that will be able to log in to the two experiences (and the additional experience created as the helper) using a single set of credentials AND a single User record in Salesforce?
    Or
    B.- Will this mean that the user will use a single set of credentials but 3 different user records? Each one with their Profile/Role that responds to the Digital Experience?

    In terms of visibility (roles) and profiles, how would it work in those cases A or B?

    Thank you so much for the great information.


    1. So that would be answer A. The user can access both (or all 3 actually) using a single set of credentials (1 User record). As to visibility that is controlled by the users profile and sharing rules as normal inside the org. Nothing special there.


      1. This is incredibly helpful. Thank you so much Mikkel, appreciate the quick response.


  4. Hi Mikkel,
    I have a similar setup to the one you described. It works fine when I start from the SSO site. However, when I initiate from the other community sites, I keep getting /_nc_external/identity/saml/SamlError. Do you have any idea what I did wrong?


    1. Sounds like the Service Provider side of the authentication is not correctly configured. I would get a SAML plugin and track the login process – normally that reveals what’s going on.


      1. Thank you for your response Mikkel,
        It seems to work fine when I log in as a system administrator user. It redirects to the SP site correctly, but for the customer user, it returns an error. I checked the SAML, it seems to return a success response, just could redirect back to the SP site.


  5. Hi lekim.
    I followed your instructions, but when I first access
    Com1.example.com I am redirected to sso.example.com.
    Next I log in to sso.example.com and am then redirected back to com1.example.com.

    However, when I next open a new tab in the same browser to access sso.example.com, I am kicked out to the login page.

    How can I keep session of first SSO?

    Thanks and regards


    1. You were kicked out like in when you tried to access sso.example.com standalone you were not logged in or you were sent to a login page? My guess is that there is some problem with the community at sso.example.com that disallows “direct usage”.


  6. Hi Mikkel

    My SSO site gets logged out after I log in to com1 or com2 through SAML to SSO.
    I want to keep the login state of SSO on its own site.


  7. Thanks for your reply.
    Actually I used an Admin profile user for testing but I don’t check the option
    “Separate Experience Cloud site and Salesforce login authentication for employees.” in the admin profile session section.
    So I was kicked out of sso after authenticating there.
    That’s solved. Anyway, thank you so much.


  8. Hi Mikkel

    Very interesting article.

    I’m struggling to set SSO slightly differently. I have two communities comm1 and comm2 on the same Org. Now the challenge is that for example Mr. A has two users for these two communities user123@comm1.com and user123@comm2.com. Is it possible to set it up in a way that if Mr. A is logged in to comm1, he can click on a link and log in to comm2 as well without being challenged to enter credentials for comm2?


    1. Well not OOTB as that is two separate identities. You could however do it with a bit of code combining the JWT flow and using frontdoor.jsp similar to how the Salesforce CLI does it. Probably have to be on two separate domains though.


  9. Hi Mikkel,

    Thank you so much for this article. I’ve been banging my head trying to solve this multiple communities issue. Below is what I’ve configured, but still running into a small problem. I’d love any feedback you could offer.

    Communities:
    SSO community: sso.ex.com with login username/password only
    App community: app.ex.com with sso only

    Single Sign-On Setting:
    Issuer: My salesforce instance
    Entity ID: https://app.ex.com
    Service Provider Initiated Request Binding: HTTP Redirect
    Identity Provider Login URL: https://sso.ex.com/idp/endpoint/HttpRedirect

    Connected App:
    Entity ID: https://app.ex.com
    ACS URL: https://sso.ex.com
    Issuer: My salesforce instance

    Both communities have CA signed ssl certificates.
    My salesforce instance has been configured as an IDP.
    Both SSO setting and Connected App use the Federation ID.

    When I access app.ex.com, it appears to be doing everything right (i.e. no permission errors), it takes me to the sso.ex.com community login, but once I log in, it doesn’t redirect me to the app.ex.com community. I’ve tried setting the startURL in the connected app, but it seems to get overwritten…the RelayState and retURL end up being ‘/s/’.

    Any idea what I have misconfigured here?

    Thanks in advance,
    Neil


  10. Hi Lekkim,

    I posted a question earlier this week, but ended up finding the answer. I didn’t have the ACS URL set correctly. I had it set to the sso community instead of the app community. Anyways, thanks again for the article…it was really helpful!


  11. Hi Lekkim,

    Thanks for the article!

    What about a scenario where “Community 1” and “Community 2” which are supposed to be the SPs have the same domains (For Ex. https://comm.com/community1 and https://comm.com/community2), but the “SSO” community which is supposed to be the IdP has a different domain (For Ex. https://sso.org) ?

    It won’t let me set up different Single Sign-On Settings for both of them because the entity ID is the same for the Identity provider. However, if I try using the same Single Sign-On Setting for both the communities, it keeps redirecting between communities during login.

    Thanks again,
    Humaid


  12. Hi Lekkim,
    Do you have any documented steps for the above post? If you have, could you please share? Thanks


  13. Thanks Lekkim, this is a good approach! But this would only work if your sites are private; the moment you change it to public access, i.e. guest users can get in without signing in, the auto initiation of the SSO won’t work. 😦
    Do you know how we can make this auto SSO trigger even for sites with public access?
    As an example, please look at Trailhead: this is public and private depending on whether you have accessed it before, and it auto triggers SSO for an existing user. I am wondering if we can do the same for public access sites with head JavaScript injection in the site’s header.

