How to Connect Salesforce with Okta using OpenID Connect
API Access Management
Okta Classic Engine
Overview

This article describes how to connect Salesforce with Okta using OpenID Connect.

Applies To
  • Salesforce
  • OpenID Connect
  • Okta Classic Engine
Solution

Before setting up single sign-on to the Salesforce tenant with OpenID Connect, confirm that:

  • The Salesforce tenant is one of the following editions:
    • Enterprise
    • Performance
    • Unlimited
    • Developer
  • The Salesforce account used for the setup has the following permissions:
    • To view the relevant settings:
      • View Setup and Configuration
    • To edit the relevant settings:
      • Customize Applications
      • Manage Auth. Providers

Once the requirements are confirmed, take the following steps to configure Okta as an OpenID Connect Identity Provider for Salesforce:

  1. Log in to the Okta org and navigate to Admin.
  2. If using the Developer Console interface:
    1. Navigate to Applications > Add Application.
    2. In the window that opens, select Web as the platform for the application and click Next.
    3. Configure the application settings as follows:
      1. Name: Salesforce OpenID Connect SSO
      2. Base URIs: remove the prefilled content by selecting X.
      3. Sign-in redirect URIs: http://placeholder (a temporary value; the real Salesforce Callback URL is only known after step 9 and is entered at step 12).
      4. Group assignments: leave Everyone if everyone should be able to access Salesforce, or change it to the groups that should have Single Sign-On access to Salesforce.
      5. Grant type allowed: leave Authorization Code, as this is the flow Salesforce uses to get users authorized.
    4. Click Done. There will be a redirect to the OpenID application configuration.
  3. If using the Classic UI interface:
    1. Navigate to Applications > Add Application, then Create New App.
    2. Select the following configuration:
      1. Platform: Web.
      2. Sign on method: OpenID Connect.
    3. Configure the application settings as follows:
      1. Name: Salesforce OpenID Connect SSO.
      2. Application logo: leave empty.
      3. Sign-in redirect URIs: http://placeholder (temporary; replaced with the Salesforce Callback URL at step 12).
      4. Sign-out redirect URIs: leave unconfigured.
    4. Click Save. There will be a redirect to the OpenID application configuration.
    5. Navigate to the Assignments tab and assign the users or groups that will have access to the application.
  4. Under the General tab, scroll down to Client Credentials and copy the Client ID and Client Secret. Treat the Client Secret like a password: it is entered only into the Salesforce Auth. Provider form below and should not be stored anywhere else.
  5. Log in to the Salesforce tenant and access the administrator interface (Setup).
  6. Navigate to Identity > Auth. Providers and select New.
  7. In Provider Type, select Open ID Connect and fill in the form as follows, replacing <oktaorg>.okta.com with the domain of the Okta organization (for example, <company>.okta.com, <company>.oktapreview.com, <company>.okta-emea.com). The three endpoint URLs below belong to the Okta org authorization server; they, and its issuer value, can be confirmed from https://<oktaorg>.okta.com/.well-known/openid-configuration:
    1. Name: Okta.
    2. URL Suffix: Okta.
    3. Consumer Key: paste the Client ID copied from Okta at step 4.
    4. Consumer Secret: paste the Client Secret copied from Okta at step 4.
    5. Authorize Endpoint URL: https://<oktaorg>.okta.com/oauth2/v1/authorize
    6. Token Endpoint URL: https://<oktaorg>.okta.com/oauth2/v1/token
    7. User Info Endpoint URL: https://<oktaorg>.okta.com/oauth2/v1/userinfo
    8. Token Issuer: leave empty. If this field is set, Salesforce validates the id_token returned by Okta against it; the org authorization server's issuer is https://<oktaorg>.okta.com, exactly as the iss value in the discovery document. Leaving it empty skips that validation.
    9. Default Scopes: openid.
    10. Send access token in header: checked.
    11. Send client credentials in header: unchecked.
    12. Custom Error URL: leave empty.
    13. Custom Logout URL: leave empty.
    14. Registration Handler: an Apex class implementing Auth.RegistrationHandler. It decides how an Okta identity is mapped to a Salesforce user, including whether users are created just in time when they access Salesforce for the first time.
    15. Execute Registration As: the Salesforce user in whose context the registration handler runs.
    16. Portal: none.
    17. Icon URL: leave empty.
  8. After finishing the configuration, click Save. There will be a redirect to the Auth. Provider configuration in Salesforce.
  9. From the Salesforce configuration, copy the Callback URL and the OAuth-Only Initialization URL.
  10. In the Okta Admin Console, navigate to Applications > Applications > Salesforce OpenID Connect SSO.
  11. Under the General tab > General Settings, click Edit.
  12. In the Sign-in redirect URIs (Login redirect URIs) field, replace http://placeholder with the Callback URL copied at step 9 and click Save. Okta only redirects to URIs that match this list exactly, so copy the URL verbatim (scheme, host and path) and do not leave the placeholder entry behind.
  13. To test, log out from Salesforce and open the OAuth-Only Initialization URL copied at step 9. It should redirect to Okta for authentication and then back into Salesforce as the mapped user.
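The Registration Handler named in step 7 is the piece of this setup that decides which Salesforce user an Okta identity becomes, so it is where account takeover through sloppy matching is prevented. The class below is an added example, not code from the Okta article or from Salesforce's generated template. It assumes the Okta subject identifier (the sub claim that Salesforce exposes as Auth.UserData.identifier) is stored in User.FederationIdentifier, that just-in-time created users get the 'Standard User' profile, and that no portal users are involved (matching "Portal: none" above); the locale and time zone values are placeholders to adjust for the tenant.

```apex
// Added example (not part of the Okta article): Auth.RegistrationHandler for the
// Okta Auth. Provider. Assumptions: User.FederationIdentifier holds the Okta sub,
// JIT-created users get the 'Standard User' profile, internal users only (no portal).
global class OktaRegistrationHandler implements Auth.RegistrationHandler {

    // Profile for just-in-time created users. Assumption: the least-privileged
    // profile that can still log in; never an administrator profile.
    private static final String JIT_PROFILE_NAME = 'Standard User';

    // Set to false to forbid JIT creation entirely, so only users that were
    // pre-provisioned (and carry the Okta sub in FederationIdentifier) can log in.
    private static final Boolean ALLOW_JIT_CREATE = true;

    global Boolean canCreateUser(Auth.UserData data) {
        // Refuse to create anything when Okta did not send the claims we key on.
        return ALLOW_JIT_CREATE
            && data != null
            && String.isNotBlank(data.identifier)
            && String.isNotBlank(data.email);
    }

    global User createUser(Id portalId, Auth.UserData data) {
        // Salesforce calls createUser when no User is linked to this Okta identity
        // yet. Match on the stable Okta subject identifier, never on email: an email
        // match would let a changed Okta email take over a different Salesforce user.
        List<User> existing = [SELECT Id FROM User
                               WHERE FederationIdentifier = :data.identifier
                               AND IsActive = true
                               LIMIT 1];
        if (!existing.isEmpty()) {
            // Returning an existing User links the Okta identity to it.
            return existing[0];
        }
        if (!canCreateUser(data)) {
            // Returning null fails the SSO flow, which is the intended outcome here.
            return null;
        }
        Profile p = [SELECT Id FROM Profile WHERE Name = :JIT_PROFILE_NAME LIMIT 1];
        User u = new User();
        u.ProfileId = p.Id;
        u.FederationIdentifier = data.identifier;
        u.Email = data.email;
        // Username must be unique across all Salesforce orgs and in email format;
        // the Okta email satisfies the format, uniqueness depends on the tenant.
        u.Username = data.email;
        u.FirstName = data.firstName;
        u.LastName = String.isBlank(data.lastName) ? 'User' : data.lastName;
        // Alias is required and limited to 8 characters.
        u.Alias = data.identifier.length() > 8
            ? data.identifier.substring(0, 8)
            : data.identifier;
        u.EmailEncodingKey = 'UTF-8';
        u.LanguageLocaleKey = 'en_US';       // placeholder, adjust per tenant
        u.LocaleSidKey = 'en_US';            // placeholder, adjust per tenant
        u.TimeZoneSidKey = 'America/Los_Angeles'; // placeholder, adjust per tenant
        return u;
    }

    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        // Called on every later login for an already linked user. Refresh only
        // descriptive attributes; the IdP payload must never change Username,
        // ProfileId, permission sets or FederationIdentifier.
        User u = new User(Id = userId);
        if (String.isNotBlank(data.email)) {
            u.Email = data.email;
        }
        if (String.isNotBlank(data.firstName)) {
            u.FirstName = data.firstName;
        }
        if (String.isNotBlank(data.lastName)) {
            u.LastName = data.lastName;
        }
        update u;
    }
}
```

Enter the class name (here OktaRegistrationHandler) in the Registration Handler field and pick a service-style user for Execute Registration As; the handler's SOQL and DML run in that user's context, so it needs permission to read and create Users but nothing more.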
