
Managing Identity Providers

Configure up to 25 external identity providers (IdPs) to enable single sign-on (SSO) for users in your organization. Anypoint Platform currently supports SAML 2.0 and OpenID Connect (OIDC) configurations for SSO providers.

If you are using the Access Management API, note the following:

  • The old endpoints that are not scoped to new IdPs are replaced with new endpoints.

  • IdPs created prior to October 31, 2021 are backwards compatible with old endpoints.

  • If a legacy IdP is deleted, the old endpoints are no longer supported, even if the legacy IdP is re-added.

Managing User Identities with Anypoint Platform

By default, an organization manages user identities and credentials using Anypoint Platform. You can disable this functionality after you add one or more external identity providers.

Organizations that use Anypoint Platform to manage user identities control whether new users are added to the organization through the Access Management settings or through an external identity provider. Organizations that do not require multi-factor authentication (MFA) for their user accounts can choose to enable or disable MFA and to exempt specific accounts. If an organization requires MFA, administrators manage exempt accounts in the Identity Providers section under the Anypoint settings.

Before You Begin

Before getting started, ensure that you have:

  • The Organization Administrator permission

  • An OpenID Connect or SAML 2.0 identity provider

Managing Identity Providers

Access your list of identity providers, configure settings, and add additional identity providers.

  1. Sign in to Anypoint Platform using an account that has the root Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Identity Providers.

A list of identity providers appears.

Adding Identity Providers

Click Add Identity Provider, and then select the identity provider type you want to add. Choose one of the following:

Deleting Identity Providers

If you have more than one identity provider configured, delete external identity providers that you no longer need.

Before deleting an IdP, ensure that your users' credentials and permissions structures are configured with a different IdP, such as the native Anypoint Platform IdP or an external IdP.

When you delete an IdP:

  • Users can no longer use this IdP to sign in to Anypoint Platform.

  • Any external team or role group mappings associated with this IdP are deleted.

  • The Access Management API endpoints associated with this IdP are no longer supported.

To delete an identity provider:

  1. Sign in to Anypoint Platform using an account that has the root Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Identity Providers.

  4. Next to the identity provider you want to delete, click the ... menu.

  5. Click Delete...

  6. In the API Update window, click Continue.

  7. Enter the name of your identity provider.

  8. Click Delete.

Enabling Users to Link Anypoint Platform Profiles

As an organization administrator, you can enable users to link multiple Anypoint Platform profiles that use the same email address to sign in.

Anypoint Platform supports:

  • Linking an SSO sign-in to a local profile that uses credentials (sign-in managed by the Anypoint IdP)

  • Linking an SSO sign-in to another SSO sign-in that uses a different IdP

  • Linking an SSO sign-in to multiple other profiles that use different IdPs

Anypoint Platform does not support linking multiple profiles that use the same IdP. Only OpenID Connect (OIDC) IdPs are supported.

  1. Sign in to Anypoint Platform using an account that has the root Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Identity Providers.

  4. In the Link Multiple SSO Profiles section, click Enabled.

  5. Click Save Changes.

    Users in your organization can now link their SSO logins with other IdP profiles that share the same email address.

Remove a Linked Profile From a User Account

Organization administrators can remove a linked profile from a user account by making a DELETE call to /accounts/api/organizations/:orgId/users/:userId/identityProviderProfiles. For details, refer to the Access Management API documentation.
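The DELETE call above wrapped in a small administrator script, as an added example that is not part of the Anypoint documentation or of MuleSoft's tooling. It assumes the host anypoint.mulesoft.com, a bearer token in ANYPOINT_TOKEN, UUID-shaped org and user ids, and that any request body the endpoint may require is supplied through BODY; it validates the ids before building the path and supports a dry run.

```shell
#!/bin/sh
# Added example (not from the Anypoint documentation): an admin helper for the
# DELETE call named above. Assumed, not stated on the page: the host is
# anypoint.mulesoft.com, the token is sent as a bearer token, and org/user ids
# are UUIDs. Whether the call needs a request body naming the profile to
# remove is not stated here; pass it in BODY if the API docs require one.

ANYPOINT_HOST="${ANYPOINT_HOST:-https://anypoint.mulesoft.com}"  # assumed host

# Accept only UUID-style ids (hex digits and dashes) so that a value taken
# from a ticket or spreadsheet cannot rewrite the request path.
valid_id() {
  case "$1" in
    ''|*[!0-9a-fA-F-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Build the URL of the identityProviderProfiles resource for one user.
unlink_url() {
  valid_id "$1" && valid_id "$2" || return 1
  printf '%s/accounts/api/organizations/%s/users/%s/identityProviderProfiles\n' \
    "$ANYPOINT_HOST" "$1" "$2"
}

# Issue the DELETE. With DRY_RUN=1 the request line is printed instead of
# sent, which is the sensible first run for an irreversible change.
unlink_profile() {
  url=$(unlink_url "$1" "$2") || { echo "invalid org or user id" >&2; return 1; }
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'DELETE %s\n' "$url"
    return 0
  fi
  set -- "$url"
  [ -n "${BODY:-}" ] && set -- "$@" -d "$BODY"
  curl -sS --fail -X DELETE \
    -H "Authorization: Bearer ${ANYPOINT_TOKEN:?set ANYPOINT_TOKEN first}" \
    -H "Content-Type: application/json" "$@"
}

# Usage: DRY_RUN=1 ./unlink_profile.sh <orgId> <userId>
[ "$#" -eq 2 ] && unlink_profile "$1" "$2"
```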

Enable or Disable Account Creation

If your organization has single sign-on (SSO) using an external identity provider enabled, you can prevent users from creating accounts that do not use SSO.

To modify account creation parameters:

  1. Sign in to Anypoint Platform using an account that has the root Organization Administrator permission.

  2. In the navigation bar or the main Anypoint Platform page, click Access Management.

  3. In the Access Management navigation menu, click Identity Providers.

  4. Click Anypoint.

  5. Select one of the following:

    1. Allow account creation: Organization administrators can invite new users using the Users tab. Accounts created using this feature belong to the Anypoint identity provider and sign in using their credentials rather than SSO.

    2. Disable account creation: New accounts must join the organization using an external identity provider and sign in using SSO. Existing accounts are unaffected and can continue to sign in using their credentials.

  6. Click Save Changes.