Log in as a customer in Salesforce
When you sign in as a customer, you can do anything they can do, such as place orders, change payment details, check out, etc.
This feature uses SAML single sign-on — Salesforce authenticates you (the staff member) and passes a signed assertion to the store. The customer’s password is not required and is never checked.
Follow these steps to set this up and to ensure the correct access and permissions are configured, then watch the video demo.
Step 1: Create certificate and enable identity provider
- From the Salesforce Setup, search for Certificate and Key Management.
- Click Create a Self-Signed Certificate.
- Give the key a Label and Unique name.
- Set the Key Size to 2048.
- Select Save.
- In the Salesforce Setup, search for Identity Provider.
- Click Enable Identity Provider.
- Select the certificate you just created.
- Click Save.
Step 2: Create an external client app
:::warning
Do not use Migrate to External Client App on an existing Connected App. Best practice is to create a new External Client App from scratch using the steps below.
:::
- In Salesforce Setup, search for External Client App Manager.
- Select New External Client App.
- Configure the app basic information:
  - External Client App Name - StoreConnect Log In as Contact
  - API Name - StoreConnect_Log_In_as_Contact
  - Contact Email - Enter the contact email for Salesforce to use in case they want to contact you or your support team
  - Distribution State - Leave as Default
  - Contact Phone - Enter the contact phone for Salesforce to use in case they want to contact you or your support team
  - Info URL - https://support.storeconnect.com/article/log-in-from-salesforce
  - Logo Image URL - https://res.cloudinary.com/hzkr6fi81/image/upload/v1779181620/media/StoreConnect_Icon_Logo-100x100.png
  - Icon URL - https://res.cloudinary.com/hzkr6fi81/image/upload/v1779181620/media/StoreConnect_Icon_Logo-100x100.png
  - Description - Allows users to log into store accounts from Salesforce
- Skip the API (Enable OAuth Settings) section.
- In the Web App (Enable SAML Settings) section:
  - Enable SAML - True
  - Entity Id - https://{your-stores-domain.com}/auth/saml/metadata
  - ACS URL - https://{your-stores-domain.com}/auth/saml/auth
  - Issuer - https://{your-stores-domain.com}/auth/saml/metadata
  - Name ID Format - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  - Signing Algorithm for SAML Messages - SHA1
  - IdP Certificate - Choose the self-signed certificate you created in the first step.

:::note
If your store uses a URL path for region or scope (for example /au, /us, /b2b, /b2c, /wholesale, /trade — a path can be any segment after your store domain), include the full path before the SAML route segment in the Entity Id, ACS URL, and Issuer fields:
- Entity Id: https://{your-store-domain}/{your-path}/auth/saml/metadata
- ACS URL: https://{your-store-domain}/{your-path}/auth/saml/auth
- Issuer: https://{your-store-domain}/{your-path}/auth/saml/metadata

Without the path, the AuthnRequest Issuer the store sends will not match the External Client App’s Entity Id and Salesforce returns idpError=1605 Unable to resolve request into a service provider. Each store with a different path needs its own External Client App.
:::
- Save the changes.
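The note on store paths above describes the mismatch behind idpError=1605: the Issuer in the store's AuthnRequest has to resolve to the External Client App's Entity Id. As an added check (example code written for this article, not StoreConnect's or Salesforce's own), the Python below derives the Entity Id, ACS URL and Issuer a store sends for a given domain and optional path, compares them with an External Client App's Web App settings, and works out how many apps a set of stores needs. The store domain, path and app settings are constructed placeholders; only the route segments and the Name ID Format come from the steps above.

```python
"""Check an External Client App's Web App (SAML) settings against the URLs a
StoreConnect store sends.

Added example: not StoreConnect or Salesforce code. The store domain, path and
sample app settings are constructed placeholders; the route segments
/auth/saml/metadata and /auth/saml/auth and the NameID format are the values
given in the article."""
from urllib.parse import urlsplit, urlunsplit

NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
METADATA_ROUTE = "/auth/saml/metadata"
ACS_ROUTE = "/auth/saml/auth"


def store_saml_urls(domain: str, path: str = "") -> dict:
    """Entity Id, ACS URL and Issuer for a store at `domain`, optionally served
    under a region/scope path such as "au" or "b2b"."""
    segment = path.strip("/")
    base = "https://" + domain.lower().strip("/") + ("/" + segment if segment else "")
    return {
        "entity_id": base + METADATA_ROUTE,
        "acs_url": base + ACS_ROUTE,
        "issuer": base + METADATA_ROUTE,  # the store's Issuer is its Entity Id
    }


def _normalise(url: str) -> str:
    """Ignore host case and a trailing slash; keep scheme and path case, which
    matter when the IdP resolves the request to a service provider."""
    parts = urlsplit(url.strip())
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path.rstrip("/"), parts.query, parts.fragment))


def check_external_client_app(app: dict, domain: str, path: str = "") -> list:
    """Return human-readable problems; an empty list means the app matches the
    store. An Entity Id / Issuer mismatch is what produces idpError=1605."""
    expected = store_saml_urls(domain, path)
    problems = []
    if not app.get("saml_enabled"):
        problems.append("Enable SAML is not set to True")
    for key, label in (("entity_id", "Entity Id"),
                       ("acs_url", "ACS URL"),
                       ("issuer", "Issuer")):
        got = app.get(key, "")
        if _normalise(got) != _normalise(expected[key]):
            problems.append(f"{label}: app has {got!r} but the store sends {expected[key]!r}")
    if app.get("name_id_format") != NAMEID_EMAIL:
        problems.append("Name ID Format must be " + NAMEID_EMAIL)
    return problems


def apps_required(stores) -> set:
    """Distinct Entity Ids across (domain, path) pairs: each one needs its own
    External Client App."""
    return {store_saml_urls(d, p)["entity_id"] for d, p in stores}


# Constructed sample settings for a store served under the /au path.
SAMPLE_APP = {
    "saml_enabled": True,
    "entity_id": "https://Example-Store.com/au/auth/saml/metadata",
    "acs_url": "https://example-store.com/au/auth/saml/auth",
    "issuer": "https://example-store.com/au/auth/saml/metadata",
    "name_id_format": NAMEID_EMAIL,
}
# The same app with the path left out of Entity Id and Issuer (the 1605 case).
SAMPLE_APP_MISSING_PATH = dict(
    SAMPLE_APP,
    entity_id="https://example-store.com/auth/saml/metadata",
    issuer="https://example-store.com/auth/saml/metadata",
)

if __name__ == "__main__":
    for name, app in (("correct", SAMPLE_APP), ("missing path", SAMPLE_APP_MISSING_PATH)):
        print(name, check_external_client_app(app, "example-store.com", "au") or "OK")
    print(apps_required([("example-store.com", ""), ("example-store.com", "au"),
                         ("example-store.com", "au/")]))
```

Run it against the values you entered in the External Client App before testing a login; a reported Entity Id or Issuer difference is the first thing to fix when Salesforce answers with idpError=1605.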
Step 3: Set app policies
Next, you need to give access to the external client app by adding it to a profile, permission set or both.
- Edit the app.
- Add a Custom start page.
- Enter the Custom Start URL: https://{your-stores-domain.com}/
- Select Profiles and Permissions Set.
- Select any profiles you want to give broad access to, or, for tighter control, create a permission set and assign it only to users who should be able to log in as a contact from Salesforce.
- Save.
- Scroll down to the SAML Policies section, go to SAML Login Info and copy the Metadata Discovery Endpoint.
Step 4: Set store variables
You need the Metadata Discovery Endpoint you copied at the end of Step 3, above.
- Open your Store in StoreConnect.
- In the Store Variables section, select New.
- Call the variable Log in as contact metadata.
- Enter this Key: auth.as_customer_saml_metadata_url
- Value field: Paste the Metadata discovery endpoint you copied in the previous step.
- Save.
Step 5: Create a log-in link
For ease of access, create a log-in link for the contact page.
- Open the Contact object in Salesforce.
- Create a custom field.
- Enter the Data Type as Formula.
- Enter Log into store as the Label.
- For the Formula Return Type, choose Text.
- In the Formula field, enter this code, replacing {your-stores-domain.com} with your own store’s domain.
HYPERLINK(
"https://{your-stores-domain.com}/auth/saml/sign_in?sfid=" +
CASESAFEID(Id),
"Click here to log in as " + FirstName + " " + LastName )
Make sure the field is visible to the profiles that will use it by adding the field to the page layout. The feature will now work for those staff who are authorised and have access to the link.
Step 6: Set up multiple stores with login capability
To set up more stores, repeat from Step 2: Create an External Client App for each unique store domain or path.
Update an expiring or expired certificate
To update a certificate, you need to replace all instances of where the certificate is used. Note that you won’t be able to log in as a contact until all steps are updated.
There are two locations where the new certificate will need to be updated: Identity Provider (In Salesforce Setup) and External Client App (IdP Certificate).
- Go to Setup > Identity Provider.
- Click Create a new certificate.
- Give it a name (e.g. StoreConnect Log In [Month]).
- Click Save.
- Next, update the External Client App’s IdP Certificate.
- Test logging in as a contact to verify it is now working with the new certificate.
Troubleshooting
- Confirm the Contact has a Username. This confirms the contact has an account created on the store. If it does not have a username, send an invitation — this will email an invite and create a user on the website (if the field is missing from the page layout, add it). The contact does not need to have accepted the invitation or set a password; having a username is sufficient for this feature to work.
- Ensure the External StoreConnect ID is populated. (If it is empty, click the Lightning button labeled “Sync to SC” to populate the ID.) See Sync records with StoreConnect IDs
- Check for duplicate Contacts.
- Ensure the Contact email is unique and not shared with another contact.
- Review the Sync Error tool for references to affected records and get them to sync.
- If login fails with a SAML error (such as idpError=1605 Unable to resolve request into a service provider or Authentication Failed), check the Identity Provider Event Log in Salesforce Setup. It records each inbound SAML AuthnRequest with the resolved service provider, the Issuer, the requesting user, and the success or failure outcome. Entries showing the service provider as unknown indicate the External Client App is not resolving SAML requests. Start by verifying that the Entity Id, ACS URL, and Issuer match the URLs your store sends. If the configuration looks correct but the error persists, the app is likely in a broken state; recreate it from scratch to see whether the issue resolves.