Use Experience Cloud login as single sign-on for your store customers (SSO)
Experience Cloud allows you to create customised sites within Salesforce for external users. This can be used to create partner portals or support forums, among other uses. To allow seamless integration between Experience Cloud and StoreConnect, you can configure Single Sign-on which allows users to log in to a StoreConnect store using their Experience Cloud credentials.
Account and contact creation
When using Experience Cloud Single Sign-On, Account and Contact records need to be created before the user attempts to log in to the store, and time given to allow the records to synchronize with the store. These can be Account and Contact records created by StoreConnect’s checkout process or records created in Salesforce, provided they are compatible with records created by StoreConnect. For example, you could send an email to customers who have completed a purchase inviting them to set a username/password for Experience Cloud login. This is not part of the StoreConnect package and will need to be tailored to your organization and use case.
Note that Experience Cloud self-registration is not supported as it relates all new Contact records to a single Account which is not compatible with how StoreConnect uses the Account-Contact relationship.
Configuration
Assuming you have an Experience Cloud site set up, here are the steps to configure Single Sign-On in StoreConnect:
Create certificate and enable identity provider
- From Salesforce Setup, search for Certificate and Key Management.
- Click Create a Self-Signed Certificate.
- Give the key a Label and Unique name.
- Set the Key Size to 2048.
- Click Save.
- In Salesforce Setup, search for Identity Provider.
- Click Enable Identity Provider.
- Select the certificate you just created.
- Click Save.
Create an external client app
:::note
Salesforce no longer allows creating new connected apps. External client apps are the replacement and provide the same SAML functionality for this configuration.
:::
:::warning
Do not use Migrate to External Client App on an existing Connected App. Best practice is to create a new External Client App from scratch using the steps below.
:::
- In Salesforce Setup, search for External Client App Manager.
- Select New External Client App.
- Configure the basic information:
  - External Client App Name: StoreConnect Customer Single Sign-On
  - API Name: StoreConnect_Customer_Single_SignOn
  - Contact Email: Enter the contact email for Salesforce to use in case they want to contact you or your support team
  - Distribution State: Leave as Default
  - Contact Phone: Enter the contact phone for Salesforce to use in case they want to contact you or your support team
  - Info URL: https://support.storeconnect.com/article/experience-cloud-login
  - Logo Image URL: https://res.cloudinary.com/hzkr6fi81/image/upload/v1779181620/media/StoreConnect_Icon_Logo-100x100.png
  - Icon URL: https://res.cloudinary.com/hzkr6fi81/image/upload/v1779181620/media/StoreConnect_Icon_Logo-100x100.png
  - Description: Allows users to log in to store accounts with an Experience Cloud account
- Skip the API (Enable OAuth Settings) section.
- In the Web App (Enable SAML Settings) section, configure the following:
  - Enable SAML: True
  - Entity Id: https://{your-stores-domain.com}/logins/auth/experience_cloud/metadata
  - ACS URL: https://{your-stores-domain.com}/logins/auth/experience_cloud/auth
  - Issuer: https://{your-stores-domain.com}/logins/auth/experience_cloud/metadata
  - Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  - Signing Algorithm for SAML Messages: SHA1
  - IdP Certificate: Choose the self-signed certificate you created in the first step.
:::note
If your store uses a URL path for region or scope (for example /au, /us, /b2b, /b2c — a path can be any segment after your store domain), include the full path before the SAML route segment in the Entity Id, ACS URL, and Issuer fields:
- Entity Id: https://{your-store-domain}/{your-path}/logins/auth/experience_cloud/metadata
- ACS URL: https://{your-store-domain}/{your-path}/logins/auth/experience_cloud/auth
- Issuer: https://{your-store-domain}/{your-path}/logins/auth/experience_cloud/metadata

Without the path, the AuthnRequest Issuer the store sends will not match the External Client App’s Entity Id, and Salesforce returns idpError=1605 Unable to resolve request into a service provider.
Each store with a different path needs its own External Client App.
:::
- Save the changes.
Set app policies
- Edit the app.
- Add a Custom start page.
- Enter the Custom Start URL: https://{your-stores-domain.com}/
- Under Profiles and Permission Sets, add the profiles or permission sets for Experience Cloud users who should be able to log in to the store.
- Save.
- Scroll down to the SAML Policies section, go to SAML Login Info and copy the Metadata Discovery Endpoint — you will need this when creating the authentication provider.
Create authentication provider
- Go to your store and find the Authentication Providers related list.
- Select New.
- Enter the following values:

  | StoreConnect field | Value |
  | --- | --- |
  | Provider | Experience Cloud |
  | Authorised Domains | Optional |
  | Client Id | |
  | Client Secret | (leave blank) |
  | Provider URL | Metadata Discovery Endpoint from the previous step |
  | Reset Password URL | Optional |

- If you have a custom domain for your Experience Cloud site, enter it in the Authorised domains field. The Provider URL is automatically authorized, so you only need to add additional domains here. This field supports multiple domains separated by a semi-colon (;).
- Leave the Client Secret blank. When Client Secret is empty and a Provider URL is set, StoreConnect fetches the current IdP certificate directly from the SAML metadata URL. This keeps the certificate automatically up to date and eliminates the need to manually generate or maintain a certificate fingerprint.
- Save the record.
Reset password URL
Due to security limitations, StoreConnect is not able to initiate a password reset for an Experience Cloud account. To support password reset, the ‘reset password’ flow on the store will redirect the user to the Reset Password URL if it is present. If left blank, the store will not show a ‘reset password’ link.
Customers without an Experience Cloud license
If you wish to allow some users to log in using Experience Cloud but others to log in using a different method (either username/password or another provider), you will need to create additional Authentication Providers. See Authentication providers and single sign-on (SSO) for details.
Troubleshooting
Diagnosing SAML errors with the Identity Provider Event Log
If login fails with a SAML error (such as idpError=1605 Unable to resolve request into a service provider or Authentication Failed), check the Identity Provider Event Log in Salesforce Setup. It records each inbound SAML AuthnRequest with the resolved service provider, the Issuer, the requesting user, and the success or failure outcome.
Entries showing the service provider as unknown indicate the External Client App is not resolving SAML requests. Start by verifying that the Entity Id, ACS URL, and Issuer match the URLs your store sends. If the configuration looks correct but the error persists, the app is likely in a broken state; recreate it from scratch to see whether the issue resolves.
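As an added example (not part of the original article or StoreConnect’s code), the following builds the Entity Id, ACS URL and Issuer a store sends for a given domain and optional region/scope path, then checks an inbound AuthnRequest against them so the path mismatch behind idpError=1605 can be spotted before looking at the Identity Provider Event Log. The domain, path and AuthnRequest are constructed samples.

```python
"""Compare the SAML endpoints a store sends with an External Client App's SAML settings."""
import xml.etree.ElementTree as ET

SAML_ROUTE = "logins/auth/experience_cloud"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def store_sp_urls(domain: str, path: str = "") -> dict:
    """Entity Id, ACS URL and Issuer for a store, including any path segment such as /au."""
    path = path.strip("/")
    base = f"https://{domain}/{path}/" if path else f"https://{domain}/"
    return {"entity_id": f"{base}{SAML_ROUTE}/metadata",
            "acs_url": f"{base}{SAML_ROUTE}/auth",
            "issuer": f"{base}{SAML_ROUTE}/metadata"}


def check_request(xml_text: str, app: dict) -> str:
    """Return 'ok' if the AuthnRequest resolves to the app's settings, else a short diagnosis."""
    root = ET.fromstring(xml_text)
    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    acs = root.get("AssertionConsumerServiceURL", "")
    if not issuer:
        return "missing Issuer"
    # Salesforce resolves the service provider by matching Issuer against the app's Entity Id.
    if issuer != app["entity_id"]:
        return f"issuer mismatch: request says {issuer}, app Entity Id is {app['entity_id']}"
    if acs and acs != app["acs_url"]:
        return f"acs mismatch: request says {acs}, app ACS URL is {app['acs_url']}"
    return "ok"


# Constructed AuthnRequest from a store served under the /au path (not a real capture).
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" Version="2.0"
  AssertionConsumerServiceURL="https://shop.example.com/au/logins/auth/experience_cloud/auth">
  <saml:Issuer>https://shop.example.com/au/logins/auth/experience_cloud/metadata</saml:Issuer>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    # App configured without the path: this is the mismatch that produces idpError=1605.
    print(check_request(SAMPLE_REQUEST, store_sp_urls("shop.example.com")))
    # App configured with the /au path included, as the note above requires.
    print(check_request(SAMPLE_REQUEST, store_sp_urls("shop.example.com", "/au")))
```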