Authentication providers and single sign-on (SSO)
StoreConnect supports a number of login methods for store users. By default a username and password login is provided; to offer alternative login options you will need to create an Authentication Provider.
Supported authentication options:
- StoreConnect
- Azure Active Directory (AD) B2C
- Experience Cloud
- Microsoft Entra ID
Configure authentication providers
Authentication Providers can be created from the store’s Authentication Providers related list.
StoreConnect (username + password)
If no active Authentication Providers exist for a store, then a username/password login will be available by default.
If you wish to allow multiple login options and still provide username/password login, you will need to create a StoreConnect Authentication Provider for the store. Other than Provider and Active, all fields can be left blank.
| StoreConnect Field | Local Provider Value |
|---|---|
| Provider | StoreConnect |
| Authorised Domains | |
| Client Id | |
| Client Secret | |
| Provider URL | |
| Reset Password URL | |
Azure Active Directory B2C
| StoreConnect Field | Local Provider Value |
|---|---|
| Provider | Azure |
| Authorised Domains | |
| Client Id | Azure Client ID |
| Client Secret | |
| Provider URL | Azure Base URL |
| Reset Password URL | |
The Base URL is the URL of your Azure login page; it will look similar to: https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/B2C_1A_signup_signin
To check that the URL is correct, append /discovery/keys to it and open it in a browser. A correct URL returns a JSON response similar to:
```json
{ "keys": [ {"kid":"EU323HFCv3ZRmOgTOGLXcFsjlnq0RzRhzKsSGFXLDyk3","use":"sig","kty":"RSA","e":"AQAB","n":"..."} ] }
```
Callback URL
In your Active Directory configuration you will need to add the callback URL to the list of permitted URLs:
https://your-store-domain/logins/auth/azure/callback
Reset Password URL
Due to security limitations, StoreConnect is not able to initiate a password reset for an Active Directory account. To support password reset, the ‘reset password’ flow on the store will redirect the user to the Reset Password URL if it is present. If left blank, the store will not show a ‘reset password’ link.
Azure AD payload mapping
When StoreConnect receives a token from Azure AD, it maps the payload fields to Contact fields as follows:
| Azure AD payload field | Salesforce Contact field |
|---|---|
| sub | sso_uid |
| (StoreConnect AuthenticationProvider sfid) | sso_provider_id |
| email \|\| signInName \|\| signInNames.emailAddress \|\| upn \|\| preferred_username | email, username |
| given_name | first_name |
| family_name | last_name |
| phone_number \|\| Phone Number | phone |
| name | Account name |
|| indicates priority order: the first value present is used.
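The priority-order mapping above, as an added example that is not StoreConnect's own code: it resolves a decoded Azure AD token payload into the Contact fields listed in the table, and SAMPLE_PAYLOAD is constructed data, not a real token.

```python
# Added example (not StoreConnect's code): resolve a decoded Azure AD token
# payload into the Contact fields from the table above, honouring the "||"
# priority order. SAMPLE_PAYLOAD is constructed data, not a real token.

# Claims tried for each Contact field, in priority order.
CLAIM_PRIORITY = {
    "sso_uid": ["sub"],
    "email": ["email", "signInName", "signInNames.emailAddress", "upn", "preferred_username"],
    "first_name": ["given_name"],
    "last_name": ["family_name"],
    "phone": ["phone_number", "Phone Number"],
    "account_name": ["name"],
}

def _lookup(payload, claim):
    """Read a claim; dotted names such as signInNames.emailAddress descend into
    nested objects. Returns None when any part is missing."""
    node = payload
    for part in claim.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def _first_present(payload, claims):
    """The first claim that is present and non-empty, or None."""
    for claim in claims:
        value = _lookup(payload, claim)
        if value not in (None, ""):
            return value
    return None

def map_azure_payload(payload, provider_sfid):
    """Contact field values for one payload. provider_sfid is the Salesforce ID
    of the Authentication Provider record and becomes sso_provider_id."""
    contact = {field: _first_present(payload, claims)
               for field, claims in CLAIM_PRIORITY.items()}
    contact["sso_provider_id"] = provider_sfid
    contact["username"] = contact["email"]  # the table maps email to both
    return contact

# Constructed sample with no "email" claim: the mapping must fall through to
# "preferred_username" for both email and username.
SAMPLE_PAYLOAD = {
    "sub": "8f2c1e7a-0000-4000-8000-000000000001",
    "preferred_username": "Jane.Doe@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
}
```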
Google
| StoreConnect Field | Local Provider Value |
|---|---|
| Provider | |
| Authorised Domains | |
| Client Id | Google OAuth Client ID |
| Client Secret | Google OAuth Client Secret |
| Provider URL | |
| Reset Password URL | |
To generate your credentials, follow these instructions from Google: OAuth Access
Reset Password URL
Due to security limitations, StoreConnect is not able to initiate a password reset for a Google account. To support password reset, the ‘reset password’ flow on the store will redirect the user to the Reset Password URL if it is present. If left blank, the store will not show a ‘reset password’ link. For Google, use https://support.google.com/mail/answer/41078 as the password reset URL to direct users to Google’s own support page.
Details on a new Contact
When a new website account is created using an SSO provider, these values are saved on the new Contact record:
| SSO Provider field | Salesforce Contact field |
|---|---|
| First Name | First Name |
| Last Name | Last Name |
| Username | |
| Phone | Phone |
How StoreConnect links SSO identities to Contacts
When a customer authenticates via SSO, StoreConnect links their identity provider account to a Salesforce Contact record. Understanding this flow helps with troubleshooting linking issues and designing the right login UX for your store.
The redirect flow
- Customer clicks the login button on the store.
- StoreConnect redirects to the identity provider (e.g. Azure AD), passing a provider_id that identifies which Authentication Provider record to use.
- The customer authenticates with the identity provider.
- The identity provider redirects back to StoreConnect’s callback URL.
- StoreConnect validates the identity and links it to a Contact.
What StoreConnect captures: email, first name, last name, phone, and the provider’s unique user ID. These are stored on the Contact and Login records.
What StoreConnect cannot capture: if a customer creates an identity provider account independently — outside of the StoreConnect login redirect flow — StoreConnect has no way to link it to a Contact. The link is only established when the customer authenticates through StoreConnect’s redirect flow.
How StoreConnect matches returning users to Contacts
When a customer returns through the SSO redirect, StoreConnect attempts to match them to an existing Contact in this order:
- Post-checkout session — if the customer just completed checkout in the same browser session, StoreConnect uses the Contact created at checkout directly. Most reliable.
- Previously linked SSO identity — if the customer has logged in via SSO before, StoreConnect matches by their stored provider user ID.
- Email address — StoreConnect performs a case-insensitive email match against existing Contacts, returning the most recently created match.
If no match is found, StoreConnect creates a new Contact.
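The three-step matching order above as an added example, not StoreConnect's own code: it runs the session, stored-provider-ID and case-insensitive email steps over a constructed in-memory Contact list, with the "most recently created" rule applied when duplicate emails exist. The Contact shape and the match_contact signature are assumptions for illustration.

```python
# Added example (not StoreConnect's code): the three-step Contact matching order
# described above, run over a constructed in-memory Contact list. The Contact
# shape and the match_contact signature are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Contact:
    sfid: str
    email: str
    created_date: datetime
    sso_uid: Optional[str] = None  # provider user ID stored by an earlier SSO login

def match_contact(identity, contacts, session_contact_sfid=None):
    """Return (contact, reason); contact is None when a new one must be created.

    identity: mapped token values with at least 'sso_uid' and 'email'.
    session_contact_sfid: the Contact created by a checkout in this session.
    """
    # 1. Post-checkout session: the Contact just created at checkout wins.
    if session_contact_sfid:
        for c in contacts:
            if c.sfid == session_contact_sfid:
                return c, "session"
    # 2. Previously linked SSO identity: match on the stored provider user ID.
    for c in contacts:
        if c.sso_uid and c.sso_uid == identity.get("sso_uid"):
            return c, "sso_uid"
    # 3. Email: case-insensitive, most recently created Contact wins. This is
    #    the step that can pick the wrong record when duplicates exist.
    wanted = (identity.get("email") or "").casefold()
    by_email = [c for c in contacts if wanted and c.email.casefold() == wanted]
    if by_email:
        return max(by_email, key=lambda c: c.created_date), "email"
    return None, "new"

# Constructed sample: two Contacts share an email (differing only in case and
# creation date), so an email match must return the newer one, 003B.
CONTACTS = [
    Contact("003A", "jane.doe@example.com", datetime(2024, 1, 10)),
    Contact("003B", "Jane.Doe@example.com", datetime(2024, 6, 2)),
    Contact("003C", "bob@example.com", datetime(2024, 3, 1), sso_uid="sub-bob"),
]

if __name__ == "__main__":
    print(match_contact({"sso_uid": "sub-jane", "email": "JANE.DOE@EXAMPLE.COM"}, CONTACTS))
```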
Post-checkout SSO account creation
A common scenario in B2B stores: a customer completes checkout as a guest (creating a Contact in Salesforce) but hasn’t yet created or linked their SSO account. When they later try to log in, StoreConnect needs to link their SSO identity to the Contact created at checkout.
There are two approaches:
Option 1: Auto-redirect after checkout (recommended)
Redirect customers to StoreConnect’s SSO login URL immediately after checkout completes. Because the customer is still in the same browser session, StoreConnect links their SSO identity directly to the Contact just created — no ambiguity.
The redirect URL is:
/auth/azure?provider_id=<AUTHENTICATION_PROVIDER_SFID>
Where AUTHENTICATION_PROVIDER_SFID is the Salesforce ID of the store’s Authentication Provider record. This initiates the full Azure → StoreConnect redirect flow.
Implement this by redirecting to this URL from the checkout confirmation page — either automatically or via a prominent “Set up your account” button.
Option 2: SSO link in the order confirmation email
If the customer has already left the checkout session, include an SSO login link in their order confirmation email. When clicked, StoreConnect initiates the redirect flow, the customer signs in (or signs up) with Azure, and StoreConnect matches them to their existing Contact by email address.
The link must point to StoreConnect’s login URL — not directly to Azure — so StoreConnect can initiate the flow and capture the identity:
https://your-store-domain/auth/azure?provider_id=<AUTHENTICATION_PROVIDER_SFID>
This link is the same for all customers. No per-user token is needed. StoreConnect matches by the email address returned from Azure against the Contact created at checkout.
Note: email matching returns the most recently created Contact with that email address. If a customer has duplicate Contact records in Salesforce, StoreConnect may link to the wrong one. Resolve duplicate Contacts before relying on this approach.
Experience Cloud
Allowing login from Experience Cloud requires more configuration in Salesforce than other Authentication Providers; please follow the dedicated Experience Cloud login as SSO guide.