Log in as a customer in Salesforce

When you sign in as a customer, you can do anything they can do, such as place orders, change payment details, check out, etc.

Follow these steps to set this up, and to ensure the correct access and permissions are configured, and watch the video demo.

Step 1: create certificate and enable identity provider

1. From the Salesforce Setup, search for Certificate and Key Management.
2. Click Create a Self-Signed Certificate.
3. Give the key a Label and Unique name.
4. Set the Key Size to 2048.
5. Select Save.
6. In the Salesforce Setup, search for Identity Provider.
7. Click Enable Identity Provider.
8. Select the certificate you just created.
9. Click Save.

Step 2: create an external client app

1. In Salesforce Setup, search for External Client App Manager.
2. Select New External Client App.
3. Configure the app basic information:
   • • External Client App Name - StoreConnect Log In as Contact
     • API Name - StoreConnect_Log_In_as_Contact
     • Contact Email - Enter the contact email for Salesforce to use in case they want to contact you or your support team
     • Distribution State - Leave as Default
     • Contact Phone - Enter the contact phone for Salesforce to use in case they want to contact you or your support team
     • Info URL - https://support.storeconnect.com/article/log-in-from-salesforce
     • Logo Image URL - https://res.cloudinary.com/dwxallkfp/image/upload/v1771547748/documentation-media/log-in-as-contact/StoreConnect_Icon_Logo-100x100.png
     • Icon URL - https://res.cloudinary.com/dwxallkfp/image/upload/v1771547748/documentation-media/log-in-as-contact/StoreConnect_Icon_Logo-100x100.png
     • Description - Allows users to log into store accounts from Salesforce
     • For example:
4. Skip the API (Enable OAuth Settings) section.
5. In the Web App (Enable SAML Settings) section:
   • Enable SAML - True
   • Entity Id - https://{your-stores-domain.com}/auth/saml/metadata
   • ACS USR - https://{your-stores-domain.com}/auth/saml/auth
   • Issuer - https://{your-stores-domain.com}/auth/saml/metadata
   • Name ID Format - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
   • Signing Algorithm for SAML Messages - SHA1
   • IdP Certificate - Choose the self-signed certificate you created in the first step.
6. Save the changes.

Step 3: set app policies

Next, you need to give access to the external client app by adding it to a profile, permission set or both.

1. Edit the app.
2. Add a Custom start page.
3. Enter the Custom Start URL: https://{your-stores-domain.com}/
4. Select Profiles and Permissions Set.
5. Select any profiles you want to give broad access to, or for tighter control, create a permission set and assign that only to users who should have access to login as a contact from Salesforce.
6. Save.
7. Scroll down to the SAML Policies section, go to SAML Login Info and copy the Metadata Discovery Endpoint.

Step 4: set store variables

You need the Metadata Discovery Endpoint you copied at step 8, above.

1. Open your Store in StoreConnect.
2. In the Store Variables section, select New.
3. Call the variable Log in as contact metadata.
4. Enter this Key: auth.as_customer_saml_metadata_url
5. Value field: Paste the Metadata discovery endpoint you copied in the previous step.
6. Save.

Step 5: create a log-in link

For ease of access, create a log-in link for the contact page.

1. Open the Contact object in Salesforce.
2. Create a custom field.
3. Enter the Data Type as Formula.
4. Enter Log into store as the Label.
5. For the Formula Return Type, choose Text.
6. In the Formula field, enter this code, but using your own store’s domain.

HYPERLINK( "https://{your-stores-domain.com}/auth/saml/sign_in?sfid=" + CASESAFEID(Id), "Click here to log in as " + FirstName + " " + LastName )

• Make sure the field is visible to the profiles that will use it by adding the field to the page layout. The feature will now work for those staff who are authorised and have access to the link.

Step 6: set up multiple stores with login capability

To set more stores, repeat from Step 2: Create an External Client App using the unique store domain.

Update an expiring or expired certificate

To update a certificate, you need to replace all instances of where the certificate is used. Note that you won’t be able to log in as a contact until all steps are updated.

There are two locations where the new certificate will need to be updated: Identity Provider (In Salesforce Setup) and External Client App (IdP Certificate).

1. Go to Setup > Identity Provider.
2. Click Create a new certificate.
3. Give it a name (e.g. You can make it StoreConnect Log In [Month])
4. Click Save.
5. Next, update the External Client App’s IdP Certificate.
6. Test logging in as a contact to verify it is now working with the new certificate.

Troubleshooting steps

1. Confirm the Contact has a Username. This confirms the contact has an account created on the store. If it does not have a username, send an invitation. This will email an invite and create a user on the website (if the fields are missing, add it to your page layout).
2. Ensure the External StoreConnect ID is populated. (If it is empty, click the Lightning button labeled “Sync to SC” to populate the ID.) See how to add this field here.
3. Check for duplicate Contacts.
4. Ensure the Contact email is unique and not shared with another contact.
5. Review your Sync Error Log for references to affected records and get them to sync.