Implementation Details and Options

Besides the basic communication details, certain standard scenarios apply to most identity provider setups.

You can also design your IdP app to allow customers to use it, rather than the SP app, as the start point for authentication. In this case, your IdP app sends the following information to the SP app.


A value providing a handle to a user reference. The SP App can use this hint to verify the customer's existence. If the user account is not found, the SP app uses this value to invoke the IdP App. The IdP app then obtains an authorization code as in (A). On the other hand, if the user account is available in the SP app, the SP app simply switches to that user.


The selected login host that was used for the auth request (A).


The URL to navigate to once the user is selected.

Use the SP app's custom scheme on iOS, or launch an intent with a bundle containing the key-value pairs on Android. For example, on iOS:

Once the selected user has logged in and passed any other security requirements, your IdP app obtains an authorization code from Salesforce. How you retrieve this code depends on your identity service implementation. If the connected app policy requires permission to access the customer's data, your IdP app must also display the Salesforce permission screen.

For example, Mobile SDK launches a web view that calls a JSP server app. This server page accesses the Salesforce authorization endpoint, obtains the authorization code, and displays the access permission screen.

For protection from rogue SP apps, an IdP app can do the following.

  1. Extract the calling app's bundle identifier.
  2. Compare this identifier with the redirect_uri. If the two values don't match, return an authentication error.

By definition, the IdP app isn't expected to have prior knowledge of SP apps. However, an IdP app can choose to maintain a "white list" of apps that it intends to support.

For user selection, the IdP app presents one of the following screens.

User selection screen—Presented if one or more users are present in the Account Manager, but none of them match the user_hint.

Login screen—Presented in either of the following cases:

  • If no user has logged in to the IdP app.
  • If the specified user has never logged in.

Your IdP app intercepts requests that match the oauth_redirect_uri and calls the SP app using the provided scheme or bundle ID.

The following related links on configuring Salesforce as an identity provider are provided for general background knowledge. Most of this information is not used in configuring a mobile app as a Salesforce IdP or SP.