Configure a Facebook Authentication Provider

Configure a Facebook authentication provider so your users can log in to Salesforce using their Facebook credentials.

Required Editions
Available in: Lightning Experience and Salesforce Classic
Available in: Enterprise, Performance, Unlimited, and Developer Editions
User Permissions Needed
To view the settings:View Setup and Configuration
To edit the settings:Customize Application AND Manage Auth. Providers

To configure Facebook as an authentication provider, complete these steps.

  1. Set up a Facebook app, making Salesforce the app domain.
  2. Define a Facebook authentication provider in Salesforce.
  3. Update your Facebook app to use the callback URL generated by Salesforce as the Facebook website URL.
  4. Test the connection.
  5. Add the Facebook provider to your login page.

Before you can configure Facebook for Salesforce, you must set up an app in Facebook.

You can skip this step by allowing Salesforce to use its own default app. For more information, see Use Salesforce Managed Authentication Providers.
  1. Go to the Facebook website and create an app.
  2. Modify the app settings, and set the Application Domain to Salesforce.
  3. Note the app ID and the app secret.

To set up a Facebook provider, you need the Facebook app ID and app secret.

Note the generated Auth. Provider ID value. You use it with the Auth.AuthToken Apex class.

You can skip this step by allowing Salesforce to manage the values for you. For more information, see Use Salesforce Managed Authentication Providers.

  1. From Setup, in the Quick Find box, enter Auth. Providers, and then select Auth. Providers | New.

  2. For the provider type, select Facebook.

  3. Enter a name for the provider.

  4. Enter the URL suffix, which is used in the client configuration URLs. For example, if the URL suffix of your provider is MyFacebookProvider, your single sign-on (SSO) URL is similar to https://_mydomain_url or site_url_/services/auth/sso/MyFacebookProvider.

  5. For Consumer Key, use the Facebook app ID.

  6. For Consumer Secret, use the Facebook app secret.

  7. Optionally, set these fields.

    1. For Authorize Endpoint URL, enter the base URL from Facebook. For example, https://www.facebook.com/v2.2/dialog/oauth. If you leave this field blank, Salesforce uses the version of the Facebook API that your app uses.

      You can add query string parameters to the base URL, if necessary. For example, to get a refresh token from Facebook for offline access, use https://accounts.facebook.com/o/oauth2/auth?access_type=offline&approval_prompt=force. You need the approval_prompt parameter to ask the user to accept the refresh action so that Facebook continues to provide refresh tokens after the first one.

    2. For Token Endpoint URL, enter the URL from Facebook. For example, https://www.facebook.com/v2.2/dialog/oauth. If you leave this field blank, Salesforce uses the version of the Facebook API that your app uses.

    3. To change the values requested from Facebook’s profile API, enter the User Info Endpoint URL. For more information, see https://developers.facebook.com/docs/facebook-login/permissions/v2.0#reference-public_profile. The requested fields must correspond to the requested scopes. If you leave this field blank, Salesforce uses the version of the Facebook API that your app uses.

    4. To automatically enable the OAuth 2.0 Proof Key for Code Exchange (PKCE) extension, which improves security, select Use Proof Key for Code Exchange (PKCE) Extension. For more information on how this setting helps secure your provider, see Proof Key for Code Exchange (PKCE) Extension.

    5. For Default Scopes, enter the scopes to send along with the request to the authorization endpoint. Otherwise, the hard-coded defaults for the provider type are used. See Facebook’s developer documentation for these defaults.

      For more information, see Use the Scope URL Parameter.

    6. If you enter a consumer key and consumer secret, the consumer secret is included in SOAP API responses by default. To hide the secret in SOAP API responses, deselect Include Consumer Secret in SOAP API Responses. Starting in November 2022, the secret is always replaced in Metadata API responses with a placeholder value. On deployment, replace the placeholder with your consumer secret as plain text, or modify the value later through the UI.

    7. For Custom Error URL, enter the URL for the provider to use to report any errors.

    8. For Custom Logout URL, enter a URL to provide a specific destination for users after they log out, if they authenticated using the SSO flow. Use this field to direct users to a branded logout page or destination other than the default Salesforce logout page. The URL must be fully qualified with an http or https prefix, such as https://acme.my.salesforce.com.

      Configure single logout (SLO) to automatically log out a user from Salesforce and the identity provider. As the relying party, Salesforce supports OpenID Connect SLO when the user logs out from the identity provider or Salesforce.

    9. Select an existing Apex class as the Registration Handler class. Or to create an Apex class template for the registration handler, click Automatically create a registration handler template. Edit this class later, and modify the default content before using it.

      A Registration Handler class is required for Salesforce to generate the SSO initialization URL.

    10. For Execute Registration As, select the user that runs the Apex handler class.

      Execute Registration As provides the context in which the registration handler runs. Select a user regardless of whether you’re specifying an existing registration handler class or creating one from the template. In production, you typically create a system user for the Execute Registration As user. This way, operations performed by the handler are easily traced back to the registration process. For example, if a contact is created, the system user creates it.

    11. To use a portal with your provider, select the portal from the Portal dropdown list.

    12. For Icon URL, add a path to an icon to display as a button on the login page for a site. This icon applies to an Experience Cloud site only. It doesn’t appear on your Salesforce login page or My Domain login URL. Users click the button to log in with the associated authentication provider for the site.

      Specify a path to your own image, or copy the URL for one of our sample icons into the field.

    13. To use the Salesforce multi-factor authentication (MFA) functionality instead of your identity provider’s MFA service, select Use Salesforce MFA for this SSO provider. This setting triggers MFA only for users who have MFA applied to them directly. For more information, see Use Salesforce MFA for SSO.

  8. Save your work.

Several client configuration URLs are generated after defining the authentication provider.

  • Test-Only Initialization URL—Salesforce admins use this URL to ensure that the third-party provider is set up correctly. The admin opens this URL in a browser, signs in to the third party, and is redirected to Salesforce with a map of attributes.
  • Single Sign-On Initialization URL—Use this URL to perform SSO into Salesforce from a third party using its third-party credentials. The user opens this URL in a browser and logs in to the third party. The third party creates a user or updates an existing user. Then the third party signs the user into Salesforce as that user.
  • Existing User Linking URL—Use this URL to link existing Salesforce users to a third-party account. The user opens this URL in a browser, signs in to the third party, signs in to Salesforce, and approves the link.
  • OAuth-Only Initialization URL—Use this URL to obtain OAuth access tokens for a third party. Users must authenticate with Salesforce for the third-party service to get a token. This flow doesn’t provide for future SSO functionality.
  • Callback URL—Use this URL for the endpoint that the authentication provider calls back to for configuration. The authentication provider must redirect to the callback URL with information for each client configuration URL.

Client configuration URLs support additional request parameters that enable you to direct users to log in to specific sites, obtain customized permissions from the third party, or go to a specific location after authenticating.

After defining the Facebook authentication provider in Salesforce, go back to Facebook and update your app to use the callback URL as the Facebook Website Site URL.

In a browser, open the Test-Only Initialization URL on the Auth. Provider detail page. It redirects you to Facebook and asks you to sign in. You’re then asked to authorize your app. After you authorize, you’re redirected to Salesforce.

Configure your login page to show the authentication provider as a login option. Depending on whether you’re configuring SSO for an org or Experience Cloud site, this step is different.