+ Start a Discussion

Using SAML to tie multiple dev orgs together with a single user repository?

We're an ISV developing multiple applications for delivery through the AppExchange, each as a distinct managed package.  Each team member has a dev org per application.  Because of the global uniqueness of user IDs, this means that each team member has to "name mangle" their user IDs in the various orgs to be, for example, <username>-<appname>@<domain> or <username>@<appname>.<domain>.


I had hoped that the platform's inherent support for SAML as both an IdP and an SP would help alleviate this.  I created a shared dev org for all of Product Engineering, registered a domain for it and my own dev orgs, and following these instructions to set up SSO across multiple organizations:




Unfortunately the all-important Step 7 in that documentation isn't clear about whether user IDs must still be unique across orgs joined through this type of SSO.  It's VERY clear that the Federation IDs must match for the respective users in the two orgs, but the following is ambiguous about whether this lightens the username uniqueness constraint:


  1. Create a test user in your Identity Provider Org, and set their Federation ID to a unique value. Make sure you assign the user a Profile which was granted access to your Service Provider in step 6.
  2. Create a test user in your Service Provider Org, and set their Federation ID to the same value as your test user in the Identity Provider. This will effectively bind the two accounts together.

Interestingly the VERY first time I tried to implement this, for some reason it did let me create the same user with the same ID in both orgs, but I suspect that's because I'd just updated the username for an existing user and, during that lull between making the change and the change becoming effective, I created the same user in the other org.  Needless to say, this left me in a pretty bad state for a bit, but I've recovered from that now!


So, as far as I can tell, this feature allows us to log into one org as a valid user in that org, then access any others orgs in which there are users (with usernames that are all distinct from one another) which are federated together with the user from the first org, but it doesn't allow us to do what I really want, namely to have a centralized user repository for all of our dev orgs.  I'm assuming I'll need to switch to delegated authentication to get that, and that means I'll need to implement the SOAP callout for delegated authentication in our shared org.  I'm about to start down that path, but I figured I'd post here for feedback as I'm doing so in the hopes that someone will respond with, "Hey, actually that will work if you just do this, this, and this!!!"


Thanks in advance for any help here!


I have recently seen information on this but could not (or did not have time to) locate the tip. The tip indicated that on a refresh if a username collision occurs, Salesforce will append (or prepend) a unique string to the username it coud not create, and then send an email out to alert the user/admin of this fact. We are using an Identity Provider service that is outside of Salesforce (i.e. in our 'business' domain). For me the Federation ID is the same in all environments, but the usernames are all different, and we are using our email address with a suffix of '...dev1', '...dev2', '...full'. From what I have seen I do not think there is any way around this.