Single Sign On from Production to Sandbox

Make it oh-so-easy for users to test changes in a sandbox by seamlessly logging in from production!

With this approach, your users can log in to a sandbox directly from the app launcher in production. This requires no code, just clicks, and you can control exactly which users can use this option via profiles or permission sets.

Here is a gif showing how simple this is for users, in case you have never clicked on an app in the app launcher before.


The Technical Details:
This approach uses production as the identity provider and a sandbox as the service provider. Authentication is managed using an identity-provider-initiated OAuth flow.

This implementation is a variation on the approach described in this H&T article. The approach in the article requires users to navigate to the sandbox My Domain in their browser, where they can click a button that authenticates against production using Single Sign On. The main difference in my approach is that users can initiate the authentication directly from the app launcher in production. This is easier for users, as there is no need to remember or bookmark a sandbox My Domain link. And it's much easier than the default setup, where admins must reset user emails and passwords, and users must log in from

The Ingredients:
Your production org is the identity provider, which validates that a user is in fact who they say they are.

Your sandbox is the service provider, which is the system your users want to access.

A connected app will be created in production and added to the app launcher. You cannot deploy connected apps from a sandbox; they have to be created in prod.

The Recipe:
Set up the Salesforce Identity Provider

Set up the Salesforce Service Provider

Create a new connected app (based on this documentation)

Give yourself access to the connected app for testing

Enable the connected app in the app launcher

Test from the app launcher

Adding Encryption
Once your tests are successful, encrypt the assertion to make it more secure, so that its contents are not readable as it passes through the user's browser on the way to the sandbox.



Test it out again, this time with encryption!
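The identity-provider/service-provider exchange described under The Technical Details, and the encryption step above, are a SAML assertion flow in Salesforce. As an added example (not code from the original post or from Salesforce), here are the acceptance checks the sandbox, as service provider, applies to a response that production sends it without any prior request; the entity IDs, timestamps and sample XML are constructed placeholders, and signature verification is assumed to have already happened.

```python
# Added example, not code from the original post: the acceptance checks a sandbox
# (SAML service provider) applies to an IdP-initiated response from production.
# Entity IDs, timestamps and the XML built by make_response() are constructed placeholders.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PROD_ISSUER = "https://prod.example.my.salesforce.com"            # constructed IdP entity ID
SANDBOX_AUDIENCE = "https://prod--dev.sandbox.my.salesforce.com"  # constructed SP entity ID

def _ts(s):
    """Parse SAML UTC timestamps such as 2024-01-01T00:00:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def validate_response(xml_text, now_iso):
    """Return a list of failures; an empty list means the sandbox accepts the login.
    Signature verification is assumed to happen before this and is not shown."""
    root, now, failures = ET.fromstring(xml_text), _ts(now_iso), []
    if root.get("InResponseTo"):        # no AuthnRequest exists in an IdP-initiated flow
        failures.append("unexpected InResponseTo")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        # After the "Adding Encryption" step the assertion is opaque until the sandbox
        # decrypts it with its private key; only then do the checks below apply.
        return failures + ["assertion is encrypted: decrypt before validating"]
    a = root.find("saml:Assertion", NS)
    if a is None:
        return failures + ["no assertion present"]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != PROD_ISSUER:
        failures.append("issuer is not the production org")
    aud = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                     default="", namespaces=NS)
    if aud != SANDBOX_AUDIENCE:
        failures.append("audience is not this sandbox")   # blocks replay to another org
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        failures.append("assertion outside its validity window")
    return failures

def make_response(issuer=PROD_ISSUER, audience=SANDBOX_AUDIENCE, encrypted=False):
    """Build a constructed, unsigned sample response for demonstration only."""
    body = ("<saml:EncryptedAssertion/>" if encrypted else
            f"<saml:Assertion><saml:Issuer>{issuer}</saml:Issuer>"
            '<saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">'
            f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
            "</saml:AudienceRestriction></saml:Conditions></saml:Assertion>")
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
            f"{body}</samlp:Response>")
```

Calling `validate_response(make_response(), "2024-01-01T00:01:00Z")` returns an empty list, while a response whose audience names a different org, or one checked after its five-minute window, is rejected with the matching reason.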

Give Access to Users
Give access to users via profile or permission set as required. See this trail for details.



EPILOGUE: Sandbox Refresh Details
After refreshing the sandbox, these steps should re-establish the connection:
In prod:


