Single Sign On from Production to Sandbox

Make it oh-so-easy for users to test changes in a sandbox by seamlessly logging in from production!

Summary:
With this approach, your users can log in to a sandbox directly from the app launcher in production. It requires no code, just clicks, and you control exactly which users get the option via profiles or permission sets.

Here is a gif showing how simple this is for users, in case you have never clicked on an app in the app launcher before.

[gif: ssodemo.gif]

The Technical Details:
This approach uses production as the identity provider (IdP) and a sandbox as the service provider (SP). Authentication is an IdP-initiated SAML flow: clicking the connected app in production's app launcher posts a signed SAML response from production to the sandbox, which accepts it in place of a separate sandbox password.

This implementation is a variation on the approach described in this H&T article. The approach in the article requires users to navigate to the sandbox My Domain in their browser, where they click a button that authenticates against production using single sign-on. The main difference in my approach is that users initiate authentication directly from the app launcher in production. That is easier for users, since there is no sandbox My Domain link to remember or bookmark, and it is much easier than the default setup, where admins must reset user emails and passwords and users must log in from test.salesforce.com.

The Ingredients:
Your production org is the identity provider, which validates that a user is in fact who they say they are.

Your sandbox is the service provider which is the system your users want to access.

A connected app is created in production and added to the app launcher there. It has to be created in production because production is the org acting as identity provider; you cannot deploy it from the sandbox.

The Recipe:
Production
Set up the Salesforce identity provider

Sandbox
Set up the Salesforce service provider

Production
Create a new connected app (based on this documentation)

Give yourself access to the connected app for testing

Enable the connected app in the app launcher

Test from the app launcher

Adding Encryption
Once your tests are successful, encrypt the assertion to make it more secure. The signed assertion is posted through the user's browser as a base64 form field, so until it is encrypted its contents (the user identity and any attributes) are readable by anyone who can see that POST.

Sandbox:

Production:

Test it out again - with encryption!
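A quick way to confirm the change took effect (and, for the technical details above, to see what the sandbox actually receives) is to capture the SAMLResponse form field from the POST to the sandbox in your browser's developer tools and decode it. The script below is an added example, not part of the original post or of Salesforce; it decodes a SAMLResponse and reports whether production is the issuer, whether the sandbox is the destination, and whether the assertion is encrypted or still in plaintext. The hostnames and the two sample responses are constructed placeholders, and the script checks shape only; signature validation remains the sandbox's job.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# SAML 2.0 namespaces used in the response Salesforce posts to the sandbox.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed values: replace with your production My Domain (the identity
# provider's issuer) and your sandbox My Domain host (the service provider).
PROD_ISSUER = "https://example.my.salesforce.com"
SANDBOX_HOST = "example--dev.my.salesforce.com"


def inspect_saml_response(b64_response, expected_issuer=PROD_ISSUER,
                          expected_sp_host=SANDBOX_HOST):
    """Decode a SAMLResponse form value and report what the sandbox will see.

    Only the shape is checked: who issued it, which host it is addressed to,
    and whether the assertion travels encrypted. Signature validation is the
    sandbox's job and is not repeated here.
    """
    # ElementTree does not resolve external entities, so a pasted response
    # cannot trigger XXE; use defusedxml if you parse untrusted input in bulk.
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "plaintext_assertion": root.find("saml:Assertion", NS) is not None,
        "encrypted_assertion": root.find("saml:EncryptedAssertion", NS) is not None,
        "problems": [],
    }
    problems = findings["problems"]
    if root.tag != "{%s}Response" % NS["samlp"]:
        problems.append("root element is not samlp:Response")
    if findings["issuer"] != expected_issuer:
        problems.append(f"issuer {findings['issuer']!r} is not production")
    dest_host = urlsplit(findings["destination"] or "").hostname
    if dest_host != expected_sp_host:
        problems.append(f"destination host {dest_host!r} is not the sandbox")
    if findings["plaintext_assertion"]:
        problems.append("assertion is sent in plaintext; enable encryption")
    if not findings["encrypted_assertion"]:
        problems.append("no EncryptedAssertion element present")
    return findings


def _sample_response(assertion_xml):
    """Build a constructed SAMLResponse (base64, as posted in the form field)."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
    Destination="https://{SANDBOX_HOST}/?so=00D000000000000">
  <saml:Issuer>{PROD_ISSUER}</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  {assertion_xml}
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


# Constructed samples, not captured from any real org. The first is what the
# sandbox receives before encryption is enabled, the second afterwards.
PLAINTEXT_SAMPLE = _sample_response(f"""<saml:Assertion ID="_a1" Version="2.0"
      IssueInstant="2020-01-01T00:00:00Z">
    <saml:Issuer>{PROD_ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>""")

ENCRYPTED_SAMPLE = _sample_response("""<saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>""")


if __name__ == "__main__":
    for label, sample in (("before", PLAINTEXT_SAMPLE), ("after", ENCRYPTED_SAMPLE)):
        result = inspect_saml_response(sample)
        print(label, "encryption:", result["problems"] or "OK")
```

To use it on a real capture, paste the SAMLResponse value from the POST into `inspect_saml_response` with your own issuer and sandbox host. Before the encryption steps the report lists a plaintext assertion; after them it should be clean, with only an EncryptedAssertion element present.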

Give Access to Users
Give access to users via profile or permission set as required. See this trail for details.

THE END!

Notes

EPILOGUE: Sandbox Refresh Details
After refreshing the sandbox, these steps should re-establish the connection:
in prod

sandbox
