SSO from prod to sandbox using ECA

This is the Winter26 Update for this article/how i solved this session re sandbox SSO magic: https://goravseth.com/single-sign-on-from-production-to-sandbox

Connected Apps were voted off the island, and now we have external client apps, which are great. It is possible to do the same SSO magic with an ECA, but there is currently a bug (that for some reason they will not create a KI for) that requires a funny workaround

The bug: If you set the start URL -> custom in the ECA, the app ignores whatever permissions you apply for who can access the app, and it shows up in the app menu for everyone. Those without access are currently redirected to classic and shown an ugly error…

Support acknowledged this is a bug and said its actively being worked on 2 months ago, so keep holding your breath…

The workaround: click enable oauth, set start URL to oauth, and enter the URL there. The rest of the oauth settings dont matter, as we are not using it. This causes the app to respect permissions, and only show for the people who should have it…

The rest of the steps are basically the same as for the connected app. Click enable SAML in the ECA and do the needful.

Will add some more details in the glorious future.

 
1
Kudos
 
1
Kudos

Now read this

Creating a Global Picklist with custom API values

Global picklists are great. As is the ability to customize the API names separately from the label. But while you can create picklist values via copy/paste, you have to update the API values individually. For small picklists its not that... Continue →