Use Experience Cloud login as Single Sign-On for your Store Customers (SSO)

This article is intended for advanced users and our partners as it requires advanced web development or Salesforce admin or programming knowledge. While the functionality is part of StoreConnect, we do not provide end user assistance to implement it beyond our help documentation. If you need help or are unsure on how to do this, you can hire one of our StoreConnect partners.

Experience Cloud allows you to create customised sites within Salesforce for external users. This can be used to create partner portals or support forums, among other uses. To allow seamless integration between Experience Cloud and StoreConnect, you can configure Single Sign-on which allows users to log in to a StoreConnect store using their Experience Cloud credentials.

Account and Contact Creation

When using Experience Cloud Single Sign-On, Account and Contact records need to be created before the user attempts to log in to the store, and time given to allow the records to synchronize with the store. These can be Account and Contact records created by StoreConnect’s checkout process or records created in Salesforce, provided they are compatible with records created by StoreConnect. For example, you could send an email to customers who have completed a purchase inviting them to set a username/password for Experience Cloud login. This is not part of the StoreConnect package and will need to be tailored to your organisation and use case.

Note that Experience Cloud self-registration is not supported as it relates all new Contact records to a single Account which is not compatible with how StoreConnect uses the Account-Contact relationship.

Configuration

Assuming you have an Experience Cloud site set up, here are the steps to configure Single Sign-On in StoreConnect:

Enable Identity Provider

From Salesforce Setup, search for Certificate and Key Management
Click ‘Create a Self-Signed Certificate’
Give it a name
Click ‘Save’
From Salesforce Setup, search for Identity Provider
Click ‘Enable Identity Provider’
Select your Certificate
Click ‘Save’

create a self signed certificate

What page looks like after enabling Identity Provider for StoreConnect

Generate a Fingerprint from the Certificate

To complete this step you will need OpenSSL installed on your computer.

From Identity Provider, click ‘Download Certificate’ to download the certificate to your hard drive
Open a terminal window on your computer
Run the following command in your terminal to generate your fingerprint (Keep this for the next step)

openssl x509 -fingerprint -in {path/to/certificate.crt} -sha1

SSO fingerprint for StoreConnect

Create a Connected App

From Salesforce Setup, search for App Manager
Click ‘New Connected App’
Populate the fields as follows

Basic Information

Connected App Name - StoreConnect Customer Single Sign-On
API Name - StoreConnect_Customer_Single_SignOn
Contact Email - Enter the contact email for Salesforce to use in case they want to contact you or your support team
Logo Image URL - https://res.cloudinary.com/hzkr6fi81/image/upload/v1652399370/media/StoreConnect-S-100x100.png
Icon URL - https://res.cloudinary.com/hzkr6fi81/image/upload/v1652399370/media/StoreConnect-S-100x100.png
Info URL - https://help.getstoreconnect.com/documentation/login-from-salesforce
Description - Allows users to log in to Store accounts with an Experience Cloud account

Web App Settings

Start URL - https://{your-stores-domain.com}/
Enable SAML - True
Entity Id - https://{your-stores-domain.com}/logins/auth/experience_cloud/metadata
ACS USR - https://{your-stores-domain.com}/logins/auth/experience_cloud/auth
Name ID Format - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Issuer - https://{your-stores-domain.com}/logins/auth/experience_cloud/metadata
IdP Certificate - Select the certificate you created earlier

Leave all other fields as is
Click ‘Save’

Assign Permission to Users

To be able to log into your store all users will need to have access to this connected app by adding it to relevant profiles, permission sets or both.

Manage the Connected App to add permissions to already existing profiles or permission sets or add the connected app directly from each profile or permission set.

Product Information

Create Authentication Provider

We now need to create an Authentication Provider for the store you want to allow Experience Cloud users to login to, this can be created from the store’s Authentication Providers related list.

StoreConnect Field	Local Provider Value
Provider	Experience Cloud
Authorised Domains	Optional
Client Id
Client Secret	Certificate Fingerprint
Provider URL	Experience Site URL
Reset Password URL	Optional

Authorised Domains

If you have a custom domain for your Experience Cloud site you can enter it here to allow user redirection to work correctly. The Provider URL is automatically authorised, so you only need to add additional domains here. This field supports multiple domains separated by a semi-colon (;).

Provider URL

The Provider URL is the path of your Experience Cloud site. To ensure this is correct you can check Salesforce Setup > Identity Provider, under SAML Metadata Discovery Endpoints:

Salesforce Identity Provider Setup

The Provider URL will be everything to the left of .well-known. I.e. for the example image above the Provider URL would be https://sc-demos.my.site.com.

Reset Password URL

Due to security limitations, StoreConnect is not able to initiate a password reset for an Experience Cloud account. To support password reset, the ‘reset password’ flow on the store will redirect the user to the Reset Password URL if it is present. If left blank, the store will not show a ‘reset password’ link.

Customers without an Experience Cloud Licence

If you wish to allow some users to login using Experience Cloud but others to login using a different method (either username/password or another provider) you will need to create additional Authentication Providers. See the Authentication Provider documentation documentation.

Back to Documentation