Configuring Single Sign-on (SSO) using Authorization Code + PKCE for Salesforce

Single Sign-on (SSO) enables you to configure your tenancy so that Advance automatically signs in users.

Configuring Single Sign-on requires that you both configure your tenancy to use Single Sign-on and register Advance with your Single Sign-on provider.


  • Salesforce account

To configure Single Sign-on

1. Create Connected App in Salesforce

Create a new connected App in Salesforce. Make sure to enable the “API (Enable OAuth Settings).” setting.

1.1 Setting the Callback URL

The redirect URI IS the URI for the Advance auth application for your tenancy, appended with /.oidc/callback. For example:

The URI is case sensitive and must be lower case.

1.2 Enable the following scopes

  • Access your basic information (id, profile, email, address, phone)
  • Allow access to your unique identifier (openid)

1.3 Allow ID Token

Check “Configure ID Token” and select “Include Standard Claims”.

1.4 Authorization Code with PKCE flow

Uncheck the “Require Secret for Web Server Flow” box, this isn’t required when using PKCE.

2. Update your tenancy SSO configuration

Take a note of the “Consumer Key” for your new Connected App. This is the “Client Identifier” in standard OpenID Connect terminology.

To configure SSO for your tenancy

  1. Log in to the Advance Auth Application.
  2. Click the SSO Configuration link in the page header.
  3. Click the Create button.
  4. Enter the following information into the fields:
    • Metadata Endpoint – “”
    • Client Identifier – the “Consumer Key” for the Salesforce Connected App
    • Client Secret – enter any dummy value here.
    • IsActive – select the IsActive checkbox to immediately activate SSO on your tenancy; if you leave the checkbox empty, you can still activate SSO later
    • IdentityProviderFlow - AuthCodePkce
  5. Click the Save button; Advance redirects you to the SSO Configuration page.
  6. On the SSO configuration page, there is a highlighted URI next to the text The value to provide is. For example, Check that this matches the Redirect URI you set when creating the Connected App.

Your tenancy is now configured to use Single Sign-on.