experience-cloud-authentication
Use when building custom login pages, social SSO flows, self-registration flows, or passwordless OTP login for Experience Cloud (community) sites. Trigger keywords: custom login page Experience Cloud, social SSO community portal, passwordless login Experience Cloud, self-registration custom flow, headless authentication community, auth provider OIDC SAML site. NOT for internal SSO configuration (use identity/sso skills). NOT for standard username/password authentication with no customization.
Best use case
experience-cloud-authentication is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when building custom login pages, social SSO flows, self-registration flows, or passwordless OTP login for Experience Cloud (community) sites. Trigger keywords: custom login page Experience Cloud, social SSO community portal, passwordless login Experience Cloud, self-registration custom flow, headless authentication community, auth provider OIDC SAML site. NOT for internal SSO configuration (use identity/sso skills). NOT for standard username/password authentication with no customization.
Teams using experience-cloud-authentication should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/experience-cloud-authentication/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How experience-cloud-authentication Compares
| Feature / Agent | experience-cloud-authentication | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when building custom login pages, social SSO flows, self-registration flows, or passwordless OTP login for Experience Cloud (community) sites. Trigger keywords: custom login page Experience Cloud, social SSO community portal, passwordless login Experience Cloud, self-registration custom flow, headless authentication community, auth provider OIDC SAML site. NOT for internal SSO configuration (use identity/sso skills). NOT for standard username/password authentication with no customization.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Experience Cloud Authentication Use this skill when designing or building custom authentication flows for Experience Cloud sites: social SSO via OIDC or SAML auth providers, self-registration with custom Apex handlers, passwordless OTP login (standard or headless), and custom login pages for Aura or LWR sites. --- ## Before Starting Gather this context before working on anything in this domain: - **Site type (Aura vs LWR):** This controls whether a custom login page must be a Visualforce page (Aura) or an LWC (LWR). Mixing them is a silent failure — LWR ignores VF login pages. - **Authentication mode (standard, headless, or passwordless):** Headless and passwordless flows require distinct Apex handler interfaces (`HeadlessUserDiscoveryHandler`, `HeadlessSelfRegistrationHandler`) that are separate from the standard `Auth.RegistrationHandler` used for non-headless flows. - **Who the user population is:** External guest users, community members, or partner users each have different license and profile constraints that affect what auth flows are permissible. - **Sandbox-first constraint:** Auth providers require an external identity provider that must be pre-configured in sandbox before production. Skipping sandbox causes mismatched callback URLs and production incidents. --- ## Core Concepts ### Auth Providers (OIDC/SAML) for Social Login An auth provider is a Salesforce-managed connector to an external identity provider. When a site visitor clicks "Sign in with Google," Salesforce redirects them to the IdP, receives an OAuth token or SAML assertion, and then maps the returned identity to a Salesforce user via a Registration Handler Apex class. - **OIDC providers** (Google, Okta, custom) are configured under Setup > Auth. Providers with provider type "OpenID Connect". You supply the consumer key, secret, and authorize/token/userinfo endpoints. - **SAML providers** configured as auth providers (distinct from SAML SSO settings) require the issuer, entity ID, and certificate. The Start SSO URL must include the `?community=<site-url>` query parameter to route the assertion back to the correct site rather than the internal org login. - **Federation ID** is the primary matching key. The value returned in the IdP's subject or a custom attribute must match `User.FederationIdentifier`. OIDC can also match on email, but Federation ID is more reliable for long-lived accounts. ### Registration Handlers: Standard vs Headless Two distinct Apex interfaces govern how Salesforce creates or matches users after an external identity is verified: | Interface | Used When | Key Methods | |---|---|---| | `Auth.RegistrationHandler` | Standard (non-headless) social login via auth provider | `createUser()`, `updateUser()` | | `Auth.ConfigurableSelfRegHandler` | Standard self-registration with fine-grained control | `getUserAttributes()`, `createUser()`, `postRegister()` | | `HeadlessUserDiscoveryHandler` | Headless passwordless — discover existing user by identifier | `discover()` | | `HeadlessSelfRegistrationHandler` | Headless passwordless — register new user via headless flow | `createUser()`, `autoConfirm()` | The `HeadlessUserDiscoveryHandler` and `HeadlessSelfRegistrationHandler` interfaces live in the headless identity API surface and are **not** the same as `Auth.RegistrationHandler`. Using the wrong interface compiles successfully but the headless flow will fail at runtime because Salesforce cannot locate the handler. ### Passwordless Login and the HeadlessPasswordlessLogin API Passwordless login sends a one-time passcode (OTP) to the user's email or phone without a password. Two modes: - **Standard passwordless** — Salesforce manages the OTP prompt within the site's login page. Enable under Digital Experience > Administration > Login & Registration > Allow passwordless login. - **Headless passwordless** — Your custom front end (mobile app, React, custom LWC) calls the `HeadlessPasswordlessLogin` REST resource directly. The API issues an OTP; your UI collects it and exchanges it for a session. Requires headless identity to be enabled in the org and the site must be configured for headless flows. Headless flows require `HeadlessUserDiscoveryHandler` to locate an existing user and `HeadlessSelfRegistrationHandler` to create new users. Both classes are assigned in the Headless Identity settings for the site. ### Custom Login Pages: VF for Aura, LWC for LWR - **Aura sites** use a Visualforce page as the custom login page. Assign it under Administration > Login & Registration > Login Page Type = Visualforce Page. - **LWR sites** use an LWC-based login page. Build the component extending `lwc/loginForm` or composing the `c/selfRegisterLwc` pattern, then assign it under the same Administration panel. Setting a VF page on an LWR site has no effect — the default login page renders silently. - Login page LWCs must be deployed before they appear in the Administration drop-down. Deploy them as metadata-type `LightningComponentBundle` with `isExposed: true` and `targets` including `lightningCommunity__Page`. --- ## Common Patterns ### Pattern 1: Social Login with OIDC Auth Provider **When to use:** Site users should be able to authenticate with Google, Okta, LinkedIn, or any OIDC-compatible IdP instead of creating a Salesforce community account with a password. **How it works:** 1. Create an Auth Provider in Setup under the provider type (e.g., "Google", "OpenID Connect"). Supply client ID, client secret, authorize endpoint, token endpoint, and userinfo endpoint. 2. Set the Callback URL in your IdP application to `https://<myDomain>.my.site.com/services/authcallback/<ProviderName>`. 3. Write an `Auth.RegistrationHandler` Apex class. In `createUser()`, look up an existing `User` by `FederationIdentifier` or email. If found, return the existing user. If not, create a new external user with the appropriate profile and community. 4. Assign the Registration Handler on the Auth Provider setup page. 5. On the Experience Cloud site, go to Administration > Login & Registration > Login Page Branding, enable the auth provider as a social sign-on option. 6. For Aura sites, the login button is rendered automatically. For LWR sites with a custom login LWC, call the standard `authprovider` navigation target or use `window.location` redirect to the Start SSO URL. **Why not redirect directly to the IdP:** Bypassing the auth provider Start SSO URL loses the `community` parameter routing and the registration handler. Users authenticate but land on the internal org login, not the community. ### Pattern 2: Headless Passwordless OTP for Mobile App **When to use:** A mobile or SPA front end needs to authenticate community users without showing a Salesforce-hosted login page — typically a branded mobile app using Experience Cloud as the identity layer. **How it works:** 1. Enable Headless Identity in Setup > Digital Experiences > Settings. 2. Create a `HeadlessUserDiscoveryHandler` Apex class implementing `Auth.HeadlessUserDiscoveryHandler`. The `discover()` method receives the identifier (email or phone) and returns a `Auth.UserDiscoveryResult` indicating whether to challenge the existing user or route to registration. 3. Create a `HeadlessSelfRegistrationHandler` Apex class implementing `Auth.HeadlessSelfRegistrationHandler`. The `createUser()` method provisions a new external user; `autoConfirm()` controls whether email verification is skipped. 4. Assign both handlers in the Headless Identity settings for the Experience Cloud site. 5. From the mobile app, POST to `<siteUrl>/services/auth/headless/init/passwordless/login` with the user's email or phone. Salesforce returns an OTP via email/SMS. 6. User enters the OTP; the app POSTs to the verification endpoint. On success, Salesforce returns an access token. **Why not use standard passwordless:** Standard passwordless requires a Salesforce-hosted page. Headless gives full front-end control and works in native mobile contexts where a webview cannot be used. --- ## Decision Guidance | Situation | Recommended Approach | Reason | |---|---|---| | Social SSO with external IdP (Google, Okta) | Auth Provider + `Auth.RegistrationHandler` | Standard pattern; Salesforce manages OAuth handshake | | Self-registration with custom validation | `Auth.ConfigurableSelfRegHandler` | More lifecycle hooks than standard RegistrationHandler | | Passwordless login on Salesforce-hosted page | Enable passwordless in Administration > Login & Registration | Simplest; no custom code needed | | Passwordless login from mobile/SPA (no hosted page) | Headless Passwordless API + `HeadlessUserDiscoveryHandler` + `HeadlessSelfRegistrationHandler` | Headless flow is required when you control the UI | | Custom login page on Aura site | Visualforce page assigned in site Administration | Aura requires VF for custom login | | Custom login page on LWR site | LWC with `lightningCommunity__Page` target | LWR ignores VF login pages; LWC is required | | Matching returning social login users | Federation ID (`User.FederationIdentifier`) | More stable than email matching across IdP re-registrations | --- ## Recommended Workflow Step-by-step instructions for an AI agent or practitioner working on this task: 1. **Identify site type and auth mode** — Confirm whether the target site is Aura or LWR. Confirm whether the flow is standard social SSO, self-registration, standard passwordless, or headless passwordless. This determines which interfaces and page types are required. 2. **Configure the auth provider or headless settings** — For social SSO, create the Auth Provider in Setup and register the Callback URL with the IdP. For headless flows, enable Headless Identity in Digital Experiences settings before writing any Apex. 3. **Implement the correct Apex handler** — For social SSO, implement `Auth.RegistrationHandler`. For headless passwordless, implement both `HeadlessUserDiscoveryHandler` and `HeadlessSelfRegistrationHandler`. Never substitute one interface for the other. 4. **Build the login page component** — For Aura, create a VF page and assign it in Administration > Login & Registration. For LWR, build an LWC with `lightningCommunity__Page` in its target metadata and deploy it before assigning. 5. **Verify user matching and license** — Confirm Federation ID is populated correctly for social login users. Confirm the profile and license assigned in `createUser()` are valid for the site's member configuration. 6. **Test in sandbox end-to-end** — Auth providers use callback URLs that must match exactly. Test the full login round-trip in a sandbox with the real IdP before promoting to production. --- ## Review Checklist Run through these before marking work in this area complete: - [ ] Auth provider callback URL registered with IdP matches `services/authcallback/<ProviderName>` on the correct domain - [ ] Registration handler implements the correct interface for the flow type (standard vs headless) - [ ] Custom login page type matches site engine (VF for Aura, LWC for LWR) - [ ] LWC login page has `lightningCommunity__Page` in targets metadata and is deployed - [ ] Federation ID populated and matches across both IdP and Salesforce user records - [ ] Headless Identity enabled in org settings if using any headless or headless passwordless flow - [ ] Sandbox end-to-end login test completed before production deployment --- ## Salesforce-Specific Gotchas Non-obvious platform behaviors that cause real production problems: 1. **Start SSO URL missing `community` parameter** — When constructing the social login redirect URL, the `community` parameter (`?community=<encoded-site-url>`) tells Salesforce which site to return the user to after the IdP handshake. Omitting it causes the user to be redirected to the internal org login page instead of the community, with no error message. 2. **VF login page silently ignored on LWR sites** — Assigning a Visualforce page as the custom login page on an LWR site produces no error in Setup, but the site continues to render the default login page. The fix is to create an LWC with the `lightningCommunity__Page` target and assign it instead. 3. **`HeadlessSelfRegistrationHandler` is a different interface than `Auth.RegistrationHandler`** — The two interfaces share a `createUser()` method name but are entirely different Apex types. A class that implements `Auth.RegistrationHandler` cannot be assigned in the Headless Identity settings; doing so causes a runtime error. Implement `Auth.HeadlessSelfRegistrationHandler` for headless flows. --- ## Output Artifacts | Artifact | Description | |---|---| | Auth Provider configuration | Setup record connecting Salesforce to external IdP | | Registration Handler Apex class | Apex class implementing the correct handler interface for user creation/matching | | Custom login page component | VF page (Aura) or LWC bundle (LWR) handling the login UI | | Headless Identity handler classes | `HeadlessUserDiscoveryHandler` and `HeadlessSelfRegistrationHandler` implementations for headless flows | | Federation ID mapping | Documentation of how IdP subject maps to `User.FederationIdentifier` | --- ## Related Skills - security/ip-range-and-login-flow-strategy — Post-authentication login flows that run after Experience Cloud SSO completes; use when you need MFA enforcement or custom verification steps on top of social login
Related Skills
experience-cloud-security
Use when configuring access controls, sharing, or site security for authenticated or guest Experience Cloud (community) users: external OWD, Sharing Sets, Share Groups, CSP, clickjack protection, guest user record access. NOT for internal sharing model configuration (use sharing-and-visibility).
headless-experience-cloud
Use when building custom frontends (React, Vue, mobile, static sites) that consume Salesforce CMS content via the Connect REST API headless delivery endpoint. Triggers: 'headless Salesforce CMS', 'deliver CMS content to external frontend', 'React app Salesforce content API', 'custom frontend Experience Cloud data', 'CMS delivery channel API'. NOT for standard Experience Builder site development. NOT for CMS Connect (3rd-party CMS federation into Experience Builder). NOT for Experience Cloud LWC components rendered inside a site.
experience-cloud-search-customization
Use this skill when configuring or extending search on an Experience Cloud site — covering Search Manager scope configuration, LWR vs Aura search component selection, federated search setup, guest user search access, and custom search result components. NOT for SOSL/SOQL query development. NOT for internal Salesforce global search or Einstein Search for agents.
experience-cloud-multi-idp-sso
Use this skill when configuring multiple identity providers (OIDC and/or SAML) on a single Experience Cloud site or across tenant-specific portals in the same org — covering auth provider registration, Start SSO URL routing, Federation ID mapping, RegistrationHandler implementation, and simultaneous SP+IdP topology. Trigger keywords: multiple identity providers Experience Cloud, multi-tenant SSO community portal, vendor and citizen portal same site, OIDC SAML both on login page, tenant-specific login routing community. NOT for internal Salesforce employee SSO configuration. NOT for single auth provider setups — see experience-cloud-authentication for basic SSO.
experience-cloud-lwc-components
Use when building custom LWC components for Experience Cloud (Experience Builder sites, LWR portals, Aura-based communities). Covers community context imports, guest user Apex access patterns, navigation API differences between LWR and Aura, and JS-meta.xml target configuration for Experience Builder exposure. NOT for internal LWC components deployed to Lightning App Builder or standard record pages (see lwc/lwc-development). NOT for Aura community components. Trigger keywords: build LWC for Experience Cloud, custom component community portal LWC, guest user LWC component, community context import salesforce, lightningCommunity target, @salesforce/community, guest Apex.
experience-cloud-api-access
Use this skill when configuring or troubleshooting API access for Experience Cloud external users and guest users: guest user Apex data access, Customer Community Plus or Partner Community REST/SOAP API access, external user OAuth scopes, and sharing enforcement on API responses. Trigger keywords: Experience Cloud API access external user, community user REST API, guest user API limits, Customer Community API permissions, external user OAuth. NOT for internal Salesforce API authentication, non-community OAuth flows, or internal user API security.
net-zero-cloud-setup
Use this skill when configuring Salesforce Net Zero Cloud — including Scope 1/2/3 emission source modeling via the StnryAssetCrbnFtprnt / VehicleAssetCrbnFtprnt / Scope3CrbnFtprnt object families, emission factor library setup (EmssnFctr / EmssnFctrSet), DPE-driven carbon calculation jobs, supplier engagement scoring, and CSRD / ESRS / TCFD disclosure pack mapping. Triggers on: Net Zero Cloud setup, Sustainability Cloud carbon accounting, Scope 1 2 3 emissions Salesforce, emission factor library, supplier engagement Net Zero, ESG disclosure pack mapping. NOT for ESG content scoring (use Marketing Cloud), NOT for general financial reporting (use Accounting Subledger), NOT for energy-only utility billing (use Energy & Utilities Cloud).
manufacturing-cloud-setup
Use this skill when configuring Salesforce Manufacturing Cloud — including Sales Agreement setup, Account-Based Forecasting (ABF) recalc jobs, run-rate management, Rebate Management programs, channel inventory tracking via Channel Revenue Management, and Group Membership / OrderItem-to-SalesAgreement reconciliation. Triggers on: Manufacturing Cloud setup, Sales Agreement Salesforce, account-based forecast recalculation, run rate manufacturing, rebate program setup, channel revenue management. NOT for general Sales Cloud opportunity-to-order flow (use standard Opportunity / Order), NOT for Field Service install-base management (use FSL skills), NOT for Automotive Cloud dealer modeling (use automotive-cloud-setup).
data-cloud-zero-copy-federation
Use this skill when configuring or troubleshooting Data Cloud Zero Copy / Lakehouse Federation against Snowflake, Databricks, BigQuery, or Redshift — including external Data Lake Object setup, query semantics through federation, refresh and cache behavior, and choosing federation versus physical ingestion. Triggers on: Data Cloud federated DLO setup, query latency against external warehouse, Snowflake/Databricks/BigQuery integration with Data Cloud, federation vs ingestion decision. NOT for physical Ingestion API streaming/bulk patterns (use data-cloud-integration-strategy), not for CRM Analytics external connectors (use analytics-external-data), not for outbound Data Cloud activation to external systems (use data-cloud-activation-development).
data-cloud-query-api
Use this skill when querying unified profile data, calculated insights, or Data Lake Objects from Data Cloud using ANSI SQL via the Query V2 or Query Connect APIs. Triggers on: SQL queries against Data Cloud, querying unified individuals, querying DMOs via API, paginating large Data Cloud result sets. NOT for SOQL queries against standard Salesforce objects, not for Data Cloud segment filtering in the UI, not for vector/semantic search (use data-cloud-vector-search-dev).
data-cloud-integration-strategy
Use this skill when designing or troubleshooting the data pipeline strategy for connecting source systems to Data Cloud — including ingestion API pattern selection (streaming vs. batch), connector type decisions, DSO-to-DLO-to-DMO pipeline lag, and lakehouse federation patterns. Triggers on: Data Cloud ingestion API setup, streaming vs batch connector decision, Data Cloud connector types, MuleSoft Direct for Data Cloud, data pipeline lag for segmentation. NOT for standard Salesforce integration patterns (use integration-patterns skill), not for querying Data Cloud once data is ingested (use data-cloud-query-api), not for configuring standard admin connectors through the UI only.
data-cloud-ingestion-api
Use when implementing or troubleshooting the Salesforce Data Cloud Ingestion API — covers streaming ingestion (near-real-time micro-batches), bulk ingestion (CSV-based full-replace jobs), schema management in OpenAPI 3.0.x YAML, Connected App setup with cdp_ingest_api scope, and error handling for both modes. NOT for standard Salesforce Bulk API, CRM Analytics data import, or Data Cloud data streams from CRM objects.