experience-cloud-member-management

Use this skill when adding external users to an Experience Cloud site, configuring self-registration, managing external user licenses, or customising the login and registration pages. Trigger keywords: add members to community, external user license, self-registration, customer portal login, partner user onboarding, ConfigurableSelfRegHandler. NOT for internal (Employee) user management, internal profile or permission-set assignments, or Experience Cloud page-layout / component design.

Best use case

experience-cloud-member-management is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Use this skill when adding external users to an Experience Cloud site, configuring self-registration, managing external user licenses, or customising the login and registration pages. Trigger keywords: add members to community, external user license, self-registration, customer portal login, partner user onboarding, ConfigurableSelfRegHandler. NOT for internal (Employee) user management, internal profile or permission-set assignments, or Experience Cloud page-layout / component design.

Teams using experience-cloud-member-management should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/experience-cloud-member-management/SKILL.md --create-dirs "https://raw.githubusercontent.com/PranavNagrecha/AwesomeSalesforceSkills/main/skills/admin/experience-cloud-member-management/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/experience-cloud-member-management/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How experience-cloud-member-management Compares

Feature / Agentexperience-cloud-member-managementStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Use this skill when adding external users to an Experience Cloud site, configuring self-registration, managing external user licenses, or customising the login and registration pages. Trigger keywords: add members to community, external user license, self-registration, customer portal login, partner user onboarding, ConfigurableSelfRegHandler. NOT for internal (Employee) user management, internal profile or permission-set assignments, or Experience Cloud page-layout / component design.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Experience Cloud Member Management

This skill activates when work involves granting external users access to an Experience Cloud site — including choosing the right license, setting up self-registration, adding members manually or by profile, and customising the login/registration experience. It covers only external (outside the company) user access; internal user provisioning and site content/component design are out of scope.

---

## Before Starting

Gather this context before working on anything in this domain:

- Which Experience Cloud license type is required: Customer Community, Customer Community Plus, Partner Community, or External Identity? The answer determines which profiles are available and constrains every subsequent decision.
- Is self-registration needed, or will admins add users manually (or through automation)? Self-registration requires a default account and default profile — confirm both exist before enabling the feature.
- What are the current license counts? Deactivated external users continue to consume a license seat; check Setup > Company Information > Licenses before promising capacity.
- Has the site been activated? Unapproved/inactive sites do not process registration or login flows.

---

## Core Concepts

### External User License Types and Profile Binding

Salesforce Experience Cloud supports four main external-user license types:

| License | Typical Use Case | Object Access |
|---|---|---|
| **Customer Community** | B2C portals, basic case deflection | Accounts, Contacts, Cases, limited custom objects |
| **Customer Community Plus** | More sophisticated B2C, roles, sharing rules | Broader custom object access, reports |
| **Partner Community** | Partner relationship management, channel sales | Leads, Opportunities, full CRM access |
| **External Identity** | Identity-only / SSO scenarios, low cost | Minimal CRM access |

A profile is permanently tied to one license type at creation time. You cannot reassign a profile to a different license type after the fact, and you cannot assign a user whose profile belongs to License A to a site that requires License B. This binding is enforced at the user record level, not the site level.

### Site Membership: Manual Addition vs Profile-Based Access

There are two ways external users gain access to a site:

1. **Profile-based membership** — Add the external profile to the site's Members settings (Setup > Digital Experiences > [site] > Administration > Members). Every active user with that profile automatically becomes a site member. This is the most common approach for managed portals.
2. **Manual member addition** — Individual contacts are converted to portal users (enable portal user on the Contact record), assigned a profile and a license, and granted access. Useful when rollout is controlled and the user population is small.

Self-registration is a third path — the user creates their own account through the site's registration page. This requires additional configuration (see below).

### Self-Registration Configuration

Self-registration lets anonymous visitors register as site members without an admin manually creating each user. The key requirements are:

- **Default Account** — Every self-registered user must be associated with an account. Configure a "catch-all" account in Setup > Digital Experiences > [site] > Administration > Registration > Default New User Account. Without this, self-registration silently fails.
- **Default Profile** — The profile assigned to new self-registered users. Must be an external profile tied to the correct license. Set in the same Registration settings panel.
- **Handler** — Either the declarative "Configurable Self-Registration" page (preferred for most orgs on LWR or Aura sites using the standard page) or a custom Apex class implementing `Auth.ConfigurableSelfRegHandler`. The legacy `Auth.RegistrationHandler` interface is older and requires writing a `createUser` and `updateUser` method; `ConfigurableSelfRegHandler` is the current interface and provides a single `registerUser` method with a richer context object.

### Login Page Branding

The login and registration pages are managed inside Experience Builder under the Login & Registration settings panel. Admins can:
- Replace the default Salesforce login page with a branded page built in Experience Builder.
- Configure password reset, self-registration, and forgot-username flows.
- Enable or disable social sign-on (SSO) buttons.

Changes to the login page do not require a site re-publish if you are only adjusting styling, but structural component changes (adding/removing components) do require publishing.

---

## Common Patterns

### Pattern: Customer Portal Self-Registration

**When to use:** B2C scenario where customers should be able to sign up without admin intervention. The site uses a Customer Community or Customer Community Plus license.

**How it works:**
1. Create a dedicated "catch-all" Account (e.g., "Customer Community Users") that will own self-registered contacts.
2. Create or confirm an external profile tied to the Customer Community license.
3. In Experience Builder > Login & Registration, enable self-registration, set the Default New User Account to the catch-all account, and set the Default Profile to the external profile.
4. Choose the handler: for standard registration pages, leave it as Configurable Self-Registration (no code needed). For custom flows, implement `Auth.ConfigurableSelfRegHandler` in Apex and reference the class name in the Registration settings.
5. Test by navigating to the site's login URL as a guest and clicking Register.

**Why not the alternative:** Using the legacy `Auth.RegistrationHandler` interface requires writing more boilerplate Apex and does not receive new platform improvements. Prefer `Auth.ConfigurableSelfRegHandler` on all new implementations.

### Pattern: Partner User Onboarding via Manual Addition

**When to use:** Partner onboarding where each partner user must be vetted by an admin before gaining access. Low volume, high-trust scenario.

**How it works:**
1. Ensure the partner's Account record exists and is of record type "Partner Account" (or equivalent).
2. Open the partner's Contact record. Click **Enable Partner User** (or **Enable Customer User** depending on the license).
3. A new User record is created. Set the Profile to a Partner Community profile, set the Username and Email.
4. Confirm the site's Members settings include this profile (or add the user directly via the site's All Members list in Administration).
5. Save and notify the partner — they will receive a welcome email with login instructions.

**Why not the alternative:** Profile-based mass membership is unsuitable here because it immediately grants access to everyone with that profile, bypassing the per-user vetting step.

---

## Decision Guidance

| Situation | Recommended Approach | Reason |
|---|---|---|
| Large B2C portal, users self-onboard | Self-registration with Configurable Self-Reg page or `Auth.ConfigurableSelfRegHandler` | Scales without admin touch; declarative option requires no code for standard flows |
| Small partner network, each partner vetted | Manual user creation / Enable Partner User on Contact | Per-user control without granting broad profile membership |
| Existing internal profile needs to access portal | Create a new external profile tied to the external license | You cannot reuse internal profiles for external users; license binding prevents it |
| Need custom post-registration logic (e.g., assign to correct account dynamically) | Custom `Auth.ConfigurableSelfRegHandler` Apex class | Provides `registerUser` hook where account, profile, and user fields can be set programmatically |
| Login page must match brand guidelines | Experience Builder Login & Registration settings | No code required; publish after structural changes |

---

## Recommended Workflow

Step-by-step instructions for an AI agent or practitioner working on this task:

1. **Confirm license type and profile** — Identify which Experience Cloud license the users will need. Verify that an external profile tied to that license already exists (Setup > Profiles > filter by User License). If not, create the profile before proceeding.
2. **Check license capacity** — Navigate to Setup > Company Information and confirm there are enough available seats for the external license. Remember that deactivated users still consume seats; deactivate and free them if needed before adding new users.
3. **Configure site membership method** — In Setup > Digital Experiences > [site] > Administration > Members, add the external profile(s) for profile-based access. For manual addition, enable the portal user on the Contact record and assign the correct profile. For self-registration, proceed to step 4.
4. **Set up self-registration (if required)** — Enable self-registration in the site's Registration settings. Set the Default New User Account (catch-all account) and Default Profile. Optionally, specify a custom `Auth.ConfigurableSelfRegHandler` Apex class for advanced logic. Test the registration flow as a guest user.
5. **Customise and validate login page branding** — In Experience Builder, open Login & Registration, apply branding (logo, colours, background), enable or disable self-reg/forgot-password links, then publish the site. Confirm the login URL resolves and registration/login completes end-to-end in a browser.

---

## Review Checklist

Run through these before marking work in this area complete:

- [ ] External profile is tied to the correct license type (Customer Community, CC Plus, Partner Community, or External Identity)
- [ ] License seat count confirmed — enough available seats for planned user volume
- [ ] Site membership method configured (profile-based, manual, or self-registration)
- [ ] If self-registration: Default New User Account and Default Profile are set; registration handler (declarative or Apex) is selected and tested
- [ ] Login page branding applied and site published after any structural component change
- [ ] End-to-end login and (if applicable) self-registration tested in a browser as a guest user
- [ ] No internal profiles were used in place of external profiles

---

## Salesforce-Specific Gotchas

Non-obvious platform behaviors that cause real production problems:

1. **Deactivated users still consume license seats** — Deactivating an external user does not free the license. You must deactivate the user AND then go to Setup > Company Information to confirm the count drops. If license seats are exhausted, new user creation fails silently or with a generic error. Audit inactive external users regularly.
2. **Profile-license binding is permanent** — A profile created for the Customer Community license can never be reassigned to the Partner Community license or any other license. Attempting to change the license on an existing profile throws an error. If you chose the wrong license, you must create a new profile and migrate users.
3. **`Auth.ConfigurableSelfRegHandler` vs legacy `Auth.RegistrationHandler`** — The legacy interface requires implementing `createUser(portalId, userId, registrationAttributes, password)` and `updateUser(...)`. The current interface (`Auth.ConfigurableSelfRegHandler`) uses a single `registerUser(context)` method with a richer `Auth.SelfRegistrationContext` object. LLMs trained on older material often generate the legacy signature; always verify which interface is expected in the Registration settings panel.
4. **Self-registration fails silently without a Default Account** — If the Default New User Account is not set in the Registration settings, self-registration POST requests return a generic error page with no useful debug output. This is the single most common self-reg setup mistake. Confirm the account is set and is not a Person Account (standard accounts only for the catch-all).
5. **Login page changes require a publish to take effect for structural changes** — Style-only changes (CSS, background colour) may propagate without a full publish in some scenarios, but adding or removing components on the login page always requires clicking Publish in Experience Builder before external users see the change.

---

## Output Artifacts

| Artifact | Description |
|---|---|
| Site membership configuration | Profile(s) added to the site's Members list in Administration |
| Self-registration settings | Default account, default profile, and optional handler class set in Registration panel |
| Login/registration page | Branded login page published in Experience Builder |
| External user record | User record tied to a Contact with the correct external profile and license |

---

## Related Skills

- flow/flow-for-experience-cloud — when a screen flow or guided process needs to be surfaced on the Experience Cloud site for self-registered or authenticated users
- security/experience-cloud-security — for deeper CORS, CSP, guest user access, and sharing-model security configuration on Experience Cloud sites

Related Skills

session-management-and-timeout

8
from PranavNagrecha/AwesomeSalesforceSkills

Use this skill when configuring session timeout values, concurrent session limits, session IP locking, or logout behavior in Salesforce. Covers org-wide session settings, profile-level overrides, Connected App session policies, and Metadata API SecuritySettings deployment. NOT for OAuth token refresh flows, login IP ranges, or MFA/identity-provider configuration.

oauth-token-management

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when work depends on how Salesforce OAuth access and refresh tokens are issued, refreshed, rotated, revoked, or introspected for a Connected App or API client—including unexpected logouts, invalid_grant after refresh, or designing token incident response. NOT for choosing which OAuth grant or Connected App flow to implement (use integration/oauth-flows-and-connected-apps), Named Credential packaging (use integration/named-credentials-setup), or broad Connected App IP and PKCE policy hardening without a token-lifecycle angle (use security/connected-app-security-policies).

experience-cloud-security

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when configuring access controls, sharing, or site security for authenticated or guest Experience Cloud (community) users: external OWD, Sharing Sets, Share Groups, CSP, clickjack protection, guest user record access. NOT for internal sharing model configuration (use sharing-and-visibility).

certificate-and-key-management

8
from PranavNagrecha/AwesomeSalesforceSkills

Use this skill when creating, uploading, or rotating certificates in Salesforce, configuring mutual TLS (mTLS) client authentication, managing the Java KeyStore for CA-signed certificates, diagnosing certificate expiry in JWT OAuth flows, or understanding which certificate types Salesforce supports and how to migrate them between orgs. NOT for Named Credential configuration (use named-credentials-setup skill), NOT for Shield Platform Encryption key management. Trigger keywords: Certificate and Key Management, self-signed certificate, CA-signed certificate, mutual TLS, mTLS, keystore, JKS, PKCS12, certificate rotation, certificate expiry, JWT certificate.

flexcard-state-management

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when designing FlexCard actions, conditional visibility, and state that must survive navigation, refresh, or parent/child card transitions. Triggers: 'flexcard state', 'flexcard conditional visibility', 'flexcard actions', 'flexcard refresh', 'child flexcard state'. NOT for raw LWC state or for OmniScript step state.

lwc-state-management

8
from PranavNagrecha/AwesomeSalesforceSkills

Share state across LWCs using pub/sub, Lightning Message Service, @wire, and reactive stores. NOT for in-component reactivity.

lwc-focus-management

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when building LWCs that need to manage focus explicitly — modal dialogs, wizard flows, dynamic inserts, list updates, error summaries, and focus after async work. Covers focus restoration, focus traps, programmatic focus across shadow DOM, and patterns for announcing changes to assistive tech. Does NOT cover general LWC a11y audit (see lwc-accessibility).

headless-experience-cloud

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when building custom frontends (React, Vue, mobile, static sites) that consume Salesforce CMS content via the Connect REST API headless delivery endpoint. Triggers: 'headless Salesforce CMS', 'deliver CMS content to external frontend', 'React app Salesforce content API', 'custom frontend Experience Cloud data', 'CMS delivery channel API'. NOT for standard Experience Builder site development. NOT for CMS Connect (3rd-party CMS federation into Experience Builder). NOT for Experience Cloud LWC components rendered inside a site.

experience-cloud-search-customization

8
from PranavNagrecha/AwesomeSalesforceSkills

Use this skill when configuring or extending search on an Experience Cloud site — covering Search Manager scope configuration, LWR vs Aura search component selection, federated search setup, guest user search access, and custom search result components. NOT for SOSL/SOQL query development. NOT for internal Salesforce global search or Einstein Search for agents.

experience-cloud-multi-idp-sso

8
from PranavNagrecha/AwesomeSalesforceSkills

Use this skill when configuring multiple identity providers (OIDC and/or SAML) on a single Experience Cloud site or across tenant-specific portals in the same org — covering auth provider registration, Start SSO URL routing, Federation ID mapping, RegistrationHandler implementation, and simultaneous SP+IdP topology. Trigger keywords: multiple identity providers Experience Cloud, multi-tenant SSO community portal, vendor and citizen portal same site, OIDC SAML both on login page, tenant-specific login routing community. NOT for internal Salesforce employee SSO configuration. NOT for single auth provider setups — see experience-cloud-authentication for basic SSO.

experience-cloud-lwc-components

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when building custom LWC components for Experience Cloud (Experience Builder sites, LWR portals, Aura-based communities). Covers community context imports, guest user Apex access patterns, navigation API differences between LWR and Aura, and JS-meta.xml target configuration for Experience Builder exposure. NOT for internal LWC components deployed to Lightning App Builder or standard record pages (see lwc/lwc-development). NOT for Aura community components. Trigger keywords: build LWC for Experience Cloud, custom component community portal LWC, guest user LWC component, community context import salesforce, lightningCommunity target, @salesforce/community, guest Apex.

experience-cloud-authentication

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when building custom login pages, social SSO flows, self-registration flows, or passwordless OTP login for Experience Cloud (community) sites. Trigger keywords: custom login page Experience Cloud, social SSO community portal, passwordless login Experience Cloud, self-registration custom flow, headless authentication community, auth provider OIDC SAML site. NOT for internal SSO configuration (use identity/sso skills). NOT for standard username/password authentication with no customization.