SSO from prod to sandbox using ECA
This explains how to enable single sign-on (SSO) from a Salesforce production org to a sandbox using an External Client App (ECA) despite a current bug. The article describes a workaround: set the start URL to OAuth instead of Custom so that the app's access permissions are correctly respected. It walks through enabling OAuth settings and enabling SAML on the ECA to achieve sandbox SSO. Useful for Salesforce professionals who need to share sessions between production and sandbox environments without exposing the app to users who should not have access to it.
- Use External Client Apps (ECA) for production-to-sandbox SSO now that Connected Apps are deprecated.
- Avoid setting start URL to custom in ECA due to a permissions bug.
- Workaround by enabling OAuth and setting start URL to OAuth with the target URL entered.
- Enable SAML in the ECA to complete the SSO setup.
- This approach ensures app permissions are respected and prevents unauthorized user access.
This is the Winter '26 update for this article, which covers how I solved the session re sandbox SSO magic: https://goravseth.com/single-sign-on-from-production-to-sandbox

Connected Apps were voted off the island, and now we have External Client Apps, which are great. It is possible to do the same SSO magic with an ECA, but there is currently a bug (that for some reason they will not create a KI for) that requires a funny workaround.

The bug: If you set the start URL to Custom in the ECA, the app ignores whatever permissions you apply for who can access the app, and it shows up in the app menu for everyone. Those without access are currently redirected to Classic and shown an ugly error… Support acknowledged this is a bug and said it's actively being worked on two months ago, so keep holding your breath…

The workaround: click Enable OAuth, set the start URL to OAuth, and enter the target URL there. The rest of the OAuth settings don't matter, as we are not using OAuth itself; the SSO is still handled by SAML, so enable SAML in the ECA as before.