Currently, Salesforce is supported both as a social connection and also as an enterprise connection using the SAMLP Identity Provider; see (https://auth0.com/docs/protocols/saml/identity-providers/salesforce) for a step-by-step guide on configuring a Salesforce-based SAML enterprise connection.
The reason I’m pointing you to the enterprise connections is that currently we support Home Realm Discovery (HRD) for those types of connections. This means that if you’re making use of Lock (used by default in the hosted login page) you could leverage its built-in support for HRD in enterprise connections and take the following approach.
- Configure a SAML enterprise connection for each customer with a custom Salesforce domain; when configuring the connection you would use the Email Domains field to associate this connection with users owning an email at a particular domain.
- Enable those connections for the client application in question in addition to the general social connection.
- When using Lock within the client application or hosted page, the Lock UI is shown with the possibility for users to log in with the Salesforce social connection (for customers without a custom domain) or to input their company email address in an input field.
Assuming you configured two SAML connections, one for Fabrikam company with an email domain of @fabrikam.com and another for Contoso company with an email domain of @contoso.com, when a user goes to your application and inputs their company email address in Lock they would be asked to authenticate through the corresponding Salesforce SAML connection for their company.
For example, if John from Fabrikam inputs the email firstname.lastname@example.org, Lock would do the domain matching and automatically allow John to continue the login through the SAMLP Salesforce connection you configured for Fabrikam.
For more information about solving the HRD issue using Lock email domains logic, check: https://auth0.com/docs/libraries/lock/v10/selecting-the-connection-for-multiple-logins#option-2-using-email-domains-with-lock
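
The email-domain routing described in this answer, sketched as an added example (it is not part of the original post and is not Lock's or Auth0's own code). The connection names and the social fallback name are hypothetical, and the sample data is constructed. It matches the domain exactly, so look-alike or suffixed domains fall back to the general connection instead of being routed to a customer's SAML connection.

```javascript
// Constructed sample data: connection names are hypothetical.
const ENTERPRISE_CONNECTIONS = [
  { name: "fabrikam-salesforce-saml", domains: ["fabrikam.com"] },
  { name: "contoso-salesforce-saml", domains: ["contoso.com"] },
];
// Assumed name of the general Salesforce social connection.
const SOCIAL_FALLBACK = "salesforce";

// Build an exact-match lookup once. A domain claimed by two connections is a
// configuration error: routing would be ambiguous, so fail loudly.
function buildDomainIndex(connections) {
  const index = new Map();
  for (const conn of connections) {
    for (const d of conn.domains) {
      const key = d.trim().toLowerCase();
      if (index.has(key)) {
        throw new Error(`domain ${key} is claimed by two connections`);
      }
      index.set(key, conn.name);
    }
  }
  return index;
}

// Pick the connection for the address the user typed. This only decides where
// to send the user; the identity provider still has to authenticate them.
function selectConnection(email, index, fallback = SOCIAL_FALLBACK) {
  if (typeof email !== "string") return fallback;
  const at = email.lastIndexOf("@");
  // No local part or no domain part: not a usable address.
  if (at <= 0 || at === email.length - 1) return fallback;
  const domain = email.slice(at + 1).trim().toLowerCase();
  // Exact match only: "notfabrikam.com" and "fabrikam.com.example.net"
  // must not be routed to the Fabrikam connection.
  return index.get(domain) ?? fallback;
}

const DOMAIN_INDEX = buildDomainIndex(ENTERPRISE_CONNECTIONS);
```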