Salesforce Auth Provider with Facebook SSO

It sounds like you already have your Facebook user linked to a Salesforce Community (= Portal) user, and now you're trying to log him in as an internal user. A given FB user cannot be both.

To fix this, and test SSO as an internal user, you can break that user's link from FB to Salesforce. Log into the org as an admin, then go to that user's record, scroll down to Third-Party Account Links and hit Revoke against the Facebook link. Now your user should be able to log in as an internal user.

Metadaddy is on the right track here. It's a bit nuanced, but here we go:

When logging into Salesforce you can really have multiple contexts. The default is logging into the Org. You do this from login.salesforce.com, your My Domain, or perhaps from an enterprise single sign-on service. Here's where you access apps like Sales, Service, or custom apps on Force.com.

You can also invite external users into your org. Historically we called this a Portal - these days you do this through a Community. It's a space that external users (customers, partners, etc.) can log in to and collaborate and be delivered applications, but can have separate authentication and authorization config from the core Org, which is sort of...employee only.

The Auth Provider URL you're using is set up, by default, to target the internal org. So, when you use the SSO URL on that page, it is trying to log in to the Org, but since your Reg Handler creates a portal-style user, they are blocked from logging in.

You can, of course, configure your Community to accept the Auth Provider. This is a simple checkbox on the login configuration for the community, and it will automatically put a button on your Community login page, handle StartUrls, etc.

If you need to build the Auth Provider URL yourself to test manually, it's pretty easy...you just need a special param. Here's an example:

https://login.salesforce.com/services/auth/sso/00D30000000000FOO/Facebook?community=http%3A%2F%2Fcustomerdemo.force.com&startURL=

You just need to add that community param with your URL, plus an optional start URL. This will target the authentication to your community, instead of your org.

And once again, the Community login page does this for you automatically.

Hope that helps!
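As an added illustration of the URL construction described in that answer (example code, not from the answer or from Salesforce), the helper below builds the Auth Provider SSO URL with and without the community parameter, percent-encoding the community URL the way the example URL above shows, and a second helper reads a URL back to report whether it will land on the internal org or on a community. The org id and community URL are the placeholder values from the answer; the allow-list check and the "startURL must be relative" rule are this example's own defensive choices, not documented Salesforce behaviour.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample values copied from the answer above; the org id is the
# placeholder the answer uses, not a real org.
LOGIN_HOST = "https://login.salesforce.com"
ORG_ID = "00D30000000000FOO"
PROVIDER = "Facebook"
COMMUNITY_URL = "http://customerdemo.force.com"


def build_sso_url(org_id, provider, community_url=None, start_url="", login_host=LOGIN_HOST):
    """Build the Auth Provider SSO URL.

    Without community_url the URL targets the internal org; with it the
    community= parameter sends authentication to that community instead.
    start_url is kept relative (a path on the community) so a pasted link
    cannot send the user off to an arbitrary external site; that restriction
    is this example's own choice, not a documented Salesforce rule.
    """
    if start_url and not start_url.startswith("/"):
        raise ValueError(f"startURL must be a relative path, got {start_url!r}")
    base = f"{login_host}/services/auth/sso/{org_id}/{provider}"
    params = {}
    if community_url is not None:
        params["community"] = community_url
    params["startURL"] = start_url
    # urlencode percent-encodes ':' and '/' so the community URL survives as a single value
    return f"{base}?{urlencode(params)}"


def sso_target(url, allowed_communities=frozenset()):
    """Report where an SSO URL will try to authenticate the user.

    Returns "org" when there is no community parameter (the internal login that
    a portal-style user created by the registration handler cannot complete),
    otherwise the community URL. If allowed_communities is given, a community
    outside it raises, a simple allow-list check for links in a test plan.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    community = query.get("community", [None])[0]
    if community is None:
        return "org"
    if allowed_communities and community not in allowed_communities:
        raise ValueError(f"unexpected community target: {community}")
    return community


if __name__ == "__main__":
    print(build_sso_url(ORG_ID, PROVIDER, COMMUNITY_URL))
    print(sso_target(build_sso_url(ORG_ID, PROVIDER)))
```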