IDM 7.4.1

Salesforce social identity provider

Social authentication is deprecated and will be removed in a future release of IDM. For more information, refer to Deprecation.

When you configure a Salesforce app, look for a Consumer Key and a Consumer Secret. IDM uses this information as a clientId and clientSecret, respectively.

For reference, read through the following Salesforce documentation: Connected Apps Overview.

Set up Salesforce

These instructions were written with the Winter '19 Release of the Salesforce API. The menu items might differ slightly if you are working with a different version of the API.

  1. To set up Salesforce as a social identity provider, you will need a Salesforce developer account. Log in to the Salesforce Developers Page with your developer account credentials and create a new Connected App.

  2. Under App Setup, select Create > Apps > Connected Apps > New. You will need to add the following information:

    • Connected App Name

    • API Name (defaults to the Connected App Name)

    • Contact Email

    • Activate Enable OAuth Settings

    • Callback URL (also known as the Redirect URI for other providers), for example https://localhost:8443.

      The Callback URL must correspond to the log-in URL for the IDM admin UI.

  3. Add the following OAuth scopes:

    • Access and Manage your data (api)

    • Access your basic information (id, profile, email, address, phone)

    • Perform requests on your behalf at any time (refresh_token, offline_access)

    • Provide access to your data via the Web (web)

      You must add these scopes even if you are planning to use the full OAuth scope.
  4. After you have saved the Connected App, it might take a few minutes for the new app to appear under Administration Setup > Manage Apps > Connected Apps.

  5. Select the new Connected App then locate the Consumer Key and Consumer Secret (under the API list). You’ll use that information as shown here:

    • Salesforce Consumer Key = IDM Client ID

    • Salesforce Consumer Secret = IDM Client Secret

Configure a Salesforce social identity provider

To configure a Salesforce social identity provider using the admin UI:

  1. From the navigation bar, click Configure > Social ID Providers.

  2. On the Social Identity Providers page, enable Salesforce.

  3. In the Salesforce Provider window, enter applicable values in the fields, and click Save. For a complete list of fields, refer to Salesforce Social Identity Provider Configuration Details.

After you save the social identity provider configuration, IDM generates a conf/identityProvider-salesforce.json file:

    "provider" : "salesforce",
    "authorizationEndpoint" : "",
    "tokenEndpoint" : "",
    "userInfoEndpoint" : "",
    "clientId" : "<someUUID>",
    "clientSecret" : {
       "$crypto" : {
           "type" : "x-simple-encryption",
           "value" : {
               "cipher" : "AES/CBC/PKCS5Padding",
               "stableId" : "openidm-sym-default",
               "salt" : "<hashValue>",
               "data" : "<encryptedValue>",
               "keySize" : 16,
               "purpose" : "idm.config.encryption",
               "iv" : "<encryptedValue>",
               "mac" : "<hashValue>"
    "scope" : [

The file includes schema information, which includes properties for each social identity account, as collected by IDM, as well as the order in which it appears in the admin UI. When you’ve registered a user with a Salesforce social identity, you can verify this by selecting Manage > Salesforce, and then selecting a user.

Another part of the file includes a propertyMap, which maps user information entries between the source (social identity provider) and the target (IDM).

If you need more information about the properties in this file, refer to the following appendix: Salesforce Social Identity Provider Configuration Details.

Configure user registration to link to Salesforce

Once you’ve configured the Salesforce social identity provider, you can activate it through User Registration. To do so in the admin UI, select Configure > User Registration, and activate that feature. Under the Social tab that appears, enable Social Registration. For more information on IDM user self-service features, refer to Self-service end user UI.

When you enable Social Registration, you’re allowing users to register on IDM through all active social identity providers.

Salesforce social identity provider configuration details

You can set up the Salesforce social identity provider through the admin UI or in a conf/identityProvider-salesforce.json file. IDM generates the identityProvider-salesforce.json file when you configure and enable this social identity provider in the admin UI. Alternatively, you can create the file manually.

The following table includes the information shown in the admin UI Salesforce Provider pop-up window, along with associated information in the identityProvider-salesforce.json file:

Salesforce social identity provider configuration properties
Property (UI) Property (JSON file) Description

Client ID


The client identifier for your Salesforce App

Client Secret


Used with the Client ID to access the applicable Salesforce API



An array of strings that allows access to user data

Authorization Endpoint


A typical URL:

Token Endpoint


Endpoint that receives a one-time authorization code, and returns an access token; such as

User Info Endpoint


Endpoint that transmits scope-related fields; a typical URL:

Not in the admin UI


Name of the social identity provider

Not in the admin UI


Configuration class for the authentication module

Not in the admin UI


Whether to use basic authentication

Not in the admin UI


Mapping between Salesforce and IDM

Copyright © 2010-2024 ForgeRock, all rights reserved.