Setting Up Salesforce as an IDM Social Identity Provider

As suggested in the introduction to this chapter, you'll need to take the following basic steps to configure Salesforce as a social identity provider for IDM:


When you configure a Salesforce app, look for a Consumer Key and a Consumer Secret. IDM uses this information as a clientId and clientSecret, respectively.

For reference, read through the following Salesforce documentation: Connected Apps Overview.

Setting Up Salesforce

To set up Salesforce as a social identity provider, you will need a Salesforce developer account. Log in to the Salesforce Developers Page with your developer account credentials and create a new Connected App.


These instructions were written with the Winter '19 Release of the Salesforce API. The menu items might differ slightly if you are working with a different version of the API.

Under App Setup, select Create > Apps > Connected Apps > New. You will need to add the following information:

  • Connected App Name

  • API Name (defaults to the Connected App Name)

  • Contact Email

  • Activate the following option: Enable OAuth Settings

  • Callback URL (also known as the Redirect URI for other providers), for example https://localhost:8443/.

    The Callback URL must correspond to the URL that you use to log in to the IDM Admin UI.

  • Add the following OAuth scopes:

    • Access and Manage your data (api)

    • Access your basic information (id, profile, email, address, phone)

    • Perform requests on your behalf at any time (refresh_token, offline_access)

    • Provide access to your data via the Web (web)

    Note that these must be added even if you are otherwise planning to use the full OAuth scope.

After you have saved the Connected App, it might take a few minutes for the new app to appear under Administration Setup > Manage Apps > Connected Apps.

Select the new Connected App then locate the Consumer Key and Consumer Secret (under the API list). You'll use that information as shown here:

  • Salesforce Consumer Key = IDM Client ID

  • Salesforce Consumer Secret = IDM Client Secret

Configuring a Salesforce Social Identity Provider

  1. To configure a Salesforce social identity provider, log in to the Admin UI and navigate to Configure > Social ID Providers.

  2. Enable the Salesforce social identity provider.

    In the Salesforce Provider pop-up that appears, the values for Redirect URI should match the value that you've entered for Callback URL in "Setting Up Salesforce".

  3. Include the values that Salesforce created for Consumer Key and Consumer Secret, as described in "Setting Up Salesforce".

  4. Under regular and Advanced Options, include the options shown in the following appendix: "Salesforce Social Identity Provider Configuration Details".

When you enable a Salesforce social identity provider in the Admin UI, IDM generates the identityProvider-salesforce.json file in your project's conf/ subdirectory.

It includes parts of the file that you may have configured through the Admin UI. While the labels in the UI specify Consumer Key and Consumer Secret, you'll see them as clientId and clientSecret, respectively, in the configuration file.

    "provider" : "salesforce",
    "authorizationEndpoint" : "",
    "tokenEndpoint" : "",
    "userInfoEndpoint" : "",
    "clientId" : "<someUUID>",
    "clientSecret" : {
       "$crypto" : {
           "type" : "x-simple-encryption",
           "value" : {
               "cipher" : "AES/CBC/PKCS5Padding",
               "stableId" : "openidm-sym-default",
               "salt" : "<hashValue>",
               "data" : "<encryptedValue>",
               "keySize" : 16,
               "purpose" : "idm.config.encryption",
               "iv" : "<encryptedValue>",
               "mac" : "<hashValue>"
    "scope" : [

You should also see UI settings related to the social identity provider icon (badge) and the sign-in button, described in "Social Identity Provider Button and Badge Properties".

You'll see links related to the authenticationIdKey, redirectUri, and configClass; the location may vary.

The file includes schema information, which includes properties for each social identity account, as collected by IDM, as well as the order in which it appears in the Admin UI. When you've registered a user with a Salesforce social identity, you can verify this by selecting Manage > Salesforce, and then selecting a user.

Another part of the file includes a propertyMap, which maps user information entries between the source (social identity provider) and the target (IDM).

If you need more information about the properties in this file, refer to the following appendix: "Salesforce Social Identity Provider Configuration Details".

Configuring User Registration to Link to Salesforce

Once you've configured the Salesforce social identity provider, you can activate it through User Registration. To do so in the Admin UI, select Configure > User Registration, and activate that feature. Under the Social tab that appears, enable Social Registration. For more information on IDM user self-service features, see "Self-Service End User UI".

When you enable Social Registration, you're allowing users to register on IDM through all active social identity providers.

Read a different version of :