This article describes how to configure Identity Cloud to use Salesforce as a social provider for authentication and/or registration. Identity Cloud provides a standards-based solution for Salesforce social authentication and registration, built on OIDC.
- You have a working Identity Cloud tenant.
- You have a Salesforce developer edition account. See Salesforce Developers for further information.
ForgeRock assumes no responsibility for errors or omissions in the third-party software or documentation.
Create a connected app for Identity Cloud
Refer to the Salesforce documentation for guidance on how to create a connected app.
Use the following configuration for Identity Cloud:
- Basic Information:
- Connected App Name: Enter the app name, for example, ForgeRock.
- API Name: The API Name defaults to the Connected App Name.
- Contact Email: Enter a contact email.
- API (Enable Auth Settings):
- Enable OAuth Settings: Select the checkbox to enable OAuth settings.
- Callback URL: Enter the URL that a user's browser is redirected to after successful authentication. This must match the Redirect URL that you will configure in Identity Cloud, for example,
- Selected OAuth Scopes: Add the following scopes:
  - Access and Manage your data (API)
  - Access your basic information (id, profile, email, address, phone)
  - Perform requests on your behalf at any time (refresh_token, offline_access)
  - Provide access to your data via the Web (web)
Note that the connected app may take a few minutes to become available.
Once the connected app is available, make a note of the Consumer Key and Consumer Secret, which can be found under the API list. You'll use this information when you configure Salesforce as a social identity provider in Identity Cloud.
- In the Identity Cloud Admin UI, navigate to Native Consoles > Access Management > Services > Social Identity Provider Service.
- Choose Secondary Configurations, click Add a Secondary Configuration, and select the Client configuration for Salesforce option.
- Complete the following configuration:
- Name: Enter a name for the social identity provider, for example, Salesforce.
- Client ID: Enter the Consumer Key from the connected app you configured in Salesforce.
- Redirect URL: Enter your Identity Cloud tenant login URL. This must match the value that you entered for the Callback URL in Salesforce, for example,
- Scope Delimiter: Enter the scope delimiter, which is usually an empty space.
- Click Create.
The full configuration for the new Salesforce social identity provider is displayed.
- In the Client Secret field, enter the Consumer Secret from the connected app you configured in Salesforce.
- Check that the rest of the default settings are correct. In particular, check the following fields:
- Enabled: Ensure the configuration is enabled.
- Transform Script: Ensure that Salesforce Profile Normalization is entered. This script transforms Salesforce credential data into a normalized form.
- Click Save Changes.
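The Callback URL in Salesforce and the Redirect URL in Identity Cloud must match, and the scope string must split cleanly on the configured Scope Delimiter. The following preflight check is an added example, not part of the ForgeRock or Salesforce documentation. It assumes the two URLs are compared as exact strings, and the function names and the `tenant.example.com` host are hypothetical placeholders.

```python
from urllib.parse import urlsplit

# Scope tokens taken from the Selected OAuth Scopes listed in this article.
GRANTED = {"api", "id", "profile", "email", "address", "phone",
           "refresh_token", "offline_access", "web"}

def redirect_mismatches(callback_url, redirect_url):
    """Explain why the Salesforce Callback URL and the Identity Cloud Redirect
    URL fail an exact string comparison. An empty list means they match."""
    if callback_url == redirect_url:
        return []
    reasons = []
    a, b = urlsplit(callback_url.strip()), urlsplit(redirect_url.strip())
    if callback_url.strip() == redirect_url.strip():
        reasons.append("leading/trailing whitespace")
    if a.scheme != b.scheme:
        reasons.append(f"scheme: {a.scheme!r} vs {b.scheme!r}")
    if a.netloc != b.netloc:
        same = a.netloc.lower() == b.netloc.lower()
        reasons.append("host: case only" if same else "host: different host or port")
    if a.path != b.path:
        same = a.path.rstrip("/") == b.path.rstrip("/")
        reasons.append("path: trailing slash" if same else "path: different path")
    if (a.query, a.fragment) != (b.query, b.fragment):
        reasons.append("query string or fragment differs")
    return reasons or ["strings differ; compare character by character"]

def scope_problems(scope_string, delimiter, granted=GRANTED):
    """Split the configured scopes with the configured Scope Delimiter and
    report tokens that would not map to a scope granted by the connected app."""
    if not delimiter:
        return ["Scope Delimiter is empty"]
    problems = []
    for token in scope_string.split(delimiter):
        if token == "":
            problems.append("empty token (doubled delimiter?)")
        elif any(ch.isspace() or ch == "," for ch in token):
            problems.append(f"{token!r}: delimiter does not match the scope string")
        elif token not in granted:
            problems.append(f"{token!r}: not selected in the connected app")
    return problems

if __name__ == "__main__":
    # Constructed sample values; tenant.example.com is a placeholder host.
    print(redirect_mismatches("https://tenant.example.com/login/",
                              "https://tenant.example.com/login"))
    print(scope_problems("id api web refresh_token", " "))
```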
You can create custom end-user journeys for social registration and login. These journeys will include all your enabled social identity providers, so you won't need to create different journeys for different providers.
See How do I create end-user journeys for social registration and login in Identity Cloud? for further information.
- In the Identity Cloud Admin UI, navigate to Journeys.
- Click the journey that you want to test.
- Copy the Preview URL.
- Paste the preview URL into a browser using Incognito or private browsing mode.
- Follow the sign in and/or registration steps to test your journey.
For example, if Salesforce is configured as a social identity provider for social sign in, users are asked if they want to authenticate with Salesforce, similar to the screenshot below.