Salesforce SSO integration with Identity Cloud for social authentication/registration
The purpose of this article is to provide information on configuring ForgeRock Identity Cloud to integrate with Salesforce® as a social provider using OpenID Connect (OIDC) for Single Sign-On (SSO).
Overview
This article describes how to configure Identity Cloud to use Salesforce as a social provider for authentication and/or registration. Identity Cloud provides a standards-based solution for Salesforce social authentication and registration based on OIDC standards.
Steps involved:
- Configure Salesforce
- Configure the Social Identity Provider in Identity Cloud
- Create the end user journey
- Test the end user experience
Prerequisites
- You have a working Identity Cloud tenant.
- You have a Salesforce developer edition account. See Salesforce Developers for further information.
Configuring Salesforce
Disclaimer
ForgeRock assumes no responsibility for errors or omissions in the third-party software or documentation.
Create a connected app for Identity Cloud
Refer to the Salesforce documentation for guidance on how to create a connected app.
Use the following configuration for Identity Cloud:
- Basic Information:
- Connected App Name: Enter the app name, for example, ForgeRock.
- API Name: The API Name defaults to the Connected App Name.
- Contact Email: Enter a contact email.
- API (Enable Auth Settings):
- Enable OAuth Settings: Select the checkbox to enable OAuth settings.
- Callback URL: Enter the URL that a user's browser is redirected to after successful authentication. This must match the Redirect URL that you will configure in Identity Cloud exactly (same scheme, host and path), for example, https://<tenant-env-fqdn>/login.
- Selected OAuth Scopes: Add the following scopes:
- Manage user data via APIs (api)
- Access the identity URL service (id, profile, email, address, phone)
- Perform requests at any time (refresh_token, offline_access)
- Manage user data via Web browsers (web)
Note that the connected app may take a few minutes to become available.
Once the connected app is available, click Manage Consumer Details and make a copy of the Consumer Key and Consumer Secret. You'll use this information when you configure Salesforce as a social identity provider in Identity Cloud. The Consumer Secret is the OAuth client secret: store it only in the Identity Cloud configuration, and regenerate it in Salesforce if it is ever exposed.
Configuring the Social Identity Provider in Identity Cloud
- In the Identity Cloud admin UI, go to Native Consoles > Access Management > Services > Social Identity Provider Service.
- Choose Secondary Configurations, click Add a Secondary Configuration, and select the Client configuration for Salesforce option.
- Complete the following configuration:
- Name: Enter a name for the social identity provider, for example, Salesforce.
- Client ID: Enter the Consumer Key from the connected app you configured in Salesforce.
- Redirect URL: Enter your Identity Cloud tenant login URL. This must match the value that you entered for the Callback URL in Salesforce, for example, https://<tenant-env-fqdn>/login.
- Scope Delimiter: Enter the scope delimiter, which is usually a single space.
- Click Create.
The full configuration for the new Salesforce social identity provider is displayed.
- In the Client Secret field, enter the Consumer Secret from the connected app you configured in Salesforce.
- Check the rest of the default settings are correct. In particular, check the following fields:
- Enabled: Ensure the configuration is enabled.
- Transform Script: Ensure that Salesforce Profile Normalization is entered. This script transforms the profile data returned by Salesforce into the normalized form that Identity Cloud uses for authentication and registration.
- Click Save Changes.
Creating the end user journey
You can create custom end user journeys for social registration and login. These journeys will include all your enabled social identity providers, so you won't need to create different journeys for different providers.
See How do I create end user journeys for social registration and login in Identity Cloud? for further information.
Testing the end user experience
- In the Identity Cloud admin UI, go to Journeys.
- Click the journey that you want to test.
- Copy the Preview URL.
- Paste the preview URL into a browser in Incognito or Private Browsing mode, so that no existing Identity Cloud or Salesforce session is reused.
- Follow the sign in and/or registration steps to test your journey.
For example, if Salesforce is configured as a social identity provider for social sign in, users are asked if they want to authenticate with Salesforce, similar to the screenshot below.
See Also
How do I create end user journeys for social registration and login in Identity Cloud?
Does the ForgeRock solution support social authentication?
Single Sign-On Integrations for Identity Cloud
Identity Cloud documentation:
Other social integrations:
- Amazon SSO integration with Identity Cloud for social authentication/registration
- Apple SSO integration with Identity Cloud for social authentication/registration
- Facebook SSO integration with Identity Cloud for social authentication/registration
- Google SSO integration with Identity Cloud for social authentication/registration
- LinkedIn SSO integration with Identity Cloud for social authentication/registration
- Microsoft SSO integration with Identity Cloud for social authentication/registration
- WordPress SSO integration with Identity Cloud for social authentication/registration
- Yahoo SSO integration with Identity Cloud for social authentication/registration