
Salesforce SSO integration with Identity Cloud as OIDC identity provider

Last updated Nov 2, 2021

The purpose of this article is to provide information on configuring Identity Cloud to integrate with Salesforce® using OpenID Connect (OIDC) federation for Single Sign-On (SSO). It assumes Identity Cloud is acting as the identity provider (IdP) and Salesforce as the service provider (SP).


Overview

This article describes how to enable your users to sign in to Salesforce with Identity Cloud using OIDC SSO in a service provider-initiated flow. It assumes Identity Cloud is acting as the OIDC IdP and Salesforce as the SP. 

Once configured, Salesforce end-users will be presented with the ForgeRock Sign In screen to authenticate before being redirected back to Salesforce. Users who do not already exist in your Salesforce domain will be automatically provisioned when they first log in (providing you enable user provisioning in Salesforce).

Note

Salesforce as an SP is not available for all Salesforce editions. See the Salesforce documentation for further details.

Steps involved:

  1. Configure Salesforce
  2. Create the Salesforce client in Identity Cloud
  3. Test the end-user experience

Prerequisites

  • You have a working Identity Cloud tenant.
  • You have a Salesforce developer edition account. See Salesforce Developers for further information.

Configuring Salesforce

Disclaimer

ForgeRock assumes no responsibility for errors or omissions in the third-party software or documentation.

Define an OpenID Connect authentication provider 

Refer to the Salesforce documentation for guidance on defining an OpenID Connect authentication provider for your Salesforce organization.

Use the following configuration for Identity Cloud:

  • Name: Enter a name for the identity provider, for example, ForgeRock.
  • URL Suffix: Enter the URL suffix, which is used in the client configuration URLs. This defaults to the provider name.
  • Consumer Key: Enter the client key to use with Identity Cloud, for example, salesforce. This must match the Client ID you will configure in the Salesforce client in Identity Cloud.
  • Consumer Secret: Enter the client secret to use with Identity Cloud. This must match the Client secret you will configure in the Salesforce client in Identity Cloud.
  • Authorize Endpoint URL: Enter the authorize endpoint URL from Identity Cloud, for example, https://<tenant-name>.forgeblocks.com/am/oauth2/realms/root/realms/alpha/authorize
  • Token Endpoint URL: Enter the token endpoint URL from Identity Cloud, for example, https://<tenant-name>.forgeblocks.com/am/oauth2/realms/root/realms/alpha/access_token
  • User Info Endpoint URL: Enter the user info endpoint URL from Identity Cloud, for example, https://<tenant-name>.forgeblocks.com/am/oauth2/realms/root/realms/alpha/userinfo
  • Token Issuer: Leave blank.
  • Default Scopes: Enter the following scopes: profile email openid. Leave a space between the scope names.
  • Send access token in header: Select this checkbox.
  • Include Consumer Secret in API Responses: Select this checkbox.
  • Registration Handler: Click Automatically create a registration handler template to create an Apex class template for the registration handler. You'll need to edit this Apex class template later. See Edit the registration handler Apex class template for further information.
  • Execute Registration As: Select your Salesforce admin user.

Once you have saved the authentication provider, make a note of the Salesforce configuration URLs. You'll need these when you configure your Salesforce client in Identity Cloud.

Edit the registration handler Apex class template 

Make the following changes to the registration handler Apex class template (the one you auto-created in the previous step):

  • Line 12. Specify return true;. This enables Just in Time (JIT) provisioning to Salesforce during federation.
  • Line 26. Set the u.username to the email claim, for example, u.username = data.email;
  • Line 30. Set the alias, for example, String alias = data.firstName+data.lastName;
  • Line 36. Set the language locale key, for example, u.languagelocalekey = 'en_US';

The registration handler Apex class template should now look similar to this:

1  //TODO:This autogenerated class includes the basics for a Registration
2  //Handler class. You will need to customize it to ensure it meets your needs and
3  //the data provided by the third party.
4
5  global class ForgeRock implements Auth.RegistrationHandler{
6      global boolean canCreateUser(Auth.UserData data) {
7          //TODO: Check whether we want to allow creation of a user with this data
8          //Set<String> s = new Set<String>{'usernamea', 'usernameb', 'usernamec'};
9          //if(s.contains(data.username)) {
10             //return true;
11         //}
12         return true;
13     }
14
15     global User createUser(Id portalId, Auth.UserData data){
16         if(!canCreateUser(data)) {
17             //Returning null or throwing an exception fails the SSO flow
18             return null;
19         }
20         //The user is authorized, so create their Salesforce user
21         User u = new User();
22         Profile p = [SELECT Id FROM profile WHERE name='Standard User'];
23         //TODO: Customize the username. Also check that the username doesn't already exist and
24         //possibly ensure there are enough org licenses to create a user. Must be 80 characters
25         //or less.
26         u.username = data.email;
27         u.email = data.email;
28         u.lastName = data.lastName;
29         u.firstName = data.firstName;
30         String alias = data.firstName+data.lastName;
31         //Alias must be 8 characters or less
32         if(alias.length() > 8) {
33             alias = alias.substring(0, 8);
34         }
35         u.alias = alias;
36         u.languagelocalekey = 'en_US';
37         u.localesidkey = UserInfo.getLocale();
38         u.emailEncodingKey = 'UTF-8';
39         u.timeZoneSidKey = 'America/Los_Angeles';
40         u.profileId = p.Id;
41         return u;
42     }
43
44     global void updateUser(Id userId, Id portalId, Auth.UserData data){
45         User u = new User(id=userId);
46         //TODO: Customize the username. Must be 80 characters or less.
47         //u.username = data.username + '@myorg.com';
48         u.email = data.email;
49         u.lastName = data.lastName;
50         u.firstName = data.firstName;
51         //String alias = data.username;
52         //Alias must be 8 characters or less
53         //if(alias.length() > 8) {
54             //alias = alias.substring(0, 8);
55         //}
56         //u.alias = alias;
57         update(u);
58     }
59 }

Configure language settings for your Salesforce organization

Enable both of the following options in Language Settings:

  • End-user languages
  • Platform-only languages

Enable the OIDC login

To enable Salesforce users to log in using OIDC SSO, you'll need to add the Identity Cloud identity provider (for example, ForgeRock) to your Salesforce domain as an authentication service. 

Creating the Salesforce client in Identity Cloud

  1. In the Identity Cloud Admin UI, navigate to Applications > + Add Application.
  2. Select Web and click Next.
  3. Complete the following details:
    • Client ID: Enter a name for the client. This must match the Consumer Key you configured in Salesforce, for example, salesforce.
    • Client Secret: Enter the client secret that will be used when Salesforce authenticates to Identity Cloud. This must match the Consumer Secret you configured in Salesforce.
  4. Click Create Application.
  5. Complete at least the following details:
    • Sign-in URLs: Enter the sign-in URL for Salesforce. This must match the Callback URL from your Salesforce configuration, for example, https://<YourSalesforceDomainName>/services/authcallback/ForgeRock.
    • Scopes: Enter the following scopes: openid profile email.

See Create a client profile for information on other settings available when creating a web application.

  6. Click Show advanced settings and enter at least the following details:
    • Default Scopes (Access tab): Enter the following scopes: openid profile email.
    • Token Endpoint Authentication Method (Authentication tab): Enter client_secret_post.
  7. Click Save.
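The Salesforce authentication provider and the Identity Cloud client must agree on several values (Consumer Key/Client ID, Consumer Secret/Client Secret, Callback URL/Sign-in URL, scopes, token endpoint authentication method, and the realm path of the three endpoints). The following added example, which is not ForgeRock or Salesforce code, cross-checks the two sides before you test the login; both dictionaries are constructed sample values that mirror the settings listed above, and the secret is a placeholder.

```python
# Added example: cross-check the Salesforce Auth. Provider settings against the
# Identity Cloud client. Both dicts are constructed samples, not real tenant data.
REALM = "https://<tenant-name>.forgeblocks.com/am/oauth2/realms/root/realms/alpha"

SALESFORCE_AUTH_PROVIDER = {
    "consumer_key": "salesforce",
    "consumer_secret": "PLACEHOLDER-SECRET",  # placeholder, not a real secret
    "authorize_endpoint_url": REALM + "/authorize",
    "token_endpoint_url": REALM + "/access_token",
    "user_info_endpoint_url": REALM + "/userinfo",
    "default_scopes": "profile email openid",
    "callback_url": "https://<YourSalesforceDomainName>/services/authcallback/ForgeRock",
}

IDENTITY_CLOUD_CLIENT = {
    "client_id": "salesforce",
    "client_secret": "PLACEHOLDER-SECRET",
    "sign_in_urls": ["https://<YourSalesforceDomainName>/services/authcallback/ForgeRock"],
    "scopes": "openid profile email",
    "default_scopes": "openid profile email",
    "token_endpoint_auth_method": "client_secret_post",
}

def check_pairing(sf: dict, ic: dict) -> list:
    """Return the list of mismatches; an empty list means both sides agree."""
    problems = []
    if sf["consumer_key"] != ic["client_id"]:
        problems.append("Consumer Key must equal Client ID")
    if sf["consumer_secret"] != ic["client_secret"]:
        problems.append("Consumer Secret must equal Client Secret")
    # Identity Cloud only redirects the authorization code to a registered Sign-in URL.
    if sf["callback_url"] not in ic["sign_in_urls"]:
        problems.append("Callback URL is not registered as a Sign-in URL")
    # Scopes are space-separated and order-insensitive; openid is mandatory for OIDC.
    sf_scopes = set(sf["default_scopes"].split())
    if "openid" not in sf_scopes:
        problems.append("openid scope is missing; no ID token will be issued")
    for key in ("scopes", "default_scopes"):
        if not sf_scopes <= set(ic[key].split()):
            problems.append(f"Salesforce scopes are not all allowed by client {key}")
    if ic["token_endpoint_auth_method"] != "client_secret_post":
        problems.append("Token endpoint auth method must be client_secret_post")
    # All three endpoints must share one realm path; a code issued by one realm's
    # /authorize is not redeemable at another realm's /access_token.
    realms = {u.rsplit("/", 1)[0] for u in (sf["authorize_endpoint_url"],
              sf["token_endpoint_url"], sf["user_info_endpoint_url"])}
    if len(realms) != 1:
        problems.append("authorize/token/userinfo endpoints point at different realms")
    return problems

if __name__ == "__main__":
    print(check_pairing(SALESFORCE_AUTH_PROVIDER, IDENTITY_CLOUD_CLIENT) or "OK")
```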

Testing the end-user experience

To log in to Salesforce using Identity Cloud as the OIDC identity provider:

  1. Go to your Salesforce instance login screen and click the Identity Cloud OIDC IdP, for example, ForgeRock.
  2. In the ForgeRock Sign In screen, enter your username and password, and click Next.

After successful authentication, you are logged into Salesforce.

See Also

Salesforce SSO integration with Identity Cloud for social authentication/registration

Salesforce SSO integration with Identity Cloud as SAML identity provider

Applications


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.