Skip to main content

Setup Salesforce for User Authentication

Users in your Salesforce tenant can access applications registered in SecureAuth. In this setup, Salesforce acts as an external Identity Provider for SecureAuth, following the Bring Your Own Identity (BYOID) model. Follow these steps to configure the integration.

Learn how to enable users to authenticate with Salesforce within SecureAuth and how to connect and configure Salesforce with the SecureAuth platform in accordance with the Bring Your Own Identity (BYOID) principle

About Salesforce as OIDC Identity Provider

Salesforce integration is supported by SecureAuth via the generic OIDC connector. This article shows how to configure and connect to Salesforce using the Generic OpenID Connector. The handshake between SecureAuth and Salesforce uses the OIDC pattern for user authentication and Salesforce provides SecureAuth with an ID Token containing user claims.

Prerequisites

  • Salesforce account with enough privileges to create connected apps, configure user profiles and other configurations as described below

Connect Salesforce IDP

To integrate SecureAuth with the Salesforce organization, we will create a connected app within Salesforce that implements OpenID Connect for user authentication. Then we will configure the connected app with the OpenID Connect scope for use by SecureAuth. The OpenID Connect scope passes user information in an ID token. Users can then log in to SecureAuth with their Salesforce or Experience Cloud credentials.

Note

This section contains images that reflect the state of the Salesforce portal at the time of publication. The actual Salesforce GUI may differ from the examples shown here. Use this guide as a reference and adapt the instructions to suit the current Salesforce GUI as necessary.

Configuring Salesforce

  • You have an OAuth Connected App registered within Salesforce. Follow Salesforce documentation for detailed instructions.

    Note

    When prompted for the Callback URL in Salesforce, use the Redirect URL from SecureAuth once you have registered a Salesforce connection in SecureAuth. Start the configuration setup in SecureAuth in a different browser tab as described in below Configuring SecureAuth section and you can find this in Step 3.

    salesforce_oidc_connected_app_config.png

  • Once the app is created, obtain the Consumer Key and secret (Client ID & Secret) from the Salesforce Connected App Management screen. Details about how to reach the page within Salesforce can be found here . These credentials are required for SecureAuth configuration as described in Step 4 of the Configuring SecureAuth section below.

    salesforce_oauth_client_id_and_secret.png

Configuring SecureAuth

  1. In your workspace, go to Authentication > Providers > Create Connection.

  2. Select the OpenID Connect template under Third party providers and click Next.

  3. You will see a Redirect URL prepopulated within the form. This is the Callback URL for Salesforce and needs to be populated when the connected app is being created in Salesforce (as described in previous section).

  4. In the Register OpenID Connect form, enter the Logo, Name, Issuer URL, Client ID, and Client Secret.

    Parameter

    Description

    Issuer URL

    OpenID configuration of Salesforce OIDC provider. The general format is https://<your-domain>.my.salesforce.com, for example https://cloudentity-dev-ed.my.salesforce.com. Do not append /.well-known/openid-configuration.

    Client ID

    Client ID of the Connected App registered in Salesforce above.

    Authentication method

    Set it as Client Secret.

    Client secret

    Client Secret of the Connected App registered in Salesforce above.

    cloudentity_salesforce_idp_connection.png

  5. Select Save.

    Result: Your Salesforce identity provider connection with SecureAuth platform is created and listed in the Identities view. Users can now authenticate via Salesforce as Identity Provider

Connected App OAuth Access Policy in Salesforce

While integrating with SecureAuth, Connected App access policy must be configured within Salesforce. It is recommended to Set Permitted Users to Admin-approved users are pre-authorized instead of the default setting of All users may self-authorize. Salesforce profile for the external users must be configured to allow above created connected app usage. More details on managing oAuth access policies for connected app can be found here.

salesforce_manage_oauth_app_policy.png
salesforce_oauth_access_policy_setting.png

Note

If the above recommended setting is not configured, the user experience is not seamless as the end user would see the following prompt from Salesforce during the authentication process handshake between SecureAuth and Salesforce.

salesforce_user_auth_policy_prompt.png

Test your IDP

Prerequisites

  • Salesforce IDP is enabled for user authentication.

  • Demo workspace is created with the Demo Portal connected.

Test

  1. Open the Demo Portal (Dashboards -> Client Applications-> Demo Portal -> Click on the launch icon on the right side of the text).

  2. Select LOGIN TO DEMO APP.

  3. Select your configured Salesforce Identity Provider and, next, authenticate in Salesforce. If there is only one identity provider, the selection screen is skipped.

    Result: SecureAuth displays the consent page that lists data scopes to be shared with the application. When you proceed to the application (ALLOW ACCESS), the Access Token and the ID Token generated by SecureAuth for the demo application based on the end user authentication performed at Salesforce.

    token_issued.png
In this section: