Salesforce SSO using OAuth2

Unknown
edited December 2022 in Support Agents

You may come across customers who want to use Salesforce as an Authentication Provider and they want to use the OAuth2 method. Here are a couple of clarifications and pitfalls.

First of all, OAuth2 is not just a Single Sign On protocol; it is a protocol for authentication between any two applications. I say this because our Salesforce documentation, or for that matter documentation on Salesforce.com, will talk about OAuth2 connections, but that doesn't mean they are talking about users signing on to Vanilla. For example, when a user wants to be able to create cases or leads in Salesforce from our application, they are using the OAuth2 protocol to get an access token and then using that access token to make the necessary API calls.

But some customers want to use Salesforce to allow their users to sign into Vanilla using their Salesforce credentials. For this we have a dedicated Salesforce SSO addon hidden in the Plugins folder. There are a few important differences in the way that Salesforce does OAuth2 that make using our generic OAuth2 plugin (almost) impossible.

To create an application in Salesforce for single sign-on, check out the video in the comments below.

Configure the Salesforce SSO addon in the Dashboard like you would any OAuth2 application.

  • For the endpoints, consult this Salesforce document, substituting the domain shown there with the domain of your Salesforce application.
  • Make sure the Authorization Code in Header option is checked.
  • Basic Authorization Code in Header should be unchecked.
  • Request Profile Using the POST Method should be unchecked.
  • Request Scope should be id profile email
  • Mappings should be:
    • Email is email
    • Photos is photos.thumbnail
    • Display Name is display_name
    • Full Name is something we ignore, you can put name
    • User ID is user_id
    • Roles could be passed in a variety of ways. You would have to check the logs to see how and/or if they are being passed. They will not be mapped in the same way as the other profile fields. More about that in the comments.

Just like with the OAuth2 addon, you can turn on the DB Logger addon and then add Vanilla.SSO.Debug: true to the site config to see the sso_logging data in the Event Log for debugging purposes.

Comments

  • Here is a video I found valuable for setting up a Salesforce SSO application.


  • For mapping the roles, for now you have to update the config. You should turn on the DB Logger, add Vanilla.SSO.Debug: true to the config and do a test login to see how the roles are being passed. Look for the JSON object RawProfile, which is the profile that Salesforce has passed (before we translate it into the Profile JSON object, which has been mapped to our application). It will look something like this:

    {
        "active": true,
        "addr_city": null,
        "addr_country": "United States",
        "addr_state": null,
        "addr_street": null,
        "addr_zip": null,
        "asserted_user": true,
        "display_name": "Patrick Kelly",
        "email": "pkelly@higherlogic.com",
        "email_verified": true,
        "first_name": "Patrick",
        "id": "https://test.salesforce.com/id/00D590000008iH3EAI/00559000001DSAtAAO",
        "is_app_installed": true,
        "is_lightning_login_user": false,
        "language": "en_US",
        "last_modified_date": "2022-06-29T19:36:26Z",
        "last_name": "Kelly",
        "locale": "en_US",
        "mobile_phone": "+1 5148830520",
        "mobile_phone_verified": true,
        "nick_name": "User16565198955355017485",
        "organization_id": "00D590000008iH3EAI",
        "custom_attributes": {
            "usersroles": ["Agent"]
        },
        "photos": {
            "picture": "https://higherlogic--pkelly.sandbox.file.force.com/profilephoto/005/F",
            "thumbnail": "https://higherlogic--pkelly.sandbox.file.force.com/profilephoto/005/T"
        },
        "status": {
            "body": null,
            "created_date": null
        },
        "timezone": "America/New_York",
        "urls": {
            "custom_domain": "https://higherlogic--pkelly.sandbox.my.salesforce.com",
            "enterprise": "https://higherlogic--pkelly.sandbox.my.salesforce.com/services/Soap/c/{version}/00D590000008iH3",
            "feed_elements": "https://higherlogic--pkelly.sandbox.my.salesforce.com/services/data/v{version}/chatter/feed-elements",
            "feed_items": "https://higherlogic--pkelly.sandbox.my.salesforce.com/services/data/v{version}/chatter/feed-items",
            "feeds": "https://higherlogic--pkelly.sandbox.my.salesforce.com/services/data/v{version}/chatter/feeds",
            "groups": "https://higherlogic--pkelly.sandbox.my.salesforce.com/services/data/v{version}/chatter/groups",
            "metadata": "https://higherlogic--pkelly.sandbox.my.salesforce.com/services/Soap/m/{version}/00D590000008iH3",
            "partner": "https://higherlogic--pkelly.sandbox.my.salesforce.com/services/Soap/u/{version}/00D590000008iH3",
            "profile": "https://higherlogic--pkelly.sandbox.my.salesforce.com/00559000001DSAtAAO",
            "query": "https://higherlogic--pkelly.sandbox.my.salesforce.com/services/data/v{version}/query/",
            "recent": "https://higherlogic--pkelly.sandbox.my.salesforce.com/services/data/v{version}/recent/",
            "rest": "https://higherlogic--pkelly.sandbox.my.salesforce.com/services/data/v{version}/",
            "search": "https://higherlogic--pkelly.sandbox.my.salesforce.com/services/data/v{version}/search/",
            "sobjects": "https://higherlogic--pkelly.sandbox.my.salesforce.com/services/data/v{version}/sobjects/",
            "tooling_rest": "https://higherlogic--pkelly.sandbox.my.salesforce.com/services/data/v{version}/tooling/",
            "tooling_soap": "https://higherlogic--pkelly.sandbox.my.salesforce.com/services/Soap/T/{version}/00D590000008iH3",
            "users": "https://higherlogic--pkelly.sandbox.my.salesforce.com/services/data/v{version}/chatter/users"
        },
        "user_id": "00559000001DSAtAAO",
        "user_type": "STANDARD",
        "username": "pkelly@higherlogic.com.pkelly",
        "utcOffset": -18000000
    }
    

    We don't know what the actual name of the roles attribute will be. It will be in the custom_attributes and it will be an object. I have put this in as an example:

        "custom_attributes": {
            "usersroles": ["Agent"]
        },
    

    In this case you would have to add, manually, to the customer's config:

    SalesForceSSO.CustomAttributeKey.Roles: "usersroles",
    

    to tell our system how to map them. This addon was made before we allowed for mapping roles, and this was our workaround.
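As an added example (not the Salesforce SSO addon's own code), the following Python script shows the two pieces of translation the post and this comment describe: the dotted-path profile mappings from the main post (Email is email, Photos is photos.thumbnail, and so on) and the roles workaround, where a config key names which entry of custom_attributes holds the roles. The RawProfile is a constructed, trimmed sample with made-up values; the function and field names are assumptions for illustration, and treating a comma-separated string as a list of roles is also an assumption, since the comment only says roles may arrive in a variety of ways.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed sample RawProfile, trimmed to the fields the mappings use.
# Values are made up for this example; a real RawProfile has many more keys.
RAW_PROFILE_JSON = """
{
    "display_name": "Example User",
    "email": "user@example.com",
    "email_verified": true,
    "name": "Example User",
    "user_id": "005EXAMPLEUSERID00",
    "photos": {
        "picture": "https://example.invalid/profilephoto/005/F",
        "thumbnail": "https://example.invalid/profilephoto/005/T"
    },
    "custom_attributes": {
        "usersroles": ["Agent"]
    }
}
"""

# Field mappings as listed in the post: dashboard field -> RawProfile path.
# Dotted paths (photos.thumbnail) descend into nested objects.
MAPPINGS: Dict[str, str] = {
    "Email": "email",
    "Photos": "photos.thumbnail",
    "Display Name": "display_name",
    "Full Name": "name",
    "User ID": "user_id",
}


def parse_raw_profile(text: str) -> Dict[str, Any]:
    """Parse the RawProfile JSON that would appear in the sso_logging entry."""
    return json.loads(text)


def lookup(obj: Any, path: str) -> Optional[Any]:
    """Resolve a dotted path like "photos.thumbnail"; None if any step is missing."""
    current = obj
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def map_profile(raw: Dict[str, Any], mappings: Dict[str, str],
                roles_key: Optional[str] = None) -> Dict[str, Any]:
    """Build the mapped Profile object from a RawProfile.

    roles_key plays the role of SalesForceSSO.CustomAttributeKey.Roles: it is
    the name of the entry under custom_attributes that carries the roles.
    """
    profile: Dict[str, Any] = {field: lookup(raw, path) for field, path in mappings.items()}

    roles: List[str] = []
    if roles_key:
        value = lookup(raw, "custom_attributes." + roles_key)
        if isinstance(value, list):
            roles = [str(r) for r in value]
        elif isinstance(value, str):
            # Assumption: a single string may hold comma-separated roles.
            roles = [r.strip() for r in value.split(",") if r.strip()]
    profile["Roles"] = roles
    return profile


if __name__ == "__main__":
    raw_profile = parse_raw_profile(RAW_PROFILE_JSON)
    print(json.dumps(map_profile(raw_profile, MAPPINGS, roles_key="usersroles"), indent=2))
```

Without the roles key the mapped profile carries an empty Roles list, which is the symptom to expect when the config entry is missing; the debug log's RawProfile is where you read off the real attribute name to put in SalesForceSSO.CustomAttributeKey.Roles.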