SSO Salesforce with WSO2 Identity Server using OpenID Connect


This post summarizes steps relevant to configuring OpenID Connect based SSO with Salesforce using WSO2 Identity Server as the Identity Provider.

Make sure WSO2 Identity Server has the “Email Username” configuration enabled and the relevant modifications made to the user-mgt.xml file by following the “Using Email Address as the Username” official documentation.


In Salesforce, open “Security Controls”, then the “Auth Provider” configuration screen, and add a configuration similar to the following, adjusted to match your deployment URLs:

Once this configuration is saved, you will be able to get the “Callback URL” from Salesforce.

Copy the Callback URL from Salesforce.

Login to WSO2 Identity Server and create a “Service Provider” (SP) for Salesforce.

In “Inbound Authentication Configuration”, use “OAuth/OpenID Connect Configuration” and enable OpenID Connect for the SP application, using the “Callback URL” copied from Salesforce.

Open “My Domain” configuration in Salesforce and click on “Deploy to users” button, if that has not been done already. Edit “Authentication Configuration” and enable login with the newly defined “Auth Provider” for the domain, by selecting it from “Authentication Service” list.

Open the domain in a separate private browsing window to observe that the new button has been added to the login page. Test the authentication flow by logging in with the OpenID Connect provider.

Please note that in this configuration, the Identity Provider is WSO2 Identity Server. Hence, user validation happens on the Identity Server side and a token is issued to Salesforce, which can be used to obtain the required user information from the IdP. However, for Salesforce to continue its operations, there must also be a user account on the Salesforce side. To make sure Salesforce creates user accounts correctly, make sure the “Apex Class” for the “Registration Handler” of the “Auth Provider” is modified accordingly:

Sample:


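As an added example (not the post's own sample), a registration handler in the shape Salesforce expects for the Auth Provider above: it takes the e-mail username WSO2 Identity Server sends, links to an existing Salesforce user with that username or provisions a new one with a limited profile, and never lets the IdP change a username on update. The class name, the “Standard User” profile and the locale values are assumptions.

```apex
// Added example (not the post's sample): Auth.RegistrationHandler for the Salesforce
// Auth Provider backed by WSO2 Identity Server. Assumes IS sends the e-mail address
// as the username. Class name, profile name and locale values are assumptions.
global class WSO2RegistrationHandler implements Auth.RegistrationHandler {

    public class HandlerException extends Exception {}

    // Find an existing Salesforce user whose username is the e-mail the IdP sent.
    private User findExisting(String username) {
        List<User> users = [SELECT Id FROM User WHERE Username = :username LIMIT 1];
        return users.isEmpty() ? null : users[0];
    }

    global User createUser(Id portalId, Auth.UserData data) {
        // Prefer the username claim; fall back to the e-mail claim.
        String username = String.isBlank(data.username) ? data.email : data.username;
        if (String.isBlank(username) || !username.contains('@')) {
            // Refuse to provision from an identity that is not an e-mail username.
            throw new HandlerException('IdP response carries no e-mail username');
        }
        User existing = findExisting(username);
        if (existing != null) {
            return existing; // link to the existing account, do not create a duplicate
        }
        // Provision with a deliberately limited profile (name is an assumption).
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
        User u = new User();
        u.Username = username;
        u.Email = String.isBlank(data.email) ? username : data.email;
        u.FirstName = data.firstName;
        u.LastName = String.isBlank(data.lastName) ? 'User' : data.lastName;
        u.Alias = username.substringBefore('@').left(8); // Alias is limited to 8 chars
        u.ProfileId = p.Id;
        u.EmailEncodingKey = 'UTF-8';
        u.LanguageLocaleKey = 'en_US';
        u.LocaleSidKey = 'en_US';
        u.TimeZoneSidKey = 'America/Los_Angeles';
        return u;
    }

    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        // Sync only attributes the IdP is authoritative for; never change the username.
        User u = new User(Id = userId);
        if (!String.isBlank(data.email)) { u.Email = data.email; }
        if (!String.isBlank(data.firstName)) { u.FirstName = data.firstName; }
        if (!String.isBlank(data.lastName)) { u.LastName = data.lastName; }
        update u;
    }
}
```

Matching an existing account by the e-mail username is safe here only because the IdP issuing that claim is your own WSO2 Identity Server; the handler therefore rejects any identity that is not an e-mail address rather than guessing.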
