SalesForce

BlokSec can be configured as an inbound federation identity provider (also known as a social provider, or an auth provider in SalesForce terms) for your SalesForce tenant, and can also be integrated to support just-in-time (JIT) provisioning so that users are created in SalesForce on their first login. The following article describes how to configure authentication and provisioning for passwordless SalesForce login.

BlokSec Admin UI

  1. Sign into the BlokSec admin UI as a user with admin privileges for your tenant
  2. On the main dashboard, click the Add Application drop-down and select Create From Template
  3. Select the SalesForce template
  4. Complete the application details as follows and submit:
    • Name: Default is set to SalesForce (or your desired application name; we will assume this is called ‘SalesForce’ for the remainder of this article)
    • Redirect URIs: (leave blank for now; this will later be set to the Callback URL that SalesForce generates for the auth provider)
    • Post Logout Redirect URIs: (leave blank for now; this will later be set to the Single Logout URL that SalesForce generates for the auth provider)
  5. Once saved, click back into the newly created ‘SalesForce’ application to open the application configuration
  6. Click Generate App Secret, then make note of the Application ID and Application Secret, as these will be required when registering the auth provider in SalesForce. Treat the Application Secret as a credential: it is the client secret SalesForce will present at the BlokSec token endpoint.

SalesForce Admin UI

Registration Handler Configuration

  1. Sign into SalesForce as a user with admin privileges for your tenant
  2. Navigate to Platform Tools > Custom Code
  3. Select Apex Classes and then choose New
    • Paste the following into the Apex Class editor

//TODO: You will need to customize this class to ensure it meets your needs and
//the data provided by the third party.
global class BlokSecRegHandler implements Auth.RegistrationHandler {

    global boolean canCreateUser(Auth.UserData data) {
        //TODO: Check whether we want to allow creation of a user with this data.
        //As written, every identity that BlokSec asserts is provisioned; restrict this
        //(for example to an e-mail domain allow-list) before going to production.
        return true;
    }

    global User createUser(Id portalId, Auth.UserData data) {
        if (!canCreateUser(data)) {
            //Returning null or throwing an exception fails the SSO flow
            return null;
        }
        //The user is authorized, so create their Salesforce user
        User u = new User();
        //NOTE: update the profile below from Chatter Free User to the least-privilege
        //profile that supports your business requirements
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Chatter Free User'];
        //TODO: Customize the username. Also check that the username doesn't already exist and
        //possibly ensure there are enough org licenses to create a user. Must be 80 characters
        //or less.
        u.username = data.username;
        u.email = data.username;
        u.lastName = data.lastName;
        u.firstName = data.firstName;
        String alias = data.username;
        //Alias must be 8 characters or less
        if (alias.length() > 8) {
            alias = alias.substring(0, 8);
        }
        u.alias = alias;
        u.localeSidKey = UserInfo.getLocale();
        u.languageLocaleKey = 'en_US';
        u.emailEncodingKey = 'UTF-8';
        u.timeZoneSidKey = 'America/Los_Angeles';
        u.profileId = p.Id;
        return u;
    }

    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        //Called on every subsequent login of an already-linked user
        User u = new User(Id = userId);
        u.email = data.username;
        u.lastName = data.lastName;
        u.firstName = data.firstName;
        u.username = data.username;
        update(u);
    }
}

    • Click Save
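The template above provisions any identity BlokSec asserts (canCreateUser returns true unconditionally) and rewrites the username on every login, which means whoever controls the claims at the identity provider decides which SalesForce accounts exist and who lands in them. The following hardened variant is an added example, not BlokSec's or Salesforce's own code: it limits JIT creation to an e-mail domain allow-list, refuses to create a user whose username already exists in the org, assigns a fixed least-privilege profile, and never changes the username in updateUser. The class name BlokSecRegHandlerStrict, the example.com domain and the 'Standard User' profile are assumptions to adjust for your org.

```apex
// Added example (not BlokSec's or Salesforce's code): a hardened registration handler.
// ALLOWED_DOMAINS, DEFAULT_PROFILE and the class name are assumptions for illustration.
global class BlokSecRegHandlerStrict implements Auth.RegistrationHandler {

    // JIT provisioning is limited to identities from these e-mail domains (assumed value).
    private static final Set<String> ALLOWED_DOMAINS = new Set<String>{ 'example.com' };

    // Least-privilege profile assigned to newly provisioned users (assumed value).
    private static final String DEFAULT_PROFILE = 'Standard User';

    // The article's configuration sends the e-mail address as the username claim;
    // prefer the dedicated email field when the provider populates it.
    private static String resolveEmail(Auth.UserData data) {
        String email = String.isBlank(data.email) ? data.username : data.email;
        return String.isBlank(email) ? null : email.trim().toLowerCase();
    }

    global boolean canCreateUser(Auth.UserData data) {
        // Require a stable subject identifier and a name before creating anything.
        if (data == null || String.isBlank(data.identifier)
                || String.isBlank(data.firstName) || String.isBlank(data.lastName)) {
            return false;
        }
        String email = resolveEmail(data);
        if (email == null || !email.contains('@')) {
            return false;
        }
        // Only provision identities from the allow-listed domains.
        return ALLOWED_DOMAINS.contains(email.substringAfterLast('@'));
    }

    global User createUser(Id portalId, Auth.UserData data) {
        if (!canCreateUser(data)) {
            return null; // fails the SSO flow for an unknown or disallowed identity
        }
        String username = resolveEmail(data);
        // Usernames must be unique. Check this org explicitly and fail, rather than
        // relying on the insert error or silently re-using an existing account.
        List<User> existing = [SELECT Id FROM User WHERE Username = :username LIMIT 1];
        if (!existing.isEmpty()) {
            return null;
        }
        Profile p = [SELECT Id FROM Profile WHERE Name = :DEFAULT_PROFILE LIMIT 1];
        User u = new User();
        u.username = username;
        u.email = username;
        u.firstName = data.firstName;
        u.lastName = data.lastName;
        u.alias = username.substring(0, Math.min(8, username.length())); // alias limit is 8 chars
        u.localeSidKey = UserInfo.getLocale();
        u.languageLocaleKey = 'en_US';
        u.emailEncodingKey = 'UTF-8';
        u.timeZoneSidKey = 'America/Los_Angeles';
        u.profileId = p.Id;
        return u;
    }

    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        // Refresh display attributes only. The username is deliberately left untouched so
        // that a changed claim at the identity provider cannot move an existing login onto
        // a different SalesForce account.
        User u = new User(Id = userId);
        u.firstName = data.firstName;
        u.lastName = data.lastName;
        String email = resolveEmail(data);
        if (email != null) {
            u.email = email;
        }
        update u;
    }
}
```

To use it, save the class as in the steps above and select BlokSecRegHandlerStrict instead of BlokSecRegHandler in the Registration Handler lookup of the auth provider. Because the handler runs under the Execute Registration As user, a rejected identity simply fails the login; nothing is created or modified.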

OIDC Configuration

  1. Sign into SalesForce as a user with admin privileges for your tenant
  2. Navigate to Settings > Identity
  3. Select Auth. Providers and then choose New
  4. Select OpenID Connect from the dropdown menu and complete the authentication provider configuration with the following values (adjusting if required to meet your desired behaviour):
    • Name: yuID Passwordless Login (or the name of your choice)
    • URL Suffix: Keep the auto-generated value or update it to meet your requirements
    • Consumer Key: (the Application ID captured from the BlokSec admin UI above)
    • Consumer Secret: (the Application Secret captured from the BlokSec admin UI above)
    • Authorize Endpoint URL: https://api.bloksec.io/oidc/auth
    • Token Endpoint URL: https://api.bloksec.io/oidc/token
    • User Info Endpoint URL: https://api.bloksec.io/oidc/me
    • Default Scopes: openid email profile
    • Send access token in header: selected / checked
    • Include Consumer Secret in API Responses: selected / checked (note that this returns the Consumer Secret in API responses for the auth provider definition, so anyone able to read that definition through the API can recover the secret; leave it unchecked unless your tooling actually needs it)
    • Custom Logout URL: https://api.bloksec.io/oidc/session/end
    • Registration Handler: BlokSecRegHandler (use the registration handler lookup)
    • Execute Registration As: (a user permitted to create and update users; the handler runs with this user's privileges, so use a dedicated service account rather than a personal admin login)
  5. Once saved, navigate to the SalesForce Configuration section of the new auth provider and copy the values of the following URLs:
    • Callback URL
    • Single Logout URL

Authentication Configuration

  1. Sign into SalesForce as a user with admin privileges for your tenant
  2. Navigate to Settings > Company Settings
  3. Select My Domain and then navigate to the Authentication Configuration section
  4. Select Edit and then select / check the name of the Authentication Service created above in the OIDC configuration
  5. Select Save

BlokSec Admin UI (Part 2)

  1. Return to the SalesForce application configuration in the BlokSec admin UI, click the gear in the upper-right, and select Edit Application
  2. Enter the Callback URL copied from SalesForce in the last step of the OIDC configuration into the Redirect URIs field; the value must match exactly, since an OIDC provider only redirects the authorization response to a registered URI
  3. Enter the Single Logout URL copied in the same step into the Post Logout Redirect URIs field
  4. Select Submit