Configuring OpenID SSO for Salesforce

These steps show you how to configure the single sign-on (SSO) functionality using OpenID between ManageEngine ADSelfService Plus and Salesforce.

Prerequisites

Note:
  • Do not terminate the session before the configuration is complete in both the identity provider and the service provider.
  • Ensure that ADSelfService Plus is using HTTPS, which is required for SSO to function properly.

  1. Log into ADSelfService Plus as an administrator.
  2. Go to Configuration > Password Sync/Single Sign On and click Add Application. Select Salesforce from the list.
     Note: You can also use the search bar at the top-left of the page to search for the application.
  3. Click IdP Details and select the SSO (OAuth/OpenID Connect) tab.
  4. Copy the Client ID, Client Secret, Issuer, Authorization Endpoint URL, Token Endpoint URL, and User Endpoint URL.

Salesforce (service provider) configuration steps

  1. Log into Salesforce with administrator credentials.
  2. Navigate to the Setup page by clicking the gear icon at the top-right corner.
  3. Search for Auth. Providers in the Quick Find/Search box at the top-left. This is where you add new authentication providers.
  4. Click New to add a new Auth. Provider.
  5. Select Open ID Connect as the Provider Type.
  6. Enter a Name and a URL Suffix of your choice; the suffix is used in the client configuration URLs that Salesforce generates.
  7. Fill in the following fields with the corresponding values saved in Step 4 of the Prerequisites:
     1. Consumer Key: Client ID
     2. Consumer Secret: Client Secret
     3. Token Issuer: Issuer
     4. Authorization Endpoint URL: Authorization Endpoint URL
     5. Token Endpoint URL: Token Endpoint URL
     6. User Info Endpoint URL: User Endpoint URL
  8. Click the Automatically create a registration handler template link under Registration Handler. A registration handler is an Apex class that matches the attributes sent by the identity provider to the corresponding Salesforce user attributes.
  9. In the Execute Registration As field, provide the Salesforce admin account details.
  10. Click Save.
  11. After saving, copy the Callback URL, as it is required for the Login Redirect URL in the ADSelfService Plus configuration.
  12. Click the link next to Registration Handler.
  13. Go to the Class Body tab and replace the existing code with the following code:

      global class ADSSPOIDCHandler implements Auth.RegistrationHandler {

          // Called the first time an identity from ADSelfService Plus logs in.
          // Rather than provisioning a new user, look up the existing active
          // Salesforce user whose username matches the email asserted by the IdP.
          global User createUser(Id portalId, Auth.UserData data) {
              User u = new User();
              String username = data.email;
              List<User> userList = [SELECT Id, Name, Email, UserName
                                     FROM User
                                     WHERE UserName = :username AND IsActive = true];
              if (userList != null && userList.size() > 0) {
                  u = userList.get(0);
              }
              // If no match is found, an empty User is returned, which Salesforce
              // cannot provision, so only existing active users can sign in via SSO.
              return u;
          }

          // Called on every subsequent login; no user fields need to change.
          global void updateUser(Id userId, Id portalId, Auth.UserData data) {
              User u = new User(Id = userId);
              update u;
          }
      }

  14. To include the ADSelfService Plus instance in the Salesforce login screen, go to Administer > Domain Management > My Domain.
  15. Click the Edit button next to Authentication Configuration.
  16. On the next page, check the box next to the ADSelfService Plus instance under Authentication Service. Click Save.

ADSelfService Plus (identity provider) configuration steps

  1. Switch back to the Salesforce configuration page in ADSelfService Plus.
  2. Enter the Application Name and Description as per your preferences.
  3. Enter the Domain Name of your Salesforce account. For example, if your Salesforce username is johnwatts@thinktodaytech.com, then thinktodaytech.com is your domain name.
  4. In the Assign Policies field, select the policies for which SSO needs to be enabled.
     Note: ADSelfService Plus allows you to create OU- and group-based policies for your AD domains. To create a policy, go to Configuration > Self-Service > Policy Configuration > Add New Policy.
  5. Under the SSO tab, select Enable OAuth/OpenID Connect.
  6. Choose OAuth/OpenID Connect from the Select Method drop-down.
  7. Enter the Salesforce portal's login URL in the SP Login Initiate URL field.
     Note: Salesforce requires sign-in to begin from its own login page, known as SP-initiated login. Users are first directed to the Salesforce login page specified in the SP Login Initiate URL field, after which Salesforce (the SP) redirects them to ADSelfService Plus (the IdP) for authentication.
  8. Enter the Callback URL copied in Step 11 of the Salesforce configuration in the SSO Redirect URL field.
  9. Using the Scopes drop-down, select openid, which is the scope required for OIDC authentication. You can also add scopes such as profile or email to include extra user information in the authorization request.
     Note: Scopes specify the level of access granted to the access token and are included in the authorization request. Use the drop-down to specify the scopes you wish to allow for your authorization token.
  10. Click Add Application to save the configuration.

The Well-known Configuration URL in the IdP details pop-up contains all the endpoint values, supported scopes, response modes, client authentication modes, and client details. It is enabled only after you finish configuring the application for SSO in ADSelfService Plus. You can provide this URL to your service provider if required.
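The example below is added here and is not part of the ManageEngine documentation or product. It shows how the discovery document behind the Well-known Configuration URL maps onto the Salesforce Auth. Provider fields filled in above, checks the HTTPS prerequisite and the openid scope, and builds the SP-initiated authorization request that Salesforce sends the browser to. The host, client ID and callback URL are constructed placeholders, and the discovery JSON is a constructed sample of the standard OIDC format.

```python
import json
from urllib.parse import urlencode, urlparse

# Constructed sample of an OIDC discovery document; the host is a placeholder,
# not a real ADSelfService Plus instance.
SAMPLE_WELL_KNOWN = json.dumps({
    "issuer": "https://adssp.example.com",
    "authorization_endpoint": "https://adssp.example.com/oauth/authorize",
    "token_endpoint": "https://adssp.example.com/oauth/token",
    "userinfo_endpoint": "https://adssp.example.com/oauth/userinfo",
    "scopes_supported": ["openid", "profile", "email"],
    "response_types_supported": ["code"],
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
})

# Salesforce Auth. Provider field -> discovery document key (the mapping from step 7)
FIELD_MAP = {
    "Token Issuer": "issuer",
    "Authorization Endpoint URL": "authorization_endpoint",
    "Token Endpoint URL": "token_endpoint",
    "User Info Endpoint URL": "userinfo_endpoint",
}

def salesforce_fields(well_known_json):
    """Return the values to paste into the Salesforce Auth. Provider form.
    Raises ValueError if an endpoint is missing or not HTTPS (the prerequisite
    above), or if the IdP does not advertise the openid scope."""
    doc = json.loads(well_known_json)
    fields = {}
    for field, key in FIELD_MAP.items():
        value = doc.get(key)
        if not value:
            raise ValueError(f"discovery document lacks {key} (needed for {field})")
        if urlparse(value).scheme != "https":
            raise ValueError(f"{key} must use HTTPS, got {value}")
        fields[field] = value
    if "openid" not in doc.get("scopes_supported", []):
        raise ValueError("IdP does not advertise the openid scope")
    return fields

def authorization_request(well_known_json, client_id, callback_url, state, scopes=("openid",)):
    """Build the URL Salesforce (SP) redirects the browser to for SP-initiated login.
    Every requested scope must be advertised by the IdP, and openid is mandatory."""
    doc = json.loads(well_known_json)
    if "openid" not in scopes:
        raise ValueError("openid scope is required for OIDC")
    unsupported = set(scopes) - set(doc.get("scopes_supported", []))
    if unsupported:
        raise ValueError(f"scopes not supported by IdP: {sorted(unsupported)}")
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": callback_url, "scope": " ".join(scopes), "state": state}
    return doc["authorization_endpoint"] + "?" + urlencode(params)
```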

Copyright © 2025, ZOHO Corp. All Rights Reserved.