Configuring OpenID SSO for Salesforce

These steps show you how to configure the single sign-on (SSO) functionality using OpenID Connect between ManageEngine ADSelfService Plus and Salesforce.

1. Login to ADSelfService Plus as Super administrator.
2. Go to Configuration > Password Sync/ Single Sign On and click Add Application. Select Salesforce from the list.
Note: You can also use the search bar, in the top-left, to search for the application.
3. Click on IdP Details and select the SSO (OAuth/OpenID Connect) tab.
4. Copy Client ID, Client Secret, Issuer, Authorization Endpoint URL, Token Endpoint URL, and User Endpoint URL.

Salesforce (service provider) configuration steps

1. Login to Salesforce with administrator's credentials.
2. Navigate to the Setup page from the Gear icon in the top-right corner.

3. Search for Auth.Provider in the Quick Find/ Search box in the top-left. This is where you can add new authentication providers.
4. Click New to add a new Auth. Provider.
5. Select the Provider Type as Open ID Connect.

6. Enter the Name and URL Suffix, which will be used in the client configuration URLs generated by Salesforce, according to your preference.
7. Fill the following fields with the corresponding details saved in step 4 of the Prerequisites:
• Consumer Key: Client ID
• Consumer Secret: Client Secret
• Token Issuer: Issuer
• Authorization Endpoint URL: Authorization Endpoint URL
• Token Endpoint URL: Token Endpoint URL
• User Info Endpoint URL: User Endpoint URL

8. Now, click Automatically create a registration handler template link under Registration Handler. Registration handler is a code snippet that matches service provider attributes with the corresponding identity provider attributes.
9. For Execute Registration As field, give the Salesforce admin account details.
10. Click Save.

11. After saving, copy the Callback URL as it will be required for Login Redirect URL in ADSelfService Plus' configuration.

12. Now click the link next to Registration Handler.

13. Go to the Class Body tab and replace the existing code with the following code:

global class IDMPOIDCHandler implements Auth.RegistrationHandler{

global User createUser(Id portalId, Auth.UserData data){

//The user is authorized, so create their Salesforce user

User u = new User();

String username = data.email;

List userList = [Select Id, Name, Email, UserName From User Where ( UserName =: username) AND isActive = true ];

if(userList != null && userList.size() > 0) {

u = userList.get(0);

}

return u;

}

global void updateUser(Id userId, Id portalId, Auth.UserData data){

User u = new User(id=userId);

update(u);

}

}


14. Now, to include the instance of ADSelfService Plus in the Salesforce login screen, go to Administer → Domain Management → My Domain.
15. Click the Edit button next to Authentication Configuration.

16. In the next page, check the box next to ADSelfService Plus' instance under Authentication Service. Click Save.

ADSelfService Plus (identity provider) configuration steps

1. Switch back to ADSelfService Plus' Salesforce configuration page.
2. Enter the Application Name and Description as per your preference.
3. Enter the Domain Name of your Salesforce account. For example, if your Salesforce username is johnwatts@thinktodaytech.com, then thinktodaytech.com is your domain name.
4. Select policies from the Assign policies dropdown, to decide for whom this setting will be applicable.
5. Check the box next to Enable OAuth/OpenID Connect.
6. Enter the Callback URL you saved in step 11 of Salesforce configuration in Login Redirect URL field.
7. Scopes specify the level of access the access token has. The scopes are generally provided in the authorization request so, you don't have to specify them here. If the scopes are not mentioned by your service provider, you must add them in this field.

8. Click Add Application to save these settings.
9. The Well-known Configuration URL in IdP details pop-up contains all the endpoint values, supported scopes, response modes, client authentication modes and client details. You can provide this to your service provider if required.