Configuring OpenID SSO for Salesforce

These steps show you how to configure the single sign-on (SSO) functionality using OpenID Connect between ManageEngine ADSelfService Plus and Salesforce.

Prerequisites

  • Do not terminate the session before the configuration is complete in both the identity provider and the service provider.
  • Enable HTTPS in the product to ensure proper functioning of single sign-on.
  1. Log in to ADSelfService Plus as Super administrator.
  2. Go to Configuration > Password Sync/Single Sign On and click Add Application. Select Salesforce from the list.
     Note: You can also use the search bar in the top-left to search for the application.
  3. Click IdP Details and select the SSO (OAuth/OpenID Connect) tab.
  4. Copy the Client ID, Client Secret, Issuer, Authorization Endpoint URL, Token Endpoint URL, and User Endpoint URL.

Salesforce (service provider) configuration steps

  1. Log in to Salesforce with administrator credentials.
  2. Navigate to the Setup page from the Gear icon in the top-right corner.
  3. Search for Auth.Provider in the Quick Find/Search box in the top-left. This is where you can add new authentication providers.
  4. Click New to add a new Auth. Provider.
  5. Select the Provider Type as OpenID Connect.
  6. Enter the Name and URL Suffix according to your preference; these are used in the client configuration URLs generated by Salesforce.
  7. Fill in the following fields with the corresponding details saved in step 4 of the Prerequisites:
    • Consumer Key: Client ID
    • Consumer Secret: Client Secret
    • Token Issuer: Issuer
    • Authorization Endpoint URL: Authorization Endpoint URL
    • Token Endpoint URL: Token Endpoint URL
    • User Info Endpoint URL: User Endpoint URL
  8. Now, click the Automatically create a registration handler template link under Registration Handler. A registration handler is an Apex code snippet that matches service provider attributes with the corresponding identity provider attributes.
  9. In the Execute Registration As field, specify the Salesforce admin account.
  10. Click Save.
  11. After saving, copy the Callback URL, as it is required for the Login Redirect URL in ADSelfService Plus' configuration.
  12. Now click the link next to Registration Handler.
  13. Go to the Class Body tab and replace the existing code with the following code:

      global class IDMPOIDCHandler implements Auth.RegistrationHandler {

          // Called on first login: the user is authorized by ADSelfService Plus,
          // so look up the existing Salesforce user whose username matches the
          // email asserted by the identity provider.
          global User createUser(Id portalId, Auth.UserData data) {
              User u = new User();
              String username = data.email;
              // Only active users are matched; the username is passed as a
              // SOQL bind variable rather than concatenated into the query.
              List<User> userList = [SELECT Id, Name, Email, UserName FROM User
                                     WHERE UserName = :username AND IsActive = true];
              if (userList != null && userList.size() > 0) {
                  u = userList.get(0);
              }
              // If no active user matches, the empty User is returned and no
              // account is provisioned automatically.
              return u;
          }

          // Called on subsequent logins; the user record is left unchanged.
          global void updateUser(Id userId, Id portalId, Auth.UserData data) {
              User u = new User(id = userId);
              update(u);
          }
      }

  14. Now, to include the ADSelfService Plus instance in the Salesforce login screen, go to Administer → Domain Management → My Domain.
  15. Click the Edit button next to Authentication Configuration.
  16. On the next page, check the box next to the ADSelfService Plus instance under Authentication Service. Click Save.

ADSelfService Plus (identity provider) configuration steps

  1. Switch back to the ADSelfService Plus Salesforce configuration page.
  2. Enter the Application Name and Description as per your preference.
  3. Enter the Domain Name of your Salesforce account. For example, if your Salesforce username is johnwatts@thinktodaytech.com, then thinktodaytech.com is your domain name.
  4. Select policies from the Assign Policies dropdown to decide which users this setting applies to.
  5. Check the box next to Enable OAuth/OpenID Connect.
  6. Enter the Callback URL you saved in step 11 of the Salesforce configuration in the Login Redirect URL field.
  7. Scopes specify the level of access the access token has. The scopes are generally provided in the authorization request, so you do not have to specify them here. If your service provider does not send the scopes, you must add them in this field.
  8. Click Add Application to save these settings.
  9. The Well-known Configuration URL in the IdP Details pop-up contains all the endpoint values, supported scopes, response modes, client authentication modes and client details. You can provide this to your service provider if required.
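As an added check (example code, not part of this help page or of either product), the following Python compares the endpoint values entered in the Salesforce Auth. Provider form against the discovery document served at the Well-known Configuration URL, flags any endpoint that is not HTTPS or not on the issuer's host, and confirms that the scopes the registration handler depends on (openid and email) are advertised. The discovery document, the host name adssp.example.com and the form values are constructed samples; the authorization endpoint is deliberately entered as http to show a finding.

```python
import json
from urllib.parse import urlparse

# Constructed sample of an OpenID Connect discovery document, shaped like the
# one served at the Well-known Configuration URL (hypothetical host).
DISCOVERY_JSON = """{
  "issuer": "https://adssp.example.com/oauth/v2",
  "authorization_endpoint": "https://adssp.example.com/oauth/v2/authorize",
  "token_endpoint": "https://adssp.example.com/oauth/v2/token",
  "userinfo_endpoint": "https://adssp.example.com/oauth/v2/userinfo",
  "scopes_supported": ["openid", "profile", "email"]
}"""

# Values as pasted into the Salesforce Auth. Provider form (constructed).
SALESFORCE_FORM = {
    "Token Issuer": "https://adssp.example.com/oauth/v2",
    "Authorization Endpoint URL": "http://adssp.example.com/oauth/v2/authorize",  # deliberate defect
    "Token Endpoint URL": "https://adssp.example.com/oauth/v2/token",
    "User Info Endpoint URL": "https://adssp.example.com/oauth/v2/userinfo",
}

# Salesforce form field -> discovery document claim it must agree with.
FIELD_TO_CLAIM = {
    "Token Issuer": "issuer",
    "Authorization Endpoint URL": "authorization_endpoint",
    "Token Endpoint URL": "token_endpoint",
    "User Info Endpoint URL": "userinfo_endpoint",
}

def check_provider_config(form, discovery_json, required_scopes=("openid", "email")):
    """Return a list of findings; an empty list means the form is consistent."""
    disc = json.loads(discovery_json)
    issuer_host = urlparse(disc["issuer"]).netloc
    findings = []
    for field, claim in FIELD_TO_CLAIM.items():
        value = form.get(field, "")
        if value != disc.get(claim):
            findings.append(f"{field}: form has {value!r}, discovery has {disc.get(claim)!r}")
        parsed = urlparse(value)
        if parsed.scheme != "https":
            findings.append(f"{field}: not HTTPS")
        if parsed.netloc != issuer_host:
            findings.append(f"{field}: host {parsed.netloc!r} differs from issuer host")
    # The handler matches users on data.email, so the email scope must exist.
    for scope in required_scopes:
        if scope not in disc.get("scopes_supported", []):
            findings.append(f"scope {scope!r} not advertised by the IdP")
    return findings
```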

Copyright © 2023, ZOHO Corp. All Rights Reserved.