Salesforce
When Salesforce is configured to use Specops Authentication for Single Sign-On (SSO), a user attempting to log in to Salesforce is redirected to Specops Authentication.
The user is presented with a list of Identity Services based on the policy configured for Salesforce in Specops Authentication. To authenticate successfully, the user must complete one or more of these Identity Services. Once authentication succeeds, the user is redirected back to Salesforce, which validates the ID token issued by Specops Authentication and allows the login.
The policy that defines the Identity Services can be stored either in the Specops Authentication Cloud or in a Group Policy Object (GPO) in Active Directory. When creating the OpenID Connect application, you will have the following policy mode options:
- Cloud - All users in the organization are affected.
- Group Policy - Only users targeted by a tagged GPO are affected.
- Both - All users are affected. If a user is also targeted by a tagged GPO, the Group Policy takes precedence over the Cloud Policy.
Prerequisites
A Salesforce Cloud account must be in place before proceeding with the configuration.
Configuration
These are the main configuration steps:
- Configure a Group Policy Object
- Create an OpenID Connect application for Single Sign-On
- Add Specops Authentication as a new Authentication Provider in Salesforce
Configure a Group Policy Object
Follow these steps only if you select Group Policy or Both as the policy mode when creating the OpenID Connect application.
- In the Group Policy Management Console, create a Group Policy Object and give it a name, for example Salesforce.
- Link the GPO to a container (for example an organizational unit) holding the users who should be able to access Salesforce.
- In the Gatekeeper Admin Tool, click Single Sign-on.
- Click Tag GPOs, select the GPO that should be available to use when configuring an OpenID Connect application in Specops Authentication, and click OK.
Create an OpenID Connect application for Single Sign-On
- Log in as admin to the Specops Authentication Web.
- Click Single Sign-On.
- Click Add new.
- Select Application Type: Salesforce.
- Under General Settings, type an application name and optionally a description for the application.
- Under Redirect URLs, add the URLs that should be allowed for redirection during authentication and logout. Leave it empty for now; the Callback URL will be added later, after the authentication provider has been registered in Salesforce.
- In Standard Claim Mapping, add information about the user that should be supplied from AD to Salesforce:
- Claim: Our example registration handler in Salesforce uses the following values: "email", "given_name" and "family_name".
- AD Attribute or Custom Value: Select a value from the list of Active Directory attributes. When an AD attribute is selected, the claim will be populated from the user during authentication.
- Click Save and Continue.
- Select a Policy mode from the list.
- If you selected Group Policy or Both as policy mode, choose your Salesforce GPO from the Group Policy Objects list, and click Add.
- Click Edit Authentication Rules next to the added GPO. Configure your desired authentication rules and click Save.
- If you selected Cloud or Both as policy mode, click Configure and add the identity services that you want to include.
- Click I'm done.
- The Application Credentials page contains the credentials and URLs needed when configuring Specops Authentication as an identity provider in Salesforce. Copy the Client Secret and save it for later use. Click Continue.
Note
The client secret is shown only once and cannot be viewed or copied again after leaving this page.
Add Specops Authentication as a new Authentication Provider
These are the minimum steps for adding the new OpenID Connect application in Salesforce. For detailed documentation see: https://help.salesforce.com/s/articleView?id=xcloud.sso_provider_openid_connect.htm&type=5
Create an Apex Registration Handler Class
You need to create a custom Apex class that controls how new user records are created (or linked) when someone logs in through Specops Authentication using OpenID Connect. The handler runs for every user whose ID token Salesforce accepts, so the scope of the Specops policy (Cloud, or the users targeted by the tagged GPO) is what decides who ends up with a Salesforce user.
- Log in to Salesforce, click the Settings icon and select Open Advanced Setup.
- In Quick Find, enter "Apex" and select Apex Classes.
- Click New.
- Enter the code for creating the Apex class. Refer to the example below and use it as needed. When finished, click Save.
global class MyOpenIdRegistrationHandler implements Auth.RegistrationHandler {
    static final String GIVEN_NAME_CLAIM = 'given_name';
    static final String FAMILY_NAME_CLAIM = 'family_name';

    // Parse the ID token payload untyped: claims such as exp and iat are numbers
    // and amr is an array, so deserializing straight into Map<String, String>
    // fails as soon as the token carries a non-string claim.
    static Map<String, Object> getClaimsFromIdToken(Auth.UserData data) {
        if (String.isBlank(data.idTokenJSONString)) {
            return new Map<String, Object>();
        }
        return (Map<String, Object>) JSON.deserializeUntyped(data.idTokenJSONString);
    }

    static String getStringClaim(Map<String, Object> claims, String name) {
        Object value = claims.get(name);
        return value == null ? null : String.valueOf(value);
    }

    static Boolean hasValue(String str) {
        return String.isNotBlank(str);
    }

    global User createUser(Id portalId, Auth.UserData data) {
        Map<String, Object> claims = getClaimsFromIdToken(data);
        String firstName = getStringClaim(claims, GIVEN_NAME_CLAIM);
        String lastName = getStringClaim(claims, FAMILY_NAME_CLAIM);
        // Username and Email come from the user info response; without an email
        // there is nothing valid to use as Username, so fail the login here
        // with a clear message instead of with a DML error on insert.
        if (!hasValue(data.email)) {
            throw new RegistrationException('No email was returned for the user');
        }
        User u = new User();
        // From ID token claims, with fallbacks so the required name fields are set
        u.FirstName = hasValue(firstName) ? firstName : 'Unknown';
        u.LastName = hasValue(lastName) ? lastName : 'User';
        // From user info
        u.Email = data.email;
        u.Username = data.email; // must be unique across all Salesforce orgs
        u.Alias = u.Username.left(8);              // Alias is limited to 8 characters
        u.CommunityNickname = u.Username.left(40); // CommunityNickname is limited to 40
        u.FederationIdentifier = data.identifier;
        u.IsActive = true;
        // Set other required fields
        u.EmailEncodingKey = 'UTF-8';
        u.LanguageLocaleKey = 'en_US';
        u.LocaleSidKey = 'en_US';
        u.TimeZoneSidKey = 'America/Los_Angeles';
        // Assign a profile (must exist in your org). Pick the least-privileged
        // profile that fits, since every user who passes the Specops policy gets it.
        u.ProfileId = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1].Id;
        insert u;
        return u;
    }

    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        Map<String, Object> claims = getClaimsFromIdToken(data);
        String firstName = getStringClaim(claims, GIVEN_NAME_CLAIM);
        String lastName = getStringClaim(claims, FAMILY_NAME_CLAIM);
        User u = [SELECT Id, FirstName, LastName, Email FROM User WHERE Id = :userId LIMIT 1];
        // Only overwrite fields the identity provider actually supplied
        if (hasValue(firstName)) u.FirstName = firstName;
        if (hasValue(lastName)) u.LastName = lastName;
        if (hasValue(data.email)) u.Email = data.email;
        update u;
    }

    public class RegistrationException extends Exception {}
}
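The login flow described at the top of the page (Salesforce validating the token it gets back) together with the create-or-update logic of the registration handler, modelled in Python as an added example; this is not code from the page or from Specops. It assumes placeholder Issuer and Client ID values, a constructed ID token payload, and that the token's signature has already been verified. It shows which payload checks the Token Issuer and Consumer Key you configure in Salesforce feed into, and applies the handler's field mapping to a payload whose exp and iat are numbers and whose amr is an array, the shape a flat string map cannot hold.

```python
import time

# Assumed placeholders for the values the page calls Issuer and Client Id on the
# Application Credentials page in Specops Authentication; not real endpoints.
ISSUER = "https://auth.specops.example/oidc"
CLIENT_ID = "salesforce-client-id-example"
CLOCK_SKEW_SECONDS = 60


def validate_id_token_claims(claims, issuer=ISSUER, client_id=CLIENT_ID,
                             now=None, expected_nonce=None):
    """Payload checks a relying party makes after verifying the ID token's
    signature: issuer, audience, lifetime, subject and (when used) nonce.
    Returns a list of failure reasons; an empty list means the token passes."""
    now = time.time() if now is None else now
    errors = []
    if claims.get("iss") != issuer:
        errors.append("iss %r does not match the configured Token Issuer" % claims.get("iss"))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        errors.append("aud %r does not contain the Consumer Key" % (aud,))
    elif len(audiences) > 1 and claims.get("azp") != client_id:
        errors.append("multiple audiences but azp is not the Consumer Key")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now - CLOCK_SKEW_SECONDS >= exp:
        errors.append("exp missing or token expired")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + CLOCK_SKEW_SECONDS:
        errors.append("iat missing or in the future")
    if not claims.get("sub"):
        errors.append("sub missing")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        errors.append("nonce mismatch")
    return errors


def _has_value(value):
    return isinstance(value, str) and value.strip() != ""


def user_from_claims(claims, email):
    """Same mapping as the page's createUser: names from ID token claims with
    fallbacks, email from the user info response, alias cut to Salesforce's
    8-character limit and nickname to its 40-character limit."""
    first, last = claims.get("given_name"), claims.get("family_name")
    return {
        "FirstName": first if _has_value(first) else "Unknown",
        "LastName": last if _has_value(last) else "User",
        "Email": email,
        "Username": email,
        "Alias": email[:8],
        "CommunityNickname": email[:40],
        "FederationIdentifier": claims["sub"],
        "IsActive": True,
    }


def provision(claims, email, users, **validation):
    """Just-in-time provisioning keyed on sub (data.identifier in the handler):
    reject a failing token, create a user on first login, update on later ones."""
    errors = validate_id_token_claims(claims, **validation)
    if errors:
        raise ValueError("; ".join(errors))
    if not _has_value(email):
        raise ValueError("user info response carried no email; Username cannot be set")
    sub = claims["sub"]
    if sub in users:
        record = users[sub]
        for claim, field in (("given_name", "FirstName"), ("family_name", "LastName")):
            if _has_value(claims.get(claim)):
                record[field] = claims[claim]
        record["Email"] = email
        return "updated", record
    users[sub] = user_from_claims(claims, email)
    return "created", users[sub]


# Constructed sample ID token payload (already signature-checked in this model).
# exp and iat are numbers and amr is an array, which is why the handler should
# not parse the payload as a flat Map<String, String>.
NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": CLIENT_ID, "sub": "9f2c1b7e-example",
    "iat": NOW, "exp": NOW + 300, "nonce": "n-first",
    "given_name": "Alice", "family_name": "  ", "amr": ["pwd", "mfa"],
}


def demo():
    users = {}
    first = provision(SAMPLE_CLAIMS, "alice@example.com", users, now=NOW,
                      expected_nonce="n-first")
    # Second login: family_name is now present, so only that field changes.
    second = provision(dict(SAMPLE_CLAIMS, family_name="Smith", nonce="n-second"),
                       "alice@example.com", users, now=NOW + 10, expected_nonce="n-second")
    return first, second


if __name__ == "__main__":
    for status, record in demo():
        print(status, record["FirstName"], record["LastName"], record["Alias"])
```

The blank family_name on the first login falls back to "User" exactly as the handler does, and the second login updates the record rather than creating a duplicate because the subject identifier is the same. Changing iss or aud in SAMPLE_CLAIMS is the quickest way to see what a mistyped Token Issuer or Consumer Key in the Salesforce Auth. Provider produces: a rejected login before the handler is ever called.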
Add Authentication Provider
- Log in to Salesforce. In Quick Find, type "auth" and select Auth. Providers from the list.
- Click New.
- Select Provider Type: OpenID Connect.
- Enter a name, for example "sa".
- For Consumer Key, enter the Client ID from the Application Credentials page in Specops Authentication.
- For Consumer Secret, enter the Client Secret from the Application Credentials page in Specops Authentication.
- For Authorize Endpoint URL, Token Endpoint URL and User Info Endpoint URL, enter the corresponding URLs from Specops Authentication.
- For Token Issuer, enter the Issuer from Specops Authentication. Salesforce compares this value with the iss claim of every ID token it receives, so it must match exactly.
- In Custom Logout URL, enter the End Session Endpoint from Specops Authentication.
- Select Registration Handler Type: Apex
- Click the search button next to Registration Handler and select "MyOpenIdRegistrationHandler" that was created earlier.
- In Execute Registration As, select an existing user. The registration handler runs with this user's permissions, so the user needs the Manage Users permission (a System Administrator, for example).
- Click Save.
- Copy the Callback URL and save it for now. You will add it later to the OpenID Connect application in Specops Authentication.
Add the Redirect URLs to the OpenID Connect application
- Log in as admin to the Specops Authentication Web.
- Click Single Sign-On.
- Go to the OpenID Connect application created for Salesforce earlier, and click Edit Application.
- Under Redirect URLs, add the Callback URL from Salesforce exactly as copied. Keep the list limited to that URL; it is what prevents the authorization response, and the code it carries, from being redirected to any other site.
- Click Save.
Add Specops Authentication to login page
- Log in to Salesforce. In Quick Find, enter "Domain" and select My Domain.
- Under Authentication Configuration, click Edit.
- Under Authentication Service, check the box next to the authentication provider created earlier.
- Click Save.