Salesforce application
By configuring Salesforce to use Specops Authentication for Single Sign-On (SSO), users who attempt to sign in to Salesforce are redirected to Specops Authentication for authentication.
The user will be presented with a list of Identity Services based on the policy configured for Salesforce in Specops Authentication. To successfully authenticate, the user must complete one or more of these Identity Services. Once authentication is successful, the user is redirected back to Salesforce, which validates the OpenID Connect token and allows the login.
The policy that defines the Identity Services can be stored either in the Specops Authentication Cloud or in a Group Policy Object (GPO) in Active Directory. When creating a Single Sign-On application, you will have the following policy mode options:
- Cloud - All users in the organization are affected.
- Group Policy - Only users targeted by a tagged GPO are affected.
- Both - All users are affected. If a user also is targeted by a tagged GPO, the Group Policy takes preference over the Cloud Policy.
Prerequisites
- A Salesforce Cloud account must be in place before proceeding with the configuration.
- The Specops Domain Name Protection feature must be disabled; see Domain Name Protection.
Set up a Salesforce application
These are the main steps to set up a Salesforce application:
- Configure a Group Policy Object
- Create a Single Sign-On application
- Add Specops Authentication as a new Authentication Provider in Salesforce
Configure a Group Policy Object
Follow these steps only if you select Group Policy or Both as the policy mode when creating the Single Sign-On application.
- In the Group Policy Management Console, create a Group Policy Object and name it, for example, Salesforce.
- Link the GPO to a container that holds the users who should be able to access Salesforce.
- In the Gatekeeper Admin Tool, click Single Sign-on.
- Click Tag GPOs, select the GPO that should be available to use when configuring an OpenID Connect application in Specops Authentication, and click OK.
Create a Single Sign-On application
- Log in as admin to the Specops Authentication Web.
- Click Single Sign-On.
- Click Add new.
- Select Application Template: Salesforce. The Application Protocol is automatically set to OpenID Connect.
- Click Next.
- Under General Settings, type an application name and optionally a description for the application.
- Under Redirect URLs, add the URLs that should be allowed as redirect targets during authentication and logout. Leave it empty for now. The callback URL will be added later, once the authentication provider has been registered in Salesforce.
- In Standard Claim Mapping, optionally configure claims with information about the user that should be supplied from Active Directory to Salesforce. This list will be pre-filled with the claims used by the example registration handler in the Salesforce documentation, see Create an Apex Registration Handler Class. Claims can still be added, removed or modified to suit your needs.
- Claim: Select a name from the list of predefined names or select Custom... to enter a custom name.
- AD Attribute or Custom Value: Select a value from the list of Active Directory attributes or select Custom... to enter a custom value. If an AD attribute is selected, the claim will be populated from the user during authentication. If Custom is selected, a fixed value is used.
Warning
The "sub" claim needs to be mapped to an AD attribute that is immutable and uniquely identifies the user. Never map "sub" to, for example, the "mail" attribute since this could allow a malicious user to gain access to another user's account. The "sub" claim will be mapped to "objectGUID" as default.
- Click Next: Group Claim Mapping.
Note
The standard claims added in Standard Claim Mapping are always sent to the relying party. The group claims entered in Group Claim Mapping are additional claims added to the OIDC token for users who are members of the selected AD groups.
This configuration does not control which users can access the application. Access to the application is controlled through Policy Configuration which means that users in the selected groups must also be included in a policy to access the application.
- Under Add new group claims, optionally add claims for security groups. Enter the name of a group in Active Directory and click Add.
- Enter one or more claims and claim values for the group and click Save.
- Click Next: Policy Configuration.
Note
Policy Configuration determines which users the application policy applies to and which authentication rules are enforced for them. Only users included in a policy are allowed to access the application. Users who are not included in any policy will not have access.
- Select a Policy mode from the list.
- If you selected Group Policy or Both as policy mode, choose your Salesforce GPO from the Group Policy Objects list, and click Add.
- Click Edit Authentication Rules next to the added GPO. Configure your desired authentication rules and click Save.
- If you selected Cloud or Both as policy mode, click Configure and add the identity services that you want to include.
- Click I'm done.
- The Application Credentials page shows the credentials and URLs that may be needed when configuring Specops Authentication as an identity provider in Salesforce.
- Copy the Current Client Secret value under Client Id and save it for later use. This is the client secret value that must be entered in the relying party configuration.
Important!
The Current Client Secret value is shown only once. After you leave this page, the value cannot be viewed or copied again.
- When finished, click Close.
For information on generating a new client secret or revoking an old one, see the next section.
Rotate and Revoke a Client Secret
Rotating creates a new Current Client Secret and keeps the previous secret temporarily available. Revoking removes the old client secret so it can no longer be used. Use these options to replace the current client secret or permanently revoke an old one.
- Click Credentials next to the OIDC application on the Configured Single Sign-On Applications page.
- On the Application Credentials page:
- Click Rotate secret to generate a new Current Client Secret. The previous current client secret becomes an old client secret. If an old secret already exists, it is replaced. Both secrets remain valid until the old client secret is revoked or replaced by another rotation.
- Click Revoke old secret to permanently remove the old client secret. After it is revoked, the old secret can no longer be used, and the new Current Client Secret remains active.
Add Specops Authentication as a new Authentication Provider
These are the minimum steps for adding the new OpenID Connect application in Salesforce. For detailed documentation, see https://help.salesforce.com/s/articleView?id=xcloud.sso_provider_openid_connect.htm&type=5
Create an Apex Registration Handler Class
You need to create a custom Apex class that controls how new user records are created (or linked) when someone logs in through Specops Authentication, using OpenID Connect.
- Log in to Salesforce, click the Settings icon and select Open Advanced Setup.
- In Quick Find, enter "Apex" and select Apex Classes.
- Click New.
- Enter the code for creating the Apex class. Refer to https://developer.salesforce.com/docs/atlas.en-us.apexref.meta/apexref/apex_auth_plugin.htm#apex_auth_plugin_example for a code example. When finished, click Save.
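As an added example (neither the Salesforce sample linked above nor Specops code), the handler below applies the "sub" rule from the Standard Claim Mapping warning on the Salesforce side: users are matched on the immutable sub value stored in FederationIdentifier, and the handler fails closed instead of linking by email. The profile name "Standard User" and the use of the email claim as the Salesforce username are assumptions.

```apex
// Added example; assumes "sub" is mapped to objectGUID in Specops Authentication
// (the page's default) and that a profile named "Standard User" exists.
global class SpecopsRegistrationHandler implements Auth.RegistrationHandler {

    public class ProvisioningException extends Exception {}

    // Existing users are matched on the immutable "sub" value kept in
    // FederationIdentifier, never on a mutable attribute such as email.
    private User findBySubject(String subject) {
        List<User> found = [SELECT Id FROM User
                            WHERE FederationIdentifier = :subject LIMIT 1];
        return found.isEmpty() ? null : found[0];
    }

    global User createUser(Id portalId, Auth.UserData data) {
        // data.identifier carries the OIDC "sub" claim.
        if (String.isBlank(data.identifier) || String.isBlank(data.email)) {
            throw new ProvisioningException('sub and email claims are required');
        }
        User existing = findBySubject(data.identifier);
        if (existing != null) {
            return existing;   // link the login to the account keyed by this sub
        }
        // Fail closed if the email already belongs to an account with another
        // (or no) sub: linking here would hand that account to the caller.
        List<User> byEmail = [SELECT Id FROM User WHERE Email = :data.email LIMIT 1];
        if (!byEmail.isEmpty()) {
            throw new ProvisioningException('email already belongs to another identity');
        }
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
        User u = new User();
        u.FederationIdentifier = data.identifier;
        u.Username  = data.email;   // assumption: email claim is unique and mapped
        u.Email     = data.email;
        u.FirstName = data.firstName;
        u.LastName  = String.isBlank(data.lastName) ? 'User' : data.lastName;
        u.Alias     = data.identifier.replaceAll('[^A-Za-z0-9]', '').left(8);
        u.ProfileId = p.Id;
        u.LanguageLocaleKey = 'en_US';
        u.LocaleSidKey      = 'en_US';
        u.EmailEncodingKey  = 'UTF-8';
        u.TimeZoneSidKey    = 'America/Los_Angeles';
        return u;   // Salesforce inserts the record after the handler returns
    }

    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        // Refresh profile fields only; the sub-to-user binding is never re-keyed.
        User u = new User(Id = userId);
        u.FirstName = data.firstName;
        u.LastName  = data.lastName;
        u.Email     = data.email;
        update u;
    }
}
```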
Add Authentication Provider
- Log in to Salesforce. In Quick Find, type "auth" and select Auth. Providers from the list.
- Click New.
- Select Provider Type: Open ID Connect.
- Enter a name, for example "sa".
- For Consumer Key, enter Client Id from Application Credentials in Specops Authentication.
- For Consumer Secret, enter Client Secret from Application Credentials in Specops Authentication.
- For Authorize, Token and User Info Endpoint URL, enter the corresponding URLs from Specops Authentication.
- For Token Issuer, enter Issuer from Specops Authentication.
- In Custom Logout URL, enter End Session Endpoint from Specops Authentication.
- Select Registration Handler Type: Apex.
- Click the search button next to Registration Handler and select the registration handler that was created earlier.
- In Execute Registration As, select an existing user.
- Click Save.
- Copy the Callback URL and save it for now. You will add it later to the OpenID Connect application in Specops Authentication.
Add the Redirect URLs to the OpenID Connect application
- Log in as admin to the Specops Authentication Web.
- Click Single Sign-On.
- Go to the OpenID Connect application created for Salesforce earlier, and click Edit Application.
- Under Redirect URLs, add the Callback URL from Salesforce.
- Click Save.
Add Specops Authentication to login page
- Log in to Salesforce. In Quick Find, enter "Domain" and select My Domain.
- Under Authentication Configuration, click Edit.
- Under Authentication Service, check the box next to the authentication provider created earlier.
- Click Save.