SSO, also known as single sign-on, avoids the need for users to log in separately to every system. One system is configured to rely on another to authenticate users. The system that authenticates users is known as the identity provider, and the system that trusts the identity provider for authentication is known as the service provider.
Implementing Salesforce SSO also reduces the attack surface: users log in once a day with a single set of credentials, and having fewer credentials to manage and protect enhances enterprise security.
Salesforce SSO can be implemented using a third-party identity provider, delegated authentication, OAuth, and other methods. Choose the method that fits your organization's current infrastructure, user management practices, and security requirements, and understand the process thoroughly before moving ahead.
In this post, we implement Salesforce SSO using OAuth, an open protocol that authorizes a client app to access data from a protected resource through an exchange of tokens.
Implement Salesforce SSO – Let’s Start The Process
First, we need to create the Connected App for Salesforce SSO. A connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols such as SAML, OAuth, and OpenID Connect. Connected apps use these protocols to authenticate, authorize, and provide single sign-on (SSO) for external apps. Such apps enable SSO, or set security policies that restrict what data third-party apps can access in your org.
The external apps that are integrated with Salesforce can run on the customer success platform, other platforms, devices, or SaaS subscriptions.
For example, when you log in to your Salesforce mobile app and see your data from your Salesforce org, you’re using a connected app.
By capturing metadata about an external app, a connected app tells Salesforce which protocol (SAML, OAuth, or OpenID Connect) the external app uses, and where the external app runs. Salesforce can then grant the external app access to its data and attach policies that define access restrictions, such as when the app's access expires. Salesforce can also audit connected app usage.
How Can My Salesforce Org Use Connected Apps?
- Access Data with API Integration
- Integrate Service Providers with Salesforce
Access Data with API Integration:
When developers or independent software vendors (ISVs) build web-based or mobile applications that need to pull data from your Salesforce org, you can use connected apps as the clients that request this data. To do so, you create a connected app that integrates with Salesforce APIs.
Integrate Service Providers with Salesforce:
When Salesforce acts as your identity provider, you can use a connected app to integrate your service provider with your org. Depending on your org’s configuration, you can use one of these methods.
Use a connected app with SAML 2.0 to integrate a service provider with your org. Salesforce supports SAML single sign-on (SSO) whether the service provider or the identity provider initiates the flow.
What Role Do I Play with Connected Apps?
To put it simply, developers create and configure authorization flows for connected apps, and admins set policies and permissions to control connected app usage. But there’s much more to each role.
- Connected App Developer
- Connected App Admin
The steps to use a connected app:
There are three steps to follow:
1. Domain Setup
2. Profile access to the User object
3. Connected App Setup
Domain Setup Steps:
Setup -> Quick Find box -> Domain Management -> Domains -> Create New Domain (if one does not already exist)
In my case the domain name is gst-idp-dev-ed.
Profile Access to the User Object
The profile assigned to your users can be any profile that has access to the User object. There are three ways to set this up:
- Use an existing profile, for example "Standard User" (the profile I am working with here). Open the profile and add the external users to it:
Setup -> Quick Find box -> Profiles -> Standard User (or any other profile) -> Assigned Users -> New User -> add the users
- Or assign the profile while creating or editing a user:
Setup -> Quick Find box -> Users -> Create New User or Edit Existing User -> assign the Standard User profile or the custom profile you have created
- Or create a new custom profile that has access to the User object, and use that:
Setup -> Quick Find box -> Profiles -> Create New Profile with the Users access permission
Connected App Setup Steps:
Setup -> Quick Find box -> Manage Apps -> Connected Apps -> Create Connected App
In my case the app label is GST_IDP; you can give any name and version.
Details inside the Connected App:
- URL: the URL configured here is used by the GST system (the calling API). The domain name will be replaced by the site URL through which users access the application.
- Selected OAuth Scopes:
  - Access your basic information (id, profile, email, address, phone)
  - Full access (full)
- Consumer Key and Consumer Secret are generated by Salesforce itself.
1. Saving the connected app returns the Consumer Key and Consumer Secret.
2. Pass the consumer key, consumer secret, and domain name to the .NET API as parameters.
Note: Whenever you integrate with another site using an API, you need to add that site's URL in Remote Site Settings.
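The steps above end with the consumer key, consumer secret and domain name being handed to the calling API. The following is an added example (not code from this post or from Emizentech) of what that calling side does with them in the Salesforce OAuth 2.0 web server flow: it builds the authorization request with a per-login state value, checks the callback against that state, prepares the server-side token request, and verifies the `signature` field that Salesforce returns with the access token (Base64 of HMAC-SHA256 over `id` + `issued_at`, keyed with the consumer secret). The My Domain URL, callback URL, key, secret and token response are all constructed placeholders; the scopes requested are narrower than the "Full access (full)" scope offered in the connected app, which is the least-privilege choice when the client only needs the identity URL and API access.

```python
"""Client-side pieces of the Salesforce OAuth 2.0 web server flow (added example)."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values; a real integration reads these from configuration.
MY_DOMAIN = "https://gst-idp-dev-ed.my.salesforce.com"  # hypothetical My Domain URL
CONSUMER_KEY = "3MVG9CONSTRUCTED_CONSUMER_KEY"  # placeholder, not a real key
CONSUMER_SECRET = "CONSTRUCTED_CONSUMER_SECRET"  # placeholder, not a real secret
CALLBACK_URL = "https://gst.example.com/oauth/callback"  # hypothetical callback URL


def new_state() -> str:
    """Unguessable per-login value that binds the callback to this login attempt."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state: str, scopes=("id", "api", "refresh_token")) -> str:
    """Authorization request; scopes are the minimum the client needs, not 'full'."""
    params = {
        "response_type": "code",
        "client_id": CONSUMER_KEY,
        "redirect_uri": CALLBACK_URL,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{MY_DOMAIN}/services/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code from the redirect. Raise if the state does
    not match: the callback was then not triggered by a login this client started."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def build_token_request(code: str) -> dict:
    """Form body for POST {MY_DOMAIN}/services/oauth2/token. The consumer secret
    only ever travels in this server-to-server request, never to the browser."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": CONSUMER_KEY,
        "client_secret": CONSUMER_SECRET,
        "redirect_uri": CALLBACK_URL,
    }


def expected_signature(identity_url: str, issued_at: str, secret: str) -> str:
    """Salesforce signs the identity URL as Base64(HMAC-SHA256(secret, id + issued_at))."""
    mac = hmac.new(secret.encode(), (identity_url + issued_at).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verify_token_response(resp: dict, secret: str = CONSUMER_SECRET) -> bool:
    """True when `signature` matches `id` and `issued_at`, i.e. the identity URL
    was not altered between Salesforce and this client."""
    calc = expected_signature(resp["id"], resp["issued_at"], secret)
    return hmac.compare_digest(calc, resp["signature"])


def sample_token_response() -> dict:
    """Constructed stand-in for the token endpoint's JSON reply (placeholder IDs)."""
    identity_url = f"{MY_DOMAIN}/id/00D000000000000EAA/005000000000000AAA"
    issued_at = "1700000000000"
    return {
        "access_token": "CONSTRUCTED_ACCESS_TOKEN",
        "instance_url": MY_DOMAIN,
        "id": identity_url,
        "issued_at": issued_at,
        "token_type": "Bearer",
        "signature": expected_signature(identity_url, issued_at, CONSUMER_SECRET),
    }


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url(state))
    code = parse_callback(f"{CALLBACK_URL}?code=aPrx.constructed&state={state}", state)
    print("token request grant:", build_token_request(code)["grant_type"])
    print("signature ok:", verify_token_response(sample_token_response()))
```

The state check and the signature check are the two places where a client commonly cuts corners; the first rejects callbacks the client never initiated, the second catches an identity URL that was modified in transit, and `hmac.compare_digest` keeps the comparison constant-time.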
If you are searching for experienced Salesforce consultants for Salesforce development services, please get in touch with us.
Now you know how to implement SSO using OAuth to ease users' login to each system. You may find it simple to attain this, but trust us, it needs expertise. You can connect with a leading Salesforce consulting company offering perfect guidance to make the best use of the platform.
When Emizentech is here to serve you the best, you don’t need to go here and there to find the best company. We have a team of experienced Salesforce consultants assisting worldwide clients in accomplishing their Salesforce projects.