To configure Single Sign On (SSO) for use with Salesforce you must create a new authentication provider in Salesforce, create a Salesforce domain, configure a Custom Logout URL for Salesforce, and update the Apex Code.
Ensure you have the prerequisites installed and configured first, and have also configured SSO in Alfresco products.
- To create an authentication provider, navigate to Salesforce and log in as an Administrator.
- Go to Setup Tab > Identity > Auth. Providers and click New.
- Select OpenID Connect from the Provider Type drop-down list. The table below describes the fields on the Auth. Provider Edit window.
| Auth. Provider create fields | Value/Description |
| --- | --- |
| Provider Type | OpenID Connect |
| Name | Enter a name for the authentication service. |
| URL Suffix | Automatically filled in based on the name you enter. |
| Consumer Key | To find this key, go to Identity Service > Alfresco Realm > Clients and the client ID you have configured for Alfresco Content Services. The key is usually alfresco. |
| Consumer Secret | 1. Go to Identity Service > Alfresco Realm > Realm Settings > Keys Tab. 2. Click Public key next to the algorithm that has one. 3. Copy and paste the key. |
| Authorize Endpoint URL | 1. Go to Identity Service > Alfresco Realm > Realm Settings. 2. Click the link in the Endpoints field. 3. Copy and paste the JSON output into a reader to make it more readable. 4. Find the value for authorization_endpoint. 5. Copy and paste the value. Note: Keep the JSON file because it will be used to find the URLs for other fields. |
| Token Endpoint URL | 1. Find the value for token_endpoint in the JSON file. 2. Copy and paste the value. |
| User Info Endpoint URL | 1. Find the value for userinfo_endpoint in the JSON file. 2. Copy and paste the value. |
| Token Issuer | 1. Find the value for issuer in the JSON file. 2. Copy and paste the value. |
| Default Scopes | OpenID email. Note: See Use the Scope URL Parameter for more on the use of OpenID. |
| Send access token in header | Selected |
| Send client credentials in header | Not Selected |
| Include Consumer Secret in API Responses | Selected |
| Custom Error URL | Leave empty. |
| Custom Logout URL | Leave empty. Note: The Custom Logout URL will be configured later in the configuration steps. |
| Registration Handler | Select an existing Registration Handler for your provider or click Automatically create a registration handler template. Note: Creating a template will require modification by your Salesforce team for it to work for your use case and provider. |
| Execute Registration As | Select an Admin user. |
| Portal | None |
| Icon URL | Optional. Enter a URL where an image can be found. |
- Enter your information in the fields and click Save.
- To create your domain, go back to Setup Tab > Company Settings > My Domain.
- Enter the name of the domain you want to use and click Check Availability.
- Click Register Domain if it's available. You will see a notice that tells you the domain is registering. This process may take 60 minutes.
- Once the domain is registered you can test it. Use the Login button to log in and test the domain.
- Click Deploy to Users to deploy your domain.
- Click Edit under the Authentication Configuration heading.
- Select the Auth. Provider service you have created under the Authentication Service heading and click Save.
- To add your Custom Logout URL, copy your domain name as it appears next to Your domain name is.
- Go back to Setup Tab > Identity > Auth. Providers and edit the authentication provider you created earlier.
- Paste your domain URL into the Custom Logout URL field.
- Navigate to the JSON file you used earlier, find the value of end_session_endpoint and also paste it into the Custom Logout URL field.
- Add ?redirect_uri= between your domain URL and the end_session_endpoint value and click Save. It should take the form end_session_endpoint?redirect_uri=<Your domain>.
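The following Python script is an added example, not part of the Alfresco documentation or product: it reads the same OpenID discovery JSON that the Endpoints link returns, extracts the four endpoint fields for the Auth. Provider form while checking that each one is an https URL on the issuer's own host, and assembles the Custom Logout URL in the form described above. The hostname, realm path and Salesforce domain in the sample are placeholders I constructed.

```python
import json
from urllib.parse import urlparse

# Constructed sample of the OpenID discovery JSON the Endpoints link returns
# (hostname and realm path are placeholders, not a real Identity Service).
SAMPLE_DISCOVERY_JSON = """{
  "issuer": "https://idp.example.com/auth/realms/alfresco",
  "authorization_endpoint": "https://idp.example.com/auth/realms/alfresco/protocol/openid-connect/auth",
  "token_endpoint": "https://idp.example.com/auth/realms/alfresco/protocol/openid-connect/token",
  "userinfo_endpoint": "https://idp.example.com/auth/realms/alfresco/protocol/openid-connect/userinfo",
  "end_session_endpoint": "https://idp.example.com/auth/realms/alfresco/protocol/openid-connect/logout"
}"""

# Auth. Provider form fields mapped to the discovery-document keys they take.
PROVIDER_FIELDS = {
    "Authorize Endpoint URL": "authorization_endpoint",
    "Token Endpoint URL": "token_endpoint",
    "User Info Endpoint URL": "userinfo_endpoint",
    "Token Issuer": "issuer",
}


def extract_provider_values(discovery_json: str) -> dict:
    """Return the four URL fields for the Auth. Provider form. Each value must
    be present, use https and sit on the issuer's host, so a tampered or
    mis-copied document cannot point Salesforce at another server."""
    doc = json.loads(discovery_json)
    issuer_host = urlparse(doc["issuer"]).netloc
    values = {}
    for field, key in PROVIDER_FIELDS.items():
        url = doc.get(key)
        if not url:
            raise ValueError(f"discovery document lacks {key}")
        parsed = urlparse(url)
        if parsed.scheme != "https" or parsed.netloc != issuer_host:
            raise ValueError(f"{key} must be https on {issuer_host}: {url}")
        values[field] = url
    return values


def build_custom_logout_url(discovery_json: str, my_domain: str) -> str:
    """Assemble end_session_endpoint?redirect_uri=<Your domain> for the
    Custom Logout URL field; my_domain is the name shown under My Domain."""
    end_session = json.loads(discovery_json)["end_session_endpoint"]
    if "://" not in my_domain:
        my_domain = "https://" + my_domain
    return f"{end_session}?redirect_uri={my_domain}"
```

Calling build_custom_logout_url(SAMPLE_DISCOVERY_JSON, "mycompany.my.salesforce.com") yields the logout endpoint followed by ?redirect_uri=https://mycompany.my.salesforce.com, which is the value to paste into the Custom Logout URL field.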