NAM as OpenID Connect provider for Salesforce



Salesforce allows you to use any third party web application that implements the server side of the OpenID Connect protocol. This allows you to use authentication providers like NetIQ Access Manager.

Why is this useful?

This allows user to do SSO with enterprise authentication and seamless access to Salesforce. User can access Salesforce from enterprise user portal without additional login. Enterprise organization can protect Salesforce access by corporate policy like Risk Based Authentication or Strong Authentication like two factor authentication. NetIQ Access Manager supports Risk Based Authentication and strong authentication using Advanced Authentication Framework.

Goal of this solution

NetIQ Access Manager provides documentation which enlists steps how to configure OpenID Connect protocol and how to register a client.

Salesforce provides documentation provides how to configure OpenID Connect provider.

This Solution will guide basic steps to setting up NAM as OpenID Connect provider for Salesforce.

Configuration steps

  1. Register OAuth2 client with NAM

  • Configure Salesforce
    1. Create Authentication Provider

  • Create or modify auto created Registration Handler

  • Configure NAM with Salesforce OAuth2 redirect URI

  • Testing configuration

  • Create a domain and customize the login page of Salesforce to show the NAM as authentication source

Setup Information

Register OAuth2 client with NAM

  1. Make sure NAM IDP server is accessible from outside enterprise/ from salesforce server

  • Note down the client id and secret

  • Note down NAM Oauth2 endpoints.

Salesforce Configuration

  1. In Salesforce go to Setup -> Security Controls -> Auth Providers


  • Click New and select OpenID Connect as the Provider Type


  • Enter your organization as the name, in this example organization taken is NetIQ

  • Enter your organization name as the URL Suffix, in this example name used as netiq

  • Enter the CLIENT ID noted from NetIQ OAuth2 client registration as the Consumer Key in Salesforce

  • Enter the CLIENT SECRET noted from NetIQ OAuth2 client registration as the Consumer Secret in Salesforce

  • Enter “profile email openid” as the Default Scopes

  • Send access token in header check box is checked by default leave it as it is.

  • Registration Handler select as auto generated

  • Set a System Admin as the Execute Registration As

  • Save

  • Above configured values showed as Read only format, Take a note of the Callback URL in the Client Configuration section( at bottom)

  • Note down other URLs for testing.


NAM Configuration update with Salesforce Callback URL

  1. Go to your NAM OAuth2 client configuration and edit configuration

  • Add Callback URL noted at the end of Salesforce configuration as one more redirect URL

  • Refer NAM documentation for more information

Modify Registration Handler

  1. In Salesforce go to Setup > Build > manage your Apex Classes

  • Select Auto generated class and edit to your requirement

  • Sample class used for testing

//TODO:This autogenerated class includes the basics for a Registration
//Handler class. You will need to customize it to ensure it meets your needs and
//the data provided by the third party.

global class AutocreatedRegHandler1430979754892 implements Auth.RegistrationHandler{
global boolean canCreateUser(Auth.UserData data) {
//TODO: Check whether we want to allow creation of a user with this data
//Set<String> s = new Set<String>{'usernamea', 'usernameb', 'usernamec'};
//if(s.contains(data.username)) {
//return true;
List<User> users = [select Id from User where username];
system.debug('#1##' users[0]);
return false;
system.debug('#2## user not exists');
return true;

global User createUser(Id portalId, Auth.UserData data){
if(!canCreateUser(data)) {
//Returning null or throwing an exception fails the SSO flow
system.debug('#3## return null');
return null;
system.debug('#4## user creating ';
//The user is authorized, so create their Salesforce user
User u = new User();
Profile p = [SELECT Id FROM profile WHERE name='Standard User'];
//TODO: Customize the username. Also check that the username doesn't already exist and
//possibly ensure there are enough org licenses to create a user. Must be 80 characters
//or less.
u.username =; =;
u.lastName = data.lastName;
u.firstName = data.firstName;
String alias = data.firstName data.lastName;
//Alias must be 8 characters or less
if(alias.length() > 8) {
alias = alias.substring(0, 8);
u.alias = alias;
u.languagelocalekey = UserInfo.getLocale();
u.localesidkey = UserInfo.getLocale();
u.emailEncodingKey = 'UTF-8';
u.timeZoneSidKey = 'America/Los_Angeles';
u.profileId = p.Id;
return u;

global void updateUser(Id userId, Id portalId, Auth.UserData data){
User u = new User(id=userId);
//TODO: Customize the username. Must be 80 characters or less.
u.username =; =;
u.lastName = data.lastName;
u.firstName = data.firstName;
//String alias = data.username;
//Alias must be 8 characters or less
//if(alias.length() > 8) {
//alias = alias.substring(0, 8);
//u.alias = alias;

Testing Configuration

  1. At end of Salesforce noted URL “Test-Only Initialization URL” access this URL on a browser

  • It will redirected to NAM IDP with OAuth2 authorization flow

  • NAM IDP prompt for authentication if authentication is session is not exists with browser

  • On successful authentication NAM will redirect browser to Salesforce with Salesforce Callback URL

  • If everything go well user is logged in to Salesforce, If error check for URL where error code and description will be available, to resolve this Check IDP logs whether OAuth2 flow and UserInfo Endpoint call successful and contact Salesforce communities for further help.

Create your Salesforce Domain

Salesforce allows to have custom subdomain to login to Salesforce the formate is https://<subdomain>

To enable subdomain do follow these steps:

  1. In Salesforce go to Setup > Domain Management > My Domain

  • Choose a domain, check its availability and click the Register button

  • Adding OpenID Connect provider as button to login page
    1. a. Edit Authentication Configuration section
    2. Select your OpenID Connector provider check box as Authentication Service

  • Now subdomain can be used for login, Access https://<subdomain>


Please share your comments!!


How To-Best Practice
Comment List