NAM as OpenID Connect provider for Salesforce

0 Likes

over 7 years ago

Introduction

Salesforce allows you to use any third party web application that implements the server side of the OpenID Connect protocol. This allows you to use authentication providers like NetIQ Access Manager.

Why is this useful?

This allows user to do SSO with enterprise authentication and seamless access to Salesforce. User can access Salesforce from enterprise user portal without additional login. Enterprise organization can protect Salesforce access by corporate policy like Risk Based Authentication or Strong Authentication like two factor authentication. NetIQ Access Manager supports Risk Based Authentication and strong authentication using Advanced Authentication Framework.

Goal of this solution

NetIQ Access Manager provides documentation which enlists steps how to configure OpenID Connect protocol and how to register a client.

Salesforce provides documentation provides how to configure OpenID Connect provider.

This Solution will guide basic steps to setting up NAM as OpenID Connect provider for Salesforce.

Configuration steps

Configure Salesforce
1. Create Authentication Provider
Create or modify auto created Registration Handler

Configure NAM with Salesforce OAuth2 redirect URI

Testing configuration

Create a domain and customize the login page of Salesforce to show the NAM as authentication source

Setup Information

Register OAuth2 client with NAM

Make sure NAM IDP server is accessible from outside enterprise/ from salesforce server

Follow documentation how to create OAuth2 client https://www.netiq.com/documentation/access-manager-41/admin/data/b1dj6b2f.html

Note down the client id and secret

Note down NAM Oauth2 endpoints.

Salesforce Configuration

In Salesforce go to Setup -> Security Controls -> Auth Providers

Click New and select OpenID Connect as the Provider Type

Enter your organization as the name, in this example organization taken is NetIQ

Enter your organization name as the URL Suffix, in this example name used as netiq

Enter the CLIENT ID noted from NetIQ OAuth2 client registration as the Consumer Key in Salesforce

Enter the CLIENT SECRET noted from NetIQ OAuth2 client registration as the Consumer Secret in Salesforce

Enter https://www.idp.com/nidp/oauth/nam/authz as the Authorize Endpoint URL

Enter https://www.idp.com/nidp/oauth/nam/token as the Token Endpoint URL

Enter https://www.idp.com/nidp/oauth/nam/userinfo as the User Info Endpoint URL

Enter https://www.idp.com/nidp/oauth/nam as the Token Issuer

Enter “profile email openid” as the Default Scopes

Send access token in header check box is checked by default leave it as it is.

Registration Handler select as auto generated

Set a System Admin as the Execute Registration As

Save

Above configured values showed as Read only format, Take a note of the Callback URL in the Client Configuration section( at bottom)

Note down other URLs for testing.

NAM Configuration update with Salesforce Callback URL

Go to your NAM OAuth2 client configuration and edit configuration

Add Callback URL noted at the end of Salesforce configuration as one more redirect URL

Refer NAM documentation for more information

Modify Registration Handler

In Salesforce go to Setup > Build > manage your Apex Classes

Select Auto generated class and edit to your requirement

Sample class used for testing

//TODO:This autogenerated class includes the basics for a Registration
//Handler class. You will need to customize it to ensure it meets your needs and
//the data provided by the third party.

global class AutocreatedRegHandler1430979754892 implements Auth.RegistrationHandler{
global boolean canCreateUser(Auth.UserData data) {
    //TODO: Check whether we want to allow creation of a user with this data
    //Set<String> s = new Set<String>{'usernamea', 'usernameb', 'usernamec'};
    //if(s.contains(data.username)) {
        //return true;
    //}
    List<User> users = [select Id from User where username =:data.email];
        if(users.size()==1)
        {
        system.debug('#1##' users[0]);
            return false;
        }
        system.debug('#2## user not exists');
    return true;
}

global User createUser(Id portalId, Auth.UserData data){
    if(!canCreateUser(data)) {
        //Returning null or throwing an exception fails the SSO flow
        system.debug('#3## return null');
        return null;
    }
    system.debug('#4## user creating ' data.email);
    //The user is authorized, so create their Salesforce user
    User u = new User();
    Profile p = [SELECT Id FROM profile WHERE name='Standard User'];
    //TODO: Customize the username. Also check that the username doesn't already exist and
    //possibly ensure there are enough org licenses to create a user. Must be 80 characters
    //or less.
    u.username = data.email;
    u.email = data.email;
    u.lastName = data.lastName;
    u.firstName = data.firstName;
    String alias = data.firstName   data.lastName;
    //Alias must be 8 characters or less
    if(alias.length() > 8) {
        alias = alias.substring(0, 8);
    }
    u.alias = alias;
    u.languagelocalekey = UserInfo.getLocale();
    u.localesidkey = UserInfo.getLocale();
    u.emailEncodingKey = 'UTF-8';
    u.timeZoneSidKey = 'America/Los_Angeles';
    u.profileId = p.Id;
    return u;
}

global void updateUser(Id userId, Id portalId, Auth.UserData data){
    User u = new User(id=userId);
    //TODO: Customize the username. Must be 80 characters or less.
    u.username = data.email;
    u.email = data.email;
    u.lastName = data.lastName;
    u.firstName = data.firstName;
    //String alias = data.username;
    //Alias must be 8 characters or less
    //if(alias.length() > 8) {
        //alias = alias.substring(0, 8);
    //}
    //u.alias = alias;
    update(u);
}
}

Testing Configuration

At end of Salesforce noted URL “Test-Only Initialization URL” access this URL on a browser

It will redirected to NAM IDP with OAuth2 authorization flow

NAM IDP prompt for authentication if authentication is session is not exists with browser

On successful authentication NAM will redirect browser to Salesforce with Salesforce Callback URL

If everything go well user is logged in to Salesforce, If error check for URL where error code and description will be available, to resolve this Check IDP logs whether OAuth2 flow and UserInfo Endpoint call successful and contact Salesforce communities for further help.

Create your Salesforce Domain

Salesforce allows to have custom subdomain to login to Salesforce the formate is https://<subdomain>.my.salesforce.com

To enable subdomain do follow these steps:

In Salesforce go to Setup > Domain Management > My Domain

Choose a domain, check its availability and click the Register button

Documentation link https://help.salesforce.com/apex/HTViewHelpDoc?id=domain_name_define.htm&language=en_US

Once domain is registered and active you can customize the login page https://help.salesforce.com/apex/HTViewHelpDoc?id=domain_name_login_branding.htm&language=en_US

Adding OpenID Connect provider as button to login page
1. a. Edit Authentication Configuration section
2. Select your OpenID Connector provider check box as Authentication Service

Now subdomain can be used for login, Access https://<subdomain>.my.salesforce.com/

References

https://developer.salesforce.com/page/Developer_Edition

https://help.salesforce.com/HTViewHelpDoc?id=sso_provider_openid_connect.htm&language=en_US

https://www.netiq.com/communities/cool-solutions/oauth2-mobile-client-netiq-access-manager-4-1-using-implicit-flow/

https://www.netiq.com/documentation/access-manager-41/admin/data/b1dj6b2f.html

Please share your comments!!

Tags:

OpenID Connect

CRM

Salesforce

authentication

OAuth2

Labels:

How To-Best Practice

Comment List

Recommended

Menu

NetIQ Access Manager