NAM as OpenID Connect provider for Salesforce

Introduction

Salesforce can delegate login to any third-party web application that implements the server side of the OpenID Connect protocol, which lets you use an authentication provider such as NetIQ Access Manager (NAM).

Why is this useful?

This lets users sign in with their enterprise credentials and get seamless SSO access to Salesforce: a user who is already logged in to the enterprise user portal can open Salesforce without an additional login. The organization can also protect Salesforce access with corporate policy such as Risk Based Authentication or strong authentication (for example two-factor authentication); NetIQ Access Manager supports Risk Based Authentication and strong authentication through its Advanced Authentication Framework.

Goal of this solution

The NetIQ Access Manager documentation lists the steps for configuring the OpenID Connect protocol and for registering a client.

The Salesforce documentation describes how to configure an OpenID Connect authentication provider.

This solution walks through the basic steps for setting up NAM as the OpenID Connect provider for Salesforce.

Configuration steps

  1. Register an OAuth2 client with NAM
  2. Configure Salesforce
     a. Create an Authentication Provider
     b. Create or modify the auto-created Registration Handler
  3. Configure NAM with the Salesforce OAuth2 redirect URI
  4. Test the configuration
  5. Create a domain and customize the Salesforce login page to show NAM as an authentication source


Setup Information

Register OAuth2 client with NAM

  1. Make sure the NAM IDP server is reachable from outside the enterprise, i.e. from the Salesforce servers
  2. Follow the documentation to create an OAuth2 client: https://www.netiq.com/documentation/access-manager-41/admin/data/b1dj6b2f.html
  3. Note down the client ID and secret
  4. Note down the NAM OAuth2 endpoints


Salesforce Configuration

  1. In Salesforce go to Setup -> Security Controls -> Auth Providers
     [Screenshot: namasopenid-1]
  2. Click New and select OpenID Connect as the Provider Type
     [Screenshot: namasopenid-2]
  3. Enter your organization as the Name; in this example the organization is NetIQ
  4. Enter your organization name as the URL Suffix; in this example the suffix is netiq
  5. Enter the CLIENT ID noted from the NetIQ OAuth2 client registration as the Consumer Key in Salesforce
  6. Enter the CLIENT SECRET noted from the NetIQ OAuth2 client registration as the Consumer Secret in Salesforce
  7. Enter https://www.idp.com/nidp/oauth/nam/authz as the Authorize Endpoint URL (www.idp.com is the example IDP host used throughout this tip)
  8. Enter https://www.idp.com/nidp/oauth/nam/token as the Token Endpoint URL
  9. Enter https://www.idp.com/nidp/oauth/nam/userinfo as the User Info Endpoint URL
  10. Enter https://www.idp.com/nidp/oauth/nam as the Token Issuer
  11. Enter "profile email openid" as the Default Scopes
  12. Leave the "Send access token in header" check box checked (it is checked by default)
  13. For the Registration Handler, use the auto-generated class
  14. Set a System Administrator as the "Execute Registration As" user
  15. Save
  16. The configured values are now shown read-only. Take note of the Callback URL in the Client Configuration section at the bottom of the page
  17. Note down the other URLs for testing
     [Screenshot: namasopenid-3]






NAM Configuration Update with the Salesforce Callback URL

  1. Go to your NAM OAuth2 client configuration and edit it
  2. Add the Callback URL noted at the end of the Salesforce configuration as an additional redirect URI
  3. Refer to the NAM documentation for more information



Modify Registration Handler

  1. In Salesforce go to Setup > Build and open your Apex Classes
  2. Select the auto-generated class and edit it to suit your requirements
  3. The sample class used for testing is shown below



//TODO: This autogenerated class includes the basics for a Registration
//Handler class. You will need to customize it to ensure it meets your needs and
//the data provided by the third party.

global class AutocreatedRegHandler1430979754892 implements Auth.RegistrationHandler {

    // Decide whether a Salesforce user may be created from the data NAM returned.
    // This sample uses the email claim from the UserInfo response as the username.
    global boolean canCreateUser(Auth.UserData data) {
        //TODO: Check whether we want to allow creation of a user with this data
        //Set<String> s = new Set<String>{'usernamea', 'usernameb', 'usernamec'};
        //if(s.contains(data.username)) {
        //    return true;
        //}
        List<User> users = [SELECT Id FROM User WHERE Username = :data.email];
        if (users.size() == 1) {
            // A user with this username already exists, so do not create another
            System.debug('#1##' + users[0]);
            return false;
        }
        System.debug('#2## user not exists');
        return true;
    }

    global User createUser(Id portalId, Auth.UserData data) {
        if (!canCreateUser(data)) {
            //Returning null or throwing an exception fails the SSO flow
            System.debug('#3## return null');
            return null;
        }
        System.debug('#4## user creating ' + data.email);
        //The user is authorized, so create their Salesforce user
        User u = new User();
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User'];
        //TODO: Customize the username. Also check that the username doesn't already exist and
        //possibly ensure there are enough org licenses to create a user. Must be 80 characters
        //or less.
        u.username = data.email;
        u.email = data.email;
        u.lastName = data.lastName;
        u.firstName = data.firstName;
        String alias = data.firstName + data.lastName;
        //Alias must be 8 characters or less
        if (alias.length() > 8) {
            alias = alias.substring(0, 8);
        }
        u.alias = alias;
        u.languagelocalekey = UserInfo.getLocale();
        u.localesidkey = UserInfo.getLocale();
        u.emailEncodingKey = 'UTF-8';
        u.timeZoneSidKey = 'America/Los_Angeles';
        u.profileId = p.Id;
        return u;
    }

    // Called on later logins of a user already linked to this provider; the
    // attributes NAM asserts (email and names) are copied onto the existing user.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = new User(id = userId);
        //TODO: Customize the username. Must be 80 characters or less.
        u.username = data.email;
        u.email = data.email;
        u.lastName = data.lastName;
        u.firstName = data.firstName;
        //String alias = data.username;
        //Alias must be 8 characters or less
        //if(alias.length() > 8) {
        //    alias = alias.substring(0, 8);
        //}
        //u.alias = alias;
        update(u);
    }
}


Testing Configuration

  1. Open the "Test-Only Initialization URL" noted at the end of the Salesforce configuration in a browser
  2. The browser is redirected to the NAM IDP with an OAuth2 authorization request
  3. The NAM IDP prompts for authentication if the browser does not already have an authenticated session
  4. On successful authentication NAM redirects the browser to the Salesforce Callback URL
  5. If everything goes well the user is logged in to Salesforce. On failure, check the URL in the browser: the error code and description are carried there. To resolve the problem, check the IDP logs to see whether the OAuth2 flow and the UserInfo endpoint call succeeded, and contact the Salesforce communities for further help.
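To make the steps above checkable one at a time, here is an added Python example (not from the original tip or from NetIQ or Salesforce) that builds the same requests Salesforce sends to the NAM endpoints configured earlier: the authorize redirect, the parsing of the callback with its error code and description, the token exchange and the UserInfo call with the token in the header. The client id, secret, state and callback URL values are placeholders you supply.

```python
# Added example, not from the original tip: the OAuth2/OIDC steps Salesforce
# performs against the NAM endpoints configured above, so each step can be
# checked on its own when the test-only initialization URL fails.
import base64
import json
import urllib.parse
import urllib.request

ISSUER = "https://www.idp.com/nidp/oauth/nam"  # Token Issuer entered in Salesforce
AUTHZ_URL, TOKEN_URL, USERINFO_URL = (ISSUER + p for p in ("/authz", "/token", "/userinfo"))
SCOPES = "profile email openid"                # Default Scopes entered in Salesforce

def build_authz_url(client_id, redirect_uri, state):
    """Step 2: the redirect to the NAM authorize endpoint (authorization code flow)."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": SCOPES, "state": state}
    return AUTHZ_URL + "?" + urllib.parse.urlencode(params)

def parse_callback(callback_url, expected_state):
    """Step 4/5: read what NAM sent back to the Salesforce Callback URL. Returns
    ("code", value) or ("error", description); a bad state is an error, not trusted."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        return ("error", "state mismatch")
    if "error" in q:  # on failure the error code and description are in the URL
        return ("error", q["error"][0] + ": " + q.get("error_description", [""])[0])
    return ("code", q["code"][0]) if "code" in q else ("error", "no code in callback")

def token_request(code, client_id, client_secret, redirect_uri):
    """Step 5: back-channel code exchange at the Token Endpoint. Client credentials
    go in an HTTP Basic header (the RFC 6749 default); change this if your NAM
    client was registered to take them in the POST body instead."""
    body = urllib.parse.urlencode({"grant_type": "authorization_code", "code": code,
                                   "redirect_uri": redirect_uri}).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST", headers={
        "Authorization": "Basic " + basic,
        "Content-Type": "application/x-www-form-urlencoded"})

def userinfo_request(access_token):
    """UserInfo call with the token in the Authorization header, which is what the
    'Send access token in header' setting makes Salesforce do."""
    return urllib.request.Request(USERINFO_URL, headers={"Authorization": "Bearer " + access_token})

def id_token_issuer(id_token):
    """Unverified read of the id_token payload, only to compare its 'iss' with the
    Token Issuer entered in Salesforce; signature validation stays with Salesforce."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("iss")
```

Pass the returned Request objects to urllib.request.urlopen to actually send them; id_token_issuer only inspects the issuer claim and does not validate the token signature.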



Create your Salesforce Domain

Salesforce lets you use a custom subdomain to log in to Salesforce; the format is https://<subdomain>.my.salesforce.com

To enable a subdomain, follow these steps:

  1. In Salesforce go to Setup > Domain Management > My Domain
  2. Choose a domain, check its availability and click the Register button
  3. Documentation link: https://help.salesforce.com/apex/HTViewHelpDoc?id=domain_name_define.htm&language=en_US
  4. Once the domain is registered and active you can customize the login page: https://help.salesforce.com/apex/HTViewHelpDoc?id=domain_name_login_branding.htm&language=en_US
  5. Add the OpenID Connect provider as a button on the login page:
     a. Edit the Authentication Configuration section
     b. Select your OpenID Connect provider's check box under Authentication Service
  6. The subdomain can now be used for login: access https://<subdomain>.my.salesforce.com/



Version history: revision 3 of 3, last updated 2020-01-31 22:07 by Micro Focus Contributor