Salesforce now like many other consumer facing authenticated sites, now allows you to login with an alternate account such as your google account.

This is provided through OpenID Connect, where we configure an google as the OpenId Identity provider.

This is great for many smaller or more progressive organisations that have dumped the Active Directory and the Microsoft stack in favor of Gmail and the cloud.

Register a Google APP as an oAuth Client

  1. Go to you google developer console: https://console.developers.google.com/project
  2. Create a new project, “SFDC-OPENID-CONNECT” or any name you like
  3. Under API’s for this project Enable Google+ API.
  4. Under Credentials for this project Create New Client ID, selecting web-application as the type.
  5. Save this, you will come back later to update the Authorized Redirect URI

googleOpenId

Create a RegistrationHandler Class

When we login with OpenID the data we get back from the Authentication Provider needs to be handled and from this we need to figure out which of our users in loggin in..

Here is a simple Registration handler that will just get a user based on an email address match:

 

Setup your authentication provider in Salesforce

  1. Setup->Security Controls->Auth. Providers
  2. Create a new one, select OpenId as the type.
  3. Set Name and Url Suffix as you like.
  4. Set Consumer Key as the Client ID from your Google project
  5. Set Consumer Secret as the Client Secret from your Google project
  6. Set the Default Scope as text entry “email openid profile”, this defines what data we request permission over from Google, there is a good post here.
  7. Enter the Endpoint URLs as below (you can get these from the google client ID download json, but yours should be the same)
  8. Select the RegistrationHandler class you created earlier.
  9. Set an admin user as the Execute as.
  10. Save as below…

salesforceAuthProvider

Note the Test-Only URL, this can be used at any time to see the xml data returned from the OpenID authentication provider, just pop this url into a browser and follow the flow.

Update Authentication Provider details to the Google Project

  1.  On your Google Project edit the Authorized Callback URI and enter the Callback URLfrom the Salesforce Auth. Provider

Create a My Domain and add Authentication Service

  1. If you don’t already utilise My Domain, then create yours now…  Setup->Domain Management -> My Domain (after creation you will need to wait a few mins or more for it to activate)
  2. Login and deploy the My Domain (press the button where prompted)
  3. Now you can edit the branding, within this you should have the option to add a new Authentication Service, the Authentication Provider that you created earlier.

branding

Get users logging in

Now with the new my domain url, your users can select the Login With Google button and experience Single-Sign-On to Salesforce with their Google Account…

flow

 

David Cameron

 

Close
Go top

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close