Salesforce

BlokSec can be configured as an inbound federation identity provider (a.k.a. social provider) for your SalesForce tenant, and can also be integrated to support just in time provisioning (JIT) for user creation in SalesForce. The following article describes the process to configure authentication and provisioning to support passwordless SalesForce login.

BlokSec Admin UI

1. Sign into BlokSec admin UI as a user with admin privileges for your tenant
2. On the main dashboard, click the Add Application drop-down and select Create From Template, and then select SalesForce
3. Complete the application details as follows :
   • Name: Default is set to SalesForce (or your desired application name – we will assume this is called ‘SalesForce’ for the remainder of this article)
   • Logo URI: Loation of the image URL (For example : https://bloksec.io/images/appLogo.png)
   • Backgroun URI: Location of the brackground image URL (For example : https://bloksec.io/images/appLogoBackground.png)
   • Session Length: Length of the authenticated session. Default value is set to 60 minutes
   • Redirect URIs: (leave blank for now)
   • Post Logout Redirect URIs: (leave blank for now)
   • Select Submit to save the configuration
4. Click Generate App Secret, and make note of the Application ID and Application Secret as these will be required when registering your application with SalesForce

SalesForce Admin UI

Registration Handler Configuration

1. Sign into the SalesForce as a user with admin privileges for your tenant
2. Navigate to Platform Tools > Custom Code
3. Select Apex Classes and then choose New, and add the following to the Appex Clas tab:

//TODO: You will need to customize this class to ensure it meets your needs and
//the data provided by the third party.

global class BlokSecRegHandler implements Auth.RegistrationHandler{
global boolean canCreateUser(Auth.UserData data) {
    System.debug('canCreateUser was called for ' + (data != null ? data.username : 'null'));
    Boolean retVal = (data != null 
            && data.email != null
            && data.lastName != null
            && data.firstName != null
            && data.username != null);
    
    System.debug('data.username='+data.username);
    System.debug('data.email='+data.email);
    System.debug('data.lastName='+data.lastName);
    System.debug('data.firstName='+data.firstName);
    System.debug('canCreateUser='+retVal);
    
    return retVal;
}

global User createUser(Id portalId, Auth.UserData data){
    System.debug('createUser was called for portalId: ' + portalId + ' and userName: ' + data.username);
    
    User u;

        List<User> l = [SELECT Id,UserName,FirstName,LastName,Email FROM User WHERE UserName = :data.username];
        if (l.size() > 0) 
        {
            u = l[0];
            System.debug('Found existing user record for '+ data.firstName + ' ' + data.lastName + ' ' + data.email);
            System.debug(u.FirstName + ' ' + u.LastName + ' ' + u.Email + ' ' + u.UserName);

            // Update existing record
            u.Email = data.email;
            u.LastName = data.lastName;
            u.FirstName = data.firstName;

            System.debug('Updating user record for '+ data.firstName + ' ' + data.lastName + ' ' + data.email);
            System.debug(u.FirstName + ' ' + u.LastName + ' ' + u.Email);

            update(u);
            return u;
        } 
    
    // If the user was not found, we will create a new one
    // First check that the required data was provided
    if(!canCreateUser(data)) {
        System.debug('canCreateUser returned false; aborting SSO flow');
        //Returning null or throwing an exception fails the SSO flow
        return null;
    }
    //The user is authorized, so create their Salesforce user
    u = new User();
    Profile p = [SELECT Id FROM profile WHERE name='Chatter Free User'];
    //TODO: Customize the username. Also check that the username doesn't already exist and
    //possibly ensure there are enough org licenses to create a user. Must be 80 characters
    //or less.
    u.username = data.username;
    u.email = data.username;
    u.lastName = data.lastName;
    u.firstName = data.firstName;
    String alias = data.username;
    //Alias must be 8 characters or less
    if(alias.length() > 8) {
        alias = alias.substring(0, 8);
    }
    u.alias = alias;
    u.email = data.username;
    u.localesidkey = UserInfo.getLocale();
    u.languagelocalekey = 'en_US';
    //u.localesidkey = UserInfo.getLocale();
    u.emailEncodingKey = 'UTF-8';
    u.timeZoneSidKey = 'America/Los_Angeles';
    u.profileId = p.Id;
    return u;
}

global void updateUser(Id userId, Id portalId, Auth.UserData data){
    System.debug('The userid is: ' + userId);
    System.debug('The Auth.UserData is: ' + data);
    User u = new User(id=userId);
    u.email = data.email;
    u.lastName = data.lastName;
    u.firstName = data.firstName;
    u.username = data.username;
    update(u);
}
}

4. Slick Save

OIDC Configuration

1. Sign into the SalesForce as a user with admin privileges for your tenant
2. Navigate to Settings > Identity
3. Select Auth. Providers and then choose New
4. Select Open ID Connect from the dropdown menu and complete the authentication provider configuration with the following values (adjusting if required to meet your desired behaviour):
   • Name: Salesforce Passwordless Login (or the name of your choice)
   • URL Suffix: Keep the auto generated value or update it to meet your requirements
   • Consumer Key: (the Application ID captured from the BlokSec admin UI above)
   • Consumer Secret: (the Application Secret captured from the BlokSec admin UI above)
   • Authorize Endpoint URL: https://api.bloksec.io/oidc/auth
   • Token Endpoint URL: https://api.bloksec.io/oidc/token
   • User Info Endpoint URL: https://api.bloksec.io/oidc/me
   • Default Scopes: openid email profile
   • Send access token in header: selected / checked
   • Include Consumer Secrets in API Responses: selected / checked
   • Custom Logout URL: https://api.bloksec.io/oidc/session/end
   • Registration Handler: BlokSecRegHandler (use registration handler lookup)
   • Execute Registration As: (choose a user / account that has the ability to create / update / delete users)
   • Select Save to accept configuration changes
5. Once saved, navigate to the SalesForce configuration section and copy the values for the following URL’s:
   • Callback URL
   • SingleLogout URL



Authentication Configuration

1. Sign into the SalesForce as a user with admin privileges for your tenant
2. Navigate to Settings > Company Settings
3. Select My Domain and then navigate to Authentication Configuration section
4. Select Edit and then select / check the name of the Authentication Service created above in OIDC configuration, for example, Salesforce Passwordless Login
5. Select Save

BlokSec Admin UI (Part 2)

1. Return to the SalesForce application configuration, click the gear in the upper-right, and select Edit Application
2. Input the value of the CallBackURL into BlokSec Redirect URI field as defined by Salesforce in last step of OIDC configuration
3. Input the value of SingleLogout URL into BlokSec Post Logout Redirect URIs field as defined by Salesforce in last step of OIDC configuration
4. Select Submit to save the configuration