---
title: Set up sign-up and sign-in with a Salesforce account
titleSuffix: Azure AD B2C
description: Provide sign-up and sign-in to customers with Salesforce accounts in your applications using Azure Active Directory B2C.
author: garrodonnell
manager: CelesteDG
ms.service: active-directory
ms.topic: how-to
ms.date: 09/16/2021
ms.author: godonnell
ms.subservice: B2C
zone_pivot_groups: b2c-policy-type
---
[!INCLUDE active-directory-b2c-choose-user-flow-or-custom-policy]
::: zone pivot="b2c-custom-policy"
[!INCLUDE active-directory-b2c-advanced-audience-warning]
::: zone-end
[!INCLUDE active-directory-b2c-customization-prerequisites]
To enable sign-in for users with a Salesforce account in Azure Active Directory B2C (Azure AD B2C), you need to create an application in your Salesforce App Manager. For more information, see Configure Basic Connected App Settings and Enable OAuth Settings for API Integration.
- Sign in to Salesforce.
- From the menu, select Setup.
- Expand Apps, and then select App Manager.
- Select New Connected App.
- Under the Basic Information, enter:
  - Connected App Name - The connected app name is displayed in the App Manager and on its App Launcher tile. The name must be unique within your org.
  - API Name
  - Contact Email - The contact email for Salesforce
- Under API (Enable OAuth Settings), select Enable OAuth Settings.
  - For the Callback URL, enter `https://your-tenant-name.b2clogin.com/your-tenant-name.onmicrosoft.com/oauth2/authresp`. If you use a custom domain, enter `https://your-domain-name/your-tenant-name.onmicrosoft.com/oauth2/authresp`. Replace `your-tenant-name` with the name of your tenant, and `your-domain-name` with your custom domain. You need to use all lowercase letters when entering your tenant name even if the tenant is defined with uppercase letters in Azure AD B2C.
  - In the Selected OAuth Scopes, select Access the identity URL service (id, profile, email, address, phone), and Allow access to your unique identifier (openid).
  - Select Require Secret for Web Server Flow.
- Select Configure ID Token.
  - Set the Token Valid for 5 minutes.
  - Select Include Standard Claims.
- Click Save.
- Copy the values of Consumer Key and Consumer Secret. You will need both of them to configure Salesforce as an identity provider in your tenant. The client secret is a sensitive credential and must be protected like a password.
::: zone pivot="b2c-user-flow"
- If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
- Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
- Select Identity providers, and then select New OpenID Connect provider.
- Enter a Name. For example, enter Salesforce.
- For Metadata url, enter the URL of the Salesforce OpenID Connect Configuration document: `https://login.salesforce.com/.well-known/openid-configuration`. For a sandbox, login.salesforce.com is replaced with test.salesforce.com. For a community, login.salesforce.com is replaced with the community URL, such as `username.force.com/.well-known/openid-configuration`. The URL must be HTTPS.
- For Client ID, enter the application ID (the Consumer Key) that you previously recorded.
- For Client secret, enter the client secret (the Consumer Secret) that you previously recorded.
- For the Scope, enter `openid id profile email`.
- Leave the default values for Response type, and Response mode.
- (Optional) For the Domain hint, enter `contoso.com`. For more information, see Set up direct sign-in using Azure Active Directory B2C.
- Under Identity provider claims mapping, select the following claims:
  - User ID: sub
  - Display name: name
  - Given name: given_name
  - Surname: family_name
  - Email: email
- Select Save.
At this point, the Salesforce identity provider has been set up, but it's not yet available in any of the sign-in pages. To add the Salesforce identity provider to a user flow:
- In your Azure AD B2C tenant, select User flows.
- Click the user flow that you want to add the Salesforce identity provider to.
- Under the Social identity providers, select Salesforce.
- Select Save.
- To test your policy, select Run user flow.
- For Application, select the web application named testapp1 that you previously registered. The Reply URL should show `https://jwt.ms`.
- Select the Run user flow button.
- From the sign-up or sign-in page, select Salesforce to sign in with Salesforce account.

If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
::: zone-end
::: zone pivot="b2c-custom-policy"
You need to store the client secret that you previously recorded in your Azure AD B2C tenant.
- Sign in to the Azure portal.
- If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
- Choose All services in the top-left corner of the Azure portal, and then search for and select Azure AD B2C.
- On the Overview page, select Identity Experience Framework.
- Select Policy Keys and then select Add.
- For Options, choose `Manual`.
- Enter a Name for the policy key. For example, `SalesforceSecret`. The prefix `B2C_1A_` is added automatically to the name of your key.
- In Secret, enter your client secret that you previously recorded.
- For Key usage, select `Signature`.
- Click Create.
To enable users to sign in using a Salesforce account, you need to define the account as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify that a specific user has authenticated.
You can define a Salesforce account as a claims provider by adding it to the ClaimsProviders element in the extension file of your policy.
- Open the TrustFrameworkExtensions.xml.
- Find the ClaimsProviders element. If it does not exist, add it under the root element.
- Add a new ClaimsProvider as follows:

  ```xml
  <ClaimsProvider>
    <Domain>salesforce.com</Domain>
    <DisplayName>Salesforce</DisplayName>
    <TechnicalProfiles>
      <TechnicalProfile Id="Salesforce-OpenIdConnect">
        <DisplayName>Salesforce</DisplayName>
        <Protocol Name="OpenIdConnect" />
        <Metadata>
          <Item Key="METADATA">https://login.salesforce.com/.well-known/openid-configuration</Item>
          <Item Key="response_types">code</Item>
          <Item Key="response_mode">form_post</Item>
          <Item Key="scope">openid id profile email</Item>
          <Item Key="HttpBinding">POST</Item>
          <Item Key="UsePolicyInRedirectUri">0</Item>
          <!-- Update the Client ID below to the Application ID -->
          <Item Key="client_id">Your Salesforce application ID</Item>
        </Metadata>
        <CryptographicKeys>
          <Key Id="client_secret" StorageReferenceId="B2C_1A_SalesforceSecret"/>
        </CryptographicKeys>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
          <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name" />
          <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
          <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
          <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
          <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="salesforce.com" AlwaysUseDefaultValue="true" />
          <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
        </OutputClaims>
        <OutputClaimsTransformations>
          <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
          <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
          <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        </OutputClaimsTransformations>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
  ```

- The METADATA is set to the URL of the Salesforce OpenID Connect Configuration document. For a sandbox, login.salesforce.com is replaced with test.salesforce.com. For a community, login.salesforce.com is replaced with the community URL, such as `username.force.com/.well-known/openid-configuration`. The URL must be HTTPS.
- Set client_id to the application ID from the application registration.
- Save the file.
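As an added example that is not part of this article or of Azure AD B2C itself, the following Python script checks a `Salesforce-OpenIdConnect` technical profile before you upload the extension file: an HTTPS metadata URL ending in the well-known path, authorization code flow with `form_post`, the scopes this article uses, a real `client_id` in place of the placeholder, and a `B2C_1A_` policy key reference for the secret. The embedded XML is a constructed, trimmed copy of the provider above, and the finding messages are this example's own wording.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
# Constructed sample (not from any real tenant): the article's ClaimsProvider,
# trimmed to the parts checked below, with client_id still set to the placeholder.
SAMPLE_XML = """<ClaimsProvider>
  <TechnicalProfiles>
    <TechnicalProfile Id="Salesforce-OpenIdConnect">
      <Metadata>
        <Item Key="METADATA">https://login.salesforce.com/.well-known/openid-configuration</Item>
        <Item Key="response_types">code</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="scope">openid id profile email</Item>
        <Item Key="client_id">Your Salesforce application ID</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="B2C_1A_SalesforceSecret"/>
      </CryptographicKeys>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>"""

REQUIRED_SCOPES = {"openid", "id", "profile", "email"}
PLACEHOLDER_CLIENT_ID = "Your Salesforce application ID"

def lint_salesforce_profile(xml_text: str) -> list[str]:
    """Return findings for the Salesforce-OpenIdConnect profile; an empty list means it passed."""
    findings = []
    profile = ET.fromstring(xml_text).find(".//TechnicalProfile[@Id='Salesforce-OpenIdConnect']")
    if profile is None:
        return ["TechnicalProfile 'Salesforce-OpenIdConnect' not found"]
    meta = {i.get("Key"): (i.text or "").strip() for i in profile.findall("Metadata/Item")}
    url = urlparse(meta.get("METADATA", ""))
    if url.scheme != "https":  # the discovery document must be fetched over TLS
        findings.append("METADATA must be an https:// URL")
    if not url.path.endswith("/.well-known/openid-configuration"):
        findings.append("METADATA must point at /.well-known/openid-configuration")
    if meta.get("response_types") != "code":  # authorization code flow, as configured in the article
        findings.append("response_types must be 'code'")
    if meta.get("response_mode") != "form_post":  # the code is returned in a POST body, not the URL
        findings.append("response_mode must be 'form_post'")
    missing = REQUIRED_SCOPES - set(meta.get("scope", "").split())
    if missing:
        findings.append("scope is missing: " + " ".join(sorted(missing)))
    if meta.get("client_id", "") in ("", PLACEHOLDER_CLIENT_ID):  # needs the real Consumer Key
        findings.append("client_id still holds the placeholder value")
    key = profile.find("CryptographicKeys/Key[@Id='client_secret']")  # secret only via a policy key
    if key is None or not key.get("StorageReferenceId", "").startswith("B2C_1A_"):
        findings.append("client_secret must reference a B2C_1A_ policy key")
    return findings
```

Run it against your own TrustFrameworkExtensions.xml by passing the file contents to `lint_salesforce_profile`; the sample as written reports only the unreplaced `client_id`.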
[!INCLUDE active-directory-b2c-add-identity-provider-to-user-journey]
```xml
<OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
  <ClaimsProviderSelections>
    ...
    <ClaimsProviderSelection TargetClaimsExchangeId="SalesforceExchange" />
  </ClaimsProviderSelections>
  ...
</OrchestrationStep>

<OrchestrationStep Order="2" Type="ClaimsExchange">
  ...
  <ClaimsExchanges>
    <ClaimsExchange Id="SalesforceExchange" TechnicalProfileReferenceId="Salesforce-OpenIdConnect" />
  </ClaimsExchanges>
</OrchestrationStep>
```
[!INCLUDE active-directory-b2c-configure-relying-party-policy]
- Select your relying party policy, for example `B2C_1A_signup_signin`.
- For Application, select a web application that you previously registered. The Reply URL should show `https://jwt.ms`.
- Select the Run now button.
- From the sign-up or sign-in page, select Salesforce to sign in with Salesforce account.

If the sign-in process is successful, your browser is redirected to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
::: zone-end
Learn how to pass a Salesforce token to your application.