Given my background in single sign-on, the Spring ’12 feature I’m most excited about is the ability to use external ‘authentication providers’ to give access to Salesforce portals and orgs. Where the existing SAML-based SSO allows you to authenticate users within the enterprise for single sign-on into Salesforce, you will now be able to leverage third-party services such as Facebook and Janrain to log users in. One use case for this technology is allowing customers to access a portal via Facebook; another would be for small businesses, for which a SAML identity provider is out of reach, to use their Google login via the Janrain service to access their Salesforce org. You can even use another Salesforce org as the authentication provider, enabling some very interesting scenarios such as single sign-on to ISV customer support portals.

So how do you get this all working? Taking Facebook as an example, you will need to create a new Facebook App, then, in Salesforce, configure an Authentication Provider (Your Name > Setup > Security Controls > Auth. Providers) with your new Facebook app’s ID and secret. You can optionally provide an Apex class that implements the Auth.RegistrationHandler interface (documented in the Spring ’12 Preview Release Notes [PDF]) to automatically map external identities into User objects, or have users link their Facebook ID to their existing Salesforce account (Josh demonstrates manual account linking from Facebook to Salesforce in the release preview webinar). You can also configure SSO into the org itself or a portal.

When you save the Authentication Provider configuration, you’ll be given a set of four URLs:

Copy the callback URL over to the Facebook app’s Website URL and you’re all set.

As well as the callback URL, the Authentication Provider also provides URLs to link accounts, initiate single sign-on, and, usefully, test the configuration. The latter will run through the process of logging in at Facebook and prompt you to allow your Salesforce org to access a subset of your profile data:

The test URL just renders XML with the Salesforce org ID and the user info passed from Facebook:

The link URL will run through the same login/authorization at Facebook, but then prompt the user to login to their existing Salesforce account:

After logging in, the user is prompted to link their accounts:

Once the accounts are linked, the user can just hit the initiate SSO link to login to Salesforce via Facebook.

If, for some reason, the user, or an admin, later wishes to unlink accounts, there is a new ‘Third Party Account Links’ section in Personal Information that gives full control:

As an alternative to this manual link process, you can automatically provision user accounts by providing an Apex class that implements the Auth.RegistrationHandler interface, with methods to set up a new User record the first time a user signs in and to update the User record on subsequent sign-ins – ideal for implementing that customer portal!
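As an added example of the registration handler described above (not the blog post’s or Salesforce’s own template code), here is a handler for org-level sign-in that refuses to auto-provision identities outside an allowlisted email domain, links to an existing User only when exactly one matches by email, and tolerates the null username Facebook can return. The profile name, the allowed domain and the username suffix are assumed placeholders.

```apex
global class ExampleRegistrationHandler implements Auth.RegistrationHandler {

    // Thrown when provisioning policy refuses the identity; the end user sees a
    // REGISTRATION_HANDLER_ERROR page rather than a half-created account.
    public class ProvisioningException extends Exception {}

    // Only identities whose email is in one of these domains get a User record
    // auto-created. Constructed placeholder list; replace with your own policy.
    private static final Set<String> ALLOWED_DOMAINS = new Set<String>{ 'example.com' };

    // Usernames are unique across all of Salesforce, so use a suffix this org
    // controls rather than a shared domain. Placeholder value.
    private static final String USERNAME_SUFFIX = '@sso.example.com';

    // Policy gate, the same role the generated template's canCreateUser() plays:
    // decide whether this external identity may have an account created at all.
    private Boolean canCreateUser(Auth.UserData data) {
        if (data == null || String.isBlank(data.email) || !data.email.contains('@')) {
            return false;
        }
        String domain = data.email.substringAfterLast('@').toLowerCase();
        return ALLOWED_DOMAINS.contains(domain);
    }

    // Facebook returns a null username when the person has not chosen one, which
    // makes alias.length() throw a null de-reference. Fall back to the provider's
    // identifier, which is unique at the provider and always present.
    private String stableHandle(Auth.UserData data) {
        return String.isBlank(data.username) ? data.identifier : data.username;
    }

    global User createUser(Id portalId, Auth.UserData data) {
        // Returning an existing User links the external identity to it instead of
        // creating a duplicate. Only match on email when the provider verifies
        // addresses, otherwise a provider account could claim someone else's record.
        if (!String.isBlank(data.email)) {
            List<User> existing = [SELECT Id FROM User
                                   WHERE Email = :data.email AND IsActive = true
                                   LIMIT 2];
            if (existing.size() == 1) {
                return existing[0];
            }
            if (existing.size() > 1) {
                // Email is not unique on User; refuse rather than guess.
                throw new ProvisioningException('Ambiguous email match');
            }
        }
        if (!canCreateUser(data)) {
            throw new ProvisioningException('Identity not eligible for auto-provisioning');
        }

        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
        String handle = stableHandle(data);

        User u = new User();
        u.Username = handle + USERNAME_SUFFIX;
        u.Email = data.email;
        u.FirstName = data.firstName;
        u.LastName = String.isBlank(data.lastName) ? handle : data.lastName; // required field
        u.Alias = handle.length() > 8 ? handle.substring(0, 8) : handle;      // max 8 chars
        u.LocaleSidKey = String.isBlank(data.locale) ? 'en_US' : data.locale;
        u.LanguageLocaleKey = 'en_US';
        u.EmailEncodingKey = 'UTF-8';
        u.TimeZoneSidKey = 'America/Los_Angeles';
        u.ProfileId = p.Id;
        return u;
    }

    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        // Refresh display attributes only. Username, Email, Alias and ProfileId are
        // left alone so a change at the provider cannot re-point this record at a
        // different person or alter what it is permitted to do.
        User u = new User(Id = userId);
        u.FirstName = data.firstName;
        if (!String.isBlank(data.lastName)) {
            u.LastName = data.lastName;
        }
        update u;
    }
}
```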

I’m sure this new functionality will provoke many ideas and questions – I’m looking forward to your comments…


  • http://www.facebook.com/people/Antony-Blanco/1386970500 Antony Blanco

    Hello, this new functionality looks great. Actually I’m trying to use this functionality but I can’t find the Identity menu on my dev org or sandbox; both already have the Spring ’12 release. Is there any extra configuration I need to do to get this functionality available? I hope I explained myself. Thanks for this great post. I’ll wait for your answer.
    Best Regards.
    Antony

    • http://blog.superpat.com/ Pat Patterson

      Hi Antony – I’d expected this feature to be live now also. I’ll investigate and get back to you…

      • http://www.facebook.com/people/Antony-Blanco/1386970500 Antony Blanco

        Thanks Pat, I just came back to work today and I checked on my org and I have the feature working already. Thank you again for your support. Regards

    • http://blog.superpat.com/ Pat Patterson

      Hi Antony – update from the product team is that Authentication Providers is scheduled to go live on Thursday (‘safe harbor’). Also, the menu item will show up in ‘Security Controls’ rather than ‘Identity’. I’ll update the text of the blog post to reflect this.

      • Amit Katre

        Hi Pat – Can you help me to link an existing Customer Community user with an existing Facebook account? I am not able to connect with the Existing User Linking URL because my user is a Customer Community user. Is there any workaround?
        Your help is appreciated. Thanks

        • http://blog.superpat.com/ Pat Patterson

          You can search for your user by email address (for example) in the registration handler, and return the existing user instead of creating a new one. You don’t need the link URL.

  • http://www.facebook.com/people/Antony-Blanco/1386970500 Antony Blanco

    Pat, I just began to work on this new feature. Actually I need some documentation on how to use this feature, I mean how can I develop the custom pages, buttons and all the functionality. It would be awesome if you could provide me any link or document. I would really appreciate it, best regards.

    • http://blog.superpat.com/ Pat Patterson

      Hi Antony – you use an Authentication Provider to authenticate users in a portal or org, after that point, everything is pretty much the same as a regular login. I’ll be writing an article giving more detail on the feature in the next few weeks, but feel free to post additional questions here.

  • Saurabh Rawane

    Can you please add an example of how we can dynamically create a new User in Salesforce, or point to a document which can be referred to.

  • http://profile.yahoo.com/NN3YPFLBGHD6VMN743ZRKHNLWE Matthias

    This is really nice, I implemented the Auth.RegistrationHandler and got it working, only question I have: “How to redirect the portal user to a custom url as the portal start page?”
    We don’t use the std. portal and redirect to a custom VF page. I thought siteLoginUrl would do that, but it does not seem to work the same way the startURL works in the Site.login method.

    Thanks,

    Matthias

    • Saurabh Rawane

      I believe startURL should ultimately work, but meanwhile I was able to workaround this by setting the custom VF page as my site active home page, so on successful user creation or user login, I did get redirected to the active site home page. Hope that works for you.

  • Ondrej Bedajanek

    Hi there,
    I am having a bit of a hard time with implementing Single Sign On with Facebook.
    I’ve followed all the steps in the blog. I can see Third-Party Account Links in the User Profile.
    But when I get to the step Single Sign-On Initialization URL it gives me an error:

    Error:
    There was a problem with your authentication attempt. Please try again. If you continue to encounter problems, contact your administrator.
    AuthorizationError?ErrorCode=REGISTRATION_HANDLER_ERROR&ErrorDescription=Attempt+to+de-reference+a+null+object#_=_

    Do I have to ask Salesforce to activate this service? I am talking about the production environment for Single Sign On. I haven’t touched the Registration Handler (used the default from Salesforce).

    Thank you for any thoughts

    • http://blog.superpat.com/ Pat Patterson

      Hi Ondrej – open the developer console, uncheck ‘this session only’, and try the SSO. If you examine the log output, you should get a hint on what the problem is. You may well need to edit the default RegistrationHandler to get it working; the default code is only a starting point.

      • Ondrej Bedajanek

        Thx Pat,
        good tip with the developer console, very handy. After looking into the code I’ve found out that the error occurs on this line 53: if(alias.length() > 8) {
        as String alias = data.username is null.
        Can you provide me with more info on how to modify AutocreatedRegHandler.
        Thank you

        • http://blog.superpat.com/ Pat Patterson

          If data.username is null, then something is wrong! Try the ‘test only initialization url’ and see what the username is there. Is this with Facebook?

        • http://blog.superpat.com/ Pat Patterson

          I looked into this, and it is possible for the username from Facebook to be null, for example, if the user hasn’t created a Facebook username (see http://www.facebook.com/help/usernames/general). You should handle this by using some other piece of information for the username, for example, id, which is less friendly, but is unique across Facebook and guaranteed to be there.

  • saraag reddy

    Hi Patterson,

    Thanks for the post. I’m not sure what I’m doing wrong, but after I have everything setup and linked my FB account to my SFDC account, I get “There was a problem with your authentication attempt. Please try again. If you continue to encounter problems, contact your administrator.”

    The post says “Once the accounts are linked, the user can just hit the initiate SSO link to login to Salesforce via Facebook.” where do I find this SSO link? I tried logging into SFDC by going to my FB app and clicking on “visit website” but got the above error.

    Any help will be appreciated.
    SS

    • Riezel Ramos

      I think the Initiate SSO link would be the “Single Sign-On Initialization URL” in the Auth. Provider settings. If this doesn’t work, can you also post the value of the “ErrorDescription” in the URL?

      • saraag reddy

        Riezel Ramos,

        Thanks for your reply. The initialization URL worked fine, I was able to link the FB to SFDC account, but when I went to my FB app (which has the callback URL) and clicked on “Go to App” I got that error.

        Error Code: Unknown_Flow
        Error Description:The+flow+type+was+not+recognized

        Thanks,
        SS

  • http://twitter.com/ajaygupta2312 Ajay Gupta

    Hi Patterson,

    I am able to configure it properly with Facebook but am having issues in doing it with Janrain. Are there any detailed configuration steps that show how to configure the Salesforce end and also the JanRain end? I keep getting the error that my token_url is not in the whitelist in the JanRain settings, whereas I have all the settings done on their end. There might be some configuration issue that needs to be done specially for Salesforce integration.

    Any help will be very much appreciated.

    Thanks
    Ajay

    • http://blog.superpat.com/ Pat Patterson

      Hi Ajay – in the Janrain settings, under ‘Application Settings’, I added authtest-developer-edition.na14.force.com (my Site URL) and login.salesforce.com to the Domain Whitelist. I’m planning to write up the Janrain steps in the near future – watch for a wiki article and blog post!

  • http://twitter.com/kanwar18 Kr. Digvijay Singh

    Hi Pat,

    I have set up facebook as Auth provider and configured salesforce as explained in this article. It’s creating a customer portal user in salesforce. But my question is how do we create a regular salesforce user instead of customer portal user?

    • http://blog.superpat.com/ Pat Patterson

      When you configure the Auth Provider, select ‘none’ as the Portal. You will get a different template for the registration handler that does not create a Contact. Pay particular attention to the ‘canCreateUser()’ method – you need to constrain the set of users that have accounts created for them. Presumably you do not want this available to all Facebook users!

  • Ashwin Reddy

    Hi Pat
    I have set up an Auth provider for the Help and Training portal. Customers log in to their org and click the Help and Training link and they will be taken to the H&T portal which is in the dreamforce org.
    Currently the Auth provider creates a third party account link for each user. The Auth Provider is calling createUser in the registration handler if the third party account link is not there under the user. But we already have all customer users created in the H&T portal. We somehow need to bypass createUser for existing users in the portal. How do we do that?

    Also we want to suppress the allow/deny message when the users click the single sign on because it is a Salesforce to Salesforce connection.

    There seems to be an issue with the disco cookie with the single sign on. When I click on the SSO URL provided by the auth provider 2 times it is throwing a cannot log into same org error. The first time it works fine but from then onwards it throws the error. Customers can click on the Help and Training link in their org any number of times. We simply have to take them to the destination org.

    Thanks
    Ashwin

    • http://blog.superpat.com/ Pat Patterson

      If you find a match on, say, email address, you can now update an existing portal user record in the registration handler’s createUser method. See this answer: http://salesforce.stackexchange.com/a/5995/67

      You can now suppress the allow/deny message by installing the connected app (the new name for remote access apps) and setting policy.

      If you have a site for your portal, that should resolve the cookie errors.

  • Diego Amarante

    Hi Pat
    Is there a way to get the Single Sign-On Initialization URL in a Visualforce controller? My problem is that if I make a managed package I won’t be able to change the URL that I get from the site URL and the one given by the Auth. Provider.

    • http://blog.superpat.com/ Pat Patterson

      Not at this time – you will have to save the init URL in a custom setting.

  • Anonymous

    Do you know if this will work if the portal user is in turn, using delegated authentication to validate their password?

    • http://blog.superpat.com/ Pat Patterson

      Yes – if the portal user logs in with username/password and DA is configured.

  • Sanjeev Mehta

    The registration handler Apex class example requires the account name to be hard-coded in order to create a customer portal user.
    Is it possible to dynamically specify the account id/name via URL passing (or some other mechanism) and use it instead to create the contact for? For example, it would be great to be able to show a list of accounts in a drop down (in a VF page) and let the end user select the account to be used. Is that possible?

    • http://blog.superpat.com/ Pat Patterson

      You can’t pass anything in via the URL, but the registration handler could certainly select an account based on other information in the incoming user data, such as locale or email domain.

  • http://www.facebook.com/ivorocha90 Ivo Rocha

    Hi Pat
    How can I set a new user email template for new users logged in via the Auth provider Facebook? I’m using a customer portal.

    • http://blog.superpat.com/ Pat Patterson

      You can send single or mass email from the registration handler. To use a template, pass the new Contact’s Id field via mail.setTargetObjectIds() and set the template Id via mail.setTemplateID().

  • http://www.facebook.com/profile.php?id=100000867743449 Mohan Reddy

    It is more useful for Salesforce to Facebook integration.

  • http://www.facebook.com/profile.php?id=100000867743449 Mohan Reddy

    It is more useful for me for sharing the data from a Salesforce site to Facebook, without logging in to Salesforce.

  • http://www.facebook.com/Abhishek.dey001 Abhishek Dey

    Pat Patterson sherod

    1. I exposed the “Single Sign-On Initialization URL” via a site. It allowed me to create a CP user logging in via my FB account, but when I tried with a different FB account, it showed me an error msg “something went wrong” on the FB page. Is it because the app is created in my FB account, so other FB accounts are not able to reach the newly created app? If so, then how to generalise the app across FB users so that all of my customers can have their CP account linked with FB?

    2. I went to my FB app (which has the callback URL) and clicked on “Go to App” and I got this error.

    Error Code: Unknown_Flow
    Error Description:The+flow+type+was+not+recognized

    Please help!!

    • Vaibhav

      Hi Pat,

      Thanks for the post.
      I faced a similar issue while setting up Social sign on. I was able to access Salesforce using the creds of the one FB account in which the app is created but not from another FB account.
      For the other account I got the below error in the URL:
      ErrorCode=No_Oauth_Code&ErrorDescription=Exchange+code+was+not+returned

      Am I only able to access Salesforce via the FB account in which the FB app has been created?
      Is there something else that needs to be configured to allow creating users from different FB creds?

      Thanks.

  • Shankar Sharma

    Hi Pat,

    I have followed the same approach for portal users but am getting the below error message:

    ErrorCode=NO_ACCESS&ErrorDescription=User+was+not+a+portal+user

    Can you please suggest something?

    Thanks,
    Shankar

    • http://blog.superpat.com/ Pat Patterson

      It sounds like you need to create a contact, and associate it with the user via the ContactID field. Here’s some sample code: https://gist.github.com/metadaddy-sfdc/6774317

      • Shankar Sharma

        Hi Pat,

        I have already created a portal user with the same email ID as the Facebook account and have associated that one with a contact, but I am still getting the same error. I am able to log in to the portal org using the “Login to Portal as user” button on the contact but not able to do the same using Facebook as SSO.

        Can you please suggest something that could help me to resolve the issue?

        • http://blog.superpat.com/ Pat Patterson

          Do you see the ‘third party account link’ on the user page? Put System.debug() statements in your reg handler so you can see which path the code is taking.

          • Shankar Sharma

            Hi Pat,

            No, there is no “third party account link” on the user page. Also, it seems that the registration handler is not getting called properly. I have used debug in both methods but neither of them has been called.

            Any suggestions?

            Thanks,
            Shankar

          • http://blog.superpat.com/ Pat Patterson

            Did you try the ‘test URL’ with Facebook? Can you see any errors in the debug log (you’ll need to enable debugging for the user you selected to run the reg handler). I’m out of ideas, but I’ll point some of our identity folks here and see if they can help.

          • Shankar Sharma

            Hi Pat,

            Just got the solution. The Facebook account through which I was trying to log in to the portal org was already associated with another user, so the issue was occurring. I revoked the FB account from that user and now it’s working perfectly.

            Thanks a lot for your precious time :)

            Thanks & Regards,
            Shankar

          • http://blog.superpat.com/ Pat Patterson

            Great – good to know it’s working!

  • suren

    Hi Pat,
    My FB account is linked with the Salesforce account. What is the further process? Where do I need to initiate SSO?
    Can you please explain it to me.

    • http://blog.superpat.com/ Pat Patterson

      Hi Suren – if you are using the Portal, you will need to create a custom login page containing the SSO initialization link and expose it via a Force.com Site. If you are using Communities, you can just select the authentication provider in the login page configuration.

      • suren

        Thanks Pat. I got it. I have some other doubts. I enabled the FB Auth. provider in my partner community, so it has the button on my community login page like in the added image.

        But when I am trying to log in using FB login details it shows me the following error:

        Error

        There was a problem with your authentication attempt. Please try again. If you continue to encounter problems, contact your administrator.

        • http://blog.superpat.com/ Pat Patterson

          Look at the URL in the address bar – it often has a clue as to the problem. One possibility is that the user does not have permission to use the community – check profile and permission sets.

  • Rakesh Boinepalli

    Hi Pat,

    Is there a way to perform the “revoke” operation by Apex class or some sort of automated way?

    Thanks,

    Rakesh.

    • http://blog.superpat.com/ Pat Patterson

      Hi Rakesh – instructions for revoking OAuth tokens are here: https://help.salesforce.com/apex/HTViewHelpDoc?id=remoteaccess_revoke_token.htm&language=en If you wanted to do it from Apex you would have to do an HTTP callout. Note that you can log the user out of the current session by just redirecting to /secur/logout.jsp

      • Rakesh Boinepalli

        Pat, Thanks so much for your super fast response.
        Can I do a scheduled job to revoke tokens from my guest user? Basically, all users who have no corresponding portal user are automatically getting a guest token and we are currently revoking manually (by clicking on the revoke link under third party links in the user record).
        Thanks.

        • http://blog.superpat.com/ Pat Patterson

          Hi Rakesh – the only way I can think of is to do an HTTP callout in a @future method. I’ll check if there’s a way to do it directly from Apex.

  • Sagar Tapadia

    Hi Pat,

    I want to use a Custom Login Screen where I want to provide login through Facebook. This Facebook login should work in the same way as it works in the standard Login Page in Community. Later, if login is successful, I want the user to be redirected to the Community site (a VF page) showing some content and logged in user information. This logged in user should be the current user which got created through Facebook credentials.

    Can you help in this?

    Regards,
    Sagar

  • Devesh

    Hi Pat,

    I followed the JanRain tutorial for social login implementation and am getting the following error:

    https://ap1.salesforce.com/_nc_external/identity/sso/ui/AuthorizationError?ErrorCode=No_Oauth_Token&ErrorDescription=Access+token+was+not+returned

    “There was a problem with your authentication attempt. Please try again. If you continue to encounter problems, contact your administrator.”

    I guess what I have missed in the tutorial (http://help.salesforce.com/HTViewHelpDoc?id=sso_provider_janrain.htm&language=en_US#sso_provider_janrain) is point 8 where it is advised to edit Registration Handler class to edit content before using it.

    Kindly let me know what and where exactly I need to edit in this class?

    Thanks,

    • http://blog.superpat.com/ Pat Patterson

      I’m guessing you’re using the automatically generated registration handler, which, by default, will not create users dynamically. You need to edit the registration handler code and implement whatever policy you need – i.e. are you going to create accounts automatically for all users? How will you construct the username? Once you’ve done that, use the ‘Test-Only Callback URL’ to test the connection.

      • Devesh

        Hi Pat,

        I am using the following Apex class as the registration handler. And my requirement is to create a dynamic user.

        Please have a look at the following code snippet and let me know what I am missing? An immediate reply will be highly appreciated.

        global class StandardUserRegistrationHandler implements Auth.RegistrationHandler {
            global User createUser(Id portalId, Auth.UserData data) {
                User u = new User();
                Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User'];
                // Facebook can return a null username; fall back to the provider
                // identifier so the length() call below cannot de-reference null.
                String handle = data.username != null ? data.username : data.identifier;
                u.username = handle + '@salesforce.com';
                u.email = data.email;
                u.lastName = data.lastName;
                u.firstName = data.firstName;
                // Alias is limited to 8 characters
                String alias = handle;
                if (alias.length() > 8) {
                    alias = alias.substring(0, 8);
                }
                u.alias = alias;
                u.languagelocalekey = data.attributeMap.get('language');
                u.localesidkey = data.locale;
                u.emailEncodingKey = 'UTF-8';
                u.timeZoneSidKey = 'America/Los_Angeles';
                u.profileId = p.Id;
                return u;
            }

            global void updateUser(Id userId, Id portalId, Auth.UserData data) {
                User u = new User(id = userId);
                String handle = data.username != null ? data.username : data.identifier;
                u.username = handle + '@salesforce.com';
                u.email = data.email;
                u.lastName = data.lastName;
                u.firstName = data.firstName;
                String alias = handle;
                if (alias.length() > 8) {
                    alias = alias.substring(0, 8);
                }
                u.alias = alias;
                u.languagelocalekey = data.attributeMap.get('language');
                u.localesidkey = data.locale;
                update u;
            }
        }

        • http://blog.superpat.com/ Pat Patterson

          That looks ok (though you might generate name collisions if you try to use @salesforce.com in the username!). Looking at the error URL parameters (ErrorCode=No_Oauth_Token&ErrorDescription=Access+token+was+not+returned), it looks like the token isn’t coming back from the Janrain plugin. Double check all the settings there. Which identity provider are you trying to use with Janrain?

          • Devesh

            Pat,

            Sorry, but I could not understand clearly what identity provider you are referring to?

            Moreover, do I need to make any change in the attached code snippet of the registrationHandler class or can it be used as it is?

            For your information I am following the janrain tutorial line by line.

          • http://blog.superpat.com/ Pat Patterson

            The providers you set up at Janrain – e.g. Twitter, Google, Facebook.

          • Sunil kumar sirangi

            Hi Pat Patterson,
            Could you please provide the tutorial for Janrain especially for Twitter.
            Thanks in advance.

          • http://blog.superpat.com/ Pat Patterson
          • Sunil kumar sirangi

            Hi Pat,
            I tried it before posting here, but it did not work. So I am seeking your help.

          • http://blog.superpat.com/ Pat Patterson

            Sunil – what problems are you seeing?

          • Sunil kumar sirangi

            I have performed all the steps from the Janrain tutorial. In the end I have placed the widget on a site page. But the problem is, when I click on the Facebook or Twitter logo on the widget I am not redirected to Twitter or Facebook.

          • http://blog.superpat.com/ Pat Patterson

            Email the URL for your site page to me at ppatterson (at) salesforce [dot] com and I’ll take a look.

  • riffindus

    Hi Pat,

    I just followed all the steps mentioned but when I launch my test URL I get this error. Am I missing something?

    Given URL is not allowed by the Application configuration.: One or more of the given URLs is not allowed by the App’s settings. It must match the Website URL or Canvas URL, or the domain must be a subdomain of one of the App’s domains.

    I am doing this in my test environment.

    • riffindus

      Hi Pat,

      I deleted the app and the auth connection and did it again from the start. It is working now.

      Please ignore my question.

  • Sudipta Panja

    I get the following error when trying to browse the test only URL: “This XML file does not appear to have any style information associated with it. The document tree is shown below.”

    • http://blog.superpat.com/ Pat Patterson

      That’s not actually a problem – it’s just because it’s raw XML and your browser is telling you that it can’t render it any more nicely than just showing you the document tree.

  • Sunil kumar sirangi

    Hi Pat Patterson,
    Could you give some description on how to use JanRain for Salesforce?