Login to Your Salesforce Org with OpenID Connect in Winter ’14

I’ve been working in identity for about a decade now – since the days of SAML 1.1, in fact. Back then, the standard example for federated identity was airline customers accessing a rental car site without needing a second login. As things turned out, travel sites such as Expedia and Kayak did all that integration on the back end, but, as with many aspects of IT, the cloud changed everything for identity. With the rise of SaaS, it seems like we all acquired usernames and passwords for Gmail, salesforce.com, Concur, and a host of other online service providers, and mitigating password proliferation by leveraging credentials across services – single sign-on for short – is hotter than ever.

The new kid on the single sign-on block is OpenID Connect, which actually has more in common with OAuth than OpenID. Basically, OpenID Connect, like SAML, allows one site, such as salesforce.com (termed the Client in the protocol), to verify the identity of a user based on the authentication performed by another site, such as Google (the Authorization Server). Where SAML was built in the last decade on technologies such as XML and SOAP, OpenID Connect is engineered for the current toolset of JSON and REST. In fact, OpenID Connect is still on the road to standardization (real soon now!), but it has been stable enough for some time for providers such as Google, PayPal and, now, salesforce.com to build implementations.

The Winter ’14 release includes OpenID Connect Authentication Providers, allowing your org to be an OpenID Connect Client, and leverage an Authorization Server for user login. Let’s take a look at how this works:


If you want to walk through the protocol in detail, there’s an excellent, detailed description on Google’s Developer site, and if you want to try it out, sign up for a Winter ’14 pre-release account and give it a go!
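The core of what the Client does in OpenID Connect is to accept an ID token minted by the Authorization Server and verify it before trusting the identity it carries. The script below is an added example (not code from this post or from salesforce.com) that shows those checks. The Authorization Server is simulated: the token is signed with an HMAC key (HS256) that both sides are assumed to share, so it runs offline; a real provider such as Google signs with RS256 and publishes its verification keys, but the claim checks (issuer, audience, expiry, nonce, subject) are the same. The issuer URL, client id and key are constructed values.

```python
"""Validate an OpenID Connect ID token the way a Client (relying party) must.

Added example, not code from the original post or from salesforce.com. The
Authorization Server is simulated with a shared HS256 key so the script runs
offline; the claim checks are the ones the protocol requires of every Client.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for the simulated Authorization Server and the Client.
ISSUER = "https://accounts.example-idp.test"   # assumption: simulated AS
CLIENT_ID = "example-client-id"                # assumption: this Client's id
SHARED_KEY = b"constructed-hs256-demo-key"     # assumption: demo signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(subject: str, nonce: str, now: int, lifetime: int = 300,
                   issuer: str = ISSUER, audience: str = CLIENT_ID) -> str:
    """Simulated Authorization Server: mint an HS256-signed ID token (JWT)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime, "nonce": nonce}
    signing_input = (_b64url(json.dumps(header).encode()) + "." +
                     _b64url(json.dumps(claims).encode()))
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Client side: check the signature first, then every required claim.

    Returns the claims on success; raises ValueError naming the first failed check.
    """
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Never accept 'none' or an algorithm you did not configure for this provider.
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(SHARED_KEY, f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        # The nonce binds the token to this browser's login attempt; a mismatch means replay.
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        # 'sub' is the stable third-party identifier the Client keys its user records on.
        raise ValueError("missing subject")
    return claims


def validation_error(token: str, expected_nonce: str, now: int) -> Optional[str]:
    """Non-raising wrapper: None when the token is acceptable, else the reason."""
    try:
        validate_id_token(token, expected_nonce, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    t = 1_700_000_000
    token = issue_id_token("user-123", "nonce-abc", t)
    print(validate_id_token(token, "nonce-abc", t + 10))
    print(validation_error(token, "other-nonce", t + 10))
```

The signature is checked before any claim is read, so an attacker-controlled body never influences which checks run; the time is passed in rather than read from the clock so the expiry logic can be tested deterministically.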

UPDATE: the security rules in the pre-release environment don’t allow callouts, so this does not work in pre-release. It should work just fine in a sandbox, though, so give it a go there after they cut over tomorrow (Sept 7). Apologies if you spent time trying to get this working in pre-rel!

  • Chirag Mehta

    Thanks for sharing (along the lines of "Thanks for watching") 🙂

    Great, simple and clear post. Looking forward to this feature release, much awaited feature. Thank you Salesforce, as always!

  • James Melville

    Thanks for the article, it’s going to be a very useful feature and gave me good pointers to try and get this implemented. Should I expect this to work in a pre-release org? (I see you didn’t use one.) I have configured it all, and after logging into Google I get an error page using the test link, with ErrorCode=No_Openid_Response in the URL. Nothing shows in the logs for the ‘Execute registration as’ user. If I manually take the code that was provided to the callback endpoint I can successfully retrieve a token from the token endpoint, and retrieve the userinfo with that token. Can you give me any pointers? Thanks

    • Argh! One detail totally slipped my mind – we don’t allow callouts from the pre-release environment (security restriction). The sandboxes get Winter ’14 this weekend (http://trust.salesforce.com/trust/maintenance/) – everything should work from there. Apologies! I’ll update the blog entry.

      • Amitkumar Katre

        Hi Pat, I appreciate this post is really helpful to us.

        But it is also not working in a developer org. See the below error code which I am facing now.

        Can you give me any other pointers? Thanks

        • You probably need to add the Google endpoints (https://accounts.google.com & https://www.googleapis.com) to your Remote Site Settings

          • Code Werks

            This is an old thread, but the information still helped me get this far. I am now stuck at the same ErrorCode=No_OpenID error. Remote settings are fine, and it actually works to authenticate. So if I’m not logged in to gmail, it prompts, and if I’m already logged-in, it doesn’t as expected. May be something in the return url handling?

  • Medtexter

    Can this be used with customer portal like we can already with Janrain?

  • Ravi Katragunta

    Hi Pat,
    I have tried and it worked very well.


  • Antoine Magnier

    “the security rules in the pre-release environment don’t allow callouts” – thanks for the tip, how did you get the info please?

    • I did some research into why my callout wasn’t working. It seems that we whitelist a very limited number of remote sites for callouts from pre-release orgs. We’re working on adding accounts.google.com to that list.

      • John

        Can someone help me with how to integrate Salesforce with Gmail? I want to allow users to log in to Gmail automatically, at the user level, based on their Salesforce credentials.

        • Hi John – configure Google as a SAML 2.0 service provider, Salesforce as an identity provider – see http://na1.salesforce.com/help/pdfs/en/salesforce_single_sign_on.pdf for more information.

          • Priyanka Singh

            Hi Pat,

            My requirement is that I need to connect ForgeRock as IdP and Salesforce as SP using OpenID Connect. I am new to Salesforce. I did some configuration but it failed. Can you please give some steps on how to configure ForgeRock as IdP and Salesforce as SP? Urgent requirement in the project.

  • Shankar Sharma

    Hi Pat,

    Can you please suggest how I can get the consumer key and consumer secret to create an OpenID Connect provider instance?

    Shankar Sharma

  • shankar sharma

    Hi Pat,

    I have tried this and it worked well. One issue I am facing is that while trying to access the URL related to “Test-Only Initialization URL”, I am only getting the user’s Google+ id.

    Is there any way to get more info related to user like name, email etc ?

    Shankar Sharma

    • Alexander Taylor

      probably too late but for anyone else who finds this, you have to change the “default scopes” field on the authentication provider. try including the “profile” scope.

  • Mythili P

    Hi Pat,
    I am able to get just the identifier of the person in the response. How do I get other details like name, email etc. from the response?

    Mythili P

    • Ensure you specify ’email’ in the auth provider default scopes. You can also specify ‘profile’ and call the Google user info endpoint for more data: https://developers.google.com/accounts/docs/OAuth2Login#obtaininguserprofileinformation

      • Mythili P

        Thanks Pat. I specified this in the URL and it worked:)
        But I get username as null. Does Google not have a username field?

        • Alexander Taylor

          i think for google, your email address is your username. at least that’s the only way it could be for google apps users.

  • I created the “Authentication Provider” (Google) as shown above and enabled SAML in the Single Sign On Settings. If I go to the custom branded login page, I still cannot see the “Google” button to log in. Am I missing anything?

    • I answered my own question after digging more. For anyone interested, you just have to go to “Domain Management > My Domain” and check your new “Authentication Service”.

      • Noelia Frontera

        Hi Jean, that works for you? I can’t make this work…can you share screenshots of your configuration?

        • Sadly, I cannot screenshot my organization for confidentiality reasons. Make sure you create your custom domain, enable the custom branded login page, create the auth provider, checkbox the auth provider as mentioned in my previous comment and then go to your https://[YOURNAME].my.salesforce.com/ page. It should work :)! If not, send some screenshots and I’ll look at them!

          • Noelia Frontera

            Thanks a lot for your reply. I’m working on my sandbox, could that be the reason?
            Anyway, I’ll share screenshots with you in a minute.
            Thanks for your help.

          • Noelia Frontera

            I just added a default scope to my auth provider’s configuration and it works! Do you mind giving me an example of how I need to proceed to deploy the Apex class to my production environment?
            Thanks in advance!

  • Noelia Frontera


    This is really awesome… I tried but at the end of the process I get an error in my authentication attempt. The URL shows the following: mydomain/_nc_external/identity/sso/ui/AuthorizationError?ErrorCode=REGISTRATION_HANDLER_ERROR&ErrorDescription=List+has+more+than+1+row+for+assignment+to+SObject.

    Any thoughts?
    Thanks in advance…

    • Alexander Taylor

      according to the ErrorCode it’s a problem with the registration handler associated with the auth provider config, so check your create_user function if you’re trying to sign in for the first time with the 3rd party account.

      not sure if i could debug your code by just looking at it but “You can debug your Apex code using the Developer Console and debug logs” http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_debugging.htm

      you might also get some ideas from the example reg handler:

      • Noelia Frontera

        Hi Alexander,
        Thanks for your reply. I solved the issue, I just added a default scope to my auth provider configuration and it works! Now I have another problem, I would like to deploy the GoogleInternalRegHandler to my production environment and I don’t know how. Maybe you’re more familiar with this, is there a quick guide to achieve this? I’m not a developer, I’m just an amateur.
        Thanks for the help.

  • Noelia Frontera

    Hi everyone!!! I made this work for my org. But now I have another issue, I have to deploy this to production. And I’m not a programmer and I need to build a @isTest class, I don’t have a clue how to do that! Please, I appreciate your help in this matter!
    Thanks in advance!

  • Sebastian Claros

    Hi Pat,

    I created an OpenID Connect server (using oauth2-server-php) and everything goes well until a part where I received:

    The implementation is similar to another one that is working against Google accounts (that works fine). I don’t have a clue what may be wrong and I don’t see any debugging or documentation that explains at a low level what is happening.

    Thanks in advance,


  • Dane Oshiro

    Hi, I’m getting a similar issue to James and Amitkumar, except when I’m using the Test-Only Initialization URL. I open a new browser, copy/paste the URL and sign into my Google account, which takes me to the consent screen. I press ‘ok’ and then I get the error URL:

    I am using a custom registration handler similar to what James Melville shared at https://github.com/jamesmelville/OpenIdConnectDemo/blob/master/src/classes/GoogleHandler.cls

    Could this be an issue with my settings on my domain?

  • Nagendra Singh

    Hi Pat,

    i am getting this error “ErrorCode=ERROR_CREATING_USER&ErrorDescription=Duplicate+Username.Another+user+has+already+selected+this+username.Please+select+another. ”

    but I am logging in with a new email and password

    • You might have a new email and password, but your registration handler may be generating the same username as an existing user. Check your application logic, and maybe add a system.debug to show the new username you are creating.

  • engine

    Hi Pat,
    About the acceptance:
    There is a page with an accept button where Google accepts SFDC.
    Is there a missing step where SFDC accepts Google?

    • No – by configuring the Google Authentication Provider, the admin is accepting Google for their org.

  • Sarah Ahn


    I have configured this with the external authorization server that supports OAuth2.
    After logging into the external server, I got an error page, with ErrorCode=Remote_Error&ErrorDescription=427 in the URL.
    Also, nothing shows in the logs for the ‘Execute registration as’ user.

    Can you give me an idea about this error?


    • Apologies for the delay in answering this! We reply with ‘Remote Error’ when the authorization server has returned an error. The displayed ErrorDescription is from the “error” parameter the external service served to us. What auth server are you using? You should check there for error 427.

  • Mohit Pant

    Hi ,
    we are trying to configure OpenID Connect,
    but after providing credentials on the SSO side, we are getting the error:
    No_Oauth_State: State was not sent back
    Any idea?

    • It sounds like the OpenID Provider is not returning the state parameter. OpenID Connect (and OAuth) allow the service provider to pass a state parameter in the auth request, which the OP MUST return in the response. What provider are you using?
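The state check described in this reply, and the ‘Remote_Error’ case explained earlier in the thread (the provider returning an error parameter instead of a code), are both decisions the Client makes when the browser is redirected back to its callback URL. The script below is an added example, not code from this post or from salesforce.com: it builds the authorization request with a fresh state and nonce, then classifies the callback the way the thread’s error codes do. The endpoint, client id and redirect URI are constructed values, and the in-memory pending-state store stands in for a real server-side session.

```python
"""Authorization request and callback handling for an OpenID Connect Client.

Added example, not code from the original post or from salesforce.com. The
status strings reuse the error codes quoted in the thread (No_Oauth_State,
Remote_Error, No_Openid_Response) so the outcomes line up with what readers saw.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://accounts.example-idp.test/authorize"  # assumption: simulated AS
CLIENT_ID = "example-client-id"                                     # assumption: this Client's id
REDIRECT_URI = "https://example.test/services/authcallback/Demo"    # assumption: constructed callback

# Pending login attempts keyed by state. In a real deployment this is bound to
# the browser session (cookie / server-side session), never a global dict.
_pending = {}


def build_authorization_request(scopes=("openid", "email", "profile")) -> str:
    """Start a login: remember a one-time state and nonce, return the redirect URL."""
    state = secrets.token_urlsafe(32)   # unguessable; ties the callback to this attempt
    nonce = secrets.token_urlsafe(32)   # echoed back inside the ID token
    _pending[state] = {"nonce": nonce}
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def state_of(url: str) -> str:
    """Read the state parameter back out of an authorization request URL."""
    return parse_qs(urlsplit(url).query)["state"][0]


def handle_callback(callback_url: str) -> dict:
    """Classify the redirect the provider sent the browser back with.

    The state is consumed on first use, so a replayed callback fails too.
    """
    qs = parse_qs(urlsplit(callback_url).query)
    state = qs.get("state", [None])[0]
    if state is None:
        # Provider dropped the parameter it is required to return.
        return {"status": "No_Oauth_State", "reason": "State was not sent back"}
    pending = _pending.pop(state, None)
    if pending is None:
        # Not one of ours, or already used: treat exactly like a missing state.
        return {"status": "No_Oauth_State", "reason": "unknown or already-used state"}
    if "error" in qs:
        # Provider answered with an error instead of a code; surface its text.
        return {"status": "Remote_Error", "reason": qs["error"][0],
                "description": qs.get("error_description", [""])[0]}
    code = qs.get("code", [None])[0]
    if not code:
        return {"status": "No_Openid_Response", "reason": "neither code nor error returned"}
    # Next step (not shown): exchange `code` at the token endpoint and check the
    # ID token's nonce against pending["nonce"].
    return {"status": "ok", "code": code, "nonce": pending["nonce"]}


if __name__ == "__main__":
    url = build_authorization_request()
    print(url)
    print(handle_callback(REDIRECT_URI + "?code=demo-code&state=" + state_of(url)))
    print(handle_callback(REDIRECT_URI + "?code=demo-code"))
```

The state is checked before anything else in the response is looked at, including the error parameter, so an attacker who can only make a browser visit the callback URL cannot inject either a code or an error message into a session they did not start.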

      • Priyankar Pakhira

        I’m getting the same issue

  • Priyankar Pakhira

    Hi Pat,

    we are trying to configure OpenID Connect. Now when I give the SSO credentials on the Salesforce side (Service Provider), it redirects to ForgeRock (Identity Provider), but after that I am getting the below error:

    We can’t log you in because of the following error. For more information, contact your Salesforce administrator.
    Missing_Value: Could not find unique third-party identifier

    Please can you help me with that? One thing I would like to mention: I am getting the same error when I am using Google as an Identity Provider.