OpenID Connect

I've been working in identity for about a decade now, since the days of SAML 1.1, in fact. Back then, the standard example for federated identity was airline customers accessing a rental car site without needing a second login. As things turned out, travel sites such as Expedia and Kayak did all that integration on the back end, but, as with many aspects of IT, the cloud changed everything for identity. With the rise of SaaS, it seems like we all acquired usernames and passwords for Gmail, salesforce.com, Concur, and a host of other online service providers, and mitigating password proliferation by reusing one authentication across services (single sign-on, for short) is hotter than ever.

The new kid on the single sign-on block is OpenID Connect, which, despite the name, has more in common with OAuth 2.0 than with the older OpenID: it is an identity layer built on top of the OAuth 2.0 authorization flows. Basically, OpenID Connect, like SAML, lets one site, such as salesforce.com (termed the Client, or Relying Party, in the protocol), verify the identity of a user based on the authentication performed by another site, such as Google (the OpenID Provider, which is an OAuth 2.0 Authorization Server that additionally returns a signed ID Token describing the authenticated user). Where SAML was built in the last decade on technologies such as XML and SOAP, OpenID Connect is engineered for the current toolset of JSON, REST and JSON Web Tokens. At the time of writing, OpenID Connect is still on the road to standardization (real soon now!), but it has been stable for long enough that providers such as Google, PayPal and, now, salesforce.com have built implementations.
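To make the exchange above concrete, here is an added example (not code from this post, and not Salesforce's or Google's implementation) of the Client side of the authorization-code flow, with the OpenID Provider simulated in-process so it runs offline. The issuer, client_id, client secret, redirect URI, subject and email are all constructed values, and the ID Token is HS256-signed with the client secret, which OpenID Connect permits for confidential clients but which Google does not use (Google signs with RS256 and publishes its keys). The part worth studying is validate_id_token: the issuer, audience, expiry, signature and nonce checks a Relying Party must perform before trusting the token.

```python
# Added example, not from the post: an OpenID Connect Relying Party round trip.
# ISSUER, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI, the subject and the email are
# constructed; the OP is simulated by op_issue_id_token so nothing goes on the wire.
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

ISSUER = "https://op.example.com"            # constructed OpenID Provider
CLIENT_ID = "rp-client-0001"                 # constructed client_id
CLIENT_SECRET = "constructed-client-secret"  # constructed, shared RP <-> OP
REDIRECT_URI = "https://rp.example.com/callback"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request(state: str, nonce: str) -> str:
    """Step 1: the RP redirects the browser to the OP's authorization endpoint.
    'state' ties the response to this browser session (CSRF defence); 'nonce'
    is echoed inside the ID Token, tying the token to this request (replay
    defence). 'openid' turns a plain OAuth request into OIDC; 'email' and
    'profile' are the scopes that unlock the user's email and name claims."""
    return ISSUER + "/authorize?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": "openid email profile",
        "state": state, "nonce": nonce})


def op_issue_id_token(sub: str, nonce: str, now: int, email: str) -> str:
    """Simulated OP: the ID Token the token endpoint returns once the RP has
    exchanged the authorization code (step 2). HS256 keyed with client_secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": now,
              "exp": now + 300, "nonce": nonce, "email": email}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(CLIENT_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class IDTokenError(ValueError):
    pass


def validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Step 3: the RP-side checks OIDC Core 3.1.3.7 requires. Reject unexpected
    algorithms and bad signatures before acting on any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IDTokenError("not a compact JWS")
    h64, c64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":      # never accept 'none' or a surprise alg
        raise IDTokenError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(CLIENT_SECRET.encode(), (h64 + "." + c64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise IDTokenError("bad signature")
    claims = json.loads(b64url_decode(c64))
    if claims.get("iss") != ISSUER:
        raise IDTokenError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise IDTokenError("token not issued to this client")
    if now >= int(claims.get("exp", 0)):
        raise IDTokenError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise IDTokenError("nonce mismatch (replayed or injected token)")
    return claims


def check_id_token(token: str, expected_nonce: str, now: int):
    """Same checks, returned as (claims, None) or (None, reason) for logging."""
    try:
        return validate_id_token(token, expected_nonce, now), None
    except IDTokenError as exc:
        return None, str(exc)


def login_flow(now: int) -> dict:
    """Whole round trip with the OP simulated; returns the verified claims.
    Key local accounts on (iss, sub): 'sub' is the only identifier the spec
    guarantees to be stable, an email address can be reassigned."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    auth_url = build_authorization_request(state, nonce)
    # ... the user authenticates at auth_url; the OP redirects back with code + state
    returned_state = state                # constructed: what came back on the redirect
    if not hmac.compare_digest(returned_state, state):
        raise IDTokenError("state mismatch (possible CSRF)")
    # ... the RP posts the code to the token endpoint; the response carries the ID Token
    id_token = op_issue_id_token("constructed-sub-0001", nonce, now, "alice@example.com")
    return validate_id_token(id_token, nonce, now)
```

The ordering inside validate_id_token is deliberate: a forged header with alg "none" or a tampered payload is rejected before any claim is read, and the nonce check is what stops an attacker from replaying a token they legitimately obtained for their own session into yours.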

The Winter '14 release includes OpenID Connect Authentication Providers, allowing your org to act as an OpenID Connect Client and delegate user login to an external Authorization Server such as Google. Let's take a look at how this works:

Video: https://www.youtube.com/watch?v=jGLoK4rCHrU

If you want to walk through the protocol in detail, there’s an excellent, detailed description on Google’s Developer site, and if you want to try it out, sign up for a Winter ’14 pre-release account and give it a go!

UPDATE: the security rules in the pre-release environment don't allow outbound callouts, so this does not work in pre-release. It should work just fine in a sandbox, though, so give it a go there after they cut over tomorrow (Sept 7). Apologies if you spent time trying to get this working in pre-release!

  • Chirag Mehta

    Thanks for sharing (in lines of Thanks for watching) :)

    Great, simple and clear post. Looking forward to this feature release, much awaited feature. Thank you Salesforce, as always!

  • James Melville

    Thanks for the article, it's going to be a very useful feature and gave me good pointers to try and get this implemented. Should I expect this to work in a pre-release org? (I see you didn't use one.) I have configured it all, and after logging into Google I get an error page using the test link, with ErrorCode=No_Openid_Response in the URL. Nothing shows in the logs for the 'Execute registration as' user. If I manually take the code that was provided to the callback endpoint I can successfully retrieve a token from the token endpoint, and retrieve the userinfo with that token. Can you give me any pointers? Thanks

    • http://blog.superpat.com/ Pat Patterson

      Argh! One detail totally slipped my mind: we don't allow callouts from the pre-release environment (security restriction). The sandboxes get Winter '14 this weekend (http://trust.salesforce.com/trust/maintenance/), so everything should work from there. Apologies! I'll update the blog entry.

      • Amitkumar Katre

        Hi Pat, I appreciate this post; it is really helpful to us.

        But it is also not working in a developer org. See the error code below which I am facing now:
        ErrorCode=No_Openid_Response&ErrorDescription=Bad+response

        Can you give me any other pointers? Thanks

  • Medtexter

    Can this be used with the customer portal, like we already can with Janrain?

  • Ravi Katragunta

    Hi Pat,
    I have tried and it worked very well.

    Thanks

  • Antoine Magnier

    "the security rules in the pre-release environment don't allow callouts": thanks for the tip, how did you get that info, please?

    • http://blog.superpat.com/ Pat Patterson

      I did some research into why my callout wasn’t working. It seems that we whitelist a very limited number of remote sites for callouts from pre-release orgs. We’re working on adding accounts.google.com to that list.

      • John

        Can someone help me with how to integrate Salesforce with Gmail? I want to allow users to log in automatically to Gmail at the user level, based on their Salesforce credentials.

  • Shankar Sharma

    Hi Pat,

    Can you please suggest how I can get the consumer key and consumer secret to create an OpenID Connect provider instance?

    Thanks,
    Shankar Sharma

  • shankar sharma

    Hi Pat,

    I have tried this and it worked well. One issue I am facing is that when trying to access the URL related to "Test-Only Initialization URL", I am only getting the user's Google+ ID.

    Is there any way to get more info about the user, like name, email, etc.?

    Thanks,
    Shankar Sharma

    • Alexander Taylor

      Probably too late, but for anyone else who finds this: you have to change the "Default Scopes" field on the authentication provider. Try including the "profile" scope.

  • Mythili P

    Hi Pat,
    I am able to get just the identifier of the person in the response. How do I get other details like name, email, etc. from the response?

    Thanks,
    Mythili P

    • http://blog.superpat.com/ Pat Patterson

      Ensure you specify 'email' in the auth provider's default scopes. You can also specify 'profile' and call the Google user info endpoint for more data: https://developers.google.com/accounts/docs/OAuth2Login#obtaininguserprofileinformation

      • Mythili P

        Thanks Pat. I specified this in the URL and it worked :)
        But I get username as null. Does Google not have a username field?

        • Alexander Taylor

          I think for Google, your email address is your username. At least that's the only way it could be for Google Apps users.

  • http://blogue.jpmonette.net/ Jean-Philippe Monette

    I created the "Authentication Provider" (Google) as shown above and enabled SAML in the Single Sign-On Settings. If I go to the custom branded login page, I still cannot see the "Google" button to log in. Am I missing anything?

    • http://blogue.jpmonette.net/ Jean-Philippe Monette

      I answered my own question after digging more. For anyone interested, you just have to go to "Domain Management > My Domain" and check your new "Authentication Service".

      • Noelia Frontera

        Hi Jean, does that work for you? I can't make this work... can you share screenshots of your configuration?
        Thanks!

        • http://blogue.jpmonette.net/ Jean-Philippe Monette

          Sadly, I cannot screenshot my organization for confidentiality reasons. Make sure you create your custom domain, enable the custom branded login page, create the auth provider, tick the auth provider's checkbox as mentioned in my previous comment, and then go to your https://YOURNAME.my.salesforce.com/ page. It should work :)! If not, send some screenshots and I'll look at them!

          • Noelia Frontera

            Jean,
            Thanks a lot for your reply. I'm working in my sandbox; could that be the reason?
            Anyway, I'll share screenshots with you in a few minutes.
            Thanks for your help.

          • Noelia Frontera

            I just added a default scope in my auth provider's configuration and it works! Do you mind giving me an example of how I need to proceed to deploy the Apex class to my production environment?
            Thanks in advance!

  • Noelia Frontera

    Hi,

    This is really awesome... I tried, but at the end of the process I get an error in my authentication attempt. The URL shows the following: mydomain/_nc_external/identity/sso/ui/AuthorizationError?ErrorCode=REGISTRATION_HANDLER_ERROR&ErrorDescription=List+has+more+than+1+row+for+assignment+to+SObject.

    Any thoughts?
    Thanks in advance…

    • Alexander Taylor

      According to the ErrorCode it's a problem with the registration handler associated with the auth provider config, so check your create_user function if you're trying to sign in for the first time with the 3rd-party account.

      Not sure if I could debug your code by just looking at it, but "You can debug your Apex code using the Developer Console and debug logs": http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_debugging.htm

      You might also get some ideas from the example reg handler:
      http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_auth_plugin_example.htm

      • Noelia Frontera

        Hi Alexander,
        Thanks for your reply. I solved the issue: I just added a default scope in my auth provider configuration and it works! Now I have another problem. I would like to deploy the GoogleInternalRegHandler to my production environment and I don't know how. Maybe you're more familiar with this; is there a quick guide to achieve this? I'm not a developer, I'm just an amateur.
        Thanks for the help.

  • Noelia Frontera

    Hi everyone!!! I made this work for my org. But now I have another issue: I have to deploy this to production. I'm not a programmer and I need to build an @isTest class, and I don't have a clue how to do that! Please, I'd appreciate your help in this matter!
    Thanks in advance!