Set up Social Sign-On | Trailhead Screen Reader Instructions
Learning Objectives
After completing this module, you’ll be able to:
- Describe what an auth provider is.
- List the auth providers that come with Salesforce.
- Configure an auth provider.
- Describe the value of a registration handler.
Before We Get Started
We’ll be using the Apex code editor in this unit. There is a bug in Chrome-based browsers like Google Chrome and Microsoft Edge that hides the edit field from keyboard access. You are able to TAB to the field and enter it using the Firefox browser, however. The instructions for that part of the unit will direct you to use Firefox to complete the steps. You will need to be logged into Trailhead and navigate to this unit in Firefox before tackling the Update the Registration Handler section.
You can download the Firefox internet browser here.
Social Sign-On
It’s been this way since before the Beigecoats League was formed. If it’s an option, settlers in the outlying space colonies prefer to use their social account rather than creating a new online account with each website. They can log in once to their favorite social account like ShadowMoon (or one of the old standbys, like Facebook or Google) to access other accounts, such as their email or online banking. By offering social sign-on, you give your customers a convenient and secure experience with Universal Deliveries.
To enable customers to log in to Salesforce with their social credentials, you configure an authentication (auth) provider for the social account. Here’s what your customer experiences when you do.
- A customer encounters a Salesforce login page with options to log in via Google, Facebook, Twitter, as well as username and password.
- The customer chooses to log in via Facebook credentials.
- Salesforce redirects the customer to Facebook.
- The customer logs in to Facebook.
- Facebook logs in the customer to Salesforce automatically because Salesforce trusts Facebook’s verification.
Salesforce has several auth providers to choose from—more, if you count those auth providers that your developers can configure using the OpenID Connect protocol. And even more—if your developers want to create their own authentication provider, they can use Salesforce APIs to do so.
Create an Authentication Provider
You choose which auth providers can access your Salesforce org from Setup. With a few clicks, you can add the option to log in with one or more social accounts. Here’s how to set up Facebook as an auth provider.
- From Setup, enter Auth in the Quick Find box, then select Auth. Providers.
- Click New, then select Facebook for the provider type.
- Tab into the name field and name the auth provider Facebook.
- For Registration Handler, click the link called Automatically create a registration handler template.
- Next, click the link called Execute Registration As Lookup (New Window), and choose your username from the list. Heads up: This step is essential and often gets overlooked. In production, you don’t choose yourself. You create a service account instead to avoid problems in the future. If you use yourself and leave the company, the process starts to fail when your Salesforce account is disabled.
- For Icon URL, click the link called Choose one of our sample icons and select an icon.
- An Icon URL field appears at the bottom of the page. Copy the URL from that field and close out that tab to return to the Auth setup page.
- Back on the auth setup page, paste it into the Icon URL edit field.
- Leave the other fields empty. Salesforce supplies the values, including the consumer key and consumer secret, when you use the Salesforce out-of-the-box providers (Facebook, Google, and so on).
- Click Save.
After you define the auth provider, Salesforce generates several URLs. Use the Test-Only Initialization URL to test your connection with the social network.
- From the auth provider detail page, under the Salesforce Configuration heading, copy the URL displayed under Test-Only Initialization URL.
- Paste the URL into a browser.
If it works, you get the Facebook login page.
- Log in to the Facebook page.
- When prompted, authorize your app. You’re redirected to Salesforce, where you see the XML information that Facebook sent us.
This XML information is useful for debugging and adding more functionality to your auth provider.
Log In with Facebook
Now that you’ve created a Facebook authentication provider, let’s return to the Login & Registration page and add Facebook as a login option.
- From Setup, enter Sites in the Quick Find box, select All Sites, then click the Workspaces link in the table next to Customers.
- Click the Administration link, then click the Login & Registration link. Under the Login Page Setup heading, more checkboxes have appeared for login options. These checkboxes don’t have proper labels for screen readers, but one of them now shows an option for Facebook.
- Navigate down to text that says “Select login options to display on the login page.” There will be a list of checkboxes after this block of text. Since they are not properly labeled, select all of them. This will include the Facebook option.
- Click Save.
To confirm your change, return to your private (incognito) browser window for your Customers site. Remember, you can find this under the Settings link. Reload the login page. Check that the Facebook icon appears on the login page.
Try to sign in with a Facebook account. Did you get an authentication error?
Not to worry. We fix it next.
Update the Registration Handler
The Facebook login fails because the out-of-the-box registration handler that Salesforce generated for the Facebook authentication provider no longer works. Why? Authentication providers like Facebook frequently change authentication requirements to increase security. No problem. We can update the registration handler on our own.
What’s a registration handler?
A registration handler (sometimes called reghandler) creates and updates a user on the fly with identity information pulled from the authentication provider, in this case, Facebook. A registration handler allows you to get additional information from Facebook, like a profile picture, to use when creating the Salesforce user.
We chose the out-of-the-box Facebook registration handler when we selected the Automatically create a registration handler template on the Login & Registration page.
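To show what a registration handler does, here is an added example of one: it is not the code in the Salesforce Identity Git repository. It keeps the INTERNAL_USER_PROFILE constant the unit edits, and the site profile name, Account name and username suffix are assumed placeholders for this org.

```apex
global class ExampleFacebookRegistrationHandler implements Auth.RegistrationHandler {
    class RegHandlerException extends Exception {}
    // Same constant the unit edits on line 9 of the repository handler.
    private static final String INTERNAL_USER_PROFILE = 'Standard User';
    // Assumed names: the site user profile and the Account that owns site users' Contacts.
    private static final String EXTERNAL_USER_PROFILE = 'Customer Community User';
    private static final String EXTERNAL_ACCOUNT_NAME = 'Universal Deliveries Customers';

    // Runs the first time a Facebook identity logs in (no account link exists yet).
    // The platform inserts the returned User; only the Contact is inserted here.
    global User createUser(Id portalId, Auth.UserData data) {
        // Refuse to provision from incomplete identity data rather than guess.
        if (String.isBlank(data.identifier) || String.isBlank(data.email)) {
            throw new RegHandlerException('Facebook did not supply an identifier and an email.');
        }
        User u = new User();
        u.Email = data.email;
        u.FirstName = data.firstName;
        u.LastName = String.isBlank(data.lastName) ? 'Unknown' : data.lastName;
        u.Alias = data.email.split('@')[0].left(8);
        // Tie the username to the provider's stable identifier, not the display name (assumed suffix).
        u.Username = 'fb.' + data.identifier + '@universaldeliveries.example';
        u.LanguageLocaleKey = 'en_US';
        u.LocaleSidKey = 'en_US';
        u.EmailEncodingKey = 'UTF-8';
        u.TimeZoneSidKey = 'America/Los_Angeles';
        if (portalId == null) {
            // Login to the internal org: the profile the unit configures.
            u.ProfileId = profileIdFor(INTERNAL_USER_PROFILE);
        } else {
            // Login through the Customers site: external profile plus a Contact under the shared Account.
            Account acc = [SELECT Id FROM Account WHERE Name = :EXTERNAL_ACCOUNT_NAME LIMIT 1];
            Contact c = new Contact(FirstName = u.FirstName, LastName = u.LastName,
                                    Email = data.email, AccountId = acc.Id);
            insert c;
            u.ContactId = c.Id;
            u.ProfileId = profileIdFor(EXTERNAL_USER_PROFILE);
        }
        return u;
    }

    // Runs on every later login: keep the Salesforce user in step with Facebook,
    // but never change Username or ProfileId from provider-supplied data.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = new User(Id = userId, Email = data.email, FirstName = data.firstName);
        if (!String.isBlank(data.lastName)) u.LastName = data.lastName;
        update u;
    }

    private static Id profileIdFor(String name) {
        List<Profile> found = [SELECT Id FROM Profile WHERE Name = :name LIMIT 1];
        if (found.isEmpty()) throw new RegHandlerException('Profile not found: ' + name);
        return found[0].Id;
    }
}
```

The handler runs as the Execute Registration As user chosen when the auth provider was created, so that user needs permission to create Contacts and Users.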
Before continuing, this is the point at which we’ll need to switch to Firefox. You can leave this browser tab open, but go ahead and log into Trailhead in the Firefox browser and navigate to your playground.
Open the autogenerated registration handler.
- From Setup, enter Auth. in the Quick Find box, then select Auth. Providers.
- In the table, click the Edit link in the Facebook authentication provider row.
- In the Registration Handler edit field, just take note of the full name of the autocreated registration handler, for example, AutocreatedRegHandler1467402405056.
- From Setup, enter Apex Classes in the Quick Find box, then select Apex Classes.
- In the table, locate the row for your registration handler. It should start with “AutocreatedRegHandler.” Click the Edit link in that row.
- If you get an error about cross-domain cookies and a link to view the page in Salesforce Classic, click the link. Otherwise, you should be taken to a page with an edit field full of code.
Yes, it’s code, in the form of an Apex class. If you don’t do code, that’s okay. You don’t have to. You’re just going to do a simple cut and paste to replace this Apex class with the one we provide in the Salesforce Identity Git repository.
Replace the registration handler with the one provided in the GitHub repository.
- In another browser tab, open the registration handler at this link, https://github.com/salesforceidentity/IdentityTrail-Module3/blob/master/SimpleFacebookRegistrationHandler.cls.
- Click the Copy Raw Content button. This will copy the code from GitHub.
- In the Apex code editor field in your playground, select all and delete the contents of the field. Paste your copied code in its place.
- In line 9 of the registration handler file, for INTERNAL_USER_PROFILE, change 'Standard User' to 'System Administrator'. So instead of private static final String INTERNAL_USER_PROFILE = 'Standard User'; the line should say private static final String INTERNAL_USER_PROFILE = 'System Administrator';
- Click Save.
For this Trailhead unit, you use your account to create the registration handler. Since your profile in your Trailhead Playground is System Administrator, you must use the System Administrator profile in the registration handler. In production, use the profile that is assigned to the service account that you use to create the registration handler.
Now try to log in to Facebook again.
- Return to the private (incognito) browser window for your Customers site and reload the login page.
- Click the Facebook icon and then enter your Facebook username and password. If you see a page with an app launcher, your Facebook login is working. Because you built the site with the Customer Service template, your customers are greeted with a page like this one. The page has an App Launcher where customers can access apps with single sign-on.
The App Launcher doesn’t look like much now, but you can add apps for your customers’ convenience. This way, customers can click an icon to get instant access to apps for support, billing, collaboration, and more.