By Isaac Lehr
So you’ve set up Salesforce Communities and you want to direct your external users to the appropriate Community through Single Sign-On (SSO) or Authentication Providers (Auth. Providers). First of all, who are these external users? Second, where do I select the SSO or Auth. Providers for Salesforce Communities? Last thought, can I extend Salesforce Communities standard login functionality?
Enable Single Sign-On
To enable: User > Setup > Administer > Security Controls > Single Sign-On Settings
For this blog we’re assuming that this step is complete. So here are a few references if this is where you’re starting from:
Security Implementation Guide, chapter 4
Single Sign-On with SAML on Force.com, Jeff Douglas (Appirio’s own technical guru)
Enable Authentication Providers
To enable: User > Setup > Administer > Security Controls > Auth. Providers
Same as above, for this blog we’re assuming that this step is complete. So here are a few references if this is where you’re starting from:
Authentication Options, p. 43-46
Several client configuration URLs are generated after defining the authentication provider:
Test-Only Initialization URL: Administrators use this URL to ensure the third-party provider is set up correctly. The administrator opens this URL in a browser, signs in to the third party, and is redirected back to Salesforce with a map of attributes.
Single Sign-On Initialization URL: Use this URL to perform single sign-on into Salesforce from a third party (using third-party credentials). The end user opens this URL in a browser, and signs in to the third party. This then either creates a new user for them, or updates an existing user, and then signs them into Salesforce as that user.
Existing User Linking URL: Use this URL to link existing Salesforce users to a third-party account. The end user opens this URL in a browser, signs in to the third party, signs in to Salesforce, and approves the link.
Callback URL: Use the callback URL for the endpoint that the authentication provider calls back to for configuration. The authentication provider has to redirect to the Callback URL with information for each of the above client configuration URLs.
The client configuration URLs support additional request parameters that enable you to direct users to log into specific sites, obtain customized permissions from the third party, or go to a specific location after authenticating.
Community Login Page – Options for External Users
These next steps take place after a Community has been created and is being set up or managed.
To set up or manage: User > Setup > Build > Customize > Communities > Manage Communities > Edit (needed Community) > Login Page > Options for External Users
So who are external users? They are customers or partners with Community, Customer Portal, or partner portal licenses. The default login option for external users is the username and password that Salesforce assigned for the community.
Example before SSO or Auth. Providers are enabled:
To include more options on the login page, enable and edit your single sign-on or authentication provider settings (see above links). You should see the default login credentials as selected until you set up SSO or Auth. Providers.
Example after SSO or Auth. Providers are enabled:
Select the default login credentials that are needed.
The options for login credentials from an external service provider are Facebook©, Janrain©, Salesforce, or OpenID Connect.
SFDC description of login options and what displays on the login page:
Adding Functionality to Your Authentication Provider
You can add functionality to your authentication provider by using additional request parameters.
Scope – Customizes the permissions requested from the third party
Site – Enables the provider to be used with a site
StartURL – Sends the user to a specified location after authentication
Community – Sends the user to a specific community after authentication
We’ll focus on the Community URL parameter.
Using the Community URL Parameter
This functionality extension sends the user to a specific Community after authenticating. If you don’t add the Community URL parameter, the user is sent to either /home/home.jsp (for a portal or standard application) or to the default sites page (for a site) after authentication completes. So you’ll need to specify a URL with the community request parameter.
With a Single Sign-On Initialization URL, the user is sent to this location after being logged in. For an Existing User Linking URL, the “Continue to Salesforce” link on the confirmation page leads to this page.
Single Sign-On Initialization URL Example:
To extend the Single Sign-On Initialization URL or Existing User Linking URL add the following to the community parameter:
orgID is your Auth. Provider ID
URLsuffix is the value you specified when you defined the authentication provider
The Single Sign-On Initialization URL, Existing User Linking URL, orgID, and URLsuffix values are accessible after the Auth. Provider is created.
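Because the community parameter decides where the user lands after authenticating, links that carry it are best generated from a fixed list of your own community hosts rather than from arbitrary input. The sketch below is an added example, not Salesforce or Appirio code: the initialization URL keeps orgID and URLsuffix as placeholders, and acme.force.com, the allowlist and both function names are assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample values. Paste the real Single Sign-On Initialization URL
# from the Auth. Provider detail page; orgID and URLsuffix are placeholders.
SSO_INIT_URL = "https://login.salesforce.com/services/auth/sso/orgID/URLsuffix"
# Assumption: the hosts that serve this org's communities.
ALLOWED_COMMUNITY_HOSTS = {"acme.force.com"}


def community_url_problem(community_url, allowed_hosts=ALLOWED_COMMUNITY_HOSTS):
    """Return why community_url must not be used, or None if it is acceptable."""
    target = urlsplit(community_url)
    if target.scheme != "https":
        return "not https"
    if target.username is not None or target.password is not None:
        return "embedded credentials"
    if (target.hostname or "").lower() not in allowed_hosts:
        return "host not on allowlist"
    return None


def add_community(init_url, community_url, allowed_hosts=ALLOWED_COMMUNITY_HOSTS):
    """Return init_url with community=<community_url> appended, URL-encoded."""
    problem = community_url_problem(community_url, allowed_hosts)
    if problem:
        raise ValueError(f"refusing community URL: {problem}")
    base = urlsplit(init_url)
    # Keep parameters already present (for example scope), replace any community=.
    params = [(k, v) for k, v in parse_qsl(base.query) if k != "community"]
    params.append(("community", community_url))
    return urlunsplit(base._replace(query=urlencode(params)))


if __name__ == "__main__":
    print(add_community(SSO_INIT_URL, "https://acme.force.com/support"))
```

The same helper works for an Existing User Linking URL, since the community parameter is appended the same way.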
We’ve identified who our external users are, how to extend users’ login options, and we have seen how URL parameters can be added to extend functionality to your Auth. Provider. There is more to Community logins than just /home/home.jsp … so send your users to the page that they need to start from!
Isaac Lehr is an Associate Consultant working in Appirio’s Salesforce Consulting practice.