Single-Sign-On for Salesforce via OpenID Connect
Salesforce-specific notes on implementing and configuring single-sign-on via OpenID Connect
SSO Configuration
- Configure in Setup > Auth Providers
- In this case the IDP must allow for the OpenID Connect standard
- Requires Consumer Key and Consumer Secret from the IDP
- Also, given that it’s OAuth-based, you’ll need to know the OAuth-based Scopes that SFDC should request from the IDP
- Ex. email openid for access to the user’s email address and OpenID information
- When setting up, you can have a Registration Handler automatically generated, and then you can update it after-the-fact to meet your needs
- Note that the default handler is very basic, and almost ALWAYS needs to be updated after-the-fact
- However, having it auto-generated saves you a lot of time from having to write the boilerplate yourself
- Important: Make sure that (after you’ve saved the new Auth Provider info in SFDC) you copy the Callback URL that is generated and paste it into the “Redirect URI” or “Redirect URL” of the IDP that you’re setting up.
Registration Handler
- After the default handler is generated, you can navigate to the code and edit it in order to actually do what you want it to do
- The Apex class implements the Auth.RegistrationHandler interface, which has two methods:
  - createUser(), which is called when a person cannot be found for the SSO intent
  - updateUser(), which is called when a person IS located for the SSO intent
- A single registration handler Apex class can handle provisioning / updating Community Users, Standard Users, or both.
- According to the video series, an if statement like the following checks that it’s a Community user: if (data.attributeMap.containsKey('sfdc_networkid'))
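The following is an added example of what a reworked handler can look like once the auto-generated boilerplate has been replaced; it is not the page’s code and not the handler Salesforce generates. It uses the sfdc_networkid check above to split Community and internal logins, only provisions Community users that match an existing Contact, and refuses to auto-create internal users. The profile name, the Contact-by-email matching rule, the FederationIdentifier lookup, the username suffix, and the ProvisioningException class are all assumptions made for illustration.

```apex
// Added example (not from the page or from Salesforce's generated handler).
// Assumptions: profile name, Contact-by-email matching, FederationIdentifier
// lookup for internal users, and the username suffix are illustrative only.
global class OidcRegistrationHandler implements Auth.RegistrationHandler {

    // Assumed profile assigned to Community users provisioned through SSO
    private static final String COMMUNITY_PROFILE = 'Customer Community User';

    // Custom exception (assumed name); throwing it fails the login attempt
    public class ProvisioningException extends Exception {}

    // Called when Salesforce has no user linked to this IDP identity yet.
    // Returns an unsaved User (Salesforce inserts it) or an existing User.
    global User createUser(Id portalId, Auth.UserData data) {
        // 'sfdc_networkid' is present in the attribute map when the login
        // came through a Community (see the note above)
        Boolean isCommunity = data.attributeMap.containsKey('sfdc_networkid');

        if (!isCommunity) {
            // Never auto-provision internal users from an IDP claim alone.
            // Only link an existing active user whose FederationIdentifier
            // already equals the IDP subject (assumed convention).
            List<User> existing = [
                SELECT Id FROM User
                WHERE FederationIdentifier = :data.identifier
                  AND IsActive = true
                LIMIT 1
            ];
            if (existing.isEmpty()) {
                throw new ProvisioningException(
                    'No internal user is provisioned for this identity');
            }
            return existing[0];
        }

        // Community users: require a pre-existing Contact with the IDP's
        // email (assumed rule) so an arbitrary IDP account cannot create an
        // orphan portal user.
        List<Contact> contacts = [
            SELECT Id, AccountId FROM Contact
            WHERE Email = :data.email
            LIMIT 1
        ];
        if (contacts.isEmpty()) {
            throw new ProvisioningException(
                'No Contact found for ' + data.email);
        }
        Profile p = [SELECT Id FROM Profile
                     WHERE Name = :COMMUNITY_PROFILE LIMIT 1];

        User u = new User();
        u.ContactId = contacts[0].Id;
        u.ProfileId = p.Id;
        u.FirstName = data.firstName;
        u.LastName = data.lastName;
        u.Email = data.email;
        // Username must be globally unique; derive it from the stable IDP
        // identifier rather than the (changeable) email address.
        u.Username = data.identifier + '@example-community.oidc';
        u.Alias = ('u' + data.identifier)
            .replaceAll('[^a-zA-Z0-9]', '').left(8);
        u.CommunityNickname = u.Alias + String.valueOf(Crypto.getRandomInteger());
        u.TimeZoneSidKey = 'America/Los_Angeles';
        u.LocaleSidKey = 'en_US';
        u.EmailEncodingKey = 'UTF-8';
        u.LanguageLocaleKey = 'en_US';
        return u;
    }

    // Called when Salesforce already has a user linked to this identity.
    // Only display attributes are synced: Username, Profile, permission sets
    // and Email are never rewritten from IDP claims by this handler.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = [SELECT Id, FirstName, LastName FROM User WHERE Id = :userId];
        u.FirstName = data.firstName;
        u.LastName = data.lastName;
        update u;
    }
}
```

Salesforce calls createUser() only when it has not yet linked the IDP identity to a user, and updateUser() on every later login for the linked user; the handler itself never needs to decide which of the two applies. Keeping provisioning decisions (which profile, whether an internal user may be created at all) out of the IDP claims is what separates this from the auto-generated default.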
Outstanding Questions
- How does OpenID Connect locate the user? The video series wasn’t super explicit about the means through which a user is located
- Ex. In a SAML-based approach, you utilize the Federation ID to figure out which user is which. What does OpenID Connect use?