    OAuth Integrations: Salesforce

    Overview

    Salesforce is a customer relationship management (CRM) platform that allows users to sign in to their accounts using an external Identity Provider. This document covers the configuration necessary to get Salesforce working with FusionAuth as the identity provider using OpenID Connect.

    Prerequisites

    This document assumes you have a running instance of FusionAuth and a working Salesforce application. You will also need admin accounts for both to configure them correctly and a FusionAuth user that you will use to sign into Salesforce. You can use an existing user or create a new user for this purpose.

    Configure FusionAuth

    Navigate to Applications and click the add button to create an application named Salesforce.

    Create an Application.

    Click the save button to save your application. After being redirected to the Applications page, click the view icon to see the application details. Write down the OAuth IdP login URL, Logout URL, Token endpoint and Userinfo endpoint fields, located in the OAuth2 & OpenID Connect Integration details section, as you’ll need that information later.

    Configure Salesforce

    Before configuring FusionAuth as an identity provider in Salesforce, you need to write some code that maps the information returned from FusionAuth onto a user entity that is then persisted in Salesforce. This code is written in Apex, Salesforce's object-oriented programming language.

    Navigate to PLATFORM TOOLS → Custom Code → Apex Classes and click the New button to create a new class.

    Create an Apex class.

    In the editor, paste the following code as a starting point:

    
    global class FusionAuthRegHandler implements Auth.RegistrationHandler {
        // This is the profile name that you want to create users
        static final string STANDARD_PROFILE = 'Standard User';
    
        // This will be appended to the username and it must be unique across all Salesforce organizations
        static final string ORG_SUFFIX = '.your.fusionauth.application.url';
    
        global User createUser(Id portalId, Auth.UserData data) {
            User u = buildUser(
                    new User(),
                    data
            );
            return u;
        }
    
        global void updateUser(Id userId, Id portalId, Auth.UserData data) {
            User u = buildUser(
                    new User(id = userId),
                    data
            );
            update (u);
        }
    
        private User buildUser(User u, Auth.UserData data) {
            Profile p = [SELECT Id FROM profile WHERE name = :STANDARD_PROFILE];
            u.profileId = p.Id;
            u.username = data.email + ORG_SUFFIX;
            u.email = data.email;
            if (data.firstName != null && data.firstName != '') {
                u.firstName = data.firstName;
            } else {
                String givenName = data.attributeMap.get('given_name');
                if (givenName != null && givenName != '') {
                    u.firstName = givenName;
                }
            }
            if (data.lastName != null && data.lastName != '') {
                u.lastName = data.lastName;
            } else {
                String familyName = data.attributeMap.get('family_name');
                if (familyName != null && familyName != '') {
                    u.lastName = familyName;
                }
            }
            String alias;
            if (data.userName != null && data.userName != '') {
                alias = data.userName;
            } else {
                alias = data.email;
            }
            if (alias.length() > 8) {
                alias = alias.substring(0, 8);
            }
            u.alias = alias;
            u.languagelocalekey = UserInfo.getLocale();
            u.localesidkey = UserInfo.getLocale();
            u.emailEncodingKey = 'UTF-8';
            u.timeZoneSidKey = data.attributeMap.get('timezone');
            if (u.timeZoneSidKey == null || u.timeZoneSidKey == '') {
                // @TODO change this to the default timezone for users
                u.timeZoneSidKey = 'GMT';
            }
            return u;
        }
    }

    Complete the code above by making the following changes:

    • Update the ORG_SUFFIX to your actual FusionAuth instance URL

    • Set STANDARD_PROFILE to the profile name you want to add users to (you can find the available options by navigating to ADMINISTRATION → Users → Profiles)

    • Add a default time zone by setting u.timeZoneSidKey to one of the time zone codes Salesforce supports. This value is used as a fallback when no time zone is received from FusionAuth.

    Finally, click Save to create the class.

    Browse to SETTINGS → Identity → Auth. Providers to get to the Authentication Providers page and click New.

    Create an Authentication Provider.

    Fill in the values as shown in the image below, using the information you copied from your FusionAuth application earlier.

    Fill in Authentication Provider values.

    The following table describes the necessary values that you need to copy from your FusionAuth application onto the fields in Salesforce.

    | Salesforce field | FusionAuth field | Sample value |
    | --- | --- | --- |
    | Provider Type | | Open ID Connect |
    | Name | | FusionAuth |
    | URL Suffix | | FusionAuth |
    | Consumer Key | Your FusionAuth application Client Id | fb45c33d-72db-4852-b764-3e8556916193 |
    | Consumer Secret | Your FusionAuth application Client secret | QCuUxBdSq-B-GKpydrh63ASkHZnJZS7P-6Ib2PYZNQw |
    | Authorize Endpoint URL | Your FusionAuth application OAuth IdP login URL, up to (not including) the question mark (?) | https://your.fusionauth.application.url/oauth2/authorize |
    | Token Endpoint URL | Your FusionAuth application Token endpoint | https://your.fusionauth.application.url/oauth2/token |
    | User Info Endpoint URL | Your FusionAuth application Userinfo endpoint | https://your.fusionauth.application.url/oauth2/userinfo |
    | Token Issuer | Your FusionAuth application Userinfo issuer | https://your.fusionauth.application.url |
    | Default Scopes | | openid email |
    | Send access token in header | | Checked |
    | Send client credentials in header | | Unchecked |
    | Include Consumer Secret in SOAP API Responses | | Unchecked |
    | Custom Logout URL | Your FusionAuth application Logout Url | https://your.fusionauth.application.url/oauth2/logout?client_id=fb45c33d-72db-4852-b764-3e8556916193 |

    In Registration Handler, click the magnifying glass button to open a window with the existing Apex Classes in your Salesforce organization. There, click FusionAuthRegHandler to select it. Click the other magnifying glass button in Execute Registration As and select the user that will be responsible for executing the registration (you can select your own user here).

    Click Save to finish configuring the provider. Scroll down to the Salesforce Configuration section and open the address from Test-Only Initialization URL in an incognito window.

    Copy Test-Only Initialization URL from the Authentication Provider.

    After logging in with your FusionAuth credentials, you should be redirected to an XML file with the user details that Salesforce will receive from FusionAuth, like the example below.

    
    <user>
        <full_name>Your Full Name</full_name>
        <provider>Open ID Connect</provider>
        <org_id>000000000000000</org_id>
        <last_name>Your Last Name</last_name>
        <id>00000000-0000-0000-0000-000000000000</id>
        <portal_id>000000000000000</portal_id>
        <first_name>Your First Name</first_name>
        <email>Your Email</email>
    </user>

    If you are not seeing these values, click Edit in the Salesforce Auth. Providers page and double-check the values.

    Now, go back to the Salesforce Configuration section in Salesforce and write down Callback URL, Single Sign-On Initialization URL and Single Logout URL values. In your FusionAuth instance, edit the Salesforce application you just created and paste Callback URL in Authorized redirect URLs and Single Logout URL in Logout URL.

    Click the save button to save the changes.

    Editing the Application.
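    Most of the values above are derived from a single field, the OAuth IdP login URL, and a small mismatch (a trailing slash on the issuer, a callback URL that differs by one character) is enough to break the login. The following Python script is an added example, not part of the FusionAuth or Salesforce documentation or code: it derives each Salesforce provider field from the login URL, reports the ID token claim mismatches that make an OpenID Connect login fail, and checks a redirect URI against the Authorized redirect URLs. It assumes that the tenant issuer is the bare instance origin (as in the sample table), that FusionAuth compares redirect URLs as exact strings, and that the ID token signature has already been verified; the login URL, claims and callback URL in it are constructed placeholders.

```python
"""Derive and sanity-check the Salesforce Auth. Provider values for a FusionAuth
application. Constructed example; not FusionAuth or Salesforce code."""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample of the "OAuth IdP login URL" shown on the FusionAuth application
# details page. Host and redirect_uri are placeholders; the client_id is the one used
# in the sample table.
SAMPLE_IDP_LOGIN_URL = (
    "https://your.fusionauth.application.url/oauth2/authorize"
    "?client_id=fb45c33d-72db-4852-b764-3e8556916193"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fyour.fusionauth.application.url%2Foauth2%2Fcallback"
)


def derive_salesforce_values(idp_login_url):
    """Map the FusionAuth OAuth IdP login URL onto the Salesforce Auth. Provider fields.

    Assumption: the tenant issuer is the bare instance origin, as in the sample table.
    """
    parts = urlsplit(idp_login_url)
    client_id = parse_qs(parts.query)["client_id"][0]
    origin = urlunsplit((parts.scheme, parts.netloc, "", "", ""))
    # "Up to the question mark": keep scheme, host and path, drop query and fragment.
    authorize = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return {
        "Consumer Key": client_id,
        "Authorize Endpoint URL": authorize,
        "Token Endpoint URL": origin + "/oauth2/token",
        "User Info Endpoint URL": origin + "/oauth2/userinfo",
        "Token Issuer": origin,
        "Custom Logout URL": origin + "/oauth2/logout?" + urlencode({"client_id": client_id}),
    }


def check_id_token_claims(claims, salesforce_values, now):
    """Return the mismatches a relying party rejects, given the claims (a dict) of an
    ID token whose signature has already been verified."""
    problems = []
    expected_iss = salesforce_values["Token Issuer"]
    # iss is compared as an exact string: "https://host" and "https://host/" differ.
    if claims.get("iss") != expected_iss:
        problems.append("iss %r != Token Issuer %r" % (claims.get("iss"), expected_iss))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if salesforce_values["Consumer Key"] not in audiences:
        problems.append("aud does not contain the Consumer Key (client_id)")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def redirect_uri_is_authorized(redirect_uri, authorized_redirect_urls):
    """Assumption: FusionAuth matches redirect_uri against Authorized redirect URLs as
    exact strings, so Salesforce's Callback URL must be pasted verbatim."""
    return redirect_uri in authorized_redirect_urls


if __name__ == "__main__":
    values = derive_salesforce_values(SAMPLE_IDP_LOGIN_URL)
    for field, value in values.items():
        print("%-24s %s" % (field, value))
    # Constructed claims: a trailing slash on iss is the classic misconfiguration.
    bad_claims = {"iss": values["Token Issuer"] + "/", "aud": values["Consumer Key"],
                  "exp": 1_700_000_600}
    print(check_id_token_claims(bad_claims, values, now=1_700_000_000))
    # Constructed callback URL: the trailing slash alone makes it unauthorized.
    print(redirect_uri_is_authorized("https://salesforce.example/callback/",
                                     ["https://salesforce.example/callback"]))
```

    Run the script with your own OAuth IdP login URL pasted into SAMPLE_IDP_LOGIN_URL and compare the printed fields with what you entered in Salesforce; if the Test-Only Initialization URL does not return the XML shown below, the iss and aud checks point at the two values most often copied wrongly.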

    Log in

    Open the Single Sign-On Initialization URL you copied from the Salesforce Configuration in a new browser or an incognito window. You should be taken to the FusionAuth login page. Fill in your credentials and you should be redirected back to your Salesforce account already logged in.

    Troubleshooting

    Most errors occur due to misconfiguration of the Authentication Provider while copying values from FusionAuth into Salesforce. Make sure you have provided the right values there.

    © 2023 FusionAuth