Salesforce supports many Auth Providers out of the box, each of which can be used as an identity provider. Examples include Facebook, Google, GitHub, Salesforce, OpenID Connect, LinkedIn and Janrain.
If you need to use WeChat, Yahoo or another social account such as Microsoft, don’t be disappointed. Even though these are not available out of the box as Auth Providers in Salesforce, Salesforce offers a magic box: Janrain. Janrain supports a vast list of social platforms, any of which can be used as an identity provider for your Salesforce instance.
How Janrain differs from other SSO solutions for Salesforce
If we configure an identity provider for Salesforce using Single Sign-On or an Auth Provider, that option appears on the Salesforce login page as a button (shown in the image below).
However, if we use Janrain as the identity provider, nothing appears on the Salesforce login page. Janrain provides HTML code which must be placed on a publicly accessible page. If login succeeds, Janrain redirects to the Salesforce SSO endpoint, resulting in a seamless login experience, as shown in this animated image.
Note in the demo above:
- Single Sign-On is launched from a local HTML file
- We can log in using Twitter, Yahoo, AOL and other social applications via Janrain
Let’s see how Janrain and Salesforce can be configured.
Step 1: Create Janrain Application
Create a Janrain application by navigating to this URL (it’s free).
Step 2: Create Auth Provider in Salesforce
In this step, navigate to Salesforce | Setup | Identity | Auth. Providers | New | Janrain.
You can keep Name and URL Suffix the same. The value for Consumer Secret comes from Janrain | Your Application | Settings | API Key (Secret).
For Registration Handler, choose the option to create it automatically on save. We will update this Apex class later in this post.
Select an admin user in Execute Registration As.
Once the settings are saved, Salesforce generates SSO login URLs for internal users and for every Community in your Salesforce org. We are interested only in internal users, and therefore only in the Single Sign-On Callback URL; we will need it later in Step 5.
Step 3 – Configure providers in Janrain
Now, in the Janrain application, you can configure social login providers such as Facebook, Twitter and Yahoo by navigating to Janrain | Your Application | Providers. Setting up providers is very easy; you just need to follow the instructions.
Configuring Facebook Provider in Janrain
The only hiccup I faced was in configuring Facebook, because the instructions in Janrain are pretty old. The only missing step was adding the callback URL to the Facebook application. The image below shows the format of the callback URL; you would only need to replace sfdcilovesso with your Janrain application name in the Facebook application.
Step 4 – Get Janrain Widget Code
Navigate to your Janrain application and click Widgets and SDKs | Sign-Ins. Choose the providers for the widget and get the code.
Step 5 – Place Janrain Widget code in Public Site
We need a publicly accessible page on which to place the code copied in Step 4. I have used a Salesforce public Site. In this code, you need to update the value of the variable janrain.settings.tokenUrl; this is the Single Sign-On Callback URL copied in Step 2. The source code of the Visualforce page is provided at the end of this post.
Step 6 – Update Registration Handler Apex class
The Registration Handler Apex class was auto-created in Step 2. It needs to be updated to suit your requirements. One user can have multiple social accounts, so I have created a custom object to store all the unique identifiers of the social applications configured in Janrain. This custom object has a lookup relationship to User. The object is used only in the createUser() method, which means it is consulted only the first time a user attempts to use social login. Every subsequent login attempt uses the updateUser() method, because the link between the third-party social account and the user has already been established. Source code is provided at the end of this post.
Question: How does Salesforce decide whether the createUser() or the updateUser() method of the Apex Registration Handler should be executed?
Answer: When a user logs in to Salesforce through the registration handler class for the first time, createUser() is executed. Salesforce internally saves the mapping between the user and the application against which they authenticated in Third-Party Account Links, found in the user’s related list. On the next login attempt, Salesforce uses the Third-Party Account Link to determine that this user has already used the Auth Provider, reuses that information and executes updateUser().
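The following is an added example of the registration handler described in Step 6 and in the question above; it is not the post's own source code. It assumes a hypothetical custom object Social_Account__c with a text field Identifier__c, a text field Provider__c and a lookup User__c to User, pre-populated by an administrator with the identifiers the post describes; the profile name and the username domain are placeholders. The handler runs as the user chosen in Execute Registration As, so it only reads the mapping object and touches the User record, and it links an existing user solely on the provider-assigned identifier, never on the email address alone, since a social network may not have verified that address.

```apex
// Added example, not the post's code. Social_Account__c, its fields, the profile
// name and the username domain are hypothetical placeholders.
global class JanrainRegistrationHandler implements Auth.RegistrationHandler {

    private static final String DEFAULT_PROFILE_NAME = 'Standard User';  // placeholder
    private static final String USERNAME_DOMAIN      = 'example.invalid'; // placeholder

    // Called only when Salesforce has no Third-Party Account Link for this identifier,
    // i.e. the very first social login with this account.
    global User createUser(Id portalId, Auth.UserData data) {
        // data.identifier is the id assigned by the social network and forwarded by
        // Janrain; data.provider names the Auth Provider. Match on these, not on email.
        List<Social_Account__c> links = [
            SELECT User__c
            FROM Social_Account__c
            WHERE Identifier__c = :data.identifier
              AND Provider__c   = :data.provider
            LIMIT 1
        ];
        if (!links.isEmpty() && links[0].User__c != null) {
            List<User> existing = [
                SELECT Id FROM User
                WHERE Id = :links[0].User__c AND IsActive = true
                LIMIT 1
            ];
            if (!existing.isEmpty()) {
                // Returning a user that already has an Id makes Salesforce create the
                // Third-Party Account Link to it instead of inserting a new user.
                return existing[0];
            }
        }

        // No pre-registered mapping: provision a brand-new user. Salesforce inserts the
        // returned record itself, so the handler must not call insert here.
        Profile p = [SELECT Id FROM Profile WHERE Name = :DEFAULT_PROFILE_NAME LIMIT 1];
        String safeId = sanitize(data.identifier);

        User u = new User();
        u.ProfileId         = p.Id;
        u.Username          = safeId + '@' + USERNAME_DOMAIN;   // must be globally unique
        u.Email             = String.isBlank(data.email)
                              ? safeId + '@' + USERNAME_DOMAIN  // some providers send no email
                              : data.email;
        u.FirstName         = data.firstName;
        u.LastName          = String.isBlank(data.lastName) ? 'SocialUser' : data.lastName;
        u.Alias             = safeId.left(8);                   // Alias is limited to 8 chars
        u.EmailEncodingKey  = 'UTF-8';
        u.LanguageLocaleKey = 'en_US';
        u.LocaleSidKey      = 'en_US';
        u.TimeZoneSidKey    = 'America/Los_Angeles';
        return u;
    }

    // Called on every later login: the Third-Party Account Link already maps the
    // identifier to userId, so only refresh display fields. Username and Email are
    // deliberately left alone so a changed social profile cannot rewrite them.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = [SELECT Id, FirstName, LastName FROM User WHERE Id = :userId];
        if (!String.isBlank(data.firstName)) { u.FirstName = data.firstName; }
        if (!String.isBlank(data.lastName))  { u.LastName  = data.lastName;  }
        update u;
    }

    // Keep only characters that are valid in a username local part and alias.
    private static String sanitize(String raw) {
        String s = raw == null ? '' : raw.replaceAll('[^a-zA-Z0-9]', '');
        return String.isBlank(s) ? 'socialuser' : s.toLowerCase();
    }
}
```

Because User is a setup object, the handler avoids inserting Social_Account__c records in the same transaction as the user provisioning; that is why the mapping object is populated ahead of time and only queried here, matching the post's description that it is consulted only in createUser().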