Salesforce to Salesforce integration using Canvas

After this article was written, Salesforce enabled CSP (Content Security Policy), which restricts loading Salesforce in an iframe. We can whitelist the My Domain URL for CSP, but that works only if the user is already logged into the other Salesforce instance. However, if the user is not logged into the other instance, OAuth internally navigates through which is too restrictive, and the Canvas application fails to load.

In this post we will discuss how Canvas can be used to integrate Salesforce with Salesforce. This blog has already covered many articles and possibilities for integrating Salesforce with another Salesforce instance, like this and this post.

What is Canvas

The Canvas SDK from Salesforce allows developers to connect an existing legacy system or any web-based application with Salesforce using JavaScript and the REST API. Canvas applications can be displayed in Chatter, Salesforce Mobile Cards or a Visualforce page.

Why we are accessing another Salesforce instance as Canvas app

To get hands-on with Canvas, most articles are built around creating Heroku applications. I understand there are a few developers who are not comfortable with Heroku. So, to keep the learning curve small, let's expose a Visualforce page as the Canvas application; after all, Visualforce is a very advanced MVC framework in itself.


For this blog post, we will need two Salesforce orgs. One will act as Identity Provider and the other will act as Service Provider. I have enabled My Domain, and the details are below:

  • – Service Provider
  • – Identity Provider

Enable My Domain

The first step is to enable My Domain in the Service Provider organization. I would suggest naming your orgs with suffixes like “spProvider” and “ipProvider” to avoid confusion.

Enable and setup SSO in Service provider Org

You can read this article for more detail on using Salesforce as IdP and SP. Assuming you already have basic knowledge of SSO, we will jump right in.

In Service provider Organization enable SSO by navigating to “Setup | Security Controls | Single Sign-On Settings”.

Download “Self Signed Certificate” from Identity provider by navigating to “Setup | Security Controls | Certificate and Key Management | Create Self Signed Certificate”.

The image below shows the SSO configuration in the Service Provider organization, in our case domain “”.

SSO Setting in Service Provider Org

In the above image, Issuer is the URL of the Identity Provider and Entity Id is the URL of the current org, which is the Service Provider.

Once the Service Provider org has been told that SSO is based on Federation Id, we need to make sure that the Federation Id on the user records in both orgs matches; otherwise SSO will not work and those users will not be able to use the Canvas application.

Create Canvas application in Identity provider Org

Navigate to “Setup | App Setup | Create | Apps | Connected Apps | New”.

Canvas application Configuration

As you can see in the above settings, the Canvas application is enabled for Chatter and Mobile navigation, and it uses a Visualforce page of the Service Provider organization.

Entity Id and ACS URL are copied from the SSO settings of the Service Provider organization.

Creating Visualforce page using Canvas SDK in Service Provider Organization

Instead of using Heroku or any external web-based application, we will use a Visualforce page with the Canvas SDK. For this, we need to download the Canvas SDK from this GitHub repository and upload it as a static resource. In the Visualforce page below, we simply read the signed request from the Identity Provider organization to show the capabilities of the Canvas SDK, and we also display the SessionId, OAuth token and refresh token of the Service Provider organization.

As the Canvas application is configured to be viewed from the Chatter tab, the output will look like this:

Canvas Application Demo with Complete Source code

Source code for Canvas in Salesforce

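<apex:page showHeader="false">
    <!-- Canvas SDK uploaded as the static resource "CanvasSDK" -->
    <script type="text/javascript" src="{!URLFOR($Resource.CanvasSDK,'SalesforceCanvasJavascriptSDK-master/js/canvas-all.js')}"></script>
    <script type="text/javascript">
        // Only a fragment of the Service Provider session Id is kept for display
        var sid = "{!GETSESSIONID()}".substr(1,30) + '...';

        // Ask the Identity Provider org for a fresh signed request and decode its payload
        function refreshSR(){
            Sfdc.canvas.client.refreshSignedRequest(function(data){
                if(data.status == 200){
                    var signedRequest = data.payload.response;
                    // Format is signature.payload; only the Base64 payload is decoded here
                    var part = signedRequest.split('.')[1];
                    var obj = JSON.parse(Sfdc.canvas.decode(part));
                    updateDisplay(obj);
                }
            });
        }

        // Fill the placeholders with (truncated) values from the decoded signed request
        function updateDisplay(obj){
            setValue('spSessionId', sid);
            setValue('ipOAuth', obj.client.oauthToken.substr(1,30)+'...');
            setValue('ipUser', obj.context.user.fullName);
            setValue('ipOrg', obj.context.organization.name);
            // refreshToken can be absent, so fall back to an empty string
            setValue('ipRefresh', (obj.client.refreshToken || '').substr(1,30)+'...');
        }

        function setValue(eleId,val){
            var domEl = document.getElementById(eleId);
            if(domEl){
                // textContent instead of innerHTML so values are never parsed as markup
                domEl.textContent = val;
            }
        }

        // Run once the Canvas SDK has finished loading
        Sfdc.canvas.onReady(function(){
            refreshSR();
        });
    </script>

    <div>
        <b> <u> Service Provider Org </u></b> <br />
        I am Canvas App from Salesforce Domain <b> </b> <br />
        User : {!$User.FirstName} {!$User.LastName} <br />
        Org : {!$Organization.Name} <br />
        Session Id : <span id="spSessionId"></span>
    </div>

    <hr />

    <div>
        <b> <u> Identity Provider Org  - Current Org </u> </b> <br />
        User : <span id="ipUser"></span> <br />
        Org : <span id="ipOrg"></span> <br />
        OAuth Token : <span id="ipOAuth"></span> <br />
        Refresh Token : <span id="ipRefresh"></span>
    </div>
</apex:page>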
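The page above decodes the signed request in the browser without checking its signature. A receiver that acts on the request should verify the HMAC-SHA256 signature with the connected app's consumer secret first. The following Node.js code is an added example, not part of the original post or the Canvas SDK; the function names verifySignedRequest, maskToken and buildSample are hypothetical, and the secret, token and envelope are constructed sample values.

```javascript
// Added example (Node.js): verify a Canvas signed request before trusting it.
const crypto = require('crypto');

// Returns the decoded envelope when the signature is valid, otherwise null.
function verifySignedRequest(signedRequest, consumerSecret) {
  if (typeof signedRequest !== 'string') return null;
  const parts = signedRequest.split('.');
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  const [encodedSig, encodedEnvelope] = parts;

  // The MAC covers the Base64 text of the envelope, not the decoded JSON.
  const expected = crypto.createHmac('sha256', consumerSecret)
    .update(encodedEnvelope, 'utf8').digest();
  const supplied = Buffer.from(encodedSig, 'base64');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (supplied.length !== expected.length ||
      !crypto.timingSafeEqual(supplied, expected)) return null;

  let envelope;
  try {
    envelope = JSON.parse(Buffer.from(encodedEnvelope, 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
  // Accept only the algorithm this verifier actually computed.
  return envelope && envelope.algorithm === 'HMACSHA256' ? envelope : null;
}

// Mask a token before it is rendered or logged.
function maskToken(token) {
  return typeof token === 'string' && token.length > 8
    ? token.slice(0, 4) + '...' + token.slice(-4) : '(none)';
}

// Constructed sample data: secret, envelope and signature are made up here.
const SAMPLE_SECRET = 'constructed-consumer-secret';
function buildSample(envelope, secret) {
  const body = Buffer.from(JSON.stringify(envelope), 'utf8').toString('base64');
  const sig = crypto.createHmac('sha256', secret).update(body, 'utf8').digest('base64');
  return sig + '.' + body;
}
const SAMPLE_REQUEST = buildSample({
  algorithm: 'HMACSHA256',
  client: { oauthToken: 'CONSTRUCTED-TOKEN-0123456789', refreshToken: null },
  context: { user: { fullName: 'Sample User' }, organization: { name: 'Sample Org' } }
}, SAMPLE_SECRET);
```

The consumer secret must stay on the server; it is never placed in the Visualforce page or any other markup sent to the browser.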






13 responses to “Salesforce to Salesforce integration using Canvas”

  1. Harshit Pandey

    With canvas, I had a few issues, especially using SAML and Identity placing through SSO. We use OKTA as Identity provider to integrate Tableau with Salesforce. I learned when you are logged in to remote server through canvas via SSO provider, the cookie for remote application persists on your browser; on logging out from Salesforce/OKTA (SSO provider) the Tableau cookie won’t get deleted, which opens up terminal for anybody to navigate third party app like Tableau in this case. If you came across this issue let me know.

    This was the thing I was about to discuss with you at Dreamforce after your session!

    1. Jitendra Zaa

      That's interesting to know. I didn’t face this, but thanks for the note; I will keep in mind testing cookies of external sites.

  2. Sami

    Everything is working properly. But I'm only getting service provider information and not getting identity provider information and the session id. Please tell me what I should do to get it?

    1. Jitendra Zaa

      Please check if you are able to access it from the Canvas preview app; if not, then a screenshot of the JavaScript will be helpful to identify the issue.

  3. Ajay K Dixit

    While setting up the canvas app, can we use OpenAM as Identity provider to authenticate the canvas app using SAML? I mean, where we specify Entity ID, ACS URL etc. for the Web App settings, can we use OpenAM values there?
    We want to integrate an on-premise Java application which should be authenticated via SAML and then should be authorized to use Salesforce.

    1. Jitendra Zaa

      If you can get the Connected App working then I don't see any problem.

  4. dinesh moundekar

    Hi, I am not able to get Identity provider ORG information. Currently getting the following error:
    {"status":400,"statusText":"Bad Request","payload":"client.instanceId or client.targetOrigin not supplied"}

  5. Temp Temp

    Everything is working properly. But I am getting service provider information and session id but not getting identity provider information. Please tell me what I should do to get it? It also invoked the sfdc.canvas.onready() function, but the remaining part was not invoked. Please help me, what should I do for this? And how to fetch data from one instance to another instance, and also how to insert/update data?

    You are my inspiration, boss….

  6. Temp Temp

    I am integrating Salesforce with a .NET application. It is working properly; I am fetching Salesforce information in the .NET application. But my problem is how to insert the .NET data into Salesforce, and one more problem is that my .NET application is password protected, so whenever I refresh it says unauthorized credentials. Please help me, what should I do for this?
    How to write the life cycle for this?

  7. Karti

    Hi – Thanks for the wonderful post. Even though I was able to follow the steps, at certain points I get into trouble learning how the configuration works internally. Can you please advise some study path that will give me enough information to help me understand the concept better?

    Thanks in advance

  8. Jeeva

    When I implemented all of the above, I see a Salesforce website opening up when I click on Canvas S2S. How can I display the Visualforce page?

  9. Poulami Banerjee

    Hi,

    I followed your instructions and the Visualforce page is opening as expected. But I want to open the other Salesforce application in the canvas and not the Visualforce page.
    When I try to change the Canvas URL to the Target URL, I am getting the error “ refused to connect”.
    Please help me to open the third party application in the Canvas app.

  10. Pradeep

    It worked for me, thank you. It's a good learning.
