Salesforce - Relying Party Configuration Using OIDC - RSA Ready Implementation Guide
Configure RSA Cloud Authentication Service
Perform these steps to configure RSA Cloud Authentication Service as Relying Party to Salesforce.Procedure
- Sign into RSA Cloud Administration Console.
- Click Authentication Clients > Relying Parties.
- On the My Relying Parties page, click Add a Relying Party.
- In Relying Party Catalog, click Add for Generic OIDC.
- On the Basic Information page, enter a name for the Service Provider in the Name field.
- Click Next Step.
- On the Authentication page, choose SecurID Access manages all authentication.
- In the Primary Authentication Method list, select your desired login method as either Password or SecurID.
- In the Access Policy list, select a policy that was previously configured.
- Click Next Step.
- Under Connection Profile, provide the following details as required.
-
- Authorization server Issuer URL is auto-populated. This URL is used in Salesforce to form the Callback URL, Token endpoint URL, and Authorize endpoint URL.
- The Redirect URL is obtained from Salesforce (see the next section).
- Provide a Client ID.
- Select a Client Authentication Method.
- Provide a client secret or generate it.
- Provide the scope as OpenID (scopes should be added in advance. See the Notes section).
- Click Save and Finish.
- Click Publish Changes.
Notes
To add scopes, click Access > OIDC Claims & Scopes.Configure Salesforce
- Sign into Salesforce admin console https://login.salesforce.com.
- Click Switch to Lightning Experience if you are using Salesforce Classic.
- Click the gear icon in the upper-right corner and click Service Setup.
- In the left pane, click Identity > Auth Providers and in the right pane, click New.
- Perform the following steps:
- For the Provider Type, select OpenID Connect.
- Enter the Name for the provider.
- Enter the URL suffix, which is used in the client configuration URLs.
- For Consumer Key, use the Client ID from the RSA connector configuration.
- For Consumer Secret, use the Client Secret from the RSA connector configuration.
- For Authorize Endpoint URL, enter the Authorization Server Issuer URL from the RSA connector. Make sure that /auth is appended at the end.
- For Token Endpoint URL, enter the Authorization Server Issuer URL from the RSA connector. Make sure that /token is appended at the end.
- For User Endpoint URL, enter the Authorization Server Issuer URL from the RSA connector. Make sure that /userinfo is appended at the end.
- Click Automatically create a registration handler under Registration Handler.
- Search for the administrator in Execute Registration As.
- Click Save.
- Click the Registration Handler link and edit the file. This code can be changed according to the requirement.
Code Snippet
//TODO:This autogenerated class includes the basics for a Registration //Handler class. You will need to customize it to ensure it meets your needs and //the data provided by the third party. global class AutocreatedRegHandler1662762939351 implements Auth.RegistrationHandler{ global User createUser(Id portalId, Auth.UserData data){ //The user is authorized, so create their Salesforce user User u = new User(); String username = data.identifier; List<User> userList = [Select Id, Name, Email, UserName From User Where ( UserName =: username) AND isActive = true ]; if(userList != null && userList.size() > 0) { u = userList.get(0); } return u; } global void updateUser(Id userId, Id portalId, Auth.UserData data){ User u = new User(id=userId); update(u); } } - Copy the Callback URL and use it as the Redirect URL in the connector (in RSA).
- Click My Domain under Company Settings.
- Under Authentication Configuration, click edit and select the auth provider created.
- Click Save.
Return to the main page.
