This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, go to https://wso2.com/documentation/.

Outbound Provisioning with Salesforce

Owned by Former user (Deleted)
Last updated: Apr 04, 2016 by Former user (Deleted)
7 min read

The WSO2 Identity Server has the ability to provision users into different domains like Salesforce, Google, Facebook, etc., using its identity provisioning framework. This topic provides instructions on how to configure Salesforce as the Identity Provider to provision the users from WSO2 Identity Server.

Configuring Salesforce

  1. Sign up as a Salesforce developer.
    1. Fill out the relevant information found in the following URL: https://developer.salesforce.com/signup

    2. Click Sign me up.
    3. You will receive a security token by email to confirm your new account. If you did not receive the email successfully, you will be able to reset it by following the steps given here.
  2. Log in with your new credentials as a Salesforce developer. Do this by clicking Login link in the top right hand side of https://developer.salesforce.com/.
  3. Click Allow to enable Salesforce to access your basic information.
  4. Once you are logged in, add a connected app. See the following steps for instructions on how to do this. Also see here for a more detailed information.
    1. In the Administer section of the left navigation menu, click Apps under Create.
    2. In the window that appears, click New under Connected Apps.

    3. Fill in the form that appears with relevant details.
      The following items in the form need special consideration.

      Form LabelDescription
      Connected App NameThe name of the connected app.
      API NameThe API name matches the name of the connected app. This defaults to a version of the name without spaces. Only letters, numbers, and underscores are allowed, so you must edit the default name if the original app name contains any other characters. 
      Contact EmailThe email address used by the connected app.
      Enable OAuth SettingsMake sure this checkbox is selected to enable OAuth settings for your configurations to work.
      Callback URLThe Callback URL is used for redirection. This is typically the URL that a user’s browser is redirected to after successful authentication. Use the following value here as an example: https://login.salesforce.com/services/oauth2/token
      Selected OAuth ScopesChoose Full access (full) from the Available OAuth Scopes and click the button under Add. This gives the necessary permissions when accessing this App.
    4. Click Save to add the connected app.
  5. The resulting screen displays key information that you will need to configure the Identity Server to Salesforce.
    Make a note of the following details as you will need them in upcoming configurations. 
    1. Consumer Key
    2. Consumer Secret (Click the Click to reveal link to view the consumer secret)
    3. Callback URL

  6. Add your connected app to the profile you are going to use. This is necessary as this profile is used when you add users in to Salesforce from the Identity Server. 

    1. A list of existing profiles can be viewed in the Profiles section under Manage Users

    2. As an example, if you use the profile “Chatter Free User”, click Edit and select the connected app you created to configure with the Identity Server using the provided checkbox.

    3. Click Save. Make a note of the profile ID (or address URL) of the Chatter Free User profile. This should be: https://identityprovisioning-dev-ed.my.salesforce.com/00e90000001aV2o
  7. Get the public certificate for Salesforce. Do the following in order to achieve this.
    1. Click Setup at the top of the screen.
    2. In the left navigation pane, click Certificate and Key Management under Security Controls.
    3. Click Create Self-Signed Certificate.
    4. Enter the Label and a Unique Name and click Save. The certificate is generated.
    5. Click the Download Certificate button to download the certificate.

Configuring the Identity Server

Provisioning is the process of coordinating the creation of user accounts, e-mail authorizations in the form of rules and roles, and other tasks such as provisioning of resources associated with enabling new users.

  1. Download the WSO2 Identity Server from here and run it.
  2. Log in to the Management Console as an administrator.
  3. When you log into Salesforce, you normally use an email address. So, to integrate this with the Identity Server, you need to configure WSO2 IS to enable users to log in using their email addresses. In order to do that, follow the steps found in the Using Email Address as the Username topic.
  4. Restart the Identity Server.

Now that you are done with configuring the email address for use in authentication, configure the identity provider and the service provider.

Configuring the identity provider

This section includes steps on how to register Salesforce as an Identity provider.

  1. Start the WSO2 Identity Server if it is not started up already and log in using the email you configured in the realm as instructed in the Using Email Address as the Username topic.
  2. On the Management Console, click on Add under Identity Providers.
  3. In the form that appears, provide a name for your identity provider by filling in the Identity Provider Name. You can use "Salesforce.com" as an example, but this can be any name you choose. See Configuring an Identity Provider for information on registering and configuring an identity provider.
  4. Upload the Salesforce public certificate that you generated and saved in step 7 under Configuring Salesforce. Do this by clicking the Choose File button next to Identity Provider Public Certificate.
  5. Expand the Claim Configuration section of the form, followed by the Basic Claim Configuration section, and select Define Custom Claim Dialect

  6. Click Add Claim Mapping and add the following claims.

    Identity Provider Claim URILocal Claim URI
    Aliashttp://wso2.org/claims/givenname
    Emailhttp://wso2.org/claims/emailaddress
    EmailEncodingKeyhttp://wso2.org/claims/otherphone
    LanguageLocaleKeyhttp://wso2.org/claims/dob
    LastNamehttp://wso2.org/claims/lastname
    LocaleSidKeyhttp://wso2.org/claims/primaryChallengeQuestion
    ProfileIdhttp://wso2.org/claims/role
    TimeZoneSidKeyhttp://wso2.org/claims/challengeQuestion1
    UserPermissionsCallCenterAutoLoginhttp://wso2.org/claims/telephone
    UserPermissionsMarketingUserhttp://wso2.org/claims/mobile
    UserPermissionsOfflineUserhttp://wso2.org/claims/country
    Usernamehttp://wso2.org/claims/emailaddress

  7. Expand the Advanced Claim Configuration section.
  8. Select the Claim URI you added from the Provisioning Claim Filter dropdown and click Add Claim.

  9. For each Claim URI, enter a default value as shown in the following sample image.

    Tip: The ProfileId value refers to the ID of the profile you created in Salesforce (step 6 of Configuring Salesforce). If it is the Chatter Free User profile you created, navigate to the profile in Salesforce to find the profile ID. You can do this by clicking Profiles under Manage Users in Salesforce and clicking Chatter Free User. You can get the profile ID in the URL. For example, 00e90000001aV2o is the ProfileId for https://identityprovisioning-dev-ed.my.salesforce.com/00e90000001aV2o.

  10. Expand the Outbound Provisioning Connectors section followed by the Salesforce Provisioning Configuration section.
  11. Do the following configurations for Salesforce provisioning.
    1. Select Enable Connector to enable the Salesforce connector.
    2. Enter the API version. This is the version of the API you are using in Salesforce. To obtain this, log into https://developer.salesforce.com/ and click Setup. On the left navigation pane, click API under Develop. Generate one of those APIs to check the version. This should be entered in the following format: v32.0.
    3. Enter the Domain. If you do not have a Salesforce domain, you can create a domain by logging into https://developer.salesforce.com/ and clicking Setup. On the left navigation pane, click My Domain under Domain Management. Make sure you enter the domain with an HTTPS prefix so that it resembles a URL. For example, https://identityprovisioning-dev-ed.my.salesforce.com.
    4. Enter the Client ID. This is the Consumer Key obtained in step 5 when configuring Salesforce.
    5. Enter the Client Secret. This is the Consumer Secret obtained in step 5 when configuring Salesforce.
    6. Enter the Username. This is the Salesforce username.

    7. Enter the Password. This is the Salesforce password and must be entered along with the security token. So you would enter this in the following format: <password><security_token>

      Tip: For example, if your password is "testpassword" and your security token is "37f37f4433123", the value you would enter here is "testpassword37f37f4433123".

  12. Click Register.

Configuring the service provider

For this scenario, the Identity Server acts as the service provider, so we need to add it as a resident service provider.

  1. In the Main menu under the Identity section, click List under Service Providers. The list of service providers you added appears.
  2. Click the Resident Service Provider link and expand the Outbound Provisioning Configuration in the screen that appears.

  3. Select the identity provider you configured and select salesforce from the dropdown list.

    If we enable Blocking, Identity Server will wait for the response from the Identity Provider to continue.

  4. Click Update.

Working with users

The next step is to check if Salesforce is configured properly with the Identity Server. If you add a user to the Identity Server via the management console, this user should also appear in Salesforce.

  1. On the Main tab in the Management Console, click Add under Users and Roles.
  2. Click Users. This link is only visible to users with the Admin role. 
  3. Click Add New User.
  4. Enter the username in the form of an email and enter the password.
     
  5. Assign a role to the user.

  6.  Click Finish.
  7. In Salesforce, log into https://developer.salesforce.com/ and clicking Setup. On the left navigation pane, click Users under Manage Users. You will see that the user you created in the Identity Server has been added to Salesforce as well.

You can also add users to Salesforce using SCIM. If you use SCIM you must do the following. 

  1. In the Main menu under the Identity section, click List under Identity Providers. The list of identity providers you added appears.
  2. Click the Resident Identity Provider link and expand the Inbound Provisioning Configuration in the screen that appears.
  3. Select the correct User Store Domain.

The following is a sample CURL command to add users.

 curl -v -k --header "Content-Type:application/json" --user samuel@wso2.com:password --data '{"schemas":     ["urn:scim:schemas:core:1.0"],"userName":"samuel@wso2.com","password":"test25","name":{"familyName":"Gnaniah"},"emails":     ["samuel@wso2.com"],"entitlements":     [{"value":"00e90000001aV2o","display":"ChatterFreeUser"}]}' https://localhost:9463/wso2/scim/Users