Outbound Provisioning with Salesforce

This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

The WSO2 Identity Server has the ability to provision users into different domains like Salesforce, Google, Facebook, etc., using its identity provisioning framework. This topic provides instructions on how to configure Salesforce as the Identity Provider to provision the users from WSO2 Identity Server.

Configuring Salesforce

  1. Sign up as a Salesforce developer.

    1. Fill out the relevant information found in the following URL: https://developer.salesforce.com/signup

    2. Click Sign me up.

    3. You will receive a security token by email to confirm your new account. If you did not receive the email, you can reset the security token by following the steps given here.

  2. Log in with your new credentials as a Salesforce developer. Do this by clicking the Login link in the top right-hand corner of https://developer.salesforce.com/.

  3. Click Allow to enable Salesforce to access your basic information.

  4. Once you are logged in, add a connected app. See the following steps for instructions on how to do this. Also see here for more detailed information.

    1. In the Administer section of the left navigation menu, click Apps under Create.

    2. In the window that appears, click New under Connected Apps.

    3. Fill in the form that appears with relevant details.

      The following items in the form need special consideration.

    4. Click Save to add the connected app.

  5. The resulting screen displays key information that you will need to connect the Identity Server to Salesforce.

    Make a note of the following details as you will need them in upcoming configurations. 

    1. Consumer Key

    2. Consumer Secret (Click the Click to reveal link to view the consumer secret)

    3. Callback URL

  6. Add your connected app to the profile you are going to use. This is necessary because this profile is used when you add users into Salesforce from the Identity Server.

    1. A list of existing profiles can be viewed in the Profiles section under Manage Users.

    2. As an example, if you use the profile “Chatter Free User”, click Edit and select the connected app you created to configure with the Identity Server using the provided checkbox.

    3. Click Save. Make a note of the profile ID (or address URL) of the Chatter Free User profile. This should be: https://identityprovisioning-dev-ed.my.salesforce.com/00e90000001aV2o

  7. Get the public certificate for Salesforce. Do the following in order to achieve this.

    1. Click Setup at the top of the screen.

    2. In the left navigation pane, click Certificate and Key Management under Security Controls.

    3. Click Create Self-Signed Certificate.

    4. Enter the Label and a Unique Name and click Save. The certificate is generated.

    5. Click the Download Certificate button to download the certificate.

Configuring the Identity Server

Provisioning is the process of coordinating the creation of user accounts, e-mail authorizations in the form of rules and roles, and other tasks such as provisioning of resources associated with enabling new users.

  1. Download the WSO2 Identity Server from here and run it.

  2. Log in to the Management Console as an administrator.

  3. When you log into Salesforce, you normally use an email address. So, to integrate this with the Identity Server, you need to configure WSO2 IS to enable users to log in using their email addresses. In order to do that, follow the steps found in the Using Email Address as the Username topic.

  4. Restart the Identity Server.

Now that you are done with configuring the email address for use in authentication, configure the identity provider and the service provider.

Configuring the identity provider

This section includes steps on how to register Salesforce as an Identity provider.

  1. Start the WSO2 Identity Server if it is not started up already and log in using the email you configured in the realm as instructed in the Using Email Address as the Username topic.

  2. On the Management Console, click on Add under Identity Providers.

  3. In the form that appears, provide a name for your identity provider by filling in the Identity Provider Name. You can use "Salesforce.com" as an example, but this can be any name you choose. See Configuring an Identity Provider for information on registering and configuring an identity provider.

  4. Upload the Salesforce public certificate that you generated and saved in step 7 under Configuring Salesforce. Do this by clicking the Choose File button next to Identity Provider Public Certificate.

  5. Expand the Claim Configuration section of the form, followed by the Basic Claim Configuration section, and select Define Custom Claim Dialect.

  6. Click Add Claim Mapping and add the following claims.

  7. Expand the Advanced Claim Configuration section.

  8. Select the Claim URI you added from the Provisioning Claim Filter dropdown and click Add Claim.

  9. For each Claim URI, enter a default value as shown in the following sample image.

  10. Expand the Outbound Provisioning Connectors section followed by the Salesforce Provisioning Configuration section.

  11. Do the following configurations for Salesforce provisioning.

    1. Select Enable Connector to enable the Salesforce connector.

    2. Enter the API version. This is the version of the API you are using in Salesforce. To obtain this, log into https://developer.salesforce.com/ and click Setup. On the left navigation pane, click API under Develop. Generate one of the APIs listed there to check the version. This should be entered in the following format: v32.0.

    3. Enter the Domain. If you do not have a Salesforce domain, you can create a domain by logging into https://developer.salesforce.com/ and clicking Setup. On the left navigation pane, click My Domain under Domain Management. Make sure you enter the domain with an HTTPS prefix so that it resembles a URL. For example, https://identityprovisioning-dev-ed.my.salesforce.com.

    4. Enter the Client ID. This is the Consumer Key obtained in step 5 when configuring Salesforce.

    5. Enter the Client Secret. This is the Consumer Secret obtained in step 5 when configuring Salesforce.

    6. Enter the Username. This is the Salesforce username.

    7. Enter the Password. This is the Salesforce password and must be entered along with the security token, in the following format: <password><security_token> (the password immediately followed by the security token, with no separator between them).

  12. Click Register.
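The connector settings entered in step 11 (API version, domain, Consumer Key and Secret, username, password plus security token) are the inputs Salesforce's OAuth 2.0 username-password token request needs. The example below is added here and is not from the WSO2 docs or the connector's own code: it checks the formats the steps above call for, shows how the password and security token are combined, and builds the token request and the user resource URL for the configured API version. The `SalesforceConnectorConfig` names and the example domain are constructed assumptions, and the use of Salesforce's /services/oauth2/token and /services/data REST endpoints is assumed from Salesforce's public API rather than stated on this page.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed example; the hypothetical names below are not from the WSO2 docs.
API_VERSION_RE = re.compile(r"^v\d+\.\d+$")   # e.g. v32.0, the format the connector expects


@dataclass
class SalesforceConnectorConfig:
    api_version: str      # "v32.0"
    domain: str           # "https://example-dev-ed.my.salesforce.com" (https, no path)
    client_id: str        # Consumer Key of the connected app
    client_secret: str    # Consumer Secret of the connected app
    username: str         # Salesforce username (an email address)
    password: str         # Salesforce password
    security_token: str   # security token Salesforce emailed at sign-up


def validate(cfg: SalesforceConnectorConfig) -> list[str]:
    """Return the configuration problems to fix before clicking Register."""
    problems = []
    if not API_VERSION_RE.match(cfg.api_version):
        problems.append("API version must look like v32.0")
    parsed = urlparse(cfg.domain)
    if parsed.scheme != "https" or not parsed.netloc or parsed.path not in ("", "/"):
        problems.append("Domain must be an https:// URL with no path")
    if not cfg.security_token:
        problems.append("Security token is required; it is appended to the password")
    if "@" not in cfg.username:
        problems.append("Salesforce username is an email address")
    return problems


def token_request(cfg: SalesforceConnectorConfig) -> tuple[str, dict]:
    """Build the OAuth 2.0 username-password grant (assumed flow, Salesforce's
    /services/oauth2/token endpoint) that turns these settings into a session token."""
    body = {
        "grant_type": "password",
        "client_id": cfg.client_id,
        "client_secret": cfg.client_secret,
        "username": cfg.username,
        # <password><security_token>: the two are concatenated with no separator
        "password": cfg.password + cfg.security_token,
    }
    return cfg.domain.rstrip("/") + "/services/oauth2/token", body


def user_create_endpoint(cfg: SalesforceConnectorConfig) -> str:
    """REST resource a provisioning call targets for the configured API version."""
    return f"{cfg.domain.rstrip('/')}/services/data/{cfg.api_version}/sobjects/User"
```

The client secret and security token are credentials; keep them out of logs and error messages when you adapt this check.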

Configuring the service provider

For this scenario, the Identity Server acts as the service provider, so we need to add it as a resident service provider.