Logging in to Salesforce with Facebook

This topic provides instructions on how to log in to Salesforce using your Facebook credentials. In this use case, Salesforce is the service provider while Facebook is the identity provider. If a user needs to log in to Salesforce, WSO2 Identity Server sends the user details to Facebook. Facebook authenticates the user credentials and, if the user exists in Facebook, the user is allowed to log in to Salesforce.

Before you begin!

When you log into Salesforce, you normally use an email address. So, to integrate this with the Identity Server, you need to configure WSO2 IS to enable users to log in using their email addresses. 

Let's get started!

Configuring Salesforce

  1. Sign up as a Salesforce developer if you don't have an account. If you already have an account, move on to step 2 and log in to Salesforce.

    1. Fill out the relevant information found in the following URL: https://developer.salesforce.com/signup

    2. Click Sign me up.

    3. You will receive a security token by email to confirm your new account. If you did not receive the email successfully, you will be able to reset it by following the steps given here.

  2. Log in with your new credentials as a Salesforce developer. Do this by clicking the Login link in the top right hand side of https://login.salesforce.com/.

  3. Click Allow to enable Salesforce to access your basic information.

  4. Once you are logged in, create a new domain and access it. 

    To do this, do the following steps.

  5. On the left navigation menu, search for Single Sign-On Settings, and click it.

  6. In the page that appears, click Edit and then select the SAML Enabled check box to enable federated single sign-on using SAML.

  7. Click Save to save this configuration change.

  8. Obtain the Salesforce certificate. You need to upload it to the Identity Server later on. Follow the steps given below to obtain the certificate.

    1. On the left navigation menu, go to Security Controls and click Certificate and Key Management.

    2. If you have not done so already, you must create the certificate first. Do the following steps to create this.

      1. Click Create Self-Signed Certificate.

      2. Enter the Label and a Unique Name, and click Save. The certificate is generated.

    3. Click the Download Certificate button to download the certificate.

  9. Click New under SAML Single Sign-On Settings. The following screen appears. 
    Ensure that you configure the following properties.

  10. Click Save to save your configurations.

  11. Search for My Domain in the search bar that is on the left navigation pane and click My Domain.

  12. Go to Domain Management in the left navigation pane and click My Domain.

  13. Click Deploy to Users. Click Ok to the confirmation message that appears.

  14. In the page that appears, you must configure the Authentication Configuration section. Scroll down to this section and click Edit.

  15. Under Authentication Service, select SSO and deselect Login Page.

  16. Click Save.

Configuring the service provider

  1. Sign in. Enter your username and password to log on to the management console.

  2. Navigate to the Main menu to access the Identity menu. Click Add under Service Providers.

  3. Fill in the Service Provider Name and provide a brief Description of the service provider. Only Service Provider Name is a required field and we use Salesforce as the name for this example.

  4. Click Register.

  5. Configuring claim mapping for Salesforce:

    1. Expand the Claim Configuration section.

    2. Select the Define Custom Claim Dialect option under Select Claim mapping Dialect.

    3. Click Add Claim URI to add custom claim mappings as follows.
      Add the following claim URIs.

    4. Select all of these claims as Requested Claims.

      Select email from the Subject Claim URI dropdown. The Subject Claim URI is important to define as it is the unique value used to identify the user. In cases where you have a user store connected to the Identity Server, this Subject Claim URI value is used to search for the user in the user store.


      For more information about claim mapping, see Claim Management.

  6. Expand the Inbound Authentication Configuration and the SAML2 Web SSO Configuration and click Configure.

  7. In the form that appears, fill out the following configuration details required for single sign-on.
    See the following table for details.

  8. Click Register to save your configurations.
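
The Subject Claim URI selected in step 5 decides which value Salesforce receives as the user's identity, so a failed login is usually diagnosed by reading the SAML response itself. The following Python is an added example, not part of the WSO2 documentation: it decodes a SAMLResponse form value captured from your own test login (assuming the HTTP-POST binding and an unencrypted assertion) and checks that the subject is the email claim. The sample response, the audience URL and the function names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def inspect_saml_response(b64_response, subject_claim="email"):
    """Decode a captured SAMLResponse and report what identifies the user.

    Inspection aid for your own test capture: no signature verification.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no unencrypted Assertion in the response")
    subject = (assertion.findtext("saml:Subject/saml:NameID", "", NS) or "").strip()
    attrs = {
        a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
        for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)
    }
    audiences = [a.text for a in assertion.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    problems = []
    if "@" not in subject:
        problems.append("NameID is not an email address")
    if subject not in attrs.get(subject_claim, []):
        problems.append(f"NameID does not match the '{subject_claim}' claim")
    return {"subject": subject, "attributes": attrs,
            "audiences": audiences, "problems": problems}

def sample_response(name_id):
    """Constructed test data (not a real capture); names are placeholders."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
 <saml:Assertion>
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://sp.example.invalid</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="email">
   <saml:AttributeValue>alice@example.com</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    # Correct mapping: subject is the email. Wrong mapping: a numeric user ID.
    for name_id in ("alice@example.com", "1234567890"):
        print(inspect_saml_response(sample_response(name_id))["problems"])
```

An empty problems list means the subject sent to the service provider is the email address; a subject that is some other identifier will not match a Salesforce user created by email address.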

Configuring the Facebook application

Configuring the identity provider

Now you have to configure WSO2 Identity Server by adding Facebook as a new identity provider.

  1. Log in to the management console as an administrator.

  2. In the Identity section under the Main tab of the management console, click Add under Identity Providers.

  3. Give a suitable name as the Identity Provider Name. In this case we can have Facebook as the identity provider name for clarity.

  4. For Identity Provider Public Certificate, choose the Salesforce certificate you downloaded in step 8 under Configuring Salesforce.

  5. Configuring claim mapping for Facebook:

    1. Expand Claim Configuration, go to Basic Claim Configuration.

    2. Select the Define Custom Claim Dialect option under Select Claim mapping Dialect.

    3. Click Add Claim Mapping to add custom claim mappings as follows.

      Do the following mappings as shown in the above image.

      You can retrieve all the public information of the user and the email address. The following are some common attribute names.

      More information is available from the following link: https://developers.facebook.com/docs/facebook-login/permissions/v2.0. You can map these attributes to any Local Claim URI that is suitable.
      For more information about claim mapping, see Claim Management.

  6. Go to Facebook Configuration under Federated Authenticators.

  7. Select both check-boxes to Enable Facebook Authenticator and make it the Default.

  8. Enter the App ID and App Secret values from the Facebook app you created in the Client ID and Client Secret fields respectively.

  9. Click Register.

You have now added the identity provider.

Configuring the federated authenticator for the service provider

The next step is to configure the federated authenticator for the service provider. In this case, the service provider is Salesforce.

  1. Return to the management console.

  2. In the Identity section under the Main tab, click List under Service Providers.

  3. Go to the service provider that you created and click Edit.

  4. Go to Local and Outbound Authentication Configuration section.

  5. Select the Identity Provider you created from the dropdown list under Federated Authentication.

  6. Ensure that the Federated Authentication radio button is selected and select Facebook from the dropdown. This is the name of the identity provider that you configured.

  7. Click Update to save the changes.

You have now added the identity provider as the federated authenticator for Salesforce.

Testing the configurations

Do the following steps to test out the configurations for a new user in Salesforce and the Identity Server.

  1. Create a user in Salesforce. This user should have the same email address as your Facebook account.

    1. Log in to the Salesforce developer account: https://login.salesforce.com/.

    2. On the left navigation pane, click Users under Manage Users.

    3. On the page that appears, click the New User button to create a new user.

    4. Create a user with the same email address as the user on Facebook. 

    5. Click Save to save your changes. An email will be sent to the email address you provided for the user.

  2. Log out of Salesforce.

  3. Access your Salesforce login URL on an incognito or private browser.

    You are directed to the Facebook Login screen.

  4. Log in using your Facebook credentials. You are then redirected back to Salesforce.
    Remember to use the same email address as the user in the Salesforce account.

You have now successfully configured WSO2 Identity Server so that you can log in to Salesforce using Facebook as the identity provider.
