This example is explained how to configure Salesforce as the Identity Provider to provision the users from WSO2 Identity Server.
Configure Salesforce :
- To sign up for Salesforce developer account please follow the link below :
- Once you create a developer account you should have your own developer login URL.
- You will be getting a security token by email once you create the account. If you couldn't find it, you will be able to reset it by following the steps given in the following link.
- Login in to Salesforce Dev account and then you should create a connected app to in salesforce to define Service Providers as SAML-Enabled Connected Apps. For more information please check in https://help.salesforce.com/HTViewHelpDoc?id=service_provider_define.htm&language=en_US
- Following is a screenshot of a connected app created to configure WSO2 IS.
Figure 1 : Connected App
- Once you create the connected app, you will be getting the Consumer Key and the Consumer Secret of the app.
Figure 2 : keys
- Next you should select the your connected app to the profile you are going to use to assign when you add users in to Salesforce.
- This can be viewed in the Manage Profile sections in the setup page. When you click on that, it will list down the existing profiles.
Figure 3 : Profiles
- As an example, if we are going to use the profile “Chatter Free User” click on edit mode and select the connected app you created to configure with WSO2 IS as given in the following screen.
Figure 4 : Profile and select the connected app
- Mean time you should also note down the profile id which is in the address URL. E.g., 00e90000001P171 for Chatter Free User Profile.
- Now we have done the required configurations needed in Salesforce side.
Configure WSO2 IS :
- This feature is introduced with WSO2 IS 5.0.0.
- Therefore first of all you need to download WSO2 IS 5.0.0 from the following location.
- To learn more about provisioning and Identity Server please refer the link below:
- Salesforce user login is an email address. Therefore you need to configure WSO2 IS to enable email address for user login. In order to do that follow the below steps :
If the user store is MySQL :
- Step1 : Open carbon.xml in IS_HOME/repository/conf and uncomment
<EnableEmailUserName>true</EnableEmailUserName>
- Step2 : Open user-mgt.xml in IS_HOME/repository/conf and uncomment JDBC configurations org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager And Comment default LDAP user store manager configurations.
org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager
- Step3 : Please add following property under folowing configuration.
org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager
<Property name="UsernameWithEmailJavaScriptRegEx">^[_A-Za-z0-9-\+]+(\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\.[A-Za-z0-9]+)*(\.[A-Za-z]{2,})$</Property>
* Using above property, you can change
the pattern of your email address.
- Step4 : Restart the server
Configure Identity Provider in WSO2 IS :
- Now you have to first register Salesforce as an Identity provider. In order to d that install WSO2 server and start it up. Then when you go to home page, click on the Add Identity provider and register identity provider and save it. E.g., Salesforce.com”
- Then you click on the the IDP and provide the basic information as given in the following image.
Figure 5 : Create IDP in WSO2 IS
- Identity Provider Public certificate can be downloaded from the salesforce when you click Setup → Security Controls → Certificate and Key Management.
- Then you have to fill in the basic information as given in the screenshot.
Figure 6 : Basic Information - Claims
- Claim mapping should be done for the following mandatory fields. Alias, Email, EmailEncodingKey, LanguageLocaleKey, LastName, LocaleSidKey, ProfileId, TimeZoneSidKey, Username
- Advance configurations can be filled in as follows.
Figure 7 : Advance Configurations
- Then click on the Outbound provisioning Connectors section and configure for Saleforce as below :
Figure 8 : Configure Salesforce Connector
- Values :
- API version : Salesforce API version
- Domain Name : Your developer environment domain URL
- Client ID : Client ID got from the Connected app which is created
- Client Secret : Client secret got from the Connected app created
- username : Username of your salesforce developer account
- password : This should be the password followed by the security token received by the email.
E.g., <password><security
token> (passwordJYn8OLa9pC8CbQWrepGQpxxcu)
Configure Service Provider in WSO2 IS :
- If you are going to use WSO2 IS user management console to add users, you can configure the resident service provider as the service provider in WSO2 IS. Following is an illustration.
Figure 9 : Configure Resident Service Provider
- Select the IDP configured and select the salesforce as the connector from the drop down and save it.
Add users in WSO2 IS :
- This is the normal process of adding users through WSO2 IS administration UI. user should provide an email address as the username.
- Create a user via UI and check whether the user is provisioned to Salesforce as follows. You will be able to see the users added.
Figure 10 : Provisioned users in salesforce
Via SCIM and Ouath bearer token:
- If you are going to add users via SCIM and Oauth you will need to add a service provider in WSO2 IS and configure it for the added IDP and Salesforce connector as below.
Figure 11 : Configure Service provider for SCIM and Ouath bearer token
- If you use SCIM you have to select the correct User Store Domain under Resident IDP -> Inbound Provisioning Configuration
- To get the bearer token you will need to follow the steps in :
- Sample Requests :
Add User Via SCIM :
curl -v -k --header "Content-Type:application/json" --user ushani@wso2.com:password --data '{"schemas": ["urn:scim:schemas:core:1.0"],"userName":"sfuser24@wso2.com","password":"ush anisf25","name":{"familyName":"Ushanisf24"},"emails": ["sfuser24@wso2.com"],"entitlements": [{"value":"00e90000001STRnAAO","display":"ChatterFreeUser"}]}' https://localhost:9463/wso2/scim/Users
Via bearer token
curl -v -k --header "Content-Type:application/json" --header 'Authorization: Bearer c648fcae8b7b75e7b3287e31d5886e3' --data '{"schemas": ["urn:scim:schemas:core:1.0"],"userName":"ushani002@scimdemo.org", "password":"ushani0012", "na me":{"familyName":"Ushani12"},"emails": ["ushani12@gmail.com"],"entitlements": [{"value":"00e90000001P171","display":"ChatterFreeUser"}]}' https://localhost:9463/wso2/scim/Users
