Configure Azure AD B2C as Auth Provider in Salesforce

Posted by 前提是你 on 2020-06-01 07:27:06

Question:


I am trying to configure Azure AD B2C as an auth provider for Salesforce. I followed the instructions in http://salesforce.vidyard.com/watch/kcgTXQytUb6INIs2g3faKg (using Azure AD B2C instead of Google).

When I click on the test-only initialization URL I get the following error

My B2C set up is very basic. I just have an email provider and an out-of-the-box sign-in sign-up policy.

Any help will be greatly appreciated.


Answer 1:


I'm late to the party, but I wanted to post here in case anyone else can use this information. We followed the steps below with an ordinary Custom Policy returning a JWT token. Notice steps 4-5 under "Create an Azure AD B2C Application" and step 8 under "Configure Salesforce Auth. Provider"; these will pull back an Access Token from Azure AD B2C.

Create an Azure AD B2C Application

  1. Log into the Azure AD B2C instance you wish to connect to.
  2. Go to Applications. Click + Add.
  3. Add https://www.salesforce.com as a Reply URL. Click Create.
  4. Select the new app you just created. Save the Application ID.
  5. Click Published Scope. Add read as a scope. Click Save.
  6. Save the Full Scope Value.
  7. Click API access. Click + Add. Under Select API, select the name of the application. Under Select Scopes, ensure read and user_impersonation are selected.
  8. Click OK. Select Keys from the left nav. Click + Generate key. Click Save.
  9. Check the value of the generated App key. If it contains “/”, “?”, “&”, or “%” (there may be more invalid characters), delete the generated key and repeat steps 8 and 9 until a valid key is generated. Save the valid key.

Configure Salesforce Auth. Provider

  1. Log into Salesforce. Go to Setup. In the Quick Find box, type Auth. Select Auth. Providers.
  2. Click New.
  3. Under Provider Type, select OpenID Connect.
  4. Add an informative Name. This will be displayed to users as an option when signing in. Salesforce will generate a URL Suffix.
  5. Place the Application ID, from Step 4 of “Create an Azure AD B2C Application”, in Consumer Key. Place the App key, from Step 9 of “Create an Azure AD B2C Application”, in Consumer Secret.
  6. Retrieve the OpenID Connect discovery endpoint of the Azure AD B2C Custom Policy you wish to integrate with. This discovery endpoint can be found at https://{tenant-id}.b2clogin.com/{tenant-id}.onmicrosoft.com/v2.0/.well-known/openid-configuration?p={policy-id}.
  7. Use the authorization_endpoint field in the discovery endpoint as the Authorize Endpoint URL in Salesforce. Use the token_endpoint field in the discovery endpoint as the Token Endpoint URL in Salesforce. Use the issuer field in the discovery endpoint as the Token Issuer in Salesforce.
  8. Place the Full Scope Value, from Step 6 of “Create an Azure AD B2C Application”, in Default Scopes. Add “ read” to the end. (The final value should look something like this: https://{tenant-id}.onmicrosoft.com/{application-name}/read openid)
  9. For Registration Handler, follow Step 11 from these directions: https://help.salesforce.com/articleView?id=sso_provider_openid_connect.htm&type=5. Note, in case that link changes: you can create a new Registration Handler using the code in this GitHub repository: https://github.com/salesforceidentity/social-signon-reghandler/blob/master/SocialRegHandler.cls. You may need to add u.CompanyName = 'CompanyName'; in the prepareUserData method.
  10. Pause here; we'll come back for Token Issuer.

Setup a Dummy User Info Endpoint

  1. Salesforce requires a User Info endpoint. Azure AD B2C does not provide one. You can use the code in this GitHub repository to create a version of a user info endpoint: https://github.com/azure-ad-b2c/samples/tree/master/policies/user_info
  2. This code will only return the claims present on the user’s token. We settled on modifying the code to run in an Azure Function.
  3. Whatever your solution, you should end up with a REST endpoint. Place that REST endpoint in the Token Issuer field of the Auth. Provider in Salesforce.
  4. Click Save.

Authorize the Callback URL in Azure AD B2C Application

  1. Click on the Auth Provider configured in the above steps.
  2. Under Salesforce Configuration, save the Single Logout URL.
  3. Expand Communities and save the Callback URL of the Community in which you want to enable SSO.
  4. Return to Azure AD B2C. Navigate to App registrations (Preview). Click All applications.
  5. Select the application created in “Create an Azure AD B2C Application”. Click Authentication.
  6. Click Add URI. Add the Callback URL from Step 3. Update the Logout URL with the Single Logout URL from Step 2. Click Save.
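The values the walkthrough above has you copy by hand, and the checks the dummy user info endpoint has to do before it echoes claims, as an added example that is not part of the answer and is not code from Salesforce or Microsoft. Everything in it is constructed for offline use: the tenant name `contoso`, the policy `B2C_1A_signup_signin`, the Application ID, the discovery document, the shared key and the claims. The token is signed HS256 with that constructed key purely so the example runs without a network; a real Azure AD B2C token is RS256-signed with the keys published at the discovery document's `jwks_uri`, and a production endpoint must verify against those. What the example adds to the steps: the endpoints and issuer pulled from the discovery document are pinned to https on the tenant's own b2clogin.com host, the app key is screened for the characters step 9 warns about, and the user info logic pins the signing algorithm and checks signature, issuer (the same value as the Token Issuer field), audience and validity window before returning only identity claims.

```python
"""Offline helpers for the Salesforce <-> Azure AD B2C wiring in the answer above.
Added example; not code from the answer, Salesforce or Microsoft. Tenant, policy,
app id, discovery JSON, key and claims are constructed sample values."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlparse

TENANT = "contoso"                                   # constructed tenant name
POLICY = "B2C_1A_signup_signin"                      # constructed custom policy id
APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"      # constructed Application ID
SAMPLE_DISCOVERY = {  # constructed, shaped like a real B2C discovery document
    "issuer": "https://contoso.b2clogin.com/11111111-2222-3333-4444-555555555555/v2.0/",
    "authorization_endpoint": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/"
                              "b2c_1a_signup_signin/oauth2/v2.0/authorize",
    "token_endpoint": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/"
                      "b2c_1a_signup_signin/oauth2/v2.0/token",
}

# Step 6 of "Configure Salesforce Auth. Provider": discovery URL for tenant + policy.
def discovery_url(tenant, policy):
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
            f"v2.0/.well-known/openid-configuration?p={policy}")

# Step 7: the three values to paste into Salesforce. Each must be an https URL on
# the tenant's own b2clogin.com host, so a mis-copied or tampered document is
# caught before Salesforce is pointed at it.
def salesforce_fields(discovery, tenant):
    host = f"{tenant}.b2clogin.com"
    for key in ("authorization_endpoint", "token_endpoint", "issuer"):
        u = urlparse(discovery[key])
        if u.scheme != "https" or u.hostname != host:
            raise ValueError(f"{key} is not an https URL on {host}: {discovery[key]}")
    return {"Authorize Endpoint URL": discovery["authorization_endpoint"],
            "Token Endpoint URL": discovery["token_endpoint"],
            "Token Issuer": discovery["issuer"]}

# Step 8: Default Scopes = the published scope's full value plus "openid".
def default_scopes(tenant, app_name, scope="read"):
    return f"https://{tenant}.onmicrosoft.com/{app_name}/{scope} openid"

# Step 9 of "Create an Azure AD B2C Application": screen the generated app key.
def app_key_is_usable(app_key):
    return not (set("/?&%") & set(app_key))

# ---- dummy user info endpoint: validate the bearer token, then echo its claims ----
def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_segment(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def mint_hs256_token(claims, key):
    # Only to build a sample token offline. Real B2C tokens are RS256-signed with the
    # keys at the discovery document's jwks_uri; verify against those in production.
    signing_input = f"{jwt_segment({'alg': 'HS256', 'typ': 'JWT'})}.{jwt_segment(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

EXPOSED_CLAIMS = ("sub", "name", "given_name", "family_name", "emails", "email")

def userinfo(authorization, key, issuer, client_id, now=None):
    """Raises ValueError on any failed check; the HTTP wrapper should answer 401."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise ValueError("expected 'Authorization: Bearer <jwt>'")
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # pin the algorithm; never trust the token's choice
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:                  # must equal the Token Issuer field
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("audience mismatch")        # token was minted for another app
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token not yet valid or expired")
    return {k: claims[k] for k in EXPOSED_CLAIMS if k in claims}

def rejected(fn, *args, **kwargs):
    """True when fn raises ValueError; used to exercise the negative paths."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False
```

`userinfo` deliberately returns only the identity claims the registration handler needs rather than the whole payload, so scope and policy claims never leak to the caller; if the access token's `aud` is the Application ID from step 4 the check above passes, and any token minted for another app, by another issuer, or outside its `nbf`/`exp` window is refused before a single claim is read.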



Answer 2:


Are you able to test this login endpoint in your terminal using curl, to ensure it is returning the token?

curl -v https://<Azure login endpoint> -d "grant_type=password"  -d "username=user@login.demo" -d "password=password"

You may need to add additional parameters to the curl command for Azure (perhaps a client id and client secret?).



Source: https://stackoverflow.com/questions/55248144/configure-azure-ad-b2c-as-auth-provider-in-salesforce
