Salesforce as an OpenID Connect Identity Provider: CAS Come and See Video


Did you know that you can use Salesforce as an OpenID Connect identity provider? You can use a production instance of Salesforce as the identity provider for a sandbox. When you do UAT testing, consistently keeping sandboxes refreshed and getting all those users into all those orgs on a regular basis becomes a lot of maintenance. So this is a really nice trick for letting a user log directly into a sandbox from a production instance without needing a separate URL, without entering a username and password, and without verifying emails.


Cloud Adoption Solutions is a 100% woman-owned registered Salesforce partner, specializing in implementation, integration, and optimization for Technology, Healthcare/Life Sciences, and Financial Services/Professional Services organizations in the small and mid-commercial sectors.


global class AuthRegHandler implements Auth.RegistrationHandler {
    // First sign-in through the Auth. Provider: look up the existing sandbox user by
    // Federation ID, which the video sets to the user’s email address.
    global User createUser(Id portalId, Auth.UserData data) {
        // Throws if no sandbox user carries this Federation ID, so login fails
        // rather than silently creating a new user.
        User u = [SELECT Id FROM User WHERE FederationIdentifier = :data.email LIMIT 1];
        return u;
    }

    // Later sign-ins: nothing to sync for this use case.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
    }
}




Cheyenne Carpenter
Hi, everybody, this is Cheyenne with Cloud Adoption Solutions. And today we’re gonna go over how to use Salesforce as an OpenID Connect identity provider. So for my specific use case, I am using a production instance of Salesforce as the identity provider for a sandbox. I do a lot of UAT testing; we’ve got a lot of different users and a lot of different orgs. And when we’re consistently keeping sandboxes refreshed and trying to get all those users into all those orgs on a regular basis, it becomes a lot of maintenance. So this is a really nice trick for getting a user to log directly into a sandbox from a production instance, without needing a URL, without needing to enter a username and password or verify emails, anything like that. So the first thing you are going to need is an Apex class for an auth registration handler. This primarily consists of just three things: an Auth. Provider, a connected app, and this Apex class. And I will put this code in the description. But just so you have an idea of what it looks like, this is the Apex class; you can copy and paste this directly into the sandbox.

Okay, so the first thing I’m going to do is set this up from a sandbox environment. And for this demo, I am in two sandboxes. But let’s pretend that this sandbox is acting as our production instance. So it’s called Showcase. And then we have Showcase Dev. So this is what is going to be acting as our sandbox today. So in your sandbox environment, go ahead and open up your Setup.

And we’re going to navigate to Auth. Providers.

And we’re going to create a new one. Your provider type here is going to be Salesforce for this use case, and we’ll call it Showcase Dev Demo. Okay, you will need just a temporary key and secret here. It does not matter what you put in, because we’ll be coming back to this in a few minutes; the key and the secret are going to come from that connected app. These endpoint URLs, you’ll want to reuse most of them. But instead of “test” here, you’ll want to put in the domain of your identity provider, your production instance, which in my case is showcase dot sandbox dot my. Okay, so it’s going to alter slightly. And I just have these ready ahead of time. But you’ll notice the end of this URL is going to be the same: slash services slash oauth2 slash authorize. So that’s my new endpoint URL. This is the domain of my production instance. And I’ll do the same with this token endpoint URL. We’ll just swap the domain, keeping the last portion of this

and then we also want to pull in that registration handler that I showed at the beginning of this video

and you will need to execute the registration as a user

Okay, and then we will click Save and come back to this in a moment. What we need from this is the single sign-on initialization URL at the bottom, as well as the callback URL. So we’re going to flip over to our, quote unquote, production instance. Technically, I’m using a sandbox for this. But the identity provider in my case would be this sandbox, which would be your production environment in something that’s not a demo like I’m giving today. Okay. So in our production environment, let’s click Setup

and go to our connected apps.

App Manager is the correct location. And over in the top right corner, click New Connected App. Okay, so I’m going to name this; whatever you name this, just keep in mind it’s what’s going to show up in the App Manager when you search for it to log into the sandbox, so it makes sense to name it after the sandbox. We’ll call it Showcase Dev Demo Sandbox, kind of a long name. Okay, I’ll just use my email there. If we keep scrolling, we do need to enable this OAuth settings checkbox. Okay, and this callback URL comes from our Auth. Provider from our sandbox. So let’s go grab that

copy and paste, and then the scopes you’ll need here are the two scopes with “identity” in the name, this one and this one: Access the identity URL service, and Access unique user identifiers

All right.

We’ll go ahead and save this so that we can get our consumer key and secret

if you go into Manage Consumer Details

Okay, now we can copy our consumer key. And this is going into our Auth. Provider. So once again, we’re in production, getting the key and secret and then transferring that to our Auth. Provider in our sandbox. We’ll just copy this key, go back to our Auth. Provider, and then we’ll edit that temporary key we put into place. Same thing with the secret

and save

so let’s go back to our connected app for a moment. I’m looking for a setting that I forgot to mention.

I believe it’s under Manage, Edit Policies? Yes, here it is. So we went to the connected app, Manage, Edit Policies. And we need to enter two things: we need the start URL, and probably edit these permitted users. So instead of letting all users self-authorize, I’m just going to select Admin approved users. And then the start URL comes from our Auth. Provider.

It’s the single sign-on initialization URL. So I’m going to copy this from our Auth. Provider in our sandbox and paste it into our start URL from within production.

And save.


So from your connected app, you can specify profiles or permission sets. That will help you manage what users are going to be able to log in from production to sandbox and see the connected app that we’ve just built. So for simplicity’s sake, I will just use the System Administrator profile for this demo.

All right, one key piece of information here. So we’re pretty much done with the setup. But there is one thing that is necessary for this to work. And that is the Federation ID needs to be filled out for your users in your sandbox environment. So if we go to our sandbox environment and we search for some users,

I’ll show you that this one has the Federation ID here. And your Federation ID just matches the email address. This is imperative. So you could do this manually when you’re creating a sandbox, you could write an Apex class to run and do this for you whenever you create a sandbox, you could do this with a flow, or anything like that. But your users do have to have their Federation ID filled out within the sandbox. Okay. So let’s go ahead and test this out. And we’ll see how we did. Let me log out of the developer environment, the sandbox environment, so that we can truly test this.

All right. So from within our production instance, I’m going to go to the App Manager and search for the name of my connected app, which is Showcase Dev Demo Sandbox. We’ll click this and it should take us directly into our sandbox environment. Yes, great. And there is no need for the user to enter another username or anything like that. They’ll just get right in. So that is the bulk of this demo. Let me know if you have any questions or if something wasn’t clear. And I hope you try this out and implement it yourself. Thank you.
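One way to automate the Federation ID step the video calls imperative, as an added example that is not part of the video or the page’s own handler: an Apex class implementing the standard SandboxPostCopy interface, registered as the sandbox’s Apex class so it runs after every create or refresh. The class name SandboxFederationIdSetup is my own; it assumes Salesforce’s default behaviour of appending .invalid to user emails in a sandbox and strips that suffix so the Federation ID matches the production email the identity provider sends to the registration handler.

```apex
// Added example, not from the page: runs once after a sandbox is created or refreshed
// when registered as the sandbox’s Apex class (System.SandboxPostCopy interface).
global class SandboxFederationIdSetup implements SandboxPostCopy {

    global void runApexClass(SandboxContext context) {
        List<User> toUpdate = new List<User>();
        for (User u : candidateUsers()) {
            u.FederationIdentifier = federationIdFor(u.Email);
            toUpdate.add(u);
        }
        // allOrNone = false: one duplicate or invalid Federation ID must not
        // block the rest of the org; log failures so an admin can fix them by hand.
        List<Database.SaveResult> results = Database.update(toUpdate, false);
        for (Integer i = 0; i < results.size(); i++) {
            if (!results[i].isSuccess()) {
                System.debug(LoggingLevel.WARN, 'Federation ID not set for user '
                    + toUpdate[i].Id + ': ' + results[i].getErrors()[0].getMessage());
            }
        }
    }

    // Only active, standard (non-portal, non-guest) users with no Federation ID yet,
    // so a rerun after a later refresh never overwrites a value an admin set by hand.
    private static List<User> candidateUsers() {
        return [SELECT Id, Email
                FROM User
                WHERE IsActive = true
                  AND UserType = 'Standard'
                  AND Email != null
                  AND FederationIdentifier = null
                LIMIT 10000]; // DML row limit for one transaction
    }

    // A sandbox refresh rewrites emails as name@example.com.invalid; production
    // sends the real address, so the suffix must go for the handler’s lookup to match.
    @TestVisible
    private static String federationIdFor(String email) {
        return email.removeEnd('.invalid');
    }
}
```

Users whose update fails show up in the debug log; the most common cause is two sandbox users sharing one email, since FederationIdentifier must be unique per org.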
