Using Salesforce as your OpenID Connect identity provider for Single sign-on (SSO)
Single sign-on (SSO) is an authentication method that allows users to sign into multiple applications using one central set of credentials.
The credentials are stored and maintained in one system, known as the Identity Provider.
Customers who use Salesforce as their Identity Provider can use SSO to log into their Pendula tenant by creating a Salesforce Connected App.
This document describes how to create the Connected App, and the information you’ll need to supply to Pendula so that we can enable SSO for your Salesforce org.
Salesforce Connected App
A Salesforce connected app is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols, such as SAML, OAuth, and OpenID Connect.
Pendula uses OpenID Connect (OIDC) as the protocol for SSO.
The Connected App handles the OAuth authentication between Pendula and Salesforce, allowing Salesforce users to log into the Pendula app using their Salesforce credentials.
How to create a Salesforce Connected App for Pendula OIDC SSO
Salesforce documentation for creating a Connected App for OIDC SSO is available at the following link:
Follow the Salesforce documentation, and select the Pendula-specific settings for OIDC as described below. These are found in the API (Enable OAuth Settings) section of the connected app.
- Select Enable OAuth Settings to view the OAuth settings.
Callback URL
Enter the Callback URL supplied to you by Pendula as part of your request to enable SSO.
OAuth scopes
Select the following OAuth scopes.
- Access the identity URL service (id, profile, email, address, phone)
- Access unique user identifiers (openid)
- Clear the checkbox for Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows
- Select Require Secret for Web Server Flow
- Select Require Secret for Refresh Token Flow
- Select Enable Authorization Code and Credentials Flow
- Select Require user credentials in the POST body for Authorization Code and Credentials Flow
The rest of the settings in the API (Enable OAuth Settings) section can be left empty.
Salesforce profile updates
After the Connected App is created, access can be granted to any Salesforce user by updating their Profile.
Access is provided by enabling the Connected App Access Profile setting that matches the Connected App.
Requesting Salesforce OIDC SSO
The following information must be supplied to Pendula so we can configure your Pendula tenant to use Salesforce as the identity provider for OIDC SSO.
Client ID and Client Secret
The Client ID and Client Secret values are available by clicking the Manage Consumer Details button on the Manage Connected Apps page for the selected app.
To access this page, type apps into the search box in Salesforce Setup, select App Manager, then select View from the drop-down button on the right of the app name.
Clicking Manage Consumer Details opens a new tab, where you will be required to provide authentication before viewing the Consumer Key and Consumer Secret values.
These values must only be shared with Pendula via a secure method like 1Password.
Issuer URL
The Issuer URL can be obtained by navigating to the OpenID Connect discovery endpoint in Salesforce. The URL for this is
<https://MyDomainName.my.salesforce.com/.well-known/openid-configuration>
Replace MyDomainName with the My Domain name of your Salesforce org.
Navigating to this URL returns the org's OpenID Connect configuration document. Copy the value of “issuer” and share it with Pendula.
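As an added example (not Pendula's or Salesforce's own code), the following Python checks a discovery document of the kind returned by the openid-configuration URL above before its issuer is shared: it confirms the issuer is an https URL on the org's My Domain host (assumed here to be MyDomainName.my.salesforce.com), that the code-flow endpoints sit on that same host, and that the scopes and client-secret flow the settings above rely on are advertised. The sample document and the example-org domain are constructed.

```python
import json
from urllib.parse import urlparse

# Scopes the Connected App grants (the OAuth scopes step above).
REQUIRED_SCOPES = {"openid", "id", "profile", "email", "address", "phone"}

def validate_discovery(doc_json: str, my_domain: str) -> dict:
    """Check a discovery document fetched from the org's My Domain; returns
    {'issuer': str | None, 'problems': [...]}. Empty problems = safe to share."""
    doc = json.loads(doc_json)
    problems = []
    issuer = doc.get("issuer")
    if not isinstance(issuer, str) or not issuer:
        return {"issuer": None, "problems": ["issuer missing"]}
    iss = urlparse(issuer)
    # Assumption: the issuer is the org's My Domain host.
    expected_host = f"{my_domain}.my.salesforce.com".lower()
    if iss.scheme != "https":
        problems.append("issuer is not an https URL")
    if iss.netloc.lower() != expected_host:
        problems.append(f"issuer host {iss.netloc!r} does not match {expected_host!r}")
    # The code flow's endpoints must all live on the issuer host, not elsewhere.
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri"):
        ep = doc.get(key)
        if not ep:
            problems.append(f"{key} missing")
        elif urlparse(ep).netloc.lower() != iss.netloc.lower():
            problems.append(f"{key} is not on the issuer host")
    missing = REQUIRED_SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    # Require Secret for Web Server Flow: the client must authenticate with its secret.
    methods = set(doc.get("token_endpoint_auth_methods_supported", []))
    if not methods & {"client_secret_post", "client_secret_basic"}:
        problems.append("no client-secret method advertised at the token endpoint")
    return {"issuer": issuer, "problems": problems}

# Constructed sample in the shape of a Salesforce discovery document (not real org data).
SAMPLE_DOC = json.dumps({
    "issuer": "https://example-org.my.salesforce.com",
    "authorization_endpoint": "https://example-org.my.salesforce.com/services/oauth2/authorize",
    "token_endpoint": "https://example-org.my.salesforce.com/services/oauth2/token",
    "userinfo_endpoint": "https://example-org.my.salesforce.com/services/oauth2/userinfo",
    "jwks_uri": "https://example-org.my.salesforce.com/id/keys",
    "scopes_supported": ["id", "profile", "email", "address", "phone", "openid", "api"],
    "response_types_supported": ["code", "token", "token id_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
})
```

Run `validate_discovery(<document text>, "<MyDomainName>")` against the JSON your org actually returns; any entry in `problems` is worth resolving before the issuer is handed over.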
After SSO is enabled
Pendula will use the information you supply to enable OIDC SSO for your Pendula tenant. After it is enabled, you can log into your Pendula tenant by either
- navigating to the URL of your Pendula tenant and entering your Salesforce credentials
- logging into Salesforce, and then navigating to the URL of your Pendula tenant in a new browser tab.