Identity and Access Management

Terms in this set (25)

All types of OAuth 2.0 flows, except for the SAML Assertion flow, require that you define a connected app.

A connected app integrates an application with Salesforce using APIs. Connected apps use standard SAML and OAuth protocols to authenticate, provide single sign-on, and provide tokens for use with Salesforce APIs.
The developer creates the connected app and defines the API integration, providing OAuth metadata about the app, such as:

Basic descriptive and contact information for the connected app
The OAuth scopes and callback URL for the connected app

The admin defines policies for the app, including:

Optional IP ranges where the connected app can run
Optional information about mobile policies that the connected app can enforce

The connected app wizard walks you through the steps to create a connected app. To configure OAuth settings, select Enable OAuth Settings to open the API section and supply the required metadata, including the callback URL.

The callback URL is an endpoint in your application to which Salesforce can redirect the user's browser with an authentication code or access token. To protect the token, the only hostname allowed with an HTTP callback URL is localhost. Other hosts must use HTTPS. Alternatively, you can specify a URI with a custom URI scheme. This approach is often used in a User-Agent flow to pass control back to a native application. If you're using the JWT Bearer Token or SAML Bearer Assertion flows, select Use Digital Signatures and upload a signing certificate.

After you save the connected app definition, you are provided an OAuth client ID key and client secret for the connected app.

For B2C Communities, it often makes sense to let visitors self-register.

The self-registration user flow is as follows:

1. The visitor clicks or gets redirected to the Self-Registration page
2. The visitor fills in the form and submits his information
3. Salesforce creates Contact and User records
4. If the user profile has been previously added to the community, the user gets instant access to the community
5. Optionally, he receives an email (option needs to be selected in setup)

Self-Registration can be set up in three steps:

1. Enable Self-Registration in the Community
Go to the Communities setup overlay, select the "Login Page" tab, and enable Self-Registration. Optionally, select a default profile to assign to self-registered users. Only profiles that were previously added to the community are shown.

2. Customize Self-Registration Code
Edit the CommunitiesSelfRegController to include the Account ID you want to associate self-registered users with. This step is mandatory.

If you're creating a user associated with a license that does not have roles (e.g., Customer Community), you're done. Otherwise, you need to assign a role to the new user. Note that there's a known issue that forces all self-registered users to be associated with the lowest role in the hierarchy.

In this example, we did not assign a profile ID to profileID because we've already associated a profile in the Self-Reg Communities setup. Setting a value in the controller will override the default Self-Reg profile.

3. Customize Self-Registration pages
We provide a default Self-Registration page called CommunitiesSelfReg that you can customize and brand as needed.
If a user doesn't create a password during self-registration—either because they left the password field blank or your organization customized the self-registration form to omit the password field—the CommunitiesSelfRegConfirm page and CommunitiesSelfRegConfirm controller confirm that a password reset email has been sent. Users landing on this page can't log in until they reset their password.