Configure Azure AD B2C as Auth Provider in Salesforce
Question
I am trying to configure Azure AD B2C as auth provider to Salesforce. I followed the instructions in http://salesforce.vidyard.com/watch/kcgTXQytUb6INIs2g3faKg (instead of google used Azure AD B2C).
When I click on the test-only initialization URL I get the following error
My B2C set up is very basic. I just have an email provider and an out-of-the-box sign-in sign-up policy.
Any help will be greatly appreciated.
Answer
I'm late to the party but I wanted to post here in case anyone else can use this information. We followed the below steps with an ordinary Custom Policy returning a JWT token. Notice steps 4-5 under Create an Azure AD B2C Application and step 8 under Configure Salesforce Auth. Provider, these will pull back an Access Token from Azure AD B2C.
Create an Azure AD B2C Application
- Log into the Azure AD B2C instance you wish to connect to.
- Go to Applications. Click + Add.
- Add https://www.salesforce.com as a Reply URL. Click Create.
- Select the new app you just created. Save the Application ID.
- Click Published Scope. Add read as a scope. Click Save.
- Save the Full Scope Value.
- Click API access. Click + Add. Under Select API, select the name of the application. Under Select Scopes, ensure read and user_impersonation are selected.
- Click OK. Select Keys from the left nav. Click + Generate key. Click Save.
- Check the value of the generated App key. If it contains "/", "?", "&", or "%" (there may be more invalid characters), delete the generated key and repeat steps 8 and 9 until a valid key is generated. Save the valid key.
Configure Salesforce Auth. Provider
- Log into Salesforce. Go to Setup. In the Quick Find box, type Auth. Select Auth. Providers.
- Click New.
- Under Provider Type, select Open ID Connect.
- Add an informative Name. This will be displayed to users as an option when signing in. Salesforce will generate a URL Suffix.
- Place the Application ID, from Step 4 of "Create an Azure AD B2C Application", in Consumer Key. Place the App key, from Step 9 of "Create an Azure AD B2C Application", in Consumer Secret.
- Retrieve the OpenID Connect discovery endpoint of the Azure AD B2C Custom Policy you wish to integrate with. This discovery endpoint can be found at https://{tenant-id}.b2clogin.com/{tenant-id}.onmicrosoft.com/v2.0/.well-known/openid-configuration?p={policy-id}.
- Use the authorization_endpoint field in the discovery endpoint as the Authorize Endpoint URL in Salesforce. Use the token_endpoint field in the discovery endpoint as the Token Endpoint URL in Salesforce. Use the issuer field in the discovery endpoint as the Token Issuer in Salesforce.
- Place the Full Scope Value, from Step 6 of "Create an Azure AD B2C Application", in Default Scopes. Add " read" to the end. (The final value should look something like this: https://{tenant-id}.onmicrosoft.com/{application-name}/read openid)
- For Registration Handler, follow Step 11 from these directions: https://help.salesforce.com/articleView?id=sso_provider_openid_connect.htm&type=5. Note, in case that link changes: you can create a new Registration Handler using the code in this GitHub repository: https://github.com/salesforceidentity/social-signon-reghandler/blob/master/SocialRegHandler.cls. You may need to add u.CompanyName = 'CompanyName'; in the prepareUserData method.
- Pause here, we'll come back to Token Issuer.
Set up a dummy User Info endpoint
- Salesforce requires a User Info endpoint. Azure AD B2C does not provide one. You can use the code in this GitHub repository to create a version of a user info endpoint: https://github.com/azure-ad-b2c/samples/tree/master/policies/user_info
- This code will only return the claims present on the user’s token. We settled on modifying the code to run in an Azure Function.
- Whatever your solution, you should end up with a REST endpoint. Place that REST endpoint in the Token Issuer field of the Auth. Provider in Salesforce.
- Click Save.
Authorize the Callback URL in the Azure AD B2C application
- Click on the Auth Provider configured in the above steps.
- Under Salesforce Configuration, save the Single Logout URL.
- Expand Communities and save the Callback URL of the Community in which you want to enable SSO.
- Return to Azure AD B2C. Navigate to App registrations (Preview). Click All applications.
- Select the application created in "Create an Azure AD B2C Application". Click Authentication.
- Click Add URI. Add the Callback URL from Step 3. Update the Logout URL with the Single Logout URL from Step 2. Click Save.
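As an added example (not code from the answer above, nor from Salesforce or Microsoft), here is a small Python helper for the mechanical parts of the answer: it builds the policy's discovery URL from the template in step 6 of "Configure Salesforce Auth. Provider", maps the discovery document onto the three Salesforce fields from step 7, assembles the Default Scopes value following the final value shown in step 8, and screens a generated App key for the characters step 9 of "Create an Azure AD B2C Application" reports as breaking the Consumer Secret. The function names, the tenant and policy names, and the embedded discovery document are constructed placeholders; a real run would fetch the document from the live endpoint with fetch_discovery.

```python
"""Helpers for wiring an Azure AD B2C policy into a Salesforce Auth. Provider.

Added example; the function names are my own, not a Salesforce or B2C API.
"""
import json
from urllib.request import urlopen

# Characters the answer reports as unusable in the Salesforce Consumer Secret.
INVALID_KEY_CHARS = frozenset("/?&%")

# Constructed sample of a B2C discovery document (placeholder tenant "contoso",
# placeholder policy "B2C_1A_signup_signin"); not fetched from a real tenant.
SAMPLE_DISCOVERY = {
    "issuer": "https://contoso.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/",
    "authorization_endpoint": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/"
                              "B2C_1A_signup_signin/oauth2/v2.0/authorize",
    "token_endpoint": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/"
                      "B2C_1A_signup_signin/oauth2/v2.0/token",
    "jwks_uri": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/"
                "B2C_1A_signup_signin/discovery/v2.0/keys",
}


def discovery_url(tenant: str, policy: str) -> str:
    """Discovery URL template from step 6 of the Salesforce section."""
    return (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/v2.0/"
            f".well-known/openid-configuration?p={policy}")


def fetch_discovery(url: str) -> dict:
    """Fetch and parse the live discovery document (network access required)."""
    with urlopen(url, timeout=10) as resp:  # plain HTTPS GET, no credentials needed
        return json.load(resp)


def salesforce_fields(discovery_doc: dict) -> dict:
    """Map discovery fields onto the Salesforce field names from step 7.

    Raises KeyError if the policy's document lacks one of them, which is the
    signal to check that the policy id in the URL is correct.
    """
    return {
        "Authorize Endpoint URL": discovery_doc["authorization_endpoint"],
        "Token Endpoint URL": discovery_doc["token_endpoint"],
        "Token Issuer": discovery_doc["issuer"],
    }


def default_scopes(full_scope_value: str) -> str:
    """Default Scopes value shaped like the final value shown in step 8:
    the app's Full Scope Value followed by the openid scope, space-separated."""
    return f"{full_scope_value} openid"


def app_key_is_usable(app_key: str) -> bool:
    """False if the generated App key contains any character from step 9's list."""
    return not (INVALID_KEY_CHARS & set(app_key))


if __name__ == "__main__":
    print(discovery_url("contoso", "B2C_1A_signup_signin"))
    for field, value in salesforce_fields(SAMPLE_DISCOVERY).items():
        print(f"{field}: {value}")
    print("Default Scopes:", default_scopes("https://contoso.onmicrosoft.com/sf-app/read"))
    print("key usable:", app_key_is_usable("Abc/Def"))
```

Run it as-is to see the mapping against the constructed document; replace SAMPLE_DISCOVERY with fetch_discovery(discovery_url(tenant, policy)) for a real tenant. The KeyError on a missing field is deliberate: a discovery document without a token_endpoint or issuer means the wrong policy or tenant was typed into the URL, and silently defaulting those Salesforce fields would leave the provider pointing at the wrong issuer.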