Configure Azure AD B2C as Auth Provider in Salesforce


Problem description

I am trying to configure Azure AD B2C as auth provider to Salesforce. I followed the instructions in http://salesforce.vidyard.com/watch/kcgTXQytUb6INIs2g3faKg (instead of google used Azure AD B2C).

When I click on the test-only initialization URL I get the following error

My B2C set up is very basic. I just have an email provider and an out-of-the-box sign-in sign-up policy.

Any help will be greatly appreciated.

Answer

I'm late to the party but I wanted to post here in case anyone else can use this information. We followed the below steps with an ordinary Custom Policy returning a JWT token. Notice steps 4-5 under Create an Azure AD B2C Application and step 8 under Configure Salesforce Auth. Provider, these will pull back an Access Token from Azure AD B2C.

Create an Azure AD B2C Application

  1. Log into the Azure AD B2C instance you wish to connect to.
  2. Go to Applications. Click + Add.
  3. Add https://www.salesforce.com as a Reply URL. Click Create.
  4. Select the new app you just created. Save the Application ID.
  5. Click Published Scope. Add read as a scope. Click Save.
  6. Save the Full Scope Value.
  7. Click API access. Click + Add. Under Select API, select the name of the application. Under Select Scopes, ensure read and user_impersonation are selected.
  8. Click OK. Select Keys from the left nav. Click + Generate key. Click Save.
  9. Check the value of the generated App key. If it contains "/", "?", "&", or "%" (there may be more invalid characters), delete the generated key and repeat steps 8 and 9 until a valid key is generated. Save the valid key.

Configure Salesforce Auth. Provider

  1. Log into Salesforce. Go to Setup. In the Quick Find box, type Auth. Select Auth. Providers.
  2. Click New.
  3. Under Provider Type, select Open ID Connect.
  4. Add an informative Name. This will be displayed to users as an option when signing in. Salesforce will generate a URL Suffix.
  5. Place the Application ID, from Step 4 of "Create an Azure AD B2C Application", in Consumer Key. Place the App key, from Step 9 of "Create an Azure AD B2C Application", in Consumer Secret.
  6. Retrieve the OpenID Connect discovery endpoint of the Azure AD B2C Custom Policy you wish to integrate with. This discovery endpoint can be found at https://{tenant-id}.b2clogin.com/{tenant-id}.onmicrosoft.com/v2.0/.well-known/openid-configuration?p={policy-id}.
  7. Use the authorization_endpoint field in the discovery endpoint as the Authorize Endpoint URL in Salesforce. Use the token_endpoint field in the discovery endpoint as the Token Endpoint URL in Salesforce. Use the issuer field in the discovery endpoint as the Token Issuer in Salesforce.
  8. Place the Full Scope Value, from Step 6 of "Create an Azure AD B2C Application", in Default Scopes. Add " read" to the end. (The final value should look something like this: https://{tenant-id}.onmicrosoft.com/{application-name}/read openid)
  9. For Registration Handler, follow Step 11 from these directions: https://help.salesforce.com/articleView?id=sso_provider_openid_connect.htm&type=5
     a. Note, in case that link changes: you can create a new Registration Handler using the code in this GitHub repository: https://github.com/salesforceidentity/social-signon-reghandler/blob/master/SocialRegHandler.cls. You may need to add u.CompanyName = 'CompanyName'; in the prepareUserData method.
  10. Pause here, we’ll come back from Token Issuer.

Set Up a Dummy User Info Endpoint

  1. Salesforce requires a User Info endpoint. Azure AD B2C does not provide one. You can use the code in this GitHub repository to create a version of a user info endpoint: https://github.com/azure-ad-b2c/samples/tree/master/policies/user_info
  2. This code will only return the claims present on the user’s token. We settled on modifying the code to run in an Azure Function.
  3. Whatever your solution, you should end up with a REST endpoint. Place that REST endpoint in the Token Issuer field of the Auth. Provider in Salesforce.
  4. Click Save.

Authorize Callback URLs in the Azure AD B2C Application

  1. Click on the Auth Provider configured in the above steps.
  2. Under Salesforce Configuration, save the Single Logout URL.
  3. Expand Communities and save the Callback URL of the Community in which you want to enable SSO.
  4. Return to Azure AD B2C. Navigate to App registrations (Preview). Click All applications.
  5. Select the application created in "Create an Azure AD B2C Application". Click Authentication.
  6. Click Add URI. Add the Callback URL from Step 3. Update the Logout URL with the Single Logout URL from Step 2. Click Save.
