Salesforce SSO JIT with AXIOM

In this blog, I am going to explain the how to configure the Just-in-Time Provisioning for SAML with AXIOM. With just-in-time provisioning, the end user identity is provisioned (created or updated) at the service provider the first time the end user tries to access the service provider’s service—without the need for prior identity provisioning activity between the identity provider and the service provider. With Salesforce Just-In-Time provisioning you can create both portal users and regular users.

1. Enabled My Domain

To enable the custom domain
Go to setup –> Administer ->Domain Management->My Domain –> create your domain and deploy user. If you have already custom domain you can ignore this step.

2. Download the certification from Idp.

In order to configure the salesforce SSO, you need certificate from the IDP . in Our case Axiom is the IDP go to the below UR

download the Download the Identity Provider Certificate

3. Federated Single Sign-On Using SAML

Navigate to “Setup | Security Controls | Single Sign-On Settings” and check “SAML Enabled” option.

4  SAML Single Sign-On Settings

Now you need to configure the SAML Single Sign-On Settings. go to setting ->Security Controls ->Single Sign-On Settings->SAML Single Sign-On Settings-> Click New

Complete the details as describes below

1.Name :- < Any Name is fine > . In this example Axiom Just IN
2.API Name :- < Auto populate from Name >
3.SAML Version :- Default 2.0 Salesforce won’t support SAML 1.0
5.Entity Id:-
6.Identity Provider Certificate: – Upload the Axiom Certificate which is downloaded in step 2
7.SAML Identity Type: – Select Assertion contains the Federation ID from the User object
8.SAML Identity Location : – Select Identity is in the NameIdentifier element of the Subject statement
9.Service Provider Initiated Request Binding: – Select Http Post
10.Identity Provider Login URL:-

11. Under “Just-in-time User Provisioning” section

Check “User Provisioning Enabled” checkbox and select User Provisioning Type as standard.

After saving the configuration looks below




5: Configured IDP (Axiom )

go to expand “SAML Identity Provider & Tester ” section. Click on the “generate a SAML Response” link to configure the IDP

1.SAML Version:- 2.0
2.Username OR Federated ID: – TestUserforDemo
3.User ID Location: – Subject
5.Entity Id:-
6.SSO Start Page:-

7.Recipient URL:-
8.User Type: – Standard

9. in “Additional Attributes” add the User information to create a salesforce user on the fly.

Note :

– If you are creating JIT Provisioning for Comunity you need to pass other “Additional Attributes” like Contact and Account details

After completing its looks as shown below.


Click On “Request SAML response” to see the to generate SAML response. After Click on “Request SAML response,”  you will see output as shown below


Now to test the SSO Click on “Login ” Button. It will create a new user in the salesforce upon login on the fly.


Salesforce Apex Setup Audit trail

Starting with Winter ’16, Salesforce allowing access Setup Audit Trail object via API. Which is having access audit trail data more than 6 months but no official confirmation on how much you can go into history

SetupAuditTrail is not a supported standard controller. Its support only queries and retrieve API calls.
You can use SOQL joins to get the information you need more quickly. For example, running SELECT CreatedBy.Name FROM SetupAuditTrail returns the first and last names of the people to make changes in Setup.
You can use where Cause and Order By Cause to perform an operation on data retrieval.
SELECT CreatedDate, CreatedBy.Username, Display, Section, Action, DelegateUser FROM SetupAuditTrail WHERE CreatedDate >= 2016-09-10T00:00:00Z AND CreatedDate <= 2016-10-01T00:00:00Z ORDER BY CreatedDate DESC.
Aggregate queries aren’t supported on SetupAuditTrail object.
Fields Supported: –
SetupAuditTrail Objects supports these fields namely Action, DelegateUser, Display, Section,
Examples: –
List listAudits = [SELECT Id,  Action, CreatedBy.Name, CreatedDate,Display,Section FROM SetupAuditTrail WHERE CreatedBy.Email LIKE ‘’];
Another Example with Last few years information.
            SELECT Id,Action,CreatedBy.Name,CreatedDate,Display,Section FROM SetupAuditTrail WHERE CreatedDate = LAST_N_YEARS:8 Order By CreatedDate DESC   Limit 10
Here is the visual force page UI

Here is Github URL for the complete example.

Salesforce Auth Provider – Twitter

In this blog post, we are going to see how to configure the twitter as auth provider to login into Salesforce.

1.Registering new OAuth app in Twitter

1: go to
2: Click on create a new app and fill the details under application details.
3.Name –<any meaning full name is fine >
4.Description * – <description about your application >
5.Website * – < your application web site >
6.Callback URL – < leave it blank at this stage. we need to update this one with Salesforce callback URL
7.Click on “Developer Agreement” terms and conditions then click on Create your twitter application.
After saving applications look as shown below.

Now go to your application click on Keys and Access tokens tab to get your Consumer Key and Consumer Secret which is required to configure in Salesforce auth provider.

2.Configuring Auth Provider in Salesforce

Now you need to configure the Twitter auth provider in Salesforce.

Login into Salesforce , Go to –> Setup –>Security Controls –> Auth. Providers –> Click on New from the Provider Type select Twitter. Fill the details as shown below.
1.Name – give it as Twitter
2.URL Suffix – give it as Twitter
3.Consumer Key – which your got from Keys and Access tokens tab from twitter application
4.Consumer Secret – which your got from Keys and Access tokens tab from twitter application
5.Custom Error URL leave it blank
6.Custom Logout URL leave it blank
7.Registration Handler – Click on Auto Generate
8.Execute Registration As Any System admin user
9.Portal – Leave it blank
10 .Icon URL – Leave it blank


3.Updating call back URL in the Twitter application:-

now you need to update the callback URL in twitter application which got it from Salesforce.go to twitter application which you created earlier -> click on Settings tabs -> update the callback URL with the sales force callback URL as shown below. then click on update settings.

4.Configure Auth Provider in My domain

Go to Setup -> Domain Management -> My Domain under
“Authentication Configuration” setting Click edit check twitter in “Authentication Service” then save it. Now go to your Salesforce domain login URL you can option to login using twitter as shown below

Once click on Login using twitter it will redirect to the twitter authentication page, click on sign in it will redirect to Salesforce.


Issue 1: – Twitter OAuth won’t share the user email as part of the OAuth API request. To solve this follow these steps

Go to
Select “I need access to special permissions”
Enter Application Name and ID. These can be obtained via — the application ID is the numeric part in the browser’s address bar after you click your app.
Permissions Request: “Email address”
Submit & wait for response
After your request is granted, an additional permission setting is added in your twitter app’s “Permission” section. Go to “Additional Permissions” and just tick the check box for “Request email addresses from users”.

Issue 2: –
The Twitter won’t support refresh token as per the document.



Salesforce Auth Provide – LinkedIn

In this blog, I am going to explain how to configure Salesforce social sign on with LinkedIn. Salesforce has a number of social sign-on options like Google, Facebook, and LinkedIn etc.Salesforce social sign gives users the option to sign-up and log in on salesforce using their account on a social network like Facebook, Twitter, or Google+. Social Sign has a number of advantages like Pre-Validated Email, rich user profile date, One Click experiences and etc. . . .

How does Social Login work?

Social Login is a simple process, with the following steps.

1. The user enters your application and selects the desired social network provider.
2. A login request is sent to the social network provider.
3. Once the social network provider confirms the user’s identity, a current user will get access to your application.
4. A new user will be registered as a new user and then logged into the application.


Custom Domain should be created and enabled for users.

 1: Creating LinkedIn Application.

Now we will see how to create LinkedIn Application. In order to enable the LinkedIn application first, log into the LinkedIn Developer Console and create a new LinkedIn Application by clicking the “Create Application” button and fill the information as explained below.

Name The name of your application.
Application Use Pick the intended use of your application.
Website URL The base URL of Salesforce. Click “Submit” to finish creating the new application.

 2: Enable LinkedIn permissions

In order to use the new LinkedIn Application with Salesforce, you need to enable the correct LinkedIn permissions.Under the “Default Application Permissions” section, enable the r_basicprofile and the r_emailaddress, rw_company_admin permissions. These permissions allow Salesforce to access the basic profile properties like email and first, middle, and last name.

Please take note of Client Id and Client Secret which will be used in Salesforce auth provides creation process.

We will be updating LinkedIn OAuth Setting later after creating auth providers in Salesforce

3: Defining LinkedIn Auth Provider in Salesforce

To Setup auth Provide in Salesforce Go to Setup->Security Control->Auth. Providers select LinkedIn in the provider and fill the information as shown below.

1.Name: Desire name as you wish, but good to keep as Auth Provider name i.e LinkedIn
2.URL Suffix: Auto Populated based on Name
3.Consumer Key: Consumer key which you got in LinkedIn Application
4.Consumer Secret: Consumer key which you got in LinkedIn Application
5.Authorize Endpoint URL: Optional, leave it blank.Authorization URL from Linked
6.Token Endpoint URL: Optional, leave it blank OAuth token URL from LinkedIn.
7.User Info Endpoint URL: Optional, leave it blank.URL to change the values requested from LinkedIn’s profile API.
8.Default Scopes: Optional, leave it blank. Default Scopes to enter a supported value or several space-separated values that represent the information you get from LinkedIn.
9.Custom Error URL: Optional, leave it blank.Custom Error URL for the provider to use to report any errors.

10.Custom Logout URL: Optional, leave it blank. Custom Logout URL to provide a specific destination for users after they log out if they authenticated using the SSO flow.
11 .Registration Handler: Apex class as the Registration Handler class. Or click Automatically create a registration handler template to create an Apex class template for the registration handler. Later we are going to edit this class
12 .Execute Registration As select the user that runs the Apex handler class. The user must have the “Manage Users” permission.
13.Portals: Include in any portals in you wish to
14.Icon URL: field to add a path to an icon to display as a button on the login page for a community.

After saving Salesforce will generate several Configuration URL

Test-Only Initialization URL—Admins use this URL to ensure that the third-party provider is set up correctly. The admin opens this URL in a browser, signs into the third party, and is redirected back to Salesforce with a map of attributes. You will able to see sample data as shown below.

Single Sign-On Initialization URL—Use this URL to perform SSO into Salesforce from a third party (using third-party credentials).

Existing User Linking URL—Use this URL to link existing Salesforce users to a third-party account. The user opens this URL in a browser, signs into the third party, signs into Salesforce and approves the link

OAuth-Only Initialization URL—Use this URL to obtain OAuth access tokens for a third party. Users must authenticate with Salesforce for the third-party service to get a token.

Callback URL—Use the callback URL for the endpoint that the authentication provider calls back to for configuration. The authentication provider has to redirect to the callback URL with information for each client configuration URL

4: Updating OAuth URL in Previously created LinkedIn Application

Copy the Callback URL and then go back to the LinkedIn application. Paste it in the OAuth 2.0 redirect URLs value as shown below the update the application.

5: Configure Auth Provides as Login Options.

You can configure the Auth Provide from Communities or from your Domain Page.
Here we are going to see how to configure form Domain Page.

Go to Setup –> Domain Management — My Domain. Edit Authentication Configuration then select the LinkedIn Check box and save it.

6: Login into Salesforce with LinkedIn Auth Provider

Go to your Domain login page to log in with LinkedIn as shown below.

Now Click Log in by using LinkedIn. You will see an error like below. No worries, It expected behavior.

Let’s fix it now.

7: Understanding and Updating System generated Registration Handler

To Set up Sign sign on you need to implement Auth. RegistrationHandler interface which is having the definition to create or update the user data appropriately.

Update the AuthRegigisration handler with the below code.


Now You can able to login into Salesforce with LinkedIn. Once you log in with Linked In , it’s going to create a new user as per the above code

Salesforce Auth Provide – Facebook

In this blog, I am going to explain how to configure Salesforce social sign on with Facebook.
Custom Domain should be created and enabled for users.
Create a Facebook application:-

First, log into the Facebook Developer Site and create a new Facebook App. You can do this by clicking the “My Apps” menu at the top of the screen and then click on the “Add a New App” button. You should see something like the following:

Enter a “Display Name” (the name of your app), and choose a category for your app. Once you’ve done this, click the “Create App ID” button.
Next, click on Settings on the left side, and make note of the App ID and App Secret. You’ll need those later when you connect your Facebook Application to Salesforce. Click “Submit” to finish creating the new application. Your App Id and App Secret looks as shown below

Configure Facebook authentication provider in your Salesforce:-

Now we are going to configure your sales force login by using the facebook. To do this , go to setup ->Security Controls ->Auth Providers -> New –>Select Facebook as Provider Type as shown below

1.Enter a Name for the provision as Facebook or you can choose your any desired name wish to have
2.Enter Consumer Key and Consumer Secret from the App Id and App Secret which you got from the Facebook application.
3.Authorize Endpoint URL and Token Endpoint URL, User Info Endpoint URL are optional and leave it as of now. ‘Automatically create a registration handler template’.this is going to create a new Apex Class which will handle the user login by using facebook. If the User is not there in salesforce it’s going to create a new user or if exists it’s going to update the user
5.Select Execute Registration As any System admin User. Make sure user is having Manage users permission

Salesforce generated Registration handler looks as shown below. you can update the Registration handler with your own logic.


Map the Callback URL in Facebook

Now you have to go back the Facebook application which you created earlier, then associated your Callback URL in Facebook as shown below.Go back to your facebook application you just created in last steps. Click on Settings in left option bar. Click on Add Platform.

Select Platform as Web Platform. Update the Salesforce callback URL in Site URL as shown below

Testing Application:-

You can test your application by simply pasting Test-Only Initialization URL in browser it will redirect to the Facebook login page.

Adding the Facebook login to My Domain:-

To available Facebook login for all the user, you must need to add it to my domain in Salesforce as shown below.Go to Setup –> Domain Management –> My Domain.go to Authentication Configuration Click edit then Select Facebook as shown below.Save it

After adding it my domain you can able to login into Salesforce by directly using your facebook from your domain login page as shown below.

Now you can able to login into Salesforce by using Facebook. once you select the facebook login it will redirect to the Facebook for login. Up success login in facebook, you will be redirected to Salesforce homepage.