Salesforce SSO JIT with AXIOM

In this blog, i am going to explain the how to configure the Just-in-Time Provisioning for SAML with AXIOM. With just-in-time provisioning, the end user identity is provisioned (created or updated) at the service provider the first time the end user tries to access the service provider’s service—without the need for prior identity provisioning activity between the identity provider and the service provider. With salesforce Just-In-Time provisioning you can create both portal users and regular users.

Step 1: – Enabled My Domain

To enable the custom domain
Go to setup –> Administer ->Domain Management->My Domain –> create your domain and deploy user. If you have already custom domain you can ignore this step.

Step 2: – Download the certification from Idp.

In order to configure the salesforce SSO, you need certificate from the IDP . in Our case Axiom is the IDP go to the below UR

download the Download the Identity Provider Certificate

Step 3: Federated Single Sign-On Using SAML

Navigate to “Setup | Security Controls | Single Sign-On Settings” and check “SAML Enabled” option.

Step 4: – SAML Single Sign-On Settings

Now you need to configure the SAML Single Sign-On Settings. go to setting ->Security Controls ->Single Sign-On Settings->SAML Single Sign-On Settings-> Click New

Complete the details as describes below

1.Name :- < Any Name is fine > . In this example Axiom Just IN
2.API Name :- < Auto populate from Name >
3.SAML Version :- Default 2.0 Salesforce won’t support SAML 1.0
5.Entity Id:-
6.Identity Provider Certificate: – Upload the Axiom Certificate which is downloaded in step 2
7.SAML Identity Type: – Select Assertion contains the Federation ID from the User object
8.SAML Identity Location : – Select Identity is in the NameIdentifier element of the Subject statement
9.Service Provider Initiated Request Binding: – Select Http Post
10.Identity Provider Login URL:-

11. Under “Just-in-time User Provisioning” section

Check “User Provisioning Enabled” checkbox and select User Provisioning Type as standard.

After saving the configuration looks below




Step 5: – Configured IDP (Axiom )
go to expand “SAML Identity Provider & Tester ” section. Click on the “generate a SAML Response” link to configure the IDP

1.SAML Version:- 2.0
2.Username OR Federated ID: – TestUserforDemo
3.User ID Location: – Subject
5.Entity Id:-
6.SSO Start Page:-

7.Recipient URL:-
8.User Type: – Standard

9. in “Additional Attributes” add the User information to create a salesforce user on the fly.

Note :

– If you are creating JIT Provisioning for Comunity you need to pass other “Additional Attributes” like Contact and Account details

After completing its looks as shown below.


Click On “Request SAML response” to see the to generate SAML response. After Click on “Request SAML response,”  you will see output as shown below


Now to test the SSO Click on “Login ” Button. It will create a new user in the salesforce upon login on the fly.



-: Salesforce Apex Setup Audit trail: –

Starting with Winter ’16, Salesforce allowing access Setup Audit Trail object via API. Which is having access audit trail data more than 6 months but no official confirmation on how much you can go into history.
SetupAuditTrail is not a supported standard controller. Its support only queries and retrieve API calls.
You can use SOQL joins to get the information you need more quickly. For example, running SELECT CreatedBy.Name FROM SetupAuditTrail returns the first and last names of the people to make changes in Setup.
You can use where Cause and Order By Cause to perform an operation on data retrieval.
SELECT CreatedDate, CreatedBy.Username, Display, Section, Action, DelegateUser FROM SetupAuditTrail WHERE CreatedDate >= 2016-09-10T00:00:00Z AND CreatedDate <= 2016-10-01T00:00:00Z ORDER BY CreatedDate DESC.
Aggregate queries aren’t supported on SetupAuditTrail object.
Fields Supported: –
SetupAuditTrail Objects supports these fields namely Action, DelegateUser, Display, Section,
Examples: –
List listAudits = [SELECT Id,  Action, CreatedBy.Name, CreatedDate,Display,Section FROM SetupAuditTrail WHERE CreatedBy.Email LIKE ‘’];
Another Example with Last few years information.
            SELECT Id,Action,CreatedBy.Name,CreatedDate,Display,Section FROM SetupAuditTrail WHERE CreatedDate = LAST_N_YEARS:8 Order By CreatedDate DESC   Limit 10
Here is the visual force page UI

Here is Github URL for the complete example.

Salesforce Auth Provider – Twitter

In this blog post, we are going to see how to configure the twitter as auth provider to login into salesforce.

Registering new OAuth app in Twitter:-

1: go to
2: Click on create a new app and fill the details under application details.
3.Name –<any meaning full name is fine >
4.Description * – <description about your application >
5.Website * – < your application website >
6.Callback URL – < leave it blank at this stage. we need to update this one with salesforce callback URL
7.Click on “Developer Agreement” terms and conditions then click on Create your twitter application.
After saving applications looks as shown below.

Now go to your application click on Keys and Access tokens tab to get your Consumer Key and Consumer Secret which are required to configure in salesforce auth provider.

Configuring Auth Provider in Salesforce:-

Now you need to configure the Twitter auth provider in salesforce.

Login into salesforce , Go to –> Setup –>Security Controls –> Auth. Providers –> Click on New from the Provider Type select Twitter. Fill the details as shown below.
1.Name – give it as Twitter
2.URL Suffix – give it as Twitter
3.Consumer Key – which your got from Keys and Access tokens tab from twitter application
4.Consumer Secret – which your got from Keys and Access tokens tab from twitter application
5.Custom Error URL leave it blank
6.Custom Logout URL leave it blank
7.Registration Handler – Click on Auto Generate
8.Execute Registration As Any System admin user
9.Portal – Leave it blank
10 .Icon URL – Leave it blank


Updating call back URL in the Twitter application:-

now you need to update the callback URL in twitter application which got it from salesforce

go to twitter application which you created earlier -> click on Settings tabs -> update the callback URL with the salesforce callback URL as shown below. then click on update settings.

Configure Auth Provider in My domain:-

Go to Setup -> Domain Management -> My Domain under
“Authentication Configuration” setting Click edit check twitter in “Authentication Service” then save it.

Now go to your salesforce domain login URL you can option to login using twitter as shown below

Once click on Login using twitter it will redirect to the twitter authentication page, click on sign in it will redirect to salesforce.


Issue 1: – Twitter OAuth won’t share the user email as part of the OAuth API request. To solve this follow these steps

Go to
Select “I need access to special permissions”
Enter Application Name and ID. These can be obtained via — the application ID is the numeric part in the browser’s address bar after you click your app.
Permissions Request: “Email address”
Submit & wait for response
After your request is granted, an addition permission setting is added in your twitter app’s “Permission” section. Go to “Additional Permissions” and just tick the check box for “Request email addresses from users”.

Issue 2: –
The Twitter won’t support refresh token as per the document.



Salesforce Auth Provide – LinkedIn

In this blog, I am going to explain how to configure salesforce social sign on with LinkedIn. Salesforce has a number of social sign-on options like google, Facebook, and LinkedIn etc.Salesforce social sign gives users the option to sign-up and login on salesforce using their account on a social network like Facebook, Twitter, or Google+. Social Sign has a number of advantages like Pre-Validated Email, rich user profile date, One Click experiences and etc. . . .

How does Social Login work?

Social Login is a simple process, with the following steps.

1. The user enters your application and selects the desired social network provider.
2. A login request is sent to the social network provider.
3. Once the social network provider confirms the user’s identity, a current user will get access to your application.
4. A new user will be registered as a new user and then logged into the application.

Custom Domain should be created and enabled for users.

Step 1: Creating LinkedIn Application.

Now we will see how to create LinkedIn Application. In order to enable the LinkedIn application first, log into the LinkedIn Developer Console and create a new LinkedIn Application by clicking the “Create Application” button and fill the information as explained below.

Name The name of your application.
Application Use Pick the intended use of your application.
Website URL The base URL of salesforce.

Click “Submit” to finish creating the new application.
Step 2: Enable LinkedIn permissions

In order to use the new LinkedIn Application with Salesforce, you need to enable the correct LinkedIn permissions.Under the “Default Application Permissions” section, enable the r_basicprofile and the r_emailaddress, rw_company_admin permissions. These permissions allow salesforce to access the basic profile properties like email and first, middle, and last name.

Please take note of Client Id and Client Secrete which will be used in Salesforce auth provides creation process.

We will be updating LinkedIn OAuth Setting later after creating auth providers in Salesforce

Step 3: Defining LinkedIn Auth Provider in Salesforce

To Setup auth Provide in Salesforce Go to setup->Security control->Auth. Providers select LinkedIn in the provider and fill the information as shown below.

1.Name: Desire name as you wish, but good to keep as Auth Provider name i.e LinkedIn
2.URL Suffix: Auto Populated based on Name
3.Consumer Key: Consumer key which you got in LinkedIn Application
4.Consumer Secret: Consumer key which you got in LinkedIn Application
5.Authorize Endpoint URL: Optional, leave it blank.Authorization URL from Linked
6.Token Endpoint URL: Optional, leave it blank OAuth token URL from LinkedIn.
7.User Info Endpoint URL: Optional, leave it blank.URL to change the values requested from LinkedIn’s profile API.
8.Default Scopes: Optional, leave it blank. Default Scopes to enter a supported value or several space-separated values that represent the information you get from LinkedIn.
9.Custom Error URL: Optional, leave it blank.Custom Error URL for the provider to use to report any errors.

10.Custom Logout URL: Optional, leave it blank. Custom Logout URL to provide a specific destination for users after they log out if they authenticated using the SSO flow.
11 .Registration Handler: Apex class as the Registration Handler class. Or click Automatically create a registration handler template to create an Apex class template for the registration handler. Later we are going to edit this class
12 .Execute Registration As select the user that runs the Apex handler class. The user must have the “Manage Users” permission.
13.Portals: Include in any portals in you wish to
14.Icon URL: field to add a path to an icon to display as a button on the login page for a community.

After saving salesforce will generate several Configuration URL

Test-Only Initialization URL—Admins use this URL to ensure that the third-party provider is set up correctly. The admin opens this URL in a browser, signs into the third party, and is redirected back to Salesforce with a map of attributes. You will able to see sample data as shown below.

Single Sign-On Initialization URL—Use this URL to perform SSO into Salesforce from a third party (using third-party credentials).

Existing User Linking URL—Use this URL to link existing Salesforce users to a third-party account. The user opens this URL in a browser, signs into the third party, signs into Salesforce and approves the link

OAuth-Only Initialization URL—Use this URL to obtain OAuth access tokens for a third party. Users must authenticate with Salesforce for the third-party service to get a token.

Callback URL—Use the callback URL for the endpoint that the authentication provider calls back to for configuration. The authentication provider has to redirect to the callback URL with information for each client configuration URL

Step 4: Updating OAuth URL in Previously created LinkedIn Application

Copy the Callback URL and then go back to the LinkedIn application. Paste it in the OAuth 2.0 redirect URLs value as show below the update the application.

Step 5: Configure Auth Provides as Login Options.

You can configure the Auth Provide from Communities or from your Domain Page.
Here we are going to see how to configure form Domain Page.

Go to Setup –> Domain Management — My Domain. Edit Authentication Configuration then select the LinkedIn Check box and save it.

Step 6: Login into Salesforce with LinkedIn Auth Provider

Go to your Domain login page to login with LinkedIn as shown below.

Now Click Log in by using LinkedIn. You will see an error like below. No worries, It expected behavior.

Let’s fix it now.

Step 7: Understanding and Updating System generated Registration Handler

To Set up Sign sign on you need to implement Auth. RegistrationHandler interface which is having the definition to create or update the user date appropriately.

Update the AuthRegigisration handler with the below code.

// This Class is template
// TODO : Modify create and update user logic based requirement
// TODO : Account and Contact Updated based on requirement .
global class AutocreatedRegHandler1486767418304 implements Auth.RegistrationHandler{

global User createUser(Id portalId, Auth.UserData data){

if (data.provider==’LinkedIn’) {
// Create Account
Account a= new Account(name = ‘LinkedIn’);
insert a ;
// Create contact
Contact c = new Contact();
c.accountId = a.Id;
c.firstName = data.firstName;
c.lastName = data.lastName;
insert c;

// Create User
User u = new User();
Profile p =[SELECT Id FROM profile WHERE name = ‘Marketing User’];
u.username = data.firstName+data.lastName+’’; =;
u.lastName = data.lastName;
u.firstName = data.firstName;
u.alias = data.firstName.substring(0, Math.min(data.firstName.length(), 5));
u.languagelocalekey = UserInfo.getLocale();
u.localesidkey = UserInfo.getLocale();
u.emailEncodingKey = ‘UTF-8’;
u.timeZoneSidKey = ‘America/Los_Angeles’;
u.profileId = p.Id;

return u;
return null ;



global void updateUser(Id userId, Id portalId, Auth.UserData data){
User u = new User(id = userId);
u.lastName = data.lastName;
u.firstName = data.firstName;
update u;
Now You can able to login into Salesforce with LinkedIn . Once you login with Linked in ,its going to create a new user as per the above code