Salesforce Single Sign-On
Set up Salesforce
To use Salesforce as your IdP, you will first need to register an OAuth application with your Salesforce tenant. This guide walks you through the most basic setup via the "Salesforce Classic Experience".
1. In the **Setup** page, under **Build** click the dropdown next to **Create** and select **Apps**.
2. Under **Connected Apps** at the bottom of the page, click on **New** at the top.
3. Fill in the following fields with whichever values you want:
   - Connected App Name
   - API Name
   - Contact Email
4. Under **API (Enable OAuth Settings)** check the box next to **Enable OAuth Settings**.
5. Fill in the **Callback URL** section with `https://{{AMBASSADOR_HOST}}/.ambassador/oauth2/redirection-endpoint`.
6. Under **Selected OAuth Scopes** you must select the `openid` scope value at the minimum. Select any other scope values you want to include in the response as well.
7. Click **Save** and **Continue** to create the application.
8. Record the **Consumer Key** and **Consumer Secret** values from the **API (Enable OAuth Settings)** section in the newly created application's description page.
After waiting for Salesforce to register the application with its servers, you should be ready to configure Ambassador Edge Stack to use Salesforce as an IdP.
Set up the Ambassador Edge Stack
After configuring an OAuth application in Salesforce, configuring Ambassador Edge Stack to make use of it for authentication is simple.
Create an OAuth Filter with the credentials from above:
```yaml
apiVersion: getambassador.io/v2
kind: Filter
metadata:
  name: salesforce
spec:
  OAuth2:
    # Salesforce's generic OpenID configuration endpoint at https://login.salesforce.com/ will work,
    # but you can also use your custom Salesforce domain, e.g. http://datawire.my.salesforce.com
    authorizationURL: https://login.salesforce.com/
    # Consumer Key from above
    clientID: {{Consumer Key}}
    # Consumer Secret from above
    secret: {{Consumer Secret}}
    # The protectedOrigin is the scheme and host of your Ambassador endpoint
    protectedOrigins:
    - origin: https://{{AMBASSADOR_HOST}}
```

Create a FilterPolicy to use the `Filter` created above:

```yaml
apiVersion: getambassador.io/v2
kind: FilterPolicy
metadata:
  name: oauth-policy
spec:
  rules:
  # Requires authentication on requests from any hostname
  - host: "*"
    # Tells Ambassador Edge Stack to apply the Filter only on requests to the quote /backend/get-quote/ endpoint
    path: /backend/get-quote/
    # Identifies which Filter to use for the path and host above
    filters:
    - name: salesforce
      # Any additional scope values granted in step 6 above can be requested with the arguments field
      # arguments:
      #   scope:
      #   - refresh_token
```

Apply both the `Filter` and `FilterPolicy` above with `kubectl`:

```shell
kubectl apply -f salesforce-filter.yaml
kubectl apply -f oauth-policy.yaml
```

Now any requests to `https://{{AMBASSADOR_URL}}/backend/get-quote/` will require authentication from Salesforce.
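The most common reason this login flow fails is a mismatch between the Callback URL registered in the Salesforce Connected App and the redirect URI that Edge Stack actually sends, which is the `protectedOrigins` origin followed by `/.ambassador/oauth2/redirection-endpoint`. The following pre-flight check is an added example, not code from the Ambassador Edge Stack project: it reads the `Filter` manifest with a plain regex (no YAML library needed), derives the redirect URI from each origin, lints the origin format, and compares the result with the callback you registered. The sample manifest, the `ambassador.example.com` host and the `PLACEHOLDER_*` credentials are constructed for the example.

```python
"""Pre-flight check for an Edge Stack OAuth2 Filter (added example, standard library only)."""
import re
from urllib.parse import urlsplit

# Redirection endpoint path documented in the guide above.
REDIRECT_PATH = "/.ambassador/oauth2/redirection-endpoint"

# Constructed sample manifest mirroring the Filter from the guide, with placeholder values.
SAMPLE_FILTER = """\
apiVersion: getambassador.io/v2
kind: Filter
metadata:
  name: salesforce
spec:
  OAuth2:
    authorizationURL: https://login.salesforce.com/
    clientID: PLACEHOLDER_CONSUMER_KEY
    secret: PLACEHOLDER_CONSUMER_SECRET
    protectedOrigins:
    - origin: https://ambassador.example.com
"""

_ORIGIN_RE = re.compile(r"^\s*-\s*origin:\s*(\S+)\s*$", re.MULTILINE)
_AUTHURL_RE = re.compile(r"^\s*authorizationURL:\s*(\S+)\s*$", re.MULTILINE)


def protected_origins(manifest: str) -> list:
    """Return every `- origin:` value listed under protectedOrigins, quotes stripped."""
    return [o.strip("\"'") for o in _ORIGIN_RE.findall(manifest)]


def expected_callback_urls(manifest: str) -> list:
    """Redirect URIs Edge Stack will present to Salesforce, one per protected origin
    (assumption: origin + REDIRECT_PATH, as the guide's two values imply)."""
    return [o.rstrip("/") + REDIRECT_PATH for o in protected_origins(manifest)]


def check_origin(origin: str) -> list:
    """Lint one protectedOrigins entry: it must be scheme and host only, over https."""
    problems = []
    parts = urlsplit(origin)
    if parts.scheme != "https":
        problems.append(f"{origin}: origin must use https (the auth code is redirected over it)")
    if not parts.netloc:
        problems.append(f"{origin}: origin has no host")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        problems.append(f"{origin}: origin must be scheme and host only, no path or query")
    return problems


def check_filter(manifest: str, registered_callback: str) -> list:
    """Collect every mismatch between the Filter manifest and the Salesforce Connected App."""
    problems = []
    origins = protected_origins(manifest)
    if not origins:
        return ["no protectedOrigins entries found in manifest"]
    for origin in origins:
        problems.extend(check_origin(origin))
    match = _AUTHURL_RE.search(manifest)
    if match and urlsplit(match.group(1).strip("\"'")).scheme != "https":
        problems.append("authorizationURL should use https so OIDC discovery happens over TLS")
    expected = expected_callback_urls(manifest)
    if registered_callback not in expected:
        problems.append(
            f"registered Callback URL {registered_callback!r} matches none of {expected}; "
            "Salesforce will reject the redirect_uri at login time"
        )
    return problems


if __name__ == "__main__":
    callback = "https://ambassador.example.com" + REDIRECT_PATH
    issues = check_filter(SAMPLE_FILTER, callback)
    print("ok" if not issues else "\n".join(issues))
```

Run it against your real `salesforce-filter.yaml` by reading the file into `check_filter` together with the Callback URL you typed into step 5; an empty list means the two sides agree, and each string in a non-empty list names one thing to fix before applying the manifests.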