If you're using Salesforce Communities, you can create a Salesforce Community integration to provide access to a Community subset of the Salesforce instance and provision Community users as external users.
When a new Community user is provisioned, Okta creates a new contact in Salesforce associated with the Salesforce account. This new contact contains the user's name and email address. This contact is necessary because Community users in Salesforce must be associated with a contact.
Secure Web Authentication (SWA) login is not supported for communities.
- On the Okta Admin Console, click Applications.
- In the search field, enter Salesforce and click Salesforce.com.
- Click the General tab, click Edit and then select Salesforce Community User from the User Profile & Type drop-down.
Optional. Edit other settings and click Save.
Configure SAML 2.0 to allow Community users to automatically log in to Salesforce:
- Click the Sign On tab and click Edit in the Settings section.
- Click View Setup Instructions, and follow the SAML setup instructions.
On the Salesforce Single Sign-On Settings page, under Endpoints, set the Login URL to the Community Login URL for your Community.
Click the Provisioning tab and select To App in the SETTINGS list.
- Click Edit, select the Create Users check box, and enter the ID of the Salesforce account in the Salesforce Account ID field.
- Click Save.
- Select To Okta in the SETTINGS list.
- Click Edit and select the Import "Customer" users check box, the Import "Partner" users check box, or both.
- Click Save.
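Because every provisioned Community user is tied to a contact on the account entered in the Salesforce Account ID field, a periodic check that each community user's contact really sits on that account catches misconfigured or drifted assignments. The following Python is an added example, not Okta or Salesforce code; it works over a constructed copy of what a Salesforce REST API SOQL query would return, and the account and record IDs in it are made up.

```python
import json

# Constructed sample of the JSON a Salesforce REST API query such as
#   SELECT Id, Username, Email, ContactId, Contact.AccountId
#   FROM User WHERE IsActive = true AND ContactId != null
# would return. All IDs and addresses below are made up for this example.
SAMPLE_QUERY_RESULT = json.dumps({
    "totalSize": 3,
    "done": True,
    "records": [
        {"Id": "005EXAMPLEUSR00001", "Username": "ana@example.com",
         "ContactId": "003EXAMPLECON00001", "Contact": {"AccountId": "001EXAMPLEACCT0001"}},
        {"Id": "005EXAMPLEUSR00002", "Username": "bo@example.com",
         "ContactId": "003EXAMPLECON00002", "Contact": {"AccountId": "001EXAMPLEOTHER001"}},
        {"Id": "005EXAMPLEUSR00003", "Username": "cy@example.com",
         "ContactId": None, "Contact": None},
    ],
})


def same_salesforce_id(a: str, b: str) -> bool:
    """Compare Salesforce record IDs in 15- or 18-character form.

    The 18-character form is the 15-character ID plus a 3-character
    checksum suffix, so comparing the first 15 characters lets an ID
    pasted from the UI match the one the API returns.
    """
    return a[:15] == b[:15]


def find_misassociated_users(query_json: str, expected_account_id: str) -> list:
    """Return (username, reason) for users whose contact is not on the expected account."""
    findings = []
    for rec in json.loads(query_json)["records"]:
        contact = rec.get("Contact")
        # A community user must have a contact; a missing link is itself a finding.
        if not rec.get("ContactId") or contact is None:
            findings.append((rec["Username"], "no contact linked"))
            continue
        account_id = contact.get("AccountId") or ""
        if not same_salesforce_id(account_id, expected_account_id):
            findings.append((rec["Username"], f"contact on account {account_id}"))
    return findings


if __name__ == "__main__":
    # The expected ID is given in its 15-character form on purpose.
    for username, reason in find_misassociated_users(SAMPLE_QUERY_RESULT, "001EXAMPLEACCT0"):
        print(f"review: {username}: {reason}")
```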