Sunday, May 25, 2014

Configuring Salesforce outbound provisioning with WSO2 IS

Provisioning is a simple way to provision users in to different domains with new Identity Provisioning framework.
This example is explained how to configure Salesforce as the Identity Provider to provision the users from WSO2 Identity Server.

Configure Salesforce :

  • Following is a screenshot of a connected app created to configure WSO2 IS.
Figure 1 : Connected App


  • Once you create the connected app, you will be getting the Consumer Key and the Consumer Secret of the app.
Figure 2 : keys


  • Next you should select the your connected app to the profile you are going to use to assign when you add users in to Salesforce.
  • This can be viewed in the Manage Profile sections in the setup page. When you click on that, it will list down the existing profiles.
Figure 3 : Profiles


  • As an example, if we are going to use the profile “Chatter Free User” click on edit mode and select the connected app you created to configure with WSO2 IS as given in the following screen.
Figure 4 : Profile and select the connected app 

  • Now we have done the required configurations needed in Salesforce side.

Configure WSO2 IS :


  • This feature is introduced with WSO2 IS 5.0.0.
  • Salesforce user login is an email address. Therefore you need to configure WSO2 IS to enable email address for user login. In order to do that follow the below steps :
If the user store is MySQL :

  • Step1 : Open carbon.xml in IS_HOME/repository/conf and uncomment
 <EnableEmailUserName>true</EnableEmailUserName>  

  • Step2 : Open user-mgt.xml in IS_HOME/repository/conf and uncomment JDBC configurations org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager And Comment default LDAP user store manager configurations.
 org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager  

  • Step3 : Please add following property under folowing configuration.  
 org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager   


 <Property name="UsernameWithEmailJavaScriptRegEx">^[_A-Za-z0-9-\+]+(\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\.[A-Za-z0-9]+)*(\.[A-Za-z]{2,})$</Property>  

* Using above property, you can change the pattern of your email address.

  • Step4 : Restart the server

Configure Identity Provider in WSO2 IS :

  • Now you have to first register Salesforce as an Identity provider. In order to d that install WSO2 server and start it up. Then when you go to home page, click on the Add Identity provider and register identity provider and save it. E.g., Salesforce.com”
  • Then you click on the the IDP and provide the basic information as given in the following image.
Figure 5 : Create IDP in WSO2 IS

  • Then you have to fill in the basic information as given in the screenshot.
Figure 6 :  Basic Information - Claims

  • Claim mapping should be done for the following mandatory fields. Alias, Email, EmailEncodingKey, LanguageLocaleKey, LastName, LocaleSidKey, ProfileId, TimeZoneSidKey, Username
  • Advance configurations can be filled in as follows.
Figure 7 : Advance Configurations

  • Then click on the Outbound provisioning Connectors section and configure for Saleforce as below :
Figure 8 : Configure Salesforce Connector

  • Values :
      - API version : Salesforce API version
      - Domain Name : Your developer environment domain URL
      - Client ID : Client ID got from the Connected app which is created
      - Client Secret : Client secret got from the Connected app created
      - username : Username of your salesforce developer account 
      - password : This should be the password followed by the security token received by the email.
E.g., <password><security token> (passwordJYn8OLa9pC8CbQWrepGQpxxcu)



Configure Service Provider in WSO2 IS :


  • If you are going to use WSO2 IS user management console to add users, you can configure the resident service provider as the service provider in WSO2 IS. Following is an illustration.
Figure 9 : Configure Resident Service Provider


  • Select the IDP configured and select the salesforce as the connector from the drop down and save it.



Add users in WSO2 IS :


  • This is the normal process of adding users through WSO2 IS administration UI. user should provide an email address as the username.
  • Create a user via UI and check whether the user is provisioned to Salesforce as follows. You will be able to see the users added.
Figure 10 : Provisioned users in salesforce



Via SCIM and Ouath bearer token:

  • If you are going to add users via SCIM and Oauth you will need to add a service provider in WSO2 IS and configure it for the added IDP and Salesforce connector as below.
Figure 11 : Configure Service provider for SCIM and Ouath bearer token

  • If you use SCIM you have to select the correct User Store Domain under Resident IDP -> Inbound Provisioning Configuration
  • Sample Requests :

Add User Via SCIM :


 curl -v -k --header "Content-Type:application/json" --user ushani@wso2.com:password --data '{"schemas":     ["urn:scim:schemas:core:1.0"],"userName":"sfuser24@wso2.com","password":"ush     anisf25","name":{"familyName":"Ushanisf24"},"emails":     ["sfuser24@wso2.com"],"entitlements":     [{"value":"00e90000001STRnAAO","display":"ChatterFreeUser"}]}' https://localhost:9463/wso2/scim/Users  


Via bearer token


 curl -v -k --header "Content-Type:application/json" --header 'Authorization: Bearer c648fcae8b7b75e7b3287e31d5886e3' --data '{"schemas":     ["urn:scim:schemas:core:1.0"],"userName":"ushani002@scimdemo.org", "password":"ushani0012", "na     me":{"familyName":"Ushani12"},"emails":     ["ushani12@gmail.com"],"entitlements":     [{"value":"00e90000001P171","display":"ChatterFreeUser"}]}' https://localhost:9463/wso2/scim/Users