This page describes how to configure the Salesforce Connector for use with Single Sign On (SSO).
Here, you’ll use the Identity Service with Salesforce and Alfresco Content Services. There are two parts to this configuration - first configure SSO for the Salesforce Connector, and then configure your Salesforce domain to use the Identity Service as SSO.
Before you begin ensure you’ve installed:
- Alfresco Content Services 6.2.1 or above
- Alfresco Content Connector for Salesforce 2.2 or above
- Identity Service 1.3 or above
There are two parts to this configuration: configure SSO between Content Services and the Salesforce Connector and configure SSO for Salesforce
Configure SSO in Alfresco products
To configure Single Sign On (SSO) between Content Services and the Salesforce Connector, you must add your Identity Service URL to JAVA_OPTS, and also configure the X-Frame-Options and Content Security Policy settings in the Identity Service.
Ensure you have the prerequisites installed and configured first.
Stop Alfresco Content Services.
Add `JAVA_OPTS=%JAVA_OPTS% -Dsfdc.config.trustedOrigins=<Identity Service URL>` in:
For Linux based users:
For Microsoft Windows users:
Navigate to your Identity Service and log in as an Administrator.
Log in to the Administration Console.
Select the Alfresco realm from the drop list on the top left.
Go to Realm Settings > Security Defenses tab.
Add `ALLOW-FROM <Your Salesforce URL>` to the X-Frame-Options field.
Add `frame-src 'self' <Your Salesforce URL>` to the Content-Security-Policy field.
`<Your Salesforce URL>` can take two different forms. For the Classic view the URL will take the form visual.force.com. For the Lightning view the URL will take the form
Configure SSO for Salesforce
To configure Single Sign On (SSO) for use with Salesforce you must create a new Auth. Provider in Salesforce, create a Salesforce domain, configure a Custom Logout URL for Salesforce, and update the Apex Code.
To create an Auth. Provider, navigate to Salesforce and login as an Administrator.
Go to Setup Tab > Identity > Auth Providers and click New.
Select Open ID Connect from the Provider Type drop down list.
The following fields appear on the Auth. Provider Edit window:
- Provider Type: OpenID Connect
- Name: Enter a name for the authentication service.
- URL Suffix: Automatically filled in based on the name you enter.
- Consumer Key: To find this key go to Identity Service > Alfresco Realm > Clients and the client ID you have configured for Alfresco Content Services. The key is usually
- Consumer Secret:
  1. Go to the Identity Service > Alfresco Realm > Realm Settings > Keys tab.
  2. Click Public key next to the algorithm that has one.
  3. Copy and paste the key.
- Authorize Endpoint URL:
  1. Go to the Identity Service > Alfresco Realm > Realm Settings.
  2. Click the link in the Endpoints field.
  3. Copy and paste the JSON output into a reader to make it more readable.
  4. Find the value for the authorize endpoint in the JSON file.
  5. Copy and paste the value.
  Note: Keep the JSON file because it will be used to find the URLs for other fields.
- Token Endpoint URL:
  1. Find the value for `token_endpoint` in the JSON file.
  2. Copy and paste the value.
- User Info Endpoint URL:
  1. Find the value for `userinfo_endpoint` in the JSON file.
  2. Copy and paste the value.
- Token Issuer:
  1. Find the value for `issuer` in the JSON file.
  2. Copy and paste the value.
- Default Scopes: OpenID email
  Note: See Use the Scope URL Parameter for more on the use of OpenID.
- Send access token in header: Selected
- Send client credentials in header: Not Selected
- Include Consumer Secret in API Responses: Selected
- Custom Error URL: Leave empty.
- Custom Logout URL: Leave empty.
  Note: The Custom Logout URL is configured later in these steps.
- Registration Handler: Select Automatically create a registration handler template.
  Note: This creates the Apex code.
- Execute Registration As: Select an Admin user.
- Portal: None
- Icon URL: Optional. Enter a URL where an image can be found.
Enter your information in the fields and click Save.
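The two manual lookups above (the Security Defenses values derived from your Salesforce URL, and the Auth. Provider endpoint fields copied out of the Identity Service's endpoints JSON) can be done and sanity-checked by a small script. This is an added example, not code from Alfresco or Salesforce; the discovery JSON is a constructed sample using the standard OpenID Connect Discovery key names, and the host names are placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of the JSON behind the Endpoints link on the Realm Settings page.
# The key names are the standard OpenID Connect Discovery names; the host is a placeholder.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com/auth/realms/alfresco",
    "authorization_endpoint": "https://idp.example.com/auth/realms/alfresco/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.com/auth/realms/alfresco/protocol/openid-connect/token",
    "userinfo_endpoint": "https://idp.example.com/auth/realms/alfresco/protocol/openid-connect/userinfo",
    "end_session_endpoint": "https://idp.example.com/auth/realms/alfresco/protocol/openid-connect/logout",
})

# Salesforce Auth. Provider field -> discovery document key (the mapping the field list above describes).
FIELD_MAP = {
    "Authorize Endpoint URL": "authorization_endpoint",
    "Token Endpoint URL": "token_endpoint",
    "User Info Endpoint URL": "userinfo_endpoint",
    "Token Issuer": "issuer",
}


def security_defense_values(salesforce_url):
    """Values for Realm Settings > Security Defenses that let only the given Salesforce
    origin frame the Identity Service (an absolute https URL is required)."""
    parts = urlsplit(salesforce_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("Salesforce URL must be an absolute https URL")
    origin = f"{parts.scheme}://{parts.netloc}"
    return {"X-Frame-Options": f"ALLOW-FROM {origin}",
            "Content-Security-Policy": f"frame-src 'self' {origin}"}


def auth_provider_values(discovery_json):
    """Map the discovery document to the Auth. Provider endpoint fields, refusing any
    endpoint that is not https or is not served by the issuer's own host."""
    doc = json.loads(discovery_json)
    issuer_host = urlsplit(doc["issuer"]).netloc
    values = {}
    for field, key in FIELD_MAP.items():
        url = doc[key]
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.netloc != issuer_host:
            raise ValueError(f"{key} is not served by issuer host {issuer_host}: {url}")
        values[field] = url
    return values


if __name__ == "__main__":
    print(security_defense_values("https://example.visual.force.com"))
    print(json.dumps(auth_provider_values(SAMPLE_DISCOVERY), indent=2))
```

The host check is a defender's sanity check: every endpoint you paste into Salesforce should be served by the same Identity Service host as the issuer, otherwise tokens or user info would be exchanged with a different party.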
To create your domain go back to Setup Tab > Company Settings > My Domain.
Enter the name of the domain you want to use and click Check Availability.
Click Register Domain if it's available.
You will see a notice that tells you the domain is registering. This process may take 60 minutes.
Once the domain is registered you can test it. Use the Login button to log in and test the domain.
Click Deploy to Users to deploy your domain.
Click Edit under the Authentication Configuration heading.
Select the Auth. Provider service you have created under the Authentication Service heading and click Save.
To add your Custom Logout URL, copy your domain name as it appears next to Your domain name is.
Go back to Setup Tab > Identity > Auth Providers and edit the Auth. Provider you created earlier.
Paste your domain URL into the Custom Logout URL field.
Navigate to the JSON file you used earlier, find the value of `end_session_endpoint`, and also paste it into the Custom Logout URL field.
Insert `?redirect_uri=` between your domain URL and the `end_session_endpoint` value and click Save.
It should take the form of
To update the Apex code, on the Auth. Providers window click the link next to Registration Handler to open the Apex classes window.
Click Edit and change the Global Class to something more meaningful such as
Comment out the global boolean `canCreateUser(Auth.UserData data)` method and all references to it.
If you don't comment this out you will not be able to log in, because a new user will not be automatically created.
Change the value of `@myDomain.com` to your domain within the section where you create a regular standard user. To do this, within the Apex code find `u.username = data.username + '@myDomain.com'` and add your domain instead.
By doing this, when a user is created your domain name is used by default instead of `myDomain.com`.
Note: The Apex code can be configured in lots of different ways to suit your organization. See the Apex documentation at Salesforce for more: What is Apex?.