Salesforce - SCIM Configuration - RSA Ready Implementation Guide
a year ago

This article describes the configuration steps involved in integrating Salesforce with RSA Cloud Authentication service using SCIM. RSA Cloud Authentication Service will serve as the SCIM client with Salesforce acting as a SCIM server providing an endpoint for the SCIM client to connect.

  

Configure RSA Cloud Authentication Service as a SCIM Client

Perform these steps to configure RSA Cloud Authentication Service as a SCIM client. 
Procedure

  1. Sign in to the RSA Cloud Administration Console.
  2. Navigate to Applications > Application Catalog and choose salesforce.com.
  3. On the Basic Information page, provide a name for the Salesforce app and an optional description.
  4. If an integration for Salesforce using SAML or OIDC is needed, refer to the articles listed in the Integration Configuration section of Salesforce - RSA Ready Implementation Guide. If only fulfillment is needed, proceed to the next step.
  5. Navigate to the Fulfillment page in the left pane.
  6. Enable the fulfillment service by using the toggle button and choose the Approver Type from: None, Manager, Application Owner, Manager, and Application Owner.
  7. In the Fulfillment Configuration Type drop-down list, choose SCIM Endpoint and enter the required details.
    1. Base URI: https:// <your-salesforce-instance>.salesforce.com/services/scim/v2
    2. API Key: The refresh token obtained from step 13 in the Salesforce configuration section.
    3. Groups Object ID: (From Salesforce: Users > Profiles. Click the profile that you want the provisioned user to have and copy the ID from the URL). For example: https:// <your-salesforce-instance>.salesforce.com/<Profile_ID>
      Note: In Salesforce, profiles are an essential part of the system's security and access model. A profile defines a user's permissions, settings, and access to objects, fields, and records in Salesforce.
  8. Enable OAuth 2.0 and fill in the following details:
    1. OAuth 2.0 URL: https:// <your-salesforce-instance>.salesforce.com/services/oauth2/token
    2. Client ID: The consumer key obtained from step 9 in Salesforce configuration section.
    3. Client Secret: The consumer secret obtained from step 9 in the Salesforce configuration section.
  9. Click Save and Finish and publish the changes. 

  

Configure Salesforce as a SCIM Server

Perform these steps to configure Salesforce as a SCIM server. 
Procedure

  1. Sign in to Salesforce with an administrator account.
  2. On the Setup menu, navigate to Platform Tools > Apps > App Manager.
  3. In the main pane, choose New Connected App
    Note: Connected App will be the SCIM client that will gain access to Salesforce’s SCIM API with credentials obtained. 
  4. On the Create a Connected App page, choose Create a Connected App.
  5. In the Basic Information section, fill in the App Name, API Name, and Contact Email for the New Connected App.
  6. Under API (Enable OAuth Settings) section:
    1. Select Enable OAuth Settings.
    2. Callback URLhttps://login.salesforce.com/
    3. Under Selected OAuth Scopes, add:
      1. Manage user data via APIs (api)
      2. Perform requests at any time (refresh_token, offline_access)
    4. Clear the Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows checkbox.
  7. Click Continue to save and confirm creating the connected app.
  8. On the newly created connected app settings page, under the API (Enable OAuth Settings) section, click Manage Consumer Details.
  9. Take note of the Consumer Key (Client ID) and Consumer Secret (Client Secret).
  10. Use the following URL which contacts the authorization server of Salesforce to obtain the authorization code: 
    https://<your-salesforce-instance>.salesforce.com/services/oauth2/authorize?response_type=code&client_id=<Consumer_Key>&redirect_uri=<Callback_URL>&scope=api+refresh_token
    1. Replace <your-salesforce-instance>with your own instance from salesforce. You can obtain the instance URL by clicking on your profile icon on the page and the URL is displayed under your name.
    2. Replace the <Consumer_Key> with the one in the previous step.
    3. Replace <Callback_URL> with the URL configured in Salesforce.
  11. You will be prompted by the consent to allow access and for the permissions that were earlier identified by the Scope in the OAuth2.0 Settings. Click Allow.
  12. In the URL of your browser, the authorization code can be seen after the part “code=”. Take note of this code. 
  13. Exchange the authorization code obtained from the previous step from the Authorization Server of Salesforce to get the access token and a refresh token by running the following command after replacing the relevant values.
    curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \ -d
    "grant_type=authorization_code" \ -d
    "code=<Authorization_Code>" \ -d
    "client_id=<Consumer_Key>" \ -d
    "client_secret=<Consumer_Secret>" \ -d
    "redirect_uri=<Callback_URL>" \ https://<your-salesforce-instance>.salesforce.com/services/oauth2/token
  14. Store both tokens securely. The refresh token will be used to obtain the Access Token automatically without having the Admin manually change the Access Token when it expires in RSA Cloud Authentication Service. 

 

The configuration is complete.

Return to Salesforce - RSA Ready Implementation Guide.

Related Articles

Trending Articles

Don't see what you're looking for?