Salesforce

Enable Keyless passwordless biometric authentication to Salesforce.

Keyless passwordless biometric authentication can address any MFA requirement for authenticating to the Salesforce portal.

This guide provides step-by-step instructions for configuring the Salesforce portal to authenticate users with Keyless passwordless biometric authentication. Keyless is set up as an authentication provider to Salesforce at the High Assurance level so that it addresses any MFA requirements. We'll also configure the Keyless enrollment features so that Salesforce users can register (enrol) for Keyless authentication.

Authentication: Configure Keyless as an Authentication Provider

To enable authentication into Salesforce via Keyless, you need to add Keyless as an authentication provider in Salesforce.

As part of the onboarding process you’ll receive the following pieces of information from Keyless to complete an authentication provider configuration in Salesforce:

All configuration steps outlined below need to be performed on the Salesforce portal with administrative privileges.

  1. Create an OIDC Auth Provider

    • Identity → Auth Providers → New

    • Select OpenID Connect as the provider type

  2. Populate the configuration parameters from the information provided by the Keyless team to complete the auth provider configuration, as shown below

  3. Make a note of the URLs under the Salesforce Configuration section

    • Callback URL: needs to be provided to the Keyless team to complete the authentication provider configuration on the Keyless end

    • Existing User Linking URL: use this URL to link existing Salesforce users to their respective Keyless accounts

  • The following is a sample registration handler (an Apex class implementing Auth.RegistrationHandler) that can be set as the Registration Handler of the auth provider

    // Example Registration Handler
    global class KLRegHandler101 implements Auth.RegistrationHandler {

        global User createUser(Id portalId, Auth.UserData data) {

            // The user has been authenticated by Keyless, so create their Salesforce user
            User u = new User();
            Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
            // TODO: Customize the username. Also check that the username doesn't already exist and
            // possibly ensure there are enough org licenses to create a user. Must be 80 characters
            // or less.
            // Log the attributes sent by the identity provider (useful to find the attribute names)
            for (String key : data.attributeMap.keySet()) {
                System.debug('Create Incoming Attr Map key: [' + key + '] value: [' + data.attributeMap.get(key) + ']');
            }
            u.username = data.username;
            u.email = data.email;
            u.lastName = data.lastName;
            u.firstName = data.firstName;

            // Alias is limited to 8 characters; guard against a missing username
            String alias = data.username;
            if (alias != null && alias.length() > 8) {
                alias = alias.substring(0, 8);
            }
            u.alias = alias;
            u.languagelocalekey = UserInfo.getLanguage();
            u.localesidkey = UserInfo.getLocale();
            u.emailEncodingKey = 'UTF-8';
            // TimeZoneSidKey is a required User field; getTimeZone() returns a TimeZone object, so use its ID
            u.timeZoneSidKey = UserInfo.getTimeZone().getID();
            u.profileId = p.Id;
            return u;
        }

        global void updateUser(Id userId, Id portalId, Auth.UserData data) {
            // Query the existing user so the current (pre-update) values can be inspected
            User u = [SELECT Id, Username, Email, FirstName, LastName, Alias, ProfileId, EmailEncodingKey
                      FROM User WHERE Id = :userId];
            // TODO: Customize the username. Must be 80 characters or less.
            // u.username = data.username + '@myorg.com';
            for (String key : data.attributeMap.keySet()) {
                System.debug('Updt Incoming Attr Map key: [' + key + '] value: [' + data.attributeMap.get(key) + ']');
            }

            System.debug('Updt Pre Username: ' + u.username);
            System.debug('Updt Pre Email: ' + u.email);
            System.debug('Updt Pre SN: ' + u.lastName);
            System.debug('Updt Pre Alias: ' + u.alias);
            System.debug('Updt Pre Profile: ' + u.profileId);
            System.debug('Updt Pre First Name: ' + u.firstName);
            System.debug('Updt Pre Email Enc: ' + u.emailEncodingKey);

            // Refresh the name fields from the identity provider on each login (LastName is required, so keep it if absent)
            u.firstName = data.firstName;
            if (String.isNotBlank(data.lastName)) {
                u.lastName = data.lastName;
            }
            update u;
        }
    }
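As an added example (not part of the original guide or Keyless's own code), here is a fail-closed variant of the registration handler: it does not auto-provision users unless an explicit flag is set, so identities are bound to users only through the Existing User Linking flow; when provisioning is enabled it validates the identity data and enforces username uniqueness; and it never lets a later login overwrite the username, email or profile. The profile name and the ALLOW_JIT_PROVISIONING flag are hypothetical placeholders.

```apex
global class KeylessRegHandler implements Auth.RegistrationHandler {
    public class RegistrationException extends Exception {}

    // Hypothetical names, not from the guide: a least-privilege profile reserved for
    // federated users, and a flag controlling whether just-in-time creation is allowed.
    private static final String FEDERATED_PROFILE = 'Keyless Federated User';
    private static final Boolean ALLOW_JIT_PROVISIONING = false;

    global User createUser(Id portalId, Auth.UserData data) {
        // Fail closed: throwing here denies the login instead of creating a user,
        // so an unlinked identity must go through the Existing User Linking URL.
        if (!ALLOW_JIT_PROVISIONING) {
            throw new RegistrationException('Account not linked. Use the account linking URL.');
        }
        if (String.isBlank(data.email) || String.isBlank(data.username)
                || !data.username.contains('@') || data.username.length() > 80) {
            throw new RegistrationException('Identity provider returned an unusable username or email');
        }
        // Never create a second user for an identity that already exists in the org.
        if (![SELECT Id FROM User WHERE Username = :data.username OR Email = :data.email].isEmpty()) {
            throw new RegistrationException('A user already exists for this identity; link it instead');
        }
        Profile p = [SELECT Id FROM Profile WHERE Name = :FEDERATED_PROFILE LIMIT 1];
        User u = new User();
        u.Username = data.username;
        u.Email = data.email;
        u.FirstName = data.firstName;
        u.LastName = String.isBlank(data.lastName) ? data.username.substringBefore('@') : data.lastName;
        u.Alias = data.username.substringBefore('@').left(8);   // Alias is limited to 8 characters
        u.LanguageLocaleKey = UserInfo.getLanguage();
        u.LocaleSidKey = UserInfo.getLocale();
        u.TimeZoneSidKey = UserInfo.getTimeZone().getID();
        u.EmailEncodingKey = 'UTF-8';
        u.ProfileId = p.Id;
        return u;
    }

    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        // Username, Email and Profile stay under administrator control; only the
        // display names are refreshed from the identity provider on later logins.
        User u = [SELECT Id, FirstName, LastName FROM User WHERE Id = :userId];
        if (String.isNotBlank(data.firstName)) { u.FirstName = data.firstName; }
        if (String.isNotBlank(data.lastName)) { u.LastName = data.lastName; }
        update u;
    }
}
```

The class is set as the Registration Handler on the auth provider in place of the sample above; the exception message is what the user sees on the Salesforce login error page.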

  4. Update the domain configuration to enable the Keyless authentication option on the login page

    • Company Settings → My Domain

    • Edit Authentication Configuration

    • Enable Keyless

  5. Configure Keyless as a High Assurance authentication mechanism

  6. Send the Callback URL to the Keyless team to complete the authentication provider configuration on the Keyless end.

Keyless authentication is now enabled.

Enrollment: Salesforce Configuration

To enable enrollment of Salesforce users with Keyless, we'll need to configure Salesforce as an OIDC Identity Provider and Keyless as an OIDC Relying Party / Service Provider.

Make sure you have the following information from Keyless before proceeding with the configuration:

We'll configure SFDC as an OIDC IdP and Keyless as an OIDC RP.

  1. On Salesforce go to Settings → Identity → Identity Provider, enable the Identity Provider and save. Make a note of the Issuer URL; you'll need to send it to Keyless to configure the Keyless enrollment server.

    • Click the Service Provider link at the bottom to create a Connected App / Service Provider

    • Check Enable OAuth Settings to configure the OAuth/OIDC parameters

    • Enter the callback URLs of the Keyless Enrollment Server (the Login/Redirect URL, Post Logout Redirect URL and Keyless Enrollment URL, as described in the table at the beginning of this section)

  2. Click Save. Make a note of the Client ID and Client Secret for the Keyless OIDC RP; you'll need to send them to Keyless to configure the Keyless enrollment server.

  3. Click New to add a Custom Attribute

This completes the configuration on the Salesforce end. The following table summarizes the three pieces of information that the Keyless team will need to complete the configuration of the Keyless Enrollment service:

Post Configuration Walkthrough

Once the steps above are complete, we can step through the entire process of enrolling a user with Keyless and then authenticating with Keyless going forward.

Keyless Enrollment

Make sure you have a compatible mobile (android/iOS) device with Keyless Authenticator App installed. See the installation docs.

  1. Create a new Salesforce user from the SFDC dashboard (e.g. demouser@myorg-demo.com)

  2. Enrol the newly created user with Keyless (if this account is not enrolled already)

  3. From a web browser go to the Keyless Enrol Site: https://<your-keyless-registration-URL> (provided by the Keyless team)

  4. Authenticate to the SFDC portal with user ID/password (following the redirect from the Keyless Enrollment page)

  5. Click the Enrol link and scan the QR code using the Keyless Authenticator App on your mobile device

  6. Complete the registration process on your mobile device as guided by the Keyless Authenticator App

  7. The registered account will appear in the Keyless Authenticator App on the mobile device

  8. Log out of the Salesforce browser session. This completes Keyless enrollment.

Salesforce Account Linking to Keyless

  1. Link the Salesforce user to their registered Keyless account

  2. Log on to SFDC with the account linking URL

  3. The account linking URL can be found in Salesforce under Setup → Auth Providers → Salesforce Configuration section, and will look like the following: https://<your-salesforce-tenant>.my.salesforce.com/services/auth/link/keyless

  4. Authenticate with Keyless via the Keyless Authenticator App on your mobile device

  5. After a successful authentication with Keyless, the Salesforce portal will prompt you to sign in with user ID and password to link the SFDC user to the authenticated Keyless account. That completes the account linking between the SFDC and Keyless accounts.

Keyless biometric authentication to Salesforce

  1. From a browser access your Salesforce portal: https://<your-salesforce-tenant>.my.salesforce.com

  2. Log on to SFDC via Keyless: click the Sign In with Keyless button instead of providing user ID/password

  3. Authenticate via the Keyless Mobile Authenticator. That completes Keyless authentication to SFDC.
