Salesforce
Enable Keyless passwordless biometric authentication to Salesforce.
Keyless passwordless biometric authentication can satisfy any MFA requirement for authenticating to the Salesforce Portal.
This guide provides a step-by-step introduction to configuring the Salesforce Portal to authenticate using Keyless passwordless biometric authentication. In this guide Keyless will be set up as an authentication provider to Salesforce at a high assurance level to address any MFA requirements. We'll also configure the Keyless enrolment features that allow Salesforce users to register/enrol for Keyless authentication.
Following is a short video showcasing the Keyless authentication experience to Salesforce.

Authentication: Configure Keyless as an Authentication Provider

In order to enable your users to authenticate into the Salesforce portal/dashboard via Keyless, you'll need to configure Keyless as an authentication provider in Salesforce.
As part of the onboarding process you'll receive the following pieces of information from Keyless to complete the authentication provider configuration in Salesforce:
Parameter                Description                                  Example
Login Icon URI           Logon icon for Keyless on the logon page     https://<your-keyless-tenant>/static/keyless.svg
Token Issuer             OIDC Issuer                                  https://<your-keyless-tenant>
Token Endpoint URL       OIDC Token Endpoint URL                      https://<your-keyless-tenant>/connect/token
Authorize Endpoint URL   OIDC Authorization Endpoint URL              https://<your-keyless-tenant>/connect/authorize
User Info Endpoint URL   OIDC User Info Endpoint URL                  https://<your-keyless-tenant>/connect/userinfo
Scope                    OIDC Scope                                   openid profile email
Consumer Key             OIDC Client ID                               -
Consumer Secret          OIDC Client Secret                           -
All configuration steps outlined below need to be performed on Salesforce portal with administrative privileges.
  • Create an OIDC Auth Provider
    • Identity → Auth Providers → New
    • Select Open Id Connect as provider type
OIDC Authentication Provider
  • Populate the configuration parameters from the information provided by the Keyless team to complete the Auth Provider configuration as shown below
Configure Keyless Auth Provider
  • Make a note of the URLs under the Salesforce Configuration section
    • Callback URL: Needs to be provided to the Keyless team to complete the authentication provider configuration on the Keyless end
    • Existing User Linking URL: Use this URL to link existing Salesforce users to their respective Keyless accounts
  • Following is a sample Registration handler code
```apex
// Example Registration Handler
global class KLRegHandler101 implements Auth.RegistrationHandler {

    global User createUser(Id portalId, Auth.UserData data) {
        // The user is authorized by Keyless, so create their Salesforce user
        User u = new User();
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User'];
        // TODO: Customize the username. Also check that the username doesn't already exist and
        // possibly ensure there are enough org licenses to create a user. Must be 80 characters
        // or less.
        for (String key : data.attributeMap.keySet()) {
            System.debug('Create Incoming Attr Map key: [' + key + '] value: [' + data.attributeMap.get(key) + ']');
        }
        u.username = data.username;
        u.email = data.email;
        u.lastName = data.lastName;
        u.firstName = data.firstName;
        // Alias is limited to 8 characters
        String alias = data.username;
        if (alias.length() > 8) {
            alias = alias.substring(0, 8);
        }
        u.alias = alias;
        u.languageLocaleKey = UserInfo.getLocale();
        u.localeSidKey = UserInfo.getLocale();
        u.emailEncodingKey = 'UTF-8';
        // TimeZoneSidKey is required to insert a User; take the running user's zone id
        u.timeZoneSidKey = UserInfo.getTimeZone().getID();
        u.profileId = p.Id;
        return u;
    }

    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = new User(Id = userId);
        // TODO: Customize the username. Must be 80 characters or less.
        // u.username = data.username + '@myorg.com';
        for (String key : data.attributeMap.keySet()) {
            System.debug('Updt Incoming Attr Map key: [' + key + '] value: [' + data.attributeMap.get(key) + ']');
        }
        System.debug('Updt Pre Username: ' + u.username);
        System.debug('Updt Pre Email: ' + u.email);
        System.debug('Updt Pre SN: ' + u.lastName);
        System.debug('Updt Pre Alias: ' + u.alias);
        System.debug('Updt Pre Profile: ' + u.profileId);
        System.debug('Updt Pre First Name: ' + u.firstName);
        System.debug('Updt Pre Email Enc: ' + u.emailEncodingKey);
        update u;
    }
}
```
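As an added example (not Keyless's sample handler and not Salesforce code), the handler below takes the opposite policy from the sample above: it never provisions a Salesforce user from Keyless claims, and attaches an unlinked Keyless identity only to an existing active user whose email the IdP asserts as verified, otherwise failing the login and pointing the person at the Existing User Linking URL described earlier. The class and exception names are hypothetical; it assumes Keyless emits the standard OIDC email_verified claim with the email scope (if not, the handler refuses, which is the safe default), and that returning a User that already has an Id from createUser links the identity to that user rather than inserting a new record.

```apex
// Added example, not Keyless's sample handler: a link-only registration handler.
// Policy: never provision a Salesforce user from Keyless claims. An unlinked
// Keyless identity is attached to an existing active user only when the IdP
// asserts the email as verified and exactly one such user exists; otherwise the
// login fails and the person is sent to the Existing User Linking URL, where
// Salesforce asks for their password before linking.
global class KLLinkOnlyRegHandler implements Auth.RegistrationHandler {

    // Hypothetical exception type; its message is shown on the login error page
    global class KLRegException extends Exception {}

    global User createUser(Id portalId, Auth.UserData data) {
        // Standard OIDC claim; assumption: Keyless emits it with the email scope.
        // If it is absent the handler refuses, which is the safe default.
        String verified = data.attributeMap.get('email_verified');
        if (String.isBlank(data.email) || !'true'.equalsIgnoreCase(verified)) {
            throw new KLRegException('Keyless assertion has no verified email; '
                + 'use the Existing User Linking URL to link your account');
        }
        // LIMIT 2 distinguishes "exactly one" from "none" and "ambiguous"
        List<User> matches = [SELECT Id FROM User
                              WHERE Email = :data.email AND IsActive = true LIMIT 2];
        if (matches.size() != 1) {
            // Unknown or ambiguous identity: refuse instead of guessing or creating
            throw new KLRegException('No unique active Salesforce user for '
                + data.email + '; use the Existing User Linking URL');
        }
        // Assumption: returning a User that already has an Id links the Keyless
        // identity to that user instead of inserting a new record
        return matches[0];
    }

    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        // Refresh display names only: username, email and profile stay under
        // Salesforce admin control, so the IdP cannot move or escalate the account
        User u = new User(Id = userId);
        if (String.isNotBlank(data.firstName)) {
            u.FirstName = data.firstName;
        }
        if (String.isNotBlank(data.lastName)) {
            u.LastName = data.lastName;
        }
        update u;
    }
}
```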
  • Update Domain Configuration to Enable Keyless Authentication Option on Logon Page
    • Company Settings → My Domain
    • Edit Authentication Configuration
    • Enable Keyless
  • Configure Keyless as High Assurance authentication mechanism
  • Keyless authentication is now enabled
Keyless Authentication to Salesforce

Enrolment: Salesforce Configuration

To enable enrolment of Salesforce users with Keyless we'll need to configure Salesforce as an OIDC Identity Provider and Keyless as the OIDC Relying Party/Service Provider. The parameters required to create the client/connected application on Salesforce are provided in your Keyless onboarding package. Once the application is configured you'll need to send some configuration information back to Keyless to complete the configuration on the Keyless end.
Following are the pieces of information from Keyless required to configure the Salesforce Connected Application:
Parameter                  Description                 Example
Login /Redirect URL        OIDC RP Configuration       https://<your-keyless-enrolment-server>/signin-oidc
Post Logout Redirect URL   OIDC RP Configuration       https://<your-enrolment-server>/signout/callback
Keyless Enrolment URL      Keyless Enrolment server    https://<your-keyless-enrolment-server>
We'll configure SFDC as an OIDC IdP and Keyless as the OIDC RP.
  • On Salesforce go to Settings → Identity → Identity Provider, enable Identity Provider and save
    • Make a note of the Issuer URL: Issuer URL needs to be sent to Keyless to configure Keyless enrolment server.
Enable Identity Provider
  • Click on Service Provider link at the bottom to create a Connected App/ Service Provider
  • Check Enable OAuth Settings to configure OAuth/OIDC parameters
  • Enter the callback URLs of Keyless Enrolment Server (these are Login/Redirect URL, Post Logout Redirect URL & Keyless Enrolment URL as described in the table at the beginning of this section)
OIDC Client App (Keyless) Configuration
  • Click Save
    • Make a note of the Client ID & Client Secret (for Keyless OIDC RP, these two parameters need to be sent back to Keyless for configuration of the Keyless enrolment server)
    • Click New to add a Custom Attribute
Custom Attribute
This completes the configuration on the Salesforce end. The following table summarises the three pieces of information the Keyless team will need to complete the configuration of the Keyless Enrolment service:
Parameter         Description          Example
Issuer URL        OIDC IdP             https://<your-salesforce-tenant>.my.salesforce.com
Consumer Key      OIDC Client ID       -
Consumer Secret   OIDC Client Secret   -

Post Configuration Walkthrough

Once we have completed the steps above, we are in a position to step through the entire process of enrolling a user to Keyless and then continuing with Keyless authentication going forward.

Keyless Enrolment

  • Prerequisite: a compatible mobile (Android/iOS) device with the Keyless Authenticator App installed. Installation instructions are located here: https://docs.keyless.io/userguide/install-mobile-app
  • Create a new Salesforce user from SFDC dashboard (e.g. [email protected])
  • Enrol the newly created user to Keyless (if this account is not enrolled already)
    • From a web browser go to the Keyless Enrol Site: https://<<your-keyless-registration-URL>> (provided by the Keyless team)
    • Authenticate to SFDC Portal with Userid/Password (following redirect from Keyless Enrolment page)
    • Click on the Enrol link and scan the QR Code using the Keyless Authenticator App on your mobile device
    • Complete the registration process on your mobile device as guided by Keyless Authenticator App
    • Registered account will appear on Keyless Authenticator App on the mobile device
    • Log out from Salesforce browser session and this completes Keyless enrolment

Salesforce Account Linking to Keyless

  • Link the Salesforce user to their registered Keyless account
    • Log on to SFDC with account linking URL
    • Account Linking URL can be found on Salesforce Setup -> Auth Provider -> Salesforce Configuration section which will look like the following: https://<your-salesforce-tenant>.my.salesforce.com/services/auth/link/keyless
    • Authenticate with Keyless via Keyless Authenticator App on your mobile device
    • After a successful authentication with Keyless, the Salesforce portal will prompt you to Sign In with userID and password to link the SFDC user to the authenticated Keyless account
    • That completes the account linking between the SFDC and Keyless accounts

Keyless biometric authentication to Salesforce

  • From a browser access your Salesforce portal: https://<your-salesforce-tenant>.my.salesforce.com
  • Log on to SFDC
    • via Keyless: Click on SignIn with Keyless button as opposed to providing uid/password
    • Authenticate via Keyless Mobile Authenticator
  • That completes keyless authentication to SFDC