Salesforce

Enable Keyless passwordless biometric authentication to Salesforce.

Keyless passwordless biometric authentication can address any MFA requirement to authenticate to Salesforce Portal.
This guide provides a step-by-step introduction to configure Salesforce Portal to authenticate using Keyless passwordless biometric authentication. In this guide Keyless will be set up as an authentication provider to Salesforce at a high assurance level to address any MFA requirements. Also we'll configure Keyless enrolment fetaures to provide the ability for Salesforce users to register/enrol for Keyless authentication.
Following is a short video to showcase Keyless authentication experience to Salesforce.
Authentication: Configure Keyless as an Authentication Provider
In order to enable your users to authenticate into Salesforce portal/dashboard via Keyless you’ll need to configure Keyless as an authentication provider in Salesforce.
As part of the onboarding process you’ll receive the following pieces of information from Keyless to complete an authentication provider configuration in Salesforce:
Paramater
Description
Example
Login Icon URI
Can be used as an logon icon for Keyless authentication on logon page
https://<your-keyless-tenant>/static/keyless.svg
Token Issuer
OIDC Issuer
https://<your-keyless-tenant>
Token Endpoint URL
Token OIDC Endpoint URL
https://<your-keyless-tenant>/connect/token
Authorize Endpoint URL
OIDC Authorization Endpoint URL
https://<your-keyless-tenant>/connect/authorize
User Info Endpoint URL
OIDC User Info Endpoint URL
https://<your-keyless-tenant>/connect/userinfo
Scope
OIDC Scope
openid profile email
Consumer Key
OIDC Client ID
-
Consumer Secret
OIDC Client Secret
-
All configuration steps outlined below need to be performed on Salesforce portal with administrative privileges.
Create an OIDC Auth Provider
Identity → Auth Providers → New
Select Open Id Connect as provider type
OIDC Authentication Provider
Populate the configuration parameters from the information provided by Keyless team to complete Auth provider configuaration as shown below
Configure Keyless Auth Provider
Make a note of the URLs under Salesforce Configuration section
Callback URL: Need to be provided to Keyless team to complete authentication provider configuration on  Keyless end
Existing User Linking URL: Use this URL to link existing Salesforce users to their respective Keyless account
Following is a sample Registration handler code
// Example Registration Handler
global class KLRegHandler101 implements Auth.RegistrationHandler{
​
​
global User createUser(Id portalId, Auth.UserData data){
    
    //The user is authorized, so create their Salesforce user
    User u = new User();
    Profile p = [SELECT Id FROM profile WHERE name='Standard User'];
    //TODO: Customize the username. Also check that the username doesn't already exist and
    //possibly ensure there are enough org licenses to create a user. Must be 80 characters
    //or less.
    for(string key : data.attributeMap.keySet())
        {
            system.debug('Create Incoming Attr Map key: [' + key + '] value: [' + data.attributeMap.get(key)+ ']');
        }
    u.username = data.username;
    u.email = data.email;
    u.lastName = data.lastName;
    u.firstName = data.firstName;
    String alias = data.username;
    
    if(alias.length() > 8) {
        alias = alias.substring(0, 8);
    }
    u.alias = alias;
    u.languagelocalekey = UserInfo.getLocale();
    u.localesidkey = UserInfo.getLocale();
    u.emailEncodingKey = 'UTF-8';
    // u.timeZoneSidKey =  UserInfo.getTimeZone();
    u.profileId = p.Id;
    return u;
}
​
global void updateUser(Id userId, Id portalId, Auth.UserData data){
    User u = new User(id=userId);
    //TODO: Customize the username. Must be 80 characters or less.
    //u.username = data.username + '@myorg.com';
    for(string key : data.attributeMap.keySet())
        {
            system.debug('Updt Incoming Attr Map key: [' + key + '] value: [' + data.attributeMap.get(key)+ ']');
        }
    
    system.debug('Updt Pre Username: ' + u.username );
    system.debug('Updt Pre Email: ' + u.email);
    system.debug('Updt Pre SN: ' + u.lastName);
    system.debug('Updt Pre Email: ' + u.alias);
    system.debug('Updt Pre Profile: ' + u.profileId);
    system.debug('Updt Pre First Name: ' + u.firstName);
    system.debug('Updt Pre Email Enc: ' + u.emailEncodingKey );
    
    update(u);
}
}
Update Domain Configuration to Enable Keyless Authentication Option on Logon Page
Company Settings → My Domain
Edit Authentication Configuration
Enable Keyless
​
Configure Keyless as High Assurance authentication mechanism
Keyless authentication is now enabled
Keyless Authentication to Salesforce
Enrolment: Salesforce Configuration
To enable enrolment of Salesforce users with Keyless we’ll need to configure Salesforce as an OIDC Identity Provider and Keyless as OIDC Relying Party/ Service Provider. Parameters required to create the client/connected application on Salesforce are provided in your Keyless onboarding package. Once the application is configured you’ll need to send some configuration information back to Keyless to complete the configuration on Keyless end.
Following are the pieces of information from Keyless required to configure Salesforce  Connected Application:
Parameter
Description
Example
Login /Redirect URL
OIDC RP Configuration
https://<your-keyless-enrolment-server>/signin-oidc
Post Logout Redirect URL
OIDC RP Configuration
https://<your-enrolment-server>/signout/callback
Keyless Enrolment URL
Keyless Enrolment server
https://<your-keyless-enrolment-server>
​
We’ll configure SFDC as a OIDC IdP and Keyless as OIDC RP
On Salesforce go to Settings → Identity → Identity Provider and enable Identity Provider and save
Make a note of the Issuer URL: Issuer URL needs to be sent to Keyless to configure Keyless enrolment server.
Enable Identity Provider
​
Click on Service Provider link at the bottom to create a Connected App/ Service Provider
Check Enable OAuth Settings to configure OAuth/OIDC parameters
Enter the callback URLs of Keyless Enrolment Server (these are Login/Redirect URL, Post Logout Redirect URL & Keyless Enrolment URL as described in the table at the beginning of this section)
OIDC Client App (Keyless) Configuration
​
Click Save
Make a note of the Client ID & Client Secret (for Keyless OIDC RP, these two parameters need to be sent back to Keyless for configuration of the Keyless enrolment server)
Click New to add a Custom Attribute
Custom Attribute
This completes configuration on Salesforce end the following table is a summary of the 3-pieces of information that Keyless team will need to complete configuration of Keyless Enrolment service:
Parameter
Description
Example
Issuer URL
OIDC IdP 
https://<your-salesforce-tenant>.my.salesforce.com
Consumer Key
OIDC Client ID
-
Consumer Secret
OIDC Client Secret
-
Post Configuration Walkthrough
Once we have completed the steps above, we are now in a position to step though the entire process of enrolling a user to Keyless and then continue with Keyless authentication going forward.
Keyless Enrolment
Prerequisite is to have a compatible mobile (android/iOS) device with Keyless Authenticator App installed: Installation instructions are located here https://docs.keyless.io/userguide/install-mobile-app​
Create a new Salesforce user from SFDC dashboard (e.g. [email protected])
Enrol the newly created user to Keyless (if this account is not enrolled already)
From a web browser go to Keyless Enrol Site: https://<<your-keylelss-registration-URL>> (provided by Keyless team)
Authenticate to SFDC Portal with Userid/Password (following redirect from Keyless Enrolment page)
Click on Enrol link & Scan the QR Code using Keyless Authenticator App on you mobile device
Complete the registration process on your mobile device as guided by Keyless Authenticator App
Registered account will appear on Keyless Authenticator App on the mobile device
Log out from Salesforce browser session  and this completes Keyless enrolment
Salesforce Account Linking to Keyless
Link Salesforce User to his/her registered Keyless account
Log on to SFDC with account linking URL 
Account Linking URL can be found on Salesforce Setup -> Auth Provider -> Salesforce Configuration section which will look like the following: https://<your-salesforce-tenant>.my.salesforce.com/services/auth/link/keyless
Authenticate with Keyless via Keyless Authenticator App on your mobile device
After a successful authentication with Keyless Salesforce portal will prompt you to Sign In with userID and password to link an SFDC user to the authenticated Keyless account
that completes the account linking between SFDC and Keyless account
Keyless biometric authentication to Salesforce
From a browser access your Salesforce portal: https://<your-salesforce-tenant>.my.salesforce.com
Log on to SFDC
via Keyless: Click on SignIn with Keyless button as opposed to providing uid/password
Authenticate via Keyless Mobile Authenticator
That completes keyless authentication to SFDC
🏁
Post Integration

Paramater	Description	Example
Login Icon URI	Can be used as an logon icon for Keyless authentication on logon page	https://<your-keyless-tenant>/static/keyless.svg
Token Issuer	OIDC Issuer	https://<your-keyless-tenant>
Token Endpoint URL	Token OIDC Endpoint URL	https://<your-keyless-tenant>/connect/token
Authorize Endpoint URL	OIDC Authorization Endpoint URL	https://<your-keyless-tenant>/connect/authorize
User Info Endpoint URL	OIDC User Info Endpoint URL	https://<your-keyless-tenant>/connect/userinfo
Scope	OIDC Scope	openid profile email
Consumer Key	OIDC Client ID	-
Consumer Secret	OIDC Client Secret	-

Parameter	Description	Example
Login /Redirect URL	OIDC RP Configuration	https://<your-keyless-enrolment-server>/signin-oidc
Post Logout Redirect URL	OIDC RP Configuration	https://<your-enrolment-server>/signout/callback
Keyless Enrolment URL	Keyless Enrolment server	https://<your-keyless-enrolment-server>

Parameter	Description	Example
Issuer URL	OIDC IdP	https://<your-salesforce-tenant>.my.salesforce.com
Consumer Key	OIDC Client ID	-
Consumer Secret	OIDC Client Secret	-

PingOne SSO

Next - VPN

Fortinet FortiClient

Last modified 7mo ago