Logging into Salesforce with Google Apps

Dan Fowlie January 3, 2014

The Winter '14 Salesforce release came with one great feature: you can now delegate login to any third-party web application that implements the server side of the OpenID Connect protocol. This lets you use an authentication provider such as Google.

Why is this useful?
If you're a power Gmail user like me and live in your email, then you always have a tab open with your email. Between email, calendar and docs I find I always have an active Google Apps session. This makes Google Apps the perfect service to delegate your Salesforce authentication to.

The goal of this guide
Salesforce provides documentation on setting up an OpenID Connect provider which describes all the steps you need to take on the Salesforce side. However, it makes no assumptions about which OpenID Connect provider you will use. The same is true of the documentation that Google provides. Unfortunately, in some cases the terminology on each side is slightly different.

My goal with this blog post is to provide a specific and comprehensive guide to setting up Google as an OpenID Connect provider for Salesforce.com.

Getting Started - Create your Salesforce My Domain
A while back Salesforce enabled My Domain, which allows you to have your own custom sub-domain to log in to Salesforce. The format is https://<your-sub-domain>.my.salesforce.com, where the first label is the name you register.

For a partner like us it was great, as sessions are tied to a domain, so My Domain allowed us to be logged into our own Salesforce org and a client's org at the same time.

For this exercise, My Domain allows us to control our users' login experience and add buttons to the login page for new authentication providers.

To set this up the process is reasonably simple.

  1. In Salesforce go to Setup -> Domain Management -> My Domain
  2. Choose a domain, check its availability, and click the Register button
  3. Once your domain is registered you can optionally update the Login Branding by adding a logo or customising what is displayed in the right-hand frame.

Create a project in Google Cloud Console
The first step is to register a new project in Google’s new Cloud Console.

  1. Log in to the Cloud Console and make sure you are logged in with your Google Apps account and not a personal Gmail account.
  2. Click New Project and call it Salesforce OpenID
  3. On the left-hand navigation click on APIs and Auth and then Credentials
  4. Click Create a new Client ID. Select Web Application and remove example.com from the Authorized JavaScript Origins.
  5. Take note of the Client ID and Client Secret. The Client Secret is a credential: it will live only in the Salesforce Auth Provider definition, so do not paste it into documents, tickets or source control.

Create a Registration Handler
Salesforce requires some configuration for matching a Salesforce user with the user being presented by Google Apps. I’ve made a simple registration handler available on Github.

This code can be modified to match your requirements. Alternatively, you can install this unmanaged package directly into your Salesforce org.
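The registration handler is where the security decision of this whole setup is made: it decides which Google identity is allowed to become, or be linked to, which Salesforce user. The following is an added example, written for this page and not the handler from the author's GitHub repository or unmanaged package. It assumes a Google Apps domain of example.com (change ALLOWED_DOMAIN to yours) and that Salesforce passes Google's userinfo claims, including hd (hosted domain) and email_verified, as strings in data.attributeMap; both assumptions are marked in the code. It deliberately never creates users: it only links a verified account from the allowed domain to exactly one existing active Salesforce user with the same email address, and it re-checks on every later login.

```apex
// Added example: a registration handler that only links Google Apps accounts
// from one hosted domain to existing Salesforce users. This is not the handler
// from the author's GitHub repository.
// Assumptions (not stated on the page): the Google Apps domain is example.com,
// and Salesforce exposes Google's userinfo claims such as "hd" and
// "email_verified" as strings in data.attributeMap.
global class GoogleAppsRegistrationHandler implements Auth.RegistrationHandler {

    // Google Apps domain whose accounts are allowed to log in (assumed value).
    private static final String ALLOWED_DOMAIN = 'example.com';

    // Thrown to abort the login; Salesforce shows a login error instead of
    // creating or linking a user.
    global class GoogleAppsLoginException extends Exception {}

    // Called the first time a given Google identity logs in.
    global User createUser(Id portalId, Auth.UserData data) {
        validate(data);
        User existing = findActiveUserByEmail(data.email);
        if (existing == null) {
            // Refuse auto-provisioning: completing the Google flow does not by
            // itself entitle anyone to a Salesforce user record.
            throw new GoogleAppsLoginException(
                'No active Salesforce user matches ' + data.email);
        }
        // Returning a User that already has an Id tells Salesforce to link the
        // Google identity to that user rather than insert a new one.
        return existing;
    }

    // Called on every later login by an identity that is already linked.
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        // Re-check on each login so an account that has moved to another
        // domain, or whose address is no longer verified, loses access.
        validate(data);
        User linked = [SELECT Id, Email, IsActive FROM User WHERE Id = :userId];
        if (!linked.IsActive || !sameAddress(linked.Email, data.email)) {
            throw new GoogleAppsLoginException(
                'Linked Salesforce user no longer matches ' + data.email);
        }
    }

    // Rejects identities that are not verified members of ALLOWED_DOMAIN.
    private static void validate(Auth.UserData data) {
        if (data == null || String.isBlank(data.email)) {
            throw new GoogleAppsLoginException('Google did not return an email address');
        }
        String email = data.email.trim().toLowerCase();
        if (!email.endsWith('@' + ALLOWED_DOMAIN)) {
            throw new GoogleAppsLoginException('Account is not in ' + ALLOWED_DOMAIN);
        }
        Map<String, String> claims = data.attributeMap == null
            ? new Map<String, String>() : data.attributeMap;
        // "hd" is Google's hosted-domain claim (assumed to be in attributeMap).
        // It is only present for Google Apps accounts, so a missing or different
        // value means a consumer account that merely has a similar-looking address.
        if (!ALLOWED_DOMAIN.equalsIgnoreCase(claims.get('hd'))) {
            throw new GoogleAppsLoginException('Missing or mismatched hosted domain claim');
        }
        // Do not trust an address Google has not verified (claim assumed as a string).
        if (!'true'.equalsIgnoreCase(claims.get('email_verified'))) {
            throw new GoogleAppsLoginException('Email address is not verified by Google');
        }
    }

    // Exactly one active user must carry the address; zero or many is a refusal.
    private static User findActiveUserByEmail(String email) {
        List<User> matches = [SELECT Id, Email FROM User
                              WHERE Email = :email AND IsActive = true LIMIT 2];
        return matches.size() == 1 ? matches[0] : null;
    }

    private static Boolean sameAddress(String a, String b) {
        return a != null && b != null && a.trim().equalsIgnoreCase(b.trim());
    }
}
```

Select this class as the Registration Handler when you define the Auth Provider in the next section. The handler runs with the permissions of the Execute Registration As user, which is why it does no more than a lookup and a comparison: anything it does is done as an administrator.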

Define the OpenID Provider in your Salesforce Org
Next up we need to tell Salesforce which authentication provider we want to use.

  1. In Salesforce go to Setup -> Security Controls -> Auth Providers
  2. Click New and select OpenID Connect as the Provider Type
  3. Enter Google Apps as the Name
  4. Enter Google_Apps as the URL Suffix
  5. Enter the Client ID from Step 5 of setting up the Google project as the Consumer Key
  6. Enter the Client Secret from Step 5 of setting up the Google project as the Consumer Secret
  7. Enter https://accounts.google.com/o/oauth2/auth as the Authorize Endpoint URL
  8. Enter https://accounts.google.com/o/oauth2/token as the Token Endpoint URL
  9. Enter https://www.googleapis.com/oauth2/v3/userinfo as the User Info Endpoint URL
  10. Enter email as the Default Scopes. Google's OpenID Connect documentation lists openid as a required scope, so if the login fails with a scope error use openid email instead.
  11. Set the Registration Handler to your Apex class. If you installed the example package from earlier this will be GoogleAppsRegistrationHandler.
  12. Set Execute Registration As to a System Administrator. The handler runs with this user's permissions on every login, so keep it small and review it carefully.
  13. Save
  14. Take note of the Callback URL in the Client Configuration section; it is only shown once the provider has been saved.

Update the Google Project with the Callback URL

  1. Return to the Google Cloud Console and the Credentials section.
  2. Click Edit Settings under Client ID for web application, paste the Callback URL you noted at the end of the previous section into the Redirect URI, and Save. Google matches redirect URIs exactly, so paste the URL unchanged.

Add a Google button to your login page
We are nearly there! Now we can add a new button to the login page to enable the process.

Return to where we started in the My Domain Setup.

  1. In Salesforce go to Setup -> Domain Management -> My Domain
  2. Click Edit in the Login Page branding section
  3. Now you should be able to see the Auth Provider as an option. Selecting it will add a button to the login page.
  4. You can also upload a logo.

Enjoy!

Dan Fowlie

With more than a decade in the ecosystem, Dan lives and breathes Salesforce. He applies business acumen to client challenges to come up with solutions that extract the most value out of the platform. Outside of work, Dan embraces "Kaizen" and likes to hack his day-to-day life as much as possible.