Salesforce (OIDC)
Last reviewed: 4 months ago
This guide covers how to configure Salesforce ↗ as an OpenID Connect (OIDC) application in Cloudflare Zero Trust.
Prerequisites
- An identity provider configured in Cloudflare Zero Trust
- Admin access to a Salesforce account
1. Add a SaaS application to Cloudflare Zero Trust
- In Zero Trust ↗, go to Access > Applications.
- Select SaaS.
- For Application, select Salesforce.
- For the authentication protocol, select OIDC.
- Select Add application.
- In Scopes, select the attributes that you want Access to send in the ID token.
- In Redirect URLs, enter the callback URL obtained from Salesforce (https://<your-domain>.my.salesforce.com/services/authcallback/<URL Suffix>). Refer to Add an SSO provider to Salesforce for instructions on obtaining this value.
- (Optional) Enable Proof of Key Exchange (PKCE) ↗ if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
- Copy the following values:
- Client ID
- Client Secret
- Authorization endpoint
- Token endpoint
- User info endpoint
- (Optional) Configure App Launcher settings by turning on Enable App in App Launcher and, in App Launcher URL, entering https://<your-domain>.my.salesforce.com.
- Select Save configuration.
- Configure Access policies for the application.
- Select Done.
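The PKCE option above binds each authorization code to a one-time secret held by the client, so a code that leaks in transit cannot be redeemed on its own. The following is an added example (not code from Cloudflare or Salesforce) that walks through the S256 variant from RFC 7636 in both roles: the client derives a code_challenge from a random code_verifier and sends it with the authorize request, and the token endpoint refuses the code unless the matching verifier is presented. The client ID, redirect URI and issued code are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy code_verifier (RFC 7636 section 4.1).

    token_urlsafe emits base64url characters without padding, so 32 random
    bytes give a 43-character string, the minimum length the RFC allows.
    """
    return secrets.token_urlsafe(nbytes)


def make_code_challenge(code_verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) with no '=' padding (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorization_request(client_id: str, redirect_uri: str, code_verifier: str) -> dict:
    """Query parameters the client (Salesforce, in this guide) adds to the authorize request when PKCE is on."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile groups",
        "code_challenge": make_code_challenge(code_verifier),
        "code_challenge_method": "S256",
    }


def token_endpoint_accepts(issued: dict, presented_code: str, presented_verifier: Optional[str]) -> bool:
    """Toy token endpoint: decide whether an authorization code may be redeemed.

    `issued` is what the authorization server stored when it minted the code:
    the code itself and the code_challenge that arrived with the authorize
    request (None when the authorize request carried no PKCE challenge).
    """
    if not hmac.compare_digest(presented_code, issued["code"]):
        return False
    if issued["code_challenge"] is None:
        return True  # no PKCE bound to this code: whoever holds the code can redeem it
    if presented_verifier is None:
        return False  # a challenge was bound, so the verifier is mandatory
    recomputed = make_code_challenge(presented_verifier)
    return hmac.compare_digest(recomputed, issued["code_challenge"])


if __name__ == "__main__":
    # Constructed placeholders: no real tenant, client or code.
    verifier = make_code_verifier()
    params = authorization_request(
        "<client-id>", "https://acme.my.salesforce.com/services/authcallback/CloudflareAccess", verifier
    )
    issued = {"code": secrets.token_urlsafe(24), "code_challenge": params["code_challenge"]}
    print("legitimate client with verifier:", token_endpoint_accepts(issued, issued["code"], verifier))  # True
    print("same code, no verifier:", token_endpoint_accepts(issued, issued["code"], None))  # False
```

Enabling the toggle in only one of the two products gives you one half of this exchange; the Salesforce field in the next section (Use Proof Key for Code Exchange) supplies the client half.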
2. Add an SSO provider to Salesforce
- In Salesforce, go to Setup.
- In the Quick Find box, enter auth and select Auth providers.
- Select New.
- For the provider type, select OpenID Connect.
- Enter a name for the SSO provider (for example, Cloudflare Access).
- Fill in the following fields with values obtained from Cloudflare Access:
- Consumer Key: Client ID
- Consumer Secret: Client Secret
- Authorize Endpoint URL: Authorization endpoint
- Token endpoint URL: Token endpoint
- User Info Endpoint URL: User info endpoint
- Token Issuer: Issuer
- (Optional) Enable Use Proof Key for Code Exchange if you enabled it in Access.
- In Default Scopes, enter a space-separated list of the scopes you configured in Access (for example, openid email profile groups).
- Select Save.
- Copy the Callback URL:
- In Zero Trust, paste the Callback URL into the Redirect URL field.
To test the integration, open an incognito browser window and go to the Test-Only Initialization URL (https://<your-domain>.my.salesforce.com/services/auth/test/<URL Suffix>).
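Most failures at the Test-Only Initialization URL come down to a copy-paste mismatch between the Access values and the Salesforce Auth Provider fields listed above (issuer string, endpoints, scopes, PKCE, callback URL). The check below is an added example, not a Cloudflare or Salesforce tool: it compares the form values against the issuer's OIDC discovery metadata, which any OIDC issuer publishes at <issuer>/.well-known/openid-configuration. The discovery document, hostnames and paths are constructed placeholders and do not reflect Access's real endpoint layout.

```python
from urllib.parse import urlparse

# Constructed sample discovery document (the JSON an OIDC issuer serves at
# <issuer>/.well-known/openid-configuration). Placeholder host and paths.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oidc/authorize",
    "token_endpoint": "https://idp.example.test/oidc/token",
    "userinfo_endpoint": "https://idp.example.test/oidc/userinfo",
    "scopes_supported": ["openid", "email", "profile", "groups"],
    "code_challenge_methods_supported": ["S256"],
}

# Constructed values as they would be typed into the Salesforce Auth Provider
# form, plus the Redirect URL registered in Access. No real tenant.
GOOD_PROVIDER = {
    "Token Issuer": "https://idp.example.test",
    "Authorize Endpoint URL": "https://idp.example.test/oidc/authorize",
    "Token Endpoint URL": "https://idp.example.test/oidc/token",
    "User Info Endpoint URL": "https://idp.example.test/oidc/userinfo",
    "Default Scopes": "openid email profile groups",
    "Use PKCE": True,
    "Callback URL": "https://acme.my.salesforce.com/services/authcallback/CloudflareAccess",
    "Access Redirect URL": "https://acme.my.salesforce.com/services/authcallback/CloudflareAccess",
}

# Salesforce form field -> key in the discovery document
ENDPOINT_FIELDS = {
    "Authorize Endpoint URL": "authorization_endpoint",
    "Token Endpoint URL": "token_endpoint",
    "User Info Endpoint URL": "userinfo_endpoint",
}


def check_auth_provider(provider: dict, discovery: dict) -> list:
    """Return a list of findings; an empty list means the form values agree with the issuer metadata."""
    findings = []

    # 1. Issuer must match byte for byte: it is compared against the ID token's `iss`
    #    claim, and a stray trailing slash is enough to fail every login.
    if provider["Token Issuer"] != discovery["issuer"]:
        findings.append(
            f"Token Issuer {provider['Token Issuer']!r} != discovery issuer {discovery['issuer']!r}"
        )

    # 2. Each endpoint must be the issuer's own and must be https
    #    (the token request carries the Consumer Secret).
    for field, key in ENDPOINT_FIELDS.items():
        url = provider[field]
        if urlparse(url).scheme != "https":
            findings.append(f"{field} is not https: {url}")
        if url != discovery[key]:
            findings.append(f"{field} {url!r} != discovery {key} {discovery[key]!r}")

    # 3. Scopes: 'openid' is required to get an ID token at all, and a scope the
    #    issuer does not advertise will not produce the claims you expect.
    scopes = provider["Default Scopes"].split()
    if "openid" not in scopes:
        findings.append("Default Scopes is missing 'openid'")
    for scope in scopes:
        if scope not in discovery.get("scopes_supported", []):
            findings.append(f"scope {scope!r} not in issuer's scopes_supported")

    # 4. PKCE in Salesforce only helps if the issuer accepts S256 challenges.
    if provider["Use PKCE"] and "S256" not in discovery.get("code_challenge_methods_supported", []):
        findings.append("Use PKCE is on but issuer does not advertise S256")

    # 5. Callback URL must be this org's Salesforce authcallback path and must be
    #    registered verbatim in Access (redirect URIs are matched exactly).
    cb = urlparse(provider["Callback URL"])
    if (
        cb.scheme != "https"
        or not cb.hostname
        or not cb.hostname.endswith(".my.salesforce.com")
        or not cb.path.startswith("/services/authcallback/")
    ):
        findings.append(f"Callback URL is not a Salesforce authcallback URL: {provider['Callback URL']}")
    if provider["Access Redirect URL"] != provider["Callback URL"]:
        findings.append("Redirect URL registered in Access differs from the Salesforce Callback URL")

    return findings


if __name__ == "__main__":
    for finding in check_auth_provider(GOOD_PROVIDER, SAMPLE_DISCOVERY) or ["no findings"]:
        print(finding)
```

In practice you would fetch the discovery document from the issuer shown in Access, paste the Salesforce field values into the provider dict, and clear every finding before retrying the test URL.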
3. Enable Single Sign-On in Salesforce
- Enable Cloudflare Access as an identity provider on your Salesforce domain:
- In the Quick Find box, enter domain and select My Domain.
- In Authentication Configuration, select Edit.
- In Authentication Service, turn on the Cloudflare Access provider.
- (Optional) To require users to log in with Cloudflare Access:
- In the Quick Find box, enter single sign-on and select Single Sign-On Settings.
- Turn on Disable login with Salesforce credentials.
To test, open an incognito browser window and go to your Salesforce domain (https://<your-domain>.my.salesforce.com).