New Authorization Mechanism
Intro
The new app authorization mechanism securely connects 3B Forms, 3B CLM, 3B WFM, 3B Onboarding and 3B Portals & Mobile Apps with Salesforce. It replaces the old Username + Password + Token mechanism.
The benefits of the new mechanism are:
- If a user's password expires or is reset, the connection continues to work without disruption
- A more reliable connection and better error messaging
- A server-to-server connection ensures the highest level of security
- A single setup for all 3B applications as opposed to a setup per application
Setup
Follow these steps to set up the new authorization mechanism.
Get your My Domain
Go to Setup -> My Domain and copy your "My Domain", which should look something like this: https://customer-name.develop.my.salesforce.com/
Create a Connected App
Go to Setup -> App Manager and click on "New Connected App". Populate the fields as per the table below:
Field | Value |
---|---|
Connected App Name | 3B Authorization App |
API Name | X3B_Authorization_App |
Contact Email | orgs+auth@3b4sf.com |
Enable OAuth Settings | true |
Callback URL | https://login.salesforce.com (we will change this later) |
Selected OAuth Scopes | full, refresh_token, offline_access |
Leave all other fields as defaulted.
Hit Save and then click on the "Manage Consumer Details" button. Take note of the Consumer Key and Consumer Secret.
Create an Auth. Provider
Go to Setup -> Auth. Providers and click on "New". Populate the fields as per the table below:
Field | Value |
---|---|
Provider Type | Salesforce |
Name | This Org |
URL Suffix | This_Org |
Consumer Key | The Consumer Key from the Connected App |
Consumer Secret | The Consumer Secret from the Connected App |
Authorize Endpoint URL | This is your My Domain + /services/oauth2/authorize |
Token Endpoint URL | This is your My Domain + /services/oauth2/token |
Default Scopes | refresh_token full |
Leave all other fields as defaulted. Hit Save and, once the Auth. Provider is created, take note of the Callback URL, which will be your My Domain + /services/authcallback/This_Org.
Update the Connected App
Go back to the Connected App (Setup -> App Manager) and click on "Edit" from the drop-down menu. Replace the placeholder in the Callback URL field (https://login.salesforce.com) with the Callback URL provided by the This_Org Auth. Provider (i.e. My Domain + /services/authcallback/This_Org).
Create a Named Credential
Go to Setup -> Named Credentials and create a new Legacy Named Credential. Populate the fields as per the table below:
Field | Value |
---|---|
Label | AuthorizationService |
Name | AuthorizationService |
URL | Paste the My Domain URL here |
Identity Type | Named Principal |
Authentication Protocol | OAuth 2.0 |
Authentication Provider | This_Org |
Scope | refresh_token full |
Start Authentication Flow on Save | true |
Generate Authorization Header | true |
Allow Merge Fields in HTTP Header | false |
Allow Merge Fields in HTTP Body | true |
Hit Save and you will be redirected to the login page for the org. Enter your admin user's credentials and allow access on the next screen.
Once you have completed this process, you will be redirected back to the Named Credential. Ensure that the Authentication Status field shows "Authenticated as username@domain.com".
Update Custom Settings
By now, you have successfully created a secure connection. We now need to tell the 3B app which Authorization Named Credential to use when connecting to Salesforce. Head over to Setup -> Custom Settings -> 3B Forms (or the 3B Portals, 3B Onboarding, 3B CLM or 3B WFM settings) and click on Manage. In the Authorization Named Credential field, enter "AuthorizationService" (this is the name of the Named Credential we created earlier).
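Several values in the steps above are built as "My Domain + path", and a copied My Domain that ends in a slash, or a Callback URL left at the placeholder, leaves the Auth. Provider and Connected App out of step. The following pre-flight check is an added example, not part of 3B's or Salesforce's code; the function names are hypothetical, and it assumes the My Domain host ends in .my.salesforce.com as in the sample URL above.

```python
from urllib.parse import urlsplit

PLACEHOLDER_CALLBACK = "https://login.salesforce.com"  # placeholder from the Connected App step
AUTH_PROVIDER_SUFFIX = "This_Org"                      # URL Suffix from the Auth. Provider step


def normalize_my_domain(raw):
    """Return 'https://<host>' for a pasted My Domain, without trailing slash or path."""
    parts = urlsplit(raw.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise ValueError("My Domain must be an https:// URL")
    if parts.netloc.lower() != host:
        raise ValueError("My Domain must not contain a port or user info")
    if not host.endswith(".my.salesforce.com"):  # assumption, see lead-in
        raise ValueError("not a My Domain host: %r" % host)
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("paste only the My Domain, without a path or query")
    return "https://" + host


def derive_urls(my_domain):
    """Build the three 'My Domain + path' values used in the setup steps."""
    base = normalize_my_domain(my_domain)
    return {
        "authorize_endpoint": base + "/services/oauth2/authorize",
        "token_endpoint": base + "/services/oauth2/token",
        "callback_url": base + "/services/authcallback/" + AUTH_PROVIDER_SUFFIX,
    }


def check_setup(my_domain, entered):
    """Compare values typed into Setup with the derived ones; return a list of problems."""
    expected = derive_urls(my_domain)
    problems = []
    for field, want in expected.items():
        got = entered.get(field, "").strip()
        if field == "callback_url" and got.rstrip("/") == PLACEHOLDER_CALLBACK:
            problems.append("callback_url: still the placeholder, update the Connected App")
        elif got != want:
            problems.append("%s: expected %s, got %s" % (field, want, got or "(empty)"))
    return problems
```

Pass `check_setup` the My Domain as copied from Setup and a dict of the values you entered; an empty list means the Auth. Provider endpoints and the Connected App Callback URL agree.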
Video
You can watch this short video that demonstrates the setup: https://drive.google.com/file/d/1jiVSP_CriAFUopqANkt-KV0i2-JJ61f2/view?usp=sharing
Support
The following app versions implement this new mechanism:
- 3B Portals - v2.4+