Onboarding Customers via External Authentication

From 3B Knowledge

Intro

We are introducing a new mechanism for authorizing app communication in 3B, which now relies on a 3B managed authentication server (auth.3b4sf.com).

This change is required because Salesforce is moving to eliminate Connected Apps and has introduced new restrictions, as described in this article.

Changes

Having authentication handled by a designated server means the handshake is server-to-server, so session details are never exposed in the client. It is also the future-proof authentication method per Salesforce's guidance.

Usage

3B Authentication is used for:

  • Handling large files in Onboarding (assessments), Forms, CLM & PDF service through the Large Files API
  • Generating PDFs in CLM
  • Reserved for future off-platform customizations

Without the authentication service, CLM will not be able to generate PDFs, and large files (> 4 MB) will always throw an error - whether it is a form submission, a preview of an assessment or a large PDF document in Sign.

Setup Instructions

There are two steps:

Create External Client App

Navigate to Setup and go to External Client App Manager. Create a new External Client App.

Set the following field values:

  • Basic Information
    • Name - 3B Authentication App
    • API Name - X3B_Authentication_App
    • Contact Email - orgs+auth@3b4sf.com
  • API (Enable OAuth Settings)
    • Set 'Enable OAuth' to true
    • Callback URL - https://auth.3b4sf.com/oauth/callback
    • OAuth Scopes -
      • Full access (full)
      • Perform requests at any time (refresh_token, offline_access)
    • Under Security, set 'Require Proof Key for Code Exchange (PKCE) extension for Supported Authorisation Flows' to false

Click 'Create'. You will then land on the App Policies page. Click 'Edit' on the top right-hand side of the page.

  • App Policies
  • OAuth Policies
    • Change Refresh Token Policy to 'Refresh token is valid until revoked'
    • Change IP Relaxation to 'Relax IP restrictions'


Click 'Save'.

Onboard Org

Once you have created the ECA, collect its client ID, client secret and your My Domain, and complete the details at https://auth.3b4sf.com/. Salesforce will ask you to confirm access and permissions, and at the end of the workflow you will see a success message.
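To see what the ECA settings above enable, here is an added example (not 3B's or Salesforce's code) of the server-to-server exchange: it builds the web server flow authorization URL with the configured callback and scopes, then uses the refresh_token grant against the org's standard token endpoint to confirm the ECA still issues access tokens. The environment variable names and the values they hold are operator-supplied placeholders.

```python
"""Exercise a 3B-style External Client App from the server side (added example).

MY_DOMAIN, CLIENT_ID, CLIENT_SECRET and REFRESH_TOKEN are operator-supplied
placeholders; the refresh token comes from one completed web server flow.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

CALLBACK_URL = "https://auth.3b4sf.com/oauth/callback"   # as configured in the ECA
SCOPES = ("full", "refresh_token", "offline_access")     # as configured in the ECA


def authorize_url(my_domain: str, client_id: str) -> str:
    """Web server flow authorization URL; no code_challenge, matching PKCE disabled."""
    query = urllib.parse.urlencode({"response_type": "code", "client_id": client_id,
                                    "redirect_uri": CALLBACK_URL, "scope": " ".join(SCOPES)})
    return f"https://{my_domain}/services/oauth2/authorize?{query}"


def refresh_request(my_domain, client_id, client_secret, refresh_token):
    """Token endpoint and form body for the refresh_token grant the auth server uses.
    The client secret is only ever sent here, server to server, never to a browser."""
    body = urllib.parse.urlencode({"grant_type": "refresh_token", "client_id": client_id,
                                   "client_secret": client_secret,
                                   "refresh_token": refresh_token}).encode()
    return f"https://{my_domain}/services/oauth2/token", body


def check_token_response(payload: dict) -> list:
    """Problems found in a token response; an empty list means the ECA works."""
    problems = [f"missing {k}" for k in ("access_token", "instance_url") if not payload.get(k)]
    if "error" in payload:  # e.g. invalid_grant once the ECA is disabled (revoked)
        problems.append(f"{payload['error']}: {payload.get('error_description', '')}")
    return problems


def main():
    env = {k: os.environ[k] for k in ("MY_DOMAIN", "CLIENT_ID", "CLIENT_SECRET", "REFRESH_TOKEN")}
    url, body = refresh_request(env["MY_DOMAIN"], env["CLIENT_ID"],
                                env["CLIENT_SECRET"], env["REFRESH_TOKEN"])
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
            payload = json.load(resp)
    except urllib.error.HTTPError as err:  # Salesforce returns a JSON error body on 400
        payload = json.load(err)
    problems = check_token_response(payload)
    print("ECA OK, token issued for", payload["instance_url"]) if not problems \
        else print("ECA problem:", "; ".join(problems))


if __name__ == "__main__":
    main()
```

Run it after onboarding to confirm the ECA works, and again after disabling the ECA to confirm the grant is refused.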

Revoke

You can disable the ECA to revoke access.

Notes

  • Only one ECA per org is required, even if multiple apps are installed.