
Salesforce

BlokSec can be configured as an inbound federation identity provider for your Salesforce tenant, and can also be integrated to support just-in-time (JIT) provisioning for automatic user creation in Salesforce. The following guide covers the full process for configuring passwordless authentication and provisioning.

The integration uses the OpenID Connect (OIDC) protocol. Configuration is split across the BlokSec admin console, the Salesforce admin console, and a final return to BlokSec to complete the configuration with callback URLs.

Prerequisites

  • A BlokSec admin account with permission to create applications
  • A Salesforce org with admin access and the ability to configure Auth. Providers and Apex Classes

1. Create the Salesforce application in BlokSec

  1. Sign in to the BlokSec admin console as a user with admin privileges
  2. From the dashboard, click + Add Application and select Create From Template
  3. Select the Salesforce template
  4. Complete the application details:

| Field | Value |
| --- | --- |
| Name | Salesforce (or your preferred name) |
| Session Length | 60 minutes (default) |
| Redirect URIs | Leave blank for now (filled in from the Salesforce Callback URL in step 5) |
| Post Logout Redirect URIs | Leave blank for now (filled in from the Salesforce SingleLogout URL in step 5) |

  5. Click Submit to save the configuration
  6. Click Generate App Secret, then note the Application ID and Application Secret. Both are required in the Salesforce OIDC configuration below; treat the secret like a password, since it is the credential Salesforce uses to authenticate to BlokSec at the token endpoint

2. Create the registration handler in Salesforce


The registration handler is an Apex class that manages just-in-time user creation and updates when a user authenticates via BlokSec for the first time. Note that the handler links and updates existing Salesforce users by the username asserted by BlokSec, so the set of users who can sign in through the BlokSec application, not Salesforce, decides which Salesforce account a login maps to. Restrict assignment of the BlokSec Salesforce application accordingly, and review the default profile, time zone and locale the handler assigns to new users before using it in production.

  1. Sign in to Salesforce as a user with admin privileges
  2. Navigate to Platform Tools > Custom Code > Apex Classes
  3. Click New and paste the following into the Apex Class editor:

```apex
global class BlokSecRegHandler implements Auth.RegistrationHandler {

    // Only provision a user when every field needed for a valid User record
    // was actually asserted by the identity provider.
    global boolean canCreateUser(Auth.UserData data) {
        return (data != null
            && data.email != null
            && data.lastName != null
            && data.firstName != null
            && data.username != null);
    }

    global User createUser(Id portalId, Auth.UserData data) {
        // Link to an existing user if the asserted username already exists.
        // Salesforce stores the link, so this branch runs once per user;
        // the existing record's name and email are overwritten with the claims.
        List<User> l = [SELECT Id, UserName, FirstName, LastName, Email
                        FROM User WHERE UserName = :data.username];
        if (l.size() > 0) {
            User u = l[0];
            u.Email = data.email;
            u.LastName = data.lastName;
            u.FirstName = data.firstName;
            update(u);
            return u;
        }

        if (!canCreateUser(data)) { return null; }

        // New user: Salesforce inserts the returned record, running as the
        // "Execute Registration As" user configured on the Auth. Provider.
        User u = new User();
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Chatter Free User'];
        u.username = data.username;
        u.email = data.email;           // the email claim, not the username
        u.lastName = data.lastName;
        u.firstName = data.firstName;
        // Alias is limited to 8 characters
        String alias = data.username;
        if (alias.length() > 8) { alias = alias.substring(0, 8); }
        u.alias = alias;
        u.localesidkey = UserInfo.getLocale();
        u.languagelocalekey = 'en_US';
        u.emailEncodingKey = 'UTF-8';
        u.timeZoneSidKey = 'America/Los_Angeles';
        u.profileId = p.Id;
        return u;
    }

    // Called on every subsequent login to keep the user in sync with the claims
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = new User(id = userId);
        u.email = data.email;
        u.lastName = data.lastName;
        u.firstName = data.firstName;
        u.username = data.username;
        update(u);
    }
}
```

  4. Click Save
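Salesforce does not let you create Apex classes directly in a production org; the handler has to be deployed from a sandbox with test coverage. The following test class is an added example, not part of the BlokSec guide, that exercises the three behaviours that matter for provisioning: incomplete claims are refused, a new user gets the expected field mapping (including that Email comes from the email claim rather than the username), and an existing user with a matching username is linked rather than duplicated. All identifiers, usernames and email addresses in it are constructed, and it assumes the org has the standard 'Chatter Free User' and 'Standard User' profiles.

```apex
@IsTest
private class BlokSecRegHandlerTest {

    // Builds an Auth.UserData the way Salesforce would from the OIDC claims.
    // Uses the standard 11-argument Auth.UserData constructor; values are constructed test data.
    private static Auth.UserData makeUserData(String username, String email,
                                              String firstName, String lastName) {
        return new Auth.UserData(
            'bloksec-sub-0001',             // identifier (the OIDC "sub" claim), constructed
            firstName,
            lastName,
            firstName + ' ' + lastName,     // fullName
            email,
            null,                           // link
            username,
            'en_US',                        // locale
            'bloksec',                      // provider name, constructed
            null,                           // siteLoginUrl
            new Map<String, String>()       // attributeMap
        );
    }

    @IsTest
    static void createUserRejectsIncompleteClaims() {
        BlokSecRegHandler handler = new BlokSecRegHandler();
        // Missing last name: the handler must refuse rather than build a half-populated User
        Auth.UserData data = makeUserData('jit.user@example.com', 'jit.user@example.com', 'Jit', null);
        System.assertEquals(false, handler.canCreateUser(data));
        System.assertEquals(null, handler.createUser(null, data));
    }

    @IsTest
    static void createUserProvisionsNewUser() {
        BlokSecRegHandler handler = new BlokSecRegHandler();
        Auth.UserData data = makeUserData('jit.user@example.com', 'jit.user@example.com', 'Jit', 'User');
        Test.startTest();
        User u = handler.createUser(null, data);
        Test.stopTest();
        System.assertNotEquals(null, u, 'complete claims must produce a User');
        System.assertEquals('jit.user@example.com', u.Username);
        System.assertEquals('jit.user@example.com', u.Email, 'Email must come from the email claim');
        System.assertEquals('Jit', u.FirstName);
        System.assertEquals('User', u.LastName);
        System.assert(u.Alias.length() <= 8, 'alias must fit the 8-character limit');
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Chatter Free User'];
        System.assertEquals(p.Id, u.ProfileId);
    }

    @IsTest
    static void createUserLinksExistingUserByUsername() {
        // An existing user whose Salesforce username equals the asserted username is
        // linked (same Id, no duplicate) and has its name and email overwritten.
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User'];
        User existing = new User(
            Username = 'existing.user@example.com.bloksectest',   // constructed, must be unique
            Email = 'old@example.com',
            FirstName = 'Old', LastName = 'Name', Alias = 'olduser',
            ProfileId = p.Id, TimeZoneSidKey = 'America/Los_Angeles',
            LocaleSidKey = 'en_US', LanguageLocaleKey = 'en_US', EmailEncodingKey = 'UTF-8');
        insert existing;

        BlokSecRegHandler handler = new BlokSecRegHandler();
        Auth.UserData data = makeUserData('existing.user@example.com.bloksectest',
                                          'new@example.com', 'New', 'Name');
        User linked = handler.createUser(null, data);

        System.assertEquals(existing.Id, linked.Id, 'must link, not create');
        User reloaded = [SELECT Email, FirstName FROM User WHERE Id = :existing.Id];
        System.assertEquals('new@example.com', reloaded.Email);
        System.assertEquals('New', reloaded.FirstName);
        System.assertEquals(1, [SELECT COUNT() FROM User
                                WHERE Username = 'existing.user@example.com.bloksectest']);
    }
}
```

Run it from Setup > Apex Test Execution (or `sf apex run test`) in the sandbox before deploying. The third test is the one to keep an eye on: it documents that the handler trusts the username claim for account linking, which is exactly the behaviour you want to be sure of before enabling the provider on the login page.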

3. Configure the OIDC authentication provider in Salesforce

  1. In Salesforce, navigate to Settings > Identity > Auth. Providers
  2. Click New and select Open ID Connect from the dropdown
  3. Complete the configuration with the following values:

| Field | Value |
| --- | --- |
| Name | Salesforce Passwordless Login (or your preferred name) |
| URL Suffix | Keep the auto-generated value or customize as needed |
| Consumer Key | Application ID from BlokSec (step 1) |
| Consumer Secret | Application Secret from BlokSec (step 1) |
| Authorize Endpoint URL | https://api.bloksec.io/oidc/auth |
| Token Endpoint URL | https://api.bloksec.io/oidc/token |
| User Info Endpoint URL | https://api.bloksec.io/oidc/me |
| Default Scopes | openid email profile |
| Send access token in header | Checked |
| Include Consumer Secrets in API Responses | Checked (this allows the consumer secret to be returned when the Auth. Provider is read through the Salesforce API; leave it unchecked if no integration needs that) |
| Custom Logout URL | https://api.bloksec.io/oidc/session/end |
| Registration Handler | BlokSecRegHandler (use the lookup to select the class created in step 2) |
| Execute Registration As | A Salesforce user with permission to create, update, and delete users (the handler's DML runs in this user's context) |

  4. Click Save
  5. In the Salesforce Configuration section that appears after saving, copy the following URLs. You will need them in the final step:
    • Callback URL
    • Single Logout URL

4. Enable BlokSec in the Salesforce authentication configuration

  1. In Salesforce, navigate to Settings > Company Settings > My Domain
  2. Scroll to the Authentication Configuration section and click Edit
  3. Check the box for the authentication service created above (for example, Salesforce Passwordless Login)
  4. Click Save

5. Complete the BlokSec application configuration

  1. Return to the Salesforce application in the BlokSec admin console, click the gear icon in the upper right, and select Edit Application
  2. Paste the Callback URL (from step 3) into the Redirect URIs field. BlokSec matches this value against the redirect_uri in each authorization request, so it must be the exact URL Salesforce displayed, including the URL suffix
  3. Paste the Single Logout URL (from step 3) into the Post Logout Redirect URIs field
  4. Click Submit to save

6. Test the integration

  1. Open a private/incognito browser window
  2. Navigate to your Salesforce org login page
  3. Select BlokSec (or your configured authentication service name) as the sign-in method
  4. Approve the sign-in on the BlokSec mobile app
  5. Confirm you are successfully authenticated into Salesforce, and check under Setup > Users that the user was created or linked as expected by the registration handler