top of page

Manage Salesforce using B2C Identities

We recently came across a customer who wanted

1. Partners to single sign on to salesforce via B2C identities(salesforce is the SP)

2. Manage salesforce identities using B2C.

Note that (1) is different from using Salesforce as the IdP behind B2C. In this case salesforce is the SP(service provider) and B2C is the IdP(identity provider).

For (2) they preferred JIT creation and updating of users.

Salesforce does support OIDC auth providers. One tricky area in integration is that salesforce needs an user info end point. However B2C does not expose a user info end point. But having a custom coded userinfo solves this problem.

App Model in B2C:

Create 2 apps. One for salesforce and the other for userinfo end point. More details for doing this can be found here:

Salesforce calls the user info end point with the access token. B2C access tokens contains all the claims. The userinfo end point, after validating the token, can pass back the token details as output claims.

req.CreateResponse<ResponseContent>( HttpStatusCode.OK, new ResponseContent { version = "1.0.0", status = (int) HttpStatusCode.OK, id =, name =, }, new JsonMediaTypeFormatter(), "application/json"); }

ResponseContent - A class that holds the claims to be sent as response.

access_token_parsed - Parsed token

Host this as an azure app service or function app.

Policy in B2C:

Create a policy that issues the required claims. There are many docs on how to do this. keep the meta data url for the policy handy.

Setting up Salesforce:

Log into salesforce(lightning experience)

Security Controls -> Auth Provider

Click New

Name and url suffix - This is what is displayed to the user at login time. Put an appropriate value.

Consumer key - application id of the salesforce app created in b2c

consumer secret - application secret of the salesforce app created in b2c.

Authorize End point and Token info end point - Copied from the metadata end point.

userinfo end point - userinfoendpoint url

Create a default registration handler. This needs to be edited.

Now saving this will result in few urls showing up.

Copy the callback url and put it in the b2c salesforce app as the reply url.

The claims from user info end point has to be mapped to a salesforce user. This is done in the registration handler.

On the salesforce quicksearch/find textbox type in apex.

Click apex classes. Click on the handler created above.

Replace the method createUser with the following:

global User createUser(Id portalId, Auth.UserData data){ User u = [SELECT ID FROM User Where Email = :]; return u;


Note - The above code can be tweaked to create new users or update existing users as well.

To log into salesforce custom domain has to be setup. There are several articles in the web on how to do that.

Edit the authentication configuration to include the newly created OIDC provider.

Navigating to the custom domain will display the chosen name for the OIDC provider. Clicking on that will result in log in.


It is a good idea to have logging in userinfo endpoint. This will help narrow down the errors.

Recent Posts
Follow Us
  • Facebook Basic Square
  • Twitter Basic Square
  • Google+ Basic Square
bottom of page