Salesforce SSO Provisioning

When onboarding an account, platforms that support SSO (OAuth2) usually have their OAuth config (client credentials, URLs, etc.) submitted in the Onboarding Request form. For Salesforce, the setup is different to support onboarding through the Salesforce AppExchange.

To offer OAuth in the AppExchange app, Deepdesk must register a single application whose client credentials are reused for every installation. Those credentials cannot be shipped with the application, so they must be stored elsewhere. In addition, the onboarding process must use these global credentials instead of only the config from the onboarding form.

Callback

Every OAuth setup includes a callback URL (registered with the OAuth application). The identity provider redirects the user to this URL with an authorization code. Normally the callback is account-specific: https://<account>.deepdesk.com/platform/sso.

For Salesforce, the app is registered globally. Using one callback per account would mean:

  • An ever-growing list of allowed callback URLs in Salesforce
  • The ability to start an OAuth flow for one account and request a redirect to another, enabling OAuth redirect attacks

So for Salesforce we use one generic callback: a redirect endpoint in the Onboarding service that reads the target account from the state parameter and redirects to that account's SSO completion URL.
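The generic callback only stays safe if the account it redirects to cannot be chosen freely by whoever submits the callback request: the state value has to be bound to the account and verified before it is trusted, and the target host has to be derived from a validated account slug rather than from any caller-supplied URL. The following is an added example, not Deepdesk's own Onboarding code; the signed state format (base64url JSON payload plus HMAC-SHA256 tag), the signing key and the account-slug pattern are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import re
from urllib.parse import urlencode

# Constructed for this example; the real key would live in the Onboarding service.
STATE_SIGNING_KEY = b"example-key-not-for-production"
# Hypothetical restriction on account slugs: one DNS label, so the slug can never
# introduce a dot, slash or other character that changes the redirect host.
ACCOUNT_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(account: str, nonce: str) -> str:
    """Issue a state value that carries the target account and is HMAC-signed."""
    if not ACCOUNT_RE.match(account):
        raise ValueError("invalid account slug")
    payload = _b64url(json.dumps({"account": account, "nonce": nonce}).encode())
    tag = hmac.new(STATE_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def account_from_state(state: str) -> str:
    """Verify the signature first; only then read the account out of the state."""
    payload, _, tag = state.partition(".")
    expected = hmac.new(STATE_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not tag or not hmac.compare_digest(tag, expected):
        raise ValueError("state signature mismatch")
    account = json.loads(_unb64url(payload))["account"]
    if not ACCOUNT_RE.match(account):
        raise ValueError("invalid account slug")
    return account


def generic_callback_redirect(code: str, state: str) -> str:
    """Build the redirect to the account's SSO completion URL from the verified slug."""
    account = account_from_state(state)
    query = urlencode({"code": code, "state": state})
    return f"https://{account}.deepdesk.com/platform/sso?{query}"
```

A tampered state (different account, altered payload or bad tag) is rejected before any redirect is built, so the endpoint cannot be turned into an open redirect by editing the query string.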

Process

  1. Store global credentials — Client ID, client secret, and scope are stored manually in Platform, on the "salesforce" Platform record.

  2. Onboarding — During onboarding we:

    • Take account-specific OAuth config (authorization URL, token URL) from the OnboardingRequest
    • Take client ID, client secret, and scope from Platform
    • Create the new OAuthProvider in Admin using this combined config

  3. Generic redirect — When creating the OAuthProvider for Salesforce, set the flag "Use generic redirect URL" to True.

  4. Agent login — Agents then go through the OAuth flow as usual using the configured OAuthProvider; the generic callback in Onboarding redirects them to the correct account based on state.

Summary

  Source                   Used for
  OnboardingRequest        Authorization URL, token URL (account-specific)
  Platform ("salesforce")  Client ID, client secret, scope (global)
  OAuthProvider            "Use generic redirect URL" = True