Configure a LinkedIn Authentication Provider
Configure LinkedIn as an authentication provider so your users can log in to Salesforce using their LinkedIn credentials.
Required Editions
| Available in: Lightning Experience and Salesforce Classic |
| Available in: Enterprise, Performance, Unlimited, and Developer Editions |
| User Permissions Needed | |
|---|---|
| To view the settings: | View Setup and Configuration |
| To edit the settings: | Customize Application AND Manage Auth. Providers |
To configure LinkedIn as an authentication provider, complete these tasks.
- Set up a registration handler.
- View LinkedIn scopes.
- Set up a LinkedIn app.
- Define a LinkedIn provider in Salesforce.
- Update your LinkedIn app to use the callback URL generated by Salesforce as an entry in the LinkedIn OAuth 2.0 Redirect URLs.
- Test the single sign-on (SSO) connection.
- Add the LinkedIn authentication provider to your login page.
For sandbox use cases, you can skip some of these steps and use the Salesforce-managed LinkedIn app. For production use cases, always create your own LinkedIn app and use its credentials for your authentication provider. The Salesforce-managed app can experience downtime and isn't recommended for production.
Set Up a Registration Handler
To use an authentication provider for single sign-on, you must create a registration handler. The registration handler creates users and updates existing users who access Salesforce via the identity provider. You can set up a registration handler with Apex or Flow Builder. For more information, see Create an Authentication Provider Registration Handler.
Here's an example Apex registration handler for the LinkedIn authentication provider. This registration handler assumes that the requested scopes include r_liteprofile and r_emailaddress. It also assumes that the users are logging in to a customer portal.
```apex
//TODO: This auto-generated class includes the basics for a Registration
//Handler class. You will need to customize it to ensure it meets your needs and
//the data provided by the third party.
global class LinkedInRegHandler implements Auth.RegistrationHandler {
    //Creates a Standard salesforce or a community user
    global User createUser(Id portalId, Auth.UserData data) {
        if (data.attributeMap.containsKey('sfdc_networkid')) {
            //We have a community id, so create a user with community access
            //TODO: Get an actual account
            Account a = [SELECT Id FROM account WHERE name = 'LinkedIn Account'];
            Contact c = new Contact();
            c.accountId = a.Id;
            c.email = data.email;
            c.firstName = data.firstName;
            c.lastName = data.lastName;
            insert(c);
            //TODO: Customize the username and profile. Also check that the username
            //doesn't already exist and possibly ensure there are enough org licenses
            //to create a user. Must be 80 characters or less.
            User u = new User();
            Profile p = [SELECT Id FROM profile WHERE name = 'Customer Portal Manager'];
            u.username = data.firstName + '@sfdc.linkedin.com';
            u.email = data.email;
            u.lastName = data.lastName;
            u.firstName = data.firstName;
            String alias = data.firstName;
            //Alias must be 8 characters or less
            if (alias.length() > 8) {
                alias = alias.substring(0, 8);
            }
            u.alias = alias;
            u.languagelocalekey = UserInfo.getLocale();
            u.localesidkey = UserInfo.getLocale();
            u.emailEncodingKey = 'UTF-8';
            u.timeZoneSidKey = 'America/Los_Angeles';
            u.profileId = p.Id;
            u.contactId = c.Id;
            return u;
        } else {
            //This is not a community, so create a regular standard user
            User u = new User();
            Profile p = [SELECT Id FROM profile WHERE name = 'Standard User'];
            //TODO: Customize the username. Also check that the username doesn't
            //already exist and possibly ensure there are enough org licenses
            //to create a user. Must be 80 characters or less
            u.username = data.firstName + '@salesforce.com';
            u.email = data.email;
            u.lastName = data.lastName;
            u.firstName = data.firstName;
            String alias = data.firstName;
            //Alias must be 8 characters or less
            if (alias.length() > 8) {
                alias = alias.substring(0, 8);
            }
            u.alias = alias;
            u.languagelocalekey = UserInfo.getLocale();
            u.localesidkey = UserInfo.getLocale();
            u.emailEncodingKey = 'UTF-8';
            u.timeZoneSidKey = 'America/Los_Angeles';
            u.profileId = p.Id;
            return u;
        }
    }

    //Updates the user's first and last name
    global void updateUser(Id userId, Id portalId, Auth.UserData data) {
        User u = new User(id = userId);
        u.lastName = data.lastName;
        u.firstName = data.firstName;
        update(u);
    }
}
```
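The sample handler builds the username from data.firstName and leaves the uniqueness and length checks as TODOs, so two members with the same first name map to the same username. The helper below is an added example, not part of Salesforce's sample code, showing one way to close those TODOs; the class name LinkedInRegHelper, the exception RegHandlerException, and the username suffix @linkedin.example.com are hypothetical.

```apex
// Added example (not Salesforce's sample code). LinkedInRegHelper,
// RegHandlerException and USERNAME_SUFFIX are hypothetical names and values.
public class LinkedInRegHelper {
    public class RegHandlerException extends Exception {}

    private static final String USERNAME_SUFFIX = '@linkedin.example.com';

    // Fail the login early if LinkedIn did not return what the handler relies on.
    public static void requireIdentity(Auth.UserData data) {
        if (String.isBlank(data.identifier)
                || !Pattern.matches('[A-Za-z0-9_-]+', data.identifier)) {
            throw new RegHandlerException('Missing or unexpected LinkedIn member ID');
        }
        if (String.isBlank(data.email)) {
            throw new RegHandlerException(
                'No email returned; check that r_emailaddress is in the requested scopes');
        }
    }

    // Key the username on the provider's stable member ID instead of the
    // first name, and refuse to reuse a username that already exists.
    public static String uniqueUsername(Auth.UserData data) {
        String username = 'li.' + data.identifier + USERNAME_SUFFIX;
        if (username.length() > 80) {
            throw new RegHandlerException('Generated username exceeds 80 characters');
        }
        // createUser runs only when no existing user is linked to this LinkedIn
        // identity, so a match here is a collision with a different user.
        if ([SELECT COUNT() FROM User WHERE Username = :username] > 0) {
            throw new RegHandlerException('Username already in use: ' + username);
        }
        return username;
    }

    // Alias must be 8 characters or less; tolerate a missing first name.
    public static String aliasFor(Auth.UserData data) {
        String base = String.isBlank(data.firstName) ? data.identifier : data.firstName;
        return base.left(8);
    }
}
```

In createUser, call LinkedInRegHelper.requireIdentity(data) before any DML, then assign u.username = LinkedInRegHelper.uniqueUsername(data) and u.alias = LinkedInRegHelper.aliasFor(data).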
View LinkedIn Scopes
A scope determines the information you get from LinkedIn about a user during the authorization process. Due to privacy concerns, LinkedIn updated its API to v2 to reduce the amount of member information returned to developer apps when members sign in. In v2, LinkedIn returns only the critical pieces of member data necessary for identification. The LinkedIn v2 Lite Profile replaces the v1 Basic Profile. The Lite Profile consists of a member’s ID, first name, family name, maiden name, and profile picture. As in v1, a user must first give LinkedIn approval to share the information.
When you set up LinkedIn as an authentication provider, you can view the scopes in the LinkedIn app settings and the Salesforce Auth. Provider settings. You can also view the scopes in a query to LinkedIn’s user info endpoint using field selectors.
- You can leave the scope value blank in the LinkedIn and Salesforce settings. Salesforce contains r_basicprofile, which provides only the most basic user information. It also supplies r_emailaddress, which contains the user’s email address.
- Here’s a request to retrieve the member’s profile in LinkedIn v2:
  GET https://api.linkedin.com/v2/me
- Salesforce requires a user’s email address. You can make a separate request to retrieve the user’s email address using r_emailaddress. Here’s a request to retrieve the member's email address.
  GET https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))
Set Up a LinkedIn App
Before you can configure LinkedIn for Salesforce, set up an app in LinkedIn.
- Sign in to your developer account on LinkedIn.
- From LinkedIn, click your profile picture at the top, and select My Apps.
- Click Create App.
- Enter the app settings.
- Note the client ID and client secret.
Define a LinkedIn Provider in Your Salesforce Org
To set up a LinkedIn provider, you need the LinkedIn client ID and client secret.
- From Setup, in the Quick Find box, enter Auth. Providers, click Auth. Providers, and then click New.
- For the provider type, select LinkedIn.
- Enter a name for the provider.
- Enter the URL suffix, which is used in the client configuration URLs. For example, if the URL suffix of your provider is MyLinkedInProvider, your SSO URL is similar to https://mydomain_url or community_url /services/auth/sso/MyLinkedInProvider.
- For Consumer Secret, use the LinkedIn client secret.
- To use an Apex registration handler, take these steps.
- For Registration Handler Type, select Apex.
- For Registration Handler, select an existing Apex class that implements the Auth.RegistrationHandler interface. Or, to create a template for the registration handler, click Automatically create a registration handler template. Edit this class later, and modify the default content before using it.
- To use a flow for your registration handler, take these steps.
- For Registration Handler Type, select Flow.
- For Registration Handler, select an existing flow of the Identity User Registration flow type.
- Select a default profile. A default profile is required to run the registration handler. If you don't specify a default profile here, set the default profile in the flow itself.
  If you use the Authentication Provider User Registration flow template, the profile that you set here is automatically stored in the defaultProfileId variable.
- Select a default account. If you use your authentication provider for Experience Cloud sites, this account stores new internal users.
  If you use the Authentication Provider User Registration flow template, the profile that you set here is automatically stored in the defaultAccountId variable.
- For Execute Registration As, select an execution user to run the Apex class or flow. The user must have the Manage Users permission.
  Execute Registration As provides the context in which the registration handler runs. In production, you typically create a system user for the Execute Registration As user. This way, operations performed by the handler are easily traced back to the registration process. For example, if a contact is created, the system user creates it.
- Optionally, set these fields:
- For Authorize Endpoint URL, enter https://www.linkedin.com/oauth/v2/authorization.
- For Token Endpoint URL, enter the OAuth token URL from LinkedIn. For example, https://www.linkedin.com/oauth/v2/accessToken. For more information, see Authenticating with OAuth 2.0 Overview.
- To change the values requested from LinkedIn’s profile API, enter the User Info Endpoint URL. For more information, see Profile API. The URL must start with https://api.linkedin.com/v2/me, and the requested fields must correspond to the requested scopes.
- For Default Scopes, enter a supported value or space-separated values that represent the information you get from LinkedIn.
- If you enter a consumer key and consumer secret, the consumer secret is included in SOAP API responses by default. To hide the secret in SOAP API responses, deselect Include Consumer Secret in SOAP API Responses. Starting in November 2022, the secret is always replaced in Metadata API responses with a placeholder value. On deployment, replace the placeholder with your consumer secret as plain text, or modify the value later through the UI.
- For Custom Error URL, enter the URL for the provider to use to report any errors.
- For Icon URL, add a path to an icon to display as a button on the login page for a site. This icon applies to an Experience Cloud site only. It doesn’t appear on your Salesforce login page or My Domain login URL. Users click the button to log in with the associated authentication provider for the site. Specify a path to your own image, or copy the URL for one of our sample icons into the field.
- To use a portal for LinkedIn users, select the portal from the Portal dropdown list.
- To use the Salesforce multi-factor authentication (MFA) functionality instead of your identity provider’s MFA service, select Use Salesforce MFA for this SSO provider. This setting triggers MFA only for users who have MFA applied to them directly. For more information, see Use Salesforce MFA for SSO.
- Save your work.
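The endpoint fields in this procedure decide where Salesforce sends the authorization request, the code exchange (which carries the consumer secret), and the profile query, so a mistyped or lookalike host matters. The class below is an added example, not Salesforce code, that checks candidate values against the hosts and prefix named on this page; LinkedInEndpointCheck is a hypothetical class name, and the expected host for the token endpoint is assumed to match the authorize endpoint's host.

```apex
// Added example (not Salesforce code). LinkedInEndpointCheck is a hypothetical name.
public class LinkedInEndpointCheck {
    private static final String OAUTH_HOST = 'www.linkedin.com';
    private static final String USERINFO_PREFIX = 'https://api.linkedin.com/v2/me';

    // Returns a list of problems; an empty list means the values are consistent
    // with the LinkedIn endpoints this page documents.
    public static List<String> problems(String authorizeUrl, String tokenUrl,
                                        String userInfoUrl) {
        List<String> out = new List<String>();
        checkHost(out, 'Authorize Endpoint URL', authorizeUrl);
        checkHost(out, 'Token Endpoint URL', tokenUrl);
        if (String.isNotBlank(userInfoUrl) && !userInfoUrl.startsWith(USERINFO_PREFIX)) {
            out.add('User Info Endpoint URL must start with ' + USERINFO_PREFIX);
        }
        return out;
    }

    private static void checkHost(List<String> out, String field, String value) {
        if (String.isBlank(value)) {
            return; // optional field left empty
        }
        try {
            Url u = new Url(value);
            if (u.getProtocol() != 'https') {
                out.add(field + ' must use https');
            }
            // Exact host match: the token endpoint receives the authorization
            // code and consumer secret, so a near-miss domain is not acceptable.
            if (u.getHost() != OAUTH_HOST) {
                out.add(field + ' host is ' + u.getHost() + ', expected ' + OAUTH_HOST);
            }
        } catch (Exception e) {
            out.add(field + ' is not a valid URL');
        }
    }
}
```

Run it from Anonymous Apex with the values you intend to enter; for example, a token URL whose host is www.linked.com is reported as a host mismatch.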
After you define the authentication provider, Salesforce generates these client configuration URLs.
- Test-Only Initialization URL—Use this URL to ensure that the third-party provider is set up correctly. The admin opens this URL in a browser, signs in to the third party, and is redirected to Salesforce with a map of attributes.
- Single Sign-On Initialization URL—Use this URL to perform SSO into Salesforce from a third party using third-party credentials. The user opens this URL in a browser and signs in to the third party. The third party creates a user or updates an existing user. Then the third party signs the user into Salesforce as that user.
- Existing User Linking URL—Use this URL to link existing Salesforce users to a third-party account. The user opens this URL in a browser, signs in to the third party, signs in to Salesforce, and approves the link.
- OAuth-Only Initialization URL—Use this URL to obtain OAuth access tokens for a third party. Users must authenticate with Salesforce for the third-party service to get a token. This flow doesn’t provide for future SSO functionality.
- Callback URL—Use this URL for the endpoint that the authentication provider calls back to for configuration. The authentication provider must redirect to the callback URL with information for each client configuration URL.
Client configuration URLs support more request parameters that enable you to:
- Direct users to log in to specific sites.
- Obtain customized permissions from the third party.
- Go to a specific location after authenticating.
Update Your LinkedIn App
After you define the LinkedIn authentication provider in Salesforce, go back to LinkedIn. Update your app to use the Salesforce-generated callback URL as the LinkedIn OAuth 2.0 Redirect URLs value.
Test the SSO Connection
In a browser, open the Test-Only Initialization URL on the Auth. Provider Setup page. It redirects you to LinkedIn and asks you to sign in. You’re then asked to authorize your app. After you authorize, you’re redirected to Salesforce.
Add the Authentication Provider to Your Login Page
Configure your login page to show the authentication provider as a login option. Depending on whether you’re configuring SSO for an org or Experience Cloud site, this step is different.
- For orgs, see Add an Authentication Provider to Your Org's Login Page.
- For Experience Cloud sites, see Add an Authentication Provider to Your Experience Cloud Site’s Login Page.

