This application is an example implementation in Node.js of the different SAML and OAuth flows that are supported by Salesforce. Please leverage this repository as learning material, rather than something to be used in production.
When I was preparing for the Salesforce Certified Technical Architect (CTA) certification, Identity & Access Management (IAM) was one of the topics I struggled with. Mainly because I hadn't come into contact with it frequently during any projects I'd worked on.
I knew how to set up Single Sign-On (SSO), but that didn't compare to understanding the more delicate complexities of the different OAuth flows. So I started diving into this topic in detail.
There were two resources that were invaluable to me:
At first, I expanded upon Jitendra's work by adding the flows I struggled with most. After passing the CTA board, I wanted to build it out further to include the majority of OAuth flows so that others could also learn from it.
It took a while but I've finally built it.
You can find a video walkthrough of how to install and set up the application on your personal Heroku environment. Click the below image to launch the video on Youtube.
Step-by-step instructions on how to get the application up and running.
Create a Heroku account if you don't already have one.
If you want to run the application locally, install the Heroku CLI.
Click on the below button to deploy this application on Heroku.
This step can be skipped if you're ok using the private key and public certificate that are stored in this GitHub repository. Be aware that this isn't safe and you should only do this for Salesforce environments that you don't mind getting compromised.
To generate your own private key and public certificate, follow these steps
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out server.crt -days 365 -noencopenssl req -x509 -newkey rsa:2048 -keyout key.pem -out server.crt -days 365 -nodesCreate a Connected App in your Salesforce org. The Connected App should have the following settings:
From the newly created Connected App, click 'Manage', then 'Edit Policies'. Under 'OAuth Policies', selected 'Admin approved users are pre-authorized' for 'Permitted Users'.
After saving, add the correct profile of your user or add a permission set that is assigned to your user.
Update the Config Vars of your Heroku app (Settings > Config Vars) for the following key-value pairs.
You can set "PERSIST" to "true" if you're running the application locally and you'd like to persist the response from the SAML Assertion flow.
Navigate to the Heroku app at https://your-heroku-app.herokuapp.com/. Go to the flow you're interested in, read the description and click the Production / Sandbox button to execute.
There's also a possibility to test a Heroku app locally. If you're taking this approach, execute the following steps:
$ claude mcp add salesforce-iam-flows \
-- python -m otcore.mcp_server <graph>