We use Salesforce, and our staff users log into Salesforce using Entra ID as the IdP. Salesforce isn’t connected to Auth0 at all today.
Separate to this, we have built an external custom API in AWS, which is authenticated using Auth0 as the IdP (and exists as a custom Auth0 API in the Auth0 portal).
We’d like Salesforce to consume this API, but we’d like to store the logged-in Salesforce staff User details in our database that backs the API (to act as an audit trail).
We have created a Salesforce application in Auth0 as an M2M application, with appropriate permissions to access the API.
The question:
Is it possible to get the ‘Salesforce staff User’ details (first name / last name claims etc) passed through here to our Auth0 backed API (rather than the ‘M2M user’) without having to send the Salesforce User in the body payload of the API? Is it possible to add this to the M2M Auth Token itself somehow to then extract on the other side? What is best practice here? An Action? Custom token exchange?
Based on your request, what I would recommend as the most straightforward and secure solution would be to create an OIDC connection inside Auth0 for your custom API for Entra ID and then send the token from Salesforce when making requests. This way, requests will be authorized, and you’ll be able to obtain all the information that you need to log from the token itself.
If you have any other questions for us let us know.
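As an added illustration of the recommended approach (this is example code written for this thread, not Auth0's or the poster's code), the sketch below shows what the API side looks like when the audit identity comes from a verified token rather than from the request body: the API checks the token's signature, issuer, audience and expiry, then derives the audit principal from the claims. It distinguishes a client-credentials (M2M) token, which identifies only the Salesforce integration, from a user token that came through an OIDC connection. Assumptions: the issuer, audience, shared secret and namespaced claim names are constructed placeholders; HS256 with a shared secret stands in for the RS256/JWKS verification a real Auth0-issued token needs; and the given_name/family_name claims are assumed to have been added to the access token under a custom namespace, since Auth0 access tokens do not carry them by default.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholders for the example (not values from the thread).
ISSUER = "https://example-tenant.auth0.com/"
AUDIENCE = "https://api.example.com/"
SHARED_SECRET = b"constructed-demo-secret"  # stands in for the IdP's RS256 key / JWKS
# Assumed namespace for custom claims; access tokens only carry name claims
# if something (e.g. an Action) adds them under a namespace like this.
CLAIM_NS = "https://example.com/"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Build an HS256 JWT. This is the IdP's job; it is here only to create demo inputs."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Verify signature, issuer, audience and expiry; return the claims or raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not get to pick its own algorithm
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    current = now if now is not None else int(time.time())
    if int(claims.get("exp", 0)) <= current:
        raise ValueError("expired")
    return claims


def audit_principal(claims: dict) -> dict:
    """Derive the audit-trail identity from verified claims only."""
    # Auth0 client-credentials tokens carry gty=client-credentials and a sub of <client_id>@clients.
    if claims.get("gty") == "client-credentials" or claims.get("sub", "").endswith("@clients"):
        return {"kind": "client", "client_id": claims.get("azp"), "user": None}
    return {
        "kind": "user",
        "client_id": claims.get("azp"),
        "user": {
            "sub": claims["sub"],
            "given_name": claims.get(CLAIM_NS + "given_name"),
            "family_name": claims.get(CLAIM_NS + "family_name"),
        },
    }


def handle_request(authorization_header: str, body: dict, now: Optional[int] = None) -> dict:
    """API entry point: a 'user' field in the body is reported but never used for the audit record."""
    if not authorization_header.startswith("Bearer "):
        raise ValueError("missing bearer token")
    claims = verify_token(authorization_header[len("Bearer "):], now)
    return {"principal": audit_principal(claims), "body_user_ignored": "user" in body}
```

The point of keeping the audit identity in audit_principal, fed only by verify_token, is that a caller holding the M2M client credentials cannot make the audit trail say a staff user did something by putting a name in the payload: with an M2M token the record shows the client, and a staff user appears only when a token that actually carries their verified claims is presented.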
Great, thanks! - to also check - we already have an Enterprise Connection through to ‘Azure AD’ (Entra ID) set up in Auth0, used for a different purpose though (authenticating into a different application). Do we still need the new OIDC connection here to Entra, or could we somehow utilise / repurpose the Enterprise Connection we already have set up here?