How to handle social logins on subdomains loaded as domains via CNAME? - google-app-engine

I have a project where subdomains are created for each of my users. So, if my project is example.com, a customer of mine might have steve.example.com.
I then added social logins with Google and Facebook. For Google's "Authorized JavaScript origins" and "Authorized redirect URIs", they don't allow wildcard domains. What's the best way to handle this?
Next, it gets more complicated for users that want to load steve.example.com on their own domain via CNAME. So if example2.com's DNS is pointed to steve.example.com, it appears I need to add example2.com to my Authorized Javascript Origins. What's the best way to handle this? Can I add it via API? I can't find any documentation regarding this and I'd rather not have to manually add 1000 subdomains and domains to Google.

Do you want a user to authorize a scope "A" for site 1 and get it auto approved for site 2? Most likely not.
If you use the same client ID (put these all in the same project) that means they should just be approved once by a user. This may be a privacy violation if the sites are different and a user may not want to sign-in to one of those but into another.
To solve this, you should be creating a different client ID for each of your customers.
Another good reason to create a project/client ID per customer is that if for some reason there is abuse and one of the client IDs is compromised, then other/all customers are not affected.
If you are creating project/client ids for each project then you should add the right subdomain there during the configuration. I also recommend not having all the projects (1000s as you say) in one Google account.
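As an added illustration of the per-customer client ID approach (not code from the original post): a small Python sketch that picks the customer's own client ID from the request Host header, builds the Google authorize URL with the exact redirect URI registered for that customer, and binds the OAuth state to the customer and host so the callback can reject logins that did not start on that site. The registry, client IDs, callback path and secret are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed sample registry (hypothetical): one Google client ID per customer,
# listing exactly the hosts registered for that client; IDs are placeholders.
CUSTOMER_CLIENTS = {
    "steve": {"client_id": "CLIENT-ID-FOR-STEVE.apps.googleusercontent.com",
              "hosts": {"steve.example.com", "example2.com"}},  # example2.com: Steve's CNAME
    "alice": {"client_id": "CLIENT-ID-FOR-ALICE.apps.googleusercontent.com",
              "hosts": {"alice.example.com"}},
}
STATE_KEY = b"constructed-server-side-secret"  # hypothetical; load from config in practice

def normalize_host(host):
    return host.lower().split(":")[0]

def resolve_customer(host):
    """Map the Host header to the customer whose registration covers it; unknown
    hosts are rejected rather than falling back to a shared client ID."""
    h = normalize_host(host)
    for slug, cfg in CUSTOMER_CLIENTS.items():
        if h in cfg["hosts"]:
            return slug, cfg
    raise ValueError("host not registered for any customer: " + h)

def make_state(slug, host, nonce=None):
    """HMAC-bind the OAuth state to the customer and host that started the login."""
    msg = f"{slug}|{host}|{nonce or secrets.token_hex(16)}"
    return msg + "|" + hmac.new(STATE_KEY, msg.encode(), hashlib.sha256).hexdigest()

def verify_state(state, host):
    """Return the customer slug only if the state is authentic and was issued for this host."""
    msg, _, mac = state.rpartition("|")
    expected = hmac.new(STATE_KEY, msg.encode(), hashlib.sha256).hexdigest()
    if not mac or not hmac.compare_digest(mac, expected):
        return None
    slug, bound_host, _nonce = msg.split("|")
    return slug if bound_host == normalize_host(host) else None

def build_authorize_url(host):
    """Start the flow with the customer's own client ID and an exact redirect URI."""
    slug, cfg = resolve_customer(host)
    h = normalize_host(host)
    params = {"client_id": cfg["client_id"],
              "redirect_uri": f"https://{h}/oauth2/callback",  # must match console entry verbatim
              "response_type": "code", "scope": "openid email profile",
              "state": make_state(slug, h)}
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params)
```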

Related

Let the user create Azure Active Directory App registrations for our app?

We just had a customer, Acme, request that they be able to create their own app registration to represent our SaaS app. So far we've managed the app registration ourselves and had one definition that's then shared with all customers.
They requested this for a couple of reasons:
They want to give the app another name, to match their internal naming conventions.
They want to change the URL of the app from app.product.com to acme.product.com so they can click on the app in the App gallery and be taken directly to their instance, instead of manually browsing to acme.product.com.
These are reasonable requests, and I get it, but if every customer has their own app registration then our support overhead goes way up, because we have to hold their hand as they set it up and then make sure it's updated whenever we have to make changes (quite rarely, mind you).
Is this a common pattern and we just have to deal with it, or is this all better solved in some other way?
If you want to sync the configurations between your Azure AD app and the customer's, the best way is using multi-tenant app.
Unfortunately the customer cannot modify the app name and reply URL in this case.
Publishing your app to the Azure AD app gallery so the customer can install it from their tenant would allow them to modify the name and reply URL.

Is it possible to use custom domains without owner verification with appengine?

I have an application hosted by Google Appengine and I need to serve it using custom domain. Is it possible to use custom domains without owner verification?
In order for a custom domain to serve your GAE app, Google must verify that you are indeed an owner of the domain (DNS entries often need to be added, etc.)
If your DNS provider can do a 301/302 HTTP redirect, you can set it up to redirect to your app's underlying app_id.appspot.com URL, but the user would be seeing it after the first page load in the browser address bar.
Without validation though, you won't be able to host a site directly.

Is it possible to grant access to a certain service for only a certain sub-organization unit for an App not yet listed in the Marketplace?

We are developing an app which our customer would like to install for some of their teams. However, we have not yet listed this app on the App Marketplace and would like to install this application for our client's sub-org without needing to do so. Is there any way to have the admin grant access to our app for only this sub-org?
We checked out domain wide delegation, but it seems to be for the whole domain. The only other method seems to be using OAuth, but this would involve every person individually signing up, and not a one time action by the admin.
Thanks!
As far as I know.... no.
But you definitely could simulate that. For instance make your app completely public, but on the login page check for the IP of the logged customer and then decide if it comes from the right subdomain. If not, send the customer to a "403" page.
Or you might be able to create ONE user, using the same email for the whole organization?

Serve GAE app from a custom domain?

I have a GAE project (myproject.appspot.com) which I'd like to serve from a custom domain (myapp.com).
I have added the custom domain to my Google Apps account for my company (example.com)
On my dashboard I have successfully added my domain. This is confirmed; it says myapp.com - Active
Following Google's instructions, I perform step 3 (click "Add Domain"), which attempts to log me in using my normal admin account:
Problem #1, it won't let me perform this step:
You are trying to access Google Admin of myapp.com but you do not have a valid logged in account for it.
I have successfully performed step 4 (Activate this service), and my app appears under "App Engine Apps" for my company.
This page displays: Web address — Your users can access MYPROJECT at: https://myproject.appspot.com — Add new URL
I then click on "Add new URL", which offers me a chance to select a domain from a pulldown list that includes all the domains I own on this account (i.e. both example.com and myapp.com).
Problem #2, it won't let me perform this step. I choose http://myapp.com and click [Add]. When I do this, I get an alert in a red popup box that says The term 'myapp.com' is not allowed. The single quotes are unescaped and appear as "'"
I can successfully add the URL for my company domain (example.com) just fine. But it throws an error/alert if I select myapp.com instead.
Why is Google Apps preventing me from using this domain? I clearly own it, and it appears on the pulldown menu. Why does it say "the term" is not allowed, as if it's a typo? Is this a bug in parsing the unescaped quote characters?
I found a great (and very obscure) solution.
First of all, Google doesn't tell you this, but the custom domain cannot be a secondary domain on your Google Apps account. Only the primary domain can be selected for "Add new URL."
There are two solutions. One is to add the second domain (myapp.com) to your Google Apps account as a domain alias for the primary (example.com), not a secondary domain. This may not be acceptable for many users, since it means you cannot use myapp.com to deliver different content from example.com.
The second solution is to create an entirely independent, separate Google Apps account, and make your domain (myapp.com) a primary domain for that account. This too may not be acceptable for many users, since you may not feel like paying for a Google Apps account (minimum of $50 per user per year). However, there is a very cool way to get a Google Apps account for free.
You can create an independent Google Apps account with exactly 1 user, and then delete Google Apps for that user. This sounds weird, but stay with me. The superuser account remains, so you can administer the domain and the App Engine app. What you give up are the paid services: Gmail, Docs, Calendar, etc. for that user, which means you're not obliged to pay the $50/year.
Here's the recipe. You will need:
a) a Google User account (e.g. joe@myapp.com created at http://gmail.com)
b) an App Engine account (e.g. http://appengine.google.com)
c) a Google Apps account (e.g. http://admin.google.com/myapp.com)
Create your Google Apps account, you will get a free 30-day trial.
Make sure your user (a) is an owner of the app engine project (b).
Make sure you add your app engine project (b) to your Apps account (c).
Under "Admin Console / More controls / App Engine Apps" ("add services", click icon in upper right corner)
Here's where you delete the paid services and keep the Apps account for free:
In the admin console, choose Company Profile / Profile.
Scroll all the way down to Account Deletion. Look for the text "One or more subscriptions are still active. Please cancel these subscriptions "
Click "subscriptions".
Click "Google Apps".
Click "Cancel Google Apps" (It's the ⃠ icon on the extreme right side of page)
This will delete the paid services (Gmail, Docs, Cal, etc.) so you will no longer have access to any of those. Gmail will not handle any email sent to joe@myapp.com. You will need to set up the MX records for myapp.com to point to some other service if you want to enable email for the myapp.com domain. But you will have the myapp.com domain associated with your Apps account and with your App Engine app, for free, and you will be able to log in as joe@myapp.com to administer them both.
At some point, if you change your mind and decide you want Gmail for your users, you are always welcome to add the Google Apps service back on, and of course purchase licenses for $50/user/year.
You need to add the GAE app from your Google Apps for Domain account. There is a form where you can add an appengine app to your Google Apps account, but it's not in your GAE account, it's in your Google Apps account.

Using VisualForce pages/controllers

How can visualforce pages and their respective controllers be hosted on SFDC but have my own domain name and URL extension being used when directing users to them?
I am building pages in VisualForce with Apex controller extensions in the background and would like to know how to direct my users to them whilst still prepending the filename with my own URL and not na9.salesforce......
Would these pages have to be hosted on Sites.com Or can I host them as pages in my developer.force.com account? I think the first because if they were to be hosted within SFDC then a login would be required to view the pages?
I am so confused that things are not going well. I know that SFDC wants everything to be integrated, but I think that users should just be happy with a single solution that does not have modules thrown all over the place where you need bespoke training to use it effectively.
Salesforce.com's Sites is the technology that you are going to need to use if you want to provide your own domain (URL). Essentially, with that technology you can set up a guest account for anonymous user access. So everything still runs under the context of a user; it would just be this generic guest account.
This article explains the details of mapping your Domain to the Salesforce.com Site domain.
http://wiki.developerforce.com/page/Force.com_Sites_Best_Practices