15 July 2019

How Trailblazer Identity (TBID) Works with Trailhead and myTrailhead

Almost weekly, I find myself trying to explain how Trailblazer Identity works with both Trailhead and myTrailhead.

For those that don’t know, Trailhead uses a service called Trailblazer Identity for managing user sign-up and login. Trailblazer Identity is one of the greatest innovations that Salesforce has created. It solves a truly unique problem set: how to unify all the Salesforce community properties such as Trailhead, Trailblazer Community, Dreamforce, Events, AppExchange under a common profile and identity that represents their single user across all Salesforce properties. At the same time, it also supports myTrailhead users within a company who may double up as Salesforce community users. That’s some serious double-thinking going on - you can be a member of several communities, plus access Trailhead, plus access private myTrailhead content - all as the same user! I could be an Independent Software Vendor (ISV) managing my app on AppExchange, a guest at Dreamforce, a partner attending a Trailblazer Community event, a Salesforce learner on Trailhead, or a learner on my own company’s myTrailhead tenant - all within the same day. That is a truly unique problem set that was solved with a single identity service!

Using Trailblazer Identity means a single person can use many different login identities (Google, Facebook, Salesforce, LinkedIn, Email) for many different use cases in many different user contexts (I’m an ISV, a partner, a learner, an admin, an employee, an event attendee), all going through the same identity service to sign up, log in, access different types of content, and view their profile of accomplishments and engagement with Trailhead, myTrailhead, and the Salesforce community. As you can hopefully imagine, there are many different ways Trailblazer Identity interacts with users - whether it’s logging them in via the web site or single sign-on, linking or merging their identities and users together, signing them up, or managing their settings including the hands-on orgs used for challenges. And it does all of this for both Trailhead and myTrailhead. As a result, there’s some complexity in the identity service, which creates an opportunity to educate others on how it works.

When I start explaining Trailblazer Identity in the context of both Trailhead and myTrailhead, I wind up with a white board that looks a little like this:



White board of Trailblazer Identity with Trailhead and myTrailhead

Keep in mind, every myTrailhead user is a Trailhead user. This means that myTrailhead users have full access as first class citizens to public Trailhead content while, at the same time, having access to their organization’s private myTrailhead content.

In its most basic form, Trailblazer Identity works like this: a new user signs up for Trailhead using a login identity that Trailblazer Identity accepts including:

  • *Salesforce production org 
    • including developer edition and a trial org
  • Google
  • LinkedIn 
  • Facebook 
  • Email
    • email address/one-time password
*Important Note: sandbox org logins do not work with Trailblazer Identity for login or sign up. This affects Trail Tracker sync later on in this blog post. If you have developers in a sandbox that aren’t already in a production Salesforce org, Trail Tracker won’t be able to load any of their badges. Those developers can still use a different login identity like Google or Facebook; however, their badges won’t sync with Trail Tracker.


Web login and sign up options

Now that Trailblazer Identity has some information about the login identity that you’re using to sign up, it asks for some simple information to finish the user registration. All users, including myTrailhead users, must self-register first as a Trailhead user. This guarantees a set of rights for all users based on the Terms of Service for Trailhead. For instance, an organization can inactivate a production user, removing their access to their private badges. But the organization can't take away access to a user's public badges as long as that user connected a separate, non-production org identity to their Trailhead user. Because everyone must self-register as Trailhead users, there is no way to auto-provision users on Trailblazer Identity such as through an LDAP or Active Directory service.

Progressive Profile User Registration

So the whole login and signup flow looks a little like this on the white board:

Login and Signup flows put together

Keep in mind, the idea is to have a common user across all Salesforce properties based on the user’s email address. If Trailblazer Identity finds that a user already exists with the same email address that you just used to sign up a new user, then it’ll link the new login to the existing user. This keeps a user from signing up multiple times and losing track of which user or login maps to which badges they’ve earned.

If your intention is to create multiple Trailhead users intentionally, for instance if you’re getting ready to do a demonstration to your team but don’t want it to affect your real badges or profile, then you can use a different email address or modify your email. For example, Gmail allows you to add a ‘+’ suffix to your address as a filter, which acts like a new email address even though messages still go to your original inbox. There’s a great blog from Google about using filters in email addresses.

It’s also important to understand that you can use more than one login identity tied to your Trailhead user, so any of the following login identities can be used to login to your single Trailhead User.

Multiple Logins, Only one of You

That means you can login to Trailhead one day with your Google login identity, the next with your LinkedIn login identity, another day with your Email using a one-time password, and another day using your Salesforce production org user. Logins just tell Trailblazer Identity how to map to the single user they’re associated with. You can also manage all of these login identities under the Settings page within Trailhead, choosing which ones to keep and which ones to disconnect or merge and link.

Manage Login Identities under Settings

Notice that ‘Connect’ button in the last picture? It lets Trailhead link or merge login identities, and even other existing Trailhead users, with your user. This is because it’s possible that there are multiple Trailhead users with different email addresses even though, in reality, there’s only one of you. If that is the case, you can link or merge them:

Linking or Merging users

The difference between linking and merging users is that if the second Trailhead user has any badges, we’ll merge them into the first user before we combine all of their login identities together. Otherwise, Trailhead will just link their login identities to their one-and-only-one Trailhead user.

And now that you have your single Trailhead user, you can login through the web site by clicking the login button or through single sign-on. To learn more about the single sign-on route, check out this awesome blog post.

Most importantly, now that you have a single user with multiple login identities, you have a single place to share your user’s profile and accomplishments. It doesn’t matter what login identity you use to login, you can access your single Trailhead profile.

Public Trailhead Badges and Rank

However, if you login with your myTrailhead production org identity, you'll see something slightly different than if you logged in with any of your other login identities. You’ll see both your public Trailhead badges and your myTrailhead badges together, and your rank will be based on the combination of public and private content. When you log in with a non-myTrailhead login identity, you see only your rank in the context of public Trailhead badges and points.

myTrailhead + Public Trailhead Badges and Rank

This may cause your head to spin a little bit. I don’t blame you. One minute you’re a Mountaineer rank and the next you’re a Ranger! The advantage is that whether you’re an administrator or developer earning public Trailhead badges, or an employee, end-user, partner or anyone else earning private myTrailhead badges, your login identity establishes the context of what you can see, including your badges.

People find Trailhead through a variety of means such as searching Google, following someone on Twitter, and word of mouth. Most of these result in a new Trailhead user signing up via the public Trailhead web site.

A myTrailhead user will typically become a Trailhead user by clicking through a single sign-on deep link in an email inviting them to earn a badge on myTrailhead. They might also click a single sign-on link from another website like a community or within a chatter post in the Salesforce app.  Keep in mind, a Trailhead user must use a Salesforce production org login to access their myTrailhead content - that’s how Trailhead connects the dots between the org they’re logging in from and the myTrailhead tenant they should have access to. After all, it’s possible for a single Trailhead user to have access to multiple myTrailhead tenants of content.  If that user already exists and has logged into their production org in another browser tab, Trailhead will log them in automatically. If not, Trailhead will take them through the progressive profile sign up process and then deep link them to the content from the email.

myTrailhead login and single sign-on flow

And when they’re done with the content, if they logout from myTrailhead, they’ll be logged out from Trailhead as well and be directed to the Trailhead home page.

Finally, Trailblazer Identity helps Trailhead to connect the dots with Trail Tracker reporting. Trail Tracker is a free AppExchange app for tracking user badge and Trailmix activity. When reporting on badge activity via Trail Tracker, Trailhead uses your user’s information to decide how to sync their activity with their reporting organization.

Every day, a scheduled Apex job in Trail Tracker runs; it calls into Trailhead with the organization Id and retrieves all of the badge and Trailmix activity for any user who has linked or used the same production org identity to login to their Trailhead user. That way, Trailhead can share the user’s public and private myTrailhead badges the same way Trailhead figures out whether you can see public, or public and private, badges on your profile. And if the user doesn’t use myTrailhead, that’s okay. Trail Tracker will sync all of their public badges with your organization - as long as they’ve linked at least one of their Trailhead user login identities with the same org. More about using Trail Tracker and linking login identities in this fantastic blog post.


Trail Tracker and User Identities

One use case that is a bit more challenging with Trail Tracker is using sandbox to test it. Trail Tracker actually does work in a sandbox, but the integration user has to be a production org user when you set it up since sandbox users can’t login to Trailhead to begin with. In other words, you can’t have developers who exist only in a sandbox org sync their badges with Trail Tracker running in sandbox since it's not possible for them to login to Trailhead in the first place to earn badges. This isn’t a limitation in Trail Tracker - it’s just the way Trailblazer Identity works - since you can’t login or sign up with a sandbox user, you can’t earn badges and if you can’t earn badges, you can’t sync them to Trail Tracker. Access is based on the link between a Trailhead user’s production org identity and the production org where Trail Tracker is installed.
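To make the rules above concrete (email-based linking at sign-up, link versus merge when connecting two users, which badges a login identity can see, and which users a Trail Tracker job for a given org picks up), here is a small Python model. It is an added illustration written for this post, not Salesforce code and not how Trailblazer Identity is implemented; user ids, org ids, login types and badge names are all constructed sample values, and the model assumes the email reported by a login provider has already been verified by that provider.

```python
"""Toy model of the Trailhead user / login-identity rules described in the post.

Added illustration, not Salesforce code. Every identifier below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional, Set

PRODUCTION_ORG = "salesforce_production_org"  # only login type that unlocks myTrailhead content
SANDBOX_ORG = "salesforce_sandbox_org"        # not accepted for login or sign-up (per the post)
ACCEPTED_LOGIN_TYPES = {PRODUCTION_ORG, "google", "linkedin", "facebook", "email"}


def accepts_login(kind: str) -> bool:
    """True when Trailblazer Identity accepts this login type for sign-up / login."""
    return kind in ACCEPTED_LOGIN_TYPES


@dataclass(frozen=True)
class LoginIdentity:
    kind: str                      # one of ACCEPTED_LOGIN_TYPES (or SANDBOX_ORG, which is rejected)
    subject: str                   # provider-side user id (constructed)
    email: str                     # email the provider reports; assumed already verified by the provider
    org_id: Optional[str] = None   # set only for Salesforce org identities


@dataclass
class TrailheadUser:
    user_id: str
    email: str
    logins: Set[LoginIdentity] = field(default_factory=set)
    public_badges: Set[str] = field(default_factory=set)
    # private badges keyed by the myTrailhead tenant (org id) that issued them
    private_badges: Dict[str, Set[str]] = field(default_factory=dict)


class TrailblazerIdentity:
    def __init__(self) -> None:
        self.users: Dict[str, TrailheadUser] = {}
        self.by_login: Dict[LoginIdentity, str] = {}
        self._next = 1

    def _attach(self, user: TrailheadUser, login: LoginIdentity) -> None:
        user.logins.add(login)
        self.by_login[login] = user.user_id

    def sign_up(self, login: LoginIdentity) -> TrailheadUser:
        """Resolve or create the Trailhead user for a login identity."""
        if not accepts_login(login.kind):
            raise ValueError(f"{login.kind} cannot be used to sign up or log in")
        if login in self.by_login:
            return self.users[self.by_login[login]]
        # Same email => link the new login to the existing user instead of creating a duplicate.
        for user in self.users.values():
            if user.email.lower() == login.email.lower():
                self._attach(user, login)
                return user
        user = TrailheadUser(user_id=f"u{self._next}", email=login.email)
        self._next += 1
        self.users[user.user_id] = user
        self._attach(user, login)
        return user

    def connect(self, primary_id: str, secondary_id: str) -> str:
        """'Connect' button: merge badges if the second user has any, then combine the logins."""
        primary, secondary = self.users[primary_id], self.users.pop(secondary_id)
        action = "link"
        if secondary.public_badges or any(secondary.private_badges.values()):
            action = "merge"
            primary.public_badges |= secondary.public_badges
            for org, badges in secondary.private_badges.items():
                primary.private_badges.setdefault(org, set()).update(badges)
        for login in secondary.logins:
            self._attach(primary, login)
        return action

    def profile(self, login: LoginIdentity) -> Set[str]:
        """Badges visible after logging in with `login`; private badges only via that tenant's production org."""
        user = self.users[self.by_login[login]]
        visible = set(user.public_badges)
        if login.kind == PRODUCTION_ORG and login.org_id in user.private_badges:
            visible |= user.private_badges[login.org_id]
        return visible

    def trail_tracker_sync(self, org_id: str) -> Dict[str, Set[str]]:
        """What a Trail Tracker job for `org_id` retrieves: users that linked that production org identity."""
        report: Dict[str, Set[str]] = {}
        for user in self.users.values():
            if any(l.kind == PRODUCTION_ORG and l.org_id == org_id for l in user.logins):
                report[user.user_id] = set(user.public_badges) | user.private_badges.get(org_id, set())
        return report


def demo() -> dict:
    """Walk through the scenarios from the post with constructed data."""
    tbid = TrailblazerIdentity()
    google = LoginIdentity("google", "g-1", "ada@example.com")
    prod = LoginIdentity(PRODUCTION_ORG, "005-1", "ada@example.com", org_id="00D-PACIFICA")
    ada = tbid.sign_up(google)
    same_user = tbid.sign_up(prod) is ada          # same email -> linked, not duplicated
    ada.public_badges.add("advanced_formulas")
    ada.private_badges["00D-PACIFICA"] = {"pacifica_onboarding"}
    # A second user created under a '+' address, with a badge of its own, then connected.
    other = tbid.sign_up(LoginIdentity("linkedin", "li-9", "ada+demo@example.com"))
    other.public_badges.add("apex_basics")
    action = tbid.connect(ada.user_id, other.user_id)
    return {
        "same_user": same_user,
        "login_count": len(ada.logins),
        "connect_action": action,
        "google_view": sorted(tbid.profile(google)),
        "org_view": sorted(tbid.profile(prod)),
        "sync": tbid.trail_tracker_sync("00D-PACIFICA"),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and compare the two profile views: the Google login shows only public badges, the production org login shows public plus that tenant's private badges, and the Trail Tracker report for the org contains exactly the users who linked that org identity. A sandbox identity is rejected at sign-up, which is why sandbox-only developers never show up in the report.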

Trailblazer Identity is one of the greatest innovations that Salesforce has created. It allows you to access multiple communities in different contexts as your day switches you from partner, to customer, to developer, to employee end-user. It solves many difficult problems and helps us unify the community as well as providing a secure, scalable, and trusted service for all Salesforce community properties including Trailhead and myTrailhead.

05 July 2019

Using Single Sign-on with Trailhead

In March, Trailhead introduced a new identity service called Trailblazer ID (TBID). This innovation enables Salesforce to create a foundation for unifying community properties such as Trailhead and the Trailblazer Community. But under the covers, there are a number of incredible innovations, one of which I'm asked about at least once per week -

"Can I single sign-on (SSO) and deep link to content on Trailhead without having my users login to Salesforce first and navigate through the site?" 

The short answer is, YES!

There is one important caveat: of the four login types (Salesforce, Google, LinkedIn, and Email), this solution works only with your Salesforce login.

Trailblazer ID Login Options

As a result, you need to link your Trailhead account using a Salesforce org login to make SSO work. This is because it gives TBID enough information about who you are to log you in correctly using our SSO solution.

The following excerpt is customized from the myTrailhead Help & Training docs (I can't take credit for that writing - the myTrailhead doc writer deserves all the credit) that describes how to create an SSO deep link to content on myTrailhead. However, with one small change described in this blog post, it works for Trailhead as well.

myTrailhead Help & Training Docs

The second section of this blog post describes how you can apply that deep link using a simple formula customization built on top of Trail Tracker to make it 'button click' easy to access content on Trailhead as a logged in user.

Let's say you work at the Pacifica company, and you want to single sign-on an Administrator to the Advanced Formulas module on Trailhead. You can build a link that initiates the necessary relays to confirm that a user is authenticated and then takes the user to the module.

For example, this SSO link leads to the Advanced Formulas module on Trailhead.

https://trailblazer.me/relay?community=trailhead&mydomain=pacificalearning&path=/content/learn/modules/advanced_formulas/

Follow this process to build the link.

Navigate to the Trailhead content that you want to link to, such as the Advanced Formulas module.

Keep the page open in a browser so that you can refer to it. The URL contains some of the details required to create the SSO link.

Example: https://trailhead.salesforce.com/content/learn/modules/advanced_formulas/

Advanced Formulas Module - Logged In User

This URL contains the following information for building an SSO link.

Trailblazer ID Community: trailhead
Namespace name: learn
Content type: modules
Content API name: advanced_formulas

Name the online location of the relay service: trailblazer.me

Example: https://trailblazer.me

Add the relay prompt that initiates SSO authentication: /relay?.

Example: https://trailblazer.me/relay?

Now tell the relay where to go by adding community=trailhead.

Example: https://trailblazer.me/relay?community=trailhead

Add an ampersand (&) and one of the following, depending on whether My Domain is set up in your Salesforce org.

If My Domain is set up in your Salesforce org, add mydomain= and your My Domain name, such as pacificalearning.

If My Domain is not set up in your Salesforce org, add instance= and the instance where your Salesforce org is located, such as na57.

Example:

With My Domain:

https://trailblazer.me/relay?community=trailhead&mydomain=pacificalearning

Without My Domain:

https://trailblazer.me/relay?community=trailhead&instance=na57

NOTE: To determine if My Domain is set up in your Salesforce org, navigate to Setup > My Domain. If your org uses My Domain, the domain name is on that page. To determine the instance where your Salesforce org is located, in your org, navigate to Setup > Company Information.

You’ve built the part of the link that confirms whether the user is authenticated through SSO. Now add the path to the content where you want to take your users.

Add &path=/content/.

Example:

With My Domain:

https://trailblazer.me/relay?community=trailhead&mydomain=pacificalearning&path=/content/

Without My Domain:

https://trailblazer.me/relay?community=trailhead&instance=na57&path=/content/

To add the path to the content, refer to the URL that you navigated to in step 1. Add, in the same order as they appear in that URL:
  • The content type, such as modules/ or trails/.
  • Your namespace name, such as pacificalearning/ (for public Trailhead content the namespace is learn/, as in the example URL).
  • The content API name, such as advanced_formulas

Example:

With My Domain:

https://trailblazer.me/relay?community=trailhead&mydomain=pacificalearning&path=/content/learn/modules/advanced_formulas/

Without My Domain:

https://trailblazer.me/relay?community=trailhead&instance=na57&path=/content/learn/modules/advanced_formulas/

Now you’ve created the SSO authentication link that you can send to your users!

But how would you use this in the real world?

You could use this to generate links with an Excel formula and send them out via branded emails as invitations to complete Trailhead badges. The downside of this approach is that if you haven't logged into your organization yet, you'll have to log in first, since your email alone doesn't give us enough information to log you into Trailhead.

Another way you could auto-generate these SSO deep links to Trailhead content is to build a formula field in your org with Trail Tracker. I like this approach over email because it guarantees that you're already logged into your Salesforce organization.

Button Click using Single Sign-on to a Trailhead Module

The flow is pretty straightforward: when you view a badge record, you can click on a custom field, in this case called Single Sign-on URL, and it will log you into Trailhead automatically and navigate to the Advanced Formulas module. And if you haven't already registered as a Trailhead user, don't worry, TBID will take you through the progressive profile to create a new user and then return you to the Advanced Formulas module when you're done.

To create the field, you just need to go to Setup as an Administrator and under the Badge object, create a new formula field called Single Sign-on URL.

Badge Formula Field

The following formula is a starting point for trying this out in your org. It checks the type of badge (If Module, Then Project, Then Superbadge, Else "None") and then constructs the SSO URL by parsing the standard trailheadapp__URL__c field that comes with the Trail Tracker App.

Formula:

IF(ISPICKVAL(trailheadapp__Type__c, 'Module'),
   HYPERLINK('https://trailblazer.me/relay?community=trailhead&mydomain=pacificalearning&path=/content/learn/modules/'
             & IF(BEGINS(trailheadapp__URL__c, "https://"),
                  MID(trailheadapp__URL__c,
                      FIND('https://', trailheadapp__URL__c, 1) + 50,
                      (LEN(trailheadapp__URL__c) - FIND('https://', trailheadapp__URL__c, 1) + 50)),
                  trailheadapp__URL__c),
             Name, '_blank'),
IF(ISPICKVAL(trailheadapp__Type__c, 'Project'),
   HYPERLINK('https://trailblazer.me/relay?community=trailhead&mydomain=pacificalearning&path=/content/learn/projects/'
             & IF(BEGINS(trailheadapp__URL__c, "https://"),
                  MID(trailheadapp__URL__c,
                      FIND('https://', trailheadapp__URL__c, 1) + 50,
                      (LEN(trailheadapp__URL__c) - FIND('https://', trailheadapp__URL__c, 1) + 50)),
                  trailheadapp__URL__c),
             Name, '_blank'),
IF(ISPICKVAL(trailheadapp__Type__c, 'Superbadge'),
   HYPERLINK('https://trailblazer.me/relay?community=trailhead&mydomain=pacificalearning&path=/content/learn/superbadges/'
             & IF(BEGINS(trailheadapp__URL__c, "https://"),
                  MID(trailheadapp__URL__c,
                      FIND('https://', trailheadapp__URL__c, 1) + 56,
                      (LEN(trailheadapp__URL__c) - FIND('https://', trailheadapp__URL__c, 1) + 56)),
                  trailheadapp__URL__c),
             Name, '_blank'),
"none")))

That's the power of the Salesforce platform. From there, you can introduce this link in Login Flows, Workflows, Notifications, Reports, and pretty much anywhere the formula can be presented to a user.
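The relay link recipe above (relay service, community=, mydomain= or instance=, then path=) and the formula's approach of cutting the content path out of trailheadapp__URL__c at a fixed character offset are both captured in the following Python reference, added here for illustration; it is not a Salesforce formula and not Salesforce's or Trail Tracker's code. Instead of fixed offsets, which only hold while the stored URL keeps exactly the prefix length the formula expects, it parses the URL, checks that the host is trailhead.salesforce.com and that the content type is one the post uses (modules, trails, projects, superbadges), and only then assembles the link. The optional locale segment (such as /en/) in a Trailhead URL, the character set allowed for My Domain and instance names, and the pacificalearning / na57 values are assumptions of this example.

```python
"""Build and validate a Trailblazer ID relay (SSO) link from a Trailhead content URL.

Added example; not a Salesforce formula, not Salesforce's code. Sample values are constructed.
"""
import re
from typing import Optional, Tuple
from urllib.parse import urlencode, urlsplit

RELAY_BASE = "https://trailblazer.me/relay"
TRAILHEAD_HOST = "trailhead.salesforce.com"
CONTENT_TYPES = {"modules", "trails", "projects", "superbadges"}  # types named in the post

# /content/<namespace>/<type>/<api name>/ with an ASSUMED optional leading locale segment (e.g. /en/).
CONTENT_PATH = re.compile(
    r"^/(?:[a-z]{2}(?:-[A-Za-z]{2})?/)?content/"
    r"(?P<ns>[a-z0-9_-]+)/(?P<type>[a-z]+)/(?P<api>[A-Za-z0-9_-]+)/?$"
)
# ASSUMED shape for My Domain / instance names: lowercase letters, digits, hyphens only.
TOKEN = re.compile(r"^[a-z0-9-]+$")


def parse_content_url(url: str) -> Tuple[str, str, str]:
    """Return (namespace, content type, API name) or raise ValueError if the URL is not Trailhead content."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != TRAILHEAD_HOST:
        raise ValueError("not a Trailhead content URL")
    match = CONTENT_PATH.match(parts.path)
    if not match or match["type"] not in CONTENT_TYPES:
        raise ValueError(f"unsupported content path: {parts.path}")
    return match["ns"], match["type"], match["api"]


def is_trailhead_content_url(url: str) -> bool:
    try:
        parse_content_url(url)
        return True
    except ValueError:
        return False


def _check_token(value: str, name: str) -> None:
    if not TOKEN.match(value):
        raise ValueError(f"{name} contains characters outside the expected set")


def build_relay_link(content_url: str, mydomain: Optional[str] = None,
                     instance: Optional[str] = None, community: str = "trailhead") -> str:
    """Assemble https://trailblazer.me/relay?community=...&(mydomain|instance)=...&path=/content/..."""
    if (mydomain is None) == (instance is None):
        raise ValueError("give exactly one of mydomain or instance")
    ns, ctype, api = parse_content_url(content_url)
    query = [("community", community)]
    if mydomain is not None:
        _check_token(mydomain, "mydomain")
        query.append(("mydomain", mydomain))
    else:
        _check_token(instance, "instance")
        query.append(("instance", instance))
    # Re-derive the path from the parsed parts rather than trusting the raw URL text.
    query.append(("path", f"/content/{ns}/{ctype}/{api}/"))
    # safe='/' keeps the slashes in the path literal, matching the link format in the post.
    return f"{RELAY_BASE}?{urlencode(query, safe='/')}"


if __name__ == "__main__":
    src = "https://trailhead.salesforce.com/content/learn/modules/advanced_formulas/"
    print(build_relay_link(src, mydomain="pacificalearning"))
    print(build_relay_link(src, instance="na57"))
```

Fed the module URL from the walkthrough, the function reproduces the with-My-Domain and without-My-Domain links shown above; a URL on another host, or under a path that is not /content/…, is rejected instead of being relayed, which is the check you would want before a formula or email campaign hands out these links at scale.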

Single Sign-on to Trailhead from your Salesforce organization is possible to help you ramp your team on Salesforce.