15 July 2019

How Trailblazer Identity (TBID) Works with Trailhead and myTrailhead

Almost weekly, I find myself trying to explain how Trailblazer Identity works with both Trailhead and myTrailhead.

For those that don’t know, Trailhead uses a service called Trailblazer Identity for managing user sign-up and login. Trailblazer Identity is one of the greatest innovations that Salesforce has created. It solves a truly unique problem set: how to unify all the Salesforce community properties, such as Trailhead, Trailblazer Community, Dreamforce, Events, and AppExchange, under a common profile and identity that represents a single user across all Salesforce properties. At the same time, it also supports myTrailhead users within a company who may double up as Salesforce community users. That’s some serious double-thinking going on - you can be a member of several communities, plus access Trailhead, plus access private myTrailhead content - all as the same user! I could be an Independent Software Vendor (ISV) managing my app on AppExchange, a guest at Dreamforce, a partner attending a Trailblazer Community event, a Salesforce learner on Trailhead, or a learner on my own company’s myTrailhead tenant - all within the same day. That is a truly unique problem set, and it was solved with a single identity service!

Using Trailblazer Identity means a single person can use many different login identities (Google, Facebook, Salesforce, LinkedIn, Email) for many different use cases in many different user contexts (I’m an ISV, a partner, a learner, an admin, an employee, an event attendee), all going through the same identity service to sign up, log in, access different types of content, and view their profile of accomplishments and engagement with Trailhead, myTrailhead, and the Salesforce community. As you can hopefully imagine, there are many different ways Trailblazer Identity interacts with users - whether it’s logging them in via the web site or single sign-on, linking or merging their identities and users together, signing them up, or managing their settings, including the hands-on orgs used for challenges. And it does all of this for both Trailhead and myTrailhead. As a result, there’s some complexity in the identity service, which creates an opportunity to educate others on how it works.

When I start explaining Trailblazer Identity in the context of both Trailhead and myTrailhead, I wind up with a white board that looks a little like this:


White board of Trailblazer Identity with Trailhead and myTrailhead

Keep in mind, every myTrailhead user is a Trailhead user. This means that myTrailhead users have full access as first class citizens to public Trailhead content while, at the same time, having access to their organization’s private myTrailhead content.

In its most basic form, Trailblazer Identity works like this: a new user signs up for Trailhead using a login identity that Trailblazer Identity accepts, including:

  • *Salesforce production org
    • including Developer Edition and trial orgs
  • Google
  • LinkedIn
  • Facebook
  • Email
    • email address/one-time password

*Important Note: sandbox org logins do not work with Trailblazer Identity for login or sign-up. This affects Trail Tracker sync, covered later in this blog post. If you have developers in a sandbox who aren’t already in a production Salesforce org, Trail Tracker won’t be able to load any of their badges. Those developers can still use a different login identity like Google or Facebook; however, their badges won’t sync with Trail Tracker.


Web login and sign up options

Now that Trailblazer Identity has some information about the login identity that you’re using to sign up, it asks for some simple information to finish the user registration. All users, including myTrailhead users, must self-register first as a Trailhead user. This guarantees a set of rights for all users based on the Terms of Service for Trailhead. For instance, an organization can inactivate a production user, removing their access to their private badges. But the organization can't take away access to a user's public badges as long as that user connected a separate, non-production-org identity to their Trailhead user. Because everyone must self-register as a Trailhead user, there is no way to auto-provision users on Trailblazer Identity, such as through an LDAP or Active Directory service.

Progressive Profile User Registration

So the whole login and signup flow looks a little like this on the white board:

Login and Signup flows put together

Keep in mind, the idea is to have a common user across all Salesforce properties based on the user’s email address. If Trailblazer Identity finds that a user already exists with the same email address that you just used to sign up, then it’ll link the new user with the existing one. This keeps a user from signing up multiple times and losing track of which user or login maps to which badges they’ve earned.

If you do intend to create multiple Trailhead users - for instance, if you’re getting ready to do a demonstration to your team but don’t want it to affect your real badges or profile - then you can use a different email address or modify your email address. For example, Gmail allows you to add a ‘+’ suffix to your address; Gmail treats it as a filter, but it acts like a new email address for sign-up even though mail still goes to your original inbox. There’s a great blog from Google about using filters in email addresses.

It’s also important to understand that you can have more than one login identity tied to your Trailhead user, so any of the following login identities can be used to log in to your single Trailhead user.

Multiple Logins, Only one of You

That means you can log in to Trailhead one day with your Google login identity, the next with your LinkedIn login identity, another day with your email address and a one-time password, and another day with your Salesforce production org user. Logins just tell Trailblazer Identity how to map to the single user they’re associated with. You can also manage all of these login identities under the Settings page within Trailhead, choosing which ones to keep and which ones to disconnect, or to merge and link.

Manage Login Identities under Settings

Notice that ‘Connect’ button in the last picture? It helps Trailhead link or merge login identities, and even other existing Trailhead users, with your user. This matters because there may be multiple Trailhead users with different email addresses even though, in reality, there’s only one of you. If that is the case, you can link or merge them:

Linking or Merging users

The difference between linking and merging users is that if the second Trailhead user has any badges, we’ll merge them into the first user before we combine all of their login identities together. Otherwise, Trailhead will just link their login identities to their one-and-only-one Trailhead user.
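To make the sign-up, linking and merging rules concrete, here is a small Python model written for this post; it is not Salesforce or Trailhead code, and the provider names, account ids, email addresses and badge names are constructed. It encodes three behaviours described above: a login identity from a provider Trailblazer Identity does not accept (a sandbox org) is rejected outright; a sign-up whose email address matches an existing user is linked to that user instead of creating a duplicate, while a plus-addressed email counts as a new address; and ‘Connect’ merges badges first when the second user has any, then combines the login identities, otherwise it only links.

```python
from dataclasses import dataclass, field

# Providers the post lists as accepted by Trailblazer Identity (assumed names).
# Sandbox org logins are not accepted for sign-up or login, so they are absent here.
ACCEPTED_PROVIDERS = {"salesforce_production_org", "google", "linkedin", "facebook", "email"}


@dataclass(frozen=True)
class LoginIdentity:
    provider: str   # e.g. "google"
    subject: str    # provider-specific account id (constructed values in demo())
    email: str      # email address reported by the provider


@dataclass
class TrailheadUser:
    user_id: int
    email: str
    logins: set = field(default_factory=set)   # {(provider, subject), ...}
    badges: set = field(default_factory=set)


class IdentityService:
    """Toy model of sign-up, linking and merging; not the real service."""

    def __init__(self):
        self.users = {}        # user_id -> TrailheadUser
        self.by_login = {}     # (provider, subject) -> user_id
        self.by_email = {}     # lower-cased email -> user_id
        self._next_id = 1

    def sign_up_or_login(self, login: LoginIdentity) -> TrailheadUser:
        if login.provider not in ACCEPTED_PROVIDERS:
            raise ValueError(f"{login.provider} cannot be used to sign up or log in")
        key = (login.provider, login.subject)
        if key in self.by_login:                  # known login identity: plain login
            return self.users[self.by_login[key]]
        email = login.email.lower()
        if email in self.by_email:                # same email as an existing user: link, don't duplicate
            user = self.users[self.by_email[email]]
        else:                                     # genuinely new person: register
            user = TrailheadUser(self._next_id, email)
            self._next_id += 1
            self.users[user.user_id] = user
            self.by_email[email] = user.user_id
        user.logins.add(key)
        self.by_login[key] = user.user_id
        return user

    def connect(self, keep_id: int, other_id: int) -> str:
        """'Connect' a second Trailhead user into the first; returns 'merged' or 'linked'."""
        keep, other = self.users[keep_id], self.users.pop(other_id)
        action = "linked"
        if other.badges:                          # badges present: merge them before combining logins
            keep.badges |= other.badges
            action = "merged"
        for key in other.logins:                  # then combine all login identities onto one user
            keep.logins.add(key)
            self.by_login[key] = keep.user_id
        self.by_email[other.email] = keep.user_id # later sign-ups with that email land on the kept user
        return action


def demo() -> dict:
    svc = IdentityService()
    u1 = svc.sign_up_or_login(LoginIdentity("google", "g-123", "ada@example.com"))
    u1.badges.add("apex_basics")
    # Same email via another provider links to the existing user rather than creating a second one
    u1b = svc.sign_up_or_login(LoginIdentity("linkedin", "li-456", "Ada@example.com"))
    # A plus-address is a different email, so it yields a separate user (e.g. for a demo)
    u2 = svc.sign_up_or_login(LoginIdentity("email", "ada+demo@example.com", "ada+demo@example.com"))
    u2.badges.add("trailhead_playground")
    action = svc.connect(u1.user_id, u2.user_id)   # u2 has a badge, so this is a merge
    try:
        svc.sign_up_or_login(LoginIdentity("salesforce_sandbox_org", "005-sbx", "ada@example.com"))
        sandbox_rejected = False
    except ValueError:
        sandbox_rejected = True
    return {"same_user": u1 is u1b, "action": action, "badges": sorted(u1.badges),
            "login_count": len(u1.logins), "users_left": len(svc.users),
            "sandbox_rejected": sandbox_rejected}


if __name__ == "__main__":
    print(demo())
```

Linking is keyed on the email address the provider reports, exactly as the post describes, which is why the model lower-cases it before lookup; a second user only ever comes into existence when the address genuinely differs.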

And now that you have your single Trailhead user, you can log in through the web site by clicking the login button or through single sign-on. To learn more about the single sign-on route, check out this awesome blog post.

Most importantly, now that you have a single user with multiple login identities, you have a single place to share your user’s profile and accomplishments. It doesn’t matter which login identity you use to log in: you can always access your single Trailhead profile.

Public Trailhead Badges and Rank

However, if you log in with your myTrailhead production org identity, you'll see something slightly different than if you logged in with any of your other login identities. You’ll see both your public Trailhead badges and your myTrailhead badges together, and your rank will be based on the combination of public and private content. When you log in with a non-myTrailhead login identity, you only see your rank in the context of public Trailhead badges and points.

myTrailhead + Public Trailhead Badges and Rank

This may cause your head to spin a little bit. I don’t blame you. One minute you’re a Mountaineer rank and the next you’re a Ranger! The advantage is that, whether you’re an administrator or developer earning public Trailhead badges, or an employee, end-user, partner or anyone else earning private myTrailhead badges, your login identity establishes the context of what you can see, including your badges.

People find Trailhead through a variety of means such as searching Google, following someone on Twitter, and word of mouth. Most of these result in a new Trailhead user signing up via the public Trailhead web site.

A myTrailhead user will typically become a Trailhead user by clicking through a single sign-on deep link in an email inviting them to earn a badge on myTrailhead. They might also click a single sign-on link from another website like a community, or within a Chatter post in the Salesforce app. Keep in mind, a Trailhead user must use a Salesforce production org login to access their myTrailhead content - that’s how Trailhead connects the dots between the org they’re logging in from and the myTrailhead tenant they should have access to. After all, it’s possible for a single Trailhead user to have access to multiple myTrailhead tenants of content. If that user already exists and has logged into their production org in another browser tab, Trailhead will log them in automatically. If not, Trailhead will take them through the progressive profile sign-up process and then deep link them to the content from the email.

myTrailhead login and single sign-on flow

And when they’re done with the content, if they logout from myTrailhead, they’ll be logged out from Trailhead as well and be directed to the Trailhead home page.

Finally, Trailblazer Identity helps Trailhead to connect the dots with Trail Tracker reporting. Trail Tracker is a free AppExchange app for tracking user badge and Trailmix activity. When reporting on badge activity via Trail Tracker, Trailhead uses your user’s information to decide how to sync their activity with their reporting organization.

Every day, a scheduled Apex job in Trail Tracker runs. It calls into Trailhead with the organization Id and retrieves all of the badge and Trailmix activity for any user who has linked, or used, that same production org identity to log in to their Trailhead user. That way, Trailhead can share the user’s public and private myTrailhead badges the same way it figures out whether you can see public, or public and private, badges on your profile. And if the user doesn’t use myTrailhead, that’s okay. Trail Tracker will sync all of their public badges with your organization - as long as they’ve linked at least one of their Trailhead user login identities with the same org. More about using Trail Tracker and linking login identities in this fantastic blog post.


Trail Tracker and User Identities

One use case that is a bit more challenging with Trail Tracker is using a sandbox to test it. Trail Tracker does work in a sandbox, but the integration user has to be a production org user when you set it up, since sandbox users can’t log in to Trailhead to begin with. In other words, you can’t have developers who exist only in a sandbox org sync their badges with Trail Tracker running in a sandbox, since it's not possible for them to log in to Trailhead in the first place to earn badges. This isn’t a limitation in Trail Tracker - it’s just the way Trailblazer Identity works: since you can’t log in or sign up with a sandbox user, you can’t earn badges, and if you can’t earn badges, you can’t sync them to Trail Tracker. Access is based on the link between a Trailhead user’s production org identity and the production org where Trail Tracker is installed.
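The two rules that the rank discussion and the Trail Tracker section share, namely that the login identity in use sets which badges are visible and that the daily sync only returns activity for users who linked the requesting production org, can be shown in one piece of code. The following Python is an example written for this post, not Trailhead or Trail Tracker code: the org Ids, tenant name, users, badge names, point values and rank thresholds are all constructed (only the rank names Mountaineer and Ranger come from the post). A sandbox-only developer has no login identity at all in this model, so they simply never appear in a sync report, which is the situation the previous paragraph describes.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: the org Ids, tenant name and rank thresholds are made up for this example.
TENANT_OF_ORG = {"00Dxx0000001AAA": "acme"}    # production org Id -> myTrailhead tenant it owns
RANKS = [(0, "Mountaineer"), (600, "Ranger")]  # constructed point thresholds, not Trailhead's real table


@dataclass(frozen=True)
class Badge:
    name: str
    points: int
    tenant: Optional[str] = None   # None: public Trailhead badge; otherwise a private myTrailhead tenant


@dataclass(frozen=True)
class Login:
    provider: str                  # "google", "linkedin", ... or "salesforce_production_org"
    org_id: Optional[str] = None   # production org Id for Salesforce logins; sandbox users get no Login at all


@dataclass(frozen=True)
class User:
    name: str
    logins: tuple
    badges: tuple


def context_tenant(login_used: Login) -> Optional[str]:
    """The myTrailhead tenant a login establishes, if any; only a production org login can do so."""
    if login_used.provider != "salesforce_production_org":
        return None
    return TENANT_OF_ORG.get(login_used.org_id)


def visible_badges(user: User, login_used: Login) -> list:
    """Public badges are always shown; private badges only for the tenant the login establishes."""
    tenant = context_tenant(login_used)
    return [b for b in user.badges if b.tenant is None or b.tenant == tenant]


def rank_for(badges) -> str:
    """Rank computed from the points of whichever badges are visible in the current login context."""
    points = sum(b.points for b in badges)
    rank = RANKS[0][1]
    for threshold, name in RANKS:
        if points >= threshold:
            rank = name
    return rank


def trail_tracker_sync(org_id: str, users) -> dict:
    """What the daily Trail Tracker job for org_id gets back: badge names per user who linked that org."""
    tenant = TENANT_OF_ORG.get(org_id)
    report = {}
    for u in users:
        linked = any(l.provider == "salesforce_production_org" and l.org_id == org_id for l in u.logins)
        if not linked:
            continue               # no login identity linked to this org, so nothing is shared
        report[u.name] = sorted(b.name for b in u.badges if b.tenant is None or b.tenant == tenant)
    return report


# Constructed users: Ada linked a Google login and the org that owns the "acme" tenant,
# Bob only ever used LinkedIn, Carol linked a production org with no myTrailhead tenant.
ADA = User("ada", (Login("google"), Login("salesforce_production_org", "00Dxx0000001AAA")),
           (Badge("apex_basics", 100), Badge("acme_onboarding", 500, tenant="acme")))
BOB = User("bob", (Login("linkedin"),), (Badge("apex_basics", 100),))
CAROL = User("carol", (Login("salesforce_production_org", "00Dxx0000002BBB"),), (Badge("flow_basics", 100),))
EVERYONE = (ADA, BOB, CAROL)


if __name__ == "__main__":
    for login in (Login("google"), Login("salesforce_production_org", "00Dxx0000001AAA")):
        seen = visible_badges(ADA, login)
        print(login.provider, [b.name for b in seen], rank_for(seen))
    print(trail_tracker_sync("00Dxx0000001AAA", EVERYONE))
    print(trail_tracker_sync("00Dxx0000002BBB", EVERYONE))
```

Run as written, Ada is a Mountaineer when she logs in with Google and a Ranger when she logs in through the tenant's production org, which is the rank flip the post describes; the org that owns the tenant receives her public and private badges, Carol's org receives only her public badge, and Bob, who never linked a production org, is in neither report.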

Trailblazer Identity is one of the greatest innovations that Salesforce has created. It allows you to access multiple communities in different contexts as your day switches you from partner, to customer, to developer, to employee end-user. It solves many difficult problems and helps us unify the community as well as providing a secure, scalable, and trusted service for all Salesforce community properties including Trailhead and myTrailhead.
