+2,000 points

Integration Configuration Superbadge Unit

Set up an integration user and configure a connected app for OpenID Connect.

~2 hrs


What You'll Be Doing to Earn This Superbadge

  1. Set up an integration user.
  2. Establish a JWT Bearer flow connected app.
  3. Define an OAuth custom scope.
  4. Configure a connected app to use OpenID Connect.
  5. Configure an Auth. Provider with OpenID Connect.

Concepts Tested in This Superbadge

  • Integration Best Practices
  • Connected App
  • Auth. Provider

Prework and Notes

Sign Up for Two Developer Edition Orgs with Special Configuration

Important: Read the instructions below carefully; they differ from those you may have seen in other superbadges.

To complete this superbadge unit, you need two special Developer Edition orgs that contain special configuration and sample data. These Developer Edition orgs are designed to work with the challenges in this superbadge unit.

  1. Follow both links below to sign up for the two Developer Edition orgs.
  2. Fill out each form and enter an active email address.
    • Tip: Include the words primary and secondary in the respective usernames to help distinguish each org. (Example: yourinitials + today’s date +
  3. After you fill out the form, click Sign me up.
  4. When you receive the activation emails (this might take a few minutes), open them and click Verify Account.
  5. Complete your registration by setting your password and challenge question.
    • Tip: Write down your username, password, and login URL for easy access later.
  6. You are logged in to your superbadge Developer Edition orgs.

Now, connect your primary Developer Edition org to Trailhead. You don’t need to connect the secondary org to Trailhead to pass the challenges in this superbadge unit.

  1. Make sure you’re logged in to your Trailhead account.

  2. In the Challenge section at the bottom of this page, select Connect Org from the picklist.

  3. On the login screen, enter the username and password for the primary org you just set up.

  4. On the Allow Access? page, click Allow.

  5. On the Want to connect this org for hands-on challenges? page, click Yes! Save it. You are redirected back to the Challenge page and ready to use your new Developer Edition org to earn this superbadge.

  6. Now that you have two Salesforce orgs with special configuration for this superbadge unit, you’re good to go.
  • Enter all labels exactly as described in the instructions. Labels are case-sensitive and spelling counts.

  • When possible, copy and paste the label names from superbadge instructions instead of typing them.

  • Make sure you save your work before running the challenge check.

  • Build your solution according to the requirements; adding more configurations can cause challenge checks to fail.

  • We recommend following best practices and always including descriptions for configurations. However, we’re not checking for descriptions in this superbadge unit.

  • We don't recommend changing your org's My Domain Name for this challenge. If you do choose to deploy a new My Domain Name for your primary org, you'll need to disconnect and reconnect the org to Trailhead in order to reestablish the connection.

  • As you'll be working in multiple orgs, always record the unique My Domain and Experience Cloud site URLs for each org.
Before you begin the challenges, please review Integration Security Specialist Superbadge: Trailhead Challenge Help.

This superbadge unit is part of the Integration Security Specialist Superbadge. Complete the capstone assessment and related superbadge units to receive the Integration Security Specialist Superbadge.

Make sure you’re using the two Developer Edition orgs provided above to complete the challenges. If you’ve completed the Named Credentials Superbadge Unit, you can use the same Developer Edition org as the primary org to complete the challenges in this superbadge unit and sign up for a new secondary Developer Edition org from this sign up link. If not, make sure you’re using a new primary Developer Edition org from this sign up link. If you use an org that’s been used for other work, you won’t pass the challenges in this superbadge unit.

Review Superbadge Challenge Help for information about the Salesforce Certification Program and Superbadge Code of Conduct.

Use Case

Cloud Kicks (CK), an up-and-coming shoe company, is setting up a strategic partnership with Northern Trail Outfitters (NTO), a well-established athletic gear company. Though the partnership shows strong promise to help each company expand its business, a deep dive into their data brought up a few issues.

A comprehensive data quality assessment helped the lead generation teams from both companies identify duplicate leads and outdated data across their systems. Recognizing the potential challenges this posed, they’ve made a decision to manage lead data in an external system and purge all duplicates and outdated entries.

Business Requirements

The key objective for this integration project is to ensure that CK and NTO operate with the cleanest and most streamlined data possible, so the lead generation teams can get back on track! Mergester is a custom application specifically designed to refine and streamline lead data. It’s great at pinpointing and removing outdated leads efficiently. In your role, you'll set up and define the authorizing application within CK's Salesforce environment.

Set Up an Integration User for Mergester

When you’re working in data integration, the right setup is key. Begin with establishing a dedicated integration user, specifically for Mergester. The choice of a name and username is flexible, but make sure the username is unique.

Using the principle of least privilege (PoLP), ensure that the user license and the user's access align with the integration's objectives. This integration user will work primarily through Salesforce application programming interfaces (APIs), so direct access to the Salesforce user interface isn't necessary. In addition to the default profile, the integration user needs the ability to delete lead records. Assign the existing LEAD Sales - D permission set, which allows the delete operation on the Lead object.

Configure Mergester Connected App

As a systems developer, your next task is to configure an OAuth-enabled Mergester application (app) in the primary Developer Edition org. Define the redirect URI as The app should be allowed to interact with Salesforce APIs, and when the bearer token expires, it should automatically be able to request a renewal of the token. Make sure the security token exchanged for authorization is digitally signed by the Mergester.crt certificate. The Mergester app should be able to locally validate if the access token is valid and exists, avoiding additional requests to CK.

Next, review the OAuth access policies for this app. Only the integration user you established should be pre-approved to delete lead records using the Mergester connected app. When the bearer token expires, the application should request a new token using only the JSON Web Token (JWT) bearer flow.

When Mergester integrates a lead into the external system, it should be able to purge outdated records by deleting them. This operation requires not only an access token but also a custom parameter that defines the conditions for lead deletion in the external system. The owner of that external system requires a lead_delete policy to authorize deleting these leads.
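To make the JWT Bearer exchange described above concrete, here is an added Go example; it is not Salesforce code and not part of the Mergester app. It shows the assertion the integration would sign with the private key belonging to the Mergester.crt certificate, and the checks the authorization server performs before issuing an access token: the header must say RS256, the signature must verify against the certificate's public key, the audience must be this server, the assertion must not be expired, and the subject must be the one pre-authorized integration user. The consumer key, username and login URL are placeholders, the RSA key pair is generated in-process rather than loaded from the certificate, and the last function is the external system's own check that the lead_delete custom scope is present before a purge is honoured.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AssertionClaims are the registered claims the JWT Bearer flow uses.
type AssertionClaims struct {
	Iss string `json:"iss"` // connected app consumer key (placeholder in this example)
	Sub string `json:"sub"` // username of the dedicated integration user
	Aud string `json:"aud"` // authorization server the assertion is intended for
	Exp int64  `json:"exp"` // expiry in Unix seconds; keep it only a few minutes out
}

var b64 = base64.RawURLEncoding

// GenerateKey makes a throwaway 2048-bit RSA key so the example runs without Mergester.crt.
func GenerateKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// SignAssertion produces a compact RS256 JWT: base64url(header).base64url(claims).base64url(sig).
func SignAssertion(key *rsa.PrivateKey, c AssertionClaims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyAssertion mirrors the authorization server's checks before an access token is issued.
func VerifyAssertion(pub *rsa.PublicKey, token, expectedAud, allowedSub string, now time.Time) (*AssertionClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	// Pin the algorithm: never let the token choose how it is verified.
	rawHeader, err := b64.DecodeString(parts[0])
	var header struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(rawHeader, &header) != nil || header.Alg != "RS256" {
		return nil, errors.New("unreadable header or unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c AssertionClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Aud != expectedAud:
		return nil, errors.New("aud does not name this authorization server")
	case now.Unix() >= c.Exp:
		return nil, errors.New("assertion expired")
	case c.Sub != allowedSub:
		return nil, errors.New("subject is not the pre-authorized integration user")
	}
	return &c, nil
}

// CanDeleteLeads is the external system's side of the custom scope: the access token's
// space-separated scope list must include lead_delete before a purge request is honoured.
func CanDeleteLeads(scope string) bool {
	for _, s := range strings.Fields(scope) {
		if s == "lead_delete" {
			return true
		}
	}
	return false
}

func main() {
	key, now := GenerateKey(), time.Now()
	tok, _ := SignAssertion(key, AssertionClaims{Iss: "CONSUMER_KEY_PLACEHOLDER", Sub: "mergester@cloudkicks.example", Aud: "https://login.salesforce.com", Exp: now.Add(3 * time.Minute).Unix()})
	_, err := VerifyAssertion(&key.PublicKey, tok, "https://login.salesforce.com", "mergester@cloudkicks.example", now)
	fmt.Println("assertion accepted:", err == nil, "| purge allowed:", CanDeleteLeads("api refresh_token lead_delete"))
}
```

The three-minute expiry in main keeps the assertion short-lived, which is what makes the access policy "only this user, only via JWT" enforceable: a stolen assertion is useless after a few minutes, and one with a different sub or aud is rejected before any token is minted.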

With the successful creation of Mergester connected app, CK can securely improve data accuracy and simplify the lead generation process.

Configure Cloud Kicks as an OpenID Provider

One of the goals of the new partnership between CK and NTO is to develop a seamless online shopping and special events experience for CK's customers. NTO's extensive online shopping platform owes its success, in part, to its smooth integrations that are available for retail companies to utilize. CK is currently promoting a range of niche sneakers that will be showcased at exclusive events in the NTO community. Through OpenID Connect tokens, CK's customers can access these exclusive NTO community events using their current CK credentials. In this section, we’ll set up the OpenID Connect Authentication process between CK and NTO using two distinct orgs.

Org Descriptions
Org       | OpenID Connect Role     | Description
Primary   | OpenID Connect Provider | This org includes the CloudKicks Experience Cloud site that supports CK's loyal customer base.
Secondary | Service Provider        | This org includes the NTO Experience Cloud site that opens doors to many different retail companies to showcase their unique products.

Important: You'll make configurations in both the primary and the secondary orgs to complete the challenges in this superbadge unit. However, you will connect only the primary org for challenge checks in this superbadge unit.

In the primary org, set up the OpenID Connect application with the name NTO. For this integration, set the redirect URI as https://NTO-Experience-Cloud-site-URL/services/authcallback/CloudKicks. Note: Replace NTO-Experience-Cloud-site-URL with the site URL of the secondary Developer Edition org. Add the standard scope to support OpenID Connect requests and allow access to the user's basic identity information.

The identity token should be customized so that NTO can fetch user profiles and preferences to provide a personalized shopping experience. Configure the recipient of the identity token as the Experience Cloud Site URL of the secondary org. The token should be valid for 5 minutes. The identity token must convey essential user details, including their name, profile, and, importantly, the reward points they've accrued over time. Name this attribute points. This is tracked through the user object custom field, Points__c. Incorporate this data to ensure NTO offers product access that reflects the user's reward status.
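As an added Go example (not Salesforce code and not part of either org's configuration), here is what the identity token described above looks like to NTO's site once decoded, and the checks a relying party applies before it trusts the reward points: the issuer must be the CloudKicks provider, the audience must be the NTO site URL configured as the recipient, the token must be within its 5-minute window right now and must not claim a longer lifetime than that, and the custom points attribute (mapped from Points__c) must actually be present. The issuer and audience URLs, the subject and the point value are constructed placeholders. Signature verification is left outside this block so that it runs stand-alone; a real relying party verifies the RS256 signature against the provider's published keys before running these claim checks.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// IDTokenClaims is the part of the identity token NTO's Experience Cloud site consumes.
// "points" is the custom attribute the provider maps from the user's Points__c field.
type IDTokenClaims struct {
	Iss    string   `json:"iss"`    // CloudKicks site, the OpenID Connect provider
	Sub    string   `json:"sub"`    // provider-side user identifier
	Aud    string   `json:"aud"`    // recipient: the NTO site URL
	Iat    int64    `json:"iat"`    // issued-at, Unix seconds
	Exp    int64    `json:"exp"`    // expiry, Unix seconds (iat + 5 minutes)
	Name   string   `json:"name"`
	Points *float64 `json:"points"` // pointer so an absent claim is not mistaken for 0
}

// IDTokenLifetime is the validity configured for the identity token.
const IDTokenLifetime = 5 * time.Minute

var b64 = base64.RawURLEncoding

// EncodeClaims produces the middle segment of a compact JWT; used here to build test tokens.
func EncodeClaims(c IDTokenClaims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	return b64.EncodeToString(payload), nil
}

// DecodePayload pulls the claims out of header.payload.signature. It does not verify the
// signature; that step belongs before any of the checks below.
func DecodePayload(token string) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c IDTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// ValidateIDToken applies the relying-party checks and returns the reward points.
func ValidateIDToken(c *IDTokenClaims, expectedIss, expectedAud string, now time.Time) (float64, error) {
	switch {
	case c.Iss != expectedIss:
		return 0, errors.New("issuer is not the CloudKicks provider")
	case c.Aud != expectedAud:
		return 0, errors.New("token was issued for a different recipient")
	case now.Unix() < c.Iat || now.Unix() >= c.Exp:
		return 0, errors.New("token is not valid at this time")
	case c.Exp-c.Iat > int64(IDTokenLifetime.Seconds()):
		return 0, errors.New("token claims a lifetime longer than the configured 5 minutes")
	case c.Points == nil:
		return 0, errors.New("points attribute missing; cannot tier product access")
	}
	return *c.Points, nil
}

func main() {
	now, pts := time.Now(), 1250.0 // constructed sample values
	seg, _ := EncodeClaims(IDTokenClaims{Iss: "https://cloudkicks.example.site", Sub: "005PLACEHOLDER", Aud: "https://nto.example.site", Iat: now.Unix(), Exp: now.Add(IDTokenLifetime).Unix(), Name: "Jack Rogers", Points: &pts})
	claims, _ := DecodePayload("hdr." + seg + ".sig")
	points, err := ValidateIDToken(claims, "https://cloudkicks.example.site", "https://nto.example.site", now)
	fmt.Println("points:", points, "err:", err)
}
```

Checking exp against iat, not only against the clock, is the detail worth keeping: it rejects a token whose lifetime was stretched beyond the 5 minutes CK configured, even if it has not expired yet.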

Configure NTO as a Service Provider

In the secondary Developer Edition org, set up an Auth. Provider as the service provider for CK, using the OpenID Connect template.

  1. Create the Auth. Provider with the name CloudKicks.
  2. Update the Consumer Key and Secret fields with the NTO connected app client ID and secret values.
  3. For the exchange of authorization codes, tokens, and user information, use the respective endpoint URLs with the CloudKicks Experience Cloud site domain of the primary org.
  4. Add the scopes as they are set up in the NTO connected app.
  5. Click Save.
  6. In the NTO connected app, make sure the redirect URI settings match the client configuration URL in the Auth. Provider for the Experience Cloud site.

Test Your Configuration

Now that you've set up the connected app and the service provider, it's time to test your configuration. Both the primary and secondary orgs contain a test user named Jack Rogers. This user has all the configurations and permissions you need to test the connection between the two orgs.

Follow the steps outlined below to test your configuration.

  1. Primary org: Activate the CloudKicks site.
    1. Go to Setup | Feature Settings | Digital Experiences | All Sites.
    2. Click the Builder link.
    3. Click to Publish the site.
  2. Primary org: Update Jack Rogers’s email to your email address. Check the box labeled Generate new password and notify user immediately.
  3. Primary org: Note Jack’s username and password.
  4. Secondary org: Make note of the Test-Only Initialization URL of the CloudKicks Auth. Provider for the Experience Cloud site.
  5. In an incognito or private browser window, go to the initialization URL and use Jack's credentials when prompted to log in.
  6. Click the Allow button to authorize with the NTO connected app.
  7. You should successfully get the authorization code.

Ready to Tackle This Superbadge?

Please complete the prerequisites first; the challenge for the Integration Configuration Superbadge Unit will then be unlocked.
