CraftCMS User Roles Configuration

VIDEO TRANSCRIPT | Recorded: 2025-10-17 | Verify against current system state

Abstract

Technical deep-dive into Craft CMS authentication and SAML integration, focusing on the migration from Aptify to Salesforce. Covers the custom SAML attributes (first name, last name, email, member type, show links unlocked), the complex member groups JSON object, and why the Salesforce SAML response can't carry that object directly (the notifications API endpoint is used to deliver it instead). Demonstrates Salesforce App Manager configuration, custom attribute mapping, and flows that sync fields between the account, contact, and user objects for the HigherLogic integration. Also covers the web user roles UI that replaces Aptify for managing legacy application permissions.

Key Procedures

  • Access Salesforce SAML configuration: Setup > App Manager > Manage (not Edit or View)
  • Configure custom SAML attributes for Craft CMS authentication
  • Add AMP External Identity User profile to connected app
  • Use metadata discovery endpoint for third-party SAML setup
  • Create Salesforce flows to sync account fields to contact/user objects
  • Use notifications API endpoint for member groups JSON delivery
  • Access web user roles UI for legacy application permissions
  • Configure Craft CMS identity provider with well-known metadata endpoint

Notable Statements

  • 0:01:33 "Matt's solution with the notifications API is a stronger solution for the long term, because then we have much more control over how those attributes are sent over."
  • 0:02:18 "With Salesforce, I can't control the name ID field as easily."
  • 0:02:40 "You can't have two at signs in a valid email address."
  • 0:05:07 "If either three of those are true, then they should be able to see the links unlocked."
  • 0:17:30 "If you try to go at it at a different route, you may mess things up."
  • 0:22:05 "All of these fields must exist on the user object."
  • 0:30:06 "HigherLogic only... everything has to exist on a contact record."
  • 0:35:36 "The simpler your flow, the better. And that's not what you're going to see when you look at I2C flows."

Systems & Configurations

Systems Mentioned

  • Craft CMS (website authentication)
  • Salesforce (new identity provider)
  • Aptify eBusiness (legacy identity provider)
  • HigherLogic (communities integration)
  • .NET Identity Server (legacy apps)
  • OAuth/SAML protocols

Specific Configurations

Item             Value/Setting                  Timestamp  Notes
Name ID Format   PersonID@ampuat.com            0:01:48    Fake email address, used only for uniqueness
SAML Path        App Manager > Manage           0:17:37    Not Edit or View
User Profile     AMP External Identity User     0:20:15    Required for access to the connected app
Contact Fields   __pc suffix                    0:30:55    Salesforce person account field convention
Custom Fields    __c suffix                     0:25:05    Auto-added by Salesforce to custom fields
Flow Type        Fast field updates preferred   0:33:40    Updates run before the record is saved

Credentials/Access Mentioned

  • Salesforce App Manager access
  • Craft CMS admin panel
  • Web user roles UI (Keith developed)
  • Notifications API endpoint

Errors & Troubleshooting

  • Issue: Can't see custom attributes in Salesforce connected app
    Cause: Accessed via Edit or View instead of Manage
    Resolution: Always use the App Manager > Manage path
    Timestamp: 0:17:30

  • Issue: SAML attributes can't traverse object relationships
    Cause: Salesforce SAML only reads fields from the user object
    Resolution: Duplicate fields from the account object onto the user object via flows
    Timestamp: 0:22:05

  • Issue: Member groups JSON too complex for Salesforce SAML
    Cause: Salesforce can't build a complex JSON object in the SAML response
    Resolution: Deliver the member groups JSON via the notifications API endpoint instead
    Timestamp: 0:05:55

  • Issue: HigherLogic can't read account object fields
    Cause: HigherLogic only reads contact objects
    Resolution: Sync account fields to the contact via flows, using an HL_ prefix on the contact fields
    Timestamp: 0:30:06

Transcript Gaps & Quality Notes

  • Very technical session for IT team knowledge transfer
  • Discussion of I2C vendor's Salesforce implementation
  • Web user roles UI development in progress for post-Aptify
  • Engagement tags (MP Research Report) mentioned for topic codes
  • VPN connection issues during recording
  • Need to add advocate volunteer video and other new engagement tags
  • Fellows, state reps group management use case discussed