S-URL and Public Share Setup (S-Drive 2.7.12 and later)

Owned by Claire SanNicolas
Feb 15, 2022
14 min read

This page explains how to set up and use S-URL which works by using Salesforce communities (“Digital Experience” sites) and allows use of Public Share links where users can open, download, upload or delete files, as well as edit file meta-data.

To use Legacy S-URL (not recommended) see Legacy S-URL: How to Activate Public Share Link & S-URL.

File links that were created using Legacy S-URL will continue to work. However links created once this S-URL configuration is set up will not work if you switch back to Legacy S-URL.

This page explains how to set up S-Drive so that short url links (S-URL or surl) can be used. S-URL is needed in order to create public share files to share files with users outside of Salesforce. S-URL can also be used to open and download files internally in Salesforce if desired.

S-URL uses a Salesforce Digital Experience Site (formerly known as Salesforce Community) to access the file. It requires a dedicated user that will use passwordless login to the community.

To use this feature, you will need to do the following:

  1. Create a Digital Site (Community)

  2. Create a user for the site (Community User)

  3. Create a self-signed certificate to use for the Connected App

  4. Create a connected app to login to the community

  5. Create Passwordless Login Page and Controller to allow the user to automatically login to the community

  6. Finish setting up your Community

  7. Add Trusted Sites and Remote Site Settings to Salesforce

  8. Give Community User Profile access to the Connected App and PasswordlessLogin Class and Page

  9. Give the Community User access to the necessary objects through sharing rules

  10. Enable and Configure S-URL in S-Drive

 

We will go through the steps below.

STEP 1: Create a Digital Experience (Community)

  1. If you do not already have Digital Experiences enabled

    • Go to Setup > Feature Settings > Digital Experiences > Settings

    • Check Enable Digital Experiences checkbox.

    • Choose a domain name. (This will be used for all your Digital Experience sites, not just S-Drive or S-URL. It can be something like your company name)

    • Click Save.

  2. Click OK on the prompt.

  3. You will be redirected in another tab into Setup > Feature Settings> Digital Experiences > All Sites with a success message “Success! You can now create new experiences.”.

  4. Click New.

  5. Select Build Your Own. (There are 2 Build Your Own options. Do NOT select (LWR) one.)

  6. Click Get Started.

  7. Give it a name such as SURL.

  8. For the URL, set it as surl.

  9. Click Create.

  10. Wait for the community to be created.

  11. We will now create a community user and profile and will return to the community later to complete the setup.

back to instruction list

STEP 2: Create a Community User

This user will be used solely for accessing files that use S-URL.

You can either use an internal user or a Community User. This user will need View All permissions for the objects you want to share files for. If you use a community user, View All permission is not allowed, so you will need to set up sharing rules instead, which is done in STEP 9.

If you use a community user, we recommend a user with a Customer Community Plus license or some other license that allows the use of sharing rules. (For example, a Customer Community license can only use sharing sets, not sharing rules.)

Choose either Option 1 (Community User License) or Option 2 (Salesforce License) to set up your user.

Option 1: Community User option:

A community user is set up from a Contact on an Account. You may wish to create a simple dedicated Account just for this contact/user.

To create your user and profile using a customer community plus license and profile:

  1. Create the profile

    • Go to Setup-->profiles

    • Clone the Customer Community Plus profile. You may want to use this profile only for S-URL since it will have access to a Custom App created for S-URL, as well as an Apex class and Visualforce page

    • Give the following profile permissions

      • Parent objects (ex: Account) where you store files you want to share: Read

      • File object (ex: Account Files) of files you want to share: Create/Read/Edit/Delete as needed

      • Custom file objects with lookup relationship (such as a custom Account File object that has a lookup with Account): Read/Create/Edit/Delete as desired

      • SURL object: Create/Read/Edit/Delete

      • Make sure there is Field Level access to the fields on the objects you’re allowing.

  2. Create an Account. Note: the Account owner must have a role.

  3. Create a Contact on this account that you’ll use for community access

    • On the contact, click Enable Customer User (if this button is not there, go to page layout of Contact, go to Mobile and Lightning Actions and add it to the page.)

    • Give the user a license (Customer Community Plus or another “Plus” license is needed) and the profile you just created.

    • Click Save

Option 2: Internal user option:

  1. Create the profile

    • Go to Setup-->profiles

    • Clone any profile, such as standard user profile

    • Give the following profile permissions

      • Parent objects (ex: Account) where there is a master-detail relationship with files you want to share (ex: Accounts for Account Files): View All (user will not see the Accounts because you will only be sharing files, but they need access to the account in order to access the Account Files because of the master-detail relationship.)

      • File object (ex: Account Files) of files you want to share: Read/Create/Edit/Delete as desired

      • Custom file objects with lookup relationship (such as a custom Account File object that has a lookup with Account): Read/Create/Edit/Delete as desired

      • SURL object: Create/Read/Edit/Delete or Modify All

      • If using Preview & Thumbnail: Preview object: Read/Create/Edit/Delete

      • If using File Activities: File Activity object: Read/Create

      • Click Save

  2. Create a user

    • Assign the profile you just created to this user

back to instruction list

STEP 3: Create a Self-Signed Certificate

Create a Self-Signed Certificate to use with the passwordless login method.

  1. Go to Setup > Security > Certificate and Key Management.

  2. Click on Create Self-Signed Certificate.

  3. Name its label and the unique name as “SURL” (Case sensitive).

  4. Make sure the Exportable Private Key is checked.

  5. Click Save.

  6. Click on the certificate you just created.

  7. Click Download Certificate.

back to instruction list

STEP 4: Create a Connected App

Create a Connected App to use with the passwordless login method.

  1. Go to Setup > Apps > App Manager.

  2. Click on New Connected App.

  3. Enter Connected App Name and Contact Email.

  4. Check the box for Enable OAuth Settings

  5. Enter Callback URL as http://localhost:8080/auth2/callback

  6. Check Use digital signatures and upload the self-signed certificate you downloaded.

  7. Choose the OAuth Scopes

  8. Click Save.

  9. Click Continue.

  10. Click on Click to reveal next to the Consumer Secret field.

  11. Copy both Consumer Key and Consumer Secret as you will use them in the passwordless login system.

  12. Click Manage at the top of the Connected App

  13. Click Edit Policies

  14. Under Permitted Users, change it to “Admin approved users are pre-authorized”

  15. Click Save

back to instruction list

STEP 5: Create Passwordless Login Page and Controller

Create a Visualforce page and its controller class to allow the user to access shared items by logging in automatically by a passwordless login system.

  1. Set up Custom Settings needed for the controller class

    • Go to Setup-->Custom Settings

    • Find SDriveConfig and click Manage

    • Click New

    • Enter Name: SUrl_Community_Username / Value: the username of the delegated Salesforce user

    • Click Save & New

    • Enter Name: SUrl_Community_ClientId / Value: the consumer key from the connected app

    • Click Save & New

    • Enter Name: SUrl_Community_BaseUrl / Value: the base URL of the community (go to setup>digital experiences>all sites to see the url you created in STEP 1.

    • Click Save & New

    • Enter Name: SUrl_Community_Certificate / Value: the unique name of the self-signed certificate

    • Click Save

  2. Go to Setup-->Visualforce pages

  3. Click Developer Console

  4. Click File->New->Apex Class

  5. Create the PasswordlessLoginController class as shown below:

    global with sharing class PasswordlessLoginController { cg__SDriveConfig__c sdrivesetting_SUrl_Community_Username = cg__SDriveConfig__c.getValues('SUrl_Community_Username'); public String username = sdrivesetting_SUrl_Community_Username.cg__Value__c; cg__SDriveConfig__c sdrivesetting_SUrl_Community_ClientId = cg__SDriveConfig__c.getValues('SUrl_Community_ClientId'); public String clientId = sdrivesetting_SUrl_Community_ClientId.cg__Value__c; cg__SDriveConfig__c sdrivesetting_SUrl_Community_BaseUrl = cg__SDriveConfig__c.getValues('SUrl_Community_BaseUrl'); public String communityBaseUrl = sdrivesetting_SUrl_Community_BaseUrl.cg__Value__c; cg__SDriveConfig__c sdrivesetting_SUrl_Community_Certificate = cg__SDriveConfig__c.getValues('SUrl_Community_Certificate'); public String certificate = sdrivesetting_SUrl_Community_Certificate.cg__Value__c; public PageReference JWTlogin() { String url = ApexPages.currentPage().getHeaders().get('referer')==null?'':ApexPages.currentPage().getHeaders().get('referer'); String surlId = url==''?'':url.substring(url.lastIndexOf('sid=') + 4); system.debug('surlId: ' + surlId); String token = getAccessToken(); system.debug('token: ' + token); PageReference PR = New PageReference(communityBaseUrl + '/secur/frontdoor.jsp?sid=' + token + '&retURL=' + communityBaseUrl + '/s/?sid=' + surlId); if(Test.isRunningTest()){ PR = NULL; } return PR; } public String getAccessToken() { String tokenEndpoint = communityBaseUrl + '/services/oauth2/token'; Auth.JWT jwt = new Auth.JWT(); jwt.setIss(clientId); jwt.setSub(username); jwt.setAud(communityBaseUrl); Auth.JWS jws = new Auth.JWS(jwt, certificate); Auth.JWTBearerTokenExchange bearer = new Auth.JWTBearerTokenExchange(tokenEndpoint, jws); String accessToken=''; if(!Test.isRunningTest()){ accessToken = bearer.getAccessToken(); } return accessToken; } }

  6. Click File->Save

  7. Click New->Visualforce Page

  8. Create the PasswordlessLogin VFP as below:

    <apex:page controller="PasswordlessLoginController" showHeader="false" cache="false" standardStylesheets="false" action="{!JWTlogin}"> </apex:page>

     

  9. Create the following test class to use when needed for migration to production

    @isTest public class PasswordlessLoginController_Test { @testSetup static void makeData() { cg__SDriveConfig__c sdrivesetting_SUrl_Community_Username = new cg__SDriveConfig__c(); sdrivesetting_SUrl_Community_Username.Name = 'SUrl_Community_Username'; sdrivesetting_SUrl_Community_Username.cg__Value__c = 'communitysurl@surl.com'; insert sdrivesetting_SUrl_Community_Username; cg__SDriveConfig__c sdrivesetting_SUrl_Community_ClientId = new cg__SDriveConfig__c(); sdrivesetting_SUrl_Community_ClientId.Name = 'SUrl_Community_ClientId'; sdrivesetting_SUrl_Community_ClientId.cg__Value__c = 'ABCDEFGHIJ'; insert sdrivesetting_SUrl_Community_ClientId; cg__SDriveConfig__c sdrivesetting_SUrl_Community_BaseUrl = new cg__SDriveConfig__c(); sdrivesetting_SUrl_Community_BaseUrl.Name = 'SUrl_Community_BaseUrl'; sdrivesetting_SUrl_Community_BaseUrl.cg__Value__c = 'https://test.cs99.force.com/surl'; insert sdrivesetting_SUrl_Community_BaseUrl; cg__SDriveConfig__c sdrivesetting_SUrl_Community_Certificate = new cg__SDriveConfig__c(); sdrivesetting_SUrl_Community_Certificate.Name = 'SUrl_Community_Certificate'; sdrivesetting_SUrl_Community_Certificate.cg__Value__c = 'MySurl'; insert sdrivesetting_SUrl_Community_Certificate; } @isTest static void passwordlessLoginTest() { if(Test.isRunningTest()){ PasswordlessLoginController controller = new PasswordlessLoginController(); String accessToken = controller.getAccessToken(); System.assertEquals('', accessToken); PageReference pageReference = controller.JWTlogin(); System.assertEquals(null, pageReference); PasswordlessLoginController controller2 = new PasswordlessLoginController(); controller2.username = 'invalid@example.com'; String accessToken2 = controller2.getAccessToken(); System.assertEquals('', accessToken2); PageReference pageReference2 = controller2.JWTlogin(); System.assertEquals(null, pageReference2); PasswordlessLoginController controller3 = new PasswordlessLoginController(); controller3.clientId = 'invalidclientid'; String accessToken3 = controller3.getAccessToken(); System.assertEquals('', accessToken3); PageReference pageReference3 = controller3.JWTlogin(); System.assertEquals(null, pageReference3); PasswordlessLoginController controller4 = new PasswordlessLoginController(); controller4.communityBaseUrl = 'invalidcommunityBaseUrl'; String accessToken4 = controller4.getAccessToken(); System.assertEquals('', accessToken4); PageReference pageReference4 = controller4.JWTlogin(); System.assertEquals(null, pageReference4); PasswordlessLoginController controller5 = new PasswordlessLoginController(); controller5.certificate = 'surl'; String accessToken5 = controller5.getAccessToken(); System.assertEquals('', accessToken5); PageReference pageReference5 = controller5.JWTlogin(); System.assertEquals(null, pageReference5); } } }

  10. Click File->Save

 

back to instruction list

STEP 6: Finish setting up your Community

  1. Access your community by going to Setup->Digital Experiences->All Sites and click Builder

  2. Go to Settings-->General and click on the Community Guest User profile

  3. Give this profile access to the PasswordlessLogin Visualforce page. (This is needed even though we will not be using the community Guest User.)

  4. Go back to your community and go to Workspaces

  5. Click on Administration.

  6. Go to the Members tab.

  7. Add the profile of the User you set up in STEP 2 to the Selected Profiles section and click Save. NOTE: If using a community user profile, make sure to change the dropdown for “Search” to Customer instead of Internal.

  8. Click Save

  9. Go to Login & Registration tab.

  10. Under Login Page Setup, Select Login Page Type as Visualforce Page and select the PasswordlessLogin VFP.

  11. Click Save.

  12. Click on the Administration on the top and click on Builder.

  13. Click the Trash icon on the “Let’s get started!” section to remove it.

  14. When prompted click Delete.

  15. Click on the Components (lightning icon) section.

  16. Drag a Visualforce Page component on the Content section.

  17. Select SUrlRedirect as the Visualforce Page.

  18. Set its height to 1000.

  19. Keep the Record ID as {!recordId}.

  20. You should either see the S-URL page load as a preview (with an error message)



  21. Click on the Paintbrush to the left and the arrow in the new pop and click on Edit CSS

  22. Click on User Overrides in the popup box

  23. Add the following CSS code.

  24. Click Save

  25. Click on Settings (gear icon) > Security & Privacy

  26. Make the Security Level as Relaxed CSP: Permit Access to Inline Scripts and Allowed Hosts.

  28. Click Publish

  29. Click Publish on the prompt.

  30. Go to Administration.

  31. Click Activate.

 

back to instruction list

STEP 7: Add Trusted Sites and Remote Site Settings to Salesforce

  1. Go to Setup > CSP Trusted Sites.

  2. Click on New Trusted Site and set up the site with a URL that is formatted as https://<bucketname>.s3.<region>.amazonaws.com where <bucketname> is your S3 bucket name and <region> is your bucket regions, such as us-east-1.

    NOTE: If you’re not sure what your bucketname and region are, you can go to Setup-->Custom Settings-->SDriveConfig. Click “Manage” and click on AmazonRegion and BucketName to see the values.

  3. On the Content Security Policy Trusted Site page, make sure Allow site for frame-src and Active boxes are checked. The box below this one may be checked by default, so make sure the correct box



  4. Click Save & New

  5. Add a Trusted Site URL formatted as https://<bucketname>.s3.amazonaws.com

  6. Make sure Allow site for frame-src and Active boxes are checked

  7. Click Save & New

  8. Add a Trusted Site URL as https://zip.cyangate.com.

  9. Make sure Allow site for frame-src and Active boxes are checked

  10. Click Save.

  11. Go to Setup > Remote Site Settings and add your Community URL (e.g. https://sandbox-surl-development-developer-edition.cs87.force.com).

  12. Click Save and New

  13. Add https://zip.cyangate.com as a URL in your setting.

  14. Click on Save.

back to instruction list

STEP 8: Give Community User Profile access to the Connected App and PasswordlessLogin Class and Page

  1. Go to Setup-->Profiles and edit the community user profile you created in STEP 2

  2. Give the profile the following access

    • Under Connected Apps: give access to the connected app you created in STEP 4.

    • Under Apex Classes: give access to PasswordlessLoginController

    • Under Visualforce Pages: give access to PasswordlessLogin

 

back to instruction list

STEP 9: Give the Community User access to the necessary objects through sharing rules

The community user needs access to objects in addition to the profile permissions given in STEP 2. If you used an internal user with View All permission, you can skip this step.

Access is given through Sharing Settings. Go to Setup->Sharing Settings.

For the SUrl object and each object you want to use for S-URL you can choose either option below.

Note: If using Preview & Thumbnail or File Activities, include sharing rules for Preview and File Activities.

  • Option 1: Make OWD public for external users (if using a Community license) for that object (or for the parent if the file object is a master-detail relationship, for example for Account if using S-URL for Account Files)

  • Option 2: Create a sharing rule to share all records of the object. You can use something as shown below, where the surl public group contains only the user you set up in STEP 2. Or you can share with Portal Roles and select the role of your user. Use criteria that is always true.

back to instruction list

STEP 10: Enable S-URL

  1. Go to Setup-->Custom Settings.

    • Find SDriveConfig and click Manage

    • Find EnableLegacySurl and click Edit. Change Value to false

    • Click Save

  2. Go to S-Drive Configuration > Micro Services

  3. Enable S-URL and type in the URL you set for the community (e.g. https://sandbox-surl-enhancements-developer-edition.cs81.force.com/surl)




  4. (Optional) To customize the public share page, upload CSS static resource as “sdrivecustom” and Javascript static resource as “sdrivecustomscript” and change the initial part of static resource links with the community URL link before configuring the UI customization on the S-Drive Configuration page.
    Example:

    Static resource URL: https://guls-demo-cg-dev-ed--c.visualforce.com/resource/1595934376000/sdrivecustom?

    will be changed to

    SURL Configuration URL: https://cyangate-comm-developer-edition.um5.force.com/surl/resource/1595934376000/sdrivecustom

  5. You can choose to use S-URL for internal open and/or internal download (not recommended)

  6. You can choose to require a password and/or an expiration date for Public Share links.

  7. Click Save

back to instruction list

Notes:

Community can NOT have guest user access. Make sure this box is unchecked. Error will be “Too many redirects”