# Salesforce

## Overview <a href="#overview" id="overview"></a>

The Identity Intelligence identity security platform can integrate with one or more of your Salesforce instances to capture user account activity. This is particularly valuable for:

* Identifying unused Salesforce accounts and reducing unnecessary licensing cost
* Reviewing Salesforce authentication activity and maintaining security compliance
* Detecting unauthorized access or use of your Salesforce platform

## Requirements <a href="#requirements" id="requirements"></a>

The following things are required to configure Salesforce integration with Identity Intelligence:

* A Salesforce admin account
* **Licensing** - a user account with Salesforce edition of **Enterprise** or above, due to the requirement for the Web Services API. \
  \
  Developer edition and other lower tier editions will <mark style="color:red;">**not**</mark> work for this integration, as the **API Only User option is required** for the necessary credential flow, and that setting doesn't exist in those tiers.<br>

  <figure><img src="/files/uv569zXb92v0idmT0BLN" alt="" width="539"><figcaption></figcaption></figure>
* If access to Salesforce by API is restricted by IP address, please coordinate with your Identity Intelligence representative or open a TAC case

## Salesforce API Limits

The Identity Intelligence integration for Salesforce monitors API usage against your Salesforce tenant's daily limit. If Identity Intelligence detects that API utilization is within <mark style="color:blue;">**75%**</mark> of the Salesforce tenant's daily quota, it stops any further collection for that day and resumes the following day.

## Salesforce Configuration <a href="#salesforce-configuration" id="salesforce-configuration"></a>

### Step 1 - Create API Only User Account <a href="#create-api-only-user-account" id="create-api-only-user-account"></a>

1. The first step in the process is to create an [API only user](https://help.salesforce.com/s/articleView?id=000386144\&type=1) for integration purposes using the Salesforce documentation. Please note:

   * As noted in the Salesforce KB article above, we recommend the user and permission set (if used) have at least a **Salesforce** license<br>

   <mark style="color:$danger;">DO NOT USE</mark> the `Minimum Access - API Only Integration` profile or the Salesforce Integration license. They do not have the necessary permissions to collect the data required by CII. <img src="/files/jQY4e0Aok4nQ9WChNbSB" alt="" data-size="original"><br>

   <figure><img src="/files/ctSX5nclh6RpdnJUzVpX" alt=""><figcaption></figcaption></figure>

   * The Profile or Permission Set must have **API Enabled** and **API Only User** checked in the Administrative Permissions area<br>

     <figure><img src="/files/hdoBhZjJkkGHhK6DvalV" alt="" width="563"><figcaption></figcaption></figure>
   * The **Manage Internal Users** and **Manage External Users** permissions under the User section are required to collect the Login History of all users. *Enabling this setting will automatically check a number of other related permissions*<br>

<figure><img src="/files/fh1ocgoaDTTvPqCUYP63" alt=""><figcaption></figcaption></figure>

### Step 2 - Set up a Connected App

#### Create Connected App

1. In Salesforce Setup, go to **Apps --> External Client App Manager** and click **New External Client App** in the top right corner of the screen<br>

   <figure><img src="/files/5SxkxhpkGA83JaETnBdM" alt=""><figcaption></figcaption></figure>
2. Fill in the connected app details, such as Name, Contact email, etc.
3. Check **Enable OAuth**
4. Fill in the **Callback URL:** [https://localhost:3000/test](https://localhost:3000/test)\
   The Identity Intelligence API integration does not use any redirects and does not need a functioning callback URL for that purpose.
5. Add the **Manage user data via APIs** scope.
6. *Check* **Enable Client Credentials Flow**<br>

<figure><img src="/files/RBKzy2HYzLGxUEO4bLpT" alt=""><figcaption></figcaption></figure>

7. *Uncheck* **Require Secret for Web Server Flow** and **Require Secret for Refresh Token Flow**
8. Click **Create**. Click **Continue** if you see the warning: "Changes can take up to 10 minutes to take effect. Deleting a parent org also deletes all connected apps with OAuth settings enabled."

#### Get Key and Secret

1. On the Settings tab of the new app, under App Settings, click **Consumer Key and Secret**<br>

   <figure><img src="/files/oRhoYGZQfdECn6VkHCks" alt=""><figcaption></figcaption></figure>
2. Reauthenticate to proceed
3. Copy the Key and Secret to a secure temporary location or a key vault of your preference

#### Assign to API user

1. Go back to the external app and go to the Policies tab.  Click **Edit**
2. At the bottom, under **OAuth Flows and External Client App Enhancements**, check **Enable Client Credentials Flow** and enter the username / email of the API user account created above.<br>

   <figure><img src="/files/pNDhxtcQfInXU6HD91z8" alt=""><figcaption></figcaption></figure>
3. Click **Save**
4. Find your Salesforce URL and save it for use in the next section. This will be under Company Settings -> My Domain

### Step 3 - Identity Intelligence Dashboard Configuration <a href="#oort-dashboard-configuration" id="oort-dashboard-configuration"></a>

1. Log in to your Identity Intelligence Dashboard and go to the **Integrations** tab
2. Click on ***Add Integration***
3. Click on ***Add Integration*** under Salesforce

<figure><img src="/files/FNAPwM2sl3VICBZr2oTu" alt="" width="233"><figcaption></figcaption></figure>

4. Fill in the details for the Salesforce Integration. Enter the values saved from earlier on in the Salesforce setup:

* `Display Name`
* `Salesforce URL`
* `Consumer Key`
* `Consumer Secret`

<figure><img src="/files/SbttNonJsHWK4tGHpiSE" alt="" width="563"><figcaption></figcaption></figure>

5. Click **Save**. You will now have a new integration listed on the Integrations page
6. For more details, click the integration name
7. You can also click the 3-dot menu drop-down and click ***Test Connectivity*** to test the API connectivity with Salesforce<br>

   <figure><img src="/files/I8CBt7mniN1GEFrgfImd" alt="" width="240"><figcaption></figcaption></figure>
8. If you see “Connected!” everything is working
9. Now click the Salesforce integration bar again and click **Collect Now** to begin the first data collection<br>

   <figure><img src="/files/awNmdazZqnqd6jUkR6gv" alt="" width="231"><figcaption></figcaption></figure>
10. Initial data collection may take up to 24 hours, depending on the size of the environment
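
To confirm independently of the dashboard that the external client app accepts the client credentials flow, and to see how close the org is to the daily quota described under Salesforce API Limits, the following added example (not Identity Intelligence code) requests a token and reads the REST `limits` resource. The API version, the environment variable names, and the reading of "within 75%" as used/max >= 0.75 are assumptions.

```python
import json
import os
import urllib.parse
import urllib.request

API_VERSION = "v60.0"   # assumption: any REST API version your org supports
PAUSE_THRESHOLD = 0.75  # the 75% figure from the API Limits section


def token_request(base_url, consumer_key, consumer_secret):
    """Build the OAuth 2.0 client credentials request for the My Domain URL."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": consumer_key,
        "client_secret": consumer_secret,
    }).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/services/oauth2/token", data=body, method="POST")


def limits_request(instance_url, access_token):
    """Build the authenticated GET for the REST limits resource."""
    return urllib.request.Request(
        f"{instance_url.rstrip('/')}/services/data/{API_VERSION}/limits",
        headers={"Authorization": f"Bearer {access_token}"})


def daily_api_utilization(limits):
    """Fraction of the daily API request quota already consumed."""
    daily = limits["DailyApiRequests"]
    if daily["Max"] <= 0:
        raise ValueError("DailyApiRequests.Max must be positive")
    return (daily["Max"] - daily["Remaining"]) / daily["Max"]


def collection_would_pause(limits, threshold=PAUSE_THRESHOLD):
    # Assumption: "within 75%" is read as used/max >= 0.75.
    return daily_api_utilization(limits) >= threshold


# Constructed sample of the limits response, trimmed to the field used here.
SAMPLE_LIMITS = json.loads('{"DailyApiRequests": {"Max": 100000, "Remaining": 20000}}')

if __name__ == "__main__":
    # SF_URL, SF_KEY and SF_SECRET are hypothetical environment variable names.
    req = token_request(os.environ["SF_URL"], os.environ["SF_KEY"], os.environ["SF_SECRET"])
    with urllib.request.urlopen(req, timeout=30) as resp:
        token = json.load(resp)
    with urllib.request.urlopen(limits_request(token["instance_url"], token["access_token"]), timeout=30) as resp:
        limits = json.load(resp)
    print(f"utilization {daily_api_utilization(limits):.1%}, pause: {collection_would_pause(limits)}")
```

Reading the key and secret from the environment keeps them out of shell history and source control, in line with storing them in a key vault in the Get Key and Secret step.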


