> For the complete documentation index, see [llms.txt](https://docs.oort.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.oort.io/integrations/salesforce-integration.md).

# Salesforce

## Overview <a href="#overview" id="overview"></a>

The Identity Intelligence identity security platform can integrate with your Salesforce instance or instances to capture user account activity. This is valuable in particular for the following reasons -

* Identifying unused Salesforce accounts and reducing unnecessary licensing cost
* Review Salesforce authentication activity and maintain security compliance
* Detect unauthorized access or use of your Salesforce platform

## Requirements <a href="#requirements" id="requirements"></a>

The following things are required to configure Salesforce integration with Identity Intelligence:

* A Salesforce admin account
* **Licensing** - a user account with Salesforce edition of **Enterprise** or above, due to the requirement for the Web Services API.\
  \
  Developer edition and other lower tier editions will <mark style="color:red;">**not**</mark> work for this integration, as the **API Only User option is required** for the necessary credential flow, and that setting doesn't exist in those tiers.<br>

  <figure><img src="/files/uv569zXb92v0idmT0BLN" alt="" width="539"><figcaption></figcaption></figure>
* If access to Salesforce by API is restricted by IP address, please coordinate with your Identity Intelligence representative or open a TAC case

## Salesforce API Limits

The Identity Intelligence integration for Salesforce will monitor API usage against your Salesforce tenant's daily limit. If the Identity Intelligence detects that the API utilization is within <mark style="color:blue;">**75%**</mark> of the Salesforce tenant daily quota, Identity Intelligence will stop any further collection for that day and resume the following day.

## Salesforce Configuration <a href="#salesforce-configuration" id="salesforce-configuration"></a>

### Step 1 - Create API Only User Account <a href="#create-api-only-user-account" id="create-api-only-user-account"></a>

1. The first step in the process is to create an [API only user](https://help.salesforce.com/s/articleView?id=000386144\&type=1) for integration purposes using the Salesforce documentation. Please note:

   * As noted in the Salesforce KB article above, we recommend the user and permission set (if used) have at least a **Salesforce** license<br>

   <mark style="color:$danger;">DO NOT USE</mark> the `Minimum Access - API Only Integration` profile or the Salesforce Integration license. They do not have the necessary permissions to collect the data required by CII.\ <img src="/files/jQY4e0Aok4nQ9WChNbSB" alt="" data-size="original"><br>

   <figure><img src="/files/9BrIaw3cKn5awHkRNrsA" alt=""><figcaption></figcaption></figure>

   * The Profile or Permission Set must have **API Enabled** and **API Only User** checked in the Administrative Permissions area<br>

     <figure><img src="/files/hdoBhZjJkkGHhK6DvalV" alt="" width="563"><figcaption></figcaption></figure>
   * **Manage Internal Users** and **Manage External Users** permission under the User section is required to collect Login History of all users. *Enabling this setting will automatically check a number of other related permissions*<br>

<figure><img src="/files/fh1ocgoaDTTvPqCUYP63" alt=""><figcaption></figcaption></figure>

### Step 2 - Set up a Connected App

#### Create Connected App

1. In Salesforce set up go to **Apps --> External Client App Manager** and click **New External client App**\
   **in the top right corner of the screen**<br>

   <figure><img src="/files/5SxkxhpkGA83JaETnBdM" alt=""><figcaption></figcaption></figure>
2. Fill in the connected app details, such as Name, Contact email, etc
3. Check **Enable OAuth**
4. Fill in the **Callback URL:** [https://localhost:3000/test](https://localhost:3000/test%5C)/\
   The Identity IntelligenceIdentity Intelligence API integration does not use an redirects and does not need a functioning callback URL for that purpose.
5. Add **Manage user data via APIs** scope.
6. *Check* **Enable Client Credentials Flow**<br>

<figure><img src="/files/RBKzy2HYzLGxUEO4bLpT" alt=""><figcaption></figcaption></figure>

7. *Uncheck* **Require Secret for Web Server Flow** and **Require Secret for Refresh Token Flow**
8. Click **Create**. Click **Continue** if you see the warning: "Changes can take up to 10 minutes to take effect. Deleting a parent org also deletes all connected apps with OAuth settings enabled."

#### Get Key and Secret

1. On the Settings tab of the new app, under App Settings, click Consumer Key and Secret\ <br>

   <figure><img src="/files/oRhoYGZQfdECn6VkHCks" alt=""><figcaption></figcaption></figure>
2. Reauthenticate to proceed
3. Copy the Key and Secret to a secure temporary location or a key vault of your preference

#### Assign to API user

1. Go back to the external app and go to the Policies tab. Click **Edit**
2. At the bottom, under **Oauth Flows and External Client App Enhancements**, click Enable Client Credentials Flow and enter the username / email of the API user account created above.<br>

   <figure><img src="/files/pNDhxtcQfInXU6HD91z8" alt=""><figcaption></figcaption></figure>
3. Click **Save**
4. Find your Salesforce URL and save it for use in the next section. This will be under Company Settings -> My Domain

### Step 3 - Identity Intelligence Dashboard Configuration <a href="#oort-dashboard-configuration" id="oort-dashboard-configuration"></a>

1. Login to your Identity Intelligence Dashboard and go to the **Integrations** tab
2. Click on ***Add Integration***
3. Click on ***Add Integration*** under Salesforce

<figure><img src="/files/FNAPwM2sl3VICBZr2oTu" alt="" width="233"><figcaption></figcaption></figure>

4. Fill in the details for the Salesforce Integration. Enter the values saved from earlier on in the Salesforce setup:

* `Display Name`
* `Salesforce URL`
* `Consumer Key`
* `Consumer Secret`

<figure><img src="/files/SbttNonJsHWK4tGHpiSE" alt="" width="563"><figcaption></figcaption></figure>

5. Click **Save**. You will now have a new integration listed on the Integrations page
6. For more details, click on integration name for details
7. You can also click the 3-dot menu drop-down and click ***Test Connectivity*** to test the API connectivity with Salesforce<br>

   <figure><img src="/files/I8CBt7mniN1GEFrgfImd" alt="" width="240"><figcaption></figcaption></figure>
8. If you see “Connected!” everything is working
9. Now click the Salesforce integration bar again and click **Collect Now** to begin the first data collection<br>

   <figure><img src="/files/awNmdazZqnqd6jUkR6gv" alt="" width="231"><figcaption></figcaption></figure>
10. Initial data collection may take up to 24 hours, depending on the size of the environment
