Connecting to Salesforce from App Connect

In App Connect, you can connect to Salesforce by using OAUTH 2.0 AUTH CODE, OAUTH 2.0 PASSWORD, and BASIC OAUTH authorization methods.

The following steps describe how to connect App Connect to a Salesforce account from the App Connect Designer Connect > Applications and APIs page (previously the Catalog page).

  1. Open the Connect to Salesforce dialog box by using one of the following methods.
    • The first time that you connect to a Salesforce account, go to the App Connect Designer Applications and APIs page, expand Salesforce, then click Connect.
    • To connect to another Salesforce account, expand the Accounts list under Salesforce, then click Add a new account.
  2. In the Connect to Salesforce dialog box, select the appropriate Authorization method.
    • Select Use the application's website to sign in (OAUTH 2.0 AUTH CODE) to authorise App Connect by logging in to a Salesforce account with your username and password.
      Attention: A 401 (Unauthorized) error when you use the OAUTH 2.0 AUTH CODE authorization method can be caused by a problem with newly created accounts. This error can occur because the refresh token is revoked after a certain amount of time. If you get this error, try the following fixes.
      • Delete all unwanted App Connect accounts in case multiple accounts are created with the same instance credentials. Review the active sessions and session details on the Session Management page in Salesforce. For more information, see View User Session Information on the Session Management Page in the Salesforce documentation.
      • To identify the concurrent session limit for your Salesforce instance, raise a support case with Salesforce support.
      Note: If you later try to use Firefox to update an account in App Connect that was created with Use the application's website to sign in (OAUTH 2.0 AUTH CODE), the Firefox option Block pop-up windows prevents the Connect to Salesforce dialog box from appearing. You can update the account in App Connect by either using a different browser or temporarily turning off the Firefox option Block pop-up windows.
    • Select Provide a username, password, and client credentials (OAUTH 2.0 PASSWORD) to authorise App Connect with the client ID and secret from your own Salesforce connected application.
    • Select Provide credentials for App Connect to use (BASIC OAUTH) to authorize App Connect with the access and refresh tokens that are generated from the application client ID and client secret.
  3. Click Continue.

Continue with the appropriate steps for your chosen authorization method.

Use the application's website to sign in (OAUTH 2.0 AUTH CODE)

Use this option to authorize App Connect by logging in to a Salesforce account with your username and password.

  1. If necessary, specify the Salesforce environment (production or sandbox), or subdomain (with a personalized login page) that you want to connect to. The type of environment or subdomain that you can connect to depends on your Salesforce edition. For example, sandboxes are available in some editions like Professional, Enterprise, Performance, and Unlimited, but aren’t available in the Developer Edition.
    • If you're connecting to a standard production environment, you can leave the Custom URL field blank and click Connect. When you connect, you are automatically directed to the generic, non-instance-specific production URL: https://login.salesforce.com

      Alternatively, you can specify a production instance by entering its login URL in the Custom URL field in the following format (without the https:// prefix): instance.salesforce.com.

      In this example, instance represents the name of the production instance that you're connecting to, such as na19, eu11, or ap1 for the North America, EMEA, or Asia Pacific regions.

    • If you're connecting to a standard sandbox that is being used for development or testing, you must first specify its login URL in the Custom URL field. Use either of the following values (without the https:// prefix).
      • test.salesforce.com (the generic, non-instance-specific URL)
      • instance.salesforce.com

        In this example, instance represents the name of the sandbox instance that you're connecting to, such as cs19.

    • If you're connecting to your company's personalized login page (with a configured subdomain) in a production environment, you must first specify the URL in the Custom URL field. Use the following format (without the https:// prefix): subdomain.my.salesforce.com.

      In this example, subdomain represents the name of a subdomain that is defined within your Salesforce org to replace the instance name, such as myCompanyName.

      Tip: If you're using the Developer Edition, the custom URL must end with -dev-ed.my.salesforce.com rather than .my.salesforce.com, which is used in other editions.
    • If you're connecting to your company's personalized login page (with a configured subdomain) in a sandbox environment, you must first specify the URL in the Custom URL field. Use the following format (without the https:// prefix): subdomain--sandboxname.instance.my.salesforce.com

      In this example, subdomain represents the name of a subdomain that is defined in your Salesforce organization to replace the instance name. sandboxname is your assigned sandbox name and instance is the name of the sandbox instance. For example, myCompanyName--mySandboxName.csN (where N is a number).

  2. Click Connect, then click Continue to close the message about your Salesforce account requirements.
  3. In Salesforce, specify the username and password of the Salesforce environment that you want to connect to. If appropriate, select to use a custom domain. Then, click to allow the App Connect instance to access Salesforce.
    Tip: If you're already logged in to Salesforce in the same browser window as App Connect, App Connect offers that Salesforce account as the default choice to connect to. To connect to a different Salesforce account, select Log In with a Different Username.
    Figure 1. Example of connecting to Salesforce from App Connect
    Example showing fields in App Connect and Salesforce used to connect Salesforce to App Connect on IBM Cloud

Provide a username, password, and client credentials (OAUTH 2.0 PASSWORD)

Use this option to authorise App Connect with the client ID and secret from your own Salesforce connected app.

  1. Complete the connection fields that you see in the App Connect Designer Applications and APIs page or flow editor. If necessary, work with your Salesforce administrator to obtain these values.
    • Set the Login URL to the login URL of your Salesforce instance, prefixed with https:// and optionally suffixed with a forward slash (/).

      To obtain the Login URL value, complete the following steps:

      1. In your Salesforce instance, click the View profile icon. The URL is displayed below your username.
      2. Construct the Login URL value by adding the https:// prefix and an optional forward slash (/) suffix to this URL. For example, https://login.salesforce.com, https://myInstance.salesforce.com, or https://mySubdomain.my.salesforce.com/.
    • Set Username to the username (in the form of an email address) that you use to log in to your Salesforce instance.
    • Set Password to the password that you use to log in to Salesforce, suffixed with your Salesforce security token.
      To obtain the password, complete the following steps to retrieve the security token that is associated with your Salesforce password.
      1. If you previously reset the security token in your Salesforce instance, locate the email that contains the security token details, which was sent to the email address that is set for your user profile.
        Alternatively, reset the security token as follows.
        1. Click the View profile icon in your Salesforce instance, then click Settings.
        2. In the navigation pane, click Reset My Security Token. A message is displayed to warn that the existing security token will be invalidated.
        3. Click Reset Security Token to confirm that you want to continue.

          The new security token is sent to the email address that is set in the Personal Information page.

      2. Log in to your email account and locate the email from Salesforce.
        The Salesforce email with the security token
      3. Construct the Password value by appending the security token to the password that you use to log in to your Salesforce instance. For example, MypasswordMysecuritytoken.
        Note: If you change your password, you need to get a new security token for that password. You receive an email from Salesforce with details of the new security token. You must then update the Salesforce account in App Connect to specify the new password and security token in the Password field.
    • Set the Client ID to the consumer key that is generated when you create a connected application for App Connect in Salesforce.
    • Set the Client secret to the consumer secret that is generated when you create a connected application for App Connect in Salesforce.

      To obtain values for the Client ID and Client secret fields, you need a connected application that enables App Connect to integrate with Salesforce by using APIs and protocols. You can create a connected application in the following way. If you already have a connected application that you want to use, skip to the step that describes how to locate the consumer key and secret that were generated when you created the connected app.

      Note: You need the following Salesforce user permissions to create a connected application: Customize Application AND either Modify All Data OR Manage Connected Apps.
      To create a connected application and generate the Client ID and Client secret values, complete the following steps.
      1. From your Salesforce instance, create a connected application.
        1. Click Setup (), then click Apps > App Manager in the navigation pane.
        2. Click New Connected App.
        3. On the New Connected App page, specify basic information for the connected app, then enable OAuth settings for integration with the Salesforce API:
          • Set the Connected App Name to a unique name for the connected app.
          • For the API Name, accept the default value that is generated when you click within this field.
          • Set the Contact Email to an email address that Salesforce can use to contact you if necessary. (You can use the email address that is specified in your user profile or an administrator's email address.)
          • Select Enable OAuth Settings.
          • For the Callback URL, select Enable for Device Flow to generate a callback URL, or manually specify any valid secure URL. (This URL isn't used by your connected app).
          • For the Selected OAuth Scopes, select Manage user data via APIs (api) from the Available OAuth Scopes list and add it to the Selected OAuth Scopes list.
            Important: For the Salesforce Account Engagement connector, you must add the scopes Manage Pardot services (pardot_api) and Perform requests at any time (refresh_token, offline_access). For more information, see Account Engagement API Quick Start in the Salesforce Account Engagement API documentation.
        4. Click Save, then click Continue.
        5. Click Manage.
        6. In the OAuth Policies section, ensure that Permitted Users is set to All users may self-authorize. If this option is not selected, connections might fail even if the correct credentials are supplied.
      2. Locate the consumer key and consumer secret that were generated for the connected app:
        1. Click Setup (), then click Apps > App Manager in the navigation pane.
        2. Click the options menu for the connected app that you created, then click View.
        3. Click Manage Consumer Details. You're asked to verify your identity by using the verification code that was sent to your registered email address.
        4. Log in to your email account and locate the email from Salesforce that contains the verification code.
        5. Enter your verification code, then click Verify.
        6. In the Consumer Details section of the resulting page, locate and then copy the values in the following fields.
          • Use the Consumer Key as the value for the Client ID field.
          • Use the Consumer Secret as the value for the Client secret field.
  2. Click Connect, then click Continue to close the message about your Salesforce account requirements.

Provide credentials for App Connect to use (BASIC OAUTH)

Use this option to authorize App Connect with the access token and refresh token that were generated from the application client ID and client secret.

  1. Complete the connection fields that you see in the App Connect Designer Applications and APIs page or flow editor. You might need to work with your Salesforce administrator to get these values.
    • Set the Custom URL to the URL of your Salesforce instance.
      To obtain the Custom URL value, complete the following steps.
      1. In your Salesforce instance, click the View profile icon. The URL is displayed below your username.
      2. Construct the Custom URL value by adding the https:// prefix and an optional forward slash (/) suffix to this URL. For example, https://login.salesforce.com, https://myInstance.salesforce.com, or https://mySubdomain.my.salesforce.com/.
    • Set the Client ID to the consumer key that is generated when you create a connected app for App Connect in Salesforce.
    • Set the Client secret to the consumer secret that is generated when you create a connected app for App Connect in Salesforce.

      To obtain values for the Client ID and Client secret fields, you need a connected app that enables App Connect to integrate with Salesforce by using APIs and protocols. You can create a connected app in the following way. If you already have a connected app that you want to use, skip to the step that describes how to locate the consumer key and consumer secret that were generated when you created the connected app.

      Note: You need the following Salesforce user permissions to create a connected app: Customize Application AND either Modify All Data OR Manage Connected Apps.
      To create a connected app and generate the Client ID and Client secret values, complete the following steps.
      1. From your Salesforce instance, create a connected app.
        1. Click Setup (), then click Apps > App Manager in the navigation pane.
        2. Click New Connected App.
        3. On the New Connected App page, specify basic information for the connected app, then enable OAuth settings for integration with the Salesforce API:
          • Set the Connected App Name to a unique name for the connected app.
          • For the API Name, accept the default value that is generated when you click within this field.
          • Set the Contact Email to an email address that Salesforce can use to contact you if necessary. (You can use the email address that is specified in your user profile or an administrator's email address.)
          • Select Enable OAuth Settings.
          • For the Callback URL, select Enable for Device Flow to generate a callback URL, or manually specify any valid secure URL. (This URL isn't used by your connected app).
          • For the Selected OAuth Scopes, select Manage user data via APIs (api) from the Available OAuth Scopes list and add it to the Selected OAuth Scopes list.
            Important: For the Salesforce Account Engagement connector, you must also add the scopes Manage Pardot services (pardot_api) and Perform requests at any time (refresh_token, offline_access). For more information, see Account Engagement API Quick Start in the Salesforce Account Engagement API documentation.
        4. Click Save, then click Continue.
        5. Click Manage.
        6. In the OAuth Policies section, ensure that Permitted Users is set to All users may self-authorize. If this option is not selected, connections might fail even if the correct credentials are supplied.
      2. Locate the consumer key and consumer secret that were generated for the connected app:
        1. Click Setup (), then click Apps > App Manager in the navigation pane.
        2. Click the options menu for the connected app that you created, then click View.
        3. Click Manage Consumer Details. You are asked to verify your identity by using the verification code that was sent to your registered email.
        4. Log in to your email account and locate the email from Salesforce that contains the verification code.
        5. Enter your verification code, then click Verify.
        6. In the Consumer Details section of the resulting page, locate and then copy the values in the following fields.
          • Use Consumer Key as the value for the Client ID field.
          • Use Consumer Secret as the value for the Client secret field.
    • Set the Access token to the consumer key that is generated when you create a connected app for App Connect in Salesforce.
    • Set the Refresh token to the refresh token that is generated from the application client ID and client secret.

      To generate an access token and a refresh token to use to interact with Salesforce on your behalf, use an application such as IBM API Connect Test and Monitor to submit a POST request.

      1. Replace the parameters in the following URL with your own values. https://<INSTANCE_URL>/services/oauth2/authorize?response_type=code&client_id=<CONSUMER_KEY>&redirect_uri=<CALLBACK URL>
        • Replace INSTANCE_URL with the URL of your Salesforce instance. For example, https://MyDomainName.my.salesforce.com.
        • Replace CONSUMER_KEY with the client ID of your connected application.
        • Replace CALLBACK URL with the URL where users are redirected after a successful authentication. The redirect URI must match one of the values in the connected application's Callback URL field, otherwise, the approval fails. For example, https://login.salesforce.com/services/oauth2/success.
      2. Go to the URL from a web browser. When you're asked for permission to allow access to Salesforce, click Allow.
        Allowing permissions to salesforce

        The message Remote Access Application Authorization is shown in the web browser, and a new URL that contains the code is generated on your address bar. For example, https://login.salesforce.com/services/oauth2/success?code=aPrx_yTkbIprMMjYsra0Uw_IC8xpUl.FFwUrwesdsdsd4jl5w3bLgvtuQYCAPsJyD0k.kgo8gxg%3D%3D.

      3. Copy the code value from the generated URL.
      4. Use an application like IBM API Connect Test and Monitor to generate an access token and refresh token.
        1. Start a new POST request and specify the request URL with your own values. For example, https://<INSTANCE_URL>/services/oauth2/token?code=<CODE_VALUE>&grant_type=authorization_code&client_id=<CONSUMER_KEY>&client_secret=<CONSUMER_SECRET>&redirect_uri=<CALLBACK URL>
          • The INSTANCE_URL is the URL of your Salesforce instance. For example, https://MyDomainName.my.salesforce.com.
          • The CODE_VALUE is the code value in the generated URL.
          • The CONSUMER_KEY is the client ID of your connected application.
          • The CONSUMER_SECRET is the client secret of your connected application.
          • The CALLBACK URL is the URL where users are redirected after successful authentication. The redirect URI must match one of the values in the connected application's Callback URL field, otherwise, the approval fails. For example, https://login.salesforce.com/services/oauth2/success.
        2. Click Send. An access token and refresh token are returned in the response. Make a note of these values because you need to specify them as connection values when you create the account.
          Note: The generated access token is valid for 1 hour, and the refresh token expires after 90 days of inactivity. Therefore, you need to generate new tokens only if the refresh token is revoked or isn't used in 90 days.
  2. Click Connect, then click Continue to close the message about your Salesforce account requirements.

Provide credentials for App Connect to use (BASIC JWT)

Complete the following connection fields that you see in the App Connect Designer Connect > Applications and APIs page (previously the Catalog page) or flow editor. If necessary, work with your Salesforce administrator to obtain these values.
Salesforce BASIC JWT authorization connection fields:
Login URL: The login URL of your Salesforce instance, prefixed with https://.
Username: The username of your Salesforce account.
Client ID: The consumer key that is generated when you create a connected app for App Connect in Salesforce.
Private key: Specify the private key for your Salesforce connected app in PEM format.
API version: The API version of the Salesforce REST APIs (for example, 54.0). Supported versions are from 54.0 to 62.0.
To obtain the connection values required for BASIC JWT, complete the following steps:
  1. To generate the connection value for client ID, see step #connect_cloud__basicoauthclientidandsecret.
  2. To generate the private key, see Create a Private Key and Self-Signed Digital Certificate on the Salesforce Developers documentation page.
  3. To know more about the Salesforce REST API version, see Find Salesforce Edition and API version on the Salesforce page.

Result

These steps create an account in App Connect. For more information, see Managing accounts.

Tip:

Before you use the account that is created in App Connect in a flow, rename the account to something meaningful that helps you to identify it. To rename the account on the Applications and APIs page, select the account, open its options menu (⋮), then click Rename Account.