Activity Insights - Salesforce

To display activity data from Salesforce, you can set up a single SaaS connector or configure both a virtual appliance (VA) and Activity Insights - Salesforce connector.

Configuring Activity Insights Using the Salesforce SaaS Connector

If you are using the Salesforce SaaS connector, follow the connector guide to enable Activity Insights.

After a successful test connection, you must correlate accounts and run an aggregation for the Salesforce SaaS source. Your activity data will begin syncing immediately but may take up to 24 hours to display. Data will then update daily.

Note

If you previously configured both the Salesforce identity governance and Activity Insights - Salesforce connectors, you do not have to take additional action to continue receiving your data.

Configuring Activity Insights Using a VA-Based Source

If you are setting up Activity Insights using a VA-based connector, you may either use basic authentication or create a connected app in Salesforce using an OAuth 2.0 authentication method to connect Salesforce to Identity Security Cloud. You'll then configure both the Salesforce identity governance and Activity Insights - Salesforce connectors so that your tenant can gather your account information and display activity data.

Configuring a Connected App in Salesforce

To create a connected app in Salesforce, you may use an account with the System Administrator profile or create and assign a custom profile with least privilege. Both profiles require the user have a Salesforce license type. The user should not be part of the Customer Portal or Partner Portal. For more information, refer to Salesforce's product documentation.

You'll create a connected app using one of the following OAuth 2.0 grant types:

Client Credentials
Password
Refresh Token
JSON Web Token (JWT)

Configuring a Connected App using Client Credentials Grant Type

Create a service account in Salesforce.
Select the Setup icon > Setup.
Under Platform Tools in the navigation menu, select Apps > App Manager.
Select New Connected App.
In the Basic Information section, enter a name and email address to associate with the connected app.
In the API (Enable OAuth Settings) section, complete the following:
- Select the Enable OAuth Settings checkbox.
- Select the Enable for Device Flow checkbox. The callback URL is automatically populated.
- Add Manage user data via APIs (api) as an OAuth scope.
- Select the Require Secret for Web Server Flow checkbox.
- Select the Require Secret for Refresh Token Flow checkbox.
- Select the Enable Client Credentials Flow checkbox and select OK.
Select Save to create the connected app.
Select Continue to go to the connected app's page.
In the API (Enable OAuth Settings) section, select Manage Consumer Details to view your consumer key and secret. Copy these values as you'll need this information to connect Salesforce to Identity Security Cloud.
Select Manage in the top section of the page and then select Edit Policies.
In the Client Credentials Flow section, search for your service account in the Run As text box. Select Save to save these settings.

You can now configure the Salesforce identity governance source in Identity Security Cloud.

Configuring a Connected App using Password Grant Type

Create a service account in Salesforce. You’ll use these credentials to connect Salesforce to Identity Security Cloud.
Create a connected app in Salesforce.
On the connected app's page, select Manage Consumer Details to view your consumer key and secret. Copy these values as you'll need this information to connect Salesforce to Identity Security Cloud.
Set the application's IP relaxation in Salesforce.
- On the connected app's page, select Manage and then select Edit Policies.
- Set the IP relaxation to Relax IP restrictions and then select Save.
Allow OAuth Username-Password Flows in Salesforce.
- Select the Setup icon > Setup.
- Under Settings in the navigation menu, select Identity > OAuth and OpenID Connect Settings. Enable the Allow OAuth Username-Password Flows toggle.

You can now configure the Salesforce identity governance source in Identity Security Cloud.

Configuring a Connected App using a Refresh Token

Create a service account in Salesforce.
Select the Setup icon > Setup.
Under Platform Tools in the navigation menu, select Apps > App Manager.
Select New Connected App.
In the Basic Information section, enter a name and email address to associate with the connected app.
In the API (Enable OAuth Settings) section, complete the following:
- Select the Enable OAuth setting checkbox.
- Enter https://login.salesforce.com as the callback URL.
- Add the following OAuth scopes:
  - Manage user data via APIs (api)
  - Manage user data via Web browsers (web)
  - Perform requests at any time (refresh_token, offline_access)
Select Save to create the connected app. Select Continue to go to the connected app's page.
In the API (Enable OAuth Settings) section, select Manage Consumer Details to view your consumer key and secret. Copy these values as you'll need this information to connect Salesforce to Identity Security Cloud.
Generate an authorization code. This will be used to generate a refresh token.
- Copy the below URL and substitute your values for the Consumer Key and the Callback URL:
  
  https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id=<Consumer Key>&redirect_uri=<Callback URL>
  
  Where:
  
  <Consumer Key> is the consumer key for the connected app.
  
  <Callback URL> is the callback URL https://login.salesforce.com.
- Paste the modified URL into your browser and authenticate as needed.
- Select Allow to authorize access.
After authorizing, the browser redirects you to the callback URL you configured for the connected app. Note the authorization code appended to it: https://login.salesforce.com/?code=<authorization code>.

Important

You may need to URL-decode the authorization code before using it to generate a refresh token.
In Postman, use the authorization code to generate a refresh token.
- Set the method to POST.
- Enter https://login.salesforce.com/services/oauth2/token as the URL.
- Select the Body tab and then select raw.
- Enter the following:
1 2 3 4 5
grant_type=authorization_code client_id=<Consumer Key> client_secret=<Consumer Secret> code=<New Authorization Code> redirect_uri=<Callback URL>
Where:

<Consumer Key> is the consumer key for the connected app you created.

<Consumer Secret> is the consumer secret for the connected app you created.

<New Authorization Code> is the authorization code you generated.

<Callback URL> is the callback URL https://login.salesforce.com.

After selecting Send, you'll receive the refresh token in the response that the request returns. You can now configure the Salesforce identity governance source in Identity Security Cloud.

Configuring a Connected App using a JSON Web Token

To configure a connected app using a JSON web token, you'll first need to create a connected app and then generate a JWT assertion.

Creating a Connected App

Create a service account in Salesforce.
Select the Setup icon > Setup.
Under Platform Tools in the navigation menu, select Apps > App Manager.
Select New Connected App.
In the Basic Information section, enter a name and email address to associate with the connected app.
In the API (Enable OAuth Settings) section, complete the following:
- Select the Enable OAuth Settings checkbox.
- Select the Use digital signatures checkbox.
- Select Choose File and upload your digital certificate file, such as server.crt.
  
  Note
  
  If you do not have your own private key and digital certificate, you can create a private key and a self-signed certificate using OpenSSL. This process creates server.key and server.crt files.
- Enter https://login.salesforce.com as the callback URL.
- Add the following OAuth scopes:
  - Manage user data via APIs (api)
  - Manage user data via Web browsers (web)
  - Perform requests at any time (refresh_token, offline_access)
- Select the Require Secret for Web Server Flow checkbox.
- Select the Require Secret for Refresh Token Flow checkbox.
- Select the Enable Client Credentials Flow checkbox and then select OK.
Select Save to create the connected app. You'll now set an expiration and timeout for the refresh token.
Select Continue to go to the connected app's page.
Select Manage and then select Edit Policies.
In the OAuth Policies section, complete the following:
- Set Permitted Users to Admin approved users are pre-authorized and select OK.
- Set the Refresh Token Policy to Expire refresh token after: and enter 90 days or less.
  
  Best Practice
  
  SailPoint recommends setting a maximum of 90 days for the refresh token expiration. If the refresh tokens have expired, reauthorize it with your Salesforce login or org login JWT command.
In the Session Policies section, set the Timeout Value to 15 minutes.

Best Practice

SailPoint recommends setting a timeout for access tokens. Salesforce CLI automatically handles an expired access token by referring to the refresh token.
Select Save to save these settings.

You'll then assign the connected app to specific profiles so that admin-approved users are automatically granted access.
Under Administration, select Users > Profiles.
Select the user profiles that you want to assign to the connected app.
In the Apps section, select Assigned Connected Apps.
Select Edit.
Select the checkboxes for the connected apps you want to assign to this profile and then select Save. You can also create a permission set if needed.

After the you've set up the connected app, you'll need to generate a JWT assertion.

Generating a JWT Assertion

Construct a JWT header with the following format:

{"alg":"RS256"}

Encode the header with Base64url.
Construct a JSON Claims Set for JWT with the following parameters and encode with Base64url:
- iss: The issuer must contain the OAuth consumer key for the connected app for which you registered the certificate.
- aud: The audience identifies the authorization server as an intended audience. The authorization server must verify that it is an intended audience for the token. Use the authorization server's URL if you are using one of the following values:
  
  https://login.salesforce.com
  
  https://test.salesforce.com
  
  Alternatively, if you are implementing for a community, use the following URL: https://community.force.com/customers
- sub: The subject must contain the username of the Salesforce user or community user. For backward compatibility, you can use principal (prn) instead of subject (sub). If both are specified, prn is used.
- exp: The validity must be the expiration time of the assertion within 3 minutes, expressed as the number of seconds from 1970-01-01T0:0:0Z measured in UTC.
The JSON Claim Set should look like the following:
1 2 3 4 5
{"iss": "3MVG99Ox8878y48hf98[omitted for brevity]_rSK781.BoSVPGZHQ ukXnVjzRgSuQqGn75NL7yfkQcyy7", "sub": "my@email.com", "aud": "https://login.salesforce.com", "exp": "1333685628"}
Create a string for the encoded JWT Header and the encoded JWT Claims Set in the format encoded_JWT_Header + "." + encoded_JWT_Claims_Set.
Download the X509 Certificate from JKS.
Sign the resulting string using RSA SHA256.
Use the string you created to make an assertion string in the following form:

existing_string + "." + base64_encoded_signature

Use the following API request to generate an access token from the JWT assertion:

POST /services/oauth2/token HTTP/1.1
Host: login.example.com
Content-Type: application/x-www-form-urlencoded
grant_type= urn:ietf:params:oauth:grant-type:jwt-bearer&
assertion=eyJpc3MiOiAiM01WRz...[omitted for brevity]...ZT

After you've generated the access token, you can now configure the Salesforce identity governance source in Identity Security Cloud.

Configuring Salesforce Identity Governance Source

Follow the directions to create your Salesforce source in Identity Security Cloud. You can also edit an existing source.

Configuring the Activity Insights - Salesforce Source

To display activity data from Activity Insights, you must configure the Activity Insights - Salesforce source in Identity Security Cloud.

Go to Admin > Connections > Sources.
Select Create New to create a new source.
Search for and select the Activity Insights - Salesforce connector.
Enter a name and description for the source.
In the Source Owner field, begin typing the name of an owner. Matches appear after you type two letters.
(Optional) Select a governance group for source management.
Select the checkbox if the source is an authoritative source.
Select Continue to create the source.
From the left panel, select Configuration in the Source Setup section.
On the Authentication page, select the authentication type used to create a connected app in Salesforce:
- For Basic authentication, complete the following:
  - Salesforce URL - Enter your organization's Salesforce's URL in the format http://<Current My Domain URL>/services/Soap/u/.
    
    To find your site's URL, select Integrations > API under Platform Tools in the navigation menu. On the API WSDL page, find Partner WSDL and select Generate Partner WSDL. In the generated file, search for "service name". The URL is displayed in this section in the format of "https://<Current My Domain URL>/services/Soap/u/61.0"/>.
    
    Important
    
    If you have enabled Prevent SOAP API Login from https://login.salesforce.com, you must modify the default URL to provide a domain-specific URL. Under Settings in the navigation menu, select Company Settings > My Domain. Your organization's domain-specific URL is listed as the Current My Domain URL in the My Domain Details section.
    
    The default URL should be changed to https://<Current My Domain URL>/services/Soap/u/. For example if your Current My Domain URL is example.my.salesforce.com, then your default URL should be changed to https://example.my.salesforce.com/services/Soap/u/.
  - Service Account - Enter the name of the service account you created.
  - Password - Enter the password for the service account you created.
    
    Note
    
    This is the API user's Salesforce password. If the client's IP address has not been added to your organization's allowed list, you must add a security token to your password for OAuth2 authentication.
  - Identity Governance Source Name - Enter the name of the source you created for the identity governance connector. If no matching source is found, the test connection will fail.
- For OAuth 2.0 authentication, complete the following:
  - Salesforce OAuth 2.0 Token URL - Enter your OAuth 2.0 Token URL from Salesforce in the form of <current_my_domain_url>/services/oauth2/token. To find your domain name, search for "domain" in Salesforce. Under Company Settings, select My Domain. Add your domain from Current My Domain URL.
  - Grant Type - Select the OAuth 2.0 grant type used:
    - For Client Credentials, enter your consumer key and secret in the Client ID and Client Secret fields.
    - For Password, enter the name and password for the service account you created in the Service Account and Password fields. Enter your consumer key and secret in the Client ID and Client Secret fields.
    - For Refresh Token, enter your consumer key and secret in the Client ID and Client Secret fields. Enter your refresh token in the Refresh Token field.
    - For JWT, enter the values for the subject, issuer, audience, private key, and private key password in the corresponding fields.
      Notes
      
      The private key should be in standard PKCS #1 format. PKCS #8 format is not supported.
      
      The private key password is only required if the private key is encrypted with a passphrase.
  - Identity Governance Source Name - Enter the name of the source you created for the identity governance connector. If no matching source is found, the test connection will fail.
Select Save to save these settings.
From the left panel, select Review and Test in the Source Setup section.
On the Configuration Summary page, select Test Connection to test the connection between the applications. You must have a successful connection for Identity Security Cloud to gather activity data. If the test is unsuccessful, retry your credentials or contact SailPoint Support.

To gather account data, you must correlate accounts and run an aggregation for the Salesforce identity governance source. Your activity data will begin syncing immediately but may take up to 24 hours to display. Data will then update daily.

Setting Permissions for a Custom Profile with Least Privilege

You can create and assign a profile with the least privilege by creating a custom profile with the following settings:

System Permissions


Create and Customize List View	Create and Set Up Experiences
Create Libraries	Create Topics
Customize Application	Edit Events
Update Consent Preferences Using REST API	Lightning Console User
Lightning Experience User	Lightning Login User
Manage All Private Reports and Dashboards	Manage Certificates
Manage Connected Apps	Manage Custom Permissions
Manage Lightning Sync	Manage Mobile Configurations
Manage Multi-Factor Authentication in User Interface	View All Data
View Event Log Files	View Help Link
View Real-Time Event Monitoring Data	View Roles and Role Hierarchy
View Setup and Configuration	View User Records with PII

User Permissions


Assign Permission Sets	Manage Internal Users
Manage IP Addresses	Manage Login Access Policies
Manage Password Policies	Manage Profiles and Permissions Sets
Manage Roles	Manage Sharing
Manage Users	Reset User Passwords and Unlock Users
View All Profiles	View All Users

Object Settings

For a complete list of object permissions, refer to Salesforce Integration - Object Settings.

App Permissions

Category	Permission Name
Call Center	Manage Macros Users Can't Undo
Knowledge Management	Allow View Knowledge
Knowledge Management	Knowledge One
Sales	Edit Opportunity Product Sales Price
Sales	Send Stay-in-Touch Requests

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.