Availability
C1 only integrates with the Salesforce editions with API access: Salesforce Enterprise, Unlimited, Developer, and Performance editions. You cannot use this connector successfully with Group or Essentials editions, or with Professional edition without an API add-on. Learn more about which Salesforce editions support API access in the Salesforce documentation.Capabilities
The Salesforce connector supports automatic account provisioning.
This connector does not support account deprovisioning. You must deprovision accounts directly in Salesforce.
Territories require Enterprise Territory Management 2.0 to be enabled in your Salesforce org. If this feature is not enabled, the connector will return an error when attempting to sync territories.
*Agents (Agentforce agents and Einstein Bots, backed by the
BotDefinition object) are opt-in and disabled by default. Enable the Agent resource type in C1 to sync them. Agentforce or Einstein Bots must be enabled in your Salesforce org; otherwise the connector skips agents cleanly.
Optional fields for custom validation rules
Some Salesforce orgs have custom validation rules that require additional fields to be set when creating a user (for example, a rule that requiresFederationIdentifier for SSO).
To add an optional field mapping in C1, use the exact Salesforce field API name as the mapping key (for example, FederationIdentifier, Department, CommunityNickname) allowing you to satisfy any validation rule.
*You have the option to sync user accounts that use non-standard licenses.
Connector actions
Connector actions are custom capabilities that extend C1 automations with app-specific operations. You can use connector actions in the Perform connector action automation step.Gather Salesforce credentials
Configuring the connector requires you to pass in credentials generated in Salesforce. Gather these credentials before you move on.Enable API access and permissions for your Salesforce user
Before you begin, make sure that the Salesforce user who will set up the integration with C1 has the required system permissions. The recommended approach is to create a Permission Set and assign it to the connector user.1
Log into Salesforce as an Administrator. Click the gear icon and select Setup.
2
Search for “permission sets” and select Permission Sets.
3
Click New to create a permission set (for example, “C1 Connector Access”).
4
In the permission set, click System Permissions, then click Edit.
5
Enable API Enabled and Manage Users. If syncing connected apps, also enable Customize Application. If using provisioning, also enable Manage Roles and Role Hierarchy and Manage Groups.
6
Click Save.
7
Click Manage Assignments, then Add Assignment to assign the permission set to the connector user.
Locate your Salesforce domain
1
Log into the Salesforce admin panel and copy the URL from your browser.
Create a Salesforce External Client App for JWT Bearer
Use these instructions if you want to authenticate using a signed JWT assertion and a private key.1
Log into Salesforce as an Administrator. Click the gear icon and select Setup.
2
Search for “External Client App Manager” and select External Client App Manager.
3
Click New External Client App.
4
Fill in the basic information:
- External Client App Name: a name of your choice (for example,
baton-jwt) - Contact Email: your email address
5
Expand OAuth Settings and configure the following:
- Callback URL: enter any valid URL
- Selected OAuth Scopes: add Full access (full), Manage user data via APIs (api), and Perform requests at any time (refresh_token, offline_access)
- Under Flow Enablement, check Enable JWT Bearer Flow. A Certificate Upload field will appear — upload your certificate (
.pem). You will need the corresponding private key (.pem) later when configuring the connector.
6
Click Create.
7
Go to the Policies tab and click Modify.
- Scroll down to the OAuth Policies section. Under Plugin Policies, set Permitted Users to Admin approved users are pre-authorized.
- After changing that setting, scroll back up to the App Policies section. Under Select Profiles, move the profile of your connector user (for example, System Administrator) from the available list to the selected list.
8
Go to the Settings tab, expand OAuth Configuration, and click Consumer Key and Secret to retrieve your Consumer Key. Save it — this is your Client ID.
private.pem file and a Consumer Key to use with the JWT Bearer authentication method.
Create a Salesforce External Client App for Client Credentials
Use these instructions if you want to authenticate using a client ID and secret.1
Log into Salesforce as an Administrator. Click the gear icon and select Setup.
2
Search for “External Client App Manager” and select External Client App Manager.
3
Click New External Client App.
4
Fill in the basic information:
- External Client App Name: a name of your choice (for example,
baton-cc) - Contact Email: your email address
5
Expand OAuth Settings and configure the following:
- Callback URL: enter any valid URL
- Selected OAuth Scopes: add Full access (full) and Manage user data via APIs (api)
- Under Flow Enablement, check Enable Client Credentials Flow
6
Click Save.
7
Go to the Policies tab and click Modify.Scroll down to the OAuth Policies section and find the OAuth Flows and External Client App Enhancements subsection:
- Check Enable Client Credentials Flow. A Run As (username) field will appear directly below.
- In the Run As (username) field, enter the Salesforce username of your connector user.
8
Go to the Settings tab, expand OAuth Configuration, and click Consumer Key and Secret to retrieve your Consumer Key and Consumer Secret. Save both — these are your Client ID and Client Secret.
Configure the Salesforce connector
- Cloud-hosted
- Self-hosted
Follow these instructions to use a built-in, no-code connector hosted by C1.Done. Your Salesforce connector is now pulling access data into C1.
1
In C1, navigate to Integrations > Connectors and click Add connector.
2
Search for Salesforce v2 and click Add.
3
Choose how to set up the new Salesforce connector:
- Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)
- Add the connector to a managed app (select from the list of existing managed apps)
- Create a new managed app
4
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
5
Click Next.
6
Find the Settings area of the page and click Edit.
7
Select your method of authenticating to Salesforce: OAuth, JWT Bearer, Client Credentials, or **Username and password (deprecated) **.
8
If you chose OAuth:
- In the Domain field, enter your Salesforce domain.
-
Optional. Check the box to tell C1 to use Salesforce usernames as the email addresses for your organization’s accounts. This option is especially helpful if your organization uses multiple service accounts that all share a
noreply@salesforce.comemail address. - Optional. Check the box if you want the connector to sync connected apps.
- Optional. Uncheck the box if you do not want to sync deactivated users.
- Optional. Check the box if you want the connector to sync users on non-standard licenses, such as external users.
- Optional. Create a map of the Salesforce license types used by your organization and the profile associated with each license type that has the fewest permissions. C1 will use this information when deprovisioning user profiles to automatically reassign the user to the least-privilege profile associated with their license type.
- Click Save.
- Click Login with OAuth.
- Log in and authorize C1 with your Salesforce instance.
- You will then be redirected back to the Salesforce setup page in C1, where you’ll see an authorization message.
- In the Domain field, enter your Salesforce domain.
- In the Client ID field, enter the Consumer Key from your External Client App.
-
In the Private Key (.pem) field, upload your
private.pemfile. - In the JWT Subject field, enter the Salesforce username of the connector user.
-
Optional. In the Login URL field, enter a custom Salesforce login URL. Defaults to
https://login.salesforce.com. Usehttps://test.salesforce.comfor sandbox orgs. - Optional. Configure sync options as needed (connected apps, deactivated users, non-standard users, license mapping).
- Click Save.
- In the Domain field, enter your Salesforce domain.
- In the Client ID field, enter the Consumer Key from your External Client App.
- In the Client Secret field, enter the Consumer Secret from your External Client App.
- Optional. Configure sync options as needed (connected apps, deactivated users, non-standard users, license mapping).
- Click Save.
- Enter your Salesforce username and password in the top two fields.
- Enter your Salesforce security token in the Security token field. If trusted IP is configured on your user, entering this token is optional. If needed, refer to Reset Your Security Token in the Salesforce documentation.
- In the Domain field, enter your Salesforce domain.
-
Optional. Check the box to tell C1 to use Salesforce usernames as the email addresses for your organization’s accounts. This option is especially helpful if your organization uses multiple service accounts that all share a
noreply@salesforce.comemail address. - Optional. Check the box if you want the connector to sync connected apps.
- Optional. Uncheck the box if you do not want to sync deactivated users.
- Optional. Check the box if you want the connector to sync users on non-standard licenses, such as external users.
- Optional. Create a map of the Salesforce license types used by your organization and the profile associated with each license type that has the fewest permissions. C1 will use this information when deprovisioning user profiles to automatically reassign the user to the least-privilege profile associated with their license type.
- Click Save.
9
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.
Troubleshooting the Salesforce integration
When I try to log in with OAuth, I see a “This feature is not currently enabled for this user” error
Salesforce returns this error if the user who is logging in with OAuth does not have permission to access the Salesforce APIs:When I try to sync, I see an “insufficient access rights on cross-reference id” error
Salesforce returns this error if the connector user does not have sufficient permissions:
Additional permissions required for provisioning:
To fix this error, follow the instructions to Enable API access and permissions for your Salesforce user to create a Permission Set with the required permissions and assign it to the connector user.