Nailing the Security Audit with RRCU

ConductorOne docs

Set up a Salesforce connector

ConductorOne provides identity governance for Salesforce. Integrate your Salesforce instance with ConductorOne to run user access reviews (UARs) and enable just-in-time access requests.

📜 Deprecation warning: A newer version of this integration is available. This version of the integration is no longer available for installation. If you’re setting up a Salesforce integration with ConductorOne for the first time, use the v2 version of the integration.

Availability

ConductorOne only integrates with the Salesforce editions with API access: Salesforce Enterprise, Unlimited, Developer, and Performance editions.

You cannot use this connector successfully with Group or Essentials editions, or with Professional edition without an API add-on.

Learn more about which Salesforce editions support API access in the Salesforce documentation.

Capabilities

  • Sync user identities from Salesforce to ConductorOne

  • Resources supported:

    • Groups
    • Roles
    • Permission sets

Add a new Salesforce connector

This task requires either the Connector Administrator or Super Administrator role in ConductorOne.

  1. In ConductorOne, click Connectors > Add connector.

  2. Search for Salesforce and click Add.

  3. Choose how to set up the new Salesforce connector:

    • Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)

    • Add the connector to a managed app (select from the list of existing managed apps)

    • Create a new managed app

    Do you SSO into Salesforce using your identity, SSO, or federation provider? If so, make sure to add the connector to the unmanaged Salesforce app that was created automatically when you integrated your provider with ConductorOne, rather than creating a new managed app.

  1. Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.

    A Salesforce connector owner must have the following permissions:

    • Connector Administrator or Super Administrator role in ConductorOne
    • A Salesforce user account with a profile that includes the API Enabled permission (this permission is included by default in the Standard User and System Administrator profiles)
  1. Click Next.

Next steps

  • If you are the connector owner, proceed to Configure your Salesforce connector for instructions on integrating Salesforce with ConductorOne.

  • If someone else is the connector owner, ConductorOne will notify them by email that their help is needed to complete the setup process.

Configure your Salesforce connector

A user with the Connector Administrator or Super Administrator role in ConductorOne and a Salesforce user account with a profile that includes the API Enabled permission must perform this task.

Step 0: Enable API access for your Salesforce user

Before you begin, make sure that the Salesforce user who will set up the integration with ConductorOne has a profile that includes the API Enabled permission. This permission is included by default in the Standard User and System Administrator profiles.

To edit a different profile so that it includes the API Enabled permission:

  1. Log into Salesforce as an Administrator.

  2. Click the gear icon and select Setup.

  3. Search for “profiles” and select Profiles from the search results.

  4. In the User Profiles list, locate the user profile you want to add the permission to and click Edit.

  5. Find the Administrative Permissions section of the page and click to select API Enabled.

  6. Click Save.

Your user’s profile can now access Salesforce APIs, and you’re ready to begin the integration process.

Step 1: Locate your Salesforce domain

  1. Log into the Salesforce admin panel and copy the URL from your browser. We’ll use this in Step 2.

    ConductorOne integrates with domains that use one of the following Salesforce URL structures:

    • my.salesforce.com
    • sandbox.my.salesforce.com
    • test.salesforce.com
    • lightning.force.com
    • develop.lightning.force.com
    • sandbox.lightning.force.com

Step 2: Set up the Salesforce connector

  1. In ConductorOne, navigate to the Salesforce connector by either:

    • Clicking the Set up connector link in the email you received about configuring the connector.

    • Navigate to Connectors > Salesforce (if there is more than one Salesforce listed, click the one with your name listed as owner and the status Not connected).

  2. Find the Settings area of the page and click Edit.

  3. In the Domain field, enter the Salesforce domain you looked up in Step 1.

  4. Optional. Check the box to tell ConductorOne to use Salesforce usernames as the email addresses for your organization’s accounts. This option is especially helpful if your organization uses multiple service accounts that all share a noreply@salesforce.com email address.

  5. Click Save.

Step 3: Log in with OAuth

  1. Click Login with OAuth.

  2. Log in and authorize ConductorOne with your Salesforce instance.

  3. You will then be redirected back to the Salesforce setup page in ConductorOne, where you’ll see an authorization message.

  4. The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

That’s it! Your Salesforce connector is now pulling access data into ConductorOne.

Configure the Salesforce integration using Terraform

As an alternative to the integration process described above, you can use Terraform to configure the integration between Salesforce and ConductorOne.

See the ConductorOne Salesforce integration resource page in the ConductorOne Terraform registry for example usage and the full list of required and optional parameters.

Troubleshooting the Salesforce integration

When I try to log in with OAuth, I see a “This feature is not currently enabled for this user” error

Salesforce returns this error if the user who is logging in with OAuth does not have permission to access the Salesforce APIs:

{"code":2, "message":"error getting info from connectorClient: [simpleforce] Error. http code: 403 Error Message:  This feature is not currently enabled for this user. Error Code: FUNCTIONALITY_NOT_ENABLED"}

If you see this message, follow the instructions in Step 0: Enable API access for your Salesforce user and then try logging in again.