Salesforce integration

Integrate Identity Security Posture Management (ISPM) with your Salesforce tenant:

Download the server certificate file

  1. In the Identity Security Posture Management console, go to SettingsSources gallery.

  2. Select Salesforce.

  3. Enter a value in the Source Name field.

  4. Click Generate server.crt.

  5. Click Download server.crt.

Add ISPM IPs to your Trusted IP Range

For the integration to succeed, you must have the ISPM IP addresses 13.52.68.184 , 54.193.209.206 , 13.57.96.208 , and 184.72.14.192 in your trusted IP range.

  1. From the left menu, go to Settings Security.

  2. Click Network Access. The Trusted IP Range page opens.

  3. Create a rule for each of the IPs above:

    1. Click New.

    2. Set the IP as the Start IP Address and the End IP Address.

    3. Add a description. For example, ISPM IP number 1.

  4. Repeat steps 1 - 3 for each ISPM IP address.

Create a permission set

  1. In your Salesforce tenant, go to SettingsSetup.

  2. In ADMINISTRATION, select Users Permission Sets. The Permission Sets page opens.

  3. Click New. The Create screen opens.

  4. In the Enter permission set information section, enter ISPM SFDC integration permission as the Label.

  5. Optional. Enter a description.

  6. In the Select the type of users who will use this permission set section, set the License to None.

  7. Click Save.

  8. Scroll down to the System section and select System Permissions. The ISPM SFDC integration permission page opens.

  9. Click Edit to modify system permissions.

  10. Select the following system permissions:

    System permission Notes
    API Enabled Select this checkbox to access any Salesforce.com API.
    View Setup and Configuration The View Roles and Role Hierarchy permission is selected automatically.
    View All Data The following permissions are selected automatically:
    • Read and View All on all standard and custom objects
    • View Setup and Configuration
    • View Event Log Files
    • View Dashboards in Public Folders
    • View Reports in Public Folders
    • View Login Forensics Events
    • View Real-Time Event Monitoring Data
    Manage Multi-Factor Authentication in API The following permissions are selected automatically:
    • Manage Users
    • Reset User Passwords and Unlock Users
    • View All Users
    • Manage Profiles and Permission Sets
    • Assign Permission Sets
    • Manage Roles
    • Manage IP Addresses
    • Manage Sharing
    • View Setup and Configuration
    • Manage Internal Users
    • Manage Password Policies
    • Manage Login Access Policies
    • Manage Multi-Factor Authentication in User Interface

  11. Select the following user permissions:

    • View All Profiles

  12. Click Save. The Permission Changes Confirmation screen opens.

  13. Review the permissions that you selected and click Save.

Assign the permission set

  1. In your Salesforce tenant, go to SettingsSetup.

  2. In ADMINISTRATION, select Users Users.

  3. Select a user account that you want to use for the ISPM integration. This account must have Salesforce as its user license.

  4. Go to the Permission Set Assignments section.

  5. Click Edit Assignments.

  6. Find and select the Identity Security Posture Management SFDC integration permission set.

  7. Click Add.

  8. Ensure that it appears in the Enabled Permission Sets section.

  9. Click Save.

Create an external client app

  1. In your Salesforce tenant, go to SettingsSetup.

  2. Under Platform tools, go to Apps External Client App Manager.

  3. Click New External Client App.

  4. Go to the Basic Information section and enter values for the following fields:

    1. External Client App Name: Enter a name for the app. For example, ISPM SFDC Integration

    2. API Name: This field is populated automatically. Leave this value as it is.

    3. Contact Email: Enter an email address.

    4. Distribution State: Select Local.

  5. Go the API (Enable OAuth Settings) section and enter values for the following fields:

    1. Select the Enable OAuth checkbox.

    2. In the Callback URL field, enter http://localhost:1717/OauthRedirect

    3. Under OAuth Scopes, add the following OAuth scopes:

      1. Manage user data via APIs (api)

      2. Manage user data via Web browsers (web)

      3. Perform requests at any time (refresh_token, offline_access)

    4. Go to the Flow Enablement section:

      1. Select Enable JWT Bearer Flow.

      2. Upload the server certificate file (server.crt) that you downloaded earlier from the ISPM console.

    5. Go to the Security section and ensure that the following checkboxes are selected:

      • Require Secret for Web Server Flow

      • Require Secret for Refresh Token Flow

    6. Click Create.

    7. On the external client app's page, go to the Settings tab.

    8. Under OAuth Settings, click the Consumer Key and Secret field and copy the copy the consumer key value. Store this value securely.

  6. Go to the Policies tab and click Edit.

  7. Go to the OAuth Policies section and do the following steps:

    1. Set the Permitted Users field to Admin approved users are pre-authorized.

    2. For the Select Permission Sets field, select the permissions set that you created earlier.

    1. In the App Authorization subsection:

      1. Select Refresh token is valid until revoked.

      2. Set IP Relaxation as Enforce IP restrictions.

    2. Click Save.

Share the parameters with ISPM

  1. In the Identity Security Posture Management console, go to SettingsSources gallery.

  2. Select Salesforce.

  3. Enter the username of the user that you assigned to the permission set.

  4. Enter the consumer key that you copied earlier.

  5. Click Submit.