Salesforce integration

This topic describes the steps to integrate Identity Security Posture Management (ISPM) with your Salesforce tenant:

• Download the server certificate file

• Add ISPM IPs to your Trusted IP Range

• Create a permission set

• Assign the permission set

• Create an external client app

• Share the parameters with ISPM

Download the server certificate file

1. In the Identity Security Posture Management console, go to SettingsSources gallery.

2. Select Salesforce.

3. Enter a value in the Source Name field.

4. Click Generate server.crt.

5. Click Download server.crt.

Add ISPM IPs to your Trusted IP Range

For the integration to succeed, you must include these ISPM IP addresses in your trusted IP range.

• 18.98.16.160/27

• 3.44.64.96/27

• 3.40.0.96/27

• 13.52.68.184

• 54.193.209.206

• 13.57.96.208

• 184.72.14.192

• 13.57.65.107

• 13.57.96.250

1. From the left menu, go to Settings Security.

2. Click Network Access. The Trusted IP Range page opens.

3. Create a rule for each of the IPs above:

   1. Click New.

   2. Set the IP as the Start IP Address and the End IP Address.

   3. Add a description. For example, ISPM IP number 1.

4. Repeat steps 1 - 3 for each ISPM IP address.

Create a permission set

1. In your Salesforce tenant, go to SettingsSetup.

2. In ADMINISTRATION, select Users Permission Sets. The Permission Sets page opens.

   

3. Click New. The Create screen opens.

4. In the Enter permission set information section, enter ISPM SFDC integration permission as the Label.

   

5. Optional. Enter a description.

6. In the Select the type of users who will use this permission set section, set the License to None.

7. Click Save.

8. Scroll down to the System section and select System Permissions. The ISPM SFDC integration permission page opens.

   

9. Click Edit to modify system permissions.

   

10. Select the following system permissions:

    • API Enabled. This system permission allows ISPM to access any Salesforce.com API.

    • View Setup and Configuration

    • View All Data

    • Manage MFA in API

    • Manage MFA in API

    • Optional. Customize Application. This system permission allows ISPM to detect Unauthorized Salesforce Apps Installed by Users.

    Sometimes when you select a permission, there are other system permissions that are selected automatically. See Salesforce system permissions

11. Optional. Select all of the following system permissions to allow ISPM to detect Salesforce workload identities, including connected apps and External Client Apps (ECAs):

    • Manage Connected Apps

    • Modify Metadata Through Metadata API Functions

    • View all External Client Apps

    • View all External Client Apps, view their settings, and edit their policies

    • View Roles and Role Hierarchy

    • Customize Application

      Workload identities is a Limited Early Access release. Contact your Customer Support Manager or Account Executive to learn more.

12. Select the View All Profiles user permission.

13. Click Save. The Permission Changes Confirmation screen opens.

14. Review the permissions that you selected and click Save.

Assign the permission set

1. In your Salesforce tenant, go to SettingsSetup.

2. In ADMINISTRATION, select Users Users.

   

3. Select a user account that you want to use for the ISPM integration. This account must have Salesforce as its user license.

4. Go to the Permission Set Assignments section.

   

5. Click Edit Assignments.

6. Find and select the Identity Security Posture Management SFDC integration permission set.

   

7. Click Add.

8. Ensure that it appears in the Enabled Permission Sets section.

9. Click Save.

Create an external client app

1. In your Salesforce tenant, go to SettingsSetup.

2. Under Platform tools, go to Apps External Client App Manager.

3. Click New External Client App.

4. Go to the Basic Information section and enter values for the following fields:

   1. External Client App Name: Enter a name for the app. For example, ISPM SFDC Integration

   2. API Name: This field is populated automatically. Leave this value as it is.

   3. Contact Email: Enter an email address.

   4. Distribution State: Select Local.

5. Go the API (Enable OAuth Settings) section and enter values for the following fields:

   1. Select the Enable OAuth checkbox.

   2. In the Callback URL field, enter http://localhost:1717/OauthRedirect

   3. Under OAuth Scopes, add the following OAuth scopes:

      1. Manage user data via APIs (api)

      2. Manage user data via Web browsers (web)

      3. Perform requests at any time (refresh_token, offline_access)

   4. Go to the Flow Enablement section:

      1. Select Enable JWT Bearer Flow.

      2. Upload the server certificate file (server.crt) that you downloaded earlier from the ISPM console.

   5. Go to the Security section and ensure that the following checkboxes are selected:

      • Require Secret for Web Server Flow

      • Require Secret for Refresh Token Flow

   6. Click Create.

   7. On the external client app's page, go to the Settings tab.

   8. Under OAuth Settings, click the Consumer Key and Secret field and copy the copy the consumer key value. Store this value securely.

6. Go to the Policies tab and click Edit.

7. Go to the OAuth Policies section and do the following steps:

   1. Set the Permitted Users field to Admin approved users are pre-authorized.

   2. For the Select Permission Sets field, select the permissions set that you created earlier.

   1. In the App Authorization subsection:

      1. Select Refresh token is valid until revoked.

      2. Set IP Relaxation as Enforce IP restrictions.

   2. Click Save.

Share the parameters with ISPM

1. In the Identity Security Posture Management console, go to SettingsSources gallery.

2. Select Salesforce.

3. Enter the username of the user that you assigned to the permission set.

4. Enter the consumer key that you copied earlier.

5. Click Submit.

Salesforce system permissions

While integrating Salesforce with Identity Security Posture Management (ISPM), Salesforce automatically selects more permissions when you select certain system permissions to include in a permission set.

System permission	Additional automatically selected system permissions
View Setup and Configuration	View Roles and Role Hierarchy
View All Data	Read and View All on all standard and custom objects View Setup and Configuration View Event Log Files View Dashboards in Public Folders View Reports in Public Folders View Login Forensics Events View Real-Time Event Monitoring Data
Manage MFA in API	Manage Users Reset User Passwords and Unlock Users View All Users Manage Profiles and Permission Sets Assign Permission Sets Manage Roles Manage IP Addresses Manage Sharing View Setup and Configuration Manage Internal Users Manage Password Policies Manage Login Access Policies Manage MFA in User Interface
Customize Application	View Setup and Configuration Manage Custom Permissions