Configure OAuth and REST integration

This topic describes how to configure the Salesforce integration to use REST APIs to authenticate using OAuth.

You can configure the Salesforce app integration to use REST APIs for OAuth authentication. Before Salesforce can access REST API resources, it must be authorized as a safe visitor. To do this, use a connected app and an OAuth 2.0 authorization flow. See Authorization Through Connected Apps and OAuth 2.0.

Before you begin

  1. Create an administrator account in Salesforce. You need this account to create the OAuth consumer key and consumer secret used in the Salesforce REST integration.
  2. Create a custom user profile in Salesforce. This is required for both SOAP and REST integrations. See Enable Salesforce provisioning.
  3. In Salesforce, create a connected app and enable OAuth settings for API integration.
    • To create a connected app, perform the steps in Configure Basic Connected App Settings.
    • To enable OAuth settings, perform the steps in Enable OAuth Settings for API Integration. Use the following settings:
      • Enable for Device Flow: disabled
      • Callback URL: https://system-admin.okta.com/admin/app/generic/oauth20redirect
      • Use digital signatures: disabled
      • Selected OAuth scopes:
        • Manage user data via APIs (api)
        • Perform requests at any time (refresh_token, offline_access)
      • Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows: disabled
      • Require Secret for Web Server Flow: enabled
      • Require Secret for Refresh Token Flow: enabled
      • Enable Client Credentials Flow: disabled
      • Introspect All Tokens: disabled
      • Configure ID Token: disabled
      • Enable Asset Tokens: disabled
      • Enable Single Logout: disabled
  4. Go to Setup > Manage Apps > Connected Apps > {{Connected App Name}} > OAuth Policies > Permitted Users. Choose All users may self-authorize. Click Save.
  5. Allow up to 10 minutes for your changes to take effect before using the connected app.
  6. In Salesforce, note your Consumer Key and Consumer Secret in Enable OAuth Settings for API Integration. These values are required when you configure your provisioning in Okta.
  7. On the Salesforce page that displays your consumer key and consumer secret, click Manage. Verify that the Refresh Token Policy is set to Refresh token is valid until revoked.

Configure OAuth and REST integration

For existing customers:

Even after you enable this feature, SOAP credentials (admin username and password) are still used for all provisioning operations. If you haven't configured your SOAP credentials or completed the following steps to configure your OAuth credentials, then any provisioning operation results in an invalid API credentials error.

  1. In the Admin Console, go to Provisioning > Integration.
  2. Enter the following:
    • OAuth Consumer Key: Consumer Key from your Salesforce OAuth settings
    • OAuth Consumer Secret: Consumer Secret from your Salesforce OAuth settings
  3. Click Authenticate with Salesforce.com.
  4. In the new Salesforce.com window, enter the administrator username and password that you used to create the connected OAuth app. If you previously entered SOAP credentials, you don't need to enter them again.
  5. Click Allow to permit access to your connected app.
  6. Click Save.

Your Salesforce integration is now configured. If you previously used SOAP credentials (admin username and password), you can switch back by disabling this feature.