Set up Salesforce

danger

Atlan currently only supports Salesforce Sales Cloud. In addition, Atlan recommends using the OAuth 2.0 JWT bearer flow method for authentication.

Atlan supports the following authentication flows for Salesforce:

• OAuth 2.0 username-password flow for special scenarios
• OAuth 2.0 JWT bearer flow for server-to-server integration

You can use the following steps to configure these flows.

Use the OAuth 2.0 username-password flow

Who can do this?

You will probably need your Salesforce administrator to run these commands - you may not have access yourself.

Atlan requires the following credentials for this flow:

• Username
• Password
• Consumer Key (client_id)
• Consumer Secret (client_secret)

Create a connected app

To set up a connected app in Salesforce:

1. Log in to Salesforce.
2. In the upper right of the screen, click the settings icon and then click Setup. 
3. From Setup, enter apps in the Quick Find box and select App Manager.
4. In the upper right of the screen, click the New Connected App button.
5. Under Basic Information, enter the following details:
   • For Connected App Name, enter a meaningful name, such as AtlanConnector.
   • (The API Name should be automatically populated.)
   • For Contact Email, enter your email address.
6. Under API (Enable OAuth Settings), enter the following details:

   • Ensure Enable OAuth Settings is checked.

   • Ensure Enable for Device Flow is checked.

   • For Callback URL, enter any domain, for example https://localhost - this is unused.

   • For Selected OAuth Scopes, add the following scopes:

   • Access Lightning applications (lightning) 

   • Manage user data via APIs (api)

   • Perform requests at any time (refresh_token, offline_access)

   • Ensure Require Secret for Web Server Flow is checked.

   • Ensure Require Secret for Refresh Token Flow is checked.

7. At the top of the screen, click the Save button to save the app.
8. On the resulting screen, click Continue.
9. On your new connected app page and under API (Enable OAuth Settings), click Manage Consumer Details. This will open up a new tab with the consumer details for your connected app.
10. From the resulting screen:

• Copy the Consumer Key.
• Copy the Consumer Secret.

danger

You may need to wait approximately 10 minutes for your connected app to be activated before you can crawl Salesforce.

Retrieve the security token

To retrieve the integration user's personal security token:

1. Within Salesforce, click your user icon in the upper right of the screen.
2. Just below your name, click the Settings link.
3. From the My Personal Information expandable menu on the left, click Reset My Security Token.
4. On the Reset Security Token page, click the Reset Security Token button.
5. Copy the resulting security token.

danger

You will need to enter the concatenation of the user's password and personal security token in the Password field to crawl Salesforce. Entering either the password or personal security token alone will be insufficient. For example, if your user password is xyz and your security token is 123, then enter xyz123.

Use the OAuth 2.0 JWT bearer flow

Who can do this?

You will need your Salesforce administrator to create a non-admin user with a custom profile that is enabled with a JWT bearer-configured connected app. Only then will non-admin users be able to use the JWT bearer flow to connect Atlan with Salesforce. To learn more about why Atlan recommends a Salesforce administrator to complete these steps, see here.

Atlan requires the following credentials for this flow:

• Username
• Consumer Key (client_id)
• server.key file

Create the server key file

The OAuth 2.0 JWT bearer authorization flow requires a digital certificate and the private key used to sign the certificate.

To create the server.key file:

1. Create a private key and a self-signed digital certificate with these instructions. While generating a Certificate Signing Request (CSR), for the Common Name field, you must enter the domain name or hostname for your Salesforce instance.
2. Once the server key setup is completed, keep the following output files:

• server.crt - the digital certification file to be uploaded when creating the connected app in Salesforce.
• server.key - the private key to be used when encoding the JWT token that is sent upon authentication in Atlan.

Edit the connected app policies

1. Log in to Salesforce.
2. Follow the instructions in the Create a connected app section to set up a connected app.
3. Edit the connected app policies.
4. In the upper right of the screen, click the settings icon and then click Setup. 
5. From Setup, enter connected apps in the Quick Find box and select Manage Connected Apps.
6. Locate and click on your connected app, such as AtlanConnector.
7. On your connected app page, click Edit Policies.
8. Under OAuth Policies, click the Permitted Users dropdown menu and select Admin approved users are pre-authorized.
9. From the IP Relaxation dropdown, select Relax IP restrictions.
10. (Optional) For Refresh Token Policy, select Refresh token is valid until revoked.
11. Click Save.

Add the server certificate file to the connected app

To add the server certificate (server.crt) file to the connected app:

1. From Setup, enter app manager in the Quick Find box and select App Manager.
2. Locate your connected app, and then click the dropdown arrow and select Edit.
3. For API Enable OAuth Settings, check Use digital signatures. 
4. Click Choose File and upload the server.crt file.
5. Click Save.

Create a custom profile

Custom profiles are only used for non-admin users. Admin users are always set with an immutable standard profile.

Atlan strongly recommends using a custom profile enabled with the Modify All Data permission:

• To better manage permissions on Salesforce objects to be crawled into Atlan.
• To minimize the risk of missing assets, as certain custom objects may not be crawled into Atlan otherwise.
• As a subset of the Modify All Data permission, View All Data is insufficient for allowing a custom profile to crawl all objects.

To create a custom profile:

1. From Setup, enter profiles in the Quick Find box and select Profiles.
2. From Profiles, click the New Profile button to navigate to the Clone Profile page.
3. On the Clone Profile page, from the Existing Profile dropdown menu, select Standard User.
4. For Profile Name, enter a name, such as AtlanIntegrationProfile.
5. Click Save.
6. On the new profile page, click Edit.
7. For Connected App Access, check the name of your connected app.
8. For Administrative Permissions, uncheck all of the boxes except the following required permissions:

• API Enabled
• View Dashboards in Public Folders
• View Reports in Public Folders
• View All Data
• Run Reports

10. For Standard Object Permissions and Custom Object Permissions, select Read and View All for all items.
11. Click Save.

Add profile to connected app

Add your profile to connected app, follow these steps:

1. Go to Manage Connected App
2. Locate and click on your connected app, such as AtlanConnector.
3. On your connected app page, scroll down and click on Manage Profile
4. Select and check the profile that we created and click Save

Create a user

To create a non-admin user:

1. From the Setup menu and under Administration, click Users to expand the dropdown menu.

2. From the dropdown menu, click Users.

3. On the All Users page, click the New User button.

4. On the New User page, enter the required details - First Name, Last Name, Alias, Email, Username, and Nickname.

5. From the User License dropdown menu, select Salesforce.

6. From the Profile dropdown, select the custom profile you created.

7. Click Save.

danger

The new user will require a Salesforce license to crawl metadata in Atlan. If the Salesforce license does not appear in the User License dropdown, the account may have used up the allowed license limit. To check if you've reached the allowed license limit, follow these instructions.