This document provides an overview of connected apps in Salesforce. It defines connected apps and their usage, protocols like OAuth and SAML, and terminology. It also demonstrates how to create a connected app, integrate a service provider using SAML or OpenID Connect, and manage access to third-party apps. The document contains examples of connected app use cases and managing OAuth access policies. It concludes by encouraging the reader to continue exploring and learning.
2. SalesforceCodex.com 2
About Me
Dhanik Lal Sahni
Technical Architect
Conduent Business Solution
Certified Application Architect
Twitter: @dhaniksahni
Blog: salesforcecodex.com
Session 13-Agenda
• In a given scenario, recommend when to use API-based integrations, such as SOAP, REST, Bulk, Streaming, Canvas, Workflow outbound, Apex (callouts, @future, etc.), and Lightning Connect to achieve business requirements.
• Compare and contrast the advantages and drawbacks (design trade-offs) of using API-based integrations such as SOAP, REST, Bulk, Streaming, Canvas, Workflow outbound, Apex (callouts, @future, etc.), and Lightning Connect.
[Chart: Integration Architecture Designer Exam section weightings across seven sections (28%, 17%, 15%, 10%, 15%, 10%, 5%); Salesforce Integration Capabilities: 28%]
WHAT IS CONNECTED APP?
A connected app is a framework that enables an external application to integrate with Salesforce using APIs. A connected app uses standard protocols, such as SAML, OAuth, and OpenID Connect, to authorize, authenticate, and provide single sign-on (SSO) for external apps.
CONNECTED APP PROTOCOLS
OAuth 2.0
OAuth 2.0 is the industry-standard protocol for authorization. It focuses on the client side, providing specific authorization flows for web applications, desktop applications, mobile phones, and living-room devices. In short, it lets a third-party system use a user's information without the user's password ever being exposed to that system.
OpenID Connect
OpenID Connect adds an identity layer on top of OAuth 2.0. It allows clients to verify the end user's identity and obtain their basic profile information. In short, it is used for user authentication.
SAML 2.0
Security Assertion Markup Language (SAML) 2.0 is a means to exchange authorization and authentication information between services. SAML is frequently used to implement internal corporate single sign-on (SSO) solutions, where the user logs into one service that acts as the single source of identity.
Connected App and OAuth Terminology
Access Token: Instead of using the user's Salesforce credentials, a consumer (connected app) can use an access token to gain access.
Authorization Code: Only used in OAuth 2.0 with the web server flow, the authorization code is a token that represents the access granted by the end user. The authorization code is used to obtain an access token and a refresh token. It expires after 15 minutes.
Authorization Server: The authorization server is the server that authorizes a resource owner and, upon successful authorization, issues access tokens to the requesting consumer.
Callback URL: A callback URL is the URL that is invoked after OAuth authorization for the consumer (connected app).
Consumer: A consumer is the website or app that uses OAuth to authorize both the Salesforce user and itself on the user's behalf.
Consumer Key: A consumer uses a key to identify itself to Salesforce.
Consumer Secret: A consumer uses a secret to establish ownership of the consumer key.
Refresh Token: Only used in OAuth 2.0, a consumer can use a refresh token to obtain a new access token without having the end user approve the access again.
Resource Owner: The resource owner is the entity (usually the end user) that grants access to a protected resource.
Resource Server: The resource server is the server that hosts the protected resource. Your Salesforce org is the resource server that protects your data.
CONNECTED APP USE CASES
Access Data with API Integration
• Use a connected app to request access to Salesforce data on behalf of an external application
• Must be integrated with the Salesforce API using the OAuth 2.0 protocol
Integrate Service Providers with Your Salesforce Org
• Use a connected app to integrate your service provider with your Salesforce org
• Use a connected app with SAML 2.0 or OpenID Connect to integrate a service provider with your Salesforce org
Manage Access to Third-Party Apps
• Admins can set security policies to control what data a third-party app can access from your org.
• Admins can also define who can use the third-party app
Connected App Server Scopes
Scope: Description
Access Pardot services (pardot_api): Allows access to Pardot API services on behalf of the user.
Access and manage your data (api): Allows access to the current, logged-in user's account using APIs, such as REST API and Bulk API. This scope also includes chatter_api.
Access and manage your Chatter feed (chatter_api): Allows access to Connect REST API resources on behalf of the user.
Access custom permissions (custom_permissions): Allows access to the custom permissions in an org associated with the connected app.
Full access (full): Allows access to all data accessible by the logged-in user, and encompasses all other scopes.
Access your basic information (id, profile, email, address, phone): Allows access to the identity URL service. You can request profile, email, address, or phone individually to get the same result as using id; they are all synonymous.
Allow access to your unique identifier (openid): Allows access to the current, logged-in user's unique identifier for OpenID Connect apps. In the OAuth 2.0 user-agent flow and the OAuth 2.0 web server flow, use the openid scope.
Perform requests on your behalf at any time (refresh_token, offline_access): Allows a refresh token to be returned when the requesting client is eligible to receive one.
Provide access to your data via the Web (web): Allows use of the access_token on the web. This scope also includes visualforce, allowing access to customer-created Visualforce pages.
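The inclusion rules stated across the two scope lists (api includes chatter_api, web includes visualforce, full encompasses the other scopes, and the identity scopes are synonyms) are what a resource server has to apply when it checks a token against a request. The following is an added example with hypothetical function names, not Salesforce code: it treats refresh_token and offline_access as a token-issuance flag rather than a data scope, which is an assumption, drops unknown scopes, and denies any resource that is not explicitly mapped. The resource paths in it are constructed for the demo.

```python
# Scope check for a resource server, built from the scope descriptions in the
# slides. Added example with hypothetical names, not Salesforce code.

# The slides call these synonymous: requesting any one is the same as "id".
IDENTITY_SCOPES = frozenset({"id", "profile", "email", "address", "phone"})

# These control whether a refresh token is issued, not what data may be read.
# Keeping them apart from the data scopes is an assumption of this example.
REFRESH_SCOPES = frozenset({"refresh_token", "offline_access"})

# Data scopes from the slides; "full" encompasses all of these.
DATA_SCOPES = frozenset({"pardot_api", "api", "chatter_api", "custom_permissions",
                         "openid", "web", "visualforce"}) | IDENTITY_SCOPES

# Inclusions stated in the slides: api includes chatter_api, web includes visualforce.
INCLUDES = {"api": {"chatter_api"}, "web": {"visualforce"}}

KNOWN_SCOPES = DATA_SCOPES | REFRESH_SCOPES | {"full"}


def parse_scope(scope_str):
    """Split a space-separated OAuth scope string; unknown scopes are dropped."""
    return frozenset(s for s in scope_str.split() if s in KNOWN_SCOPES)


def effective_scopes(granted):
    """Expand a granted scope set with everything those scopes include."""
    eff = set()
    for s in granted:
        if s == "full":
            eff |= DATA_SCOPES
        elif s in IDENTITY_SCOPES:
            eff |= IDENTITY_SCOPES
        elif s in DATA_SCOPES:
            eff.add(s)
            eff |= INCLUDES.get(s, set())
    return frozenset(eff)


def token_permits(granted, required):
    """True if a token carrying `granted` may reach a resource needing `required`."""
    return required in effective_scopes(granted)


def refresh_token_eligible(granted):
    """A refresh token is returned only if the client asked for one."""
    return bool(granted & REFRESH_SCOPES)


# Constructed resource-to-scope map for the demo; the paths are illustrative only.
RESOURCE_SCOPE = {
    "/services/data/sobjects": "api",
    "/services/data/chatter/feeds": "chatter_api",
    "/id": "id",
    "/apex/MyPage": "visualforce",
    "/pardot/v4/prospects": "pardot_api",
}


def authorize_request(scope_str, path):
    """Decide whether a token's scope string permits a request to `path`."""
    required = RESOURCE_SCOPE.get(path)
    if required is None:
        return False  # deny anything not explicitly mapped
    return token_permits(parse_scope(scope_str), required)
```

Note the asymmetry the slides imply: a token scoped to api can read Chatter feeds, but a token scoped only to chatter_api cannot touch the rest of the data API, and a full token still yields no refresh token unless refresh_token or offline_access was also requested.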
CREATE A CONNECTED APP
[Screenshot of the connected app setup form; only two field help texts survived extraction: "... device with limited input or display capabilities" and "URL which is redirected to after successful authorization" (the callback URL).]
Integrate Service Providers with Your Salesforce Org
• Single sign-on (SSO) lets users access other applications without logging in separately to each one, and without having to create (and remember) different user credentials for each app.
• Two server roles are important in SSO: Identity Providers and Service Providers.
Identity Provider: An identity provider is a system entity that creates, maintains, and manages identity information.
Service Provider: A service provider is a vendor that provides IT solutions and/or services to end users and organizations.
Integrate a Service Provider with SAML: To integrate a service provider with your Salesforce org, you can use a connected app that implements SAML 2.0 for user authentication.
Integrate a Service Provider with OpenID Connect
• OpenID Connect is a rewrite of SAML using OAuth 2.0.
• In SAML, the user is redirected from the Service Provider (SP) to the Identity Provider (IdP) for sign in.
• In OpenID Connect, the user is redirected from the Relying Party (RP) to the OpenID Provider (OP) for sign in.
Install a Connected App
• We can install a connected app by installing a managed package that includes the connected app as a component.
• We can also install an OAuth connected app from the Connected Apps OAuth Usage page.
Uninstall a Third-Party Connected App
• We can uninstall a third-party connected app from our org.
• Uninstalling an app doesn't delete the connected app itself; it deletes the app's OAuth policies in our org.
• The connected app is actually deleted only when the original developer deletes it from their org.
• We can also block the app to make it inaccessible.
Manage OAuth Access Policies for a Connected App
Permitted Users
• All users may self-authorize
  • Allows all users in the org to authorize the app after successfully signing in.
  • Users must approve the app the first time they access it.
• Admin approved users are pre-authorized
  • Allows only users with the associated profile or permission set to access the app, without first authorizing it.
Manage OAuth Access Policies for a Connected App
IP Relaxation
Determines whether a user's access to the app is restricted by the org's IP ranges.
• Enforce IP restrictions:
  • Enforces the IP restrictions configured for the org, such as the IP ranges assigned to a user profile.
• Enforce IP restrictions, but relax for refresh tokens:
  • Enforces the IP restrictions configured for the org, but relaxes them when the app presents a refresh token.
• Relax IP restrictions for activated devices:
  • Allows a user running the app to bypass the org's IP restrictions when the app has a list of allowed IP ranges and is using the web server authentication flow.
• Relax IP restrictions:
  • Allows a user to run this app without org IP restrictions.
Manage OAuth Access Policies for a Connected App
Refresh Token Policy
Determines how long a refresh token is valid for.
• Refresh token is valid until revoked:
  • Default. The refresh token can be used indefinitely, unless revoked by the user or a Salesforce admin.
• Immediately expire refresh token:
  • The refresh token is invalid immediately. The user can keep using the current session (access token) already issued, but can't obtain a new session when the access token expires.
• Expire refresh token if not used for n:
  • The refresh token stays valid as long as it has been used within the specified amount of time.
• Expire refresh token after n:
  • The refresh token is valid for a fixed amount of time.
If refresh tokens are provided, users can continue to access the OAuth-enabled connected app without having to reauthorize when the access token expires. Refresh tokens are needed only when a user's session has expired or isn't available.
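The IP relaxation and refresh token policy settings from the last two slides, written as decision functions. This is an added example with hypothetical names, not Salesforce code; the CIDR ranges, timestamps and durations are constructed, and the way the "activated devices" option treats app-level IP ranges follows the slide wording and is an assumption on detail. The difference between the two n-based refresh policies (an idle timeout that each use resets versus a fixed lifetime that use does not extend) is the point worth seeing run.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from ipaddress import ip_address, ip_network


class IpPolicy(Enum):
    ENFORCE = "Enforce IP restrictions"
    ENFORCE_RELAX_REFRESH = "Enforce IP restrictions, but relax for refresh tokens"
    RELAX_ACTIVATED = "Relax IP restrictions for activated devices"
    RELAX = "Relax IP restrictions"


def ip_allowed(policy, client_ip, org_ranges, *, refresh_grant=False,
               device_activated=False, app_ranges=(), web_server_flow=False):
    """Apply one IP relaxation setting to a token request.

    org_ranges and app_ranges are CIDR strings; refresh_grant is True when the
    request presents a refresh token. The activated-device branch follows the
    slide wording: bypass when the device is activated, or when the app has its
    own allowed IP ranges and uses the web server flow (assumption on detail).
    """
    ip = ip_address(client_ip)
    in_org = any(ip in ip_network(r) for r in org_ranges)
    if policy is IpPolicy.RELAX:
        return True
    if policy is IpPolicy.ENFORCE_RELAX_REFRESH:
        return in_org or refresh_grant
    if policy is IpPolicy.RELAX_ACTIVATED:
        in_app = (bool(app_ranges) and web_server_flow
                  and any(ip in ip_network(r) for r in app_ranges))
        return in_org or device_activated or in_app
    return in_org  # IpPolicy.ENFORCE


class RefreshPolicy(Enum):
    UNTIL_REVOKED = "Refresh token is valid until revoked"
    IMMEDIATE = "Immediately expire refresh token"
    IF_NOT_USED_FOR = "Expire refresh token if not used for n"
    AFTER = "Expire refresh token after n"


@dataclass
class RefreshToken:
    issued_at: datetime
    last_used: datetime
    revoked: bool = False


def refresh_token_valid(policy, token, now, n=None):
    """Decide whether a refresh token may still mint a new access token."""
    if token.revoked:
        return False  # revocation wins under every policy
    if policy is RefreshPolicy.UNTIL_REVOKED:
        return True
    if policy is RefreshPolicy.IMMEDIATE:
        return False  # the issued access token keeps working; no renewal
    if n is None:
        raise ValueError("this policy needs a duration n")
    if policy is RefreshPolicy.IF_NOT_USED_FOR:
        return now - token.last_used <= n  # idle timeout, reset on each use
    return now - token.issued_at <= n      # RefreshPolicy.AFTER: fixed lifetime


def use_refresh_token(policy, token, now, n=None):
    """Record a use if the token is valid; returns whether renewal succeeded."""
    if not refresh_token_valid(policy, token, now, n):
        return False
    token.last_used = now
    return True
```

Note that under "Enforce IP restrictions, but relax for refresh tokens" the initial authorization still has to come from an allowed range; only the later refresh grants are exempt, so a stolen refresh token is the case that setting widens.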