
The Salesforce connector allows RAC/M Identity to read and provision user accounts and permissions from Salesforce. This connector uses the SCIM connector with JWT Bearer Token authentication to communicate with Salesforce's SCIM API.

INFO

The Salesforce connector is based on the SCIM connector. Version 1.5.0.0 or newer is required for Salesforce. Please refer to the SCIM connector documentation for general SCIM configuration details.

Configuration

This guide follows Salesforce's own documentation, Configure an External Client App to Issue JWT-Based Access Tokens.

The Salesforce connector uses the SCIM connector with jwt-bearer-token authentication. The following parameters are required:

Common SCIM Parameters

Configuration | Description
--- | ---
Authentication | Select jwt-bearer-token for JWT bearer token authentication.
SCIM Endpoint | Enter /services/scim as the SCIM endpoint path on Salesforce.
SCIM Version | Enter /v2 as the SCIM API version supported by Salesforce.
Base URL | Enter the base URL of your Salesforce instance (e.g., https://yourinstance.salesforce.com).
JWT Authentication Endpoint | Enter the URL of the OAuth token endpoint that accepts JWT bearer assertions and returns access tokens (e.g., https://yourinstance.salesforce.com/services/oauth2/token).
Private Key (PEM) | Enter the private key in PEM format (unencrypted PKCS#8). Required for JWT bearer token authentication. See Creating the Keypair below for details.
JWT Issuer | Enter the issuer (iss) claim value to include in the JWT. This must be the Consumer Key of your Salesforce External Client App.
JWT Subject | Enter the subject (sub) claim value to include in the JWT. This is the username of the Salesforce service account used for authentication.
JWT Audience | Enter the audience (aud) claim value to include in the JWT: https://login.salesforce.com for production or https://test.salesforce.com for a sandbox. The audience must belong to the same environment as the JWT Authentication Endpoint; a production audience sent to a sandbox token endpoint (or the reverse) is rejected.
JWT Expiration Seconds | Enter the lifetime of each JWT in seconds (default: 300 seconds / 5 minutes). Salesforce validates the exp claim, so keep this short and make sure the clock of the ICF server is accurate (NTP); a skewed clock produces authentication failures that look like a bad key.

Optional Parameters

The proxy parameters should be left empty unless the ICF server used by RAC/M Identity must go through a proxy server to reach the Salesforce instance. Default Charset is independent of the proxy settings and only applies when a Salesforce response carries no charset.

Configuration | Description
--- | ---
Proxy Address | Enter the proxy server address (hostname or IP address) if applicable.
Proxy Port Number | Enter the port number of the proxy server if applicable.
Default Charset | Enter the default character encoding used when the response doesn't specify a charset (e.g., UTF-8).

Creating the Keypair

To authenticate with Salesforce using JWT Bearer Token authentication, you need to create a public/private key pair. The private key will be used by RAC/M Identity to sign JWT tokens, and the public key will be uploaded to Salesforce.

Step 1: Generate the Keypair

Generate a private key and a self-signed certificate with OpenSSL (key length and validity period can be adjusted as needed). The -nodes option leaves the private key unencrypted, which is what the connector requires, so restrict access to the file as soon as it is written:

```bash
# 2048-bit RSA key (written in PKCS#8 form) plus a self-signed certificate valid for one year
openssl req -x509 -newkey rsa:2048 -keyout salesforce_private_key.pem -out salesforce_certificate.crt -days 365 -nodes
# The key alone grants the service account's access: keep it readable by its owner only
chmod 600 salesforce_private_key.pem
```

The private key (salesforce_private_key.pem) will be used in the Private Key (PEM) configuration parameter in RAC/M Identity. Check that the file begins with the line -----BEGIN PRIVATE KEY-----, which marks PKCS#8; a file beginning with -----BEGIN RSA PRIVATE KEY----- is PKCS#1 and must be converted with the openssl pkcs8 tool (-topk8 and -nocrypt options) before it is entered. The certificate (salesforce_certificate.crt) will be uploaded to Salesforce in the next section; note its expiry date, because the certificate must be regenerated and re-uploaded before the validity period set by -days runs out.

Configuring the External App in Salesforce

To enable SCIM integration with Salesforce, you need to create an External Client App in Salesforce and configure it to use JWT Bearer Token authentication.

Step 1: Create a Salesforce profile for the service account

This step is recommended if you do not want to use the System Administrator profile for the service account.

  1. In the Quick Find box, search for Profiles and select it.
  2. Click New Profile.
  3. Fill in the basic information:
    • Profile Name: Enter a name for the profile (e.g., "RACM Identity SCIM Service Account Profile").
    • Description: Enter a description for the profile.
  4. In Existing Profile, select System Administrator.
  5. Click Save.
  6. Edit the profile and enable the following permissions (listed by their API names; the Setup page shows the corresponding labels, e.g., PermissionsManageUsers appears as Manage Users):
    • PermissionsActivitiesAccess
    • PermissionsAllowViewKnowledge
    • PermissionsApexRestServices
    • PermissionsAssignPermissionSets
    • PermissionsChatterInternalUser
    • PermissionsDelegatedTwoFactor
    • PermissionsLightningConsoleAllowedForUser
    • PermissionsManageInternalUsers
    • PermissionsManageIpAddresses
    • PermissionsManageLoginAccessPolicies
    • PermissionsManagePasswordPolicies
    • PermissionsManageProfilesPermissionsets
    • PermissionsManageRoles
    • PermissionsManageSharing
    • PermissionsManageUsers
    • PermissionsResetPasswords
    • PermissionsViewAllUsers
    • PermissionsViewHelpLink
    • PermissionsViewRoles
    • PermissionsViewSetup
  7. Click Save.

Step 2: Create a user account for the service account

  1. In the Quick Find box, search for Users and select it.
  2. Click New User.
  3. Fill in the basic information:
    • First Name: Enter the first name of the user (e.g., "RACM Identity").
    • Last Name: Enter the last name of the user (e.g., "SCIM Service Account").
    • Email: Enter the email address of the user (e.g., "racmidentity@example.com").
    • Username: Enter the email address of the user (e.g., "racmidentity@example.com"). This will be used as the JWT Subject in RAC/M Identity.
    • Profile: Select the profile you created in the previous step. Make sure that the User License is Salesforce.
  4. Click Save.

Step 3: Create a permission set for the service account

  1. In the Quick Find box, search for Permission Sets and select it.
  2. Click New.
  3. Fill in the basic information:
    • Label: Enter a name (e.g., "RACM Identity SCIM Permissions").
    • API Name: This will be auto-generated.
    • User License: Select Salesforce.
  4. Click Save.
  5. In the permission set, open System Permissions and click Edit.
  6. Enable the following permissions:
    • Assign Permission Sets
    • Delegated Two-Factor Authentication
    • Manage Internal Users
    • Manage IP Addresses
    • Manage Login Access Policies
    • Manage Password Policies
    • Manage Profiles and Permission Sets
    • Manage Roles
    • Manage Sharing
    • Manage Users
    • Record Visibility API
    • Reset Passwords
    • View All Profiles
    • View All Users
    • View Roles
    • View Setup and Configuration
  7. Click Save.
  8. Open Manage Assignments and assign this permission set to the service account user you created in Step 2.

Step 4: Create an External Client App

  1. Log in to Salesforce as an administrator.
  2. Navigate to Setup (gear icon) > Setup.
  3. In the Quick Find box, search for External Client App Manager and select it.
  4. Click New External Client App.
  5. Fill in the basic information:
    • External Client App Name: Enter a name for your external client app (e.g., "RACM Identity SCIM Integration").
    • API Name: This will be auto-generated based on the External Client App Name.
    • Contact Email: Follow your organization's policies for contact email addresses in Salesforce.
  6. Click Create.

Step 5: Configure JWT Bearer Token Flow

  1. Open the Settings tab and click on Edit to open the settings menu.
  2. In OAuth Settings, check Enable OAuth.
  3. Callback URL: Enter a callback URL. The field is required by the form but not used by the JWT bearer token flow, so the URL of the RAC/M Identity instance is a reasonable value.
  4. Selected OAuth Scopes: Add the following scopes:
    • Manage user data via APIs (api)
    • Perform requests on your behalf at any time (refresh_token, offline_access)
  5. In Flow Enablement, select Enable JWT Bearer Flow.
  6. Click Upload Files and upload the certificate (salesforce_certificate.crt) that you created in the Creating the Keypair section; it carries the public key Salesforce uses to verify the JWT signature.
  7. Click Save.

Step 6: Grant Access

The JWT bearer token flow has no interactive login or consent step, so the service account must be pre-authorized for the External Client App; a token request for a user who is not pre-authorized is refused.

  1. Open the Policies tab and click Edit to open the policies menu.
  2. In Selected Profiles, select the profile you created in Step 1.
  3. In Selected Permission Sets, select the permission set you created in Step 3.
  4. In OAuth Policies, for Permitted Users, select Admin approved users are pre-authorized.
  5. Click Save.

Step 7: Retrieve Configuration Values

After creating the External Client App, you will need to retrieve the following values for use in RAC/M Identity:

  1. Click on Consumer Key and Secret to retrieve the Consumer Key and Secret.
  2. In the page that opens, copy the Consumer Key. This will be used as the JWT Issuer in RAC/M Identity.

Next Steps

After completing the keypair creation and the Salesforce External Client App configuration:

  1. Configure the SCIM connector in RAC/M Identity with the parameters listed in the Configuration section above.
  2. Use the private key (unencrypted PKCS#8 PEM) in the Private Key (PEM) field.
  3. Use the Consumer Key of the External Client App as the JWT Issuer. The Consumer Secret is not used by the JWT bearer token flow and does not need to be entered anywhere.
  4. Use the username of the Salesforce service account as the JWT Subject.
  5. Test the connection to ensure authentication is working correctly. If the token request fails, check in this order: that the JWT Issuer equals the Consumer Key, that the JWT Subject is a user covered by the pre-authorized profile or permission set, that the JWT Audience and the JWT Authentication Endpoint belong to the same environment (production or sandbox), that the certificate uploaded to Salesforce matches the private key and has not expired, and that the ICF server clock is accurate.
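The connection test in step 5 can also be run outside RAC/M Identity, which separates Salesforce-side problems (key format, claim values, pre-authorization) from connector configuration. The following Go program is an added example written for this page; it is not part of RAC/M Identity or the SCIM connector. It performs the same JWT bearer exchange the connector does: it loads the PKCS#8 key produced in Creating the Keypair and rejects a PKCS#1 or passphrase-protected key with the fix spelled out, builds an RS256-signed JWT from the JWT Issuer, JWT Subject, JWT Audience and JWT Expiration Seconds values of the Configuration table, posts it to the JWT Authentication Endpoint, and reports the instance URL under which the SCIM path lives. The SF_* environment variable names are this example's own assumption, not connector settings; access_token and instance_url are the fields of Salesforce's token response.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"time"
)

// Claims mirrors the connector's JWT Issuer / Subject / Audience / Expiration parameters.
type Claims struct {
	Iss string `json:"iss"` // Consumer Key of the External Client App
	Sub string `json:"sub"` // username of the Salesforce service account
	Aud string `json:"aud"` // https://login.salesforce.com (production) or https://test.salesforce.com (sandbox)
	Exp int64  `json:"exp"` // Unix seconds; Salesforce rejects assertions that are expired or too far in the future
}

// LoadPKCS8Key parses the key as the "Private Key (PEM)" field expects it: an unencrypted PKCS#8 block.
func LoadPKCS8Key(pemData []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	if block.Type == "RSA PRIVATE KEY" { // PKCS#1, e.g. from openssl genrsa
		return nil, fmt.Errorf("PKCS#1 key; convert it: openssl pkcs8 -topk8 -nocrypt -in key.pem -out key_pkcs8.pem")
	}
	if block.Type != "PRIVATE KEY" { // "PRIVATE KEY" is PKCS#8; "ENCRYPTED PRIVATE KEY" cannot be used
		return nil, fmt.Errorf("unsupported PEM block %q; the connector needs an unencrypted PKCS#8 key", block.Type)
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if rsaKey, ok := key.(*rsa.PrivateKey); ok && err == nil {
		return rsaKey, nil
	}
	return nil, fmt.Errorf("bad PKCS#8 key or not RSA (RS256 is required): %v", err)
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion produces the RS256-signed JWT sent as the "assertion" form field; the signature
// covers base64url(header).base64url(payload), which Salesforce verifies with the uploaded certificate.
func BuildAssertion(key *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64url(header) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64url(sig), nil
}

// ExchangeToken posts the assertion to the JWT Authentication Endpoint and returns the bearer
// token plus the instance URL that SCIM requests are then sent to.
func ExchangeToken(tokenURL, assertion string) (token, instanceURL string, err error) {
	resp, err := http.PostForm(tokenURL, url.Values{
		"grant_type": {"urn:ietf:params:oauth:grant-type:jwt-bearer"}, "assertion": {assertion}})
	if err != nil {
		return "", "", err
	}
	defer resp.Body.Close()
	var body map[string]string // success: access_token, instance_url, ...; failure: error, error_description
	if err = json.NewDecoder(resp.Body).Decode(&body); err != nil || resp.StatusCode != http.StatusOK {
		return "", "", fmt.Errorf("token endpoint HTTP %d: %s %s %v", resp.StatusCode, body["error"], body["error_description"], err)
	}
	return body["access_token"], body["instance_url"], nil
}

func check(err error) {
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}

func main() {
	// Inputs come from environment variables named by this example, not from connector settings.
	pemData, err := os.ReadFile(os.Getenv("SF_KEY_FILE"))
	check(err)
	key, err := LoadPKCS8Key(pemData)
	check(err)
	jwt, err := BuildAssertion(key, Claims{Iss: os.Getenv("SF_CONSUMER_KEY"), Sub: os.Getenv("SF_USERNAME"),
		Aud: os.Getenv("SF_AUD"), Exp: time.Now().Add(5 * time.Minute).Unix()})
	check(err)
	token, instanceURL, err := ExchangeToken(os.Getenv("SF_TOKEN_URL"), jwt)
	check(err)
	fmt.Printf("access token obtained (%d chars); SCIM base URL is %s/services/scim/v2\n", len(token), instanceURL)
}
```

Run it with SF_KEY_FILE, SF_CONSUMER_KEY, SF_USERNAME, SF_AUD and SF_TOKEN_URL set to the same values you intend to enter in the connector. On failure it prints the HTTP status together with Salesforce's error and error_description, which is the quickest way to tell an audience, issuer or pre-authorization problem from a key that Salesforce cannot match to the uploaded certificate.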

For more information about SCIM connector configuration and troubleshooting, refer to the SCIM connector documentation.