
Integrate with Salesforce

Follow this step-by-step guide to allow SlashID to monitor and protect your Salesforce organization. This integration enables SlashID to track users, permissions, connected apps, and security events across your Salesforce environment.

Before starting

Before starting, ensure you have:

  • System Administrator privileges in your Salesforce organization
  • Access to create Connected Apps in Salesforce

SlashID will monitor your entire Salesforce organization, including users, profiles, roles, permission sets, connected apps, and security events.

Choose your authentication method

SlashID supports two authentication methods for connecting to Salesforce:

| Method | Description | Best For |
| --- | --- | --- |
| Client Credentials | Uses a client ID and client secret to authenticate directly with Salesforce APIs. Tokens are obtained automatically using the OAuth 2.0 Client Credentials flow. | Server-to-server integrations, automated systems, service accounts |
| OAuth 2.0 | Uses the OAuth 2.0 Authorization Code flow with user consent. You'll be redirected to Salesforce to authorize SlashID. | Interactive setups, when you want to authorize with your admin account |

Both methods require creating a Connected App in Salesforce. The setup steps differ slightly depending on which method you choose.

Step 1: Create a Connected App in Salesforce

  1. Log in to your Salesforce organization as a System Administrator.

  2. Navigate to Setup > Apps > App Manager (or use Quick Find to search for "App Manager").

  3. Click New Connected App in the top-right corner.

  4. Fill out the Basic Information section:

    • Connected App Name: SlashID Identity Protection
    • API Name: SlashID_Identity_Protection (auto-populated)
    • Contact Email: Your admin email address
    • Description: Connected app for SlashID identity protection and security monitoring

Step 2: Configure OAuth Settings

  1. In the API (Enable OAuth Settings) section:

    • Check Enable OAuth Settings
    • Callback URL: https://console.slashid.dev/oauth/callback
    • Selected OAuth Scopes: Add the following scopes by selecting them and clicking Add:
      • Access the identity URL service (id, profile, email, address, phone)
      • Access unique user identifiers (openid)
      • Full access (full)
      • Perform requests at any time (refresh_token, offline_access)
  2. Configure based on your chosen authentication method:

    For Client Credentials method

    Enable the Client Credentials flow for server-to-server authentication:

    • Check Enable Client Credentials Flow
    • Client Credentials Flow Run User: Select a dedicated admin user or system user that will be used for API access. This user's permissions determine what SlashID can access.
    Tip: Create a dedicated system user (e.g., "SlashID Integration User") with the necessary permissions rather than using a personal admin account.

    For OAuth 2.0 method

    No additional OAuth settings are required. The standard OAuth 2.0 Authorization Code flow will be used:

    • Ensure the Callback URL is set to https://console.slashid.dev/oauth/callback
    • The user who authorizes the connection in the SlashID Console will be used for API access
    Tip: Use this method if you prefer to authorize the connection interactively with your admin account.

  3. Click Save to create the Connected App.

Note: It may take 2-10 minutes for the Connected App to be activated by Salesforce.

Step 3: Retrieve OAuth Credentials (Client Credentials method only)

Note: This step is only required if you're using the Client Credentials authentication method. If you're using the OAuth 2.0 method, you can skip to Step 4.

  1. After the Connected App is created and activated, go back to Setup > Apps > App Manager.

  2. Find your SlashID Identity Protection app and click the dropdown arrow, then select View.

  3. In the API (Enable OAuth Settings) section, copy the following values:

    • Consumer Key (this is your Client ID)
    • Consumer Secret (click "Click to reveal" and copy the Client Secret)

Keep these credentials secure - you'll need them when configuring the connection in the SlashID Console.

For enhanced security, you can create a dedicated Permission Set for the SlashID integration:

  1. Go to Setup > Users > Permission Sets.

  2. Click New to create a new Permission Set:

    • Label: SlashID API Access
    • API Name: SlashID_API_Access
    • License: --None--
  3. In the Permission Set, grant the following System Permissions:

    • API Enabled
    • View All Data
    • View Setup and Configuration
    • View All Users
  4. Assign this Permission Set to the Client Credentials Flow Run User you selected earlier.
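To confirm that the Run User ends up with the four permissions above and nothing broader, the following added example (not SlashID or Salesforce code) unions the boolean Permissions* fields across every permission set the user holds, including the one owned by the profile. It assumes the records were exported from the Salesforce PermissionSet object; the sample rows and the name Integration_User_Profile are constructed.

```python
# System Permissions from the step above, keyed by their PermissionSet API field.
REQUIRED = {
    "PermissionsApiEnabled": "API Enabled",
    "PermissionsViewAllData": "View All Data",
    "PermissionsViewSetup": "View Setup and Configuration",
    "PermissionsViewAllUsers": "View All Users",
}

def audit_run_user(permission_sets):
    """Compare the user's effective system permissions with the documented four.

    permission_sets: one dict per PermissionSet row assigned to the Run User.
    Returns the documented permissions that are missing, plus every other
    enabled permission with the permission sets that grant it (for review).
    """
    granted = {}
    for ps in permission_sets:
        for field, value in ps.items():
            if field.startswith("Permissions") and value is True:
                granted.setdefault(field, []).append(ps.get("Name", "?"))
    missing = sorted(label for f, label in REQUIRED.items() if f not in granted)
    excess = {f: src for f, src in sorted(granted.items()) if f not in REQUIRED}
    return {"missing": missing, "excess": excess}

# Constructed sample: the dedicated set lacks one permission and the profile
# silently adds write access that the integration does not need.
SAMPLE = [
    {"Name": "SlashID_API_Access", "IsOwnedByProfile": False,
     "PermissionsApiEnabled": True, "PermissionsViewAllData": True,
     "PermissionsViewSetup": True, "PermissionsViewAllUsers": False,
     "PermissionsModifyAllData": False},
    {"Name": "Integration_User_Profile", "IsOwnedByProfile": True,
     "PermissionsApiEnabled": True, "PermissionsModifyAllData": True},
]

if __name__ == "__main__":
    print(audit_run_user(SAMPLE))
```

Entries under "excess" are a review list: they show which profile or permission set to trim so the Run User stays read-only.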

Step 5: Obtain Your Salesforce Instance Information

  1. Note your Salesforce Instance URL:

    • This is typically in the format: https://yourcompany.my.salesforce.com
    • You can find this in your browser's address bar when logged into Salesforce
  2. Note your Login URL (if different from instance URL):

    • For production orgs: https://login.salesforce.com
    • For sandbox orgs: https://test.salesforce.com
    • For custom domains: Your custom login URL

Step 6: Create Your Salesforce ↔ SlashID Integration

  1. Go to the SlashID Console > 'Identity Protection' > 'Configuration' > 'Integrations'. Click on 'Add integration' on the right.

  2. Select 'Salesforce' from the list of providers in the horizontal menu.

  3. Enter your Salesforce connection details:

Common fields (both methods):

| SlashID Console field | Description | Example |
| --- | --- | --- |
| Name of the connection | Arbitrary name you give to this connection | Salesforce Production |
| Authoritative status | Decide whether Salesforce identities are the primary source of truth when reconciling identities across providers | Primary or Secondary |
| Instance URL | Your Salesforce instance URL | https://yourcompany.my.salesforce.com |
| Login URL (optional) | Your Salesforce login URL (if different from instance URL) | https://login.salesforce.com |
| Authentication method | Choose between Client Credentials or OAuth 2.0 | Client Credentials or OAuth 2.0 |

Additional fields for Client Credentials method:

| SlashID Console field | Description | Example |
| --- | --- | --- |
| Client ID | Consumer Key from your Connected App | 3MVG9... (starts with 3MVG) |
| Client Secret | Consumer Secret from your Connected App | Your consumer secret |

Additional steps for OAuth 2.0 method:

When you select OAuth 2.0, clicking "Connect" will redirect you to Salesforce to authorize the connection. Log in with an admin account that has the necessary permissions.

  4. Click on the 'Connect' button to test the connection and complete the integration.

Verification

After successful integration, SlashID will:

  • Sync user data: Import all Salesforce users, their profiles, roles, and permission assignments
  • Monitor connected apps: Track all connected applications and their OAuth scopes
  • Analyze permissions: Identify over-privileged users and unused permissions
  • Track login events: Monitor user login patterns and detect suspicious activity
  • Detect security risks: Identify weak MFA configurations, shared accounts, and privilege escalations

SlashID is now monitoring your Salesforce environment for potential security issues. It may take a few minutes for the initial data sync, after which you can start exploring security events in the 'Identity Protection Dashboard' section of the SlashID Console.

Troubleshooting

Common Issues

"Authentication failed: invalid_client_id" (Client Credentials method)

  • Verify that you copied the Consumer Key (Client ID) correctly
  • Ensure the Connected App has been activated (wait 2-10 minutes after creation)

"Authentication failed: invalid_client" (Client Credentials method)

  • Verify that you copied the Consumer Secret correctly
  • Ensure Client Credentials Flow is enabled in your Connected App

"insufficient_scope" or "INSUFFICIENT_ACCESS"

  • For Client Credentials: Verify the Run User for Client Credentials Flow has sufficient permissions
  • For OAuth 2.0: Ensure the authorizing user has sufficient permissions
  • Ensure the required OAuth scopes are selected in your Connected App
  • Check that the user has the necessary Permission Sets assigned

"invalid_grant" error

  • Check that your Instance URL is correct and accessible
  • For sandbox orgs, ensure you're using the correct login URL (test.salesforce.com)
  • For OAuth 2.0 method: The authorization may have expired; try reconnecting

OAuth 2.0 redirect issues

  • Ensure the Callback URL in your Connected App is exactly https://console.slashid.dev/oauth/callback
  • Check that your browser allows pop-ups from console.slashid.dev
  • Verify you're logging in with a user that has System Administrator privileges
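To tell a Connected App problem from a SlashID Console problem, the Client Credentials exchange can be reproduced directly against Salesforce. This is an added example, not SlashID's own code: it assumes Salesforce's standard token endpoint on the Instance URL, and the SF_* environment variable names are placeholders chosen here. The secret is read from the environment and the issued token is discarded rather than printed.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/services/oauth2/token"  # Salesforce's standard OAuth 2.0 token endpoint

def build_token_request(instance_url, client_id, client_secret):
    """Build the Client Credentials POST for the org's Instance URL (not sent here)."""
    parts = urllib.parse.urlsplit(instance_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Instance URL must be an https:// URL")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,          # Consumer Key
        "client_secret": client_secret,  # Consumer Secret
    }).encode()
    return urllib.request.Request(
        f"https://{parts.hostname}{TOKEN_PATH}", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def interpret(status, raw_body):
    """Summarise a token response; the access token itself is never returned."""
    try:
        doc = json.loads(raw_body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return {"ok": False, "status": status, "error": "unexpected_response"}
    if status == 200 and "access_token" in doc:
        return {"ok": True, "instance_url": doc.get("instance_url")}
    return {"ok": False, "status": status, "error": doc.get("error"),
            "detail": doc.get("error_description")}

def check(instance_url, client_id, client_secret):
    """Send the request and classify the outcome (needs network access)."""
    req = build_token_request(instance_url, client_id, client_secret)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return interpret(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return interpret(err.code, err.read())

if __name__ == "__main__":  # SF_* variable names are assumptions of this example
    print(check(os.environ["SF_INSTANCE_URL"], os.environ["SF_CLIENT_ID"],
                os.environ["SF_CLIENT_SECRET"]))
```

The "error" value in the result is the same code quoted in the headings above (invalid_client_id, invalid_client, invalid_grant), so it points to the matching checklist.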

Security Considerations

  • Both Client Credentials and OAuth 2.0 methods are more secure than username/password authentication
  • Client Credentials: Use a dedicated system user with minimal necessary permissions as the Run User
  • OAuth 2.0: The authorizing user's permissions determine what SlashID can access
  • Regularly review the permissions granted to the SlashID Connected App
  • Monitor the API usage in Salesforce Setup > System Overview > API Usage

Data Monitored

SlashID monitors the following Salesforce data:

  • Identity Data: Users, profiles, roles, permission sets, groups
  • Access Control: Permission assignments, sharing rules, object permissions
  • Applications: Connected apps, OAuth clients, custom applications
  • Security Events: Login history, permission changes, suspicious activities
  • Resources: Reports, dashboards, files, knowledge articles
  • Configuration: Sites, custom objects, field-level security