Onboard a Salesforce App to SSPM Using an External Client App
Connect a Salesforce instance to SSPM to detect posture risks.
For SSPM to detect posture risks in your Salesforce instance, you must onboard your Salesforce instance to SSPM. During onboarding, SSPM connects to the Salesforce API through an External Client App that you create. The External Client App uses OAuth 2.0 to authorize SSPM's access to your Salesforce configuration. Once authenticated, SSPM uses the API to scan your Salesforce environment for misconfigured settings and account risks.
SSPM scans support the following Salesforce editions:
  • Enterprise Edition
  • Unlimited Edition
  • Developer Edition
  • Professional Edition with the API Add-on
To access your Salesforce instance, SSPM requires the following information, which you will specify during the onboarding process.
Instance URL
The unique web address for your Salesforce instance. SSPM uses this address to locate and communicate with your specific environment. The instance URL has the format https://<instance_name>.my.salesforce.com.
Client ID
SSPM accesses the Salesforce API through a Salesforce External Client App that you create. Salesforce generates the Client ID to uniquely identify the External Client App. The Client ID acts as a username that SSPM presents to identify itself during the connection process.
The Salesforce interface calls this ID the Consumer Key.
Client Secret
Salesforce generates the Client Secret for the External Client App. The Client Secret acts as a password that SSPM uses to authenticate and establish the OAuth connection.
The Salesforce interface calls this secret the Consumer Secret.
Setting up a Salesforce External Client App involves two distinct requirements: a user with permission to create and configure the app, and a Run As user account. The Run As user is the account whose identity the app assumes to interact with Salesforce data. The Run As user provides the security context for the External Client App, ensuring it can access only the records and fields permitted by that account’s permissions.
Although accounts assigned to the System Administrator Profile have the necessary permissions to create the External Client App and to act as the Run As user, you might prefer to use accounts that have only the minimum necessary permissions.
To create and configure the External Client App, the user account requires only the Create, edit, and delete External Client Apps permission. To adhere to the principle of least privilege, you can create a specialized permission set with this permission and assign it to the user who will create the External Client App.
To act as the Run As user, the user account requires the following minimum permissions:
  • API Enabled
  • View Health Check
  • View All Users
  • Customize Application
  • Manage Sharing
  • Manage Users
  • Download AppExchange Packages
    During onboarding, you will specify whether you want SSPM to connect with Read Permissions only or with Read and Write permissions. The Run As user requires the Download AppExchange Packages permission only if you plan to grant SSPM full Read and Write permissions during onboarding.
  • View Event Log Files
  • View Setup and Configuration
  • View Roles and Role Hierarchy
  • Modify Metadata Through Metadata API Functions
To adhere to the principle of least privilege, you can create a specialized permission set with only these permissions and assign it to the user who will act as the Run As user.
To onboard your Salesforce instance, you complete the following actions:
The following steps assume that you are using the Salesforce Lightning Experience UI, which is now the default UI for most Salesforce accounts. If you are using the Salesforce Classic UI, click Switch to Lightning Experience in your page header to follow these instructions.
  1. Make note of your organization's Salesforce instance (domain) URL.
    Your instance URL, which is typically used as your login URL, has the format https://<instance_name>.my.salesforce.com. You will provide this entire URL, including the https:// prefix, to SSPM during the onboarding process.
    If necessary, you can locate your instance URL from the My Domain Settings page.
    1. Click the settings icon (gear icon) in the upper-right corner of the page, and select Setup.
    2. From the Setup page's left navigation pane, select Company Settings > My Domain. These items appear under the SETTINGS section of the menu.
    3. On the My Domain Settings page, the Current My Domain URL field contains your instance URL. Remember to add the https:// prefix when you provide this URL to SSPM.
  2. Create an External Client App in Salesforce.
    Creating an External Client App establishes a secure identity for SSPM within your Salesforce environment. This identity enables Salesforce to recognize SSPM and authorize its API requests.
    1. Identify the Salesforce user account that you will use to create your External Client App.
      Required Permissions: Accounts that meet either of the following requirements can create an External Client App and access its Consumer Key and Consumer Secret:
      • Accounts assigned to the System Administrator Profile.
      • Accounts whose permission set includes the Create, edit, and delete External Client Apps permission.
    2. Log in to the Salesforce account that you identified.
    3. Navigate to your Setup page. To do this, click the settings icon (gear icon) in the upper-right corner of the page, and select Setup.
    4. Navigate to the External Client App Manager page. To navigate to this page, from the Setup page's left navigation pane, select Apps > External Client Apps > External Client App Manager. These items appear under the PLATFORM TOOLS section of the menu.
    5. On the External Client App Manager page, click New External Client App.
    6. Fill in the fields to define your External Client App.
      • Under Basic Information, take the following actions:
        • In the External Client App Name field, specify a meaningful name, such as SSPM Connector. Salesforce will also automatically format this name for system use (such as replacing spaces with underscores) in the API Name field. Using a clear, descriptive name ensures that SSPM activity is easily identifiable in your Salesforce audit logs and describes the External Client App's purpose to other administrators.
        • In the Contact Email field, enter a valid email address that Salesforce can use to contact you or your support team regarding this integration. We recommend using a shared administrative or security team email alias to ensure that these alerts are seen even if a specific individual leaves the organization.
        • For the Distribution State, select Local. This setting indicates that your External Client App will be private to your organization, and not packaged for distribution to other organizations.
      • Under API (Enable OAuth Settings), take the following actions:
        • Select the Enable OAuth checkbox.
          Selecting the Enable OAuth checkbox expands the API (Enable OAuth Settings) section to show additional fields.
        • In the Callback URL field, specify the following callback URL:
          https://login.salesforce.com/services/oauth2/callback
          This URL is the redirect target that Salesforce uses to complete an OAuth authorization flow with SSPM. Enter the URL exactly as shown; Salesforce matches callback URLs exactly, and the field is case-sensitive.
        • In the Available OAuth Scopes list, select the following scopes and click the Add arrow to move them to the Selected OAuth Scopes list:
          • Manage user data via APIs (api)
          • Perform requests at any time (refresh_token, offline_access)
        • Select the following checkboxes:
          • In the Flow Enablement section:
            • Enable Client Credentials Flow
          • In the Security section:
            • Require secret for Web Server Flow
            • Require secret for Refresh Token Flow
            • Require Proof Key for Code Exchange (PKCE) extension for Supported Authorization Flows
    7. Create your External Client App.
      Salesforce creates the External Client App, and displays a Detail page for the External Client App.
  3. Configure access policies for your External Client App.
    Now that you have created the External Client App, you must define its security policies. These settings enable the authorization flow for your SSPM users, and specify which user account will provide the underlying permissions for SSPM’s activity.
    1. On the External Client App Detail page, select the Policies tab and Edit.
    2. Expand the OAuth Policies section.
    3. Under Plugin Policies, set the Permitted Users to All users may self-authorize.
    4. Under OAuth Flows and External Client App Enhancements, select the Enable Client Credentials Flow checkbox and specify the Run As user.
      Required Permissions: Accounts that meet either of the following requirements can serve as the Run As user.
      • Accounts assigned to the System Administrator Profile.
      • Accounts whose permission set includes the following permissions:
        • API Enabled
        • View Health Check
        • View All Users
        • Customize Application
        • Manage Sharing
        • Manage Users
        • Download AppExchange Packages
          During onboarding, you will specify whether you want SSPM to connect with Read Permissions only or with Read and Write permissions. The Run As user requires the Download AppExchange Packages permission only if you plan to grant SSPM full Read and Write permissions during onboarding.
        • View Event Log Files
        • View Setup and Configuration
        • View Roles and Role Hierarchy
        • Modify Metadata Through Metadata API Functions
    5. Under App Authorization, set the Refresh Token Policy to Expire refresh token after a specific time. Use the Refresh Token Validity Period and Refresh Token Validity Unit fields to set the expiration period to 365 days.
    6. Under App Authorization, set the IP Relaxation policy to Enforce IP Restrictions. With this setting, API requests made through the External Client App are subject to the login IP ranges defined on the Run As user's profile, so those ranges must include the source addresses from which SSPM connects; otherwise the connection is rejected.
    7. Save your changes.
  4. Copy the credentials (Client ID and Client Secret) for your External Client App.
    SSPM will use these credentials to establish a secure connection to your Salesforce instance.
    1. On the External Client App Detail page, select the Settings tab.
    2. Under the OAuth Settings, locate the App Settings and click Consumer Key and Secret. Salesforce might require you to provide a one-time passcode before continuing.
      Salesforce displays the Consumer Key (Client ID) and Consumer Secret (Client Secret).
    3. Copy the Client ID and Client Secret and store them where you can retrieve them for the next step.
      Treat the Client Secret as an administrator credential. Because the Client Credentials Flow is enabled, anyone who holds both the Client ID and Client Secret can obtain access tokens that act as the Run As user without an interactive login. Prefer a secrets manager over a plain text file, and delete any temporary copy once onboarding is complete.
      Do not continue to the next step unless you have copied the Client ID and Client Secret. You must provide this information to SSPM during the onboarding process.
  5. Connect SSPM to your Salesforce instance.
    In SSPM, complete the following steps to enable SSPM to connect to your Salesforce instance.
    1. Log in to Strata Cloud Manager.
    2. Select Configuration > SaaS Security > Posture Security > Applications > Add Application and click the Salesforce tile.
    3. On the Posture Security tab, click Add New instance.
    4. Select the option for External Client App.
    5. Enter your Instance URL and the application credentials (Client ID and Client Secret).
    6. Specify whether you want SSPM to connect with Read Permissions only or with Read and Write Permissions.
      The onboarding page lists the API scopes that SSPM will access to complete its various scans and to perform remediation.
    7. Click Connect.
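The following Python script is an added example, not code from the SSPM documentation or from Salesforce. Before you hand the credentials to SSPM, it runs the same Client Credentials Flow the External Client App was configured for above and compares the Run As user's effective permissions against the list given earlier on this page, so a missing permission shows up here rather than as a failed scan. It assumes the standard Salesforce token and userinfo endpoints (/services/oauth2/token and /services/oauth2/userinfo), that the Run As permissions correspond to the Permissions<Name> boolean fields on the PermissionSet object, a REST API version of v60.0, and the environment variable names SF_INSTANCE_URL, SF_CLIENT_ID and SF_CLIENT_SECRET, which are the script's own.

```python
"""Pre-flight check for the External Client App that SSPM will use (added example,
not SSPM or Salesforce code). Runs the OAuth 2.0 Client Credentials Flow enabled in
the procedure above and reports which of the page's Run As permissions are missing.
Assumptions: the standard /services/oauth2/token and /services/oauth2/userinfo
endpoints, the Permissions<Name> PermissionSet field names, the API version, and
the SF_* environment variable names, which are this script's own."""
import json
import os
import re
import sys
import urllib.parse
import urllib.request

# https://<instance_name>.my.salesforce.com only: https, no path, no trailing slash.
INSTANCE_RE = re.compile(r"^https://[a-z0-9][a-z0-9.-]*\.my\.salesforce\.com$", re.I)
API_VERSION = "v60.0"  # assumption: any current REST API version serves this query

# Page's Run As permission list -> assumed PermissionSet boolean field names.
RUN_AS_PERMISSIONS = {
    "API Enabled": "PermissionsApiEnabled",
    "View Health Check": "PermissionsViewHealthCheck",
    "View All Users": "PermissionsViewAllUsers",
    "Customize Application": "PermissionsCustomizeApplication",
    "Manage Sharing": "PermissionsManageSharing",
    "Manage Users": "PermissionsManageUsers",
    "View Event Log Files": "PermissionsViewEventLogFiles",
    "View Setup and Configuration": "PermissionsViewSetup",
    "View Roles and Role Hierarchy": "PermissionsViewRoles",
    "Modify Metadata Through Metadata API Functions": "PermissionsModifyMetadata",
}
WRITE_ONLY_PERMISSIONS = {"Download AppExchange Packages": "PermissionsInstallPackaging"}

def validate_instance_url(url: str) -> str:
    """Reject anything that is not a My Domain URL before it reaches a request."""
    url = url.strip().rstrip("/")
    if not INSTANCE_RE.match(url):
        raise ValueError(f"not a My Domain instance URL: {url!r}")
    return url

def build_token_request(instance_url, client_id, client_secret):
    """Endpoint and form body for the Client Credentials Flow. The secret goes in
    the POST body, never in the URL, because URLs end up in proxy and server logs."""
    return (f"{validate_instance_url(instance_url)}/services/oauth2/token",
            {"grant_type": "client_credentials", "client_id": client_id,
             "client_secret": client_secret})

def parse_token_response(body: str) -> dict:
    """Return access token and instance URL, or raise on an OAuth error payload
    (for example invalid_client when the Consumer Secret is wrong)."""
    data = json.loads(body)
    if "error" in data:
        raise PermissionError(f"{data['error']}: {data.get('error_description', '')}")
    return {"access_token": data["access_token"], "instance_url": data["instance_url"]}

def required_permissions(read_write: bool) -> dict:
    """Download AppExchange Packages is needed only for Read and Write onboarding."""
    return {**RUN_AS_PERMISSIONS, **(WRITE_ONLY_PERMISSIONS if read_write else {})}

def missing_permissions(permission_set_rows, read_write: bool) -> list:
    """A user holds a permission if ANY assigned permission set (including the
    profile's underlying one) grants it, so OR across rows and report the gaps."""
    granted = {f for row in permission_set_rows for f, on in row.items() if on is True}
    return sorted(label for label, f in required_permissions(read_write).items()
                  if f not in granted)

def _post_form(url, form):
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()

def _get_json(url, access_token):
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())

def run_check(instance_url, client_id, client_secret, read_write):
    """Live check: exchange credentials, identify the Run As user, list the gaps."""
    token = parse_token_response(_post_form(*build_token_request(instance_url, client_id, client_secret)))
    base, bearer = token["instance_url"], token["access_token"]
    me = _get_json(f"{base}/services/oauth2/userinfo", bearer)  # token's user is the Run As user
    fields = ", ".join(f"PermissionSet.{f}" for f in required_permissions(True).values())
    soql = f"SELECT {fields} FROM PermissionSetAssignment WHERE AssigneeId = '{me['user_id']}'"
    records = _get_json(f"{base}/services/data/{API_VERSION}/query?q={urllib.parse.quote(soql)}",
                        bearer)["records"]
    return me.get("preferred_username"), missing_permissions([r["PermissionSet"] for r in records], read_write)

if __name__ == "__main__":
    user, gaps = run_check(os.environ["SF_INSTANCE_URL"], os.environ["SF_CLIENT_ID"],
                           os.environ["SF_CLIENT_SECRET"], "--read-write" in sys.argv)
    print(f"Run As user: {user}\nmissing permissions: {', '.join(gaps) or 'none'}")
    sys.exit(1 if gaps else 0)
```

Pass --read-write if you plan to onboard with Read and Write permissions; the Download AppExchange Packages check is applied only then. The URL validation, request construction, response parsing and gap calculation run without an org, which is useful for checking the values you copied before they leave your machine. With IP Relaxation set to Enforce IP Restrictions, the token request itself is rejected unless you run the script from an address within the Run As user's profile login IP ranges, which makes this a quick way to confirm that policy is in effect.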