Onboard Salesforce Agentforce to SaaS Agent Security
Onboard Salesforce Agentforce to SaaS Agent Security to gain deep visibility and security for your Salesforce Agentforce AI platform and apps.
Where Can I Use This?
  • Strata Cloud Manager
What Do I Need?
  • SaaS Agent Security license
Or any of the following licenses that include the SaaS Agent Security license:
  • CASB-X
  • CASB-PA
  • SaaS Security Posture Management license
Onboard Salesforce Agentforce (API and Credentials based scanning) to SaaS Agent Security to gain deep visibility and security for your Salesforce Agentforce AI platform and apps.
Prerequisites
You must have a Salesforce user license with the Minimum Access - Salesforce profile to onboard the Agentforce platform.
Optional: If you want SaaS Agent Security to show user identity, onboard the Salesforce SaaS Security Posture Management connector before onboarding Salesforce Agentforce to SaaS Agent Security.
To access your Salesforce Agentforce instance, SaaS Agent Security requires the following information, which you will specify during the onboarding process.
  • Domain URL: In Salesforce, a "Domain URL" typically refers to your organization's My Domain, a custom URL that provides a branded and personalized way for users to access your Salesforce instance. Unlike the generic login.salesforce.com, a My Domain URL is unique to your company (for example, yourcompany.my.salesforce.com), enhancing branding and security while offering a specific namespace for Lightning components.
  • Client ID: In Salesforce, a Client ID (or Consumer Key) is a unique public identifier for a Salesforce application that's used for OAuth 2.0 authentication to access Salesforce APIs. Along with a matching Client Secret (or Consumer Secret), it authenticates your application when it requests access to Salesforce data and functionality, allowing it to securely connect and integrate with your Salesforce org.
  • Client Secret: In Salesforce, the client secret is a sensitive password used by a registered Connected App to authenticate itself to Salesforce's OAuth 2.0 authorization server when requesting access tokens for the app's integration with the Salesforce platform. It's a confidential string, generated during the Connected App registration process, that proves the app's identity, allowing it to securely call Salesforce APIs and access data without the need for user interaction, especially in server-to-server integrations.
  • Username: Username of the registered user account with Salesforce Agentforce.
  • Password: A password for the registered user account with Salesforce Agentforce.
  • TOTP Secret: A TOTP secret in Salesforce is a shared secret key used to generate time-based one-time password (TOTP) codes for multi-factor authentication (MFA).
  1. Log in to Salesforce using Org Admin credentials.
  2. Select Setup Menu > Setup.
  3. In the search box, start typing My Domain.
    You can view your Domain URL in the My Domain Settings page. Copy it and keep it handy for onboarding later.
  4. In the search box, start typing App Manager.
    You can view your app name in the Lightning Experience App Manager page.
  5. Select your app, use the drop-down at the right and click View.
  6. In the Manage Connected Apps page, under API (Enable OAuth Settings), click Manage Consumer Details.
  7. On the Verify Your Identity page, enter the verification code sent to your registered email address.
    The Consumer Key (Client ID) and Consumer Secret (Client Secret) are displayed.
  8. Copy the Consumer Key (Client ID) and Consumer Secret (Client Secret) and keep them handy for onboarding later.
  9. To manage the permissions for your user, use the same drop-down you used above and click Manage.
  10. In the App Manager page, navigate to the Client Credentials Flow section and click on your user name to view the profile associated with it.
  11. Click on the Minimum Access - Salesforce profile to edit the permissions. Alternatively, you can also search for Profile from the Setup.
  12. Click your User (which has the Minimum Access - Salesforce profile) and select Permission Set Assignments > Edit Assignments.
  13. Select Metadata API Access and Agentforce Service Agent Configuration from the Available Permission Sets, move them to Enabled Permission Sets, and click Save.
  14. Click on Metadata API Access link and go to the System Permissions section and enable the following custom permissions.
    • Apex REST Services
    • API Enabled
    • Api Only User
    • Author Apex
    • Customize Application
    • Modify Metadata Through Metadata API Functions. The View Roles and Role Hierarchy and View Setup and Configuration permissions are enabled by default when you enable this profile.
    • View Event Log Files
  15. Have your Username, Password, and TOTP secret handy for CREDENTIALS based scanning.
  16. To get your TOTP secret, do the following:
    1. Log in to Agentforce.
    2. Select Profile > Settings > My Personal Information > Advanced User Details > App Registration: One-Time Password Authenticator > Connect.
    3. On the Connect an Authenticator App page, click the I can't scan the QR code link.
      Salesforce displays a key. This is your TOTP secret. Keep it handy for onboarding.
  17. Onboard Salesforce Agentforce platform to SaaS Agent Security.
    1. To start onboarding Salesforce Agentforce to SaaS Agent Security, log in to Strata Cloud Manager.
    2. Select Insights > SaaS Agents > Agent Platform Onboarding > Onboard Agent Platform > Salesforce Agentforce and click Next.
    3. Ensure you have completed all three steps mentioned in the following onboarding wizard and then click Get Started.
    4. In addition to API (which is selected by default), select CREDENTIALS in the Authorization Method Selection page.
      The CREDENTIALS method uses data extraction to fetch the agent activity details from your SaaS application tenant.
    5. On the Enter Service Principal Credentials (Method: API) page, enter the following information (that you gathered in STEP 3 and STEP 7) and click Next.
      • Domain URL
      • Client ID
      • Client Secret
    6. On the Enter SSO Provider Credentials (Method: CREDENTIALS) page, enter the following information (that you gathered in STEP 3, STEP 15 and STEP 16) and click Complete.
      • Domain URL
      • Username
      • Password
      • TOTP Secret
      SaaS Agent Security establishes the API connection and validates the credentials and permissions. After the validation is successful, you will see the following confirmation message.
  18. SaaS Agent Security immediately begins to scan your onboarded agentic platform after a successful validation.
    The amount of time SaaS Agent Security takes to scan varies based on the amount of data it is required to scan. It takes at least one hour to scan and display data in the SaaS Agent Security dashboard.
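
The following sketch is an added example, not part of the product or of Salesforce tooling: it checks the Domain URL and TOTP secret gathered in STEP 3 and STEP 16 before you enter them in the wizard, and shows that the key behind the "I can't scan the QR code" link is all that is needed to derive valid MFA codes, so it should be stored like the password. It assumes the RFC 6238 defaults used by common authenticator apps (HMAC-SHA-1, 30-second step, 6 digits) and the My Domain host format from the table above; the function names are hypothetical.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 code for a base32 key such as the one displayed in STEP 16."""
    key_text = secret_b32.replace(" ", "").upper()
    key_text += "=" * (-len(key_text) % 8)   # restore stripped base32 padding
    key = base64.b32decode(key_text)         # binascii.Error (a ValueError) on a bad key
    if not key:
        raise ValueError("empty TOTP secret")
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def check_inputs(domain_url, totp_secret):
    """Return a list of problems found in the values gathered for the wizard."""
    problems = []
    parsed = urlparse(domain_url if "://" in domain_url else "https://" + domain_url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        problems.append("Domain URL must use https")
    if host == "login.salesforce.com":
        problems.append("Domain URL is the generic login host, not a My Domain")
    elif not host.endswith(".my.salesforce.com"):  # assumed format, per the table above
        problems.append("Domain URL does not look like <name>.my.salesforce.com")
    try:
        totp(totp_secret, at=0)
    except ValueError:
        problems.append("TOTP secret is not valid base32")
    return problems

if __name__ == "__main__":
    # Constructed sample values: the RFC 6238 test key, not a real tenant secret.
    sample_key = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"
    print(check_inputs("yourcompany.my.salesforce.com", sample_key))
    print(totp(sample_key, at=59))
```
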