>
    Strata Copilot
    Onboard Salesforce Agentforce to SaaS Agent Security
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Agent Security
    3. Onboard AI Agent Platforms to SaaS Agent Security
    4. Onboard Salesforce Agentforce to SaaS Agent Security
    Download PDF
    SaaS Agent Security

    Onboard Salesforce Agentforce to SaaS Agent Security

    Table of Contents

    Onboard Salesforce Agentforce to SaaS Agent Security

    Onboard Salesforce Agentforce to SaaS Agent Security to gain deep visibility and security for your Salesforce Agentforce AI platform and apps.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • SaaS Agent Security license
    Or any of the following licenses that include the SaaS Agent Security license:
    • CASB-X
    • CASB-PA
    • SaaS Security Posture Management license
    SaaS Agent Security utilizes automated intelligence, including off-the-shelf large language models (LLMs), to evaluate configuration data for this application. The system’s outputs are routinely validated against configuration baselines in our internal SaaS environments.
    Onboard Salesforce Agentforce (API and Credentials based scanning) to SaaS Agent Security to gain deep visibility and security for your Salesforce Agentforce AI platform and apps.
    Prerequisites
    You must have a Salesforce user license which has a Minimum Access Salesforce profile to proceed with the onboarding of Agentforce platform.
    Optional: If you want SaaS Agent Security to show user identity, onboard the Salesforce SaaS Security Posture Management connector before onboarding Salesforce Agentforce to SaaS Agent Security.
    To access your Salesforce Agentforce instance, SaaS Agent Security requires the following information, which you will specify during the onboarding process.
    ItemDescription
    Domain URLIn Salesforce, a "Domain URL" typically refers to your organization's My Domain, a custom URL that provides a branded and personalized way for users to access your Salesforce instance. Unlike the generic login.salesforce.com, a My Domain URL is unique to your company (for example, yourcompany.my.salesforce.com), enhancing branding and security while offering a specific namespace for Lightning components.
    Client IDIn Salesforce, a Client ID (or Consumer Key) is a unique public identifier for a Salesforce application that's used for OAuth 2.0 authentication to access Salesforce APIs. Along with a matching Client Secret (or Consumer Secret), it authenticates your application when it requests access to Salesforce data and functionality, allowing it to securely connect and integrate with your Salesforce org.
    Client SecretIn Salesforce, the client secret is a sensitive password used by a registered Connected App to authenticate itself to Salesforce's OAuth 2.0 authorization server when requesting access tokens for the app's integration with the Salesforce platform. It's a confidential string, generated during the Connected App registration process, that proves the app's identity, allowing it to securely call Salesforce APIs and access data without the need for user interaction, especially in server-to-server integrations.
    UsernameUsername of the registered user account with Salesforce Agentforce.
    PasswordA password for the registered user account with Salesforce Agentforce.
    TOTP SecretA TOTP secret in Salesforce is a shared secret key used to generate time-based one-time password (TOTP) codes for multi-factor authentication (MFA).
    1. Create the External Client App.
      Unlike Connected Apps, External Client Apps are defined by specific metadata files, but you can initiate the process through the Salesforce web interface.
      1. Log in to Salesforce as an Org Admin.
      2. Go to Setup and search for External Client Apps.
      3. Select External Client App Manager under the External Client Apps.
      4. Click New External Client App to create a new app and provide a name (for example, Saas_External_App_Test).
        Provide the following details:
        • Basic Information: Fill in the external client app name, API Name (gets auto-filled from the client app name), Contact Email, Distribution State, and other details.
        • OAuth Settings: Select Enable OAuth and Enable Client Credentials Flow.
        • Callback URL: Enter a placeholder (for example, https://oauth.pstmn.io/v1/callback and https://login.salesforce.com/services/oauth2/callback).
      5. Define Scopes: Assign the following OAuth Scopes:
        • api (Manage user data via APIs)
        • refresh_token, offline_access
        • chatbot_api
        • Sfap_api
      6. Select Enable Client Credentials Flow under the Flow Enablement section.
      7. Click Create to save your changes and create your application.
    2. Retrieve Credentials (API Settings).
      1. Access your consumer details: In the External Client App Manager, locate your app.
      2. Click the relevant External App and select the app name.
      3. To manage OAuth flows and external client app enhancements:
        1. Navigate to the Policies tab.
        2. Find the Enable Client Credentials Flow, which has a Run As (Username) configuration.
        3. Configure the username of the user with the following permissions set as part of STEP 3.
        4. Update the Refresh Token Policy under the App Authorization to Refresh token is valid until revoked option.
        5. Save the changes.
      4. To save consumer details:
        1. Navigate to the Settings tab.
        2. Find the OAuth Settings section.
        3. Under the App Settings, click on Consumer Key and Secret (you may be prompted for a verification code via email/MFA).
      5. Copy the Identifiers.
        • Client ID: Copy the client ID.
        • Client Secret: Copy the password.
        • Domain URL: Navigate to My Domain under Setup and copy your unique URL (for example, yourcompany.my.salesforce.com).
    3. Configure User Permissions & Scopes.
      External Client Apps require the integration user to have specific "Local Plugin" permissions and Metadata access.
      1. Click on the Minimum Access - Salesforce profile to edit the permissions. Alternatively, you can also search for Profile from the Setup.
      2. Click your User (which has the Minimum Access - Salesforce profile) and select Permission Set AssignmentsEdit Assignment.
      3. Select Metadata API Access and Agentforce Service Agent Configuration from the Available Permission Sets and move it to Enabled Permission Sets and Save.
      4. Click on the Metadata API Access link.
      5. Select AppsObject Settings.
      6. In the list of objects, find and select AI Trust AttributeEdit.
      7. Select the Read permission.
      8. Go to the System Permissions section and enable the following custom permissions.
        • Apex REST Services
        • API Enabled
        • Api Only User
        • Author Apex
        • Customize Application
        • Modify Metadata Through Metadata API Functions. The View Roles and Role Hierarchy and View Setup and Configuration are enabled by default when you enable this profile.
        • View Event Log Files
    4. Onboard Salesforce Agentforce platform to SaaS Agent Security.
      1. To start onboarding Salesforce Agentforce to SaaS Agent Security, log in to Strata Cloud Manager.
      2. Select AI SecuritySaaS AgentsAgent Platform OnboardingOnboard Agent PlatformSalesforce Agentforce and click Next.
      3. Ensure you have completed all the three steps mentioned in the following onboarding wizard and then Get Started.
      4. In addition to API (which is selected by default), select CREDENTIALS in the Authorization Method Selection page.
        The CREDENTIALS method uses data extraction to fetch the agent activity details from your SaaS application tenant.
      5. On the Enter Service Principal Credentials (Method: API) page, enter the following information (that you gathered in STEP 3 and STEP 7) and click Next.
        • Domain URL
        • Client ID
        • Client Secret
      6. On the Enter SSO Provider Credentials (Method: CREDENTIALS) page, enter the following information (that you gathered in STEP 3, STEP 15 and STEP 16) and click Complete.
        • Domain URL
        • Username
        • Password
        • TOTP Secret
        SaaS Agent Security establishes the API connection and validates the credentials and permissions. After the validation is successful, you will see the following confirmation message.
    5. SaaS Agent Security immediately begins to scan your onboarded agentic platform after a successful validation.
      The amount of time SaaS Agent Security takes to scan varies based on the amount of data it is required to scan. At a minimum, it takes at least one hour to scan and display data in the SaaS Agent Security dashboard.

    © 2026 Palo Alto Networks, Inc. All rights reserved.