Salesforce
  • 28 Jul 2024

Article summary

Salesforce is a customer relationship management solution that gives a single, shared view of every customer.

Attributes

Attribute                   | Cybersecurity Asset Management                                        | SaaS Management
Service Account Required?   | Yes                                                                   | Yes
Service Account Permissions | Role: API Access Administrator                                        | Role: API Access Administrator and System Permission Level (see Required Permissions for more details)
API Key Required?           | Yes                                                                   | Yes
API Key Permissions         | Yes                                                                   | Yes
Required Adapter Fields     | Domain, Username, Password, User Secret, Consumer Key, Consumer Secret | Domain, Username, Password, User Secret, Consumer Key, Consumer Secret, 2FA Secret Key, SSO Username, SSO Password
Assets Fetched              | Users, devices                                                        | SaaS data

Note

The Username, Password and User Secret fields are only required if you choose to authenticate the adapter with the ‘Username-Password Flow’. See Parameters for more details.

About this Adapter

Use cases the adapter solves

The Salesforce adapter can be used for:

  • User management - Review users’ statuses, permissions, and activity; identify gaps in user offboarding and in user access levels.

  • Security management - Find misconfigurations that pose security and compliance risks.

  • Cost optimization - Identify cost optimization opportunities.

Related Enforcement Actions

These actions can help when you want users to be suspended or to create a Salesforce case from Axonius.

Salesforce - Activate User

Salesforce - Create Case

Salesforce - Create User

Salesforce - Suspend User

Salesforce - Update User

APIs

Axonius uses the Salesforce API.

Types of Assets Fetched

This adapter fetches the following types of assets:

  • Devices

  • Users

  • Application Extensions

  • Roles

  • Groups

  • Licenses

  • Application Settings

  • User Extensions

  • Activities

  • SaaS Applications

  • Accounts

  • Application Resources

Permissions

Although access to SaaS data requires granting roles and/or permissions that include write capabilities, the adapter only reads data from the application.

Permissions in Salesforce should be configured by the user in your organization with the System Administrator role in Salesforce.

  • The value supplied in User Name must have permissions to fetch assets, as per Create a Secure Salesforce API User.

  • Make sure that you have Enabled Delegated Authentication in your Salesforce environment.

  • The value supplied in Consumer Key must be associated with credentials that have permissions to fetch assets. To create a consumer key, follow the Authorization Setup.

  • Salesforce user permissions (for more information see Create a User Profile):

    • Every permission from the General User section starting with the word "View" except for View Encrypted Data.

    • Lightning Experience User

    • API Enabled

    • Manage IP addresses

    • Manage Login Access Policies

    • Manage Password Policies

    • Manage Profiles and Permissions Sets

    • Manage Roles

    • Manage Sandboxes

    • Manage Sharing

    • View All Profiles

    • View All Users

    • Apex REST Services

    • Manage Users

    • Manage Connected Apps

    • Modify Metadata Through Metadata API Functions

    • Customize Application

    • Is Single Sign-On Enabled

  • API Permissions - Full access (full) scope. For more information see Create an API Client.

Setting Up the Integration

To successfully connect this adapter, you need to complete the following steps. Please note that some of the steps and processes are dependent on whether you authenticate the adapter with the ‘Client Credentials Flow’ or the ‘Username-Password Flow’, see Parameters for more information.

  1. Create a User Account

  2. Create a Connected Application

  3. Create a User Profile

  4. Generate the User Secret

Create a User Account

  1. Navigate to Users > Users.

  2. Click New User.

  3. Fill in the information for the new user. In the email field, enter an email address that you have access to.

  4. Click Save.

  5. Copy the user's username.

  6. Back in Axonius, in the User Name field, paste the copied Salesforce user name.

  7. Set Password:

    1. Open the email you receive from Salesforce.

    2. Click Verify Account.

    3. Enter a password for the user.

    4. Copy the password. It's best practice for the password to contain 32 characters.

    5. Enter a security question and answer.

    6. Click Change Password.

    7. Back in Axonius, paste the copied password in the Password field.

  8. Connect the new user to the user profile you created earlier:

    1. In Salesforce, from the Administration menu, navigate to Users > Users.

    2. Select the user you just created.

    3. From the User License drop-down list, select Salesforce.

    4. From the profile drop-down list, select the profile you created earlier.

    5. Click Save.

  9. To verify that the user you created to fetch SaaS data has the correct permissions, make sure it has access to the following URLs. There is no need to modify any of the configurations on these pages.

    • https://{account}.lightning.force.com/lightning/setup/EnhancedProfiles/home

    • https://{account}.lightning.force.com/lightning/setup/SecuritySession/home

    • https://{account}.lightning.force.com/lightning/setup/SecurityPolicies/home

    • https://{account}.lightning.force.com/lightning/setup/LoginAccessPolicies/home

    • https://{account}.lightning.force.com/lightning/setup/IdentityVerification/home

    • https://{account}.lightning.force.com/lightning/setup/FileTypeSetting/home

    • https://{account}.lightning.force.com/lightning/setup/OrgDomain/home

Create a Connected Application

You need to create a connected application in Salesforce to generate the Consumer key and secret that you will use to connect the adapter.

  1. In Salesforce, in the Platform Tools menu, navigate to Apps > App Manager.

  2. Click New Connected App.

  3. Fill in the Connected App Name, API Name and Contact Email fields as you like.

  4. Select the Enable OAuth Settings checkbox.

  5. Under Selected OAuth Scopes section, select Full access (full) scope and click Add to add it.

  6. If you are authenticating with Client Credentials flow:

    1. Select the Enable Client Credentials Flow checkbox.


    2. In the Custom Connected App Handler area, click the Search icon for the ‘Run As’ field and select the user you want for the adapter connection.

      Note

      Selecting a user allows Salesforce to return access tokens on behalf of this user. The user must have the necessary API permission.

  7. Click Save.

  8. Navigate to Apps > App Manager.

  9. Locate the app you just created. In its drop-down menu, select View.


  10. In the app, click Manage Consumer Details.

  11. In the Consumer Key field, click Copy.

  12. Back in Axonius, paste the copied key into the Consumer Key field.

  13. In Salesforce, in the Consumer Secret field, click Copy.

  14. Back in Axonius, paste the copied secret into the Consumer Secret field.

Create a User Profile

Before you create a user account for connecting the adapter, you need to configure a user profile so the user you create will have the right permissions and password policies.

  1. Navigate to Users > Profiles.

  2. Locate the System Administrator profile and in that row, click Clone.

  3. Enter a profile name (for example, Axonius).

  4. Click Save.

  5. Set permissions for the profile:

    a. In the profile, click Edit.

    b. Configure the permissions so that the following permissions are selected:

    • Every permission from the General User section starting with the word "View" except for View Encrypted Data.

    • Lightning Experience User

    • API Enabled

    • Manage IP addresses

    • Manage Login Access Policies

    • Manage Password Policies

    • Manage Profiles and Permissions Sets

    • Manage Roles

    • Manage Sharing

    • View All Profiles

    • View All Users

    • Apex REST Services

    • Manage Users

    • Manage Connected Apps

    • Modify Metadata Through Metadata API Functions

    • Customize Application

    • Is Single Sign-On Enabled

    c. In the Connected App Access section, select the application you created earlier.

  6. Set the password policy:

    1. Locate the Password Policies section.

    2. From the User Passwords Expire in drop-down list, select Never Expires.

    3. Select Don't immediately expire links in forgot password emails.

    4. Click Save.

    Note:

    Before performing the following procedure, contact Axonius support for the list of IP ranges to exclude.

  7. Configure access to trusted IPs:

    1. In the left-menu, navigate to Security > Network Access.

    2. Click New.

    3. Add the Axonius ranges.

    4. Click Save.

  8. Navigate to Users > Users. Select the user you created above.

  9. From the Profile drop-down list, select the profile you just created.

  10. (For accounts with SaaS Management capabilities) Follow these instructions to generate a 2FA Secret Key. Back in Axonius, paste the secret key into the 2FA Secret Key field.

Generate the User Secret

This process is only relevant if you selected to authenticate the adapter with the ‘Username-Password flow’ and you did not add trusted IP ranges. For more information, see Reset Your Security Token.

  1. Log into Salesforce with an admin account with an email address that you have access to.

  2. Open the profile menu and click Settings.

  3. From the Left menu, select My Personal Information > Reset My Security Token.

  4. Click Reset Security Token.

  5. Access the account's email and copy the new token from the Salesforce email.

  6. In Axonius, paste the token in the User Secret field.

Set Up Two Factor Authentication

Note

This process is required for accounts with SaaS Management capabilities. To set up two-factor authentication, you will need access to an authenticator application such as Google Authenticator.

  1. On the Connect Salesforce Authenticator screen, select Choose Another Verification Method.

  2. Select Use verification codes from an authenticator app.

  3. Click Continue.

  4. Click I can’t Scan the QR Code.

  5. Copy the Key.

  6. Back in Axonius, paste the key into the 2FA Secret Key field.

  7. In your authenticator app, paste the 2FA Key and copy the one-time verification code.

  8. Back in Salesforce, paste the verification code and click Connect.

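As an added example (not Axonius or Salesforce code), the following Python derives one-time codes from the key copied in step 5 using RFC 6238 TOTP (HMAC-SHA1, 30-second step, six digits), the scheme authenticator apps apply to that key, and shows the verifier-side check with a one-step tolerance for clock drift. The sample key used in the comments is the RFC 6238 test secret, not a real Salesforce value.

```python
# Added example, not Axonius or Salesforce code; the key values used are constructed.
import base64
import hashlib
import hmac
import struct
import time


def decode_key(key: str) -> bytes:
    """Salesforce shows the key in spaced base32 groups, usually without '=' padding."""
    raw = key.replace(" ", "").upper()
    return base64.b32decode(raw + "=" * (-len(raw) % 8))


def totp_code(key: str, at=None, step: int = 30, digits: int = 6) -> str:
    """HMAC-SHA1 over the 30-second counter, dynamically truncated (RFC 4226 / RFC 6238)."""
    counter = int((time.time() if at is None else at) // step)
    digest = hmac.new(decode_key(key), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_code(key: str, code: str, at=None, window: int = 1) -> bool:
    """Verifier-side check accepting +/-window steps of drift; the comparison is
    constant-time so the check itself does not leak which digits matched."""
    now = time.time() if at is None else at
    return any(
        hmac.compare_digest(totp_code(key, at=now + i * 30), code)
        for i in range(-window, window + 1)
    )
```

Anyone holding the key computes the same codes, so the value in the 2FA Secret Key field deserves the same handling as the Password field.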
Parameters

The parameters that you need to fill out will differ based on the capabilities in your Axonius platform. 'General' pertains to users with Cybersecurity Asset Management and/or SaaS Management capabilities.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.

General

  • Domain (required) - The full URL of the Salesforce server.

  • Consumer Key (required) - A consumer key associated with a user account that has the Required Permissions to fetch assets.

  • Consumer Secret (required) - A consumer secret associated with a consumer key.

  • Authentication Flow - Select whether to authenticate the adapter connection with the ‘Client Credentials Flow’ or the ‘Username-Password Flow’. If you choose Client Credentials Flow, you must enable the Client Credentials Flow on the connected app in Salesforce (see Create a Connected Application). If you choose Username-Password Flow, the ‘User Name’, ‘Password’ and ‘User Secret’ parameters are displayed and must be filled in.

    • User Name and Password (required if authenticating with ‘Username-Password Flow’) - The credentials for a user account that has the Required Permissions to fetch assets.

    • User Secret (required if authenticating with ‘Username-Password Flow’) - The Salesforce security token associated with the user account used to fetch assets. See Generate the User Secret.

  • Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.

  • HTTPS Proxy (optional) - A proxy to use when connecting to the value supplied in Host Name or IP Address.

  • HTTPS Proxy User Name (optional) - The user name to use when connecting to the value supplied in Host Name or IP Address via the value supplied in HTTPS Proxy.

  • HTTPS Proxy Password (optional) - The password to use when connecting to the value supplied in Host Name or IP Address via the value supplied in HTTPS Proxy.
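As an added example (not Axonius or Salesforce code), the following Python assembles the OAuth 2.0 token request each authentication flow above produces from the parameters listed, validates the reply, and redacts the body before it could be logged. It assumes the standard Salesforce token endpoint path /services/oauth2/token; the host names, keys and secrets are constructed.

```python
# Added example, not Axonius or Salesforce code; host names and secrets are constructed.
import json
from urllib.parse import urlparse

TOKEN_PATH = "/services/oauth2/token"  # Salesforce OAuth 2.0 token endpoint


def token_endpoint(domain: str) -> str:
    """Turn the Domain parameter (full URL or bare host) into the token endpoint URL."""
    host = urlparse(domain if "://" in domain else "https://" + domain).netloc
    if not host:
        raise ValueError("Domain must be a Salesforce host name or URL")
    return f"https://{host}{TOKEN_PATH}"


def build_token_request(p: dict) -> dict:
    """Return the form body for the flow named in p['Authentication Flow']."""
    body = {"client_id": p["Consumer Key"], "client_secret": p["Consumer Secret"]}
    flow = p.get("Authentication Flow", "Client Credentials Flow")
    if flow == "Client Credentials Flow":
        # Needs 'Enable Client Credentials Flow' and a Run As user on the connected app.
        body["grant_type"] = "client_credentials"
    elif flow == "Username-Password Flow":
        missing = [k for k in ("User Name", "Password") if not p.get(k)]
        if missing:
            raise ValueError(f"Username-Password Flow requires {missing}")
        # Salesforce expects the security token (User Secret) appended to the
        # password; leave it empty only when the caller's IP is in the trusted ranges.
        body["grant_type"] = "password"
        body["username"] = p["User Name"]
        body["password"] = p["Password"] + p.get("User Secret", "")
    else:
        raise ValueError(f"unknown authentication flow {flow!r}")
    return body


def bearer_header(response_text: str) -> dict:
    """Parse the token reply; surface Salesforce's error text instead of a KeyError."""
    reply = json.loads(response_text)
    if "error" in reply:
        raise PermissionError(f"{reply['error']}: {reply.get('error_description', '')}")
    if reply.get("token_type") != "Bearer" or not reply.get("access_token"):
        raise ValueError("unexpected token response")
    return {"Authorization": f"Bearer {reply['access_token']}"}


def redacted(body: dict) -> dict:
    """Copy of the form body that is safe to log: the secrets never reach log files."""
    return {k: "<redacted>" if k in ("client_secret", "password") else v for k, v in body.items()}
```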

SaaS Management

  • 2FA Secret Key - The secret generated in Salesforce for setting up 2-factor authentication for the Salesforce user created for collecting SaaS Management data. For more information on how to generate this secret key, see Set Up Two Factor Authentication.

  • SSO Username and Password - If your organization accesses Salesforce with an SSO provider (such as Google, Microsoft 365, Okta, etc.) enter your credentials for the SSO platform in the SSO Username and SSO Password fields.

  • Use Unified Login Domain - Select this option to use the http://login.salesforce.com URL for logging in instead of sub-domain.salesforce.com (if the main domain is a sandbox, the URL will be test.salesforce.com). This allows you to directly login with Salesforce credentials instead of using an external SSO.

Authenticating the adapter connection with client credentials (screenshot)

Authenticating the adapter connection with Username and Password (screenshot)

Advanced Settings

All of the advanced settings apply to environments with Cybersecurity Asset Management and/or SaaS Management capabilities.

Note:

Advanced settings can either apply to all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection. Refer to Advanced Configuration for Adapters.

  • Fetch chatter user data - Select this option to fetch additional information about the chatter user platform.

  • Fetch only active users - Select this option to skip all inactive users and only fetch active users.

  • Fetch nodes - Select this option to enrich the Account devices field with data from the Opportunity and Contract tables. Axonius always tries to bring devices from the Axonius_Environment__c custom table. This setting is only supported for the Axonius_Environment__c table.

  • Only fetch Employee users - Select this option to fetch only "standard" Salesforce users.

  • Get "is_admin" by Profile Name - Select this option to fetch the admin role from the user profile name.

  • Fetch Tabs - Select this option to fetch Salesforce tabs from the account.

  • Fetch user groups - Select this option to fetch user group details.

  • Fetch user roles and permissions - Select this option to fetch user roles and permissions configured for the Salesforce accounts in your organization.

  • Fetch Audit Events - Toggle on to fetch audit events and show them in Axonius as Activities assets. When you select this option, the settings below become available:

    • Fetch Audit Events from the past X Days - Select the number of days back from which to fetch audit events.

      Use the options below to select the types of events to fetch (login, logout, API, Lightning URI, URI). Event types you do not select are not fetched at all.

To learn more about Adapter Configuration tab advanced settings, see Adapter Advanced Settings.

