This is an updated and improved version of the Salesforce connector! If you’re setting up Salesforce with C1 for the first time, you’re in the right place.

Availability

C1 only integrates with the Salesforce editions with API access: Salesforce Enterprise, Unlimited, Developer, and Performance editions. You cannot use this connector successfully with Group or Essentials editions, or with Professional edition without an API add-on. Learn more about which Salesforce editions support API access in the Salesforce documentation.

Capabilities

Resource | Sync | Provision
Accounts*
Groups
Roles
Permission sets
Permission set groups
Profiles
Connected apps
Territories**
The Salesforce connector supports automatic account provisioning. This connector does not support account deprovisioning. You must deprovision accounts directly in Salesforce.
**Territories require Enterprise Territory Management 2.0 to be enabled in your Salesforce org. If this feature is not enabled, the connector will return an error when attempting to sync territories.

Optional fields for custom validation rules

Some Salesforce orgs have custom validation rules that require additional fields to be set when creating a user (for example, a rule that requires FederationIdentifier for SSO). To add an optional field mapping in C1, use the exact Salesforce field API name as the mapping key (for example, FederationIdentifier, Department, CommunityNickname). This lets you satisfy any validation rule.
*You have the option to sync user accounts that use non-standard licenses.

Connector actions

Connector actions are custom capabilities that extend C1 automations with app-specific operations. You can use connector actions in the Perform connector action automation step.
Action name | Additional fields | Description
update_user_status | resource_id (string, required); is_active (Boolean, required) | Updates a Salesforce user’s status to active or inactive

Gather Salesforce credentials

Configuring the connector requires you to pass in credentials generated in Salesforce. Gather these credentials before you move on.
The connector user must have the API Enabled and Manage Users system permissions. If syncing connected apps, also add Customize Application. If using provisioning, also add Manage Roles and Role Hierarchy and Manage Groups.

Enable API access and permissions for your Salesforce user

Before you begin, make sure that the Salesforce user who will set up the integration with C1 has the required system permissions. The recommended approach is to create a Permission Set and assign it to the connector user.
1. Log into Salesforce as an Administrator. Click the gear icon and select Setup.
2. Search for “permission sets” and select Permission Sets.
3. Click New to create a permission set (for example, “C1 Connector Access”).
4. In the permission set, click System Permissions, then click Edit.
5. Enable API Enabled and Manage Users. If syncing connected apps, also enable Customize Application. If using provisioning, also enable Manage Roles and Role Hierarchy and Manage Groups.
6. Click Save.
7. Click Manage Assignments, then Add Assignment to assign the permission set to the connector user.
Your connector user now has the required permissions to sync Salesforce data.

Locate your Salesforce domain

1. Log into the Salesforce admin panel and copy the URL from your browser.
C1 integrates with domains that use one of the following Salesforce URL structures:
  • my.salesforce.com
  • sandbox.my.salesforce.com
  • test.salesforce.com
  • lightning.force.com
  • develop.lightning.force.com
  • sandbox.lightning.force.com
Done. Next, move on to the connector configuration instructions.

Create a Salesforce External Client App for JWT Bearer

Use these instructions if you want to authenticate using a signed JWT assertion and a private key.
1. Log into Salesforce as an Administrator. Click the gear icon and select Setup.
2. Search for “External Client App Manager” and select External Client App Manager.
3. Click New External Client App.
4. Fill in the basic information:
  • External Client App Name: a name of your choice (for example, baton-jwt)
  • Contact Email: your email address
5. Expand OAuth Settings and configure the following:
  • Callback URL: enter any valid URL
  • Selected OAuth Scopes: add Full access (full), Manage user data via APIs (api), and Perform requests at any time (refresh_token, offline_access)
  • Under Flow Enablement, check Enable JWT Bearer Flow. A Certificate Upload field will appear — upload your certificate (.pem). You will need the corresponding private key (.pem) later when configuring the connector.
6. Click Create.
7. Go to the Policies tab and click Modify.
  1. Scroll down to the OAuth Policies section. Under Plugin Policies, set Permitted Users to Admin approved users are pre-authorized.
  2. After changing that setting, scroll back up to the App Policies section. Under Select Profiles, move the profile of your connector user (for example, System Administrator) from the available list to the selected list.
  Click Save.
8. Go to the Settings tab, expand OAuth Configuration, and click Consumer Key and Secret to retrieve your Consumer Key. Save it — this is your Client ID.
Done. You now have a private.pem file and a Consumer Key to use with the JWT Bearer authentication method.

Create a Salesforce External Client App for Client Credentials

Use these instructions if you want to authenticate using a client ID and secret.
1. Log into Salesforce as an Administrator. Click the gear icon and select Setup.
2. Search for “External Client App Manager” and select External Client App Manager.
3. Click New External Client App.
4. Fill in the basic information:
  • External Client App Name: a name of your choice (for example, baton-cc)
  • Contact Email: your email address
5. Expand OAuth Settings and configure the following:
  • Callback URL: enter any valid URL
  • Selected OAuth Scopes: add Full access (full) and Manage user data via APIs (api)
  • Under Flow Enablement, check Enable Client Credentials Flow
6. Click Save.
7. Go to the Policies tab and click Modify. Scroll down to the OAuth Policies section and find the OAuth Flows and External Client App Enhancements subsection:
  1. Check Enable Client Credentials Flow. A Run As (username) field will appear directly below.
  2. In the Run As (username) field, enter the Salesforce username of your connector user.
  Click Save.
8. Go to the Settings tab, expand OAuth Configuration, and click Consumer Key and Secret to retrieve your Consumer Key and Consumer Secret. Save both — these are your Client ID and Client Secret.
Done. You now have a Consumer Key and Consumer Secret to use with the Client Credentials authentication method.

Configure the Salesforce connector

To complete this task, you’ll need:
  • The Connector Administrator or Super Administrator role in C1
  • Access to the set of Salesforce credentials generated by following the instructions above
Follow these instructions to use a built-in, no-code connector hosted by C1.
1. In C1, navigate to Integrations > Connectors and click Add connector.
2. Search for Salesforce v2 and click Add.
3. Choose how to set up the new Salesforce connector:
  • Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)
  • Add the connector to a managed app (select from the list of existing managed apps)
  • Create a new managed app
4. Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed. If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
5. Click Next.
6. Find the Settings area of the page and click Edit.
7. Select your method of authenticating to Salesforce: OAuth, JWT Bearer, Client Credentials, or Username and password (deprecated).
8. If you chose OAuth:
  1. In the Domain field, enter your Salesforce domain.
  2. Optional. Check the box to tell C1 to use Salesforce usernames as the email addresses for your organization’s accounts. This option is especially helpful if your organization uses multiple service accounts that all share a noreply@salesforce.com email address.
  3. Optional. Check the box if you want the connector to sync connected apps.
  4. Optional. Uncheck the box if you do not want to sync deactivated users.
  5. Optional. Check the box if you want the connector to sync users on non-standard licenses, such as external users.
  6. Optional. Create a map of the Salesforce license types used by your organization and the profile associated with each license type that has the fewest permissions. C1 will use this information when deprovisioning user profiles to automatically reassign the user to the least-privilege profile associated with their license type.
  7. Click Save.
  8. Click Login with OAuth.
  9. Log in and authorize C1 with your Salesforce instance.
  10. You will then be redirected back to the Salesforce setup page in C1, where you’ll see an authorization message.
If you chose JWT Bearer:
  1. In the Domain field, enter your Salesforce domain.
  2. In the Client ID field, enter the Consumer Key from your External Client App.
  3. In the Private Key (.pem) field, upload your private.pem file.
  4. In the JWT Subject field, enter the Salesforce username of the connector user.
  5. Optional. In the Login URL field, enter a custom Salesforce login URL. Defaults to https://login.salesforce.com. Use https://test.salesforce.com for sandbox orgs.
  6. Optional. Configure sync options as needed (connected apps, deactivated users, non-standard users, license mapping).
  7. Click Save.
If you chose Client Credentials:
  1. In the Domain field, enter your Salesforce domain.
  2. In the Client ID field, enter the Consumer Key from your External Client App.
  3. In the Client Secret field, enter the Consumer Secret from your External Client App.
  4. Optional. Configure sync options as needed (connected apps, deactivated users, non-standard users, license mapping).
  5. Click Save.
If you chose Username and password (deprecated):
Username and password authentication is deprecated. Salesforce is disabling SOAP API login for new orgs. Use JWT Bearer or Client Credentials instead.
  1. Enter your Salesforce username and password in the top two fields.
  2. Enter your Salesforce security token in the Security token field. If trusted IP is configured on your user, entering this token is optional. If needed, refer to Reset Your Security Token in the Salesforce documentation.
  3. In the Domain field, enter your Salesforce domain.
  4. Optional. Check the box to tell C1 to use Salesforce usernames as the email addresses for your organization’s accounts. This option is especially helpful if your organization uses multiple service accounts that all share a noreply@salesforce.com email address.
  5. Optional. Check the box if you want the connector to sync connected apps.
  6. Optional. Uncheck the box if you do not want to sync deactivated users.
  7. Optional. Check the box if you want the connector to sync users on non-standard licenses, such as external users.
  8. Optional. Create a map of the Salesforce license types used by your organization and the profile associated with each license type that has the fewest permissions. C1 will use this information when deprovisioning user profiles to automatically reassign the user to the least-privilege profile associated with their license type.
  9. Click Save.
9. The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.
Done. Your Salesforce connector is now pulling access data into C1.
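What the JWT Bearer settings above produce, as an added Go example (not C1's or Salesforce's code): it signs an RS256 assertion using the standard OAuth 2.0 JWT bearer claim layout, with the Client ID as iss, the JWT Subject as sub and the Login URL as aud, then verifies it with the matching public key and with an unrelated one. The keys are generated on the spot, and EXAMPLE_CONSUMER_KEY, connector@example.com and the 3-minute expiry are assumed placeholder values; how C1 builds its own assertion is not shown on this page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
// Sign builds header.claims.signature with RS256. Claims map to connector fields:
// iss = Client ID (Consumer Key), sub = JWT Subject, aud = Login URL.
func Sign(key *rsa.PrivateKey, clientID, subject, loginURL string, exp time.Time) (string, error) {
	claims, _ := json.Marshal(map[string]interface{}{ // cannot fail for these types
		"iss": clientID, "sub": subject, "aud": loginURL, "exp": exp.Unix()})
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(claims)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return input + "." + b64.EncodeToString(sig), err
}

// Verify checks the signature with pub, the public key from the uploaded certificate.
func Verify(token string, pub *rsa.PublicKey) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("want 3 segments, got %d", len(parts))
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return fmt.Errorf("signature is not base64url: %w", err)
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig)
}

// Demo signs with a constructed throwaway key, then verifies with it and with an unrelated key.
func Demo() (token string, matchErr, mismatchErr error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	token, _ = Sign(key, "EXAMPLE_CONSUMER_KEY", "connector@example.com", "https://login.salesforce.com", time.Now().Add(3*time.Minute))
	return token, Verify(token, &key.PublicKey), Verify(token, &other.PublicKey)
}

func main() { fmt.Println(Demo()) }
```

The verification error under the second key models the case where private.pem does not correspond to the certificate uploaded to the External Client App.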

Troubleshooting the Salesforce integration

When I try to log in with OAuth, I see a “This feature is not currently enabled for this user” error

Salesforce returns this error if the user who is logging in with OAuth does not have permission to access the Salesforce APIs:
{"code":2, "message":"error getting info from connectorClient: [simpleforce] Error. http code: 403 Error Message:  This feature is not currently enabled for this user. Error Code: FUNCTIONALITY_NOT_ENABLED"}
If you see this message, follow the instructions to Enable API access for your Salesforce user and then try logging in again.

When I try to sync, I see an “insufficient access rights on cross-reference id” error

Salesforce returns this error if the connector user does not have sufficient permissions:
{"error": "error: listing resources failed: rpc error: code = InvalidArgument desc = 400 Bad Request\n[simpleforce] Error. http code: 400 Error Message:  insufficient access rights on cross-reference id Error Code: INSUFFICIENT_ACCESS"}
Create a Permission Set with the following system permissions and assign it to the connector user.
Required system permissions for sync:
Permission | Purpose
API Enabled | Access Salesforce APIs
Manage Users | Read users and setup objects
Customize Application | Required only if syncing connected apps
Additional permissions required for provisioning:
Permission | Purpose
Manage Roles and Role Hierarchy | Assign and revoke role assignments
Manage Groups | Add and remove users from public groups
Manage Territories | Add and remove users from territories (only required if Enterprise Territory Management 2.0 is enabled)
To fix this error, follow the instructions to Enable API access and permissions for your Salesforce user to create a Permission Set with the required permissions and assign it to the connector user.
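One way to triage these two errors automatically, as an added Go example (not part of C1 or the connector): it parses both error envelopes quoted above, extracts the HTTP status and Salesforce error code, and attaches the remediation this page gives for that code. The names Triage, Finding, fixes and pageErrors are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Error lines quoted in the troubleshooting section above.
var pageErrors = []string{
	`{"code":2, "message":"error getting info from connectorClient: [simpleforce] Error. http code: 403 Error Message:  This feature is not currently enabled for this user. Error Code: FUNCTIONALITY_NOT_ENABLED"}`,
	`{"error": "error: listing resources failed: rpc error: code = InvalidArgument desc = 400 Bad Request\n[simpleforce] Error. http code: 400 Error Message:  insufficient access rights on cross-reference id Error Code: INSUFFICIENT_ACCESS"}`,
}

// sfErr pulls the HTTP status, message and Salesforce error code out of the text.
var sfErr = regexp.MustCompile(`http code: (\d+) Error Message:\s+(.*?) Error Code: ([A-Z_]+)`)

// fixes maps each error code to the remediation this page gives for it.
var fixes = map[string]string{
	"FUNCTIONALITY_NOT_ENABLED": "grant API Enabled to the user logging in with OAuth",
	"INSUFFICIENT_ACCESS":       "assign the connector user a Permission Set with the required system permissions",
}

// Finding is one triaged connector error.
type Finding struct{ HTTP, Code, Message, Fix string }

// Triage accepts both envelopes seen above: {"code":..,"message":..} and {"error":..}.
func Triage(line string) (Finding, error) {
	var env struct{ Message, Error string }
	if err := json.Unmarshal([]byte(line), &env); err != nil {
		return Finding{}, fmt.Errorf("not a JSON error line: %w", err)
	}
	m := sfErr.FindStringSubmatch(env.Message + env.Error)
	if m == nil {
		return Finding{}, fmt.Errorf("no Salesforce error in %q", line)
	}
	fix, known := fixes[m[3]]
	if !known {
		fix = "code not covered on this page; review the connector logs"
	}
	return Finding{HTTP: m[1], Code: m[3], Message: m[2], Fix: fix}, nil
}

func main() {
	for _, line := range pageErrors {
		fmt.Println(Triage(line))
	}
}
```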