# Set up a Salesforce connector

> C1 provides identity governance for Salesforce. Integrate your Salesforce instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.

<Tip>
  **This is an updated and improved version of the Salesforce connector!** If you're setting up Salesforce with C1 for the first time, you're in the right place.
</Tip>

## Availability

C1 only integrates with the Salesforce editions with API access: Salesforce Enterprise, Unlimited, Developer, and Performance editions.

You cannot use this connector successfully with Group or Essentials editions, or with Professional edition without an API add-on.

Learn more about which Salesforce editions support API access in the [Salesforce documentation](https://help.salesforce.com/s/articleView?id=000385436&type=1).

## Capabilities

| Resource              | Sync                                                          | Provision                                                     |
| :-------------------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Accounts\*            | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Groups                | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Roles                 | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Permission sets       | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Permission set groups | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Profiles              | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Connected apps        | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |                                                               |
| Territories\*\*       | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |

The Salesforce connector supports [automatic account provisioning](/product/admin/account-provisioning).

This connector does not support account deprovisioning. You must deprovision accounts directly in Salesforce.

\*You have the option to sync user accounts that use non-standard licenses.

\*\*Territories require Enterprise Territory Management 2.0 to be enabled in your Salesforce org. If this feature is not enabled, the connector returns an error when it attempts to sync territories.

### Optional fields for custom validation rules

Some Salesforce orgs have custom validation rules that require additional fields to be set when creating a user (for example, a rule that requires `FederationIdentifier` for SSO).

To add an optional field mapping in C1, use the exact Salesforce field API name as the mapping key (for example, `FederationIdentifier`, `Department`, or `CommunityNickname`). This lets you satisfy any such validation rule.

### Connector actions

Connector actions are custom capabilities that extend C1 automations with app-specific operations. You can use connector actions in the [Perform connector action](/product/admin/automations-steps-reference#perform-connector-action) automation step.

| Action name          | Additional fields                                                      | Description                                              |
| -------------------- | ---------------------------------------------------------------------- | -------------------------------------------------------- |
| update\_user\_status | `resource_id` (string, required) <br />`is_active` (Boolean, required) | Updates a Salesforce user's status to active or inactive |

## Gather Salesforce credentials

Configuring the connector requires you to pass in credentials generated in Salesforce. Gather these credentials before you move on.

<Warning>
  The connector user must have the **API Enabled** and **Manage Users** system permissions. If syncing connected apps, also add **Customize Application**. If using provisioning, also add **Manage Roles and Role Hierarchy** and **Manage Groups**.
</Warning>

### Enable API access and permissions for your Salesforce user

Before you begin, make sure that the Salesforce user who will set up the integration with C1 has the required system permissions. The recommended approach is to create a Permission Set and assign it to the connector user.

<Steps>
  <Step>
    Log into Salesforce as an Administrator. Click the gear icon and select **Setup**.
  </Step>

  <Step>
    Search for "permission sets" and select **Permission Sets**.
  </Step>

  <Step>
    Click **New** to create a permission set (for example, "C1 Connector Access").
  </Step>

  <Step>
    In the permission set, click **System Permissions**, then click **Edit**.
  </Step>

  <Step>
    Enable **API Enabled** and **Manage Users**. If syncing connected apps, also enable **Customize Application**. If using provisioning, also enable **Manage Roles and Role Hierarchy** and **Manage Groups**.
  </Step>

  <Step>
    Click **Save**.
  </Step>

  <Step>
    Click **Manage Assignments**, then **Add Assignment** to assign the permission set to the connector user.
  </Step>
</Steps>

Your connector user now has the required permissions to sync Salesforce data.

### Locate your Salesforce domain

<Steps>
  <Step>
    Log into the Salesforce admin panel and copy the URL from your browser.

    <Tip>
      C1 integrates with domains that use one of the following Salesforce URL structures:

      * `my.salesforce.com`
      * `sandbox.my.salesforce.com`
      * `test.salesforce.com`
      * `lightning.force.com`
      * `develop.lightning.force.com`
      * `sandbox.lightning.force.com`
    </Tip>
  </Step>
</Steps>

**Done.** Next, move on to the connector configuration instructions.

## Configure the Salesforce connector

<Warning>
  To complete this task, you'll need:

  * The **Connector Administrator** or **Super Administrator** role in C1
  * Access to the set of Salesforce credentials generated by following the instructions above
</Warning>

<Tabs>
  <Tab title="Cloud-hosted">
    **Follow these instructions to use a built-in, no-code connector hosted by C1.**

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Salesforce v2** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Salesforce connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)

        * Add the connector to a managed app (select from the list of existing managed apps)

        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Choose how to authenticate to Salesforce by clicking either **OAuth** or **Username and password**.
      </Step>

      <Step>
        If you chose **OAuth**:

        1. In the **Domain** field, enter your Salesforce domain.

        2. **Optional.** Check the box to tell C1 to use Salesforce usernames as the email addresses for your organization's accounts. This option is especially helpful if your organization uses multiple service accounts that all share a `noreply@salesforce.com` email address.

        3. **Optional.** Check the box if you want the connector to sync connected apps.

        4. **Optional.** Uncheck the box if you do not want to sync deactivated users.

        5. **Optional.** Check the box if you want the connector to sync users on non-standard licenses, such as external users.

        6. **Optional.** Create a map of the Salesforce license types used by your organization and the profile associated with each license type that has the fewest permissions. C1 will use this information when deprovisioning user profiles to automatically reassign the user to the least-privilege profile associated with their license type.

        7. Click **Save**.

        8. Click **Login with OAuth**.

        9. Log in and authorize C1 with your Salesforce instance.

        10. You will then be redirected back to the Salesforce setup page in C1, where you'll see an authorization message.

        If you chose **Username and password**:

        1. Enter your Salesforce username and password in the top two fields.

        2. Enter your Salesforce security token in the **Security token** field. If trusted IP is configured on your user, entering this token is optional. If needed, refer to [Reset Your Security Token](https://help.salesforce.com/s/articleView?id=xcloud.user_security_token.htm&type=5) in the Salesforce documentation.

        3. In the **Domain** field, enter your Salesforce domain.

        4. **Optional.** Check the box to tell C1 to use Salesforce usernames as the email addresses for your organization's accounts. This option is especially helpful if your organization uses multiple service accounts that all share a `noreply@salesforce.com` email address.

        5. **Optional.** Check the box if you want the connector to sync connected apps.

        6. **Optional.** Uncheck the box if you do not want to sync deactivated users.

        7. **Optional.** Check the box if you want the connector to sync users on non-standard licenses, such as external users.

        8. **Optional.** Create a map of the Salesforce license types used by your organization and the profile associated with each license type that has the fewest permissions. C1 will use this information when deprovisioning user profiles to automatically reassign the user to the least-privilege profile associated with their license type.

        9. Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your Salesforce connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    **Follow these instructions to use the Salesforce connector, hosted and run in your own environment.**

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.

    ### Resources

    * [Official download center](https://dist.conductorone.com/ConductorOne/baton-salesforce): For stable binaries (Windows/Linux/macOS) and container images.

    * [GitHub repository](https://github.com/conductorone/baton-salesforce): Access the source code, report issues, or contribute to the project.

    ### Step 1: Set up a new Salesforce connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Salesforce connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)

        * Add the connector to a managed app (select from the list of existing managed apps)

        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**.
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret.

        Carefully copy and save these credentials. We'll use them in Step 2.
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    Create two Kubernetes manifest files for your Salesforce connector deployment:

    #### Secrets configuration

    ```yaml
    # baton-salesforce-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-salesforce-secrets
    type: Opaque
    # stringData values must be strings: keep true/false quoted, otherwise YAML
    # parses them as booleans and the API server rejects the manifest.
    stringData:
      # C1 credentials
      BATON_CLIENT_ID: <C1 client ID>
      BATON_CLIENT_SECRET: <C1 client secret>

      # Salesforce credentials
      BATON_INSTANCE_URL: <Salesforce domain>
      BATON_SALESFORCE_PASSWORD: <Password to the Salesforce account>
      BATON_SALESFORCE_USERNAME: <Username for the Salesforce account>
      BATON_SECURITY_TOKEN: <Salesforce security token (optional if trusted IP is configured)>

      # Optional: include if you want C1 to provision access using this connector
      BATON_PROVISIONING: "true"

      # Optional: include if you want to sync access to connected apps
      BATON_SYNC_CONNECTED_APPS: "true"

      # Optional: include if you DO NOT want to sync deactivated users (default = true)
      BATON_SYNC_DEACTIVATED_USERS: "false"

      # Optional: include if you want to sync accounts that use non-standard licenses
      BATON_SYNC_NON_STANDARD_USERS: "true"

      # Optional: include to use Salesforce usernames as the email addresses for your organization's accounts
      BATON_USER_USERNAME_FOR_EMAIL: "true"

      # Optional: include to provide info on how to manage least privileged profile changes
      BATON_LICENSE_TO_LEAST_PRIVILEGED_PROFILE_MAPPING: <[map]>
    ```

    See the connector's README or run `--help` to see all available configuration flags and environment variables.
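A pre-flight check for the secrets manifest, added here as an example and not part of the C1 docs or the baton-salesforce project: it flags placeholders left unfilled, unquoted booleans (which the API server rejects under `stringData`), and missing credentials. The key names are the `BATON_*` variables above; the sample manifest is constructed.

```python
# Added example (not part of the C1 docs or the baton-salesforce project): a pre-flight
# check for baton-salesforce-secrets.yaml before `kubectl apply`. The manifest is a flat
# map, so a small line parser is used instead of PyYAML.
import re
from typing import Dict, List

REQUIRED_KEYS = (
    "BATON_CLIENT_ID", "BATON_CLIENT_SECRET", "BATON_INSTANCE_URL",
    "BATON_SALESFORCE_USERNAME", "BATON_SALESFORCE_PASSWORD",
)
PLACEHOLDER = re.compile(r"^<.*>$")                 # e.g. <C1 client secret> left unfilled
BARE_BOOL = re.compile(r"^(true|false)$", re.IGNORECASE)
COMMENT = re.compile(r"(^|\s)#.*$")                 # a '#' inside a value is kept

def parse_string_data(manifest: str) -> Dict[str, str]:
    """Return the KEY: value pairs listed under stringData, comments removed."""
    data: Dict[str, str] = {}
    in_block = False
    for raw in manifest.splitlines():
        line = COMMENT.sub("", raw).rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):                # a top-level key starts/ends the block
            in_block = line.startswith("stringData:")
            continue
        if in_block and ":" in line:
            key, _, value = line.strip().partition(":")
            data[key.strip()] = value.strip()
    return data

def check_secret(manifest: str) -> List[str]:
    """Findings that would make the apply fail or leave the connector unable to log in."""
    data = parse_string_data(manifest)
    findings = [f"missing required key {k}" for k in REQUIRED_KEYS if k not in data]
    for key, value in data.items():
        if PLACEHOLDER.match(value):
            findings.append(f"{key} still holds the placeholder {value}")
        elif BARE_BOOL.match(value):
            # stringData is map[string]string: an unquoted true/false is parsed as a YAML
            # boolean and the API server rejects the Secret. Quote it, e.g. "true".
            findings.append(f'{key}: {value} must be quoted as "{value.lower()}"')
    if "BATON_SECURITY_TOKEN" not in data:
        findings.append("BATON_SECURITY_TOKEN absent: only valid if the connector user's "
                        "IP range is trusted in Salesforce")
    return findings

# Constructed sample: a placeholder left in, an unquoted boolean, and two keys missing.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Secret
metadata:
  name: baton-salesforce-secrets
type: Opaque
stringData:
  BATON_CLIENT_ID: example-client-id        # C1 credentials (sample values)
  BATON_CLIENT_SECRET: <C1 client secret>
  BATON_INSTANCE_URL: https://example.my.salesforce.com
  BATON_SALESFORCE_USERNAME: svc-c1@example.com
  BATON_PROVISIONING: true
"""

if __name__ == "__main__":
    for finding in check_secret(SAMPLE_MANIFEST):
        print(finding)
```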

    #### Deployment configuration

    ```yaml
    # baton-salesforce.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-salesforce
      labels:
        app: baton-salesforce
    spec:
      selector:
        matchLabels:
          app: baton-salesforce
      template:
        metadata:
          labels:
            app: baton-salesforce
            baton: "true"   # label values must be strings, so keep this quoted
            baton-app: salesforce
        spec:
          containers:
          - name: baton-salesforce
            image: ghcr.io/conductorone/baton-salesforce:latest
            imagePullPolicy: IfNotPresent
            env:
            - name: BATON_HOST_ID
              value: baton-salesforce
            envFrom:
            - secretRef:
                name: baton-salesforce-secrets
    ```

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Salesforce connector to. Salesforce data should be found on the **Entitlements** and **Accounts** tabs.
      </Step>
    </Steps>

    **Done.** Your Salesforce connector is now pulling access data into C1.
  </Tab>
</Tabs>

## Troubleshooting the Salesforce integration

### When I try to log in with OAuth, I see a "This feature is not currently enabled for this user" error

Salesforce returns this error if the user who is logging in with OAuth does not have permission to access the Salesforce APIs:

```json
{"code":2, "message":"error getting info from connectorClient: [simpleforce] Error. http code: 403 Error Message:  This feature is not currently enabled for this user. Error Code: FUNCTIONALITY_NOT_ENABLED"}
```

If you see this message, follow the instructions to [Enable API access and permissions for your Salesforce user](/baton/salesforce#enable-api-access-and-permissions-for-your-salesforce-user) and then try logging in again.

### When I try to sync, I see an "insufficient access rights on cross-reference id" error

Salesforce returns this error if the connector user does not have sufficient permissions:

```json
{"error": "error: listing resources failed: rpc error: code = InvalidArgument desc = 400 Bad Request\n[simpleforce] Error. http code: 400 Error Message:  insufficient access rights on cross-reference id Error Code: INSUFFICIENT_ACCESS"}
```

Create a Permission Set with the following system permissions and assign it to the connector user:

**Required system permissions for sync:**

| Permission            | Purpose                                 |
| :-------------------- | :-------------------------------------- |
| API Enabled           | Access Salesforce APIs                  |
| Manage Users          | Read users and setup objects            |
| Customize Application | Required only if syncing connected apps |

**Additional permissions required for provisioning:**

| Permission                      | Purpose                                                                                                 |
| :------------------------------ | :------------------------------------------------------------------------------------------------------ |
| Manage Roles and Role Hierarchy | Assign and revoke role assignments                                                                      |
| Manage Groups                   | Add and remove users from public groups                                                                 |
| Manage Territories              | Add and remove users from territories (only required if Enterprise Territory Management 2.0 is enabled) |

To fix this error, follow the instructions to [Enable API access and permissions for your Salesforce user](/baton/salesforce#enable-api-access-and-permissions-for-your-salesforce-user) to create a Permission Set with the required permissions and assign it to the connector user.
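Both errors above can be picked out of connector logs automatically. The following is an added example, not code from C1 or the baton-salesforce project: the log lines are the two quoted on this page plus one constructed benign line, and the permission mapping comes from the tables above.

```python
# Added example (not part of the C1 docs or the baton-salesforce project): extract the
# Salesforce error code from a connector log line and map it to the permission set fix.
import json
import re
from typing import Dict, List, Optional

# Error codes this page documents -> system permissions to grant (from the tables above).
GRANT_FOR_CODE = {
    "FUNCTIONALITY_NOT_ENABLED": ["API Enabled"],
    "INSUFFICIENT_ACCESS": ["API Enabled", "Manage Users"],
}
# Permissions needed only when the corresponding feature is switched on.
CONDITIONAL = {
    "Customize Application": "syncing connected apps",
    "Manage Roles and Role Hierarchy": "provisioning",
    "Manage Groups": "provisioning",
    "Manage Territories": "provisioning with Enterprise Territory Management 2.0",
}
SF_ERROR = re.compile(r"http code: (\d+) Error Message:\s+(.*?) Error Code: ([A-Z_]+)")

def triage(log_line: str) -> Optional[Dict[str, object]]:
    """Return the Salesforce error in one connector log line, or None if there is none.
    Lines are usually JSON (as in the examples above) but plain text is handled too."""
    text = log_line
    try:
        obj = json.loads(log_line)
        if isinstance(obj, dict):               # flatten "message" / "error" fields
            text = " ".join(str(v) for v in obj.values())
    except ValueError:
        pass
    match = SF_ERROR.search(text)
    if not match:
        return None
    http, message, code = match.groups()
    return {
        "http": int(http),
        "code": code,
        "message": message.strip(),
        "grant": GRANT_FOR_CODE.get(code, []),
        "conditional": CONDITIONAL if code == "INSUFFICIENT_ACCESS" else {},
    }

def triage_all(lines: List[str]) -> List[Dict[str, object]]:
    """Triage a whole log (e.g. `kubectl logs` output), keeping only Salesforce errors."""
    return [r for r in (triage(line) for line in lines) if r is not None]

SAMPLE_LOG = [
    '{"code":2, "message":"error getting info from connectorClient: [simpleforce] Error. http code: 403 Error Message:  This feature is not currently enabled for this user. Error Code: FUNCTIONALITY_NOT_ENABLED"}',
    r'{"error": "error: listing resources failed: rpc error: code = InvalidArgument desc = 400 Bad Request\n[simpleforce] Error. http code: 400 Error Message:  insufficient access rights on cross-reference id Error Code: INSUFFICIENT_ACCESS"}',
    '{"level":"info","msg":"sync complete"}',   # constructed benign line
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_LOG):
        print(f"HTTP {finding['http']} {finding['code']}: grant {', '.join(finding['grant'])}")
```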
