Salesforce 3-legged OAuth 2.0 API Security Profile
Within a security profile, you can configure Salesforce as an OAuth 2.0 identity provider to provide API consumers access to an API using Salesforce authentication.
This API security profile does not currently support 2-legged OAuth.
This page shows how to configure and use Salesforce authentication with a Jitterbit Custom, OData, or Proxy API by following these steps:
- Enabling Salesforce as an Identity Provider
Configure the Salesforce instance as an identity provider.
- Creating a Connected App in Salesforce
Configure a Connected App in Salesforce and obtain the Salesforce Consumer Key (Client ID) and Salesforce Consumer Secret (Client Secret) that you will need as input when configuring a security profile in API Manager.
- Configuring a Security Profile in API Manager
Configure and test Salesforce as the identity provider in API Manager. You will need to use the client ID and client secret obtained in the previous step.
- Assigning a Security Profile in API Manager
Assign the security profile to one or more Jitterbit Custom, OData, or Proxy APIs.
- Accessing an API with Salesforce Authentication
API consumers are able to use Salesforce authentication to consume Jitterbit Custom, OData, or Proxy APIs that the security profile is assigned to.
1. Enabling Salesforce as an Identity Provider
Follow these steps to enable Salesforce as an identity provider in the Salesforce Classic UI:
1. Log in to the Salesforce instance as a Salesforce Admin.
2. In the Salesforce Classic UI, navigate to Setup > Administer > Security Controls > Identity Provider.
3. In the section Identity Provider Setup, verify that you have a domain name configured and that Salesforce is enabled as an identity provider:
   - If you do not have a domain configured, click the link to Configure a Domain Name and follow the steps to set up a domain and deploy it to users. This automatically enables Salesforce as an identity provider.
   - If you have a domain configured but disabled as an identity provider, click the button Enable Identity Provider.

After making changes in Identity Provider Setup, you may need to refresh the page.
2. Creating a Connected App in Salesforce
Follow these steps to configure a Connected App in Salesforce and obtain the Salesforce Consumer Key (Client ID) and Salesforce Consumer Secret (Client Secret):
1. If you are continuing from Enabling Salesforce as an Identity Provider, on the same screen, in the section Service Providers, click the link to create via Connected Apps. Otherwise, navigate to Setup > Build > Create > Apps and click New under the Connected Apps section.
2. Under Basic Information, provide a Connected App Name (for example, Jitterbit API Manager APIs) and populate other required fields.
3. Under API (Enable OAuth Settings), select Enable OAuth Settings. This enables the additional fields Callback URL and Selected OAuth Scopes:
   - Callback URL: Enter the URLs appropriate for your Harmony organization and region:
     - Enter the two URL values copied from the security profile configuration screen:
     - Enter the URL value appropriate for your region (see Finding My Region):
   - Selected OAuth Scopes: Select these OAuth scopes by moving them to Selected OAuth Scopes:
     - Full access (full)
     - Perform requests on your behalf at any time (refresh_token, offline_access)
4. On clicking Save, the Consumer Key (equivalent to client ID in API Manager) and Consumer Secret (equivalent to client secret in API Manager) are displayed under API (Enable OAuth Settings). Retain these for later use, as they will be required when configuring the security profile.
3. Configuring a Security Profile in API Manager
1. During configuration, select OAuth 2.0 as the authentication Type and Salesforce as the OAuth Provider.
2. Enter the OAuth Client ID (Salesforce Consumer Key) and OAuth Client Secret (Salesforce Consumer Secret) values obtained in the previous section, Creating a Connected App in Salesforce.
3. Click Test Client ID + Secret to verify connectivity with the identity provider using the configuration.
4. Assigning a Security Profile in API Manager
To use the security profile with an API, follow the instructions for configuring a Custom API, OData Service, or Proxy API and select the security profile configured with Salesforce OAuth 2.0 authentication.
5. Accessing an API with Salesforce Authentication
To consume the API, use the link to Copy URL and use it within the calling application.
If the API supports GET, you can also paste the URL into a web browser to consume the API manually.
The browser redirects to the native login interface for Salesforce. Provide your credentials to authenticate with Salesforce.
If the authentication is successful, the expected payload is displayed in the web browser.
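The redirect to the Salesforce login described above can be checked before any credentials are entered. The following is an added example, not Jitterbit or Salesforce code: it assumes the redirect is a standard OAuth 2.0 authorization-code request, and the Consumer Key, Callback URL and sample URLs are constructed placeholders to be replaced with the values from your Connected App.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed placeholders: substitute the values from your Connected App.
CONSUMER_KEY = "EXAMPLE_CONSUMER_KEY"
REGISTERED_CALLBACKS = {"https://callback.example.invalid/oauth"}
# Assumption: the login page is served from a salesforce.com host.
SALESFORCE_SUFFIXES = (".salesforce.com",)


def check_authorize_redirect(location, consumer_key=CONSUMER_KEY,
                             callbacks=REGISTERED_CALLBACKS):
    """Return a list of problems found in the Location header of the login redirect."""
    problems = []
    url = urlsplit(location)
    # hostname ignores any "user@" prefix, so "login.salesforce.com@other" is not trusted.
    host = (url.hostname or "").lower()
    params = {k: v[0] for k, v in parse_qs(url.query).items()}

    if url.scheme != "https":
        problems.append("redirect is not HTTPS")
    # Suffix match on a leading dot rejects lookalikes such as salesforce.com.example.
    if not host.endswith(SALESFORCE_SUFFIXES):
        problems.append(f"unexpected identity provider host: {host}")
    if params.get("response_type") != "code":
        problems.append("response_type is not 'code' (not the 3-legged flow)")
    if params.get("client_id") != consumer_key:
        problems.append("client_id does not match the Connected App Consumer Key")
    if params.get("redirect_uri") not in callbacks:
        problems.append("redirect_uri is not a registered Callback URL")
    if not params.get("state"):
        problems.append("no state parameter to bind the callback to this session")
    return problems


# Constructed sample redirects (not captured traffic).
GOOD = ("https://login.salesforce.com/services/oauth2/authorize?response_type=code"
        "&client_id=EXAMPLE_CONSUMER_KEY"
        "&redirect_uri=https%3A%2F%2Fcallback.example.invalid%2Foauth&state=c0nstructed")
LOOKALIKE = ("https://login.salesforce.com.example.invalid/services/oauth2/authorize"
             "?response_type=token&client_id=EXAMPLE_CONSUMER_KEY"
             "&redirect_uri=https%3A%2F%2Fother.example.invalid%2Fcb")

if __name__ == "__main__":
    for name, loc in (("GOOD", GOOD), ("LOOKALIKE", LOOKALIKE)):
        print(name, check_authorize_redirect(loc) or "ok")
```
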