How to configure the Salesforce External Client App for Work-Relay deployment
Starting Release 8.2:
New in Release 8.0, Work-Relay deployment uses the Salesforce External Client App authentication mechanism, rather than direct username and password+token authorization. External Client App authentication is a secure connection and authentication mechanism between Salesforce orgs, as it doesn’t require storing target Salesforce org credentials in a Salesforce Source Org.
Note: The following actions should be performed in the Target Organization.
The following information is required in order to configure deployment settings:
- Organization Name - A user-defined name that identifies the Target Organization. (1)
- Domain URL - The URL of the Target Organization. This value can be quickly located by clicking the Profile icon and copying the value beneath your name (2). Remember to add "https://" at the beginning.
- Client Key (3) and Client Secret (4) - These values should be obtained once from Target Organization via the Work-Relay External Client App, as described below.
To create the Key and Secret, the following actions must be performed by the Target Organization admin:
- Add and configure the External Client App
Configure External Client App
In the Target Organization (to which Work-Relay components will be deployed), perform the following actions:
- Navigate to Setup and go to External Client App Manager.
- Click the New External Client App button.
Set the following properties:
Basic Information
- External Client App Name =
Work-Relay Connect - API Name =
Work_Relay_Connect Contact Email = (email address of responsible person)
OAuth Settings
- Enable OAuth Settings = true
- Callback URL (choose the appropriate value, depending upon org type):
- Production -
https://login.salesforce.com/services/oauth2/callback - Sandbox -
https://test.salesforce.com/services/oauth2/callback
- Production -
- Selected OAuth Scopes =
Manage user data via APIs (api)
Perform requests at any time (refresh_token, offline_access) - Enable Client Credentials Flow = true
- Require secret for Web Server Flow = true
- Require secret for Refresh Token Flow = true
- Require Proof Key for Code Exchange (PKCE) extension for Supported Authorization Flows = true
- External Client App Name =
- Leave other properties set to their defaults and save the External Client App.
- After saving the External Client App, switch to Policies tab, and in OAuth Policies -> OAuth Flows and External Client App Enhancements, modify the following settings:
- Enable Client Credentials Flow = true
- set Run As. This is the User that will be used to perform deployments. "Run As" user should have System Administrator Profile.
- Leave other properties set to their defaults and save the External Client App.
Retrieve the Client Key and Client Secret
- In Settings tab, OAuth Settings section, click Consumer Key and Secret button.
- You will be asked to provide the Verification code which will be delivered to your user's email address. Copy-paste the code that was sent via email, and Verify.
- You will be navigated to the External Client App screen with Consumer Key and Consumer Secret.
This Consumer Key and Consumer Secret must then be entered in the Target Organization Configuration as "Client Key" and "Client Secret", in order to be used for future Work-Relay Deployments.

0 Comments
Add your comment