How to configure the Salesforce External Client Application for Work-Relay deployment
From Release 8.4:
New in Release 8.4, Work-Relay deployment uses the Salesforce External Client App authentication mechanism rather than direct username and password+token authorization. External Client App authentication is a secure connection and authentication mechanism between Salesforce orgs, because it does not require storing the target Salesforce org's credentials in the Salesforce Source Org.
Note: The following actions should be performed in the Target Organization.
The following information is required in order to configure deployment settings:
- Organization Name - A user-defined name that identifies the Target Organization. (1)
- Domain URL - The URL of the Target Organization. This value can be quickly located by clicking the Profile icon and copying the value beneath your name (2). Remember to add "https://" at the beginning.
- Client Key (3) and Client Secret (4) - These values should be obtained once from the Target Organization via the Work-Relay Connect application, as described below.
To create the Key and Secret, the following actions must be performed by the Target Organization admin:
- Add and configure the Salesforce External Client Application
- Set Up the Client Credentials Flow
Configure External Client App
In the Target Organization (which Work-Relay components will be deployed to), perform the following actions:
- Navigate to Setup and open App Manager
- Click the New External Client App button (5)
- Set the following properties:
  - Basic:
    - External Client App Name = Work-Relay Connect
    - API Name = Work_Relay_Connect (will be populated automatically; note: Salesforce populates the API Name with a hyphen, but this symbol is not allowed, so amend it manually)
    - Contact Email = (email address of responsible person)
    - Distribution State = Local
  - API (Enable OAuth Settings):
    - Enable OAuth = true. Other fields will appear:
      - App Settings:
        - Callback URL (choose the appropriate value, depending upon org type):
        - OAuth Scopes = Full access (full)
      - Flow Enablement:
        - Enable Client Credentials Flow = true (check it and click the "Ok" button in the confirmation popup that will appear)
      - Security:
        - Require secret for Web Server Flow = true
        - Require secret for Refresh Token Flow = true
- Leave other properties set to their defaults and save the External Client App
Set Up the Client Credentials Flow
- In the External Client App Manager, locate the newly created External Client App named "Work-Relay Connect" and click on it (6)
- Open the Policies tab (7) on the Application page and click the "Edit" button (8)
- In the Plugin Policies section (9), verify that Permitted users = All users can self-authorize
- In the OAuth Flows and External Client App Enhancements section (10), check Enable Client Credentials Flow (11) and enter the email address (12) of the user from which deployments will be performed
- Verify that the following parameters (13) are set in the App Authorization section (others can be left at their defaults):
  - IP Relaxation = Enforce IP restrictions
- Save changes
Retrieve the Client Key and Client Secret
- Open the Settings tab (14) on the Application page and expand the OAuth Settings section (15)
- Click the Consumer Key and Secret button (16) to open the corresponding page in a new browser tab
- Copy the Consumer Key and Consumer Secret from here (17):
The Consumer Key and Consumer Secret must then be entered in the Target Organization Configuration, in order to be used for future Work-Relay Deployments.
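Once the Key and Secret exist, the Client Credentials Flow can be checked from outside Work-Relay before the values are entered in the deployment settings. The following is an added example, not part of the Work-Relay documentation: it assumes the standard Salesforce token endpoint `/services/oauth2/token`, and the environment variable names `WR_DOMAIN_URL`, `WR_CLIENT_KEY` and `WR_CLIENT_SECRET` are hypothetical.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/services/oauth2/token"  # standard Salesforce OAuth 2.0 token endpoint


def build_token_request(domain_url, client_key, client_secret):
    """Build the client-credentials token request for the Target Organization."""
    parts = urllib.parse.urlsplit(domain_url.strip())
    # The secret travels in the POST body, so refuse anything but https.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Domain URL must start with https:// and name a host")
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        raise ValueError("Domain URL must be the bare org URL, without path or userinfo")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_key,        # Consumer Key (Client Key)
        "client_secret": client_secret,  # Consumer Secret (Client Secret)
    }).encode()
    return urllib.request.Request(
        f"https://{parts.netloc}{TOKEN_PATH}", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def summarize_token_response(raw):
    """Return (ok, message) for a token endpoint reply without echoing the token."""
    reply = json.loads(raw)
    if "access_token" in reply:
        return True, f"token issued for {reply.get('instance_url', 'unknown instance')}"
    return False, f"{reply.get('error', 'unknown_error')}: {reply.get('error_description', '')}"


if __name__ == "__main__":
    # Hypothetical variable names; reading from the environment keeps the
    # secret out of the script and out of command-line arguments.
    req = build_token_request(os.environ["WR_DOMAIN_URL"],
                              os.environ["WR_CLIENT_KEY"],
                              os.environ["WR_CLIENT_SECRET"])
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as err:  # 4xx replies carry a JSON error body
        raw = err.read()
    print(*summarize_token_response(raw))
```

Because IP Relaxation is set to Enforce IP restrictions, run the check from a network location that the Target Organization permits.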






