• Documentation
    • Search documentation
    karat

    +

    K

    API Reference ↗
    Data connectivity & integrationAvailable connectorsSalesforce
    Feedback

    Salesforce

    Foundry's Salesforce connector allows you to sync data between Salesforce and Foundry datasets.

    This document refers to the latest version of the Salesforce connector. If you are editing an existing Salesforce connector, it may be a legacy version. Review the section on migration below for more information.

    Supported capabilities

    CapabilityStatus
    Exploration🟢 Generally available
    Bulk import🟢 Generally available

    Data model

    The connector models all available standard ↗ and custom Salesforce objects as Foundry datasets. Schemas are retrieved dynamically. The exploration view allows you to browse the data model and preview how Salesforce objects would appear once imported to Foundry.

    Data type mapping

    The connector maps Salesforce API types to the following Foundry field types:

    SalesforceFoundry
    Auto NumberSTRING
    Lookup RelationshipSTRING
    Master-Detail RelationshipSTRING
    External Lookup RelationshipSTRING
    CheckboxBOOLEAN
    CurrencyDECIMAL
    DateDATE
    Date/TimeLONG
    EmailSTRING
    GeolocationSTRING
    NumberDOUBLE
    PercentDOUBLE
    PhoneSTRING
    PicklistSTRING
    Picklist (Multi-Select)STRING
    TextSTRING
    Text AreaSTRING
    Text Area (Long)STRING
    Text Area (Rich)STRING
    Text (Encrypted)STRING
    TimeINTEGER
    URLSTRING

    Performance and limitations

    The connector leverages the Salesforce SOAP API ↗ that is subject to the Salesforce SOAP API Call Limits ↗.

    Setup

    1. Open the Data Connection app and select + New Source in the upper right corner of the screen.
    2. Select Salesforce from the available connector types.
    3. Choose to use a direct connection over the internet or to connect through an intermediary agent.
    4. Follow the additional configuration prompts to continue the set up of your connector using the information in the sections below.

    Learn more about setting up a connector in Foundry.

    Authentication

    Select a credential method to authenticate your Salesforce connection: JWT token or username-password.

    JWT token

    You can use the OAuth 2.0 JSON Web Token (JWT) bearer flow ↗ to authorize Foundry to access data without interactively logging in on each request.

    To enable JWT authentication, you must generate a certificate, upload it while creating a Connected App, then perform a one-time authorization of the integration user.

    Part 1: Generate a certificate

    First, create a Salesforce user and verify it has access permission for APIs and any Salesforce objects you wish to modify. Be sure you are able to log in as the integration user, as you will need to authorize as this user in a future step.

    Now, create a JWT certificate. The Salesforce JWT bearer flow ↗ requires an X.509 certificate and the associated private key. To generate a private key, use openssl at the command line and run the following commands:

    1. Generate the x.509 public and private key pair:

      Copied!
      1
2
% openssl genrsa 1024 | openssl pkcs8 -topk8 -inform PEM -out key.pem -nocrypt
% openssl req -new -x509 -key key.pem -out cert.pem -days 3650

    2. Export the certificate to a PFX store, convert to Base64, and copy to clipboard:

      Copied!
      1
% openssl pkcs12 -export -in cert.pem -inkey key.pem | openssl base64 | pbcopy

    Be sure to save the certificate value in a secure location. You will need to access the value later in the configuration.

    Part 2: Create a connected app

    In the Salesforce Lightning Experience setup page, scroll through the left side bar to select the Apps > App Manager entry under the Platform Tools section. In the App Manager page, create a new connected app by selecting New Connected App.

    In the Basic Information section of the app creation page, fill in the following fields:

    1. Connected App Name
    2. API Name
    3. Email

    Then, follow these steps to set up the API (Enable OAuth Settings) section:

    1. Check Enable OAuth Settings.
    2. Fill in the Callback URL with https://localhost:12345. This will be used again later.
    3. Check Use Digital Signatures and upload the cert.pem X.509 certificate file generated above.
    4. Select api, offline_access, and refresh_token from the available OAuth Scopes.
    5. Check Require Secret for Web Server Flow.

    Ignore the other sections, and finalize the connected app creation by selecting Save, then Confirm on the next page. Allow ten minutes to pass before attempting to use the connected app.

    Once the connected app is created, save the Consumer Key (for example, 3MVG9FG3dv...) in a secure place. The key is available under the API (Enable OAuth Settings) section.

    Part 3: Authorize user

    Authorize the integration user with one of the following options:

    • Perform a one-time authorization: Authorize the connected app for the integration user by performing the login flow in a browser:
      1. Navigate to the following Salesforce URL: https://<salesforce-url>/services/oauth2/authorize?client_id=<CONSUMER_KEY>&redirect_uri=<CALLBACK_URL>&scope=api%20offline_access%20refresh_token&response_type=code&response_mode=query&nonce=bebmwgu22zh
        • Replace <CONSUMER_KEY> with your connected app consumer key and <CALLBACK_URL> with the URL you entered during the API configuration step.
        • Replace <salesforce-url> with your Salesforce instance URL (<site>.my.salesforce.com).
      2. Complete the login flow as the integration user, selecting Use Custom Domain if necessary. Select Allow on the next page to allow the connected app to act on your behalf for the specified scopes. Ensure the username of the integration user is shown and not your personal account username.
      3. Then, you will be redirected back to https://localhost:12345 (the CALLBACK_URL). Since the callback URL is not real, the browser will show an expected "Not Found” error.
    • Pre-authorize the user by following the Salesforce guidance ↗ on how to change the Permitted Users policy to Admin approved users are pre-authorized. Once pre-authorization is complete, return to the connected app configuration page to grant access to the connected app.Access can be given to the individual integration user Profile, or a Permission Set that includes the integration user.

    Continue setting up a Salesforce connector in Foundry using the JWT authentication configuration options below:

    NameRequiredDescription
    This is a Salesforce sandbox accountYesDetermines if the connection should be made to a Salesforce sandbox account. Sets the default value for Login URL: login.salesforce.com for standard accounts and test.salesforce.come for sandbox accounts.
    UsernameYesEnter the username of the integration user.
    Base64 PFX certificateYesValue obtained from generating a certificate.
    The certificate is password protectedNoToggle on if the certificate store is password protected.
    Certificate passwordNoThe certificate store password.
    Specify the certificate subjectNoLeave off to use the first certificate in the store. Toggle on to specify a certificate to use if the certificate store contains multiple certificates.
    Certificate subjectNoThe subject of the desired certificate. Used to locate the certificate in the store . If an exact match is not found, the store is searched for a certificate whose subject contains the supplied value.
    Consumer keyYesEnter the consumer key available in the settings of the connected app.

    Username-password

    To connect to Salesforce with the username-password ↗ authentication method, you must create a service user account and connected app in Salesforce. Then, add credentials for both into the Salesforce connector.

    Follow the steps below to enable the username-password authentication flow.

    1. Create a Salesforce user and verify it has access permission for APIs and any Salesforce objects you wish to modify. Note the user’s username and password for future reference.

    2. Create a connected app:

      1. In the Salesforce Lightning Experience setup page, scroll through the left side bar to select the Apps > App Manager entry under the Platform Tools section. In the App Manager page, create a new connected app by selecting New Connected App.

      2. In the Basic Information section of the app creation page, fill in the following fields:

        1. Connected App Name
        2. API Name
        3. Email

      3. Then, follow these steps to set up the API (Enable OAuth Settings) section:

        1. Check Enable OAuth Settings.
        2. Fill in the Callback URL with https://localhost:12345. This field is required for configuration though the callback URL will not be used.
        3. Select Full access (full) from the available Selected OAuth Scopes to allow access to all data accessible to the active user.

      4. Ignore the other sections and finalize the connected app creation by selecting Save, then Confirm on the next page. Allow two to ten minutes to pass before attempting to use the connected app.

    Once the connected app is created, navigate to it from the App Manager page. Select Manage, then Edit Policies. Under OAuth Policies > Permitted Users select All users may self-authorize.

    The username-password authentication method supports the following configuration options:

    NameRequiredDescription
    This is a Salesforce sandbox accountYesDetermines if the connection should be made to a Salesforce sandbox account. Sets the default value for Login URL: login.salesforce.com for standard accounts and test.salesforce.come for sandbox accounts.
    UsernameYesThe username of the account that the connected app is imitating.
    PasswordYesThe password of the account that the connected app is imitating.

    If you experience authorization problems when trying to connect from Foundry and see Failed: API security token required in the Salesforce Login History of the user, you must add the user's security token to the end of the password.

    The security token is an automatically generated key that must be added to the password to log in to Salesforce from an untrusted network. Salesforce does not allow users to view the security token within the application; instead, you must log in to Salesforce as the integration user and navigate to My Settings in the top right corner. Then, navigate to Personal > Reset My Security Token.

    Networking

    If a direct connection is running your Salesforce connector, you must add a network egress policy to allowlist the connection.

    Choose to add an existing policy, or create a new policy.

    To allowlist a direct connection for Salesforce, add the following policies:

    • Login URL: Requires DNS, port 443 (HTTPS), and one of the following:

      • login.salesforce.com (production) OR
      • test.salesforce.com (sandbox)

    • Instance URL: Requires DNS for <site>.my.salesforce.com, port 443 (HTTPS).

    Certificates and private keys

    SSL connections validate servers certificates. Normally, SSL validations happen through a certificate chain; by default, both agent and direct connection run times trust most industry standard certificate chains. If the server to which you are connecting has a self-signed certificate, or if there is TLS interception during the validation, the connector must trust the certificate. Learn more about using certificates in Data Connection.

    Configuration options

    The Salesforce connector supports the following configuration options:

    NameRequiredDefaultDescription
    API versionYes50The Salesforce API version.
    Connected app credentialsYesJWT bearer tokenContains credentials needed to connect to Salesforce. Review the Authentication sections above for more information.
    Login URLNologin.salesforce.com (production), or test.salesforce.com (sandbox)The URL used to connect to retrieve OAuth tokens.
    TimeoutNo60The duration of time before the HTTP client connection times out while waiting for a response. Time is in seconds.
    Proxy settingsNoNoThe proxy configuration to use when connecting to Salesforce.

    Sync data from Salesforce

    Use the exploration view to sync tables. Additional configuration options are available when editing a sync.

    Incremental

    During incremental syncs with the Salesforce connector, new data is synced if the incremental column value is greater than or equal to the previous observed maximum value. This behavior, though required for precision and correctness of synced data, will lead to duplicate rows in the output dataset. Incremental pipelines should always contain a deduplication step.

    Filtering

    You can add row filters to a sync configuration to exclude data that does not fit a set criteria. Use the condition tree to define your filter:

    • Logical operators:
      • ALL: Requires all nodes nested beneath to be true.
      • ANY: Requires at least one of the nested nodes to be true.
    • Conditions:
      • Select from a list of available columns.
      • Depending on the column type, choose an appropriate operator.
      • Set a value to compare against the selected column.

    Be sure to Save your configurations to apply them to the sync.

    Migration

    If you already have a Salesforce connector, you may be running a legacy version. To identify your connector version, migrate to Connection settings > Connection details. If source configuration shows a Custom YAML section with a type: salesforce field, you are using a legacy Salesforce connector. You must migrate to the latest version to receive Palantir support beyond bug fixes.

    Migrate connector

    1. Open the Data Connection app and select + New Source in the upper right corner of the screen.
      1. Select Salesforce from the available connector types.
      2. Choose to use a direct connection over the Internet or to connect through an intermediary agent.
      3. Follow the additional configuration prompts to continue the set up of your connector using the information in the sections below.
    2. Configure the authentication to match that of the legacy source. In the legacy source configuration, find the auth-method or authentication-method block in the custom YAML.
      • If type: oauth2-jwt, configure the new source with JWT authentication:
        • claim-sub from the custom YAML becomes Username in new connector configuration.
        • x509-cert is exported to PFX, then Base64 encoded and becomes Certificate. Learn more about certificates in the JWT authentication section above.
      • If the PFX is password protected, toggle on The certificate is password protected and enter the Certificate password.
        • claim-iss from the custom YAML becomes becomes Consumer key in the new connector configuration.
      • If type: oauth2-username-password, configure the new source with username-password authentication:
        • username from the custom YAML becomes Usernamein the new connector configuration.
        • password from the custom YAML becomes becomes Passwordin the new connector configuration.
        • client-id and client-secret properties on the legacy source are not required by the new connector.
    3. Configure other properties:
      • auth-url from the custom YAML becomes becomes Login URLin the new connector configuration.
      • If auth-url had a value of test.salesforce.com in the custom YAML, toggle on Is Salesforce sandbox account in the new connector configuration.

    Migrate syncs

    After configuring a new Salesforce connector, create syncs for the objects that were previously synced by the legacy connector. Use the exploration view to bulk sync multiple objects at once and create new datasets.

    If using the same API version, both the legacy and new Salesforce connectors will use the same schema; all downstream applications should continue to function if inputs are remapped.

    You must migrate downstream pipelines to use the new sync datasets. Once you have confirmed that no other consumers require the legacy datasets, you can delete the datasets, associated syncs, and connections. Use Data Lineage to find where the legacy datasets are used in your environment.