Set Up Authentication with Salesforce External Client Apps

External client apps (ECA) are a new generation of connected apps. ECAs provide single sign-on (SSO) and use OAuth protocols to authorize external apps. The external apps that are integrated with Salesforce can run on the customer success platform and other platforms, devices, or SaaS subscriptions.

For more information on ECAs, including how to configure them in your organization, see External Client Apps.


USER PERMISSIONS NEEDED
To manage External Client Apps: Tableau Next Admin permission set or System Administrator

  1. To create an ECA for your organization, from the Salesforce Setup page, enter External in the Quick Find box, and then select External Client App Manager.
  2. Click New External Client App.
  3. Enter the basic information.
    1. Enter the name for the ECA to display in the External Client App Manager.
    2. Enter the API name to be used when referring to your app from a program. This field defaults to a version of the app’s name with underscores in place of the spaces.
    3. Enter the contact email for Salesforce to use in case we want to contact you or your support team.
    4. Determine the distribution state. To develop an app for your local org, choose Local. To develop an app for packaging and distribution, choose Packaged.
  4. Click Enable OAuth to configure the OAuth policy.
  5. Enter the app settings.
    1. Enter the Callback URL. The callback URL is the URL of the app where you’re embedding the code, and it must be able to accept the authentication response returned from the Salesforce ECA. An example of a callback URL is https://<3p-domain>/callback.html.
    2. For OAuth Scopes, select Manage user data via APIs (api), Manage user data via Web browsers (web), and Access Lightning applications (lightning). If you have other OAuth needs, select other scopes as needed.
  6. For Flow Enablement, select the appropriate flow for your web app.
    • If you select Enable Authorization Code and Credentials Flow, specify if user credentials are required in the POST body.
    • If you select Client Credentials Flow, it works only with the Manage user data via APIs (api), Access Lightning applications (lightning), or Manage user data via Web browsers (web) OAuth scopes.
    • If you select JWT Bearer Flow, upload a valid public certificate file. Additional setup is needed; see the steps below.
  7. For Security, select Require secret for Refresh Token and any other options you need.
  8. Click Create.

If you are generating an access token, on the Settings tab, click Consumer Key and Secret to copy and save the values. You need the consumer key value for the client_id and the consumer secret value for the client_secret.

To use the JWT Bearer authentication flow, after you create your ECA, you must follow these steps.

  1. Create a custom Tableau Next Consumer permission set.
    1. In Salesforce Setup, enter Permission Sets in the Quick Find box, and then select Permission Sets.
    2. Find the Tableau Next Consumer permission set and click Clone.
    3. Enter a label and API name. For example, set the label to Tableau Next Consumer JWT and the API name to TableauUserJWT.
    4. Save the customized permission set.
  2. Update the OAuth Policies for your ECA.
    1. In Salesforce Setup, enter External in the Quick Find box, and then select External Client App Manager.

    2. To edit your ECA, select it from the list of apps.

    3. Click Edit.

    4. In the OAuth Policies section, update the Permitted Users value to Admin approved users are pre-authorized.

    5. In the App Policies section, add the custom permission set to the Selected Permission Sets list.

    6. Save and close.

For users who view embedded Tableau Next assets in your web app, assign the custom permission set in place of the standard Tableau Next Consumer permission set. This adds the users for pre-authorization. For more information on assigning permission sets to users, see Assign Tableau Next User Permissions.
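
The following Node.js sketch is an added example, not Salesforce code. It shows the server side of the JWT Bearer flow configured above: building the signed assertion, forming the token request, and verifying the assertion against the public key the way the uploaded certificate is used. The claim layout, the three-minute expiry, and the /services/oauth2/token path follow the standard Salesforce OAuth 2.0 JWT bearer flow and are assumptions not stated on this page; the key pair, consumer key, and username are constructed sample values.

```javascript
// Added example: JWT Bearer assertion for an ECA (not Salesforce's code).
const nodeCrypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Build and sign the assertion. iss = ECA consumer key, sub = pre-authorized
// username, aud = login host. Keep exp short: the assertion is a bearer credential.
function buildAssertion({ consumerKey, username, audience, privateKey, now = Date.now() }) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const claims = { iss: consumerKey, sub: username, aud: audience,
                   exp: Math.floor(now / 1000) + 180 };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = nodeCrypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Form body for POST <login host>/services/oauth2/token (assumed endpoint path).
function tokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    assertion,
  }).toString();
}

// Local check mirroring what the server does with the uploaded certificate:
// pin the algorithm, verify the signature, then check the expiry.
function verifyAssertion(jwt, publicKey, now = Date.now()) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return null;
  const [h, c, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  if (header.alg !== 'RS256') return null;
  const ok = nodeCrypto.verify('RSA-SHA256', Buffer.from(`${h}.${c}`), publicKey,
                               Buffer.from(s, 'base64url'));
  if (!ok) return null;
  const claims = JSON.parse(Buffer.from(c, 'base64url').toString());
  return claims.exp > Math.floor(now / 1000) ? claims : null;
}

// Constructed sample values: throwaway key pair and placeholder identifiers.
const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sample = buildAssertion({
  consumerKey: 'EXAMPLE_CONSUMER_KEY',
  username: 'viewer@example.com',
  audience: 'https://login.salesforce.com',
  privateKey,
});
console.log(tokenRequestBody(sample).slice(0, 80) + '...');
console.log(verifyAssertion(sample, publicKey));
```

Keep the private key on the server only. The sub value must be a user who has the custom permission set, because the ECA is set to Admin approved users are pre-authorized.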


Next - Set Up CORS for Tableau Next Embedding