
Edit Connected App Behavior

Modify connected app settings and permissions to control how it behaves. For example, you can change refresh token and session-level policies for all connected apps running in your org. You can change OAuth policies for OAuth-enabled connected apps. And you can customize the behavior of a connected app with Apex.

  • Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
  • Connected Apps can be created in: Group, Professional, Enterprise, Performance, Unlimited, and Developer Editions
  • Connected Apps can be installed in: All Editions

User Permissions Needed

  • To read, create, update, or delete connected apps: Customize Application AND either Modify All Data OR Manage Connected Apps
  • To update all fields except Profiles, Permission Sets, and Service Provider SAML Attributes: Customize Application AND either Modify All Data OR Manage Connected Apps
  • To update Profiles, Permission Sets, and Service Provider SAML Attributes: Customize Application AND Modify All Data
  • To install and uninstall connected apps: Customize Application AND either Modify All Data OR Manage Connected Apps
  • To install and uninstall packaged connected apps: Customize Application AND either Modify All Data OR Manage Connected Apps, AND Download AppExchange Packages

  1. Open the list of apps.
    • In Salesforce Classic, from Setup, enter Apps in the Quick Find box, select Apps (under Build | Create), then click the name of the connected app.
    • In Lightning Experience, from Setup, enter Apps in the Quick Find box, select App Manager, click the Action dropdown next to the connected app, and then select Edit.

Basic Information

Basic Information applies to all connected apps, except canvas apps.

  • Start URL—For connected apps that use single sign-on. Set the URL to the page where the user starts the authentication process. This URL also appears in the app menu.
  • Mobile Start URL—For mobile connected apps to direct users to a specific location when the app is accessed from a mobile device.

If your app is a canvas app, the connected app ignores the start URL fields. Instead, it uses the canvas app URL specified when the connected app was created.

OAuth Policies

OAuth policies apply if the connected app is OAuth-enabled.

  • The Permitted Users policy determines who can run the app.
    • All Users may self-authorize—Default. Anyone in the org can authorize the app. Users must approve the app the first time they access it.
    • Admin-approved users are pre-authorized—Only users with the appropriate profile or permission set can access the app. These users don’t have to approve the app before they can access it. Manage profiles for the app by editing each profile’s Connected App Access list. Manage permission sets for the app by editing each permission set’s Assigned Connected Apps list. This setting is not available in Group Edition.

    Warning: If you switch from All Users may self-authorize to Admin-approved users are pre-authorized, anyone using the app loses access, unless a user’s permission authorizes the connected app specifically.

    Note: If users have the Use Any API Client permission, they can access any connected app, even if it’s set to Admin-approved users are pre-authorized. Be careful when using the Use Any API Client permission. It’s intended for a limited number of admins.

  • The IP Relaxation policy determines whether a user’s access to the app is restricted by IP ranges. A Salesforce admin can choose to enforce or bypass IP restrictions by choosing one of the following options.

    Note: IP restrictions are enforced only if they are configured on a user’s profile. The SAML bearer assertion and JWT bearer token flows always enforce IP restrictions regardless of the connected app policy.

    • Enforce IP restrictions—Default. A user running this app is subject to the org’s IP restrictions, such as IP ranges, which are set in the user’s profile.
    • Enforce IP restrictions, but relax for refresh tokens—A user running this app is subject to the org’s IP restrictions, such as IP ranges, which are set in the user’s profile. However, after initial login, when later using a refresh token to obtain a new access token, the restrictions are bypassed.
    • Relax IP restrictions for activated devices—A user running this app bypasses the org’s IP restrictions when either of these conditions is true.
      • The app has a whitelist of IP ranges and is using the web server OAuth authentication flow. Only requests coming from the whitelisted IPs are allowed.
      • The app has no IP-range whitelist, is using the web server or user-agent OAuth authentication flow, and the user successfully completes identity verification if accessing Salesforce from a new browser or device.
    • Relax IP restrictions—A user running this app is not subject to any org IP restrictions.

    Note: If Enforce login IP ranges on every request is enabled, it affects the IP relaxation behavior. For more information, see Connected App IP Relaxation and Continuous IP Enforcement.

  • The Refresh Token policy determines whether a refresh token is provided during authorization to get a new access token. If refresh tokens are provided, users can continue to access the OAuth-enabled connected app without having to reauthorize when the access token expires. Admins limit the lifetime of access tokens with the session timeout value. The connected app exchanges the refresh token for an access token to start a new session. A Salesforce admin can choose one of the following refresh token policies.
    • Refresh token is valid until revoked—Default. The refresh token is used indefinitely, unless revoked by the user or Salesforce admin. You revoke tokens on a user’s detail page under OAuth Connected Apps or on the OAuth Connected Apps Usage Setup page.
    • Immediately expire refresh token—The refresh token is invalid immediately. The user can use the current session (access token) already issued, but can’t obtain a new session when the access token expires.
    • Expire refresh token if not used for n—The refresh token is valid as long as it’s been used within a specified amount of time. For example, if set to seven days, and the refresh token isn’t exchanged for a new session within seven days, the next attempt to use the token fails. The expired token can’t generate new sessions. If the refresh token is exchanged within seven days, the token is valid for another seven days. The monitoring period of inactivity also resets.
    • Expire refresh token after n—The refresh token is valid for a fixed amount of time. For example, if the policy states one day, the user can obtain new sessions only for 24 hours.

    The Refresh Token policy is evaluated only during usage of the issued refresh token and doesn’t affect a user’s current session. Refresh tokens are required only when a user’s session has expired or isn’t available. For example, if you set a refresh token policy to expire the refresh token after 1 hour, and the user uses the app for 2 hours, the user isn’t forced to authenticate after one hour. However, the user is required to authenticate again when the session expires and the client attempts to exchange its refresh token for a new session.

If your connected app is a canvas app that uses signed request authentication, be sure to:
  • Set Permitted Users to Admin-approved users are pre-authorized.
  • Set Expire Refresh Tokens to Immediately expire refresh token.
  • Give users access via profiles and permission sets.

Session Policies

Session policies apply to all connected apps.
  • Session Timeout Value—Specifies when access tokens expire to end a user’s connected app session. You can control how long a user’s session lasts by setting the timeout value for the connected app, user profile, or org’s session settings (in that order). If you don’t set a value or None is selected (the default), Salesforce uses the timeout value in the user’s profile. If the profile doesn’t specify a timeout value, Salesforce uses the timeout value in the org’s Session Settings.
  • The current permissions for the connected app are also listed in the org’s Session Settings.
  • High Assurance session required—Requires users to enter a time-based token when trying to log in to access the app.
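The following Apex class is an added illustration, not Salesforce code: it models how each of the four Refresh Token policies decides a refresh-token exchange, how the Session Timeout Value is resolved from connected app, profile, and org settings, and why the refresh policy never cuts short a session that is still alive. The class name, enum, and sample timestamps are constructed for the example.

```apex
// Added illustration, not Salesforce code: models the Refresh Token policies and the
// Session Timeout Value precedence described above.
public class ConnectedAppPolicyModel {
    public enum RefreshPolicy { VALID_UNTIL_REVOKED, IMMEDIATELY_EXPIRE, EXPIRE_IF_NOT_USED_FOR, EXPIRE_AFTER }

    public class RefreshToken {
        public Datetime issuedAt;
        public Datetime lastUsedAt; // reset on every successful exchange
        public Boolean revoked = false;
        public RefreshToken(Datetime issuedAt) { this.issuedAt = issuedAt; this.lastUsedAt = issuedAt; }
    }

    // Returns true if the exchange succeeds (and records the use), false if the token is rejected.
    // The policy is consulted only here, at exchange time; an access token already issued is unaffected.
    public static Boolean tryExchange(RefreshToken token, RefreshPolicy policy, Integer windowMinutes, Datetime now) {
        if (token.revoked) { return false; }
        Boolean allowed;
        if (policy == RefreshPolicy.VALID_UNTIL_REVOKED) {
            allowed = true;
        } else if (policy == RefreshPolicy.IMMEDIATELY_EXPIRE) {
            allowed = false; // the existing session keeps working; no new session can be started
        } else if (policy == RefreshPolicy.EXPIRE_IF_NOT_USED_FOR) {
            allowed = now <= token.lastUsedAt.addMinutes(windowMinutes); // inactivity window, reset on use
        } else {
            allowed = now <= token.issuedAt.addMinutes(windowMinutes); // fixed lifetime; use does not extend it
        }
        if (allowed) { token.lastUsedAt = now; }
        return allowed;
    }

    // Session Timeout Value precedence: connected app, then user profile, then org Session Settings.
    public static Integer effectiveTimeoutMinutes(Integer appValue, Integer profileValue, Integer orgValue) {
        if (appValue != null) { return appValue; }
        if (profileValue != null) { return profileValue; }
        return orgValue;
    }

    // Walk-through of the page's example: policy "expire refresh token after 1 hour", user active for 2 hours.
    public static void demo() {
        Datetime login = Datetime.newInstance(2024, 1, 1, 9, 0, 0); // constructed sample time
        RefreshToken t = new RefreshToken(login);
        // The session timeout (not the refresh policy) decides when the access token dies.
        Integer timeout = effectiveTimeoutMinutes(null, 120, 15); // app unset, profile 2 h, org 15 min -> 120
        // The access token is still valid at 1 h 30 min, so no re-authentication is demanded yet ...
        Boolean sessionAlive = login.addMinutes(90) <= login.addMinutes(timeout);
        // ... but once the session ends, the refresh at 2 h is past the 1 h policy window and fails.
        Boolean refreshed = tryExchange(t, RefreshPolicy.EXPIRE_AFTER, 60, login.addMinutes(120));
        System.debug('session alive at 1h30: ' + sessionAlive + ', refresh at 2h succeeded: ' + refreshed);
    }
}
```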

Mobile App Settings

Mobile App settings apply to mobile connected apps that enforce PIN protection.

  • Require Pin after—Specifies how much time can pass while the app is idle before the app locks itself and requires the PIN before continuing. Allowable values are none (no locking), 1, 5, 10, and 30 minutes. This policy is enforced only if a corresponding PIN length is configured. Enforcement of the policy is the responsibility of the connected app. Apps written using the Salesforce Mobile SDK can enforce this policy, or the app can read the policy from the UserInfo service and enforce the policy itself.

    Note: This setting doesn’t invalidate a user’s session. When the session expires due to inactivity, this policy only requires that the user enter a PIN to continue using the current session.

  • Pin Length—Sets the length of the identification number sent for authentication confirmation. The length can be from 4 to 8 digits, inclusive.

Custom attributes are available for all connected apps. Developers can set custom SAML metadata or custom OAuth attributes for a connected app. Salesforce admins can delete or edit the attributes or add custom attributes. Attributes deleted, edited, or added by admins override attributes set by developers. For more information, see Edit, Reconfigure, or Delete a Connected App in Salesforce Classic.

Custom Connected App Handler

Write a custom connected app handler in Apex to customize the behavior of the connected app. Create a class that extends the ConnectedAppPlugin Apex class, and associate it with the connected app. The class can support new authentication protocols or respond to user attributes in a way that benefits a business process.

  1. For Apex Plugin Class, enter the name of the Apex class you created to customize the behavior of the connected app.
  2. For Run As, select the name of the user to run the plug-in as.

    The plug-in runs on behalf of a user account. If the user isn’t authorized for the connected app, use the authorize method to do so. For more information, see the ConnectedAppPlugin class in the Apex Code Developer's Guide.
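An added example of such a handler (not code from the Salesforce documentation): it pre-authorizes nothing itself, lets admin-approved users through, requires self-authorizing users to be active and to hold a permission set, and adds the user's Department as a custom attribute. The class name and the permission set name Partner_API_Access are assumptions, and the method signatures taking an Auth.InvocationContext should be checked against the ConnectedAppPlugin entry in the Apex Reference for your release.

```apex
// Added example of a custom connected app handler; not from the Salesforce docs.
// Assumes a permission set named Partner_API_Access exists (assumed name).
global class PartnerAppPlugin extends Auth.ConnectedAppPlugin {

    private static final String REQUIRED_PERM_SET = 'Partner_API_Access'; // assumed name

    // Called when a user authorizes the app; runs as the "Run As" user configured above.
    global override Boolean authorize(Id userId, Id connectedAppId, Boolean isAdminApproved,
                                      Auth.InvocationContext context) {
        // Pre-authorized users are already governed by profile and permission set assignment.
        if (isAdminApproved) { return true; }
        // Self-authorizing users must be active and hold the required permission set.
        User u = [SELECT IsActive FROM User WHERE Id = :userId LIMIT 1];
        if (!u.IsActive) { return false; }
        Integer holders = [SELECT COUNT() FROM PermissionSetAssignment
                           WHERE AssigneeId = :userId AND PermissionSet.Name = :REQUIRED_PERM_SET];
        Boolean allowed = holders > 0;
        System.debug(LoggingLevel.INFO, 'PartnerAppPlugin authorize user=' + userId
            + ' app=' + connectedAppId + ' flow=' + context + ' allowed=' + allowed);
        return allowed;
    }

    // Called on each refresh-token exchange; a natural place to record or re-check the user.
    global override void refresh(Id userId, Id connectedAppId, Auth.InvocationContext context) {
        System.debug(LoggingLevel.INFO, 'PartnerAppPlugin refresh user=' + userId + ' app=' + connectedAppId);
    }

    // Adds an attribute on top of the custom attributes an admin defined for the app.
    global override Map<String, String> customAttributes(Id userId, Id connectedAppId,
            Map<String, String> formulaDefinedAttributes, Auth.InvocationContext context) {
        Map<String, String> attrs = formulaDefinedAttributes == null
            ? new Map<String, String>() : new Map<String, String>(formulaDefinedAttributes);
        User u = [SELECT Department FROM User WHERE Id = :userId LIMIT 1];
        attrs.put('department', u.Department == null ? '' : u.Department);
        return attrs;
    }
}
```

Because the plug-in runs as the Run As user, the SOQL queries above are subject to that user's access, so choose a Run As user that can read User and PermissionSetAssignment.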

User Provisioning Settings

Enable User Provisioning—Enable user provisioning for the connected app to create, update, and delete user accounts in the connected app based on users in your Salesforce org. Salesforce provides a wizard to guide you through configuring or updating user provisioning settings.