Refresh a Sandbox

Refreshing a sandbox updates its metadata from the source org.
Ease of Implementation Medium
Estimated Time to Implement 30 minutes

In this example, we show you how to reuse an AWS Account to refresh your sandbox and relink the refreshed sandbox to the Amazon Connect instance.

This configuration applies to users of Salesforce Voice with telephony provided by Amazon Connect.

Note: Starting in the Summer '26 release, connected apps can no longer be created. New contact centers use external client apps (ECA) for single sign-on (SSO). Contact centers created before the Summer '26 release will continue to use their connected apps for SSO.

In this example, you will perform the following steps to refresh the sandbox:

  1. Retrieve (back up) the metadata for the following packages:
    • *ConversationVendorInfo
    • CallCenter
    • Single sign-on external client app or connected app
  2. Refresh the sandbox.
  3. *Deploy the ConversationVendorInfo metadata to the refreshed sandbox.
  4. Deploy the single sign-on external client app or connected app metadata to the refreshed sandbox and update the CallCenter metadata with the new connected app values or app id for external client app.
  5. Create the REST API OAuth external client app.
  6. Deploy the CallCenter metadata to the refreshed sandbox.
  7. Map the identity provider (IdP) certificate to the external client app or connected apps.
  8. Update the AWS IAM SalesforceServiceVoiceIdp identity provider with the latest IdP certificate.
  9. Update the AWS Lambda functions with the latest environment variable settings.

*Skip this step if your telephony model is Salesforce Voice with Partner Telephony from Amazon Connect.

Prerequisites

Before you begin:
  • Verify that you have AWS root user or AWS administrator credentials.
  • Verify the AWS Account you want to use isn’t being used by another Salesforce org.
  • Review the Sandbox Org Guidelines guidance around sandbox orgs and sandbox refreshes.

Refresh the Sandbox

  1. Skip this step if your telephony model is Salesforce Voice with Partner Telephony from Amazon Connect.

    Retrieve the ConversationVendorInfo metadata from the sandbox org to create a backup copy named package.xml. The ConversationVendorInfo package contains information about the AWS Account.

    Here’s a sample version of the ConversationVendorInfo package:

    1<!— ConversationVendorInfo Package package.xml-->
    2<?xml version="1.0" encoding="UTF-8"?>
    3<Package xmlns="http://soap.sforce.com/2006/04/metadata">
    4<types>
    5<members>SERVICE_CLOUD_VOICE</members>
    6<name>ConversationVendorInfo</name>
    7</types>
    8<version>55.0</version>
    9</Package>
  2. Retrieve the CallCenter metadata from the sandbox org to create a backup copy named package.xml. The CallCenter package contains the call center definition used to integrate the Salesforce contact center with the Amazon Connect instance.

    Here’s a sample version of the CallCenter package, where ContactCenterWest is the internal name of the contact center:

    1<!— CallCenter Package package.xml-->
    2<?xml version="1.0" encoding="UTF-8"?>
    3<Package xmlns="http://soap.sforce.com/2006/04/metadata">
    4<types>
    5<members>ContactCenterWest</members>
    6<name>CallCenter</name>
    7</types>
    8<version>55.0</version>
    9</Package>
  3. Retrieve the Single Sign-On external client app or Connected App metadata from the sandbox org to create a backup copy named package.xml. The single sign-on external client app or connected app package contains the app configuration used to integrate Salesforce with the Amazon Connect instance.

    Here’s a sample version of the package.xml for a single sign-on external client app, where ContactCenterWest_ECA is the internal name of the contact center's app.

    1<?xml version="1.0" encoding="UTF-8"?> <Package xmlns="http://soap.sforce.com/2006/04/metadata"> <types> <members>ContactCenterWest_ECA</members> <name>ExternalClientApplication</name> </types> <version>60.0</version> </Package>

    Here’s a sample version of the single sign-on connected app package, where ContactCenterWest is the internal name of the contact center:

    1<!— ConnectedApp Package package.xml-->
    2<?xml version="1.0" encoding="UTF-8"?>
    3<Package xmlns="http://soap.sforce.com/2006/04/metadata">
    4<types>
    5<members>ContactCenterWest_Connected_App</members>
    6<name>ConnectedApp</name>
    7</types>
    8<version>55.0</version>
    9</Package>
  4. Refresh your sandbox.
  5. Skip this step if your telephony model is Salesforce Voice with Partner Telephony from Amazon Connect.

    Deploy the ConversationVendorInfo metadata to the refreshed sandbox org and verify that you receive an email from Salesforce confirming Salesforce Voice successfully connected to the AWS Account.

  6. Skip this step if your telephony model is Salesforce Voice with Partner Telephony from Amazon Connect.

    Perform the following steps to finish turning on Salesforce Voice in the refreshed sandbox org:

    • Go to Setup > Voice > Amazon Setup and verify that Turn on Voice with Amazon Connect is ON and grayed out.
    • In the Register Tax Number section, click Confirm Settings.
    • Verify that you receive an email from Salesforce confirming Salesforce Voice is turned on.
  7. Deploy the single sign-on external client app or connected app metadata to the refreshed sandbox org.
  8. Copy the following values from the newly deployed single sign-on external client app or connected app to the CallCenter metadata XML file:
    • reqConnectedAppId. From the Developer Console, open the ConnectedApplication.obj file and copy the 15- or 18-digit org ID of the newly deployed connected app. For an external client app, open the ExternalClientApplication.obj file and copy the 15- or 18-digit ID of the newly deployed external client app. Replace the value of reqConnectedAppId in the XML file with the value you just copied.
    • reqIdentityUrl. For an external client app, go to Setup > External Client App Manager . Open your external client app, navigate to the SAML Settings, and copy the IdP-Initiated Login URL. For connected app, go to Setup > App Manager. Click Manage next to the newly deployed connected app and copy the IdP-Initiated Login URL. Replace the value of reqIdentityUrl in the XML file with the IdP-Initiated Login URL value you just copied.
  9. Give users access to the single sign-on external client app or connected app using permission sets (preferred) or profiles.

    For a local external client app, go to Setup > External Client App Manager, click Edit Policies next to your app, and assign the profiles or permission sets. For a managed external client app, go to Setup > Voice Settings, open the Contact Center Details page, and assign the profiles or permission sets in the App Policies section.

    For connected app, go to Setup > App Manager. Click Manage next to the newly deployed connected app and assign the profiles to the app or enable the Salesforce Voice Permission Set in the app.
  10. Set up OAuth for your external client app, as described in Enable an OAuth Plugin.
  11. Copy the following value from the external client app or newly created REST API OAuth connected app to the CallCenter metadata XML file:
    • reqRestApiConnectedAppId. From the Developer Console, open the ConnectedApplication.obj file of the newly deployed connected app and copy the reqRestApiConnectedAppId value. For an external client app, open the ExternalClientApplication.obj file of the newly deployed app and copy the ID value. Replace the value of reqRestApiConnectedAppId in the XML file with the value you just copied.
  12. Delete the contactCenterChannels element from the CallCenter metadata XML file.
  13. Deploy the CallCenter metadata containing the values you just updated to the refreshed sandbox org.
  14. Map the IdP certificate to the single sign-on external client app or connected app.
    1. For a managed external client app, go to Setup > Voice Settings, click your contact center name to open the Contact Center Details page, and locate the certificate in the SAML Policies section. For a connected app, find your IdP certificate for single sign-on, select Setup > Apps > Connected Apps > Manage Connected Apps, and open the connected app with the label {salesforce_contact_center_internal_name} Connected App. Write down the label name of the currently chosen certificate.
    2. Go to Setup > Identity > Identity Provider and make sure that the current Idp certificate label is the same as that of the external client app or connected app certificate label noted down in step 14.a. If the labels do not match, update the single sign-on external client app's or connected app's certificate to match with the Salesforce Identity Provider certificate.
    3. Click Download Metadata on the Salesforce Identity Provider page to download the SAML metadata in XML format.
  15. Update the SalesforceServiceVoiceIdp provider in AWS IAM with the latest IdP metedata from Salesforce.
    1. Go to IAM > Identity Providers, and click SalesforceServiceVoiceIdp to drill down to the details.
    2. Click Replace Metadata and replace the metadata with the XML file you downloaded in step 14.c.
  16. Set the SALESFORCE_ORG_ID value depending on your contact center version.
    • For contact center versions below 19.0, set the SALESFORCE_ORG_ID environment variable in the AWS Lambda functions to the org ID of the refreshed sandbox.
      1. Find and copy the 15- or 18-digit org ID.
      2. Go to AWS Lambda.
      3. Click the name of the Lambda function that has the SALESFORCE_ORG_ID environment variable. For example, click InvokeTelephonyIntegrationApiFunction.
      4. Change the value of SALESFORCE_ORG_ID to the org ID you just copied.
      5. Repeat these steps for all Lambda functions - including custom ones - that have the SALESFORCE_ORG_ID environment variable.

        After you change the SALESFORCE_ORG_ID environment variable for each of the impacted Lambda functions. make sure you publish the updated version of the Lambda function and set the Alias to the right version.

    • For contact center versions 19.0 or later, set the value of the SALESFORCE_ORG_ID key in the Secret of the contact center.
      1. In Secrets Manager in the AWS console, select the secret for the contact center. The secret is in the format <Contact Center Internal Name>-salesforce-secret.
      2. In the Secret Value section, select Retrieve Secret and click Edit.
      3. Select the Plaintext view, and paste the org ID of the refreshed sandbox as the value for the SALESFORCE_ORG_ID key.
      4. Save your changes.