Exercise 1: Configure Salesforce MCP Servers

In this exercise, you'll:

1. set and verify your user's email
2. create an External Client App (ECA) so MCP clients can authenticate and connect
3. prepare a permission set to secure the access to your MCP servers
4. secure the access to your ECA with a permission set
5. activate the Salesforce hosted MCP servers.

Step 1: Set and Verify your User's Email

1. From Setup, in the Quick Find box, enter Users, then select Users.

2. Click Edit next to EPIC, OrgFarm in the user table.

3. Replace the Email value with your own email.

4. Click Save.

5. Click OK to confirm the email change.

6. Open your email inbox and look for an email from Salesforce titled "Finish changing your Salesforce account’s email address".

7. Click on the link to validate the email change.

8. Click Verify Email Address.

9. Click Continue.

   TIP

   Updating and verifying the email of your user allows you to reset your password in case you forget it and is required for the next steps.

Step 2: Create an External Client App (ECA)

1. From Setup, in the Quick Find box, enter External Client, then select External Client App Manager.

2. Click New External Client App.

3. Under Basic Information, fill in the required fields:

   Field name	Field Value
   App Name	Workshop MCP Client
   API Name	Workshop_MCP_Client (auto-filled)
   Contact Email	Your email address

4. Expand the API (Enable OAuth Settings) section and configure the following app settings:

   1. Check Enable OAuth

   2. Callback URL:

      https://mcp-playground-360-lb-75bfc079c1f3.herokuapp.com/oauth/sf/callback

   3. Selected OAuth Scopes:

      • Perform requests at any time (refresh_token, offline_access)
      • Access Salesforce hosted MCP servers (mcp_api)

5. Under Security, apply the following configuration:

   1. Uncheck these boxes:
      • Require secret for Web Server Flow
      • Require secret for Refresh Token Flow
   2. Check these boxes:
      • Require Proof Key for Code Exchange (PKCE) extension for Supported Authorization Flows
      • Issue JSON Web Token (JWT)-based access tokens for named users

   At this point, your configuration should look like this:

   

   TIP

   Always define one ECA per client type (one for Claude, one for ChatGPT...). This helps you control permissions and facilitates logging.

6. Click Create.

   TIP

   The External Client App can take up to 30 minutes to become available. The delay is similar to registering a new domain with DNS.

Step 3: Create a Permission Set

1. From Setup, in the Quick Find box, enter Permission, then select Permission Sets.

2. Click New.

3. Fill in the following fields:

   Field name	Field Value
   Label	MCP Client User
   API Name	MCP_Client_User (auto-filled)
   Description	Grants access to the Salesforce hosted MCP servers.

4. Click Save.

5. Assign the permission set to yourself:

   1. Click Manage Assignments.
   2. Click Add Assignment.
   3. Check the box next to OrgFarm EPIC (this is your user).
   4. Click Next.
   5. Click Assign.

Step 4: Secure the Access to the External Client App

1. From Setup, in the Quick Find box, enter External Client, then select External Client App Manager.

2. Click Workshop MCP Client.

3. Click Edit in the Policies tab of your ECA.

4. Expand the OAuth Policies section.

5. Change the Permitted Users dropdown to Admin approved users are pre-authorized.

6. Click OK to confirm the changes.

7. Under Select Permission Sets, select your MCP Client User permission set from the Available Permission Sets list and move it to the Selected Permission Sets list.

   

8. Click Save.

9. Click Settings, then under OAuth Settings click Consumer Key and Secret.

10. Check your inbox for a verification code email and enter the code in the form.

11. Copy the Consumer Key and Consumer Secret. Store them securely — you'll need them to connect MCP clients to your org.

Step 5: Activate Salesforce Hosted MCP Servers

1. From Setup, in the Quick Find box, enter MCP Servers, then select MCP Servers under API Catalog.

2. Click Salesforce Servers.

3. Open the sobject-all MCP server and click Activate.

4. Open the salesforce-api-context MCP server and click Activate.

5. Open the metadata-experts MCP server and click Activate.

   TIP

   Activating these servers exposes Salesforce object metadata, data, and API context to your MCP clients. We'll connect to those servers with a third party MCP client and with Agentforce Vibes.

Summary

In this exercise, you created a secure External Client App. You then activated the sobject-all, salesforce-api-context, and metadata-experts Salesforce hosted MCP servers. In the next exercise, you'll test these servers in the Headless 360 Playground.