Salesforce configuration

Configure Salesforce for data ingestion data store

To configure Salesforce for a data ingestion data store, follow the steps in this section.

Supported versions

The Salesforce V2 connector supports SOAP API version 30.0 or later.

Generate a service attachment

To generate a service attachment, perform the following steps:

• For Public endpoint: If the Salesforce data center Destination type is Public, you are not required to create the setup for service attachment. Instead, you can use your public URL in the Domain URL field of the Google Cloud console.
• For Private endpoint:
  1. Use PSC to enable connections from private instances to Google Cloud.
  2. Create a Virtual Private Cloud network and the required subnets.
  3. Create a Virtual Machine (VM) instance and install the backend service.
  4. Optional: Set up a health check probe to monitor backend health.
  5. Add a load balancer to route traffic to the VM or backend.
  6. Define firewall rules to allow traffic between the PSC endpoint and the backend.
  7. Publish the endpoint by creating a PSC service attachment.

Generate authentication credentials

Data ingestion data stores can use any of the following supported authentication types:

• OAuth 2.0 - Client credentials
• OAuth 2.0 - JWT bearer
• Username and password

Set up for OAuth 2.0 - Client credentials authentication

You must set up Gemini Enterprise as an external client app (connected app) in Salesforce to obtain the following authentication information:

• Consumer ID or client ID
• Consumer secret or client key

Create and configure an external client app

1. In your Salesforce app, click the setup icon, and select Setup.
2. Enter Apps in the quick find box and select App manager.
3. Select New external client app.
4. Enter the required basic information (Name, API name, and Contact email).
5. In the API (Enable OAuth settings) section, configure the following OAuth settings. For more information, see Enable OAuth Settings for API Integration.
   1. Select the Enable OAuth checkbox.
   2. Enter the Callback URL as https://vertexaisearch.cloud.google.com/oauth-redirect.
   3. In the Selected OAuth scopes section, add the Full access (full), Manage user data via APIs (api), and Perform requests at any time (refresh_token, offline_access) scopes. For more information, see OAuth Tokens and Scopes.
   4. In the Flow enablement section, select the Enable client credentials flow checkbox.
6. Click Create.

Pre-authorize external client app access

After creating the external client app, authorize specific users or permission sets to access it.

1. In your Salesforce app, enter External client app in the quick find box and select External client app manager.
2. Click the name of your external client app that you created.
3. Select the Policies tab and click Edit.
4. In the OAuth policies section:
   1. In the Permitted users field, select Admin approved users are pre-authorized.
   2. Under OAuth flow and external client enhancement, select Enable client credentials flow and enter the user's email ID.
   3. In the Refresh token policy field, select Refresh token is valid until revoked.
5. In the App policies section, select the profiles or permission sets authorized for this connection.
6. Click Save.
7. Navigate to the Settings > OAuth settings, click Consumer key and secret, and copy and store the consumer key and consumer secret to be used as authentication credentials.

Configure permissions

To verify that the user configuring the connector has the required minimum data fetching permissions, complete the following steps:

1. In your Salesforce app, enter Profiles in the Quick Find box and select Profiles.
2. Select the user profile running the connector.
3. Navigate to the Standard object permissions section and verify the permissions.
4. Verify that the selected user has access to the required permissions. This process must be repeated for each entity you intend to ingest.
5. To allow access to the object, create a permission set and share it with the user:
   1. Enter Permission sets in the Quick Find box and select Permission sets.
   2. Click New.
   3. Enter a name and save the permission set.
   4. Open the created permission set and navigate to the Apps section.
   5. Select Object settings.
   6. Select the View all records checkbox.
   7. In the Field permissions section, grant Read access to all fields you want to synchronize.
   8. Save the settings and navigate back.
6. Enable system permissions:
   1. In the System section, select System permissions.
   2. Enable the following minimum permissions:
      • API enabled
      • View all users
      • View roles and role hierarchy
      • View setup and configuration
7. Assign the user to the permission set:
   1. Enter Users in the Quick find box and select Users.
   2. Select the user.
   3. In the Permission set assignments section, select Edit assignments.
   4. Add the recently created permission set to the Enabled permission sets section.

For more information, see Data access in Salesforce and Organization-Wide Sharing Defaults.

Set up for OAuth 2.0 - JWT bearer authentication

You must set up Gemini Enterprise as an external client app (connected app) in Salesforce to obtain the following authentication information:

• Customer key
• Public key
• Username

Generate private key and public certificate

1. Generate a 2048-bit RSA private key by executing the following command: openssl genrsa -out server.key 2048

   This command creates a file named server.key, which contains your private key. Keep this file secure and confidential.

2. Generate a self-signed public certificate by executing the following command: openssl req -new -x509 -sha256 -days 3650 -key server.key -out server.crt

   This command generates a file named server.crt, which is your public certificate. You can upload this certificate to Salesforce during the external client app (connected app) configuration.

Create and configure external client app

1. In your Salesforce app, click the setup icon, and then select Setup.
2. Enter Apps in the quick find box and select App manager.
3. Select New external client app.
4. Enter the required basic information for your external client app (connected app), such as the External client app name, API name, and Contact email.
5. In the API (Enable OAuth settings) section, configure the following OAuth settings. For more information, see Enable OAuth Settings for API Integration.
   1. Select the Enable OAuth checkbox.
   2. Enter the Callback URL as https://vertexaisearch.cloud.google.com/oauth-redirect.
   3. In the Selected OAuth scopes section, add Full access (full), Manage user data via APIs (api), and Perform requests at any time (refresh_token, offline_access). For more information, see OAuth Tokens and Scopes.
   4. In the Flow enablement section:
      1. Select Enable JWT bearer flow.
      2. Upload the server.crt generated in the Generate private key and public certificate section.

         

Get login URL

To get the login URL for your Salesforce instance, do the following:

1. In your Salesforce app, enter My domain in the quick find box and select My domain.
2. Copy the domain ending in my.salesforce.com.
3. Add https:// to the beginning of the copied domain. This is the instance URL that you need to create the Salesforce connector in Gemini Enterprise. The instance URL must be in the following format: https://DOMAIN_NAME.my.salesforce.com.

Install the OAuth connected app

You must install the external client app that you created. Navigate to the Connected Apps OAuth Usage page in your Salesforce account and install the app. For more information, see Connected App Usage Restrictions Change.

Set up for username and password authentication

For username and password authentication, use an existing security token, or reset the security token to receive a new one in your registered email.

To reset your security token:

1. In your Salesforce app, click your profile icon and select Settings.

   

2. Navigate to Reset my security token and click Reset security token.