Connect Salesforce

This page describes how to connect Salesforce to Agentspace.

We recommend using the Salesforce V2 (Recommended) connector to ingest Salesforce data into Agentspace. The existing Salesforce connector will be deprecated. If you are using an existing data store that uses the Salesforce connector, create a new data store using the Salesforce V2 connector.

Supported versions

The Salesforce V2 connector supports SOAP API version 30.0 or later.

Before you begin

Before setting up your connection, do the following:

  1. Use either a Salesforce enterprise or a Salesforce developer plan. Trial accounts are not supported.
  2. Set up access control for your data source. For information about setting up access control, see Use data source access control.
  3. Verify that the Salesforce CORS allowlist contains Google Cloud.
    1. To configure the allowlist, see Enable CORS for OAuth Endpoints.
    2. To include Google Cloud, add https://console.cloud.google.com/ as the origin URL, and save your configuration.
  4. Configure Salesforce for connectivity. The configurations vary based on your chosen authentication type.

Generate a service attachment

Use the following steps to generate a service attachment:

  • For Public endpoint: If the Salesforce data center Destination type is Public, you are not required to create the setup for service attachment. Instead, you can use your public URL in the Domain URL field of the Google Cloud console.

  • For Private endpoint:

    1. Use PSC to enable connections from private instances to Google Cloud.
    2. Create a Virtual Private Cloud network and the required subnets.
    3. Create a Virtual Machine (VM) instance and install the backend service.
    4. Optional: Set up a health check probe to monitor backend health.
    5. Add a load balancer to route traffic to the VM or backend.
    6. Define firewall rules to allow traffic between the PSC endpoint and the backend.
    7. Publish the endpoint by creating a PSC service attachment.

Configure Salesforce for connectivity

To connect a Salesforce data source to Agentspace, you must complete specific configurations within Salesforce. These configurations vary based on the authentication type you choose.

Set up for username and password authentication

For username-password authentication, use an existing security token, or reset the security token to receive a new one in your registered email.

To reset your security token:

  1. Click your profile icon and select Settings.

    Settings
    Settings

  2. Navigate to the Reset my security token tab and click Reset security token.

    Reset security token
    Reset security token

    Salesforce sends the new security token to your registered email.

Set up for OAuth 2.0 - JWT bearer authentication

You must set up Vertex AI Search as a connected app in Salesforce for API integration.

After you connect Vertex AI Search as a connected app, you can obtain the following authentication information that is needed to create a Salesforce connector in Agentspace.

  • Customer key
  • Public key
  • Username (pre-authorized to use the application)

Generate private key and public certificate

  1. Execute the following OpenSSL command to generate a 2048-bit RSA private key.

    openssl genrsa -out server.key 2048

    This command creates a file named server.key, which contains your private key. Keep this file secure and confidential.

  2. Execute the following OpenSSL command to generate a self-signed public certificate using the private key.

    openssl req -new -x509 -sha256 -days 3650 -key server.key -out server.crt

    This command generates a file named server.crt, which is your public certificate. You can upload this certificate to Salesforce during the connected app configuration.

Create and configure connected app in Salesforce

  1. In your Salesforce app, click the setup icon, and then select Setup.

    Setup
    Setup

  2. Enter Apps in the quick find box and select App manager.

  3. Select New external client app.

    New external client app
    New external client app

  4. Enter the required basic information for your connected app, such as the External client app name, API name, and Contact email.

  5. In the API (Enable OAuth settings) section, configure the following OAuth settings. For more information, see Enable OAuth Settings for API Integration.

    1. Select the Enable OAuth checkbox.
    2. Enter the Callback URL as https://vertexaisearch.cloud.google.com/console/oauth/salesforce_oauth.html.
    3. In the Selected OAuth scopes section, add Full access(full), Manage user data via APIs (api), and Perform requests at any time (refresh_token, offline_access). For more information, see OAuth Tokens and Scopes.

    4. In the Flow enablement section:

    5. Select the Enable JWT bearer flow checkbox.

    6. Upload the public certificate created in Generate private key and public certificate.

      Enable OAuth settings- OAuth2 JWT token
      Enable OAuth settings - OAuth2 JWT

    7. Click Create.

Pre-authorize external client app access

After creating the Connected App, you must explicitly authorize specific users or permission sets to access it.

  1. Enter External client app in the quick find box and select External client app manager.
  2. Locate and open the external client app that you created earlier.
  3. In the Policies tab, click Edit to modify the app details.

  4. In the OAuth policies section, do the following:

    1. In the Permitted users field, select Admin approved users are pre-authorized.
    2. In the Refresh token policy field, select Refresh token is valid until revoked.
    3. In the IP relaxation field, select Relax IP restrictions.
      Policies - OAuth2 JWT Bearer
      OAuth policies - OAuth2 JWT Bearer

    The IP relaxation option controls whether the connected app's access is limited by IP ranges. IP restrictions are enforced based on the user profile settings. You must verify if an organization-wide IP range enforcement is active in the user settings. If Enforce login IP ranges on every request is enabled, then setting IP Relaxation to Relax IP restrictions does not override the existing IP restrictions. For more information, see Connected App IP Relaxation and Continuous IP Enforcement.

    • If you want to enforce IP restrictions in the connected app, set up a trusted IP. For more information, see Configure Trusted IP Ranges for a Connected App.
    • If you don't want to have any IP access restrictions, verify that the Enforce login IP ranges on every request isn't selected.

  5. In the App policies section, select the profiles and permission sets for which this authentication type needs to be authorized.

    App policies
    App policies

  6. Click Save.

  7. Navigate to the Settings tab.

  8. In the OAuth settings section, click Consumer key and secret and copy the Consumer key and Consumer secret.

Set up for OAuth 2.0 - Client credentials authentication

You must set up Agentspace as a connected app in Salesforce for API integration.

After you connect Agentspace as a connected app, you can obtain the following authentication information that is needed to create a Salesforce connector in Agentspace.

  • Consumer ID or client ID
  • Consumer secret or client key

Create and configure an external client app

  1. In your Salesforce app, click the setup icon, and then select Setup.

  2. Enter Apps in the quick find box and select App manager.

  3. Select New external client app.

  4. Enter the required basic information for your connected app, such as the External client app name, API name, and Contact email.

  5. In the API (Enable OAuth settings) section, configure the following OAuth settings. For more information, see Enable OAuth Settings for API Integration.

    1. Select the Enable OAuth checkbox.
    2. Enter the Callback URL as https://vertexaisearch.cloud.google.com/console/oauth/salesforce_oauth.html.
    3. In the Selected OAuth scopes section, select Full access(full), Manage user data via APIs (api), and Perform requests at any time (refresh_token, offline_access). For more information, see OAuth Tokens and Scopes.
    4. In the Flow enablement section, select the Enable client credentials flow checkbox.
      Enable OAuth settings- OAuth2 client credentials
      Enable OAuth settings- OAuth2 client credentials

  6. Click Create.

Pre-authorize external client app access

After creating the external client app, you must explicitly authorize specific users or permission sets to access it.

  1. Enter External client app in the quick find box and select External client app manager.
  2. Click the name of the external client app that you created.
  3. In the Policies tab, click Edit to modify the app details.

  4. In the OAuth policies section, do the following:

    1. In the Permitted users field, select Admin approved users are pre-authorized.

    2. In the OAuth flow and external client enhancement section:

      1. Select the Enable client credentials flow checkbox.
      2. Enter the user's email ID.

    3. In the Refresh token policy field, select Refresh token is valid until revoked.

    4. In the IP relaxation field, select Relax IP restrictions.

      Policies - OAuth2 client credentials
      OAuth policies - OAuth2 client credentials

    The IP relaxation option controls whether the connected app's access is limited by IP ranges. IP restrictions are enforced based on the user profile settings. You must verify if an organization-wide IP range enforcement is active in the user settings. If Enforce login IP ranges on every request is enabled, then setting IP Relaxation to Relax IP restrictions does not override the existing IP restrictions. For more information, see Connected App IP Relaxation and Continuous IP Enforcement.

    • If you want to enforce IP restrictions in the connected app, set up a trusted IP. For more information, see Configure Trusted IP Ranges for a Connected App.
    • If you don't want to have any IP access restrictions, verify that the Enforce login IP ranges on every request isn't selected.

  5. In the App policies section, select the profiles and permission sets for which this authentication type needs to be authorized.

    App policies
    App policies

  6. Click Save.

  7. Navigate to the Settings tab.

  8. In the OAuth settings section, click Consumer key and secret, then copy the Consumer key and Consumer secret.

Get login URL

To get the Login URL for your Salesforce instance, do the following:

  1. Enter My domain in the quick find box and select My domain.
  2. Copy the domain that ends in my.salesforce.com.
  3. Add https:// to the beginning of the copied domain. This is the instance URL that you need when you create the Salesforce connector in Agentspace. The instance URL must be in the following format: https://DOMAIN_NAME.my.salesforce.com.

Configure user minimum permissions

To verify that the user configuring the connector has the required minimum data fetching permissions, complete the following steps:

  1. Enter Profiles in the quick find box and select Profiles.
  2. Select the user profile running the connector.
  3. Navigate to the Standard object permissions section and verify the permissions.

Verify that the selected user has access to the permissions. This process must be repeated for each entity you intend to ingest. This involves checking whether the default access at the user's profile level is set to Private. When an entity's access is set to Private, your Google Cloud connector can't access the required object and registers an error in Cloud Logging. To allow access, do the following:

  1. Create a permission set and share it with the user

    1. Enter Permission sets in the quick find box and select Permission sets.

    2. Click New.

    3. Enter a name and save the permission set.

    4. Open the created permission set and navigate to the Apps section.

    5. Select Object settings.

    6. Select the View all records checkbox.

    7. In the Field permissions section, grant read access to all fields you want to synchronize.

      Object settings - Permissions
      Object Settings

    8. Save the settings and navigate back.

    9. In the System section, select System permissions.

    10. Enable the following minimum permissions:

      • API enabled

      • View all users

      • View roles and role hierarchy

      • View setup and configuration

  2. Add the user to the permission set:

    1. Enter Users in the quick find box and select Users.

    2. Select the user.

    3. In the Permission set assignments section, select Edit assignments.

    4. Add the recently created permission set to the Enabled permission sets section.

For more information, see Data access in Salesforce and Organization-Wide Sharing Defaults.

Create a Salesforce V2 connector

Console

To use the Google Cloud console to sync data from Salesforce to Agentspace , follow these steps:

  1. In the Google Cloud console, go to the Agentspace page.

    Agentspace

  2. In the navigation menu, click Data stores.

  3. Click Create data store.

  4. On the Select a data source page, scroll or search for Salesforce V2 to connect your third-party source.

  5. In the Authentications section, select the authentication method and enter the authentication information.

  6. In the Destinations section, select Public or Private.

    1. For the Public destination type, you are not required to create the setup for service attachment. In the Login URL field, enter your login URL to the Salesforce server.

    2. For the Private destination type, enter all the required information:

      1. Service attachment: Enter your service attachment.
      2. Base domain name: Enter your base domain.
      3. Login URL: Enter your login URL to the Salesforce server.

  7. Click Continue.

  8. In the Entities to sync section, do the following:

    1. Select the entities you want to sync.
    2. Optional. Add custom entities. The custom entity must be in the following format custom_object_name__c. For example: MyObject__c.

    3. Select the Sync frequency for Full sync and the Incremental sync frequency for Incremental data sync. For more information, see Sync frequency.

      If you want to schedule separate full syncs of entity and identity data, expand the menu under Full sync and then select Custom options.

      Custom options for full data sync.
      Setting separate schedules for full entity sync and full identity sync.
    4. Click Continue.
      Connector Entities to sync
      Entities to sync

  9. In the Configure your data connector section, do the following:

    1. Select a region for your data store.
    2. Enter a name for your data store.
    3. Click Create. Agentspace creates your data store and displays your data stores on the Data stores page.
      Connector Configure your data connector
      Configure your data connector

  10. To check the status of your ingestion, go to the Data stores page and click your data store name to see details about it on its Data page. The Connector state changes from Creating to Running when it starts synchronizing data. When ingestion is complete, the state changes to Active to indicate that the connection to your data source is set up and awaiting the next scheduled synchronization.

    Depending on the size of your data, ingestion can take minutes or hours.

Rate limits

The default rate limit for the Salesforce connector is 5 requests per second.

Known limitations

  • You can process up to 1 million records.

  • Category based access control lists for knowledge article versions are not supported.

Connect Salesforce (V1)

Before you begin

Before setting up your connection, do the following:

  1. Use either an Enterprise or a Developer plan. Trial accounts are not supported.
  2. Set up access control for your data source. For information about setting up access control, see Use data source access control.
  3. Verify that the Salesforce CORS allowlist contains Google Cloud.
    1. To configure the allowlist, see Enable CORS for OAuth Endpoints.
    2. To include Google Cloud, add https://console.cloud.google.com as the source URL, and save your configuration.

Create a connected app in Salesforce

You must set up Vertex AI Search as a connected app in Salesforce for API integration.

After you connect Vertex AI Search as a connected app, you can obtain the following authentication information that is needed to create a Salesforce connector in Agentspace.

  • Instance URL
  • Consumer ID or client ID
  • Consumer secret or client key

To enable OAuth 2.0 and obtain the authentication information, do the following:

  1. In your Salesforce app, click the setup icon, and then select Setup.

    select setup for your salesforce app
    Select Setup for your Salesforce app

  2. Enter External Client App in the Quick Find box and select External Client App Manager.

  3. In the menu, go to Settings.

  4. Turn the Allow creation of connected apps toggle to the on position and click New Connected App.

    To do so, you must have the correct permissions for external client apps. Verify whether you have the following permissions:

    • Create, edit, and delete external client apps
    • View all external client apps
    • View all external client apps, view their settings, and edit their policies
    Find your app manager and create new connected app
    Find your App Manager and create new connected app

  5. In the creation page for the new connected app, add the basic information for your app, such as the app name, your contact details, and a logo to identify your app. For more information, see Configure Basic Connected App Settings.

  6. In the API (Enable OAuth Settings) section, configure the following OAuth settings. For more information, see Enable OAuth Settings for API Integration.

    Enable and configure OAuth Settings
    Enable and configure OAuth settings

    1. Select Enable OAuth Settings.

    2. Specify the callback URL as https://vertexaisearch.cloud.google.com/console/oauth/salesforce_oauth.html.

    3. In the Selected OAuth scopes section, add Full Access(full) and Perform request at any time (refresh_token, offline_access). For more information, see OAuth Tokens and Scopes.

    4. Select Enable Client Credentials Flow.

    5. Select Enable Authorization Code and Credentials Flow.

    6. Select the Require user credentials in the POST body for Authorization Code and Credentials Flow.

    7. In Custom connected app handler, specify a Run as user. This user must have read permissions to all the entities that the user needs the connector to extract.

      Specify Run as in Custom connected app handler
      Specify a Run as user who has read permissions

  7. Click Save to create the connected app.

  8. Enter Manage connected apps in the Quick Find box and select Manage connected apps.

  9. Find your app in the list, select Edit, and then on the connected app details page select Edit policies to configure the following details:

    manage connected app and edit policies
    Manage the connected app and edit its policies

    1. Set IP Relaxation to Relax IP restrictions.

      Configure the connected app and add client credentials flow
      Additional setup for the connected app and client credentials flow

      This option determines whether the access to the connected app is restricted by IP ranges. IP restrictions are enforced based on how they're set in the user profile. You must verify whether an organization-wide IP ranges enforcement is configured in the user settings. If Enforce login IP ranges on every request is enabled, then setting the IP Relaxation option to Relax IP restrictions doesn't remove the IP restrictions. For more information, see Connected App IP Relaxation and Continuous IP Enforcement. If you want to enforce IP restrictions in the connected app, set up trusted IP. For more information, see Configure Trusted IP Ranges for a Connected App If you don't want to have any IP access restrictions, verify that the Enforce login IP ranges on every request isn't selected.

    2. Set Refresh Token Policy to Refresh token is valid until revoked.

    3. Set Permitted Users to All users may self-authorize.

    4. In the Client Credentials Flow section, specify a Run As user. The specified user must have read permissions to all the entities that they need the connector to extract. To check whether the user you selected has all the required permissions, do the one of the following:

      1. In your Salesforce app, click the setup icon, and then select Setup.
      2. In the main menu, click Users and click the username whose permissions you want to verify.
      3. Click Profiles, go to the Standard object permissions section and verify the permissions.
        Verify user read permissions
        Verify the user's permissions

    5. Verify that the selected user has access to the permissions. This involves checking whether the default access at the user's profile level is set to Private. When an entity's access is set to Private, your Google Cloud connector can't access the required object and registers an error in Cloud Logging. To allow access, do one of the following:

      • Change the default profile permission to Public.
      • Configure the access to each entity separately in Sharing settings.
        Sharing settings for entities
        Configure sharing settings for entities
      • Create a permission set and share the permission set with the user:
        1. Enter Permission sets in the Quick Find box and select Permission sets.
        2. Click New.
        3. Enter a name and save the permission set.
        4. Under System, click System permissions.
        5. Click Edit, select View setup and configuration, and save.
        6. On the Permission sets page, click Manage assignments
        7. Click Add assignments, select the user that you want to assign the permission set to, and then click Assign.
      • For more information, see Data access in Salesforce and Organization-Wide Sharing Defaults.

  10. Click Save.

  11. Enter OAuth and openID connect settings in the Quick Find box, select OAuth and OpenId Connect Settings, and then enable Allow Authorization Code and Credentials Flows

    Set OAuth and openID connect settings
    Set OAuth and openID connect settings

  12. Get the instance URL:

    1. Enter My domain in the Quick Find box and select My Domain.
      Copy app domain name
      Copy your app's domain name
    2. Copy the domain that ends in my.salesforce.com.
    3. Add https:// to the beginning of the copied domain. This is the instance URL that you need when you create the Salesforce connector in Agentspace. The instance URL must be in the following format: https://<var>DOMAIN_NAME</var>.my.salesforce.com</var>.

  13. Get the consumer ID and consumer key.

    1. Go to App manager, locate your app, and in the options, select View.
      View app details in app manager
      View app details
    2. Click Manage Customer Details.
      Click manage consumer details
      Click Manage Consumer Details button
    3. If prompted, verify your identity.

    4. Copy the consumer details.

      Copy the consumer key and secret
      Copy the consumer key and secret

      This is the instance URL that you need when you create the Salesforce connector in Agentspace.

      If Refresh token is enabled, ensure that the token is refreshed and that you copy the latest token when you create the Salesforce connector in the Agentspace.

Create a Salesforce (V1) connector

Console

To use the Google Cloud console to sync data from Salesforce to Agentspace , follow these steps:

  1. In the Google Cloud console, go to the Agentspace page.

    Agentspace

  2. In the navigation menu, click Data stores.

  3. Click Create data store.

  4. On the Select a data source page, scroll or search for Salesforce to connect your third-party source.

  5. Enter your Salesforce authentication information.

  6. Select which entities to sync and click Continue.

  7. Select the Sync frequency for Full sync and the Incremental sync frequency for Incremental data sync. For more information, see Sync frequency.

    If you want to schedule separate full syncs of entity and identity data, expand the menu under Full sync and then select Custom options.

    Custom options for full data sync.
    Setting separate schedules for full entity sync and full identity sync.

  8. Select a region for your data store.

  9. Enter a name for your data store.

  10. Click Create. Agentspace creates your data store and displays your data stores on the Data stores page.

  11. To check the status of your ingestion, go to the Data stores page and click your data store name to see details about it on its Data page. The Connector state changes from Creating to Running when it starts synchronizing data. When ingestion is complete, the state changes to Active to indicate that the connection to your data source is set up and awaiting the next scheduled synchronization.

    Depending on the size of your data, ingestion can take minutes or hours.

Next steps