Configure OAuth and REST integration
This topic describes how to configure the Salesforce app integration to use REST APIs for provisioning, authenticating with OAuth 2.0.
Salesforce is restricting the creation of new connected apps. Okta recommends using external client apps instead. See Switch to external client app.
Before you begin
- Create an administrator account in Salesforce. You need this account to create the OAuth consumer key and consumer secret used in the Salesforce REST integration.
- Create a custom user profile in Salesforce. This profile is required for both SOAP and REST integrations. See Enable Salesforce provisioning.
Configure an external client app in Salesforce
You must configure an external client app in Salesforce to generate the OAuth consumer key and consumer secret required by Okta.
- Sign in to Salesforce as an administrator.
- Create a new external client app or migrate an existing connected app. See Create an External Client App or Migrate Connected App to External Client App.
- Configure the external client app OAuth settings.
  - In the App settings section, use the following values:
    - Enable OAuth: Enabled
    - Callback URL: https://system-admin.asqula.com/admin/app/generic/oauth20redirect
    - OAuth Scopes: Manage user data via APIs (api) and Perform requests at any time (refresh_token, offline_access)
  - In the Security section, enable the following options:
    - Require secret for Web Server Flow
    - Require secret for Refresh Token Flow
    - Require Proof Key for Code Exchange (PKCE) extension for Supported Authorization Flows
    - Enable Refresh Token Rotation
- In the Policies tab, use the following values:
  - Permitted Users: All users can self-authorize
  - Refresh Token Policy: Refresh token is valid until revoked
- Go to the Settings tab. Under , click Consumer Key and Secret.
- Copy the Consumer Key and Consumer Secret. You will need these values when you configure provisioning in Okta.
Note: Salesforce can take up to 10 minutes to replicate these changes. Wait for 10 minutes before proceeding to the Okta configuration.
Configure OAuth and REST integration
For existing customers: Okta continues to use your existing SOAP credentials (admin username and password) for provisioning operations until this OAuth configuration is complete. If you haven't configured SOAP credentials or if you fail to complete the OAuth configuration, provisioning operations will return an Invalid API Credentials error.
- In the Admin Console, go to .
- Enter the configuration values:
  - OAuth Consumer Key: Paste your Salesforce consumer key.
  - OAuth Consumer Secret: Paste your Salesforce consumer secret.
  - PKCE Enabled: Select this checkbox.
- Click Authenticate with Salesforce.com.
- In the new Salesforce.com window, enter the administrator username and password that you used to create the external client app. If you previously entered SOAP credentials, you don't need to re-enter them here.
- Click Allow to grant Okta access to the external client app.
- Click Save.
Your Salesforce integration is now configured to use the REST API via OAuth.