# Salesforce Application Integration Setup
### Getting Started
BalkanID recommends creating a separate service account for the purposes of this integration, instead of using personal or employee named accounts.
#### Overview
You will:
1. Create an External Client App in Salesforce
2. Enable OAuth with JWT Bearer Flow
3. Configure OAuth policies
4. Retrieve the Consumer Key
5. Create and assign a Permission Set to the integration user
#### Prerequisites
Before starting, ensure you have:
* Salesforce **Admin access**
* An **integration user** in Salesforce
* A certificate file (`salesforce.crt`) for JWT authentication *(provided separately beforehand)*
***
#### Create a new user profile:
1. Navigate to **Setup**
* Click the **Gear Icon** → **Setup**
2. Open **Profiles** page
* In Quick Find, search for `Profiles`
* Select **Users > Profiles.**
3. Click on "Create a new profile".
4. Clone the profile from a **Standard Platform User** profile. Give it a name.
5. Click **Save.**
6. Scroll down to the **Administrative Permissions** section and ensure the following are enabled:
* `View Setup and Configuration`
* `View Roles and Role Hierarchy`
7. Save the profile with updated permissions.
#### Creating an integration user:
1. Navigate to **Setup**
* Click the **Gear Icon** → **Setup**
2. Open **Users** page
* In Quick Find, search for `Users`
* Select **Users.**
3. Click on create a new user
4. Create a new user with the **Salesforce Platform** license. If the new user option isn't available, clone an existing user. You can fill in the below fields according to your convenience or follow this.
* **Firstname**: BalkanID
* **Lastname**: BalkanID
* **Alias**: BalkanID
* **User License**: Salesforce Platform (If you are unable to see it, you might already have exhausted your user quota for this license)
* **Role**: None
* **Profile**: Use the profile we created above
* **Username**:
* **Email**:
#### Step 1: Create External Client App
1. Navigate to **Setup**
* Click the **Gear Icon** → **Setup**
2. Open **External Client App Manager**
* In *Quick Find*, search for: `External Client App`
* Select **External Client App Manager**
* Path: **Apps → External Client App Manager**
3. Click **New External Client App**
4. Fill in basic details:
| Field | Value |
| ---------------------- | --------------------------------------- |
| **Name** | `BalkanID Extractor` |
| **API Name** | Auto-filled (e.g. `BalkanID_Extractor`) |
| **Contact Email** | Your email (used for verification) |
| **Distribution State** | `Local` |
***
#### Step 2: Enable OAuth & JWT Bearer Flow
**Configure OAuth Settings**
1. Enable:
* **Enable OAuth**
2. Provide:
* **Callback URL**: `https://app.balkan.id`
3. Select **OAuth Scopes** *(exactly these)*:
* `Manage user data via APIs (api)`
* `Perform requests at any time (refresh_token, offline_access)`
**Enable JWT Flow**
1. Enable:
* **Enable JWT Bearer Flow**
2. Upload certificate:
* Upload `salesforce.crt`
3. Security setting:
* Uncheck **Require Proof Key for Code Exchange (PKCE)** *(Not required for JWT flow)*
4. Click **Create**
***
#### Step 3: Configure OAuth Policies
After creating the app:
1. Open the app → **Policies** tab
2. Click **Edit**
**OAuth Policies**
| Setting | Value |
| ------------------- | ------------------------------------------------------------------------------ |
| **Permitted Users** | `Admin approved users are pre-authorized` |
| **IP Relaxation** | Configure as needed *(recommended: Relax IP restrictions for backend systems)* |
**App Policies**
* This will be configured **after creating the Permission Set (Step 5)**
3. Click **Save**
***
#### Step 4: Retrieve Consumer Key
1. Open the app → **Settings** tab
2. Expand **OAuth Settings**
3. Click **Consumer Key and Secret**
4. Complete identity verification (via email)
**Save the following:**
| Field | Usage |
| ---------------------------- | ---------------------------------------------------- |
| **Consumer Key (Client ID)** | Used as `app_consumer_key` in BalkanID configuration |
***
#### Step 5: Create Permission Set & Assign to Integration User
**5.1 Create Permission Set**
| Field | Value |
| ------------ | -------------------- |
| **Label** | `BalkanID Extractor` |
| **API Name** | `BalkanID_Extractor` |
| **License** | `None` |
**5.2 Add Required System Permissions**
| Permission | Purpose |
| ----------------- | ------------------------------------- |
| **API Enabled** | Required for API access (REST / SOQL) |
| **View All Data** | Read access to all required objects |
***
**5.3 Assign Permission Set**
* Assign this Permission Set to your **integration user**
**5.4 Link Permission Set to External Client App**
1. Go back to **External Client App → Policies**
2. Edit **App Policies**
3. Add the created **Permission Set**
4. Save changes
### Configure Salesforce in your BalkanID tenant
1. Login to the BalkanID application and switch to the tenant you would like to add your integration to.
2. Head to *Integrations* > **Add Integration**, select **Salesforce.**
3. Set up the *Primary Application owner (mandatory)* and the *Description*, if any. Set up Secondary Application Owner(s), if any.
Select the Extraction Type. From here, you can configure your application using one of the following methods:
1. **Direct integration** - Provide your Salesforce User Name and Consumer Key obtained above to set up a direct connection with BalkanID.
2. **SCIM integration** - Provide SCIM server credentials to set up a SCIM connection with BalkanID.
3. **Manual file upload** - Upload Entity and Entity Relations through a .CSV file upload. Contact the team for assistance with this.
4. **Automated upload using API -** You can upload data using our [Bulk APIs](https://developer.balkan.id/) with the help of an API key which will be provided to you. Please refer to the [entity](https://developer.balkan.id/bulk-entities-upload-api-early-access-12828095e0) and [entity relation](https://developer.balkan.id/bulk-entity-relations-upload-api-early-access-12828102e0) upload docs for specific instructions on uploading your data through the API.
4. Click on next to move onto *Optional Configuration.*
5. Fill **Optional configuration,** if required.
6. Once you filled in the information, click **Save**. Your integration is now configured and you will see the status of the integration displayed alongside other integrations on the *Integrations* page. When data is available, the integration Status will read **Connected** and the integration Message will read **Data available**.
#### Salesforce Certificate
{% file src="/files/0hucSaBeuUWMSDxaYUmh" %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.balkan.id/getting-started/setting-up-your-tenant/application-integrations/direct-application-integration/salesforce-application-integration-setup.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.