Connected App
Salesforce Connected Apps are a framework by which third-party applications can integrate with Salesforce in a trusted fashion. A properly installed Connected App is necessary for GRAX to utilize your Integration User and for end users to use Single Sign-On to access GRAX. Additionally, Connected App settings can be customized to restrict access to GRAX or make it more seamless.
Recent Changes to Connected Apps
Following recent Salesforce data breaches, Salesforce has changed Connected Apps to limit access to them and the ability to install or approve them. For more information on this change, see the related Salesforce Knowledge Article.
When a GRAX service connects to your Salesforce org for the first time, the "Approve Uninstalled Connected Apps" permission must* be assigned to the authenticating user. This permission does not need to be assigned to every user, and can be removed after initial installation of the Connected App.
*Exact restrictions depend on the security restrictions in the org, including API Access Control settings.
Installing the Connected App
The first time a GRAX service connects to your org, Salesforce will automatically try to install the related Connected App. Successful installation is necessary for any GRAX service to operate as designed. The user who connects for the first time must have the following permissions:
Customize Application
Modify All Data OR Manage Connected Apps
Approve Uninstalled Connected Apps
Most of these permissions are automatically assigned to the default System Administrator profile. Cloned and custom admin profiles will vary.
To view the connected apps that exist in your org and whether they are installed, open the "Connected Apps OAuth Usage" page in Setup.

When you first use a Connected App, you will be asked to confirm the installation.

Once the app is installed, you will see "Uninstall" as an available action for it.

If you encounter errors while connecting a GRAX service or installing the Connected App, double-check the expected permissions listed above and the API Access Control settings within your organization.
Customizing the Connected App
By clicking the "Managed App Policies" option in the "Connected Apps OAuth Usage" menu, administrators can modify the behavior of the connected app, the sessions associated with it, and the ability of users in the org to utilize the app. The option will not appear if the app is not installed.

GRAX is not compatible with all possible options, and not all possible options have an effect on GRAX. Meaningful settings and their impact are broken out below.
Permitted Users
All users may self-authorize
All users in the org may SSO via the connected app, but will be individually asked for their consent and authorization of the app and associated scopes. This can interfere with use of the LWCs if users have never logged into GRAX before.
Admin approved users are pre-authorized
Users must be pre-approved based on assigned profile by an administrator, but will not need to individually consent to and authorize the app and associated scopes. This can make the LWC and SSO experience more seamless, but may be more of a burden to manage. Enabling this option will immediately prevent all users in the org from using the app, regardless of whether they have authorized it previously. They must be authorized by profile before they can use the app again.
IP Relaxation
Enforce IP restrictions
Login requests using this connected app must come from one of the IPs configured within the user's "Login IP Ranges". If no ranges are configured for the user, this has no effect.
Relax IP Restrictions
Login requests using this connected app are allowed regardless of the configured "Login IP Ranges" for a user.
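The Permitted Users and IP Relaxation behavior described above can be modelled before a setting is changed, to see who would lose access. The following is an added example, not GRAX or Salesforce code: it runs on a constructed user list, and every field name, setting string and outcome label in it is an assumption made for illustration.

```python
from ipaddress import ip_address

# Constructed sample data: usernames, profiles and addresses are illustrative only.
USERS = [
    {"user": "integration@example.com", "profile": "GRAX Integration",
     "authorized_before": True, "source_ip": "203.0.113.10",
     "login_ip_ranges": [("203.0.113.0", "203.0.113.255")]},
    {"user": "analyst@example.com", "profile": "Standard User",
     "authorized_before": True, "source_ip": "198.51.100.7",
     "login_ip_ranges": []},
    {"user": "admin@example.com", "profile": "System Administrator",
     "authorized_before": False, "source_ip": "198.51.100.20",
     "login_ip_ranges": [("192.0.2.0", "192.0.2.63")]},
]

def ip_allowed(user, ip_relaxation):
    """Apply the IP Relaxation setting ('enforce' or 'relax') as described above."""
    ranges = user["login_ip_ranges"]
    if ip_relaxation == "relax" or not ranges:
        return True  # relaxed, or no ranges configured for the user: no effect
    src = ip_address(user["source_ip"])
    return any(ip_address(lo) <= src <= ip_address(hi) for lo, hi in ranges)

def evaluate(user, permitted_users, approved_profiles, ip_relaxation):
    """Outcome of one login through the connected app under the given policy."""
    # Checking IP first is an assumption for reporting; either failure blocks.
    if not ip_allowed(user, ip_relaxation):
        return "blocked_ip"
    if permitted_users == "admin_approved":
        # Earlier self-authorization is ignored; only profile pre-approval counts.
        if user["profile"] in approved_profiles:
            return "allowed"
        return "blocked_not_approved"
    # 'self_authorize': users who never authorized the app get a consent prompt.
    return "allowed" if user["authorized_before"] else "consent_required"

def impact_report(users, permitted_users, approved_profiles, ip_relaxation):
    """Map each username to its outcome so a policy change can be reviewed first."""
    return {u["user"]: evaluate(u, permitted_users, approved_profiles, ip_relaxation)
            for u in users}

if __name__ == "__main__":
    report = impact_report(USERS, "admin_approved", {"GRAX Integration"}, "enforce")
    for name, outcome in report.items():
        print(f"{name:26} {outcome}")
```
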
Refresh Token Policy
Refresh token is valid until revoked
This is the only supported value. GRAX will perpetually refresh the integration user connection until the refresh token is revoked by any means.