Skip to main content

Managing Connections to Salesforce.com

tip

The connector to SaaS Management supersedes and overrides the connector to Salesforce.com. This means that if you implement the SaaS Management connector (see IT Asset Management Settings: Integrations Tab), any licenses that are created for imports through the Salesforce.com connector are automatically given a status of Retired , so that they have no impact on license reconciliation calculations. Instead, new licenses are created from the SaaS Management imports, and these are included in license reconciliations as usual.

Use the following procedure to create a connection to Salesforce.com on the FlexNet Beacon (when you are not integrating with SaaS Management). IT Asset Management provides an inventory adapter to import Salesforce.com license allocations and usage data. Operators can easily see unused Salesforce.com subscriptions which, in turn, allows you to manage costs at subscription renewal. A connection is required for each organization of Salesforce.com. The inventory beacon requires this connection to import all Salesforce.com licenses available to the enterprise, show consumption for each allocated license, show unused subscriptions, and support multiple Salesforce.com instances.

You must make sure that the Salesforce tenant user has the required System Administrator privilege for this operation. Also make sure that the following prerequisites are met on each inventory beacon that needs to download data from Salesforce (noting that the order of installation of prerequisite software may be significant). These requirements should have been met when the inventory beacon was installed:

  • 32-bit version of PowerShell 5.1 or later is running on Windows Server 2008 R2 SP1 or later, or Windows 7 SP1 or later; with the PowerShell execution policy set to RemoteSigned .
tip

The PowerShell execution policy can be set by running PowerShell with administrator rights and executing the following command:

Set-ExecutionPolicy RemoteSigned

  • A browser is installed with JavaScript enabled on the machine the inventory beacon software is installed on.
  • A Javascript-enabled browser installed on the machine the inventory beacon software is installed on
  • The inventory beacon server supports Transport Layer Security (TLS) 1.2 in order for the connection to Salesforce to work.

To create a connection to Salesforce.com:

  1. Login to Salesforce and create a connected app. (A connected app is required for a connection to Salesforce.com on the FlexNet Beacon to work.) For information about how to create a connected app in Salesforce, see Create a Connected App.
    • When creating the connected app, ensure that you select Enable OAuth Settings , select the Enable for Device Flow check box and select all Available OAuth Scopes . The connected app in Salesforce uses standard SAML and OAuth protocols to authenticate, provide single sign-on, and provide tokens for use with Salesforce APIs. In addition to standard OAuth capabilities, connected apps allow Salesforce admins to set various security policies and have explicit control over who can use the corresponding apps. After creating the connected app in Salesforce, you can view the app details in order to copy and paste the Consumer Key and Consumer Secret values to the corresponding fields in the FlexNet Beacon PowerShell Source Connection dialog in Step 8 .

  2. Login to Salesforce and access the connected app to view details.
  3. In the FlexNet Beacon interface, ensure that you have your preferred schedule for imports from Salesforce set on the appropriate inventory beacon:
  4. Log into the inventory beacon interface as an administrator (for example, in the Windows Start menu, search for FlexNet Beacon , right-click it, and select Run as administrator ).
tip

Remember that you must run the inventory beacon software with administrator privileges.

  1. From the Data collection group in the navigation bar, choose Scheduling .
  2. If there is not already a suitable schedule in the list, click New... and complete the details (see the help topic for that page for more information). Otherwise, identify the schedule you will use.
  3. Select the Inventory Systems tab (in the same navigation group).
  4. Choose either of the following:
    • To change the settings for a previously-defined connection, select that connection from the list, and click Edit... .
    • To create a new connection, click the down arrow on the right of the New split button, and choose Powershell .
  5. Complete (or modify) the values for the following required fields:
    • Connection Name —Enter a name for the inventory connection. The name may contain alphanumeric characters, underscores or spaces, but must start with either a letter or a number. When the data import through this connection is executed, the data import task name is same as the connection name.
    • Source Type —Select Salesforce from this list.
  6. Optionally, if your enterprise uses a proxy server to enable Internet access, complete (or modify) the values in the Proxy Settings section of the dialog box in order to configure the proxy server connection.
    • Use Proxy —Select this check box if your enterprise uses a proxy server to enable Internet access. Complete the additional fields in the Proxy Settings section, as needed. If the Use Proxy check box is not selected, the remaining fields in the Proxy Settings section are disabled.

    • Proxy Server —Enter the address of the proxy server using HTTP, HTTPS, or an IP address. Use one of the following formats:

    • https://ProxyServerURL:PortNumber

    • http://ProxyServerURL:PortNumber

    • IPAddress:PortNumber

    • This field is enabled when the Use Proxy check box is selected.

    • Fetch credentials from CyberArk (for proxy settings) —When this check box is selected, the Query field appears, allowing you to enter the CyberArk query string to retrieve the vault for the username and password.

    • Username and Password —If your enterprise is using an authenticated proxy, specify the user name and password of an account that has credentials to access the proxy server that is specified in the Proxy Server field. These fields are enabled when the Use Proxy check box is selected.

  7. Complete (or modify) the values in the Salesforce section of the dialog box. All of the following fields require a value:
    • If you have multiple organizations to Salesforce (for example, separate organizations for different corporate units or locations), you need to create a separate connector for each organization using its own credentials.

    • Fetch credentials from CyberArk (for specific connection type) —When selected, an additional Query field appears, allowing you to enter the CyberArk query string to retrieve the vault credentials for the specific connection type.
    • Salesforce URL —Enter the address of the Salesforce URL to be used for generating a new token.
    • Consumer Key —Copy this value from the Consumer Key field in the Salesforce connected app.
    • Consumer Secret —Copy this value from the Consumer Secret field in the Salesforce connected app. In the Salesforce connected app, click Click to reveal to view the value. For CyberArk integrations, when Fetch credentials from CyberArk (for specific connection type) is selected, the following hint will appear in this field: Enter CyberArk field name or leave empty for password. This allows you to specify the CyberArk vault field name. If left empty, the password will be used by default. For connection settings that do not display this hint, the locally stored value will be used.
    • Refresh Token —Click the Generate button to generate a refresh token that will be used to authenticate the connection to Salesforce. For CyberArk integrations, when Fetch credentials from CyberArk (for specific connection type) is selected, the following hint will appear in this field: Enter CyberArk field name or leave empty for password. This allows you to specify the CyberArk vault field name. If left empty, the password will be used by default. For connection settings that do not display this hint, the locally stored value will be used.
  8. When you click Generate to the right of the Refresh Token field, a Web browser is launched in Salesforce.com with an 8-digit code automatically populated in the Code field. In the Salesforce.com screen, do the following:
  9. Click Connect . A Salesforce login page displays. If you are already logged into Salesforce, skip to step 8e .
  10. Enter your Salesforce username. If there are multiple Salesforce accounts, select your user name from the Saved Username list or click Log In with a Different Username . A Password field appears.
  11. In the Password field, enter your Salesforce password.
  12. Click Login . An Allow Access page appears.
  13. Click Allow to allow Salesforce to access the FlexNet Beacon to have the refresh token sent back to PowerShell Source Connection dialog. A message appears to notify you that the connection is successful. Click Continue or close the browser.
    • The following table provides help with potential issues that you may encounter when attempting to connect to Salesforce.

  • Fetch credentials from CyberArk (for proxy settings) —When this check box is selected, the Query field appears, allowing you to enter the CyberArk query string to retrieve the vault for the username and password.
ErrorDescription
Mandatory parameter(s) missingOne or more of the fields in the FlexNet Beacon PowerShell Source Connection dialog is missing a value. Ensure that all mandatory fields contain values before clicking Generate to the right of the Token field.
The remote name could not be resolved: 'login.salesforce.com'The most common cause is that there is no Internet connection available on the machine the inventory beacon software is installed on. There may be other reasons such as Salesforce.com being blocked or is currently down.
invalid_client_idThe value that you entered for the Consumer Key field does not match the Consumer Key value from the Salesforce connected app. Copy the correct Consumer Key value from the Salesforce connected app and paste it into Consumer Key field in the FlexNet Beacon PowerShell Source Connection dialog.
TimeoutWhen the Web browser (that is invoked after clicking Generate to the right of the Token field) is not responding in a timely fashion, a Timeout error occurs. Some of the most common scenarios that will trigger this error are: The Internet browser that was invoked when you clicked Generate was subsequently closed inadvertently or prematurely. A login error was encountered that may be the result of incorrect login credentials. You may have waited too long before attempting to login to Salesforce.
invalid_requestYou have clicked Deny instead of clicking Allow in Step 5e to access the FlexNet Beacon to have the refresh token sent back to PowerShell Source Connection dialog.
  1. In the FlexNet Beacon PowerShell Source Connection dialog, click Save to save the connection.
  2. Select your new connection from the displayed list, and click Schedule... .
  3. In the dialog that appears, select the name of your chosen schedule for inventory collection through this connection, and click OK .
  4. At the bottom of the FlexNet Beacon interface, click Save , and if you are done, also click Exit .
tip

Consider whether you want to select your connection, and click Execute Now , before you exit.

After a successful data import, the users, applications, licenses, and usage data are all visible in the appropriate pages of IT Asset Management.

note

To know more about the operations available on the Inventory Systems tab of FlexNet Beacon, see Inventory Systems Tab. For scheduling data imports through this connection, see Scheduling a Connection.