Before you create a Salesforce workspace

Configure Salesforce as an Identity Provider

You must enable Salesforce as an Identity Provider.

This is required for authentication between Salesforce and Structural. It is independent of any existing Salesforce single sign-on (SSO) user login.

Enable Grant API Enabled Access

You must enable Salesforce with Grant API Enabled Access.

This is required for authentication between Salesforce and Structural.

Creating the connected Salesforce application for Structural

For the integration between Structural and Salesforce:

  • Salesforce is set up as an Identity Provider for Structural

  • OAuth bearer tokens are used to transparently access Salesforce from Structural.

There are no separate passwords or user secrets. Each user is limited to only the data available based on their available level of access for their Salesforce or Structural account.

Create the application in Salesforce

  1. Log into your Salesforce instance.

  2. Make sure that Salesforce is enabled as an Identity Provider with Grant API Enabled Access.

  3. In the top right corner, click the gear icon.

  4. On the Setup page, in the Quick Find box, enter App Manager.

  5. Click New Connected App.

  6. On the New Connected App page, under Basic Information, fill in the following fields:

    • Connected App Name. We recommend that you include 'Tonic' somewhere in the name. Note that after you create a connected app, you cannot change the name.

    • API Name

    • Contact Email

  7. Under API (Enable OAuth Settings):

    1. Check Enable OAuth Settings.

    2. In the Callback URL field, enter the URL of your Structural instance with /oauth2/callback appended to it. For a self-hosted instance, if you do not have access to the URL, contact the Structural administrator at your organization. If your organization has deployed more than one Structural instance, you can enter multiple URLs. For Structural Cloud, the URL is

    3. Under Selected OAuth Scopes, move the following settings from Available OAuth Scopes to Selected OAuth Scopes:

      1. Manage user data via APIs (api)

      2. Perform requests at any time (refresh_token, offline_access)

    4. Leave the currently checked checkboxes checked.

    5. Check the following additional checkboxes:

      1. Issue JSON Web Token (JWT)-based access tokens for named users

      2. Introspect All Tokens

  8. Navigate to the bottom of the page, then click Save.

  9. After you save the page:

    1. From the API (Enable OAuth Settings) dropdown list, select Manager Consumer Details.

    2. Locate and copy the values of Customer Key and Customer Secret. You use these to populate the consumer key and secret values in Structural.

Set the consumer key and secret Structural environment settings

In the configuration file for your instance, configure the following Structural environment settings:

  • TONIC_SALESFORCE_CONSUMER_KEY - Set to the consumer key value that you copied from Salesforce.

  • TONIC_SALESFORCE_CONSUMER_SECRET - Set to the consumer secret value that you copied from Salesforce.

If you do not configure these environment settings, then you must provide the consumer key and consumer secret in the workspace configuration. For example, on Structural Cloud, you must always configure the consumer key and secret in the workspace.

Creating the source and destination connections

For a Salesforce workspace, the source and destination data connections must be separate orgs.

The source and destination connections can be production orgs, sandbox orgs, or scratch orgs.

However, the destination connection can only be a scratch org if the source connection is also a scratch org.

Ensuring required Salesforce user permissions

Salesforce users who authorize Structural to connect on their behalf must have the following permissions configured:

  • Granted the Marketing User option.

  • Assigned the All Access role.

  • Assigned the System Administrator profile.

  • Granted the additional permission Update Records with Inactive Owners.

Making the Update Records with Inactive Owners permission available to grant

Before you can grant the Update Records with Inactive Owners permission, you must make sure that it is available to grant.

To make the permission available:

  1. Go to Setup > User Interface.

  2. Check the “Set Audit Fields upon Record Creation” and “Update Records with Inactive Owners” User Permissions checkbox.

Granting the Update Records with Inactive Owners permission

After you enable the permission, to grant it, you can create and assign a permission set:

  1. Go to Setup.

  2. Under Administration, click Users, then Permission Sets.

  3. Create the new permission set:

    1. On the Permission Sets page, click New.

    2. In the Label field, provide a name for the permission set.

    3. Leave License set to None.

    4. Click Save.

  4. Assign the permission to the permission set:

    1. Under System Permissions, click Edit.

    2. Check the Update Records with Inactive Owners permission.

    3. Click Save and confirm your changes.

  5. Assign the permission set to your user:

    1. From the permission set details, click Manage Assignments.

    2. Click Add Assignment.

    3. Select the user or users that you intend to use with Structural.

    4. Click Next, then confirm the permission set assignments.

Last updated