Console
    Contact Us Start free

    Connect Salesforce

    This page describes how to connect Salesforce to Agentspace.

    We recommend using the Salesforce V2 (Recommended) connector to ingest Salesforce data into Agentspace. The existing Salesforce connector will be deprecated. If you are using an existing data store that uses the Salesforce connector, create a new data store using the Salesforce V2 connector.

    Supported versions

    The Salesforce V2 connector supports SOAP API version 30.0 or later.

    Before you begin

    Before setting up your connection, do the following:

    1. Use either a Salesforce enterprise or a Salesforce developer plan. Trial accounts are not supported.

    2. Configure Salesforce for connectivity based on your chosen authentication type. Supported authentication types are:

    Generate a service attachment

    Use the following steps to generate a service attachment:

    • For Publicendpoint: If the Salesforce data center Destination typeis Public, you are not required to create the setup for service attachment. Instead, you can use your public URL in the Domain URLfield of the Google Cloud console.

    • For Privateendpoint:

      1. Use PSC to enable connections from private instances to Google Cloud.
      2. Create a Virtual Private Cloud network and the required subnets.
      3. Create a Virtual Machine (VM) instance and install the backend service.
      4. Optional: Set up a health check probe to monitor backend health.
      5. Add a load balancer to route traffic to the VM or backend.
      6. Define firewall rules to allow traffic between the PSC endpoint and the backend.
      7. Publish the endpoint by creating a PSC service attachment.

    Configure Salesforce for connectivity

    To connect a Salesforce data source to Agentspace, you must complete specific configurations within Salesforce. These configurations vary based on the authentication type you choose.

    Set up for username and password authentication

    For username-password authentication, use an existing security token, or reset the security token to receive a new one in your registered email.

    To reset your security token:

    1. Click your profile icon and select Settings.

      Settings
      Settings

    2. Navigate to the Reset my security tokentab and click Reset security token.

      Reset security token
      Reset security token

      Salesforce sends the new security token to your registered email.

    Set up for OAuth 2.0 - JWT bearer authentication

    You must set up Vertex AI Search as a connected app in Salesforce for API integration.

    After you connect Vertex AI Search as a connected app, you can obtain the following authentication information that is needed to create a Salesforce connector in Agentspace.

    • Customer key
    • Public key
    • Username (pre-authorized to use the application)

    Generate private key and public certificate

    1. Execute the following OpenSSL command to generate a 2048-bit RSA private key.

      openssl genrsa -out server.key 2048

      This command creates a file named server.key , which contains your private key. Keep this file secure and confidential.

    2. Execute the following OpenSSL command to generate a self-signed public certificate using the private key.

      openssl req -new -x509 -sha256 -days 3650 -key server.key -out server.crt

      This command generates a file named server.crt , which is your public certificate. You can upload this certificate to Salesforce during the connected app configuration.

    Create and configure connected app in Salesforce

    1. In your Salesforce app, click the setup icon, and then select Setup.

      Setup
      Setup

    2. Enter Apps in the quick find box and select App manager.

    3. Select New external client app.

      New external client app
      New external client app

    4. Enter the required basic information for your connected app, such as the External client app name, API name, and Contact email.

    5. In the API (Enable OAuth settings)section, configure the following OAuth settings. For more information, see Enable OAuth Settings for API Integration .

      1. Select the Enable OAuthcheckbox.
      2. Enter the Callback URLas https://vertexaisearch.cloud.google.com/console/oauth/salesforce_oauth.html .
      3. In the Selected OAuth scopessection, add Full access(full), Manage user data via APIs (api), and Perform requests at any time (refresh_token, offline_access). For more information, see OAuth Tokens and Scopes .

      4. In the Flow enablement section:

      5. Select the Enable JWT bearer flowcheckbox.

      6. Upload the public certificate created in Generate private key and public certificate .

        Enable OAuth settings- OAuth2 JWT token
        Enable OAuth settings - OAuth2 JWT

      7. Click Create.

    Pre-authorize external client app access

    After creating the Connected App, you must explicitly authorize specific users or permission sets to access it.

    1. Enter External client app in the quick find box and select External client app manager.
    2. Locate and open the external client app that you created earlier.
    3. In the Policiestab, click Editto modify the app details.

    4. In the OAuth policiessection, do the following:

      1. In the Permitted usersfield, select Admin approved users are pre-authorized.
      2. In the Refresh token policyfield, select Refresh token is valid until revoked.
      3. In the IP relaxationfield, select Relax IP restrictions.
        Policies - OAuth2 JWT Bearer
        OAuth policies - OAuth2 JWT Bearer

      The IP relaxation option controls whether the connected app's access is limited by IP ranges. IP restrictions are enforced based on the user profile settings. You must verify if an organization-wide IP range enforcement is active in the user settings. If Enforce login IP ranges on every requestis enabled, then setting IP Relaxation to Relax IP restrictionsdoes not override the existing IP restrictions. For more information, see Connected App IP Relaxation and Continuous IP Enforcement .

      • If you want to enforce IP restrictions in the connected app, set up a trusted IP. For more information, see Configure Trusted IP Ranges for a Connected App .
      • If you don't want to have any IP access restrictions, verify that the Enforce login IP ranges on every requestisn't selected.

    5. In the App policiessection, select the profiles and permission sets for which this authentication type needs to be authorized.

      App policies
      App policies

    6. Click Save.

    7. Navigate to the Settingstab.

    8. In the OAuth settingssection, click Consumer key and secretand copy the Consumer key and Consumer secret .

    Set up for OAuth 2.0 - Client credentials authentication

    You must set up Agentspace as a connected app in Salesforce for API integration.

    After you connect Agentspace as a connected app, you can obtain the following authentication information that is needed to create a Salesforce connector in Agentspace.

    • Consumer ID or client ID
    • Consumer secret or client key

    Create and configure an external client app

    1. In your Salesforce app, click the setup icon, and then select Setup.

    2. Enter Apps in the quick find box and select App manager.

    3. Select New external client app.

    4. Enter the required basic information for your connected app, such as the External client app name, API name, and Contact email.

    5. In the API (Enable OAuth settings)section, configure the following OAuth settings. For more information, see Enable OAuth Settings for API Integration .

      1. Select the Enable OAuthcheckbox.
      2. Enter the Callback URLas https://vertexaisearch.cloud.google.com/console/oauth/salesforce_oauth.html .
      3. In the Selected OAuth scopessection, select Full access(full), Manage user data via APIs (api), and Perform requests at any time (refresh_token, offline_access). For more information, see OAuth Tokens and Scopes .
      4. In the Flow enablement section, select the Enable client credentials flowcheckbox.
        Enable OAuth settings- OAuth2 client credentials
        Enable OAuth settings- OAuth2 client credentials

    6. Click Create.

    Pre-authorize external client app access

    After creating the external client app, you must explicitly authorize specific users or permission sets to access it.

    1. Enter External client app in the quick find box and select External client app manager.
    2. Click the name of the external client app that you created.
    3. In the Policiestab, click Editto modify the app details.

    4. In the OAuth policiessection, do the following:

      1. In the Permitted usersfield, select Admin approved users are pre-authorized.

      2. In the OAuth flow and external client enhancementsection:

        1. Select the Enable client credentials flowcheckbox.
        2. Enter the user's email ID.

      3. In the Refresh token policyfield, select Refresh token is valid until revoked.

      4. In the IP relaxationfield, select Relax IP restrictions.

        Policies - OAuth2 client credentials
        OAuth policies - OAuth2 client credentials

      The IP relaxation option controls whether the connected app's access is limited by IP ranges. IP restrictions are enforced based on the user profile settings. You must verify if an organization-wide IP range enforcement is active in the user settings. If Enforce login IP ranges on every requestis enabled, then setting IP Relaxation to Relax IP restrictionsdoes not override the existing IP restrictions. For more information, see Connected App IP Relaxation and Continuous IP Enforcement .

      • If you want to enforce IP restrictions in the connected app, set up a trusted IP. For more information, see Configure Trusted IP Ranges for a Connected App .
      • If you don't want to have any IP access restrictions, verify that the Enforce login IP ranges on every requestisn't selected.

    5. In the App policiessection, select the profiles and permission sets for which this authentication type needs to be authorized.

      App policies
      App policies

    6. Click Save.

    7. Navigate to the Settingstab.

    8. In the OAuth settingssection, click Consumer key and secret, then copy the Consumer key and Consumer secret .

    To get the Login URL for your Salesforce instance, do the following:

    1. Enter My domain in the quick find box and select My domain.
    2. Copy the domain that ends in my.salesforce.com .
    3. Add https:// to the beginning of the copied domain. This is the instance URL that you need when you create the Salesforce connector in Agentspace. The instance URL must be in the following format: https:// DOMAIN_NAME .my.salesforce.com .

    Configure user minimum permissions

    To verify that the user configuring the connector has the required minimum data fetching permissions, complete the following steps:

    1. Enter Profiles in the quick find box and select Profiles.
    2. Select the user profile running the connector.
    3. Navigate to the Standard object permissionssection and verify the permissions.

    Verify that the selected user has access to the permissions. This process must be repeated for each entity you intend to ingest. This involves checking whether the default access at the user's profile level is set to Private . When an entity's access is set to Private , your Google Cloud connector can't access the required object and registers an error in Cloud Logging. To allow access, do the following:

    1. Create a permission set and share it with the user

      1. Enter Permission sets in the quick find box and select Permission sets.

      2. Click New.

      3. Enter a name and save the permission set.

      4. Open the created permission set and navigate to the Appssection.

      5. Select Object settings.

      6. Select the View all recordscheckbox.

      7. In the Field permissionssection, grant read access to all fields you want to synchronize.

        Object settings - Permissions
        Object Settings

      8. Save the settings and navigate back.

      9. In the System section, select System permissions.

      10. Enable the following minimum permissions:

        • API enabled

        • View all users

        • View roles and role hierarchy

        • View setup and configuration

    2. Add the user to the permission set:

      1. Enter Users in the quick find box and select Users.

      2. Select the user.

      3. In the Permission set assignmentssection, select Edit assignments.

      4. Add the recently created permission set to the Enabled permission setssection.

    For more information, see Data access in Salesforce and Organization-Wide Sharing Defaults .

    Create a Salesforce V2 data store

    Console

    To use the Google Cloud console to sync data from Salesforce to Agentspace , follow these steps:

    1. In the Google Cloud console, go to the Agentspacepage.

      Agentspace

    2. In the navigation menu, click Data stores.

    3. Click Create data store.

    4. On the Select a data sourcepage, scroll or search for Salesforce V2to connect your third-party source.

    5. In the Authenticationssection, select the authentication method and enter the authentication information.

    6. In the Destinationssection, select Publicor Private.

      1. For the Publicdestination type, you are not required to create the setup for service attachment. In the Login URLfield, enter your login URL to the Salesforce server.

      2. For the Privatedestination type, enter all the required information:

        1. Service attachment: Enter your service attachment.
        2. Base domain name: Enter your base domain.
        3. Login URL: Enter your login URL to the Salesforce server.

    7. Click Continue.

    8. In the Entities to syncsection, do the following:

      1. Select the entities you want to sync.
      2. Optional. Add custom entities. The custom entity must be in the following format custom_object_name __c . For example: MyObject__c .

      3. Select the Sync frequencyfor Full syncand the Incremental sync frequencyfor Incremental data sync. For more information, see Sync schedules .

        If you want to schedule separate full syncs of entity and identity data, expand the menu under Full sync and then select Custom options .

        Custom options for full data sync.
        Setting separate schedules for full entity sync and full identity sync.
      4. Click Continue.
        Connector Entities to sync
        Entities to sync

    9. In the Configure your data connectorsection, do the following:

      1. Select a region for your data store.
      2. Enter a name for your data store.
      3. Click Create. Agentspace creates your data store and displays your data stores on the Data storespage.
        Connector Configure your data connector
        Configure your data connector

    10. To check the status of your ingestion, go to the Data storespage and click your data store name to see details about it on its Datapage. The Connector statechanges from Creatingto Runningwhen it starts synchronizing data. When ingestion is complete, the state changes to Activeto indicate that the connection to your data source is set up and awaiting the next scheduled synchronization.

      Depending on the size of your data, ingestion can take minutes or hours.

    Rate limits

    The default rate limit for the Salesforce connector is 5 requests per second.

    Error messages

    The following table lists the error messages that you might get when you use the Salesforce connector:

    Error message
    Description
    Troubleshooting
    Initialize connector failed due to pipeline failure. Please delete the connector and retry creation.
    The connector failed to initialize because of a pipeline failure. This is due to an internal service error.
    Delete the existing connector and re-create it.
    Connector is blocked due to the project being added to the VPC-SC perimeter. Please re-create the data store.
    After the data store was created, this project was added to the VPC Service Controls perimeter.
    Delete the existing data store and re-create it. This ensures the data store is properly configured to operate within the VPC Service Controls perimeter.
    Connection is not in active state. Connection state: ERROR and description: Failed to retrieve OAuth token information. [INVALID_GRANT] no client credentials user enabled.
    When using JWT client credentials authentication, the connection is not active because the OAuth token cannot be retrieved.
    • In the Salesforce instance navigate to the external client app and find the client app used for the data store. In the Client credentials flow section, add the email of a user with the necessary permissions to the Run as user field . Click Save.
    • In the Google Cloud console delete, and then re-create the data store.
    Connection is not in active state. Connection state: ERROR and description: INVALID_LOGIN: Invalid username, password, security token; or user locked out.
    The connection failed because of incorrect login information. The connection is not in an active state due to an invalid username, password, or security token.
    • Verify that the username and password are correct. Username is usually an email address, such as user@company.com.
    • Confirm that the security token is correct and up to date. Each time you reset your password, your security token becomes invalid. If your security token is invalid, you can reset it.
    Connection is not in active state. Connection state: ERROR and description: Failed to retrieve OAuth token information. [INVALID_GRANT] audience is invalid.
    The connection failed because the OAuth token retrieval for JWT authentication returned an invalid audience, likely due to incorrect user credentials.
    Verify that the username and password are correct. Username is usually an email address, such as user@company.com.
    [INVALID_SESSION_ID] Invalid or expired session, please try reconnecting. If the problem persists, it may be due to the following: A) You have exceeded your session limits for this user. B) It may be related to MFA being required for your account. C) 'Lock sessions to the IP they are generated from' is enabled in Salesforce Security Controls and your IP is changing between requests.
    The session is no longer valid. This can happen if you have exceeded your session limits or if your account requires multi-factor authentication (MFA). It can also occur if a security setting is enabled that locks your session to a specific IP address, and your IP address changes.
    • Navigate to Salesforce settings and ensure that Lock sessions to the IP address from which they originated is set to Off .
    • In the user's profile settings, verify that Session Security Level Required at Login is set to None .

    Known limitations

    • Category based access control lists for knowledge article versions are not supported.

    • Tasks are only visible to users with View All Datapermission, task owners, and those who have access through the hierarchy.

    • When you add a project to a VPC Service Controls (VPC-SC) perimeter after you create a connection, the connector sync run fails.

    Connect Salesforce (V1)

    Before you begin

    Before setting up your connection, do the following:

    1. Use either an Enterprise or a Developer plan. Trial accounts are not supported.
    2. Set up access control for your data source. For information about setting up access control, see Use data source access control .
    3. Verify that the Salesforce CORS allowlist contains Google Cloud.
      1. To configure the allowlist, see Enable CORS for OAuth Endpoints .
      2. To include Google Cloud, add https://console.cloud.google.com/ as the source URL, and save your configuration.

    Create a connected app in Salesforce

    You must set up Vertex AI Search as a connected app in Salesforce for API integration.

    After you connect Vertex AI Search as a connected app, you can obtain the following authentication information that is needed to create a Salesforce connector in Agentspace.

    • Instance URL
    • Consumer ID or client ID
    • Consumer secret or client key

    To enable OAuth 2.0 and obtain the authentication information, do the following:

    1. In your Salesforce app, click the setup icon, and then select Setup.

      select setup for your salesforce app
      Select Setup for your Salesforce app

    2. Enter External Client App in the Quick Findbox and select External Client App Manager.

    3. In the menu, go to Settings.

    4. Turn the Allow creation of connected appstoggle to the on position and click New Connected App.

      To do so, you must have the correct permissions for external client apps. Verify whether you have the following permissions:

      • Create, edit, and delete external client apps
      • View all external client apps
      • View all external client apps, view their settings, and edit their policies
      Find your app manager and create new connected app
      Find your App Manager and create new connected app

    5. In the creation page for the new connected app, add the basic information for your app, such as the app name, your contact details, and a logo to identify your app. For more information, see Configure Basic Connected App Settings .

    6. In the API (Enable OAuth Settings)section, configure the following OAuth settings. For more information, see Enable OAuth Settings for API Integration .

      Enable and configure OAuth Settings
      Enable and configure OAuth settings

      1. Select Enable OAuth Settings.

      2. Specify the callback URL as https://vertexaisearch.cloud.google.com/console/oauth/salesforce_oauth.html .

      3. In the Selected OAuth scopessection, add Full Access(full)and Perform request at any time (refresh_token, offline_access). For more information, see OAuth Tokens and Scopes .

      4. Select Enable Client Credentials Flow.

      5. Select Enable Authorization Code and Credentials Flow.

      6. Select the Require user credentials in the POST body for Authorization Code and Credentials Flow.

      7. In Custom connected app handler, specify a Run asuser. This user must have read permissions to all the entities that the user needs the connector to extract.

        Specify Run as in Custom connected app handler
        Specify a Run as user who has read permissions

    7. Click Saveto create the connected app.

    8. Enter Manage connected apps in the Quick Find box and select Manage connected apps.

    9. Find your app in the list, select Edit, and then on the connected app details page select Edit policiesto configure the following details:

      manage connected app and edit policies
      Manage the connected app and edit its policies

      1. Set IP Relaxationto Relax IP restrictions.

        Configure the connected app and add client credentials flow
        Additional setup for the connected app and client credentials flow

        This option determines whether the access to the connected app is restricted by IP ranges. IP restrictions are enforced based on how they're set in the user profile. You must verify whether an organization-wide IP ranges enforcement is configured in the user settings. If Enforce login IP ranges on every requestis enabled, then setting the IP Relaxationoption to Relax IP restrictionsdoesn't remove the IP restrictions. For more information, see Connected App IP Relaxation and Continuous IP Enforcement . If you want to enforce IP restrictions in the connected app, set up trusted IP. For more information, see Configure Trusted IP Ranges for a Connected App If you don't want to have any IP access restrictions, verify that the Enforce login IP ranges on every requestisn't selected.

      2. Set Refresh Token Policyto Refresh token is valid until revoked.

      3. Set Permitted Usersto All users may self-authorize.

      4. In the Client Credentials Flowsection, specify a Run Asuser. The specified user must have read permissions to all the entities that they need the connector to extract. To check whether the user you selected has all the required permissions, do the one of the following:

        1. In your Salesforce app, click the setup icon, and then select Setup.
        2. In the main menu, click Usersand click the username whose permissions you want to verify.
        3. Click Profiles, go to the Standard object permissionssection and verify the permissions.
          Verify user read permissions
          Verify the user's permissions

      5. Verify that the selected user has access to the permissions. This involves checking whether the default access at the user's profile level is set to Private . When an entity's access is set to Private , your Google Cloud connector can't access the required object and registers an error in Cloud Logging. To allow access, do one of the following:

        • Change the default profile permission to Public .
        • Configure the access to each entity separately in Sharing settings.
          Sharing settings for entities
          Configure sharing settings for entities
        • Create a permission set and share the permission set with the user:
          1. Enter Permission sets in the Quick Find box and select Permission sets.
          2. Click New.
          3. Enter a name and save the permission set.
          4. Under System, click System permissions.
          5. Click Edit, select View setup and configuration, and save.
          6. On the Permission setspage, click Manage assignments
          7. Click Add assignments, select the user that you want to assign the permission set to, and then click Assign.
        • For more information, see Data access in Salesforce and Organization-Wide Sharing Defaults .

    10. Click Save.

    11. Enter OAuth and openID connect settings in the Quick Find box, select OAuth and OpenId Connect Settings, and then enable Allow Authorization Code and Credentials Flows

      Set OAuth and openID connect settings
      Set OAuth and openID connect settings

    12. Get the instance URL:

      1. Enter My domain in the Quick Find box and select My Domain.
        Copy app domain name
        Copy your app's domain name
      2. Copy the domain that ends in my.salesforce.com .
      3. Add https:// to the beginning of the copied domain. This is the instance URL that you need when you create the Salesforce connector in Agentspace. The instance URL must be in the following format: https://<var>DOMAIN_NAME</var>.my.salesforce.com</var> .

    13. Get the consumer ID and consumer key.

      1. Go to App manager, locate your app, and in the options, select View.
        View app details in app manager
        View app details
      2. Click Manage Customer Details.
        Click manage consumer details
        Click Manage Consumer Details button
      3. If prompted, verify your identity.

      4. Copy the consumer details.

        Copy the consumer key and secret
        Copy the consumer key and secret

        This is the instance URL that you need when you create the Salesforce connector in Agentspace.

        If Refresh tokenis enabled, ensure that the token is refreshed and that you copy the latest token when you create the Salesforce connector in the Agentspace.

    Create a Salesforce (V1) data store

    Console

    To use the Google Cloud console to sync data from Salesforce to Agentspace , follow these steps:

    1. In the Google Cloud console, go to the Agentspacepage.

      Agentspace

    2. In the navigation menu, click Data stores.

    3. Click Create data store.

    4. On the Select a data sourcepage, scroll or search for Salesforceto connect your third-party source.

    5. Enter your Salesforce authentication information.

    6. Select which entities to sync and click Continue.

    7. Select the Sync frequencyfor Full syncand the Incremental sync frequencyfor Incremental data sync. For more information, see Sync schedules .

      If you want to schedule separate full syncs of entity and identity data, expand the menu under Full sync and then select Custom options .

      Custom options for full data sync.
      Setting separate schedules for full entity sync and full identity sync.

    8. Select a region for your data store.

    9. Enter a name for your data store.

    10. Click Create. Agentspace creates your data store and displays your data stores on the Data storespage.

    11. To check the status of your ingestion, go to the Data storespage and click your data store name to see details about it on its Datapage. The Connector statechanges from Creatingto Runningwhen it starts synchronizing data. When ingestion is complete, the state changes to Activeto indicate that the connection to your data source is set up and awaiting the next scheduled synchronization.

      Depending on the size of your data, ingestion can take minutes or hours.

    Next steps
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: